Howto:How to use security mechanisms in innovaphone products
NOTE This article is obsolete!
please read instead Howto:Security works with innovaphone
innovaphone products feature a number of security features.
This article provides a rundown of the essential features and how they are enabled.
Applies To
This information applies to
- all innovaphone devices
Build 04-5609 and later.
More Information
Securing Configuration Data
All configuration for innovaphone devices is stored in local flash memory.
While access to the data through normal interfaces is password protected, the content can potentially be examined if an attacker has physical access to the device (this would require disassembly of the device and examination of the flash EPROM).
Whenever you pass a configured device to someone else (e.g. when selling it), you should keep this in mind.
If this is a concern, erase the data before (see related articles below).
Configuration data can be dumped to text format using the “Config show” command.
From version 5 on, the resulting text file does not contain any clear-text passwords.
Still, remaining configuration information may be considered sensitive.
So be careful when providing this information to 3rd parties.
Because passwords are encrypted in the config file, you will need to remember the admin password of the device being dumped in order to load it to another device later on.
Securing Access to Configuration Data
Innovaphone devices are configured through a web based interface using HTTP access.
For HTTP authentication, both basic authentication (which is not encrypted) as well as digest authentication is available.
You should make sure the browser your are using supports digest authentication which allows for reasonable security against password snooping and man-in-the-middle attacks.
There is an option to enforce digest authentication in the “General Settings” (in other words, to disable basic authentication).
However, since the PBX’s SOAP interface is based on HTTP too, all SOAP clients not supporting digest authentication (and the TAPI driver currently is such a client) would be disabled using this option.
Innovaphone devices feature non-protected access to the devices home page.
This is convenient, however, it may reveal some critical information to random port scanners targeting a device from the internet.
You may thus choose to password protect even the home page using an option in the “General Settings” area.
By default, all HTTP clients can gain access to the device configuration provided they have the right password.
However, there is an option to restrict HTTP access generally to a particular host or network.
This option allows you to restrict all HTTP access (and thus administrative access too) e.g. to hosts from within your own LAN.
If remote configuration access is required though (which would be disabled by this setting), you may consider to setup an administrative PPTP (or PPP over ISDN) dial-in access to the device.
Many innovaphone devices do support such kind of dial-in out of the box.
You would then use the “assign remote IP address” option and assign a local ip address to the dial-in client.
This way, remote configuration is still possible and additionally secured by the PPTP encryption layer.
Due to the computational overhead of HTTPS, HTTP payload traffic is not encrypted in innovaphone devices, yet (it will be implemented in SR3 security- see related articel below)
If payload encryption is critical to you for administrational access, make sure you configure an encrypted PPTP dial-in access for configuration as described above.
There is a legacy, telnet based access to the configuration layer.
Telnet is inherently unsafe since it transfers unencrypted passwords.
It is not recommended to use this.
Form build 04-5807 on, telnet access is disabled by default.
Previous builds can disable telnet access by specifying “/port 0” on the TELNET0 config file line.
Managing Accounts
All administrative functions are secured by account names and passwords.
It is strongly recommended neither to keep the default account nor the default password setting.
Access to VoIP resources
Access to VoIP resources (such as gatekeeper registrations and access to trunklines) can be secured by account and password.
If securing VoIP resources is an issues, make sure that all gatekeeper accounts are secured by a password.
You may even want to consider disallowing any registration without password, even from within the local area network.
This can be done in the “general settings” are of the PBX.
To protect your trunk lines from unintended access, make sure configure all gateways (GWxx entries) properly.
For gatekeeper type entries, make sure there is a password, for gateway type entries, make sure the configured netmask suits your needs.
Double check all routing entries to avoid unintended access e.g. to trunk lines.
PPP and PPTP
When using built-in dial-in (PPP, PPTP) interfaces, PAP, CHAP, MS-CHAPv1 and MS-CHAPv2 (since version 7) are supported.
PAP by design does not allow for password encryption and is thus not recommended.
The CHAP variations do support password encryption using MD4 and DES and are therefore reasonably secure.
There is no payload encryption available for PPP (that is, PPP over ISDN) and PPPoE (i.e. xDSL). However, using ISDN dialup, payload encryption is not really an issue. PPTP however features powerful payload encryption in addition to password encryption. It is using SHA-1 for session key encryption and RC4 up to 128bit for payload encryption. If payload encryption is an issue to you, you should check the “enable encryption” flag in the PPTP configuration. Keep in mind that payload encryption incurs computational overhead and the number of concurrent PPTP session the device can handle is reduced.
Using PPTP is an option if fully payload encrypted configuration access is a requirement (see above).
RAS Registrations
H323 user account passwords are obviously sensitive information.
Innovaphone devices feature RAS RegistrationRequest (RRQ) password encryption based on the H.235 standard.
SOAP Client account
SOAP clients (such as the TAPI driver or the Operator) require an account/password for authentication at the HTTP layer.
Although the devices admin account can be used for that, it is better practice to use the PBX user password for this.
For the HTTP credentials, you can use the PBX users “Name” as account and its “Password” as the password. You will use the “Long Name” as SOAP access user name.
When configuring the TAPI driver e.g., you would create a user with Long Name _TAPI_, Name tapi and a password.
You would then use tapi/password as Gateway Platform Access/Account/Password and _TAPI_ as PBX Access/Username.
SNMP
SNMP is only for monitoring and does not allow any configuration changes.
You may want to restrict the list of “accepted hosts” using the gateway applets SNMP area.
You may want to change the “community” to a non-standard value.
ISDN data calls
ISDN data calls are accepted by innovaphone devices as voice calls are and they are routed similarly.
Although innovaphone devices may be configured to terminate a data call and thus access the local network via dial-in, this option must be explicitly enabled.
Denial of Service attacks
Like any other network device, innovaphone devices may be a target for a denial of service attack.
It is therefore recommended, to protect against malicious access using standard firewall techniques.
However, innovaphone devices feature a built-in DoS filter which will discard unreasonable inbound traffic.
Also, it is based on a dedicated and proprietary operating system which is usually not a target for viruses and other malicious code.
Availability
Innovaphone devices have proofed to be very robust and reliable.
However, if availability is of utmost importance, redundancy options are available which allow for outstanding protection against loss of service.
Also, most innovaphone devices may be powered via power over Ethernet (PoE) which when combined with an uninterrupted power supply (UPS) ensure seamless operation even in the case of a local power failure.
PoE may be used concurrently with a local power supply.
In Service Release 3 we will implement a bunch of new security features (as Srtp,Ldap over Tls ,https, 802,1x)
please see our roadmap service below
[roadmap]