Security Checklist - Procomp Telecom Kft
1. Executed Yes L No U Not configured L Customer Comments and Reasons 2 5 Availability OpenScape Business was developed for high reliability This can be enhanced by measures in the infrastructure CL 17 Infrastructure Enhanced Availability OpenScape Business Measures e A possible weakness is electrical power supply Redundant power supplies can be used For countries with higher probability of power outages the optional PSU boards and battery packs or a separate uninterruptible power supply UPS for OpenScape Business and related components may be sensible Two or more independent public network trunks extend availability in case of carrier failures For the server based OpenScape Business components a server with redundancy can be used please see current release documentation Higher availability for OpenScape Business Servers is achieved by using a suitable virtual server environment Please note that excessive security scans may lead to reduced availability References For UPS boards see Service Manual 3 Needed Access Rights Information regarding system design Customer Comments Please describe measures taken and Reasons 3 IP Interfaces OpenScape Business X3 X5 X8 3 1 IP Interfaces and Ports Interfaces which are not used are deactivated by default and shall not be activated without explicit need The ports used with OpenScape Business can be found in 10 4 This information may be used for extern
2. OpenScape Business V1 Siemens Enterprise Communications SI E M E N S www siemens enterprise com Table of Content 1 1 1 2 1 3 2 1 2 2 22 22 2 22 2 2 4 22 5 2 2 6 2 3 2al 252 2 3 3 2 3 4 2 3 5 2 3 6 Zu 2 3 8 23 9 2 4 2 4 1 2 4 2 2 4 3 2 4 4 2 4 5 2 4 6 2 5 3 1 3 1 1 3 1 2 cape 3 1 4 3 2 al 32ed 2 20 ModaCar cea assescesepazsiucesucacecusessceacsseessnatescaseeaseueees 4 General ROMAY kS sip escssecsescstaceupsasesntccssscaustawsssuscatesaupsanasntccduacnastanasstccatessapsanasstcaauassustexassucdascasaes 4 History ol Chant sai cca ss vecevenevacnre ca sessivesiwance ess seaseotecsseussuseiwceseserasssessvacesicausssevestuceiioarsesssnsseene 5 Customer Deployment Over view cccccsscsssssesssosscccccccccccsssssssesesseeesssssonssccsccossccssssssssscsssessooes 6 OpenScape Business Hardening Measures in General ssssssscccccccsssssssssssccccscccssssseees 7 System Access Protection sscssssssecccccsssssccccccsssssececccssssseccccossssssecccecsssssccecossssssseeeccsssssseeeessso 9 Administra oesie Ea EE 9 OSM SCANS Business Assistant scree cacst ceiascisis Guests neeuisea cocci basianacieGeasastaavacenieeacesetonstecsauadelatevens 9 PP a a NV el Tatra ce caton cc Geen E EE A EEE R A EEES 11 ASEE E T O E E S 11 Smart Service Delivery Platform SSDP J ossrsssisrriseississsessinsisessonssss iatera deidos bs resa tariven oisi ainnis 11 Romol Access over VPN eiren E EER 11 Remote
3. and document in the Checklist how they can be aligned This ensures that security measures are appropriately considered and included in the Statement of Work to build the basis for the agreement between SEN and the customer who will be responsible for the individual security measures e During installation setup of the solution e During operation During installation and during major enhancements or software upgrade activities The Security Checklists ideally documented as described in step 1 are used to apply and or control the security settings of every individual product Update and Feedback By their nature security relevant topics are prone to continuous changes and updates New findings corrections and enhancements of this checklist are being included as soon as possible Therefore we recommend using always the latest version of the Security Checklists of the products that are part of your solution They can be retrieved from the partner portal Siemens Enterprise Business Area SEBA at the relevant product information site We encourage you to provide feedback in any cases of unclarity or problems with the application of this checklist Please contact the Baseline Security Office obso siemens enterprise com 1 2 History of Change 2013 04 03 1 00 1 3 Customer Deployment Overview This Security Checklist covers the product OpenScape Business V1 with its related optional applications OpenScape Business UC S
4. 1 Gbit Ethernet interfaces Only one is currently used for communication via customer infrastructure It provides all those IP services which are necessary for the OpenScape Business functionality Some IP services can be restricted if needed 4 2 1 SAMBA Share File Service A SAMBA share provides help files to the OpenScape Business clients It is also needed for first distribution of OpenScape Business client software and for system backup The directories are read only by default where possible The file service can be switched off if customer security policy requires that In this case the automated functions mentioned above are not available Distribution of client SW and help files has to be done manually by the administrator The necessary files are available via OpenScape Business Assistant at Service Center CL 27 SAMBA is deactivated option OpenScape Business Measure Deactivate SAMBA share 1 at Telephony gt Security gt SAMBA Share Needed Access Rights Customer Comments and Reasons 4 2 2 XMPP Interface The Extensible Messaging and Presence Protocol XMPP is used for presence federation and chat e g with Google Talk The OpenScape Business XMPP server offers encrypted and unencrypted communication Selection depends on the communication partner Communicate only with XMPP servers which support encrypted communication if instant messages and presence status has to be confidential In this case the default self
5. Access over ISDN 7 BR Me gasiscccssensecacesssacascewstedseespavasaennecadeanonaceaereeeeeeersercsaenes een aE a 12 Communication Access and Toll Fraud Protection cccccsccsssssssssssssssssssssssssssssssscees 12 VSR Bo in emu A TO OE sae E ne ee 12 OCA Busmess UC Smati sererai e aA EO ERANA ERNEA ARE 13 OpenScape Business Smart Voicemail ccccccceeeeeessssseeesseeseeeeseseeeeseeeeeeeseeeseeeeeeeeeeeeeegs 13 ASsociated Dialling and SElVICCS isos saccicysavceneasaasaeab aaa e aN EE A E 13 Direct Inward System Access DISA 0000cccccsesssseeesesseseseseeseeeeseseesesssesseeeeseeeesseseeeeeeeegs 14 MOD oare E se seaio sen ato se estates ate seas ee eee 14 B Tors ae it e aa a EE nem EDR Se E A oa at one MNES DONC TA EY Nate N E A 15 PICS SS to POI Screen E E E 15 DOE ODN acer eee a E EA E ee ee E E E O EERE 16 Confidentiality of Communications ssssssssssseececcccccccoossssssssccceccesoosososssssssssececeeeesssssssssssoe 16 Transmission via internal IP networks LAN sssssssssseseesssssssssssrrreeerrrnssssssssssssssssssrrerrrrreeees 16 Signalling and Payload Encryption ccccccccccccscseeceeeeeeeeceeceeeeeeceeceeeeceeeceeeceeeeeeeeeseeseeseeeeeeeas 16 IP Transmission with Public Networks ccccccccccsssssssssseeeececccceeeeeeeeesaueasesseeeeeeeeeeeeeeeeeeeeeaaaags 17 PPS Pal SUD SCH OLS arraren rnea EA ETR ensues seem E RA ER ENER ee 17 Networking for OpenScape Business
6. Password menu options 4 for password policy see 10 Needed Access Rights Customer Comments and Reasons 6 2 Mailbox Protection Along with these features it is important to explain the importance of safe mailbox code numbers to the customer that they should be kept confidential and that they protect by this voice messages and features out of the mailbox It is recommended to keep the default code number length of at least 6 digits All users have to change their mailbox PIN immediately This is enforced during the first mailbox access The mailbox PIN is also used for the WBM user role CL 38 Protect all mailboxes by individual PINs Xpressions Compact Measures e Each user is instructed to choose a strong PIN All group mailboxes and auto attendant mailboxes get a strong PIN References For password policy see 10 1 Note The setting is also accessible from within the Xpressions Compact WBM Needed Access Rights End user instructions Customer Comments and Reasons Maximum login attempts should be set to 3 to block brute force attacks Default CL 39 Set maximum login attempts to 3 Xpressions Compact Measures Check configure number In Manager E under Auxiliary equipment Integrated Voice Mail IVM IVM Additional Settings Additional Needed Access Rights Customer Comments and Reasons The measures described above block toll fraud but they also limit access to the following featur
7. a central BLF Server This Windows application is part of the product It uses by default TCP default port 3001 This port has to be accessible in all nodes see also 3 2 1 The number of simultaneously operated OpenScape Business Attendant applications is restricted by the installed number of licenses SW update is possible via Internet from a fixed IP address 7 5 OpenStage Gate View OpenStage Gate View is an integrated video surveillance application which displays pictures from up to eight cameras at OpenStage phones Display is also possible for mobile phones via app or web browsers using HTTPS Video recordings can be stored at the system or a network drive The administration of the Gate View application is done within OpenScape Business Assistant This includes user set up and monitoring of live pictures and recordings Appropriate measures should be taken to protect video streams and recordings against unauthorized access Note For picture display at mobile phones or external web browsers the port 443 has to be accessible from the Internet For risks of port forwarding see 3 2 1 CL 40 OpenStage Secure Access to Videos and Recordings Gate View Measures e Change the user names and passwords for all used cameras never use the well known default e Set up strong user names and passwords for user web access Instruct users to use strong individual passwords e Change the passwords for every camera web access e Define st
8. are embedded solutions OpenScape Business S and OpenScape Business UC Booster Server use a dedicated Linux server which has its own administration Protection from unauthorized access and breach of confidentiality has to be enforced through protection of all interfaces Xpressions Compact Card is an option for an integrated voicemail mobility and conferencing server with its own administration Special care has to be taken to protect the customer from toll fraud through call forwarding within mailboxes Desktop and Server PCs are used for communication clients and central components Admission control has to be implemented by suitable password provisioning with actual security updates and virus protection for all involved PCs Subscriber Devices e g OpenStage phones Software Clients provide the user interface to the phone including unified communications services On the user and terminal side security considerations have to be made for desktop and mobile phones as well as for soft clients and the devices they are running on Access protection in case of absence as well as restriction of reachable call numbers for protection against misuse and resulting toll fraud has to be considered Precondition We recommend strongly always using the latest released software in all components CL 1 All components Up to date SW Measures Up to date SW installed for OpenScape Business OpenScape Business i Booster Card OCAB i Not install
9. confidential CL 10 Change default PIN for DISA OpenScape Business Measures e The PIN used for DISA is the same as that for individual code lock see 2 3 8 It has to be set to an individual value by every DISA user A 5 digit sequence which cannot be guessed easily has to be selected References Change of default PIN see10 2 3 strong PIN see10 1 Default Service Code 93 Needed Access Rights Yes O No L DISA not used L Customer Comments and Reasons 2 3 6 Mobility The feature mobility allows calls and feature activation via OpenScape Business for authorized users from mobile phones The subscriber is identified through his transmitted phone number The devices which are registered for this service shall be protected from unauthorized access A small risk for toll fraud lies in pretending a registered calling number by fraudulent callers CLIP no screening possible via some VoIP providers Make sure to protect registered devices from unauthorized access e g PIN for mobile phones CL 11 Protect the devices registered for mobile access Mobile Devices Measures e Use call back for enhanced security e Inform Mobility users to protect registered devices from unauthorized access References 1 Needed Access Rights Advanced Expert End user instruction Yes UO No O Mobility not used L Customer Comments Callback Yes O No H and Reasons 2 3 7 Desk Sharing An office phone can be shared between several
10. external LDAP servers Set up strong LDAP password at OpenScape Business Assistant Expert mode UC Suite for the LDAP connector Needed Access Rights End User Information Configuration Expert Customer Comments and Reasons 4 2 5 Open Directory Service The Open Directory Service ODS is providing subscriber information from OpenScape Business to other applications and clients via LDAP The information is collected from internal and external databases Unauthorized access may disclose company directory data Notes e Port 389 has to be open for access to the integrated LDAP server within OpenScape Business Linux e For access to external SQL servers strong passwords shall be defined as well CL 31 Protect internal LDAP server access OpenScape Business Measures Set up strong LDAP password at OpenScape Business Assistant Open Directory Service for the integrated LDAP server References 1 Password policy see 10 1 Needed Access Rights Customer Comments and Reasons 4 2 6 CSTA Interface The Computer supported telecommunications applications CSTA interface allows monitoring and control of devices which are connected to OpenScape Business This functionality is used by OpenScape Business UC application as well as via CSTA interface or via TAPI 120 170 middleware by external 3 party CTI applications External applications are served via UC Booster Card or Server only Attackers with LAN access
11. users Desk sharing is activated by the system wide flag relocate allowed The feature can be blocked at dedicated phones if needed type non mobile and blocked CL 12 Protect the access of desk sharing users OpenScape Business Measures e A strong password has to be set up same as code lock see 2 3 8 See 10 1 10 2 Needed Access Rights No O Desk sharing not used L Customer Comments and Reasons 2 3 8 Access to Phones Especially for places with visitor access or with special functions it is recommended to protect the phone access by a code lock Special functions are for instance system phone lock COS changeover switch night mode associated dialling and silent monitoring call supervision as well as phone lock reset for other phones Code lock is handled via phone menu or key Flex Call call from any device with own authorization is protected by the code lock PIN as well CL 13 System phones Use code lock Measures e For HFA and TDM devices with danger of misuse code lock 1s used with an individual 5 digit PIN References Default service code 93 Rules for PIN see 10 1 Needed Access Rights Executed Yes H No QO Customer Comments and Reasons 2 3 9 Door Opener OpenScape Business X3 X5 X8 provides activation of door openers via phone Remote access to door stations which are controlled via DTMF might be a security risk CL 14 OpenScape Restrict authorization for door opener Bus
12. By default the HTTPS protocol is activated For mobile devices with low performance it may be necessary to use less secure HTTP instead This is also true for OpenStage V2 devices The individual UC Smart user password has to be changed before the Client can be used It is valid for the client as well as for the web based administration of the personal contacts and password It is recommended to keep the default password policy Force user to choose secure password in OpenScape Business Assistant and to set up a secure system wide initial password Note Port forwarding for port 8802 HTTPS or 8801 HTTP has to be activated to be able to use the Web Services via WAN see 3 2 1 UC Smart user administration communicates via port 8803 It is recommended not to open the port for external access To increase security for the internal LAN an external web proxy can be used 2 3 3 OpenScape Business Smart Voicemail Change the initial PIN to an individual safe value to secure mailboxes against unauthorized access and forwarding of external calls via mailbox Users have to change the 6 digit PIN at first use to an individual strong password from an internal phone Mailbox access is denied after 6 attempts with wrong PIN CL 8 Restrict calls out of voice mail Smart Voice Mail Measures Set Class of Service COS for the Smart VM ports to outward restricted for day and night service If call forwarding out of mailboxes is needed e g for
13. a strong PIN same as for SSDP 2 2 6 Remote Access over ISDN BRI Remote Access over ISDN BRI via incoming connection should be used only with call back See also 3 2 3 It can be activated by the customer for every single service task e g via phone 2 3 Communication Access and Toll Fraud Protection Toll fraud can lead to considerable phone charges The following measures have to be observed to protect against unauthorized calls through OpenScape Business 2 3 1 Class of Service OpenScape Business provides calls to external destinations either directly from the phone or through call forwarding or via 3 party call control This includes foreign and special call numbers with high charges The reachable call destinations shall be restricted to the necessary numbers for toll fraud protection This has to be considered also for Modem and Fax ports For calls which are controlled via UC Suite e g with Call Me or Conference a restriction can be defined for the route VSL in all COS groups CL 7 Toll restriction for devices OpenScape Business Measures Suitable Class of Service COS is assigned for every device via OpenScape Business Assistant Internal or outward restricted trunk access for devices where no external calls are needed emergency calls still possible Allowed Lists configured for well defined necessary business connections other destinations are blocked Denied Lists configured to block special numbers or countries as
14. al firewall configuration e g for network separation to increase security The OpenScape Business main board provides three 1 Gbit Ethernet interfaces Administration LAN WAN Special measures should be considered for some IP services 3 1 1 Administration Access with HiPath Manager E Limit access to the OpenScape Business administration port to the administrator s PC HiPath Manager E should only be able to communicate with the system from the administrator s machine It is usually protected by a numerical password only PIN CL 18 Restrict access with HiPath Manager E OpenScape Business Measures e Access to the Manager E port TCP port 7000 by default should be limited to the administrator s PC IP address This can be done through OpenScape Business Assistant application firewall configuration References Needed Access Rights Executed Yes C No C Customer Comments and Reasons 3 1 2 SMTP Interface The Simple Mail Transfer Protocol SMTP is used to send mails to users and administrators Encryption is recommended SMTP can only be used with encryption when the used mail server supports that CL 19 SMTP Interface secure OpenScape Business Mea e Secure communication is selected at WBM gt Service Center gt Email Forwarding TLS SSL References NETE oars RE Executed Yes O No O Deactivated UJ Customer Comments and Reasons 3 1 3 SNMP Interface The Simple Network Management Protocol SNMP c
15. an alternative least cost routing LCR may be used For UC Suite the route VSL is restricted to the necessary numbers in all COS groups e g with allowed or denied list in the same way as for trunk groups Further possibilities e Setup COS for trunk group connections which trunk group is allowed to connect with which trunk group in CON Group assignment and then CON Matrix Delete the call forwarding external flag for all devices which do not need it especially for devices within reach of external persons Disable the three Transit permission flags in system parameters if no transit traffic is needed Manual 1 Needed Access Rights Advanced Expert Customer Comments and Reasons Notes e All conducted calls are logged in the system and can be checked with an accounting tool For logging incoming calls the flag Log incoming calls in Call Charges gt Output format must be activated Internal node calls and transit calls are not logged e Alarms can be configured for an attendant console in case of trunk resources occupied from external external connections It is possible to release such calls toll fraud feature 2 3 2 OpenScape Business UC Smart OpenScape Business UC Smart is offered for use by the web based applications e myPortal Smart for desktop PC myPortal for Mobile Tablet myPortal for OpenStage OpenScape Business Application Launcher Customer specific applications
16. an be used for sending error messages from the OpenScape Business to the SNMP server by trap Form the standard security point of view this is unproblematic If the SNMP server sends get or set advices to OpenScape Business there may be a risk Thus in this case the SNMP interface should be configured more secure A community string is available in SNMP V1 V2 It is comparable with a user ID that allows access to data of a device The common community string names public and private should be changed into individual names As the community string is transmitted in clear text it can be eavesdropped easily Thus also IP addresses of systems that may contact OpenScape Business via SNMP shall be limited The SNMP V1 interface is not activated by default 1 e IP address is 127 0 0 1 Enable SNMP only if necessary CL 20 SNMP Interfaces secured OpenScape Business Measures e Restrict access for Read Write and Trap communities to defined IP addresses and define individual community names 1 chapter SNMP Yes U No U Deactivated L Customer Comments and Reasons 3 1 4 LDAP Interface The Lightweight Directory Access Protocol LDAP is used for access to external databases Unauthorized access may disclose company directory data The interface is disabled by default CL 21 LDAP Server Protect LDAP access e Set up strong LDAP password at LDAP Server and OpenScape Business Administration manual LDAP Server 1 Needed Acces
17. and CSTA knowledge might exploit this interface to initiate calls CL 32 Disable or limit CSTA access OpenScape Business Measures e Limit access to specific servers using application firewall or block access if not needed see 3 2 2 Needed Access Rights Expert Customer Comments and Reasons 5 OpenScape Business S UC Booster Server Option If OpenScape Business S or UC Booster Card Server is not part of the solution please continue with chapter 6 OpenScape Business S is the UC soft switch which runs on a standard server with Suse Linux Enterprise Server SLES operating system It has basically the same features and IP interfaces as OpenScape Business X3 X5 X8 but no WAN interface router and VPN is supported within OpenScape Business OpenScape Business Booster server is used instead of the integrated OpenScape Business UC Booster Card for higher subscriber or traffic ranges It has its own web based administration Relevant differences regarding administration and interfaces are described in this paragraph 5 1 Server Administration OpenScape Business S Booster Server is running on SLES 11 operating system which is administrated independently The administrator of the server has root rights which are have to be protected The same rules as for OpenScape Business X3 X5 X8 apply for the web based local and remote administration of the OpenScape Business itself see 2 2 The server PC for OpenScape Business shall
18. be kept protected as much as possible see also 2 1 Notes Security threat through viruses is considered to be low in a protected environment for the Linux based OpenScape Business S or Booster Server There is a risk of degradation of real time performance by Anti Virus software For customers whose policy requires Anti Virus software in any case the Trend Micro software ServerProtect for Linux can be used A SLES Appliance solution is under evaluation to be used instead of the standard SLES operating system This may affect the SLES SW update CL 33 Protect OpenScape Business Server Operating System OpenScape Business Suse Linux Enterprise Server SLES Server PC Measures Automatic SLES update is activated at installation Secure and confidential root password implemented No user accounts in addition to the original settings The root account should have no additional rights in the customer network and the server should not be used for other applications Needed Access Rights Yes L No O Not part of solution U Customer Comments and Reasons 5 2 IP Interfaces Server Only the IP services which are needed for OpenScape Business operation are activated in the Linux Firewall during installation It is strongly recommended not to open additional ports If it is required to close some ports which are not essential and not used in the specific customer installation this can be done within Linux After an OpenScape Busin
19. can currently not be secured This is also true for SIP client and ITSP calls CL 15 OpenScape Signalling and Payload Encryption Business Measures System wide flag SPE support activated Payload Security activated for all relevant subscribers SPE CA Certificate and SPE Certificate imported to OpenScape Business If no customer certificates are available self signed certificates can be generated TLS has been selected for transport on the IP end points HFA WBM or device configuration interface DLS DLI Make setting if gateway calls e g with ISDN PRI trunk are considered as secure This influences the display at the phones Enable certificate handling alarms In WBM Check that an e mail is sent to the administrator when events involving SPE certificates occur Maintenance gt Events Reaction Table MSG SPE CERT xxx References Provision of certificate see also 10 3 Manual 1 Needed Access Rights Customer Comments and Reasons 2 4 3 IP Transmission with Public Networks VoIP access to public networks ITSP is based usually on a user account and password delivered by the provider This data is entered at the OpenScape Business administration and has to be kept confidential For extended security a provider with a dedicated line or secure VPN access is recommended 2 4 4 External Subscribers External subscribers like tele workers or mobile workers shall be connected via VPN to protect confidentiality and to av
20. cccccccccccccceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeey 17 IPH ACY EE sess cova E E E E TAEA E ATE A A amevas E ease 17 PAE A EEIE A NE E IE EAA A N E AE A E AT 18 IP Interfaces OpenScape Business X3 X5 X8 sssssssssccccccssssssccccccccsccsssssssccccsssessssscess 19 TAA E E a e E E T A E E E T E A E E 19 Administration Access with HiPath Manager E ccccccesssssssessessssessesseeeessessseseeeeeeeeeees 19 OMEP T 2 lt n em eee E O E E E O EEE 19 ea MRa i e PETE S E EIE A A A E TT T E E E 19 LDAP TO CO a E E A 20 Preval cnn a E E E A 20 POC ODON ra n E S E E E N NS 20 APPC Fre Vy A gia A E A E EA E E 21 PSTN Pecers Commanicat ON ss acre pcarsey AEEA sa an eae A aweaeereseeed 22 3 3 4 1 4 2 4 2 1 4 2 2 4 2 3 4 2 4 4 2 5 4 2 6 5 1 5 2 6 1 6 2 6 3 7 1 7 2 7 3 7 4 ve 10 10 1 10 2 10 2 1 10 2 2 10 2 3 10 2 4 10 2 5 10 3 10 4 10 5 Secure Tunnel VPN csccsorrcsrisisssrisuseresosuicdscocuvevasedsidesriseshra niine i aaciaee areca idub iiait 22 OpenScape Business UC Suite Option ssscceccceccccccsoscccccccceccccccccccsoooscccccccccecececceesoosssssseees 24 OpenScape Business UC CMGI ts seisirsssntsocsnssssennisseuinnen kar ubres n ninn REENE E EEEE EEEa 24 IP Interfaces UC Booster Card vs ssssscsssasssisssccseccsssessusssacssceacstasiosscsssonseiesesssaassuvscnasnceacseeveescecs 25 SAMBA Share File Service sige ssedcacsccansnsicseaeousseasandevaaliastewnniwass
21. ed Xpressions Compact Card Not installed HiPath Manager Not installed PCs Servers OpenScape Business S Not installed OpenScape Business UC Booster Server Server for TAPI N ot install e d Not installed Devices OpenStage phones Other Not installed Clients OpenScape Business l Not installed O myPortal myAttendant l s myAgent OpenScape Business Attendant i Not installed L OpenScape Personal Not installe d C Edition other Not installed L Customer Comments and Reasons The following chapters list the recommended measures for the OpenScape Business V1 solution 2 1 System Access Protection The administration of the system and the involved components has to be protected from unauthorized access This includes the following aspects Authentication of every user user name password digital certificates Authorization roles and privileges Audit activity log Fixed or easy to guess passwords are a serious security risk In any case individual and complex passwords must be used for all users Every user shall only get those rights or roles which are necessary for him Access to central components like OpenScape Business appliance server or LAN switches and routers shall only be possible for technicians and administrators This protects the system against direct access via administration port or USB interfaces Personal data commun
22. eenueeddsbaaandelsseliodseaicnsmsesoeauceadwetlont 25 A MPEP TI ICE area reduce A EE evento EEE EE A ERA EN 25 MIP er E re S 26 EDAP TAG a A sociosaossadacctasatonsedvaans gear esos des vad A AAAA EA E 26 Open Directory DOrViOE moraer a a ee RE ee 26 CLA ih a E EE EE E E I N EEE E EAA AE EET 21 OpenScape Business S UC Booster Server Option sssssssssecccccccccccsssosssssseccceceecocossssse 28 Server Administration scssi onneen anauen Ka reina ETENE nia EEN a 28 IP Tnterlaces SCrver siiicssnsestecosctdscasscssinceustibvesaceabacerstescencliceceusasiaconstidcasuctisosaneldesisncisincsssuiiesss 28 Xpressions Compact Card Option ssssssessisscscivecsacecsassssescvocssesstsvescsecevececwasscseesvercsevessoesesevenes 29 Administration Xpressions Compact Carrd ccccsssssssscccccccssssssssssssssssssssssssssccccccssssees 29 Matl box Protection scesescascitcsccasstessteaisctecsensanascerssccuaes ts suenaseneecdevsntescoussdsussyisiuansiediesiuesadecsousacces 30 IP Interfaces Xpressions Compact Card ccccccccscssssssssscsssssscssssccccccccsssssssssssssssssssssssssssecs 31 Forther COMMON CIS oes ccccecsyatescdesersa cesuscesancscceaseructeadecseredecvcetesctssusesseeescestecsesesceseecestaucssesceseues 32 OpenScape Business Cordless HiPath Cordless IP DECT ssssssssesccccsceesssscees 32 Wireless LAN WW LAIN sesssessssosssesssessscosssocsssesssessssesssesoseosssesssessseosssesssesossososesssessssossses
23. es Call back external party from voice mailbox Message notification call to external destination Call forwarding to substitute number Auto attendant for external destinations Xpressions Mobility Xpressions Conference If those features are needed the OpenScape Business COS for the IVM ports has to be extended with care e g to allow only local or national calls 6 3 IP Interfaces Xpressions Compact Card The LAN interface of Xpressions Compact Card is used for Voice mail to E Mail Web based Management customer super user and service Service tasks like fast SW update Several IP ports and services are used for HiPath Xpressions Compact which cannot be administrated Please make sure that access to the LAN interface of Xpressions Compact Card is not possible from unauthorized devices and especially from the Internet Note The application firewall in Manager E to protect specific IVM interfaces is currently not available 7 Further Components All released applications and components are documented in the OpenScape Business V1 sales information or current release note Please take into account the product specific security checklists for all components which are included in the solution 7 1 QOpenScape Business Cordless HiPath Cordless IP DECT For unsecured and inappropriate configurations eavesdropping attacks at DECT devices have been reported The following has to be observed to impede such attacks Encryption i
ess restart, the integrated rules are activated again; additional rules are not changed.

6 Xpressions Compact Card Option

If the Xpressions Compact Card is not part of the solution, please continue with chapter 7.
Inadequate handling of mailbox passwords by customers increases the risk of toll fraud. This can happen via the use of the substitute, auto attendant or call back feature. In order to avoid such issues, the measures described below must be taken.

6.1 Administration Xpressions Compact Card

Outgoing traffic should be blocked from Xpressions Compact for day and night service by setting all IVM ports to the system class of service (COS) "Outward restricted" from HiPath Manager E.

CL 34: Limit the IVM ports' class of service to "Outward restricted" (Xpressions Compact)
Measures:
• In HiPath Manager E under Classes of Service > Station, check that the default COS group is "Outward restricted".
• In day and night service the class of service is set to "Outward restricted".
• If Least Cost Routing is active, "Class of Service at LCR" > Dial Plan has to be activated (default).
Needed access rights:
Customer comments and reasons:

Also, the default class of service for IVM mailboxes should be set to COS3 instead of the default COS if the feature "call forwarding to substitute" is not needed.

CL 35: Limit the IVM mailbox class of service to COS3 (Xpressions Compact)
Measures:
• In HiPath Manager E under Auxiliary equipment > In
hones. The same passwords as for HiPath Manager E are applicable. Assign the first two system phones (HFA) to administrators or trusted users. Do not deploy those phones in places with visitor access.

2.2.4 Smart Service Delivery Platform (SSDP)

The Smart Services Delivery Platform connects SEN systems via a secured Internet connection to the SEN Remote Service Infrastructure. This can be used by authorized sales and service partners. OpenScape Business establishes a secure, authenticated connection. SSDP is the most secure way for remote administration and should be used wherever possible. In addition, SSDP can be activated by the customer for every single service task, e.g. via phone.

CL 6: Secure remote administration through SSDP (OpenScape Business)
Measures:
• Activate remote access via SSDP.
• Define a strong PIN for activation/deactivation by phone (activation and PIN code at Service Center > Remote Access).
Executed: Yes [ ] No [ ] not applicable [ ]
Customer comments and reasons:

2.2.5 Remote Access over VPN

Direct unprotected access from the Internet must not be used, as this brings high risks from Internet attacks. A secure tunnel shall be used for remote administration via IP when SSDP is not available. This can be implemented via OpenScape Business X3/X5/X8 or via an external VPN router (see also 3.3). The integrated access can be activated by the customer for every single service task, e.g. via phone. This shall be protected with
ication data and communication content like voicemails are stored in the communication solution. Confidentiality has to be assured through protection of the administration access. Backup data on external drives or servers has to be safeguarded as well, e.g. by passwords.

2.2 Administration

Secure communication for local and remote administration access is especially important.

2.2.1 OpenScape Business Assistant

Access to the OpenScape Business Assistant is web based and is always encrypted via HTTPS. A self-signed server certificate for HTTPS encryption is delivered by default. This has to be accepted as trusted by the user in the browser. Note that such a certificate provides encryption only: the browser cannot distinguish the genuine system from an attacker presenting another self-signed certificate. For server authentication and protection against man-in-the-middle attacks, an individual certificate is necessary which relies on a root certificate authority. This enables the browser used for administration to set up a secure end-to-end connection with OpenScape Business.

CL 2: Customer-specific SSL/TLS certificate (OpenScape Business)
Measures: (…) name or IP address, and activate it for the administration access. Information about the customer certificate can also be found in Addendum 10.3.
Needed access rights:
Executed: Yes [ ] No [ ]
Customer comments and reasons:

A new password for the OpenScape Business Assistant has to be entered after first start. Please observe the password recommendations for all users.

CL 3: Add OpenScape Business Assistant accounts (OpenScape Business)
Measures: Implement the necessary user accou
icemail from phone. Change is requested at first logon.
• Sharing PIN (6-digit number): Flex call PIN.
• PIN (number): HF client access for Smart UC; user- or system-specific number; password defined by the administrator.

10.2.4 Xpressions Compact Card
User/role | SEN default PW (to be changed immediately) | Description
1. Administration | 31994 | Same as for Manager E
2. … | 12345678 | Change is requested at first logon
3. … | 1234 | Change is requested at first logon

10.2.5 OpenStage Gate View
User/role | SEN default PW (to be changed immediately) | Description
1. admin | — | Access via OpenScape Business Assistant as Expert
2. … | optional | Initial value defined by admin

10.3 Certificates

Please define here which certificates are used.
Interface | Customer requirement | Default | Usage
HTTPS | | SEN default certificate | Server authentication for web-based administration (OpenScape Business Assistant) and web services (myPortal)
Lightweight CA | | | Calls with HFA phones, remote access
Please make sure that pre-shared keys and certificates are stored and transmitted confidentially.

10.4 Port List

A current list of the ports used with OpenScape Business can be found in the appendix of the Administration Manual [1] or via the SEN Partner portal (SEBA) at the menu item Support > Interface Management (IFMDB).

10.5 References

Link to OpenScape Business V1 Product Information: https://enterprise.businessarea.siemens-enterprise.com/producti
iginal device. For HFA devices, activation of authentication is recommended.

CL 43: HFA device authentication activated (option) (OpenScape Business and HFA devices)
Measures: Activate authentication in the OpenScape Business Assistant and set up the related passwords in the phones [1] (Phone Administration Guide, 10.1).
Needed access rights:
Customer comments and reasons: System-specific PIN [ ] device-specific PIN [ ]

For SIP devices, authentication must be used in OpenScape Business to protect against registration of unauthorized devices. This applies also to HiPath Cordless IP devices and SIP terminal adapters. Increasing SIP attacks may lead to toll fraud or service degradation. As SIP is a widely used standard, the threat is higher than for HFA phones.

CL 44: SIP device authentication activated (OpenScape Business and SIP devices)
Measures:
• Authentication is activated for all SIP subscribers, with strong passwords.
• An individual password is used for every device, so that not the whole system is compromised if one phone is lost.
• The SIP user ID is different from the call number, e.g. by using a system-specific prefix [1] (10.1).
Needed access rights:
Customer comments and reasons:

10 Addendum

10.1 Recommended Password Policy

These are the recommended criteria for the selection of passwords or PINs (numerical passwords). Please implement them unless other company-specific rules are defined at the customer site.
Criteria (password / PIN):
• Minimal length
• Maximal
iness
Measures:
• Authorization is assigned only to those stations where it is necessary (Door Release DTMF flag, see manual [2]).
Needed access rights: Manager E (Service)
Customer comments and reasons: List of stations

2.4 Confidentiality of Communications

2.4.1 Transmission via internal IP networks (LAN)

For the internal IP network, the requirements according to the administrator documentation have to be met. Access to central components like switches and routers shall be restricted to technicians and administrators. A logical or physical decoupling of the voice and data network should be considered, depending on the existing infrastructure. The IT service provider of the customer may have to be involved.
In networking scenarios some information, like system database, CTI and UC networking information, is transmitted unencrypted. Data may be disclosed if unauthorized persons get LAN access. For security-critical environments this may not be appropriate, and separate TLS connections may be necessary.

2.4.2 Signalling and Payload Encryption

For confidentiality and integrity of VoIP communication, the activation of signalling and payload encryption (SPE) shall be considered. Calls with HFA phones and conferences can be secured. This includes SIP-Q network calls with other OpenScape Business, HiPath 4000 and OpenScape Voice systems. Other connections where the OpenScape Business UC application is involved in the payload (e.g. for call recording
l remote user, remote administrator or networking connections are secured with VPN. If necessary, implement VPN.
Needed access rights:
Executed: Yes [ ] No [ ] No networking / no remote access [ ]
Customer comments and reasons: Pre-shared key [ ] Certificates [ ]

4 OpenScape Business UC Suite Option

If the OpenScape Business UC Suite is not part of the solution, please continue with chapter 5.
The OpenScape Business UC Suite offers extended functionality and can be used instead of UC Smart. The OpenScape Business UC Suite and the CSTA interface are provided by the optional OpenScape Business UC Booster Card or by the OpenScape Business UC Booster Server. The administration of the OpenScape Business UC Booster Card is integrated with the base system. For differences when using the OpenScape Business UC Booster Server see chapter 5. For general PC and server security requirements see chapter 8.

4.1 OpenScape Business UC Clients

The OpenScape Business UC Suite delivers unified communication with personal attendant and Contact Center clients. Passwords according to the password rules have to be used. For the PC-based communication clients an alphanumerical password would be possible. In most cases access to voice mail from normal phones is also needed; to cover that use case a numerical password (PIN) has to be selected. The minimum recommended and default length is 6 digits.
The following OpenScape Business client applications are available: myPortal f
myPortal for Mobile, auto attendant or notification call, the COS shall be extended carefully, and only to those destinations which are allowed to be reached. If Least Cost Routing is active, "Class of Service at Routing" > LCR > Dial Plan must be activated (default).
References: for the change of the default PIN see 10.2; Manual [1], Expert Mode, Classes of Service.
Needed access rights:
Customer comments and reasons:

2.3.4 Associated Dialling and Services

Associated dialling/services allow e.g. call setup or activation of call forwarding for other stations. Assign rights only to subscribers who need them, to avoid misuse.

CL 9: Restrict associated features (OpenScape Business)
Measures:
• Enable the station flag only for users who need the function.
• Inform the concerned users about handling and security risks.
References: Manual [1]
Needed access rights: Advanced/Expert; end user instruction
Customer comments and reasons: The following users are enabled for associated dialling:

2.3.5 Direct Inward System Access (DISA)

The DISA feature allows call setup to external destinations and feature programming from external, e.g. for call forwarding. Unrestricted access to DISA could be used by unauthorized parties for toll fraud. Access to DISA should be restricted. If DISA is not used, no DISA number must be configured. The feature shall be enabled only for users who need the function, and DISA users shall be informed to keep the PIN
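The class-of-service checks above (CL 34/CL 35 for IVM ports, the carefully extended COS for auto attendant or notification calls, and DISA) all come down to the same question: which external destinations may a given port or mailbox reach? The following is an added example, not code from the checklist or from the product, that models this as a small dial-plan classifier so a planned COS assignment can be tested on paper before it is entered in Manager E. The dial plan is an assumption (German-style: "00" or "+" international, leading "0" national, anything else local; 110/112 as emergency numbers reachable from every class), and the COS names and port labels are illustrative. The real class-of-service table and LCR dial plan of the installation take precedence.

```python
"""Added example: simulate class-of-service decisions for external destinations.

Assumed dial plan (not from the checklist): digits are those dialled after the
trunk has been seized; "00"/"+" = international, leading "0" = national,
otherwise local; 110 and 112 are emergency numbers allowed from every class.
"""
import enum


class Cos(enum.IntEnum):
    """Ordered classes of service; a wider class includes the narrower ones."""
    OUTWARD_RESTRICTED = 0   # no external calls at all (CL 34 default for IVM ports)
    LOCAL = 1
    NATIONAL = 2
    INTERNATIONAL = 3


EMERGENCY = {"110", "112"}   # assumed German emergency numbers


def _digits(number):
    return number.replace(" ", "").replace("-", "")


def classify(number):
    """Map a dialled external number to the COS needed to reach it ('emergency' is special)."""
    n = _digits(number)
    if n in EMERGENCY:
        return "emergency"
    if n.startswith("+") or n.startswith("00"):
        return Cos.INTERNATIONAL
    if n.startswith("0"):
        return Cos.NATIONAL
    return Cos.LOCAL


def cos_permits(cos, number, allowlist=()):
    """True if a port/mailbox with class `cos` may call `number`.

    `allowlist` holds destination prefixes that are allowed regardless of class,
    e.g. the substitute number or the few external notification targets the
    checklist says the COS may be extended for. Emergency numbers always pass.
    """
    cls = classify(number)
    if cls == "emergency":
        return True
    n = _digits(number)
    if any(n.startswith(_digits(p)) for p in allowlist):
        return True
    return cos >= cls


def audit_port_cos(port_cos, required=Cos.OUTWARD_RESTRICTED):
    """Return the ports whose configured class is wider than `required` (the CL 34 check)."""
    return sorted(port for port, cos in port_cos.items() if cos > required)


if __name__ == "__main__":
    # Constructed sample: four IVM ports, one of which was left at NATIONAL.
    ivm_ports = {"IVM-1": Cos.OUTWARD_RESTRICTED, "IVM-2": Cos.OUTWARD_RESTRICTED,
                 "IVM-3": Cos.NATIONAL, "IVM-4": Cos.OUTWARD_RESTRICTED}
    print("ports wider than outward restricted:", audit_port_cos(ivm_ports))
    for dest in ("112", "1234", "089 1234", "0049 89 1234"):
        print(dest, "->", classify(dest), "| notification allowed from NATIONAL:",
              cos_permits(Cos.NATIONAL, dest))
```

Running the sample flags IVM-3 as the only port that needs to be set back to "Outward restricted"; the second loop shows that a NATIONAL class still blocks the international number while an allowlist entry can open exactly one substitute destination without widening the whole class.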
nd system-independent phones and clients, e.g.:
• OpenStage T (TDM)
• OpenStage HFA (IP, full system feature set)
• OpenStage SIP (IP, standard SIP protocol)
• OpenScape Client Personal Edition (IP soft client)
Please observe the product-related security checklists and/or administration manuals. For OpenStage HFA devices compare checklist [7]. Use released devices according to the current sales information only.
It is recommended that the administration access to the devices is protected by individual passwords. Do not keep the initial value.

CL 42: Administration access protected by a strong password/PIN (all phones and voice clients)
Measures: Change the password at the phone or via the phone WBM.
References: Phone Administration Guides and 10.1
Needed access rights: admin
Customer comments and reasons: System-specific PIN [ ] device-specific PIN [ ]

Note for IP phones: The web-based HPT tool allows displaying and operating the phone interface from a remote PC for service purposes. Precondition is the download of a dongle key to the phone by the administrator and, for observation sessions, the agreement of the phone user. Access is protected by the password above. The dongle key can be disabled if not needed.
In addition, the registration of an IP device with OpenScape Business shall be protected by an individual password. This prevents bringing a new device with a known call number into the network which would take over the part of the or
nfo producthomepageservice jsp mainTab external_productversion & view spp & phase home & pvid 5 15258 & portal ViewLeftNavigation productinformation
[1] OpenScape Business V1 Administrator Documentation, available via e-Doku or SEBA Portal (product information)
[2] HiPath Manager E Administrator Documentation, available via e-Doku or SEBA Portal (product information)
[3] OpenScape Business V1 Service Manual, available via e-Doku or SEBA Portal (product information)
[4] Xpressions Compact Installation and Administration Manual, available via e-Doku or SEBA Portal (product information)
[5] Support of Operating System Updates for Server Applications: http wiki siemens enterprise com images c cO Security_Policy_ Support of Operating System Updates for Server _Applications pdf
[6] Support of Virus Protection Software for Server Applications: http wiki siemens enterprise com images 2 21 Security Policy _ Support of Virus Protection Software for Server _Applications pdf
[7] Security Checklist OpenStage V2 Phones: https enterprise businessarea siemens enterprise com productinto document Fz Eyz tRHM OpenStage 20SIP 20V2 20Installation s20Guide 20 20Security 20Checklist pdf
[8] OpenScape Business V1 Installation Linux, available via e-Doku or SEBA Portal (product information)

About Siemens Enterprise Communications

Siemens Enterprise Communications is a leading global provider of unified communications (UC) solutions and network infra
nts for the roles
• Basic
• Advanced
• Expert
with strong individual passwords, and list all needed user accounts in addendum 10.2.1. See Manual [1]; for passwords see chapter 10.1.
Needed access rights: Advanced/Expert
Customer comments and reasons:

A strong PIN code shall be defined for activating the system shutdown. This PIN is used when activating the system shutdown from a system phone.

CL 4: PIN for shutdown from phone (OpenScape Business)
Measures: Configure a strong PIN via OpenScape Business Assistant, Expert Mode > Maintenance > Restart/Reload > Enable/disable shut down.
Reference: Strong PIN see 10.1; how to change the PIN see manual [1].
Needed access rights:
Executed: Yes [ ] No [ ]
Customer comments and reasons:

2.2.2 HiPath Manager E

For special administration tasks a PC SW tool is provided which has its own access control. Use only the variable password concept for HiPath Manager E. The fixed password concept must not be used. For details see [2]. The password has to be numerical if administration via telephone is needed.

CL 5: Change initial passwords (HiPath Manager E)
Measures: Select strong passwords for all users in all roles.
Reference: Strong PIN see 10.1; list of default PINs see 10.2.2; how to change users, roles and PIN see Manual [2].
Needed access rights:
Executed: Yes [ ] No [ ]
Customer comments and reasons:

2.2.3 Assistant T / TC

Administration by phone is always possible from the first two system p
number of consecutive identical characters (e.g. bbb, 333)
• Maximal number of sequential characters in increasing or decreasing order (e.g. abc, 123, 987)
• Password history: the latest used passwords must not be used again
• Minimum number of changed characters for a changed password
• Do not use trivial or easy-to-guess passwords.
• Take care that password entry cannot be observed.
Currently there is no enforcement of these rules within OpenScape Business. All users have to be instructed to comply with the password policies and are responsible for their observation. For UC Smart clients, unsafe passwords are rejected by default.

10.2 Accounts

Here the accounts for OpenScape Business, including user accounts of systems that can access OpenScape Business, are listed.

10.2.1 OpenScape Business Assistant
User/role | SEN default PW (to be changed immediately) | Description
1. … | | Change is requested at first logon
2. Expert | | Will be set up by the administrator
3. Basic (optional) | |

10.2.2 HiPath Manager E
User/role | SEN default PW (to be changed immediately) | Description
1. … | 31994 | Administration of OpenScape Business for special tasks
2. office | 633423 | Administration of selected items by the customer, usually done with OpenScape Business Assistant
3. Customer | 633423 | Administration of selected items by the customer, usually done with OpenScape Business Assistant

10.2.3 Clients
User/role | SEN default PW (to be changed immediately) | Description
1. <phone access number> | 1234 | OpenScape Business UC Suite clients and access to vo
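Because the checklist states that OpenScape Business does not enforce the 10.1 rules, a service technician has to check chosen PINs and generate device credentials by hand. The block below is an added example (not part of the checklist and not product code) that implements the 10.1 criteria as a checker, draws random numeric PINs that pass it, and derives per-device SIP credentials in the form CL 44 asks for (system-specific prefix in the user ID, an individual password per device). Every numeric threshold (minimum length 6, maximum 8, at most two identical or sequential characters in a row, five remembered passwords, two changed characters) is an assumption standing in for the customer-specific values the checklist leaves open, as are the prefix and extension numbers in the sample.

```python
"""Added example: checker for the 10.1 password/PIN policy plus SIP credential generation.

All thresholds below are assumed defaults; replace them with the customer's policy.
"""
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PinPolicy:
    min_length: int = 6          # assumed; 6 digits is the checklist's default client PIN length
    max_length: int = 8          # assumed; e.g. the Xpressions super user PIN is limited to 8
    max_identical_run: int = 2   # assumed: "bbb" / "333" is rejected
    max_sequential_run: int = 2  # assumed: "abc" / "123" / "987" is rejected
    history_size: int = 5        # assumed: previous secrets that must not be reused
    min_changed_chars: int = 2   # assumed: positions that must differ from the previous secret
    trivial: frozenset = frozenset({"0000", "1111", "1234", "4321", "123456", "654321", "admin", "password"})


def longest_identical_run(s):
    best = run = 1 if s else 0
    for a, b in zip(s, s[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best


def longest_sequential_run(s):
    """Longest run where each character is +1 or -1 from the previous one, in one direction."""
    best = run = 1 if s else 0
    direction = 0
    for a, b in zip(s, s[1:]):
        d = ord(b) - ord(a)
        if d in (1, -1):
            run = run + 1 if d == direction else 2   # a change of direction starts a new 2-char run
            direction = d
        else:
            run, direction = 1, 0
        best = max(best, run)
    return best


def changed_positions(new, old):
    """Positions that differ between new and old; a length difference counts as changed positions."""
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))


def check_pin(candidate, history=(), policy=PinPolicy(), numeric=True):
    """Return the list of policy violations; an empty list means the candidate is acceptable.

    history: previous secrets, most recent first. numeric=True is for secrets that
    must also be dialled from a phone (mailbox PIN, Manager E password).
    """
    problems = []
    if numeric and not candidate.isdigit():
        problems.append("must be numeric (used as a phone PIN)")
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if len(candidate) > policy.max_length:
        problems.append(f"longer than {policy.max_length}")
    if longest_identical_run(candidate) > policy.max_identical_run:
        problems.append(f"more than {policy.max_identical_run} identical characters in a row")
    if longest_sequential_run(candidate) > policy.max_sequential_run:
        problems.append(f"more than {policy.max_sequential_run} sequential characters in a row")
    if candidate.lower() in policy.trivial:
        problems.append("trivial / easy to guess")
    recent = list(history)[: policy.history_size]
    if candidate in recent:
        problems.append("reused from password history")
    elif recent and changed_positions(candidate, recent[0]) < policy.min_changed_chars:
        problems.append(f"fewer than {policy.min_changed_chars} characters changed from the previous secret")
    return problems


def generate_pin(policy=PinPolicy(), length=None, history=()):
    """Draw random digits (secrets, not random) until the PIN passes check_pin."""
    length = length or policy.min_length
    while True:
        pin = "".join(secrets.choice(string.digits) for _ in range(length))
        if not check_pin(pin, history, policy):
            return pin


def provision_sip_accounts(extensions, system_prefix, password_length=16):
    """One SIP account per extension as CL 44 asks: user ID = prefix + extension (never the
    bare call number) and a unique random alphanumeric password per device."""
    alphabet = string.ascii_letters + string.digits
    sip_policy = PinPolicy(min_length=password_length, max_length=64)
    accounts, used = {}, set()
    for ext in extensions:
        user_id = f"{system_prefix}{ext}"
        assert user_id != ext, "SIP user ID must differ from the call number"
        while True:
            pw = "".join(secrets.choice(alphabet) for _ in range(password_length))
            if pw not in used and not check_pin(pw, policy=sip_policy, numeric=False):
                break
        used.add(pw)
        accounts[ext] = {"sip_user_id": user_id, "password": pw}
    return accounts


if __name__ == "__main__":
    for pin in ("123456", "777123", "857391"):
        print(pin, check_pin(pin) or "ok")
    print("new mailbox PIN:", generate_pin())
    print(provision_sip_accounts(["100", "101"], system_prefix="pbx7-"))   # prefix is a constructed sample
```

The sequential-run test compares ordinals, so it catches "abc", "123" and "987" alike; the history check looks only at the most recent secret for the minimum-change rule, which is how the rule is usually read. The generated SIP passwords are alphanumeric because SIP devices register over IP and never need to dial them, while mailbox PINs stay numeric so that they work from a phone.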
oid misuse of the subscriber access by unauthorized persons. With VPN an encrypted tunnel is set up for the communication. This can be done by OpenScape Business X3/X5/X8 or by an external VPN router. For VPN details see chapter 3.3.

2.4.5 Networking for OpenScape Business

Protection of the IP connections for networking between different sites by VPN is strongly recommended, to ensure confidentiality and to avoid misuse by unauthorized persons. This can be done by OpenScape Business X3/X5/X8 or by an external VPN router. Voice communication, UC communication, DSS server signalling and administration take place via IP networking. For VPN details see chapter 3.3.

2.4.6 Privacy

Some common features allow listening into a room via telephone or monitoring of phone calls. Among those are room monitoring, speaker calls with direct answering, override and call recording. They should be activated only for subscribers who need them. Keep the predefined alerting tones and use them in accordance with country and company regulations. Please be aware that also with conference and open listening other persons may hear a phone conversation unnoticed.

CL 16: Change the service code for room monitoring (OpenScape Business)
Measures:
• If room monitoring is configured in the system, define a service code of the maximum length (5 digits) which cannot be guessed easily.
References: Manual [1]; for activating/deactivating the feature system-wide see [2].
Needed access rights:
or Desktop, myPortal for Outlook, myPortal for Mobile/Tablet, myPortal for OpenStage, OpenScape Business Fax Printer, myAgent, myReports, myAttendant.
Client applications provide, amongst others, rule-based call forwarding and automated attendant or conferences. This could be misused for toll fraud if unauthorized persons get access to the applications. To protect from unauthorized access, the general password rules have to be followed for the client software and for the devices on which it is running.
Notes:
• Unauthorized access to the call journal and log files on the client PC may disclose the individual communication history of the user.
• The clients provide call recording for calls and conferences. This can be disabled system-wide within the OpenScape Business Assistant.
• Callback out of voicemail is possible by default only from specific call numbers configured for the user. Please be aware that changing this setting brings a residual risk of misuse by fraudulent callers.

CL 26: Change the password for myPortal, myAgent and myAttendant and protect the devices where they are running (OpenScape Business clients)
Measures:
• The login password (also used as mailbox PIN, numerical) has to be set to an individual value by every user.
• Unattended PCs and mobile devices must be locked.
PIN recommendations see 10.1.
Needed access rights:
Customer comments and reasons:

4.2 IP Interfaces UC Booster Card

The optional UC Booster Card provides two
7.3 TAPI 120 / TAPI 170 / CallBridge IP 32
7.4 OpenScape Business Attendant 32
7.5 OpenStage Gate View 33
8 Desktop and Server PCs 34
9 Phones and Voice Clients 35
10 Addendum 37
10.1 Recommended Password Policy 37
10.2 Accounts 37
10.2.1 OpenScape Business Assistant 38
10.2.2 HiPath Manager E 38
10.2.3 Clients 38
10.2.4 Xpressions Compact Card 38
10.2.5 OpenStage Gate View 39
10.3 Certificates 39
10.4 Port List 39
10.5 References 39

1 Introduction

1.1 General Remarks

Information and comm
ovide the respective characteristics shall only exist if expressly agreed in the terms of contract. Availability and technical specifications are subject to change without notice. OpenScape, OpenStage and HiPath are registered trademarks of Siemens Enterprise Communications GmbH & Co. KG. All other company, brand, product and service names are trademarks or registered trademarks of their respective holders. Printed in Germany.
ported by the communication partner.

CL 24: PSTN peers communication secured (OpenScape Business / external router)
Measures:
• Keep the CHAP setting and use a strong password.
• Activate call back and/or call number verification, and use only the outgoing direction if possible.
Needed access rights:
Customer comments and reasons:

3.3 Secure Tunnel (VPN)

Secure tunnels are strongly recommended for networking as well as for remote access. For every VPN remote subscriber a dedicated authentication shall be selected. This allows easy blocking of a remote access, e.g. when an employee leaves the company.
Recommended operation mode: IKE Main Mode with Perfect Forward Secrecy and DH Group 2, 5 or 14; default encryption with AES (check for a consistent setting in the VPN client). Of the listed DH groups, Group 14 (2048-bit MODP) should be preferred; Group 2 (1024-bit MODP) no longer provides adequate strength.
A. Pre-shared key: recommended only for a limited number of devices.
• Choose the key word according to the password recommendation, with a minimum length of 20 bytes (see 10.1).
• Secure transmission and storage of the key word has to be guaranteed.
B. Certificates: to be used for increased security requirements or with an existing PKI infrastructure. Configuration is more complex (expert mode).
• Recommended operation mode: RSA 2048 bit and a hash function of the SHA-2 family.
• Documentation of certificates and serial numbers and their safe storage has to be guaranteed.

CL 25: Networking and remote access allowed via VPN only (OpenScape Business / external router)
Measures:
• Check with the end user that al
rewall, the rules below apply as well.

CL 22: Port opening inactive or restricted (OpenScape Business / external router)
Measures:
• The necessity and risk of opening ports is checked.
• Non-essential port openings are deleted.
Needed access rights:
Executed: Yes [ ] No [ ] none active [ ]
Customer comments and reasons: Please document forwarded ports and their usage.

3.2.2 Application Firewall

IP address filtering protects OpenScape Business against unauthorized access from the internal or external network. Access via LAN is possible for all needed ports by default. Access to defined ports/services can be restricted to specific IP addresses or ranges of IP addresses, or can be blocked totally by entering 127.0.0.1. Use application firewall restrictions for the predefined ports with care, since you can lose all access to OpenScape Business. Please check the rules diligently before activating them.

CL 23: Application firewall (IP address filtering) (OpenScape Business)
Measures:
• Enable rules for the application firewall if it is seen as necessary and does not hinder administration access (Administration manual [1]).
Needed access rights: Expert
Executed: Yes [ ] No [ ] not active [ ]
Customer comments and reasons: Please document the IP address filtering.

3.2.3 PSTN Peers Communication

PSTN peers communication can be used for remote devices or administration via ISDN or analogue modems. CHAP is preconfigured in OpenScape Business within Routing > PSTN and shall be used if it is sup
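The warning in 3.2.2 is the one that bites in practice: a filter on the administration port that does not include the administrator's own address locks everyone out. The following is an added example, not code from the checklist or from the product, of the "check the rules diligently before activating them" step done mechanically. It models the rule set as described in the text (a list of allowed addresses or ranges per service, or the single address 127.0.0.1 to block a service completely) and reports, for each administration host, which services it would lose. The service names, the choice of "https-admin" as the administration service, and the addresses are all constructed for the example; the real ports and service names come from the port list (10.4).

```python
"""Added example: pre-activation check for application-firewall IP address filtering (3.2.2).

Rule model (assumed from the checklist text): rules = {service: [allowed addresses/CIDRs]}
or {service: "127.0.0.1"} to block the service for everybody. A service without a
rule stays open, which is the default the checklist describes.
"""
import ipaddress

BLOCK_ALL = "127.0.0.1"
ADMIN_SERVICES = ("https-admin",)   # assumed name of the web-based administration (WBM) service


def _networks(rule):
    """Parse one rule into ip_network objects, or None when the rule blocks everybody."""
    if rule == BLOCK_ALL:
        return None
    if isinstance(rule, str):
        rule = [rule]
    # strict=False lets a bare host address ("192.0.2.10") become a /32 network.
    return [ipaddress.ip_network(entry, strict=False) for entry in rule]


def is_allowed(rules, service, source_ip):
    """Evaluate one access: open when unfiltered, closed for 127.0.0.1, otherwise a membership test."""
    if service not in rules:
        return True
    nets = _networks(rules[service])
    if nets is None:
        return False
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in nets)


def lockout_report(rules, admin_hosts):
    """For every administration host, the list of admin services it would no longer reach."""
    return {host: [svc for svc in ADMIN_SERVICES if not is_allowed(rules, svc, host)]
            for host in admin_hosts}


def fully_locked_out_services(rules, admin_hosts):
    """Admin services that no administration host could reach once the rules are active.

    A non-empty result means the rule set must not be activated as it stands.
    """
    report = lockout_report(rules, admin_hosts)
    return [svc for svc in ADMIN_SERVICES if all(svc in report[h] for h in admin_hosts)]


# Constructed sample rule set and administration hosts (RFC 5737 documentation addresses).
PLANNED_RULES = {
    "https-admin": ["10.1.2.0/24", "192.0.2.10"],   # admin network plus one jump host
    "ldap-client-sync": BLOCK_ALL,                  # service not used: blocked completely
    "sip-registrar": ["10.1.0.0/16"],               # phones live in the voice VLAN
}
ADMIN_HOSTS = ["10.1.2.15", "198.51.100.7"]

if __name__ == "__main__":
    for host, lost in lockout_report(PLANNED_RULES, ADMIN_HOSTS).items():
        print(host, "would lose:", lost or "nothing")
    blocked = fully_locked_out_services(PLANNED_RULES, ADMIN_HOSTS)
    print("safe to activate" if not blocked else f"do NOT activate, nobody could reach {blocked}")
```

With the sample data the first administration host keeps access and the second (198.51.100.7, outside both allowed ranges) loses the WBM, which is acceptable; replacing the "https-admin" rule with 127.0.0.1 makes `fully_locked_out_services` non-empty, the case the checklist warns about.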
rong user name and password for the network drives if video recordings are stored there and have to be protected [1] (10.1).
Needed access rights: Expert and end user instructions
Executed: Yes [ ] No [ ] Not part of solution [ ]
Customer comments and reasons:

8 Desktop and Server PCs

General requirements for all PCs which run communication clients and applications:
• The operating system version is released for the communication software (see sales information).
• Current security updates for the operating system and Java are installed (see also [5]).
• A suitable virus protection SW shall be installed and active (see also [6]). This is especially true for mail servers and Windows PCs.
• Access is protected by passwords according to the password rules (see 10.1).
• Virtual environments have to be secured accordingly.
Depending on the responsibility for the devices which host the OpenScape Business solution components, this is a service or an end user instruction.

CL 41: Security updates, virus protection and access control (desktop and server PCs)
• Desktop PCs for OpenScape Business clients: Not part of solution [ ]
• Server for OpenScape Business: Not part of solution [ ]
• Server for TAPI: Not part of solution [ ]
• PC for OpenScape Business Attendant: Not part of solution [ ]
• …: Not part of solution [ ]
Customer comments and reasons: Operating system update, antivirus

9 Phones and Voice Clients

OpenScape Business supports several system a
s rights: End user instructions
Customer comments and reasons:

3.2 Firewalls

Firewalls are available within OpenScape Business X3/X5/X8 for routing via the WAN and ISDN ports as well as for general IP access to OpenScape Business.

3.2.1 Port Opening

For some applications to be used via the Internet, specific services/ports have to be enabled on the WAN interface to be forwarded to OpenScape Business and the internal LAN. Port forwarding is not active by default. All incoming IP traffic at the WAN interface without an initial request from internal is blocked. Please use port opening with care: the firewall is no longer in place for those IP services/ports. The enabled communicating applications shall meet extended security standards, e.g. encryption and efficient access control, and robustness against denial-of-service attacks and message floods. A web proxy in a DMZ may enhance security but can lead to dependencies with some devices and browsers.
Notes:
• Port forwarding must not be used for external VoIP subscribers and trunks, as this bears the risk of attacks and toll fraud by unauthorized access. Please use only VPN for remote IP subscribers.
• Port forwarding must not be used for application access from external, e.g. by OpenScape Business desktop clients or CSTA applications. These interfaces are not completely secured and may be intercepted and misused.
If an external router/firewall is used instead of the integrated fi
s active for HiPath Cordless (DECT) devices by default. This setting must be changed only temporarily, e.g. for diagnostics. Only the officially released components out of the Gigaset / OpenStage professional family shall be used. DECT headsets, DECT TAE plugs or other DECT devices can jeopardize confidentiality.

7.2 Wireless LAN (WLAN)

WLAN phones can also be used with OpenScape Business. Please make sure that a secure transmission like WPA2 is chosen (compare the product-related security checklist and/or administration manual).

7.3 TAPI 120 / TAPI 170 / CallBridge IP

These applications provide CTI interfaces for phone call control and monitoring. They run on Windows client PCs or servers and are protected by Windows' own security mechanisms, e.g. access control and user accounts. The TAPI middleware makes use of the CSTA interface (see 4.2.6). Access to the hosting PCs has to be protected. For server security measures see chapter 8.

7.4 OpenScape Business Attendant

OpenScape Business Attendant is a Windows application which allows call monitoring and call transfer as well as feature control (e.g. call forwarding) for a single system or a network of OpenScape Business systems. It is connected via USB or LAN to a suitable OpenScape Business phone. OpenScape Business BLF (Busy Lamp Field) uses the same interface. For the hosting PCs the rules from chapter 8 apply.
Notes: Network-wide subscriber busy state information is exchanged via IP with
signed certificates have to be accepted by the external XMPP server.
Note: Port forwarding for TCP port 5269 has to be activated to be able to use XMPP via WAN (see 3.2.1).

CL 28: Secure XMPP communication (OpenScape Business)
Measures: Use an external XMPP server which supports secure communication. Remark: servers which do not accept self-signed certificates cannot be used.
References:
Executed: Yes [ ] No [ ] XMPP not active [ ]
Customer comments and reasons: Used external XMPP server:

4.2.3 SMTP Interface

The Simple Mail Transfer Protocol (SMTP) is used within the UC Suite to receive mails for Contact Center agents. Encryption is recommended. SMTP can only be used with encryption when the mail server in use supports that. This is an additional interface, independent from the base system.

CL 29: SMTP interface secured (OpenScape Business)
Measures:
• Select "Use SSL" for inbound e-mail services at UC Suite > OpenScape Business > Contact Center.
Executed: Yes [ ] No [ ] Deactivated [ ]
Customer comments and reasons:

4.2.4 LDAP Interface

The Lightweight Directory Access Protocol (LDAP) is used in the OpenScape Business UC Suite for client access to external databases (LDAP servers). This is an additional interface, independent from the base system. Unauthorized access may disclose company directory data.

CL 30: Protect access to the external LDAP server (OpenScape Business)
Measures: Please make sure to use strong passwords for
structure for enterprises of all sizes. Leveraging 160 years of experience, we deliver innovation and quality to the world's most successful companies, backed by a world-class services portfolio which includes international multi-vendor managed and outsourcing capabilities. Our OpenScape communications solutions provide a seamless and efficient collaboration experience on any device, which amplifies collective effort and dramatically improves business performance. Together, our global team of UC experts and service professionals set the standards for a rich communications experience that empowers teams to deliver better results. Siemens Enterprise Communications is a joint venture of The Gores Group and Siemens AG and includes Enterasys Networks, a provider of network infrastructure and security solutions, creating a complementary and complete enterprise communications solutions portfolio. For more information please visit www.siemens-enterprise.com or www.enterasys.com.

Siemens Enterprise Communications GmbH & Co. KG
Siemens Enterprise Communications GmbH & Co. KG is a Trademark Licensee of Siemens AG.
Hofmannstr. 51, 81359 Munich, Germany
Status: 10/2012
The information provided in this brochure contains merely general descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products. An obligation to pr
tegrated voicemail (IVM), change the setting from COS4 to COS3 for the configured IVM ports.
Needed access rights:
Executed:
Customer comments and reasons:

By using the IVM WBM it is possible for the administrator to view and modify all user accounts by logging in as Super user. The Super user PIN should be set according to the recommendations in section 10.1. The maximum length of the Super user PIN is 8, configurable from Manager E or the Xpressions Compact WBM. For the administration role "service" the same credentials as for HiPath Manager E are used.

CL 36: Implement a strong PIN for the Super user (Xpressions Compact)
Measures: Choose a strong PIN for the Super user account in the HiPath Xpressions Compact WBM. This is configured via the Mailbox Administration > SU (Super user) > General Settings menu options.
Needed access rights:
Customer comments and reasons:

The DLI login page is also accessible from the HiPath Xpressions Compact WBM, and this introduces the security risk of an unauthorized party altering phone configurations or accessing other privileged information. To avoid the risk it is necessary to change the default password of the DLI user from "DLI" to a more secure combination.

CL 37: Implement a strong PIN for the DLI user (Xpressions Compact)
Measures: Choose a strong PIN for the DLI account. This setting is accessible from within the HiPath Xpressions Compact WBM via Basic Settings > Change
48. uite and Xpressions Compact Card. It lists the security-relevant topics and settings to be considered for the specific customer installation.

Company:
Address:
Telephone:
E-Mail:
Covered Systems (e.g. System, SW version, devices, MAC/IP addresses):
General Remarks:
Open Issues (to be solved until Date):
Customer:
Supplier:

2 OpenScape Business Hardening Measures in General

This checklist covers the following models and the related integrated or external applications:
OpenScape Business X3
OpenScape Business X5
OpenScape Business X8
OpenScape Business S (server based solution)

[Figure: Configuration overview. Labels: SIP Trunking, Remote Access, Networking, OpenScape Business (optional), UC Suite, Xpressions Compact, OpenStage IP, UC clients (myPortal), OpenScape Business Attendant, Analog Phones, DECT Devices]

The availability of many features depends on activated licenses. For safeguarding an OpenScape Business based communications solution, all components have to be considered. OpenScape Business provides basic voice services for TDM and IP devices and trunks as well as Unified Communication (UC). Administration access and features like class of service have to be configured carefully. Physical and logical protection of system and infrastructure against manipulation of features as well as sabotage is necessary.

OpenScape Business X3 X5 X8
49. unication and their seamless integration in Unified Communications and Collaboration (UCC) are important and valuable assets for an enterprise and are the core parts of their business processes. Therefore they have to be adequately protected. Every enterprise may require a specific level of protection, which depends on individual requirements for availability, confidentiality, integrity and compliance of the IT and communication systems in use. Siemens Enterprise Communications attempts to provide a common standard of features and settings of security parameters within the delivered products. Beyond this, we generally recommend:
- to adapt these default settings to the needs of the individual customer and the specific characteristics of the solution to be deployed;
- to weigh the costs of implementing security measures against the risks of omitting a security measure, and to harden the systems appropriately.

As a basis for that, the Security Checklists are published. They support the customer and the service (in both the direct and the indirect channel) as well as self-maintainers in agreeing on the settings and documenting the decisions that are taken. The Security Checklists can be used for two purposes:

In the planning and design phase of a particular customer project: use the Security Checklists of every relevant product to evaluate if all products that are part of the solution can be aligned with the customer's security requirements