OpenScape Voice V7, Security Checklist, Planning Guide, Issue 2_addfiles


06/2012
Siemens Enterprise Communications GmbH & Co. KG
2012

Documentation
OpenScape Voice V7
Security Checklist
Planning Guide

A31003-H8070-P102-2-76A9

Siemens Enterprise Communications


www.siemens-enterprise.com
Our Quality and Environmental Management
Systems are implemented according to the
requirements of the ISO9001 and ISO14001 standard
certified by an external certification company.

Copyright © Siemens Enterprise Communications GmbH & Co. KG 06/2012
Hofmannstr. 51, D-80200 München
Siemens Enterprise Communications GmbH & Co. KG is a Trademark Licensee of Siemens AG
Reference No.: A31003-H8070-P102-2-76A9
The information provided in this document contains merely general descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of contract. Availability and technical specifications are subject to change without notice.
OpenScape, OpenStage and HiPath are registered trademarks of Siemens Enterprise Communications GmbH & Co. KG.
All other company, brand, product and service names are trademarks or registered trademarks of their respective holders.
Contents

1 Introduction ... 5
1.1 General Information ... 5
1.2 Update and Feedback ... 6
1.3 Customer Deployment - Overview ... 7
2 OpenScape Voice V7 Hardening Measures at a Glance ... 9
3 Server Hardening ... 11
3.1 Hardware Security Settings ... 11
3.2 BIOS Settings ... 11
3.3 Operating System Hardening ... 12
3.3.1 Close Unused IP Ports ... 13
3.3.2 Password Management ... 13
3.3.2.1 Changing Predefined Passwords for Administrator Accounts ... 13
3.3.2.2 Change Predefined Passwords for Application Accounts ... 14
3.3.2.3 Change Default Password Policies for New Accounts ... 15
3.3.3 Change Denial of Service (DoS) Thresholds ... 16
3.3.4 Allow Internet Protocol Security (IPsec) Fragmentation ... 17
3.3.5 Turn on IPsec Between Servers ... 19
3.3.6 Transport Layer Security (TLS) Certificates ... 20
3.3.6.1 Change the Default TLS Certificates ... 20
3.3.6.2 Activate Verification for Mutual TLS ... 21
3.3.7 Securing the Administrative Interface ... 23
3.3.7.1 SNMP Community Name ... 23
3.3.8 Securing SOAP Signaling ... 25
3.3.8.1 Securing SOAP Signaling via IPsec ... 26
3.3.8.2 Securing SOAP Signaling via TLS ... 27
3.3.9 Adding Authorization to SOAP ... 28
3.3.10 Firewalling the SOAP Clients ... 29
3.3.11 Securing the IMM or IRMC Access ... 29
3.3.11.1 Change the Default Passwords for the IMM/iRMC Card ... 30
3.3.11.2 Deactivate Clear-Text Administration / Activate Encrypted Communication - FTS RX330S1 and RX200S6 Platforms ... 30
3.3.11.3 Deactivate Clear-Text Administration / Activate Encrypted Communication - IBM x3250M3, x3550M2 and x3550M3 platforms ... 34
3.3.12 Securing the Signaling Interface ... 38
3.3.12.1 Activate TLS Signaling for SIP Subscribers ... 38
3.3.12.2 Activate TLS Keep-Alive for OpenStage Phones ... 39
3.3.13 Activate MTLS Signaling for SIP Endpoints ... 39
3.3.14 Activate Digest Authentication to the SIP Subscribers and SIP Endpoints ... 40
3.3.15 Activate Authentication of SIP Subscribers and SIP Endpoints behind Trusted Endpoints ... 42
3.3.16 Securing Media Servers ... 43
3.3.17 Securing CSTA Applications ... 43
3.4 Securing the Billing Interface ... 44
3.5 Security Patches ... 44
3.5.1 BIOS Security Updates ... 44
3.5.2 OpenScape Voice Assistant Security Updates ... 45

A31003-H8070-P102-2-76A9, 06/2012
OpenScape Voice V7, Planning Guide 3

1 Introduction

1.1 General Information


Information and communication and their seamless integration in Unified
Communications and Collaboration (UCC) are important and valuable assets for
an enterprise and are the core parts of their business processes. Therefore, they
have to be adequately protected. Every enterprise may require a specific level of
protection, which depends on individual requirements for availability,
confidentiality, integrity and compliance of the IT and communication systems
being used.

Siemens Enterprise Communications attempts to provide a common standard of features and settings of security parameters within the delivered products. Beyond this, we generally recommend:

• to adapt these default settings to the needs of the individual customer and the
specific characteristic of the solution to be deployed.

• to weigh the costs (of implementing security measures) against the risks (of
omitting a security measure) and to “harden” the systems accordingly.

As a basis for that, the Security Checklists are published. They support the customer and the service, directly or indirectly, as well as those wanting to maintain the system themselves, in agreeing on the settings and documenting the decisions that are made.

The Security Checklists can be used for two purposes:

1. In the planning and design phase of a particular customer project. Use the
Security Checklists of every relevant product to evaluate if all of the products
that form a part of the solution can be aligned with the customer’s security
requirements. Document in the Checklist how they can be aligned. This
ensures that security measures are appropriately considered and included in
the Statement of Work to build the basis for the agreement between SEN and
the customer. The customer will be responsible for the individual security
measures:

• during installation and setup of the solution

• during operation.

2. During installation and during major enhancements or software upgrade activities. The Security Checklists (ideally documented as described in the previous step) are used to apply and/or control the security settings of every individual product.


1.2 Update and Feedback


By their nature, security-relevant topics are prone to continuous changes and
updates. New findings, corrections and enhancements of this checklist are being
included as soon as possible. Therefore, we recommend always using the latest
version of the Security Checklists of the products that are part of your solution.
They can be retrieved from the partner portal Siemens Enterprise Business Area
(SEBA) at the relevant product information site.

We encourage you to provide feedback on anything that is not clear or about problems with the application of this checklist.

Please contact the OpenScale Baseline Security Office (obso@siemens-enterprise.com).


1.3 Customer Deployment - Overview


This Security Checklist covers the product OpenScape Voice V7 and lists the security-relevant topics and settings in a comprehensive form.

Customer / Supplier
Company:
Name:
Address:
Telephone:
E-mail:
Covered Systems (e.g. System, SW version, devices, MAC/IP addresses):
Referenced Master Security Checklist / Version:
Date:
General Remarks:
Open issues to be resolved until (Date):


2 OpenScape Voice V7 Hardening Measures at a Glance


The information in this document is intended to support the service technicians, re-sellers, and consultants in the examination and setting of the required security measures in the software and at the hardware for OpenScape Voice.

The current security settings are to be confirmed by the customer by signature upon delivery of OpenScape Voice.

Deviations from the security settings at the customer's request are to be documented.


3 Server Hardening

3.1 Hardware Security Settings


No security-relevant hardware settings are currently known to be necessary for any of the OpenScape Voice supported hardware platforms.

Precondition: OpenScape Voice has been installed / updated according to the Installation Manual. In the table below, enter the manufacturer name and model number on which OpenScape Voice is installed.

CL-OSV-Hardware Platform: Hardware Platform
Measures: Enter the manufacturer name and model number on which OpenScape Voice is installed.
Hardware Platform:
Needed Access Rights: n/a
Executed: Yes / No
Customer Comments and Reasons:

Additional Information for Settings

Enter one of:

• IBM x3250 M2, IBM x3250 M3, IBM x3250 M4

• IBM x3550 M2, IBM x3550 M3

• Fujitsu RX200 S6

• Fujitsu RX330 S1

<Other manufacturer> <model number> if your server is not in the above list.

3.2 BIOS Settings


Access to the BIOS allows changing the boot order of the server. Once changed, an intruder may boot tools from CD-ROM or a USB device that allow changing the administrator password or installing files.


To prevent this from happening, the BIOS needs to be password protected.

NOTE: BIOS passwords should be set in accordance with company security policies.

Change the administrator password to access the BIOS according to the instructions in your server's documentation guides.

• IBM: http://www-947.ibm.com/support/entry/portal/Documentation

– x3250 M2: Installation Guide
– x3250 M3: Installation and User's Guide
– x3250 M4: Installation and User's Guide
– x3550 M2: Installation and User's Guide
– x3550 M3: Installation and User's Guide

• Fujitsu: http://ts.fujitsu.com/support/manuals.html - manuals are listed under Industry Standard Server products.

– RX200 S6: D3031 BIOS Setup Utility (Reference Manual)
– RX330 S1: PRIMERGY RX330 S1 Server (Operating Manual).

CL-OSV-BIOS: Use non-default BIOS password
Measures: Change the administrator password to access the BIOS according to the instructions in your server's documentation guides.
References:
Needed Access Rights: administrator
Executed: Yes / No
Customer Comments and Reasons:

3.3 Operating System Hardening


The OpenScape Voice V7 operates on a SuSE Linux Enterprise Server Version
11 (SLES 11) operating system with Service Pack 1.


3.3.1 Close Unused IP Ports


The Linux firewall on OpenScape Voice is activated, and only needed ports are open and in use. A comprehensive port list can be found in the Interface Management Data Base.

3.3.2 Password Management

3.3.2.1 Changing Predefined Passwords for Administrator Accounts

During the installation, all administrator accounts are created with default passwords which are generally known. These passwords must be changed upon deployment.

CL-OSV-Passwords-Admin-Accounts: Change Predefined Passwords for Administrator Accounts
Measures: Change default passwords for the following accounts:
• "root"
• "srx"
• "sysad"
• "superad"
• "cdr"
• "solid"
• "secad"
• "dbad"
References: OSV V7 Service Manual: Installation and Upgrades
Needed Access Rights: administrator
Executed: Yes / No
Customer Comments and Reasons:

Additional Information for Settings

For an OpenScape Voice cluster, these passwords must be changed on each node individually.


In V7, the administrator accounts "sysad", "superad", "secad" and "dbad" have 90-day expiry limits set on their passwords.
Log in to the system as root and enter the following command:
root# passwd user
Passwords should be 8-36 characters long, in accordance with the customer’s password policy.

Effects on Other Products

The "srx" account is used by the OpenScape Voice Assistant to log in to OpenScape Voice; therefore, the new password needs to be entered in the Common Management Portal (CMP) as well.
To do this, log in to the Common Management Portal (CMP) and navigate to:
Configuration > OpenScape Voice > Select Switch > Switches > Select Switch and Edit > Mark "Enable Password(s)", modify password(s) for "srx" and Save.
For other products, e.g. billing services using the "cdr" account, that log in via SSH/SFTP with any of the accounts listed in the table above, the stored password needs to be updated as well.

3.3.2.2 Change Predefined Passwords for Application Accounts

Use the assistant to change the password of the solid database accounts.

CL-OSV-Passwords-Application-Accounts: Change Predefined Passwords for Application Accounts
Measures: Change default passwords for solid users:
• "dba"
• "rtp"
• "sym" (for Integrated Simplex configurations only)
References:
Needed Access Rights: administrator
Executed: Yes / No
Customer Comments and Reasons:

Additional Information for Settings


These passwords can be changed via the OpenScape Voice Assistant as follows:
Log in to the Common Management Portal and navigate to:
Configuration > OpenScape Voice > Select switch > Administration > General Settings > Database

3.3.2.3 Change Default Password Policies for New Accounts

The customer's password policy has to be installed in case the customer creates
new administrator accounts that are allowed to log in via SSH or SFTP.

CL-OSV-Passwords_New_Accounts: Change Default Password Policies for New Accounts
Measures: Ensure the customer's password policy has been applied to the system, preferably by using the /etc/pam.d mechanism.
References:
Needed Access Rights: administrator
Executed: Yes / No
Customer Comments and Reasons:

Additional Information for Settings


If the customer has no password policy, make sure that new user accounts
have a minimum password length of 8 and a password history of no less than
5.
To set the password history and minimum password length modify the
"password:" line in the /etc/security/pam_pwcheck.conf configuration file
as follows:
password: minlen=8 maxlen=16 remember=5 use_cracklib use_authtok use_first_pass
For password history it is necessary to create the opasswd file for storing old
password hashes:
touch /etc/security/opasswd
chown root:root /etc/security/opasswd
chmod 600 /etc/security/opasswd
For minimum password length also modify /etc/login.defs as follows:
PASS_MIN_LEN 8
The default password age should be set to 60 days.


After 60 days, the user will be prompted to change his password. There is a
30 day grace period to do so before the account is locked.
To set the password age:
passwd -x 60 -w 14 -n 1 -i 30 <userid>
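As an added example that is not part of the original checklist, the following Python script audits the three settings above (the "password:" line in pam_pwcheck.conf, PASS_MIN_LEN in login.defs, and the permissions of the opasswd history file) against the minimum values given here. File paths are passed in, the sample file sets it builds are constructed, and in the demo the current user's uid stands in for root.

```python
import os
import stat
import tempfile
from typing import Dict, List

MIN_LEN = 8       # minimum password length the checklist asks for
MIN_HISTORY = 5   # password history depth the checklist asks for


def parse_pwcheck_options(text: str) -> Dict[str, str]:
    """Tokenise the 'password:' line of pam_pwcheck.conf into {option: value};
    bare flags such as use_cracklib map to an empty string."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("password:"):
            opts: Dict[str, str] = {}
            for token in line[len("password:"):].split():
                key, _, value = token.partition("=")
                opts[key] = value
            return opts
    return {}


def parse_login_defs(text: str) -> Dict[str, str]:
    """Read NAME VALUE pairs from login.defs, ignoring comments and blank lines."""
    defs: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            defs[parts[0]] = parts[1].strip()
    return defs


def _at_least(opts: Dict[str, str], key: str, minimum: int) -> bool:
    """True when opts[key] is an integer >= minimum; missing or non-numeric is False."""
    try:
        return int(opts.get(key, "")) >= minimum
    except ValueError:
        return False


def audit_password_policy(pwcheck_path: str, login_defs_path: str,
                          opasswd_path: str, expect_uid: int = 0) -> List[str]:
    """Return findings for the checklist item; an empty list means it is satisfied."""
    findings: List[str] = []
    with open(pwcheck_path) as fh:
        opts = parse_pwcheck_options(fh.read())
    if not _at_least(opts, "minlen", MIN_LEN):
        findings.append(f"pam_pwcheck: minlen must be >= {MIN_LEN}")
    if not _at_least(opts, "remember", MIN_HISTORY):
        findings.append(f"pam_pwcheck: remember must be >= {MIN_HISTORY}")
    with open(login_defs_path) as fh:
        defs = parse_login_defs(fh.read())
    if not _at_least(defs, "PASS_MIN_LEN", MIN_LEN):
        findings.append(f"login.defs: PASS_MIN_LEN must be >= {MIN_LEN}")
    # History hashes live in opasswd: it must exist and be mode 0600, owned by root
    try:
        st = os.stat(opasswd_path)
    except FileNotFoundError:
        findings.append("opasswd: file missing, so no password history can be kept")
        return findings
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        findings.append(f"opasswd: mode {oct(mode)}, expected 0o600")
    if st.st_uid != expect_uid:
        findings.append(f"opasswd: owner uid {st.st_uid}, expected {expect_uid}")
    return findings


def _write(path: str, text: str, mode: int) -> str:
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


def run_demo() -> Dict[str, List[str]]:
    """Audit two constructed file sets: one as the checklist prescribes, one left weak."""
    samples = {
        "hardened": ("password: minlen=8 maxlen=16 remember=5 use_cracklib "
                     "use_authtok use_first_pass\n",
                     "# constructed login.defs\nPASS_MIN_LEN 8\nPASS_MAX_DAYS 60\n", 0o600),
        "weak": ("password: use_cracklib use_authtok\n", "PASS_MIN_LEN 5\n", 0o644),
    }
    results: Dict[str, List[str]] = {}
    for name, (pwcheck, logindefs, opasswd_mode) in samples.items():
        with tempfile.TemporaryDirectory() as tmp:
            pw = _write(os.path.join(tmp, "pam_pwcheck.conf"), pwcheck, 0o644)
            ld = _write(os.path.join(tmp, "login.defs"), logindefs, 0o644)
            op = _write(os.path.join(tmp, "opasswd"), "", opasswd_mode)
            # Temp files belong to the current user, who stands in for root here
            results[name] = audit_password_policy(pw, ld, op, expect_uid=os.getuid())
    return results


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, findings or "checklist item satisfied")
```

On a real node the same function is pointed at /etc/security/pam_pwcheck.conf, /etc/login.defs and /etc/security/opasswd with the default expect_uid of 0.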

3.3.3 Change Denial of Service (DoS) Thresholds


During the installation, a large amount of data must be transferred to and from the
server from software servers and between nodes of the cluster, etc. In order not
to impede this process, the threshold for detection of a denial of service attack
has been intentionally set at 20,000 messages per second. After installation, this
value should be reduced.

A default white list is automatically generated at startup, based on the following node.cfg entries: each partner on the admin, signaling and billing interfaces, and snmp_servers.

CL-OSV-DoS_Thresholds: Change DoS Thresholds
Measures: Change the default packet rate that will trigger a denial of service lockout.
References:
Needed Access Rights: administrator
Executed: Yes / No
Customer Comments and Reasons:

Additional Information for Settings


Denial of Service thresholds are provisionable from the CLI. The following are the defaults and provisionable ranges:

• Block Period: 1 to 2048 seconds, with a default of 60 seconds

• Rate Threshold: 1 to 256,000 packets per second, with a default of 20,000 packets per second

Typically, no single network IP address (for example, a single phone or server) will deliver heavy amounts of packet traffic; however, message concentrators such as an SBC or proxy can create heavier amounts of packet traffic and need to be taken into account when setting the rate threshold value and the “white list” of trusted hosts, which is the list of IP addresses that are exempt from the rate threshold limit.


After installation and bring-up are complete and verified, Siemens Enterprise Communications recommends that for normal operation of the OpenScape Voice system the rate threshold value be set to 200 packets per second (CLI: 6,1,1,6,1) for a clustered deployment and 2000 packets per second for an integrated simplex deployment. Use Option 4 to display the Rate Thresholds and Option 3 to modify the Rate Thresholds.
The administrator must take care that trusted servers are included in the “white list” of trusted hosts (CLI: 6,1,1,6,2). Use Option 3 to display a list of all trusted hosts.
The “white list” should include the IP addresses of:

• External administration servers, for example, an external OpenScape Voice Assistant.

• Trusted high-traffic servers, for example, media servers, PSTN gateways, session border controllers, SIP voice mail servers, peer SIP switches and proxies in the network.

• Billing servers, billing clients, license servers, and other servers which routinely transfer files to/from the OpenScape Voice system.

The OpenScape Voice IP addresses used for communication between the nodes of the OpenScape Voice cluster are automatically added to the “white list” during installation, and can also be added manually if necessary.
The administrator should carefully monitor the system after reducing the threshold values and adjust the threshold and “white list” to values suited to the specific customer configuration.
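The following Python model, added here and not part of the original checklist, shows why message concentrators have to be on the “white list”: the same constructed traffic (a phone at 5 pps and an SBC forwarding 500 pps) is run against the 200 pps cluster threshold with and without the SBC white-listed. The per-source one-second counting and the IP addresses are assumptions for illustration, not OpenScape Voice internals.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Values from the checklist: 200 pps (cluster) / 2000 pps (integrated simplex),
# block period default 60 s. The per-source counting model is an assumption.
RATE_THRESHOLD_CLUSTER = 200
RATE_THRESHOLD_SIMPLEX = 2000
BLOCK_PERIOD_DEFAULT = 60

Packet = Tuple[float, str]  # (timestamp in seconds, source IP address)


class RateThresholdFilter:
    """Packets-per-second threshold per source with a timed block and a white list.

    White-listed sources are neither counted nor blocked, which is the role the
    checklist gives the 'trusted hosts' list.
    """

    def __init__(self, rate_threshold: int, block_period: int,
                 white_list: Iterable[str] = ()) -> None:
        self.rate_threshold = rate_threshold
        self.block_period = block_period
        self.white_list: Set[str] = set(white_list)
        self._counts: Dict[Tuple[str, int], int] = defaultdict(int)
        self.blocked_until: Dict[str, float] = {}
        self.events: List[str] = []

    def accept(self, ts: float, src: str) -> bool:
        """Return True if the packet is let through, False if it is dropped."""
        if src in self.white_list:
            return True
        until = self.blocked_until.get(src)
        if until is not None:
            if ts < until:
                return False
            del self.blocked_until[src]  # block period expired
        key = (src, int(ts))            # count within the current one-second window
        self._counts[key] += 1
        if self._counts[key] > self.rate_threshold:
            self.blocked_until[src] = ts + self.block_period
            self.events.append(f"t={ts:.3f}s: {src} exceeded {self.rate_threshold} pps, "
                               f"blocked for {self.block_period}s")
            return False
        return True


def run_traffic(flt: RateThresholdFilter, packets: Iterable[Packet]) -> Dict[str, int]:
    """Feed packets in time order; return dropped-packet counts per source."""
    dropped: Dict[str, int] = defaultdict(int)
    for ts, src in sorted(packets):
        if not flt.accept(ts, src):
            dropped[src] += 1
    return dict(dropped)


def constructed_traffic() -> List[Packet]:
    """Constructed sample: a phone at 5 pps and an SBC concentrating 500 pps, two seconds each."""
    phone = [(i * 0.2, "10.1.1.20") for i in range(10)]
    sbc = [(i * 0.002, "10.1.1.5") for i in range(1000)]
    return phone + sbc


def demo() -> Dict[str, Dict[str, int]]:
    """Same traffic against the cluster threshold, without and with the SBC white-listed."""
    traffic = constructed_traffic()
    plain = RateThresholdFilter(RATE_THRESHOLD_CLUSTER, BLOCK_PERIOD_DEFAULT)
    trusted = RateThresholdFilter(RATE_THRESHOLD_CLUSTER, BLOCK_PERIOD_DEFAULT,
                                  white_list={"10.1.1.5"})
    return {
        "sbc_not_white_listed": run_traffic(plain, traffic),
        "sbc_white_listed": run_traffic(trusted, traffic),
    }


if __name__ == "__main__":
    for scenario, dropped in demo().items():
        print(scenario, dropped or "nothing dropped")
```

Without the white-list entry the SBC is cut off after its first 200 packets and stays blocked for the whole block period, taking every call it concentrates with it; the 5 pps phone is never affected.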

3.3.4 Allow Internet Protocol Security (IPsec) Fragmentation

If remote branch offices are connected to the data center by way of a VPN or IPsec tunnel, the routers terminating that tunnel may require an MTU lower than the default of 1500. This is most noticeable when SIP keysets are deployed at the remote branch offices, as they exchange large amounts of data in a single message that normal endpoints would not transmit. Many customer routers that establish this tunnel use ICMP type 3 (destination unreachable, which carries the "fragmentation needed" indication used for path MTU discovery) to determine the maximum packet size that can be reliably transmitted. The firewall in OpenScape Voice must be opened to respond to these ICMP packets. If these (type 3) ICMP packets are being dropped, the following settings allow safely opening the firewall to permit the traffic.


CL-OSV-Allow_IPsec_Fragmentation: Change default ICMP types to Allow IPsec Fragmentation
Measures: Change default ICMP types to allow IPsec fragmentation between SIP endpoints (by way of VPN tunnel on remote router).
References:
Needed Access Rights: administrator
Executed: Yes / No
Customer Comments and Reasons:

Additional Information for Settings

Additional Information for Settings


Enable ICMP message type 3 on OpenScape Voice:

1. Modify the ICMPDefaultTypes parameter string to include message type 3 (CLI: 1,1,3):
Configuration Parameters (methods):
browseParameterNames ...........1
getParameter....................2
modifyParameter ................3
Selection (default: 2): 3

modifyParameter:
name : hiQ/Security/Filt/ICMPDefaultTypes

modifying variable parameters:
current value: 0, 8
value <max length: 2047>: 0,3,8
input value was: “0,3,8”
Do you want to execute this action? (default: yes) :

executing method modifyParameter...
Ok.

2. Restart the Security Manager on each node (CLI: 98):
CLI> procStopProcess "SecMgr1"
...wait a few seconds for it to shut down.
CLI> procStartConfiguredProcess "SecMgr1"


Menu commands are: 5…1…8 (to stop) and then 6 (to start)

3. Create ICMP packet filter rule(s) for remote host, subnet, or all hosts (CLI:
6,8,4,1):
Packet Filter Rule Name <Max Length 63 (max length: 63)>
(def: ) : SUBNET789_SIP1_FRAGMENT_ALLOWED
Description <Max Length 63 (max length: 63)> (def: ):
Allow ipsec fragmentation with remote SIP subnet
Remote FQDN <Max Length 63 (max length: 63)> (def: ):
Remote IP Address <Max Length 15 (max length: 15)> (def:):
<remote subnet for SIP endpoints>
Remote NetMask <Max Length 15 (max length: 15)> (def:
255.255.255.255) :
255.255.255.0
<remote subnet mask for SIP endpoints>
Transport Protocol <1=icmp, 2=udp, 3=tcp, 4=all, 5=esp,
6=ah, 7=sctp> (default: 4): 1
Direction <1=incoming, 2=outgoing, 3=bothways (default:
1): 1
Action <1 = Allow, 2 = Drop> (default: 1): 1
Do you want to execute this action <y/n> (default: yes):
Operation successful

3.3.5 Turn on IPsec Between Servers


After the installation of all servers and connected devices and a functional test have been completed, ensure that you have defined IPsec policies and activated IPsec communication to the OpenScape Voice Assistant, etc. This applies to all servers that are accessed in any way using an insecure protocol (such as SNMP, MGCP, CSTA).

CL-OSV-IPsec_Between_Servers: Turn on IPsec Between Servers
Measures: Verify that IPsec is used to encrypt all non-secure communication between the OpenScape Voice and its associated servers.
References:
Needed Access Rights: administrator
Executed: Yes / No
Customer Comments and Reasons:

Additional Information for Settings

Additional Information for Settings


Add Secure Endpoints for all associated servers that implement IPsec natively through their OS. Refer to the OSV V7 Service Manual: Installation and Upgrades, section IPSec Configuration, for additional information.
Refer to the guidelines of those associated servers as to how to configure IPsec on their side. Typically, this is done at OS level; the OS supplier usually provides guidelines on how to configure IPsec for their products.
Use IPsec for the following servers:

• Media Servers (to protect the MGCP protocol, which only supports UDP). This includes an OpenScape Branch deploying an on-board media server.

• Transfer of logging files

• Common Management Portal server

• Pulling of billing files from OpenScape Voice by a billing server

Effects on Other Products

The IPsec credentials must be entered on the peer server as well.

NOTE: OpenScape Voice uses "racoon" to establish IPsec connections. Racoon uses the IKE (ISAKMP/Oakley) key management protocol to establish secure connections with other hosts.

3.3.6 Transport Layer Security (TLS) Certificates

3.3.6.1 Change the Default TLS Certificates

OpenScape Voice comes with a default self-signed TLS Server Certificate. Even
when not integrated in a PKI infrastructure, the default TLS certificate of OSV
should be replaced with a new TLS certificate.


CL-OSV-TLS_Certificates: Change the Default TLS Certificates
Measures: Create new root and server certificates for the OpenScape Voice solution.
References: Refer to the OSV V7 Service Manual: Installation and Upgrades, Appendix titled “OpenScape Voice Signaling Stream Security.”
Needed Access Rights: administrator
Executed: Yes / No
Customer Comments and Reasons:

Additional Information for Settings

Creating your own root certificate means that the root CA certificate must be installed in the trusted Root CA store of all products that need to establish a TLS connection to OpenScape Voice. This includes, but is not limited to:

• Phones

• Proxies

• Gateways

• Voice Mail Servers, etc.

3.3.6.2 Activate Verification for Mutual TLS

TLS connections can have post-connection validation performed on them, in which the certificate offered by the peer is checked for validity. The checks performed at the current time are: if the certificate contains a subject alternative name with DNS names and/or IP addresses, those DNS names (after DNS resolution to IP addresses) and IP addresses are compared with the IP address of the peer presenting the certificate; if none of them matches the peer's IP address, the connection is closed automatically. If there is no subject alternative name in the certificate, the common name within the subject name is assumed to be a DNS name or IP address and is checked the same way against the IP address of the peer; if the DNS name, after resolution to an IP address, does not match the peer's IP address, the connection is likewise closed automatically.

NOTE: By default, post-connection verification is switched off. As a prerequisite to switching the verification on, the certificates must have been exchanged.


CL-OSV-Verify_Mutual_TLS: Activate Verification for Mutual TLS
Measures: Verify that post-connection verification is switched on.
References: OSV V7 Service Manual: Installation and Upgrades
Needed Access Rights: administrator
Executed: Yes / No
Customer Comments and Reasons:

Additional Information for Settings

Additional Information for Settings


Via CLI (CLI: 1,1):
Use Option 2 to verify that the value of the RTP parameter Srx/ttud/verification is set to RtpTrue.
Use Option 3 to set the value of the RTP parameter Srx/ttud/verification to RtpTrue if it is currently set to RtpFalse.

NOTE: The procedure might interrupt call processing and should be executed in a timely manner (or during low-traffic periods). For a live system the best practice is to execute the procedure in a maintenance window.

Stop and start the ttud process on each node. Expert CLI examples follow:
CLI> procStopProcess "ttudProc1"
...wait a few seconds for it to shut down.
CLI> procStartConfiguredProcess "ttudProc1"
In a duplex configuration, be sure to restart the process on node 2 as well. Expert CLI examples follow:
CLI> procStopProcess "ttudProc2"
...wait a few seconds for it to shut down.
CLI> procStartConfiguredProcess "ttudProc2"

From the CLI menu, make the following selections:
5…1…8 (to stop the process)
5…1…6 (to start the process)


3.3.7 Securing the Administrative Interface

3.3.7.1 SNMP Community Name

SNMPv1 and SNMPv2 use the notion of communities to establish trust between managers and agents. Community names are essentially passwords. A community name allows a level of access to Management Information Base (MIB) data. Access levels are read-only (RO) for data retrieval and read-write (RW) for data modification. Thus an SNMP manager requires at least two community names, or passwords.

CL-OSV-SNMP_Community_Name      Change SNMP Community Name
Measures                        Change default values for RO and RW community names.
References
Needed Access Rights            root
Executed                        Yes:   No:
                                OpenScape SBC:
Customer Comments and Reasons

Additional Information for Settings

The OpenScape Voice sets by default the RO community name to "SENread" and the RW community name to "SENsnmp". It is very important to change these default values at the time of installation, as they could be well known to the general public.
The OpenScape Voice provides the capability to modify the SNMP RO and RW community names via the CLI (CLI: 6,1,9). Use Option 1 to display the current SNMP configuration and Option 2 to modify the SNMP configuration.

NOTE: V1 and V2 of the SNMP protocol send the community names in clear text. To prevent sniffing of the community name, the interface between the SNMP agent and the SNMP server needs to be secured via IPsec.

Effects on Other Products

Any server (with the exception of the Survival Authority) that uses SNMP to retrieve information from OpenScape Voice or to set information in OpenScape Voice also has to change the read and write community names.


SNMP Community Names on OpenScape Voice

NOTE: Avoid using any UNIX special characters (e.g., ampersand (&), semicolon (;), etc.) when changing the SNMP community string, as these characters may cause translation errors.

NOTE: To change the SNMP community name string to meet site security requirements, it is strongly recommended that you contact your next level of support before attempting the following procedures.
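A pre-check for a proposed community string, added here as an example and not part of the product or the checklist: it flags the factory defaults named above (compared case-insensitively, since the document spells the RW default both "SENsnmp" and "SENSnmp"), the 64-character CLI limit, non-ASCII input and the UNIX special characters the note warns about. The full set of special characters and the minimum-strength rule are assumptions; the note only names '&' and ';'.

```python
import re

# Factory defaults from the checklist, lower-cased for case-insensitive matching.
DEFAULT_COMMUNITIES = {"senread", "sensnmp"}
MAX_LENGTH = 64          # limit shown by the CLI prompt in the procedure
# Characters to reject: the two named in the note plus the usual shell
# metacharacters (assumption; extend to match the local platform).
UNSAFE_CHARS = set("&;|<>`$\"'\\*?()[]{}!#~ \t\r\n")
MIN_LENGTH = 12          # assumed local policy, not a product requirement

def check_community_string(value: str) -> list:
    """Return a list of problems for a proposed community string (empty = acceptable)."""
    problems = []
    if not value:
        return ["empty string"]
    if value.lower() in DEFAULT_COMMUNITIES:
        problems.append("factory default community name is well known")
    if len(value) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if any(ord(c) > 127 for c in value):
        problems.append("contains non-ASCII characters")
    unsafe = sorted(c for c in set(value) if c in UNSAFE_CHARS)
    if unsafe:
        problems.append("contains UNIX special characters: "
                        + " ".join(repr(c) for c in unsafe))
    strong = (len(value) >= MIN_LENGTH and re.search(r"[a-z]", value)
              and re.search(r"[A-Z]", value) and re.search(r"[0-9]", value))
    if not strong:
        problems.append(f"weak: use at least {MIN_LENGTH} characters mixing upper case, "
                        "lower case and digits (assumed local policy)")
    return problems

def audit_community_pair(read_only: str, read_write: str) -> dict:
    """Audit the RO and RW names together; they must also differ from each other."""
    report = {"read_only": check_community_string(read_only),
              "read_write": check_community_string(read_write),
              "pair": []}
    if read_only == read_write:
        report["pair"].append("RO and RW community names are identical")
    return report

def is_acceptable(report: dict) -> bool:
    return not any(report.values())

if __name__ == "__main__":
    # Constructed values: the shipped defaults and a replacement pair.
    for ro, rw in [("SENread", "SENsnmp"), ("R0adm1nX7Kq2L", "Wr1teK9pQz4Mv")]:
        rep = audit_community_pair(ro, rw)
        print(ro, rw, "OK" if is_acceptable(rep) else rep)
```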

Changing the Community String for the Emanate Master Agent

In V5 (and later releases), you may change community strings with the use of the CLI. In order to use startCli, follow the procedure below:

1. Login to CLI as: sysad
Node1:/home/sysad (62> startCli
2. Navigate to menu 6 > 1 > 9 > 2
3. Change the read-only/read-write community strings as shown below:
SNMP Management (methods):
Display SNMP Configuration.....................1
Modify SNMP Configuration......................2
Return..................................99
Selection (default: 1): 2

*** Modify SNMP community String ***
Enter Read-only SNMP community String: <Any ASCII string (max length: 64)> (default: SENread):
Enter Read-write SNMP community String: <Any ASCII string (max length: 64)> (default: SENSnmp):
Do you want to execute this action? <y/n> (default: yes):
Checking connection with grd404n1.
Checking connection with grd404n2.
Backing up original configuration file.
Copying new configuration file to grd404n1.
Copying new configuration file to grd404n2.
Please wait. Applying new configuration on grd404n1.
Please wait. Applying new configuration on grd404n2.
Validating new configuration
Done.
4. Navigate to menu 6 > 1 > 9 > 2 to display the SNMP configuration for verification purposes.

Restarting the EMANATE Master SNMP Agent

Once the community string has been modified, you must restart the EMANATE Master SNMP agent. This must be done every time the SNMP community strings are modified in order for the changes to take effect. To restart the master agent:

NOTE: Duplex OpenScape Voice systems must restart the master agent on both nodes.

1. Log in as the superuser: su
2. Enter the following command:
cd /etc/init.d
3. Enter the following command:
./snmpdm stop
4. Enter the following command:
./snmpdm start

3.3.8 Securing SOAP Signaling

The OpenScape Voice allows configuration changes to be made via the SOAP interface. SOAP applications should use one of two mechanisms to secure this interface:

• Secure the connection between the SOAP client and the SOAP server via IPsec. This allows connecting to the TCP SOAP server ports.

• Secure the connection between the SOAP client and the SOAP server by connecting to the TLS SOAP server ports.

NOTE: The OpenScape Voice firewall must be opened to allow SOAP clients other than the Assistant to connect.


3.3.8.1 Securing SOAP Signaling via IPsec

SOAP Clients that do not support TLS can connect to OpenScape Voice via TCP
with a secure IPsec connection.

The unsecure SOAP Server ports are 8767-8770.

CL-OSV-Secure_SOAP_Signaling_via_IPsec    Secure SOAP Signaling via IPsec
Measures                        Secure TCP SOAP Clients (such as the Common Management Portal) with IPsec.
                                NOTE: The communication between the OpenScape Voice Server and the Common Management Portal can also be secured using TLS.
References                      OSV V7 Service Manual: Installation and Upgrades
Needed Access Rights            administrator
Executed                        Yes:   No:
Customer Comments and Reasons

The ports can be checked using the CLI or the Display of Rtp parameters using
the Assistant:

• Srx/Subp/Port for the first available port

• Srx/Subp/NumberOfInstances for the number of available ports

When changing any of the above RTP parameters, the soapserver process on each node needs to be stopped and started. Expert CLI examples follow:
CLI> procStopProcess "soapServer01"
...wait a few seconds for it to shut down.
CLI> procStartConfiguredProcess "soapServer01"
In a duplex configuration, be sure to restart the process on node 2. Expert CLI examples follow:
CLI> procStopProcess "soapServer02"
...wait a few seconds for it to shut down.
CLI> procStartConfiguredProcess "soapServer02"

From the CLI menu, make the following selections:
5…1…8 (to stop the process)
5…1…6 (to start the process)

Additional Information for Settings
Refer to Section 3.3.5, “Turn on IPsec Between Servers”, on page 19.

3.3.8.2 Securing SOAP Signaling via TLS

SOAP Clients that support TLS can connect to OpenScape Voice via TLS instead
of TCP with IPsec connection.

CL-OSV-Secure_SOAP_Signaling_via_TLS      Secure SOAP Signaling via TLS
Measures                        Secure SOAP Clients that support establishing TLS connections with TLS.
References                      OSV V7 Service Manual: Installation and Upgrades
Needed Access Rights            administrator
Executed                        Yes:   No:
Customer Comments and Reasons

Additional Information for Settings

The starting port for SOAP TLS can be verified via the CLI (CLI: 1,1).
Use Option 2 to verify the value for RTP Parameter:
Srx/Subp/StartingPortForTLS

The secure SOAP server ports are 8757 - 8760.

The number can be changed using CLI (to up to 4 ports) or via the Assistant:

• Srx/Subp/NumberOfInstancesWithTLS

Default server port is 8757, defined with

• Srx/Subp/StartingPortWithTLS

Per default, only the default port is active.


When changing any of the above RTP parameters, the soapserver process on each node needs to be restarted (CLI: 98):
CLI> procStopProcess "soapServer01"
...wait a few seconds for it to shut down.
CLI> procStartConfiguredProcess "soapServer01"
In a duplex configuration also:
CLI> procStopProcess "soapServer02"
...wait a few seconds for it to shut down.
CLI> procStartConfiguredProcess "soapServer02"

The menu commands are:
5…1…8 (to stop the process)
5…1…6 (to start the process)

3.3.9 Adding Authorization to SOAP

The SOAP server must be set up to authorize SOAP clients for limited access to the SOAP server.

CL-OSV-Adding_Authorization_to_SOAP       Add Authorization to SOAP
Measures                        Set up the SOAP server to authorize SOAP clients for limited access to the SOAP server.
References
Needed Access Rights            administrator
Executed                        Yes:   No:
Customer Comments and Reasons

Additional Information for Settings

Enabling the SOAP Authorization check is done via the CLI or the Assistant.
Via the CLI (CLI: 1,1):

• Use Option 2 to verify that the value for RTP Parameter Srx/Subp/Authorization is set to RtpTrue.

• Use Option 3 to set the value for RTP Parameter Srx/Subp/Authorization to RtpTrue if it is currently set to RtpFalse.


Via the Assistant:
Configuration > OpenScape Voice > Select Switch > Administration > General Settings > RTP
Check the parameter value for Parameter Srx/Subp/Authorization and modify it to RtpTrue if it is currently set to RtpFalse.
Authorization can then be added for each SOAP client via the OpenScape Voice Assistant. SOAP clients are identified via their IP address.
To authorize SOAP clients for limited access to OpenScape Voice:

• Login to the Common Management Portal and navigate to:
Configuration > OpenScape Voice > Select Switch > Administration > General Settings > SOAP/XML Client > Add >

• Enter all required information and Save.

3.3.10 Firewalling the SOAP Clients

By default, OpenScape Voice blocks all admin traffic via the firewall. To allow a SOAP client to connect, the firewall must be opened for the SOAP client.

CL-OSV-Firewalling_SOAP_Clients           Firewall the SOAP Clients
Measures                        Open firewall for authorized SOAP Clients
References
Needed Access Rights            administrator
Executed                        Yes:   No:
Customer Comments and Reasons

3.3.11 Securing the IMM or IRMC Access

The Intel IMM card is used by the IBM x3250 and IBM x3550 platforms for remote access. The iRMC card is used by the FTS RX200 and FSC RX330 platforms for remote access.


3.3.11.1 Change the Default Passwords for the IMM/iRMC Card

By default, the IMM/iRMC card is shipped with well known and well documented
default passwords.

CL-OSV-_Passwords_IMM/iRMC      Change the Default Passwords for the IMM/iRMC Card
Measures                        Change default passwords.
References                      Refer to the OpenScape Voice V7 Service Manual: Installation and Upgrades, section titled, “Changing the User ID and Password for the IMM/iRMC Account.”
Needed Access Rights            administrator
Executed                        Yes:   No:
Customer Comments and Reasons

Additional Information for Settings

Change the User ID and Password to the user name and password configured for the IMM/iRMC on the specified node. This must be completed for each node of the cluster.
CAUTION: Failure to complete this update for each cluster configuration will result in Communication Failure alarms and could cause a failure event resulting in one of the nodes in the cluster being shut down.

3.3.11.2 Deactivate Clear-Text Administration / Activate Encrypted Communication - FTS RX330S1 and RX200S6 Platforms

Overview

The iRMC User's Guide can be used as another reference for this procedure. To
find the latest version of this document go to:
http://manuals.ts.fujitsu.com/

At this URL a 'Quick Access' feature can be employed by entering irmc in the
Search by product parameter field. This typically results in 'Integrated Remote
Management Controller (iRMC)' being displayed for selection.

After selecting 'Integrated Remote Management Controller (iRMC)' click the arrow to the right of the Search by product parameter field. The next window presented will provide download options for iRMC User manuals. Be sure to select the manual appropriate to your server configuration.


The iRMC can be configured with a default CA Certificate, a self-signed Certificate, or a Certificate can be uploaded to the iRMC.

The procedure requires the rsa ip parameter of each node, or of the single node in the case of a simplex (or Low Cost) system.

NOTE: The node.cfg rsa ip parameter should only be changed by using the IFgui Update tool. For more details on the IFgui Update tool refer to the OSV Service Manual: Installation and Upgrades, Appendix titled, “Updating the Node.cfg File (Also Known as EZIP)”.

An example of a node.cfg query to resolve the rsa ip parameter of a node follows. This snapshot example is from a duplex V6 OSV running ps12E05.

To resolve the node 1 IP (rsa_1_ip):
root@bocast4a:[/etc/hiq8000] #116
# grep -i rsa_1_ip node.cfg
rsa_1_ip: 10.235.54.20
root@bocast4a:[/etc/hiq8000] #117
#
To resolve the node 2 IP (rsa_2_ip):
root@bocast4a:[/etc/hiq8000] #117
# grep -i rsa_2_ip node.cfg
rsa_2_ip: 10.235.54.21
root@bocast4a:[/etc/hiq8000] #118
#
Procedure for the FTS RX330S1 and RX200S6 platforms

a) Log into the iRMC by starting a Web browser and navigating to either
HTTPS://<iRMC_address>
Or, if HTTPS is not enabled, you will have to navigate to
HTTP://<iRMC_address>
where <iRMC_address> is the IP address that is specified in node.cfg by
the rsa_1_ip parameter.
Hint: Remember to repeat the procedure for node 2 of a duplex system.

b) Log in using the username/password configured for the IMM.

c) To upload a CA certificate or use a default certificate, select iRMC S2 then the Certificate Upload option in the left-hand pane as shown below. Select one of the options presented for the Certificate.

d) To generate a self-signed Certificate, select iRMC S2 then the Generate Certificate option in the left-hand pane as shown below. Populate the applicable fields, and click the Create button.

e) Once a Certificate is configured, select Network Settings then Ports and Services in the left-hand pane as shown below. The Force HTTPS box should be checked and the Telnet Enabled box should be unchecked. If you had to change either of these, click the Apply button.


f) For an OSV cluster, you will have to repeat the same actions using the IP
address specified in node.cfg by the rsa_2_ip parameter.

3.3.11.3 Deactivate Clear-Text Administration / Activate Encrypted Communication - IBM x3250M3, x3550M2 and x3550M3 platforms

Overview

The IBM Integrated Management Module User's Guide can be used as another
reference for this procedure. To find the latest version of this document or the IBM
white paper Transitioning to UEFI and IMM, go to:

http://www-947.ibm.com/systems/support/supportsite.wss/
docdisplay?lndocid=MIGR-5079770&brandind=5000008

or complete the following steps:

NOTE: Changes are made periodically to the IBM Web site. Procedures for
locating firmware and documentation might vary slightly from what is described in
this document.

1. Go to http://www.ibm.com/systems/support/.

2. Under Product support, click System x.

3. From the Product family list, select your server and click Go.

4. Under Support & downloads, click Documentation.

5. Under Product usage, select the Integrated Management Module User's Guide - IBM Servers link.

The IMM can be configured with a self-signed Certificate, or a Certificate can be uploaded to the IMM.

The procedure requires the rsa ip parameter of each node, or of the single node in the case of a simplex (or Low Cost) system.

NOTE: The node.cfg rsa ip parameter should only be changed by using the IFgui Update tool. For more details on the IFgui Update tool refer to the OSV Service Manual: Installation and Upgrades, Appendix titled, “Updating the Node.cfg File (Also Known as EZIP)”.

An example of a node.cfg query to resolve the rsa ip parameter of a node follows. This snapshot example is from a duplex V6 OSV running ps12E05.
To resolve the node 1 IP (rsa_1_ip):
root@bocast4a:[/etc/hiq8000] #116
# grep -i rsa_1_ip node.cfg
rsa_1_ip: 10.235.54.20
root@bocast4a:[/etc/hiq8000] #117
#
To resolve the node 2 IP (rsa_2_ip):
root@bocast4a:[/etc/hiq8000] #117
# grep -i rsa_2_ip node.cfg
rsa_2_ip: 10.235.54.21
root@bocast4a:[/etc/hiq8000] #118
#
Procedure for the IBM x3250M3, x3550M2 and x3550M3 platforms

a) Log into the IMM by starting a Web browser and navigating to either:
HTTPS://<IMM_address>
Or, if HTTPS is not enabled, you will have to navigate to:
HTTP://<IMM_address>
where <IMM_address> is the IP address that is specified in node.cfg by
the rsa_1_ip parameter.

b) Log in using the username/password configured for the IMM.

c) To generate a self-signed CA certificate or import/upload a Signed Certificate, select IMM Control then the Security option in the left-hand pane as shown below. Select one of the options presented in the section titled HTTPS Server Certificate Management.

• If the options are not displayed similar to what is shown below, set the
HTTPS Server drop-down box to Disabled and click the Save button
to the right of the box. The Certificate options should then be
displayed.


d) Use the snapshot that follows as a reference for this step. After the
Certificate has been generated or imported, use the drop-down box to set
the HTTPS Server option to Enabled and click the Save button to the right
of the box.

e) Use the snapshot that follows as a reference for this step. Select IMM Control then Network Protocols in the left-hand pane as shown. In the Network Protocols display scroll down to the Telnet Protocol. Select Disable from the drop-down menu list for the Telnet connection count. Scroll to the bottom of the window and select the Save button (located in the bottom right-hand corner).

f) For an OSV cluster, you will have to repeat the same actions using the IP
address specified in node.cfg by the rsa_2_ip parameter.


3.3.12 Securing the Signaling Interface

3.3.12.1 Activate TLS Signaling for SIP Subscribers

By default, SIP subscribers are generated using SIP signaling in clear-text via
TCP or UDP. Signaling should be encrypted using TLS provided the SIP
subscriber supports it.

CL-OSV-TLS_Signaling_for_SIP_Subscribers  Activate TLS Signaling for SIP Subscribers
Measures                        Set SIP Subscribers to TLS using the OpenScape Voice Assistant - branch offices and main office
References
Needed Access Rights            administrator
Executed                        Yes:   No:
Customer Comments and Reasons

Additional Information for Settings

Turn on TLS for SIP Signaling to the Subscribers. This setting can be controlled on a per subscriber basis.
Set SIP Subscribers to TLS using the OpenScape Voice Assistant.
For subscribers in branch offices:

1. Login to the Common Management Portal and navigate to:
Configuration > OpenScape Voice > Select switch > Business Group > Select Business Group > Select Branch Office > Members > Subscribers > Select Subscriber, click Edit > Connection tab > Set Transport Protocol to TLS >
2. Click: Save
For subscribers in the main office:

1. Login to the Common Management Portal and navigate to:
Configuration > OpenScape Voice > Select switch > Business Group > Select Business Group > Members > Subscribers > Select Subscriber, click Edit > Connection tab > Set Transport Protocol to TLS >
2. Click: Save


3.3.12.2 Activate TLS Keep-Alive for OpenStage Phones

Enable TLS Keep-Alive for OpenStage Phones

CL-OSV-TLS_Keep-Alive_for_OpenStage_Phones  Activate TLS Keep-Alive for OpenStage Phones
Measures                        Enable TLS Keep-Alive for OpenStage Phones
References
Needed Access Rights            administrator
Executed                        Yes:   No:
Customer Comments and Reasons

Additional Information for Settings

1. Set TLS Keep-Alive for OpenStage Phones using the OpenScape Voice Assistant. Login to the Common Management Portal and navigate to:
Configuration > OpenScape Voice > Select switch > Signaling Management > Digest authentication >

2. Select "Enable TLS Keep-Alive for OpenStage phones" in section "Transport Layer Security"

3. Click Save

3.3.13 Activate MTLS Signaling for SIP Endpoints

By default, SIP endpoints are generated using SIP signaling in clear-text via TCP or UDP. Signaling should be encrypted using mutual TLS provided the SIP endpoint supports it.

CL-OSV-MTLS_Signaling_for_SIP_Endpoints   Activate MTLS Signaling for SIP Endpoints
Measures                        Turn on MTLS for signaling to the Endpoints. This setting can be controlled on a per Endpoint basis.
References
Needed Access Rights            administrator
Executed                        Yes:   No:
Customer Comments and Reasons

Additional Information for Settings

Set SIP Endpoints to MTLS using the OpenScape Voice Assistant. Login to the Common Management Portal and navigate to:
Configuration > OpenScape Voice > Select switch
Endpoints can be created in business groups and globally.

• To set an endpoint in the business group to MTLS:
Business Group > Select Business Group > Select Branch Office > Members > Endpoints > Select Endpoint, click Edit > SIP tab > Set Transport Protocol to MTLS
Click Save

• To set a global endpoint to MTLS:
Global Translation and Routing > Endpoint Management > Endpoints > Select Endpoint, click Edit > SIP tab > Set Transport Protocol to MTLS
Click Save

3.3.14 Activate Digest Authentication to the SIP Subscribers and SIP Endpoints

By default, Digest Authentication is not activated after installation. This allows a hacker to register a phone using the phone number of any subscriber, and thus fake their identity. By assigning a unique login, password, and realm to each subscriber, a hacker will be discouraged from hijacking a user's identity.


CL-OSV-Digest_Authentication_to_SIP_Subscribers_andE_SIP_Endpoints  Activate Digest Authentication to the SIP Subscribers and SIP Endpoints
Measures                        Turn on Digest Authentication for SIP signaling to SIP Subscribers and SIP Endpoints. This setting is system-wide for SIP Subscribers and endpoint specific for SIP Endpoints.
References
Needed Access Rights            administrator
Executed                        Yes:   No:
Customer Comments and Reasons

Additional Information for Settings

Digest Authentication can be provisioned from the CLI and from the OpenScape Voice Assistant.
To activate digest authentication globally in the system, login to the Common Management Portal and navigate to:
OpenScape Voice > Select Switch > Administration > Signaling Management > Digest Authentication > Check Enable Authentication > Save
Assign a user name, an individual password, and a realm to each SIP subscriber, following the customer's password policy. Login to the Common Management Portal and navigate to:
Configuration > OpenScape Voice > Select switch > Business Group > Select Business Group > Select Branch Office > Members > Subscribers > Select Subscriber, click Edit > Security tab > Set Realm, User Name and Password > Save
SIP Endpoints that are not secured via MTLS must be provisioned for digest authentication. Login to the Common Management Portal and navigate to:
Configuration > OpenScape Voice > Select switch
Endpoints can be created in business groups and globally. To set digest authentication for an endpoint in the business group:
Business Group > Select Business Group > Select Branch Office > Members > Endpoints > Select Endpoint, click Edit > SIP tab / Security / Add … or Edit > Set Local and Remote Realm, User Name and Password. Local is used for challenges received from the peer endpoint and Remote is used for creating challenges towards the peer endpoint. > Save
To set digest authentication for a global endpoint:
Global Translation and Routing > Endpoint Management > Endpoints > Select Endpoint, click Edit > SIP tab / Security / Add … or Edit > Set Local and Remote Realm, User Name and Password. Local is used for challenges received from the peer endpoint and Remote is used for creating challenges towards the peer endpoint. > Save
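What the realm, user name and password provisioned above actually do in a SIP REGISTER, as an added worked example that is not code from OpenScape Voice: the verifying side issues a challenge, recomputes the digest from its own copy of the credentials and compares it in constant time, rejecting unknown users, wrong passwords and replayed nonces. The example assumes the plain RFC 2617 MD5 digest without qop; the realm, subscriber number and password are constructed values.

```python
import hashlib
import hmac
import secrets

def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """RFC 2617 digest without qop: MD5(HA1 ":" nonce ":" HA2).

    HA1 binds the user to the realm and password, HA2 binds the request method
    and URI, so a response is only valid for this user, realm, request and nonce.
    """
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")

class DigestVerifier:
    """Server-side view: per-subscriber credentials plus single-use nonces."""

    def __init__(self):
        self._creds = {}      # (realm, username) -> password
        self._nonces = set()  # nonces issued and not yet consumed

    def provision(self, realm: str, username: str, password: str) -> None:
        """Corresponds to setting Realm, User Name and Password on the Security tab."""
        self._creds[(realm, username)] = password

    def challenge(self, realm: str, nonce: str = None) -> dict:
        """Build the WWW-Authenticate parameters sent back in a 401 to a REGISTER."""
        nonce = nonce or secrets.token_hex(16)   # fixed nonce allowed for tests only
        self._nonces.add(nonce)
        return {"realm": realm, "nonce": nonce, "algorithm": "MD5"}

    def verify(self, realm: str, username: str, method: str, uri: str,
               nonce: str, response: str) -> bool:
        """Accept the Authorization header only if every binding checks out."""
        if nonce not in self._nonces:
            return False                          # never issued, or already used (replay)
        password = self._creds.get((realm, username))
        if password is None:
            return False                          # unprovisioned user or wrong realm
        expected = digest_response(username, realm, password, method, uri, nonce)
        if hmac.compare_digest(expected, response):
            self._nonces.discard(nonce)           # nonce is single use
            return True
        return False

if __name__ == "__main__":
    # Constructed subscriber: number 4711 in realm osv.example.test.
    v = DigestVerifier()
    v.provision("osv.example.test", "4711", "constructed-secret")
    ch = v.challenge("osv.example.test")
    resp = digest_response("4711", ch["realm"], "constructed-secret",
                           "REGISTER", "sip:osv.example.test", ch["nonce"])
    print("valid registration accepted:", v.verify(ch["realm"], "4711", "REGISTER",
                                                    "sip:osv.example.test", ch["nonce"], resp))
    print("same response replayed:", v.verify(ch["realm"], "4711", "REGISTER",
                                              "sip:osv.example.test", ch["nonce"], resp))
```

Because HA1 is the only part that depends on the password, a server can store HA1 instead of the clear-text password and still verify; that is a common hardening choice but not something the checklist states about OpenScape Voice.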

3.3.15 Activate Authentication of SIP Subscribers and SIP Endpoints behind Trusted Endpoints

OpenScape Voice allows SIP subscribers and SIP endpoints to be considered trusted as soon as they are communicating with OpenScape Voice through a trusted SIP proxy. This is not a recommended setting.

CL-OSV-Authentication_Behind_trusted_Endpoints  Activate Authentication of SIP Subscribers and SIP Endpoints behind Trusted Endpoints
Measures                        Enforce authentication of SIP Subscribers and SIP Endpoints behind SIP Proxies.
References                      OSV V7 Service Manual: Installation and Upgrades
Needed Access Rights            administrator
Executed                        Yes:   No:
Customer Comments and Reasons

Additional Information for Settings

Authentication of SIP Subscribers and SIP Endpoints behind SIP Proxies is done via the CLI (CLI: 1,1).
Use Option 2 to verify that the value for RTP parameter Srx/Sip/AuthTraverseViaHdrs is set to value RtpFalse.
Use Option 3 to set the value for RTP parameter Srx/Sip/AuthTraverseViaHdrs to value RtpFalse, if it is currently set to RtpTrue.
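The RTP parameter checks that this checklist spreads over several items (Srx/ttud/verification in 3.3.6, Srx/Subp/Authorization in 3.3.9, Srx/Sip/AuthTraverseViaHdrs in 3.3.15, and the SOAP port parameters in 3.3.8.1 and 3.3.8.2) collected into one audit, added here as an example and not code from OpenScape Voice. The real CLI output format is not shown in the document, so the "name = value" dump layout and the sample values are constructed; the parameter names and required values are the ones the checklist states.

```python
# Constructed sample of a parameter dump (assumed "name = value" layout).
SAMPLE_RTP_DUMP = """
# constructed sample, not real OpenScape Voice CLI output
Srx/ttud/verification = RtpFalse
Srx/Subp/Authorization = RtpTrue
Srx/Sip/AuthTraverseViaHdrs = RtpTrue
Srx/Subp/Port = 8767
Srx/Subp/NumberOfInstances = 4
Srx/Subp/StartingPortWithTLS = 8757
Srx/Subp/NumberOfInstancesWithTLS = 1
"""

# Checklist expectations: (parameter, required value, checklist item).
EXPECTED = [
    ("Srx/ttud/verification",       "RtpTrue",  "3.3.6 post-connection verification on"),
    ("Srx/Subp/Authorization",      "RtpTrue",  "3.3.9 SOAP authorization on"),
    ("Srx/Sip/AuthTraverseViaHdrs", "RtpFalse", "3.3.15 no implicit trust behind SIP proxies"),
]

def parse_rtp_dump(text: str) -> dict:
    """Parse 'name = value' lines into a dict; blank lines and # comments are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def soap_ports(params: dict) -> dict:
    """Derive the TCP and TLS SOAP listener ports from start port and instance count."""
    def port_range(start_key: str, count_key: str) -> list:
        start = int(params.get(start_key, 0))
        count = int(params.get(count_key, 0))
        return list(range(start, start + count)) if start and count > 0 else []
    return {
        "tcp": port_range("Srx/Subp/Port", "Srx/Subp/NumberOfInstances"),
        "tls": port_range("Srx/Subp/StartingPortWithTLS", "Srx/Subp/NumberOfInstancesWithTLS"),
    }

def audit_rtp(params: dict) -> list:
    """Return one finding per deviation from the checklist, plus port advisories."""
    findings = []
    for name, want, item in EXPECTED:
        got = params.get(name)
        if got is None:
            findings.append(f"{name}: not present in dump ({item})")
        elif got != want:
            findings.append(f"{name}: is {got}, must be {want} ({item})")
    ports = soap_ports(params)
    if ports["tcp"]:
        findings.append(f"TCP SOAP ports {ports['tcp'][0]}-{ports['tcp'][-1]} active: "
                        "clients using them must be protected by IPsec (3.3.8.1)")
    if not ports["tls"]:
        findings.append("no TLS SOAP port active (3.3.8.2)")
    return findings

if __name__ == "__main__":
    for finding in audit_rtp(parse_rtp_dump(SAMPLE_RTP_DUMP)):
        print("-", finding)
```

On the sample dump the audit reports the verification and proxy-trust parameters as deviating and notes the four TCP SOAP ports; it stays silent about Srx/Subp/Authorization, which is already RtpTrue.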


3.3.16 Securing Media Servers

Media Servers communicate via the MGCP protocol, which only supports the UDP transport type.

CL-OSV-Media_Servers            Securing Media Servers
Measures                        Secure Media Servers with IPsec.
References                      OSV V7 Service Manual: Installation and Upgrades
Needed Access Rights            administrator
Executed                        Yes:   No:
Customer Comments and Reasons

Additional Information for Settings

Please refer to OSV Service Manual: Installation and Upgrades, Appendix titled, “Configuring IPSec for MGCP Connections.”

3.3.17 Securing CSTA Applications

CSTA Applications only support the TCP transport type.

CL-OSV-CSTA_Applications        Securing CSTA Applications
Measures                        Configure IPSec for CSTA Connections
References                      OSV V7 Service Manual: Installation and Upgrades
Needed Access Rights            administrator
Executed                        Yes:   No:
Customer Comments and Reasons

Additional Information for Settings

Please refer to the OSV Service Manual: Installation and Upgrades, Appendix titled, “Configuring IPSec for CSTA Connections.”


3.4 Securing the Billing Interface

Billing files can be pushed securely by OpenScape Voice to a billing server, or pulled securely from OpenScape Voice by a billing client. The transfer of these files must be done using SFTP.

CL-OSV-Billing_Interface        Secure the Billing Interface
Measures                        Turn on SFTP for pushing billing files to a billing server.
References                      OSV V7 Service Manual: Installation and Upgrades
Needed Access Rights            administrator
Executed                        Yes:   No:
Customer Comments and Reasons

Additional Information for Settings

Turn on SFTP for pushing billing files to a billing server. When a billing client pulls billing files from OpenScape Voice, it must be configured to set up an SFTP session using the "cdr" account’s credentials.

Login to the Common Management Portal and navigate to:
Configuration > OpenScape Voice > Select switch > Administration > General Settings > CDR > General tab > Set the CDR Delivery Method to SPush > Enter username and password for Primary and possibly backup billing server > Save

3.5 Security Patches

This topic is the record for the installed security patches.

3.5.1 BIOS Security Updates

This table is the certificate for BIOS security updates.


CL-OSV-BIOS_Security_Update     Install Security Update
Measures                        Install Security update
References
Needed Access Rights            administrator
Executed                        Yes:   No:
Customer Comments and Reasons

3.5.2 OpenScape Voice Assistant Security Updates

This table is the certificate for the OSV Assistant security updates.

CL-OSV-OSV_Assistant_Security_Update      Install Security Update
Measures                        Install Security update
References
Needed Access Rights            administrator
Executed                        Yes:   No:
Customer Comments and Reasons
