Grandstream GXV3370, GXV3380, GXV3350 Security Guide
Grandstream Networks, Inc.
GXV3370/GXV3380/GXV3350
IP Video Phones with AndroidTM
Security Guide
Table of Contents |
|
OVERVIEW..................................................................................................................... |
3 |
WEB UI/SSH ACCESS ................................................................................................... |
4 |
GXV33XX Web UI Access.................................................................................................................... |
4 |
Web UI Access Protocols ..................................................................................................................... |
4 |
User Login ............................................................................................................................................ |
5 |
User Management Levels .................................................................................................................... |
6 |
SSH Access.......................................................................................................................................... |
7 |
DEVICE CONTROL SECURITY ..................................................................................... |
8 |
GUI Config Tool Settings ...................................................................................................................... |
9 |
SECURITY FOR SIP ACCOUNTS AND CALLS .......................................................... |
10 |
Protocols and Ports ............................................................................................................................ |
10 |
Anonymous/Unsolicited Calls Protection ........................................................................................... |
12 |
SRTP .................................................................................................................................................. |
14 |
NETWORK SECURITY................................................................................................. |
15 |
OpenVPN®.......................................................................................................................................... |
15 |
802.1X ................................................................................................................................................ |
17 |
Bluetooth ............................................................................................................................................ |
18 |
PC Port Mode ..................................................................................................................................... |
18 |
SECURITY FOR GXV33XX SERVICES ....................................................................... |
19 |
Provisioning via Configuration File ..................................................................................................... |
19 |
Firmware Upgrading ........................................................................................................................... |
21 |
TR-069................................................................................................................................................ |
22 |
FTP Server ......................................................................................................................................... |
23 |
ADB Service ....................................................................................................................................... |
23 |
LDAP .................................................................................................................................................. |
24 |
Syslog ................................................................................................................................................. |
24 |
SECURITY GUIDELINES FOR GXV33XX DEPLOYMENT.......................................... |
25 |
P a g e | 1
GXV33XX Security Guide
Table of Figures |
|
Figure 1: Web UI Access Settings................................................................................................................. |
4 |
Figure 2: GXV3370 Web UI Login................................................................................................................. |
5 |
Figure 3: GXV33XX Admin Password Change on first login ........................................................................ |
5 |
Figure 4: Change the default password ........................................................................................................ |
6 |
Figure 5: Admin (left) and User (right) Web Access...................................................................................... |
7 |
Figure 6: SSH Access on GXV33XX............................................................................................................. |
7 |
Figure 7: Limit Access to Advanced Settings and Apps on LCD................................................................... |
8 |
Figure 8: GUI Config Tool Settings GUI ........................................................................................................ |
9 |
Figure 9: Cust File Provision Page ............................................................................................................... |
9 |
Figure 10: Configure TLS as SIP Transport ................................................................................................ |
10 |
Figure 11: SIP TLS Settings on GXV33XX ................................................................................................. |
11 |
Figure 12: Additional SIP TLS Settings ....................................................................................................... |
11 |
Figure 13: Settings to Block Anonymous Call ............................................................................................. |
12 |
Figure 14: Settings to Block Unwanted Calls .............................................................................................. |
13 |
Figure 15: SRTP Settings ........................................................................................................................... |
14 |
Figure 16: OpenVPN® for Secure Network Access..................................................................................... |
15 |
Figure 17: OpenVPN® Settings ................................................................................................................... |
15 |
Figure 18: 802.1X for GXV33XX Deployment............................................................................................. |
17 |
Figure 19: 802.1X Settings.......................................................................................................................... |
17 |
Figure 20: GXV33XX PC Port Mode ........................................................................................................... |
18 |
Figure 21: GXV33XX Config File Provisioning............................................................................................ |
19 |
Figure 22: Validate Certification Chain........................................................................................................ |
20 |
Figure 23: Certificate Management............................................................................................................. |
20 |
Figure 24: GXV33XX Firmware Upgrade Configuration ............................................................................. |
21 |
Figure 25: TR-069 Connection Settings Page ............................................................................................ |
22 |
Figure 26: File Manager App - FTP Service................................................................................................ |
23 |
Figure 27: Access Device through ADB ...................................................................................................... |
23 |
Figure 28: LDAP Settings............................................................................................................................ |
24 |
Figure 29: Syslog Protocol .......................................................................................................................... |
24 |
|
P a g e | 2 |
GXV33XX Security Guide |
|
OVERVIEW
This document presents a summary of security measures, factors, and configurations that users are recommended to consider when configuring and deploying the GXV3370/GXV3380/GXV3350.
Note: We recommend using the latest firmware for latest security patches.
The following sections are covered in this document:
•Web UI/SSH Access
Web UI access is protected by username/password and login timeout. Two-level user management is configurable. SSH access is supported for mainly troubleshooting purpose and it’s recommended to disable it in normal usage.
•Device Control Security
The GXV33XX has multiple ways to limit the use for network settings, apps, and other settings if not necessary for the end user.
•Security for SIP Accounts and Calls
The SIP accounts use specific port for signaling and media stream transmission. It also offers configurable options to block anonymous calls and unsolicited calls.
•Network Security
The GXV33XX supports OpenVPN, 802.1X, Bluetooth and PC port for network access. OpenVPN secures remote connection and 802.1X provides network access control. For Bluetooth and PC port, it’s recommended to turn them off if not used.
•Security for GXV33XX Services
GXV33XX supports service such as HTTP/HTTPS/TFTP provisioning, TR-069, LDAP, as well as allows ADB and FTP access. For provisioning, we recommend using HTTPS with username/password and using password-protected XML file. For services such as ADB and FTP, we recommend disabling them if not used to avoid potential port exposure.
•Deployment Guidelines for GXV33XX
This section introduces protocols and ports used on GXV33XX and recommendations for routers/firewall settings.
This document is subject to change without notice.
Reproduction or transmittal of the entire or any part, in any form or by any means, electronic or print, for any purpose without the express written permission of Grandstream Networks, Inc. is not permitted.
P a g e | 3
GXV33XX Security Guide
WEB UI/SSH ACCESS
GXV33XX Web UI Access
The GXV3370/GXV3380/GXV3350 embedded web server responds to HTTP/HTTPS GET/POST requests. Embedded HTML pages allow users to configure the device through a web browser such as Microsoft IE, Mozilla Firefox, Google Chrome and etc. With this, administrators can access and configure all available GXV33XX information and settings. It is critical to understand the security risks involved when placing the GXV33XX phone on public networks and it’s recommended not to do so.
Web UI Access Protocols
HTTP and HTTPS are supported to access the GXV3370/GXV3380/GXV3350 web UI and can be configured under web UI → System Settings → Security Settings → Web/SSH Access. To secure transactions and prevent unauthorized access, it is highly recommended to:
1.Use HTTPS instead of HTTP.
2.Avoid using well known port numbers such as 80 and 443.
Figure 1: Web UI Access Settings
P a g e | 4
GXV33XX Security Guide
User Login
Username and password are required to log in the GXV3370/GXV3380/GXV3350 web UI.
Figure 2: GXV3370 Web UI Login
Notes :
•The factory default username for GXV3370/GXV3380 is “admin” and the default password is “admin”.
•For the GXV3350 The default administrator username is “admin” and the default random password can be found at the sticker on the GXV3350.
The GXV3370 web UI require to change the default password at first time login.
Figure 3: GXV33XX Admin Password Change on first login
To change the password for default user "admin", navigate to System Settings → Security Settings → User Info Management. The password length must between 6 and 32 characters. Strong password with a combination of numbers, uppercase letters, lowercase letters, and special characters is always recommended for security purpose:
P a g e | 5
GXV33XX Security Guide
Figure 4: Change the default password
User Management Levels
Two user privilege levels are currently supported:
•Admin
•User
Admin login has access to all of the GXV3370/GXV3380/GXV3350’s entire web UI pages and can execute all available operations. User login has limited access to the web UI pages.
With user login, it is not allowed to configure the following settings:
•Account Settings
•Phone Settings → General Settings / Ringtone / Video Settings
•Network Settings → Advanced Network Settings
•System Settings → TR069
•Maintenance → Upgrade / Event Notification
•Value-added Service
Even if user login can access certain web UI pages, it has less options compared to admin login, such as in System Settings → Security Settings page.
It is recommended to keep admin login with administrator only. And end user should be provided with userlevel login only, if ever they need web UI access.
P a g e | 6
GXV33XX Security Guide
Figure 5: Admin (left) and User (right) Web Access
SSH Access
The GXV3370/GXV3380/GXV3350 allows access via SSH. This is usually not needed unless the administrator or Grandstream support needs it for troubleshooting purpose. SSH access on GXV33XX is enabled by default with port 22 used. It’s recommended to disable it for daily normal usage. If SSH access needs to be enabled, changing the port to a different port other than the well-known port 22 is a good practice.
Figure 6: SSH Access on GXV33XX
P a g e | 7
GXV33XX Security Guide
DEVICE CONTROL SECURITY
From GXV3370/GXV3380/GXV3350 web UI → System Settings → Security Settings → Web/SSH Access, administrator can set whether the user can use specific features or install apps from LCD, shown as below.
Figure 7: Limit Access to Advanced Settings and Apps on LCD
|
|
|
|
|
|
Configures access control for keypad Menu settings on the Settings |
|
|
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
interface of the phone. |
|
|
|
|
|
|
|
|
|
• |
Unrestricted (default): configure all settings on the Settings |
|
|
|
|
|
|
|
|
|
interface; |
|
|
|
|
|
|
|
|
• |
Basic Settings Only: The Advanced Settings option will not be |
|
|
|
|
Configuration via |
|
|
|
|
displayed; |
|
|
|
|
|
|
|
• Basic Settings & Network Settings: Only the Advanced Settings |
|
|
||
|
|
Keypad Menu |
|
|
|
|
|
||
|
|
|
|
|
|
option will not be displayed |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
• Constraint Mode (Recommended): users need to input admin user |
|
|
|
|
|
|
|
|
|
|
password to configure Wireless & Network and Advanced Settings. |
|
|
|
|
|
|
|
|
Note: When access control for keypad is limited to “Basic Settings Only” |
|
|
|
|
|
|
|
|
|
or “Constraint Mode”, the Admin authentication will be mandatory to start |
|
|
|
|
|
|
|
|
|
Factory Reset process. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
Configures the permissions for users to install/uninstall the applications. |
|
|
|
|
|
|
|
|
|
• If set to "Allow" (default), the user is free to install/uninstall third-party |
|
|
|
|
|
|
|
|
|
|
apps. |
|
|
|
|
|
|
|
|
• If set to "Require admin password", the user need to input the |
|
|
|
|
|
Permission to |
|
|
|
|
correct administrator password to install/uninstall third-party apps. |
|
|
|
|
|
|
|
• |
If set to "Require admin password if the app source is unknown", |
|
|
|
|
|
Install/Uninstall Apps |
|
|
|
|
|
||
|
|
|
|
|
|
|
the user need to input admin password only when install apps from |
|
|
|
|
|
|
|
|
|
unknown source, administrator password authentication is required |
|
|
|
|
|
|
|
|
|
when the user uninstall third-party apps. |
|
|
|
|
|
|
|
|
• If set to "Not allow" (Recommended), the user cannot install/uninstall |
|
|
|
|
|
|
|
|
|
|
third-party apps. |
|
|
|
|
|
|
|
|
|
|
|
|
P a g e | 8
GXV33XX Security Guide
Loading...