Grandstream WP820 Security Guide

Grandstream Networks, Inc.

WP820

Enterprise Portable Wi-Fi Phone

Security Guide

Table of Contents

OVERVIEW
WEB UI/SSH ACCESS
    WP820 Web UI Access
    Web UI Access Protocols
    User Login
    User Management Levels
    SSH Access
DEVICE CONTROL SECURITY
    Configuration via Keypad Menu
SECURITY FOR SIP ACCOUNTS AND CALLS
    Protocols and Ports
    Anonymous/Unsolicited Calls Protection
    SRTP
NETWORK SECURITY
    OpenVPN®
    802.1x
    Bluetooth
SECURITY FOR WP820 SERVICES
    Provisioning via Configuration File
    Firmware Upgrading
    TR-069
    LDAP
    Syslog
SECURITY GUIDELINES FOR WP820 DEPLOYMENT


Table of Figures

Figure 1: Web UI Access Settings
Figure 2: WP820 Web UI Login
Figure 3: WP820 Admin Password Change
Figure 4: Admin (left) and User (right) Web Access
Figure 5: SSH Access on WP820
Figure 6: Limit Access to Advanced Settings and Apps on LCD
Figure 7: Configure TLS as SIP Transport
Figure 8: SIP TLS Settings on WP820
Figure 9: Additional SIP TLS Settings
Figure 10: Settings to Block Anonymous Call
Figure 11: Settings to Block Unwanted Calls
Figure 12: SRTP Settings
Figure 13: OpenVPN® Settings
Figure 14: OpenVPN® for Secure Network Access
Figure 15: EAP Method Settings
Figure 16: 802.1X for WP820 Deployment
Figure 17: WP820 Config File Provisioning
Figure 18: Validate Certification Chain
Figure 19: Certificate Management
Figure 20: WP820 Firmware Upgrade Configuration
Figure 21: Validate Certification Chain
Figure 22: Certification Management
Figure 23: TR-069 Connection Settings Page
Figure 24: WP820 LDAP Settings
Figure 25: Syslog Protocol


OVERVIEW

This document summarizes the security measures, factors, and configurations that users should consider when configuring and deploying the WP820.

Note: We recommend using the latest firmware to get the latest security patches.

The following sections are covered in this document:

Web UI/SSH Access

Web UI access is protected by username/password and a login timeout. Two-level user management is configurable. SSH access is supported mainly for troubleshooting, and it is recommended to disable it in normal usage.

Device Control Security

The WP820 has multiple ways to limit access to network settings, and to other settings that the end user does not need.

Security for SIP Accounts and Calls

The SIP accounts use specific ports for signaling and media stream transmission. The WP820 also offers configurable options to block anonymous calls and unsolicited calls.

Network Security

The WP820 supports OpenVPN, 802.1X and Bluetooth. OpenVPN secures remote connections and 802.1X provides network access control. For Bluetooth, it is recommended to turn it off if not used.

Security for WP820 Services

The WP820 supports services such as HTTP/HTTPS/TFTP provisioning, TR-069 and LDAP. For provisioning, we recommend using HTTPS with username/password and a password-protected XML file. For services such as ADB and FTP, we recommend disabling them if not used, to avoid potential port exposure.

Deployment Guidelines for WP820

This section introduces the protocols and ports used on the WP820 and gives recommendations for router/firewall settings.

This document is subject to change without notice.

Reproduction or transmittal of the entire or any part, in any form or by any means, electronic or print, for any purpose without the express written permission of Grandstream Networks, Inc. is not permitted.


WEB UI/SSH ACCESS

WP820 Web UI Access

The WP820 embedded web server responds to HTTP/HTTPS GET/POST requests. Embedded HTML pages allow users to configure the device through a web browser such as Microsoft IE, Mozilla Firefox, Google Chrome etc. With this, administrators can access and configure all available WP820 information and settings. It is critical to understand the security risks involved when placing the WP820 phone on public networks and it is recommended not to do so.

Web UI Access Protocols

HTTP and HTTPS are supported to access the WP820 web UI and can be configured under web UI System Settings → Security Settings → Web/SSH Access. To secure transactions and prevent unauthorized access, it is highly recommended to:

1. Use HTTPS instead of HTTP.

2. Avoid using well-known port numbers such as 80 and 443.

Figure 1: Web UI Access Settings


User Login

A username and password are required to log in to the WP820 web UI.

Figure 2: WP820 Web UI Login

The factory default username is “admin” and the default password is “admin”. The WP820 web UI requires the default password to be changed at first login.

Figure 3: WP820 Admin Password Change

To change the password for the default user "admin", navigate to System Settings → Security Settings → User Info Management. The password length must be between 6 and 32 characters. A strong password combining numbers, uppercase letters, lowercase letters, and special characters is always recommended for security purposes.


User Management Levels

Two user privilege levels are currently supported:

Admin

User

Admin login has access to all of the WP820’s web UI pages and can execute all available operations. User login has limited access to the web UI pages. With user login, the user is not allowed to configure the following settings:

Account Settings

Phone Settings → General Settings / Ringtone / Video Settings

Network Settings → Advanced Network Settings

System Settings → TR069

Maintenance → Upgrade / Event Notification

Value-added Service

Even where user login can access certain web UI pages, it has fewer options than admin login, such as on the System Settings → Security Settings page.

It is recommended to keep admin login with the administrator only. End users should be provided with user-level login only, if web UI access is needed.

Figure 4: Admin (left) and User (right) Web Access


SSH Access

The WP820 allows access via SSH for advanced troubleshooting. This is usually not needed unless the administrator or Grandstream support requires it for troubleshooting. SSH access on the WP820 is enabled by default on port 22. It is recommended to disable it for normal daily usage. If SSH access needs to be enabled, changing the port to something other than the well-known port 22 is good practice.

Figure 5: SSH Access on WP820
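
An added example, not part of Grandstream's guide: a Python check an administrator can run against a phone they manage to confirm the Web UI Access Protocols and SSH Access recommendations above. It assumes any listener on 80/443 or on the configured web port is the web UI; the host 192.0.2.10 and port 8443 are placeholders, and the names probe and audit are illustrative.

```python
import socket
import ssl

WELL_KNOWN_WEB = {80, 443}  # ports the guide says to avoid for the web UI
DEFAULT_SSH = 22            # SSH port enabled by default per the guide


def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'closed', 'tls' or 'no-tls'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, filtered or unreachable
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # only detecting TLS here,
    ctx.verify_mode = ssl.CERT_NONE  # not authenticating the phone
    try:
        with ctx.wrap_socket(sock):
            return "tls"
    except OSError:  # ssl.SSLError and timeouts are OSError subclasses
        return "no-tls"  # open, but no TLS handshake completed
    finally:
        sock.close()


def audit(host, web_port, probe_fn=probe):
    """List deviations from the guide's web UI and SSH recommendations."""
    issues = []
    for port in sorted(WELL_KNOWN_WEB | {web_port}):
        state = probe_fn(host, port)
        if state == "closed":
            continue
        if state == "no-tls":
            issues.append(f"{port}/tcp open without TLS: set access to HTTPS")
        if port in WELL_KNOWN_WEB:
            issues.append(f"{port}/tcp is a well-known port: move the web UI")
    if probe_fn(host, DEFAULT_SSH) != "closed":
        issues.append("22/tcp open: disable SSH, or move it if it must stay on")
    return issues


if __name__ == "__main__":
    # 192.0.2.10 and 8443 are placeholders: use a phone you administer.
    for issue in audit("192.0.2.10", 8443):
        print(issue)
```

An empty result means the phone answers only over TLS on a non-default web port and port 22 is closed. A 'no-tls' result also covers a TLS handshake that this client rejected, so confirm the access mode in the web UI before concluding that HTTP is in use.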
