Security Checklist
Planning Guide
A31003-C1010-P101-6-76A9
Provide feedback to further optimize this document to edoku@unify.com.
As a reseller, please address further presales-related questions to the responsible presales organization at Unify or at your distributor. For specific technical inquiries you may use the support knowledgebase, raise a ticket via our partner portal (if a software support contract is in place), or contact your distributor.
unify.com
Contents
1. Introduction ..... 5
1.1. History of Change ..... 5
1.2. General Remarks ..... 5
1.3. Security Strategy for Unify Products ..... 6
1.4. Customer Deployment - Overview ..... 8
2. OpenScape Desk Phone CP Interfaces and Ports ..... 9
3. Phone Hardening Measures at a Glance ..... 11
3.1. Phone Hardening Measures for OpenScape Desk Phone CP SIP and OpenScape Desk Phone CP HFA ..... 11
3.2. Additional Hardening Measures for OpenScape Desk Phone CP SIP ..... 12
3.3. Additional Hardening Measures for OpenScape Desk Phone CP HFA ..... 12
4. Phone Hardening Measures ..... 13
4.1. Install latest ("up-to-date") OpenScape Desk Phone CP Phone Software ..... 13
4.2. Secure Administration Access to the Phone ..... 13
4.2.1. Harden Local Phone Admin Access ..... 14
4.2.2. Harden Local Phone User Access ..... 14
4.2.3. Harden DLS Interface to the Phone ..... 17
4.2.4. Harden Software Deployment and File Download to the Phone ..... 18
4.3. Configure Password Policy and Passwords ..... 19
4.4. Authentication of Phone at SIP Server (OpenScape Desk Phone CP SIP only) ..... 20
4.4.1. Harden Phone to use Digest Authentication (OpenScape Desk Phone CP SIP only) ..... 20
4.5. Secure Signalling and Voice Access to the Phone (OpenScape Desk Phone CP SIP only) ..... 21
4.5.1. Harden Signalling to Secure Signalling (OpenScape Desk Phone CP SIP only) ..... 21
4.5.2. Harden Phone to use Secure (Encrypted) Voice (OpenScape Desk Phone CP SIP only) ..... 23
4.6. Secure Signalling and Voice Access to the Phone (OpenScape Desk Phone CP HFA only) ..... 24
4.6.1. Harden Connection to HFA Gateway (OpenScape Desk Phone CP HFA only) ..... 24
4.6.2. Harden Phone to use Signalling and Payload Encryption (OpenScape Desk Phone CP HFA only) ..... 25
4.7. Secure Interfaces and Services to the Phone ..... 26
4.7.1. PC Port ..... 26
4.7.2. CCE Interface ..... 27
4.7.3. Key Module ..... 28
4.7.4. SD Card ..... 28
4.7.5. Remote Call Control (CSTA) ..... 29
4.7.6. Bluetooth Access ..... 30
4.7.7. LDAP ..... 31
4.7.8. Microsoft® Exchange Server ..... 32
4.7.9. CSTA Server ..... 33
4.7.10. BroadSoft BroadWorks Servers ..... 35
4.7.11. Circuit by Unify Server ..... 37
4.7.12. Web Services Interface to OpenScape Business ..... 38
4.8. Secure Access to Network (Use IEEE 802.1x Access Control) ..... 40
4.8.1. Enable 802.1x ..... 41
5. Administration ..... 42
5.1. System Access ..... 42
5.1.1. Serial Interface Access ..... 42
5.2. Remote Administration ..... 43
5.3. Web Services ..... 43
5.4. Monitoring via SNMP ..... 44
5.5. Diagnostics ..... 45
1. Introduction
– During operation
2. During installation and during major enhancements or software upgrade activities:
The customer-specific Product Security Checklists are used by a technician to apply and/or control the security settings of every individual product.
For more information about the Unify product security strategy, please refer to the relevant Security Policies [3], [4], [5], [6], [7].
In the way we at Unify define a secure product, our products are not secure in themselves, but they can be installed, operated and maintained in a secure way. The level of product security is to be determined by the customer.
The information needed for that is compiled in the Product Security Checklist.
For OpenScape Desk Phone CP SIP and OpenScape Desk Phone CP HFA, this document is the Product Security Checklist.
(Contact details, to be filled in for Customer and Supplier)
Company: Customer: ________ Supplier: ________
Name: Customer: ________ Supplier: ________
Address: Customer: ________ Supplier: ________
Telephone: Customer: ________ Supplier: ________
Open issues to be resolved until: Customer: ________ Supplier: ________
Date: Customer: ________ Supplier: ________
• Set passwords and apply password policy (Password and PIN Policies chapter 6.2)
– Apply password policy as recommended
– Set minimum password length
– Modify default admin password
– Set user password
• Enable IEEE 802.1x in the network and at the phone by installing the appropriate certifications
• Interfaces / Ports
– Disable factory reset via hooded claw
– Enable remote trace only when needed
– Enable PC port only when required
– Enable SSH access only when required
– Disable WBM access if not needed
– Enable SNMP only if required
– Secure Serial Interface Access (refer to chapter 5.1.1)
– Disable SD card access if not needed
– Use TLS encryption for LDAP
• Circuit by Unify
– Deploy Server CA Certificates and enable checking
• Interfaces / Ports
– Enable CSTA/ CTI access only when required
– Disable Bluetooth if not needed
– Use TLS encryption and authentication for CSTA server
• Send URL
– Use HTTPS for Send URL applications
– Deploy Server CA Certificates and enable checking
Phone Types:
Customer Comments / Reasons. If some measures are not executed then please explain here:
CL-Secure Admin Access
Measure:
• Set up the password policy for the Admin password
• Set a secure Admin password for each phone
• If not needed, disable local administration access at the phone. This can only be done using DLS
• Disable Hooded Claw for factory reset
References:
See Chapter 6.2 for setting the password policy
See Phone Administration Manual, chapter on Security -> Password Policy
Needed Access Rights: Admin Access
Applicable: CP20X/400/600 SIP and CP20X/400/600 HFA
Executed:
Setup Generic Admin Password Policy: Yes: [ ] No: [ ]
– Particular configuration items can be locked down by configuration of the data constraints in the DLS
– User access to the User menus can be disabled. The user can still set forwarding and configure the programmable FPK keys, but access to individual user settings is disabled.
IF THE LOCAL USER ACCESS IS DISABLED THEN THE PHONE LOCK FEATURE WILL NOT WORK
• If the customer's security policy is to prevent access to information about the phone setup, such as the IP address being used, then access to the diagnostic data should be disabled.
CL-Secure User Access
Measure:
• Set up the password policy for the User password
• Set an individual User password for each phone
• Set Phone Lock ON
• Lock down particular data items by configuration at DLS
• Disable User access to configuration menus
• Disable access to diagnostic data if needed to comply with the customer's security policy
• Advise users to lock their phone if they leave it unattended and do not wish their conversation list to be seen by others
• On CP400/600 HFA only, if system-based Phone Lock is required in preference to the local Phone Lock, disable the local lock
References:
See Chapter 6.2 for password and PIN policy
See Phone Administration Manual, chapter on Security -> Password Policy
Needed Access Rights: Admin Access
Applicable: CP20X/400/600 SIP; CP20X/400/600 HFA
Executed (SIP / HFA):
Setup Generic User Password Policy: SIP Yes: [ ] No: [ ] / HFA Yes: [ ] No: [ ]
Setup User Password Policy: SIP Yes: [ ] No: [ ] / HFA Yes: [ ] No: [ ]
Disable Local Lock if using system-based Lock in preference (CP400/600 only): SIP: Not available / HFA Yes: [ ] No: [ ] Not applicable: [ ]
Customer Comments and Reasons. If some measures are not executed then please explain here:
"Secure mode" offers mutual authentication between DLS and the phone. The connection between DLS and phone is only established once the DLS has successfully authenticated the phone and vice versa. Secure mode with or without PIN (Personal Identification Number) is set by the DLS. The PIN has to be entered at the phone when requested. "Secure mode with PIN" protects the transfer of the key material and should be preferred. Using secure mode without PIN may allow an attacker to capture the key material and thereby gain unauthorized access to the DLS and the phone.
Prerequisites for the usage of the secure mode are the following:
• Customer-specific key material has to be created, e.g. with the customer's own CA, with OpenSSL or with another tool. Provided by the customer.
• The key material is distributed by DLS to phones in default mode (in the customer network or pre-configured). The distribution of keys and certificates via DLS (Deployment Service) is described in the Deployment Service Admin Guide, chapter "Automatic Certificate Deployment".
• Both the phones and the DLS have to be set to "secure mode". How to configure the secure mode for the phone is described in "IP Device Configuration".
CL-Secure Software Deployment and File Download
Measure:
• Configure download of software deployment and of files such as screensavers or ringtones to use HTTPS
• Install the HTTPS server CA certificate and an HTTPS phone client certificate in the phone
• The HTTPS certificate policy needs to be set to Trusted or Full
• OCSP checking of the certificate will ensure that the certificate from the HTTPS server has not been revoked
References:
See Chapter 6.3 for Certificate Handling
See Phone Administration Manual, chapters on Security -> Certificate Policy and Transferring Phone Software -> Download / Update Phone Software
See DLS manual Configuration & Update Service (DLS) for installing certificates
Needed Access Rights: Admin Access
Applicable: CP20X/400/600 SIP and CP20X/400/600 HFA
Executed:
Configure phones to use HTTPS for software and file download: Yes: [ ] No: [ ]
CL-Secure Passwords
Measures:
• Set the Generic Password Policy
• Set the Admin Access password policy
• Set the User Access password policy
• Set a secure Admin password
• Set an individual secure User password for each phone
References:
See Chapter 6.2 for password and PIN policy
See Phone Administration Manual, chapter on Security -> Password Policy
Needed Access Rights: Admin Access
Applicable: CP20X/400/600 SIP and CP20X/400/600 HFA
Executed:
Setup Generic Password Policy: Yes: [ ] No: [ ] Partly: [ ]
Digest Authentication can be used without secure signalling over TLS: the password itself is never sent, only a digest derived from it is transmitted. Nevertheless, the use of TLS signalling is strongly recommended to secure the signalling as a whole. TLS also allows the phone to authenticate the SIP server (see chapter 4.5.1).
Digest Authentication must be configured on the SIP server before setting up the phone. Please see the Security Checklist for the SIP server.
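The challenge/response exchange described above, worked through from both the phone and the SIP server side as an added example (this is not code from this document or from Unify; the user name, realm, password and URI are constructed values). It shows that only a digest crosses the wire, why the server nonce must be single-use, and what an observer on an unencrypted link can and cannot learn.

```python
"""SIP Digest Authentication (RFC 2617 style, MD5) from both sides of the
exchange. Added example; not code from the Unify document. The user name,
realm, password and URI are constructed sample values."""
import hashlib
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(user: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """Digest 'response' value the phone puts in its Authorization header.
    HA1 binds the password to the realm, HA2 binds the request method and
    URI, and the server nonce makes every response unique. Only this hash
    is transmitted; the password never leaves the phone."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class SipRegistrar:
    """Minimal SIP server (UAS) side: issues a fresh nonce per challenge,
    verifies the phone's response and refuses a nonce that was used before."""

    def __init__(self, realm: str, credentials: dict):
        self.realm = realm
        self.credentials = credentials   # user -> password (constructed store)
        self.outstanding = set()         # nonces issued but not yet consumed

    def challenge(self) -> dict:
        """Parameters of the 401 Unauthorized / WWW-Authenticate header."""
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return {"realm": self.realm, "nonce": nonce}

    def verify(self, auth: dict) -> bool:
        """Check an Authorization header. A nonce is consumed on first use,
        so a captured header replayed later is rejected even though the
        digest inside it is valid."""
        nonce = auth.get("nonce")
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        password = self.credentials.get(auth.get("username"))
        if password is None:
            return False
        expected = digest_response(auth["username"], self.realm, password,
                                   auth["method"], auth["uri"], nonce)
        return secrets.compare_digest(expected, auth["response"])


def register(user: str, password: str, registrar: SipRegistrar,
             uri: str = "sip:registrar.example.net") -> tuple:
    """Phone (UAC) side: the first REGISTER is answered with a challenge,
    the second REGISTER carries the digest. Returns the header the phone
    sent (what an observer on the LAN would see) and the server's verdict."""
    chal = registrar.challenge()
    auth = {
        "username": user, "realm": chal["realm"], "nonce": chal["nonce"],
        "uri": uri, "method": "REGISTER",
        "response": digest_response(user, chal["realm"], password,
                                    "REGISTER", uri, chal["nonce"]),
    }
    return auth, registrar.verify(auth)


def demo() -> dict:
    """Run the exchange with constructed credentials and report each check.
    Note what Digest alone does not give you: the challenge is not
    authenticated (the phone cannot tell a genuine server from an impostor)
    and a captured exchange can be guessed against offline if the password
    is weak. That is why the checklist pairs Digest with TLS signalling and
    a password policy."""
    registrar = SipRegistrar("example.net", {"3001": "Tr0ub4dor&3"})
    sent, accepted = register("3001", "Tr0ub4dor&3", registrar)
    return {
        "accepted": accepted,                              # True
        "password_on_wire": "Tr0ub4dor&3" in str(sent),    # False
        "replay_accepted": registrar.verify(sent),         # False, nonce consumed
        "wrong_password_accepted": register("3001", "guess", registrar)[1],  # False
    }


if __name__ == "__main__":
    print(demo())
```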
CL-Secure Phone Authentication on SIP Server
Measure:
• Set up Digest Authentication User ID and Password
References:
See Phone Administration Manual, chapter on System Settings -> SIP Registration
Needed Access Rights: Admin Access
Applicable: CP20X/400/600 SIP only. Not CP20X/400/600 HFA.
Executed:
Set SIP Authentication User ID and Password in the phone: Yes: [ ] No: [ ]
Customer Comments / Reasons:
If the SIP server mutually authenticates the phone, a phone client certificate must be installed on
the phone using the DLS.
CL-SIP Secure Signalling
Measure:
• Configure use of TLS on the SIP server and install server certificates
• Configure TLS on the phone; the port will need to be set to 5061
• Install the SIP server CA certificate on the phone using DLS
• If mutual authentication by the SIP server is required, install a phone client certificate on the phone using DLS
• Configure the TLS certificate validation policy to Trusted or Full; Full is recommended
• Configure OCSP checking to allow revocation checking of the SIP server certificate
• Configure the Backup proxy address 0.0.0.0
References:
See Chapter 6.3 for Certificate Handling
See Phone Administration Manual, chapter on Security -> Certificate Policy
See DLS manual Configuration & Update Service (DLS) for installing certificates
See Phone Administration Manual, chapter on System Settings -> SIP Addresses and Ports
Needed Access Rights: Admin Access
Applicable: CP20X/400/600 SIP only. Not CP20X/400/600 HFA.
Executed:
Set Signalling Transport to TLS: Yes: [ ] No: [ ]
Configure Backup Proxy address to 0.0.0.0: Yes: [ ] No: [ ]
NOTE: The hardening measures to secure signalling to the SIP server will also secure signalling
to the CSTA server (see chapter 4.7.9)
CL-Secure Calls
Measure:
• Configure Secure Calls
• Configure the key exchange protocol (SDES or MIKEY)
• If using SDES, configure the parameters for SDES
References:
See Phone Administration Manual, chapter on Security -> Speech Encryption
Needed Access Rights: Admin Access
Applicable: CP20X/400/600 SIP only. Not CP20X/400/600 HFA.
Executed:
Configure Secure Calls (1): Yes: [ ] No: [ ]
CL – HFA Authenticate Gateway
Executed:
Install appropriate certificates on the HFA Gateway: Yes: [ ] No: [ ]
Install TLS certificates on the phone using DLS: Yes: [ ] No: [ ]
NOTE: The hardening measures to secure connection to the HFA Gateway will also secure
connection to the Web Services Interface to OpenScape Business (see chapter 4.7.12)
NOTE: The terms “HFA Transport Protocol” and “HFA Backup Transport Protocol” used in the
“HFA Settings” tab on the DLS (See OpenScape Deployment Service Main Menu > IP Devices >
IP Phone Configuration > Signaling and Payload Encryption (SPE)) are equivalent to the terms
“Signalling transport main” and “Signalling transport standby” used in the Administrator settings on
the phone (See System > Security > System)
CL – HFA Activate Signalling and Payload Encryption
Measure:
• Configure use of TLS on the HFA Gateway
• Configure TLS on the phone; the ports will need to be set to 4061 for Cornet TLS and 1300 for H.225 TLS
References:
See Phone Administration Manual, chapter on System Settings -> HFA Addresses and Ports
Needed Access Rights: Admin Access
Applicable: CP20X/400/600 HFA only. Not CP20X/400/600 SIP.
Executed:
Configure use of TLS on the HFA Gateway: Yes: [ ] No: [ ]
4.7.1. PC Port
The PC port allows a LAN cable to be connected directly between the phone and an adjacent PC, thereby using the same LAN connection for both PC and phone at the desk. To prevent unauthorised access to the network using the PC port on the phone, the port should be disabled if not needed.
The default setting for the PC port is disabled, but it should be checked that PC port is disabled on
phones which do not need a local PC connection.
CL-PC Port
Measure:
• Disable PC Port
References:
See Phone Administration Manual, chapter on LAN Settings -> LAN Port Settings
Needed Access Rights: Admin Access
Applicable: CP20X/400/600 SIP and CP20X/400/600 HFA
Executed:
Disable PC Port if not needed by user: Yes: [ ] No: [ ]
NOTE: If PC port is configured as mirror port, signalling and voice of the phone can be sniffed.
The mirror port setting is reserved for technical specialists.
NOTE: Disabling Local Admin Access (see chapter 4.2.1) will also prevent use of the HPT tool.
CL-HPT Connection
Measure:
• Disable CCE access
References:
See Phone Administration Manual, chapter on Security -> Access Control
Needed Access Rights: Admin Access
Applicable: CP20X/400/600 SIP and CP20X/400/600 HFA
Executed:
Disable CCE access if not needed for HPT: Yes: [ ] No: [ ]
4.7.4. SD Card
The OpenScape Desk Phone CP 600 has an SD card slot to support the usage of standard SD and SDHC cards at default speed. SDXC cards may also be supported provided they are formatted with FAT32.
The default setting for SD slot access is disabled, but it should be checked that SD slot access is
disabled on phones which do not need to use SD cards.
Unify recommends disabling SD slot access if it is not used. This is general security best practice: every unused interface that is switched off reduces the attack surface and the likelihood of successful attacks via as yet unknown vectors.
CL-SD Card
Measures:
• Disable SD slot access
References:
See Phone Administration Manual, chapter on Feature Access
Needed Access Rights: Admin Access
Applicable: CP600 SIP and CP600 HFA only. Not CP20X/400 SIP or CP20X/400 HFA
Executed:
Disable SD slot access if not needed by user for SD card: Yes: [ ] No: [ ]
Customer Comments and Reasons. If some measures are not executed then please explain here:
CL-CSTA Access
If CTI is allowed and Auto Answer is not wanted or used then set Auto Answer to No: Yes: [ ] No: [ ]
Customer Comments and Reasons. If some measures are not executed then please explain here:
CL-Bluetooth
Measure:
• Disable Bluetooth if not used
• Disable Proximity monitoring if not used
• Disable Eddystone beacon if not used
• Disable iBeacon if not used
• Disable Localization client if not used
References:
See Phone Administration Manual, chapter on Bluetooth
See Phone User Guide, chapter on Individual phone configuration -> Bluetooth
Needed Access Rights: Admin Access / User Access
Applicable: CP600 SIP and CP600 HFA only. Not CP20X/400 SIP or CP20X/400 HFA
Executed:
If Bluetooth is not needed then disable it in the Admin menu: Yes: [ ] No: [ ]
If Bluetooth is enabled and proximity monitoring is not needed, inform users to disable proximity monitoring: Yes: [ ] No: [ ]
If Bluetooth is enabled and Eddystone beacon and iBeacon are not needed, inform users to disable beacon: Yes: [ ] No: [ ]
If Bluetooth is enabled and Localization client is not needed then disable Localization client in the Admin menu: Yes: [ ] No: [ ]
Customer Comments and Reasons. If some measures are not executed then please explain here:
NOTE: The CP600 phone has implemented the Apple iBeacon technology according to Release R1 of Apple's Proximity Beacon Specification, dated 2015-09-04. By design, the iBeacon advertisement frame is plainly visible and open to spoofing or hijacking. This is not a security flaw in the iBeacon per se, but application developers must keep this in mind when designing their applications with iBeacons. There is no impact on the phone when iBeacon advertisement frames are spoofed or hijacked; the impact is on the third-party application that uses iBeacon. For further information, refer to https://developer.apple.com/ibeacon.
4.7.7. LDAP
To harden access to the LDAP server:
• simple authentication should be used with a user ID and password configured in the phone
• encrypted LDAP using TLS should be used to prevent data exchanged during an LDAP query being visible on the LAN
• install the LDAP server CA on the phone using the DLS
• configure the LDAP server certificate authentication policy to Trusted or Full; Full is recommended
• configure OCSP checking to allow revocation checking of the LDAP server certificate
CL-Secure Phone Access to LDAP Server
Measure:
• Configure simple authentication with user ID and password
• Configure TLS as transport protocol
• Install the LDAP server CA certificate
• The LDAP server certificate authentication policy needs to be set to Trusted or Full
• OCSP checking of the certificate will ensure that the certificate from the LDAP server has not been revoked
References:
See Phone Administration Manual, chapter on Corporate Phone Book: Directory Settings -> LDAP
Needed Access Rights: Admin Access
Applicable: CP20X/400/600 SIP and CP400/600 HFA only. Not CP20X HFA.
Executed:
Configure Simple Authentication and set the LDAP User ID and Password in the phone: Yes: [ ] No: [ ]
Set LDAP Transport to use TLS: Yes: [ ] No: [ ]
CL-Secure Phone Access to Microsoft® Exchange Server
Measure:
• Install the Exchange Server CA certificate
• The Exchange Server certificate authentication policy needs to be set to Trusted or Full
• OCSP checking of the certificate will ensure that the certificate from the Exchange Server has not been revoked
References:
See Chapter 6.3 for Certificate Handling
See Phone Administration Manual, chapters on Security -> Certificate Policy
See Phone User Guide, chapter on Microsoft® Exchange Server
See DLS manual Configuration & Update Service (DLS) for installing certificates
Needed Access Rights: Admin Access / User Access
Applicable: CP400/600 SIP and CP400/600 HFA only. Not CP20X SIP or CP20X HFA.
Executed:
Install certificate on the phone: Yes: [ ] No: [ ]
• Configuring OCSP checking to allow checking of the SIP server certificate will automatically allow checking of the CSTA server certificate.
The SIP and CSTA server certificates should be signed by the same Certificate Authority (CA) to take advantage of this automatic behaviour.
Should the SIP and CSTA server certificates be signed by different CAs, two separate root CA certificates will need to be installed on the phone: one for the SIP server and the other for the CSTA server.
When these certificates are approaching expiry, new root CA certificates must be installed on the phone before the old ones have expired. The start date of the new certificates must lie before the end date of the expiring certificates, so that there is no interval in which the phone trusts no valid CA and loses its secure connection.
If the CSTA server mutually authenticates the phone, a phone client certificate must be installed on the phone using the DLS.
The same phone client certificate will be used to authenticate the phone to the SIP server if authentication is requested by the SIP server.
These measures are repeated here as a reminder that the same settings apply to both the SIP server and the CSTA server.
Table: Access to CSTA Server
CL-Secure Signalling to the CSTA Server
Measures:
The hardening measures implemented to secure SIP signalling (see chapter 4.5.1):
• Configured SIP Transport Protocol to TLS
• Installed the SIP server CA certificate on the phone using DLS
• Configured the TLS certificate validation policy to Trusted or Full; Full is recommended
• Configured OCSP checking to allow revocation checking of the SIP and CSTA server certificates
• If mutual authentication by the CSTA server is required, install a phone client certificate on the phone using DLS
References:
See the chapter on Certificate Handling (Chapter 6.3).
See Phone Administration Manual, chapter on Security -> Certificate Policy
See DLS manual Configuration & Update Service (DLS) for installing certificates
See Phone Administration Manual, chapter on System Settings -> SIP Transport
See Phone Administration Manual, chapter on System Settings -> Standard CSTA Server Address and Port
Applicable:
Only applicable to IP telephony solutions that consist of a separate uaCSTA registrar server and SIP server which have certificates signed by the same Certificate Authority.
CP20X/400/600 SIP only. Not CP20X/400/600 HFA
Needed Access Rights: Admin Access
Executed:
Signalling Transport set to TLS: Yes: [ ] No: [ ] Not applicable: [ ]
TLS certificate installed on the phone: Yes: [ ] No: [ ] Not applicable: [ ]
Secure SIP Server certificate policy configured: Yes: [ ] No: [ ] Not applicable: [ ]
OCSP check configured: Yes: [ ] No: [ ] Not applicable: [ ]
NOTE: Additional Notes and Hardening Measures: Obtaining Call Logs through XSI Interface
1. As the URI used to select call log entries from the XSI server has the user name embedded in it, it is essential that the XSI server is configured to authenticate the requests, to ensure the call log entries remain confidential to each user.
2. Where there are local privacy issues, the call log feature should be disabled on the XSI server. Any requests from the phone will then result in no call log entries being obtained, because there should be no call log entries on the XSI server.
CL – Secure Phone Access to BroadSoft BroadWorks
Measure:
• Configure simple authentication with username and password
• Install the BroadSoft BroadWorks DMS Server CA certificate
• Install the BroadSoft BroadWorks XSI Server CA certificate
• The BroadSoft BroadWorks DMS Server certificate authentication policy needs to be set to Trusted or Full; Full is recommended
• The BroadSoft BroadWorks XSI Server certificate authentication policy needs to be set to Trusted or Full; Full is recommended
• OCSP checking of the certificate will ensure that the certificates from the BroadSoft BroadWorks DMS and XSI servers have not been revoked
References:
See Chapter 6.3 for Certificate Handling
See Phone Administration Manual, chapters on Security -> Certificate Policy
See Phone User Guide, chapter on BroadSoft BroadWorks
See DLS manual Configuration & Update Service (DLS) for installing certificates
Needed Access Rights: Admin Access
Applicable: CP20X/400/600 SIP only. Not CP20X/400/600 HFA
Executed:
Configure username and password for the BroadSoft BroadWorks DMS and XSI servers: Yes: [ ] No: [ ]
Install certificates on the phone using the DMS: Yes: [ ] No: [ ]
Configure OCSP checking: Yes: [ ] No: [ ]
CL – Secure Phone Access to Circuit by Unify Server
Measure:
• Install the Circuit by Unify Server CA certificate
• The Circuit Server certificate authentication policy needs to be set to Trusted or Full
• OCSP checking of the certificate will ensure that the certificate from the Circuit Server has not been revoked
References:
See Chapter 6.3 for Certificate Handling
See Phone Administration Manual, chapters on Security -> Certificate Policy
See Phone User Guide, chapter on Circuit by Unify Server
See DLS manual Configuration & Update Service (DLS) for installing certificates
Needed Access Rights: Admin Access / User Access
Applicable: CP400/600 SIP and CP400/600 HFA only. Not CP20X SIP or CP20X HFA.
Executed:
Install certificate on the phone using the DLS: Yes: [ ] No: [ ]
Configure OCSP checking: Yes: [ ] No: [ ]
The same phone client certificate will be used to authenticate the phone to the Web Services Interface if authentication is requested by the Web Services Interface.
In addition to downloading certificates onto the phone and configuring the validation policy and OCSP checking:
• To provide secure communication between the phone and the UC server, the protocol HTTPS should be used.
CL-Secure Signalling to the Web Services Interface
Measures:
The measures implemented to harden the HFA Gateway (see chapter 4.6.1):
• Installed the HFA Gateway CA certificate on the phone using DLS
• Configured the TLS certificate validation policy to Trusted or Full; Full is recommended
• Configured OCSP checking to allow revocation checking of the HFA Gateway certificate
• If mutual authentication by the HFA Gateway is required, install a phone client certificate on the phone using DLS
In addition:
• Configure phones to use HTTPS for the UC Server Protocol
• Configure phones with the OpenScape Business Web Services server and port addresses
• Confirm that the default configuration on OpenScape Business, which blocks HTTP connections, has not been overridden
References:
See Chapter 6.3 for Certificate Handling.
See Phone Administration Manual, chapter on Security -> Certificate Policy
See DLS manual Configuration & Update Service (DLS) for installing certificates
Applicable: CP400/600 HFA only. Not CP20X/400/600 SIP. Not CP20X HFA.
Needed Access Rights: Admin Access
Executed:
TLS certificate installed on the phone: Yes: [ ] No: [ ] Not applicable: [ ]
Secure HFA Gateway authentication policy configured: Yes: [ ] No: [ ] Not applicable: [ ]
OCSP check configured: Yes: [ ] No: [ ] Not applicable: [ ]
CL-Enable 802.1x
Measures:
• Configure 802.1x options
• Install certificates onto the phone
• Check that the 802.1x certificate policy is Trusted
• Set MSCHAP ID and password for PEAP mode
References:
See IEEE 802.1x Configuration Management and DLS Certificate Management for 802.1x
Needed Access Rights: Admin Access
Applicable: CP20X/400/600 SIP and CP20X/400/600 HFA
Executed:
Configure 802.1x options: Yes: [ ] No: [ ]
5. Administration
CL-Serial Interface Access
Measure:
• Set serial interface to Unavailable
References:
See Phone Administration Manual, chapter on Security -> Access Control
Needed Access Rights: Admin Access
Applicable: CP20X/400/600 SIP and CP20X/400/600 HFA
Executed:
Set Serial Port access to Unavailable: Yes: [ ] No: [ ]
CL-Web Access
Measure:
• Disable WBM access
• Install Customer generated Web Server Certificate (see note below)
References: See Phone Administration Manual chapter on Security -> Access Control.
See DLS manual Configuration & Update Service (DLS) for installing certificates.
Needed Access Rights: Admin Access
Applicable: CP20X/400/600 SIP and CP20X/400/600 HFA
Executed:
Disable WBM access if not needed: Yes: No:
NOTE: The default Web Server certificate provided on the phone is signed using SHA-1. From Q1 2017, the three main web browsers (Internet Explorer, Chrome and Firefox) will introduce functionality to their applications that will start impairing access to certificates that use SHA-1. Initially, they will ask the user to acknowledge that WBM access may not be secure and it is very possible that at some time the browsers will raise the bar further and block access completely. This functionality is not an issue when WBM has been disabled or customer generated certificates signed using SHA-2 have been downloaded to the phone. For further information, refer to Unify
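A quick way to verify the note above on a phone that keeps WBM enabled is to look at the signature algorithm of the certificate the phone presents on its HTTPS port. The following is an added example, not Unify code or part of this guide: it takes a PEM certificate (for instance one exported from a browser or saved with `openssl s_client`), walks the outer DER structure with a minimal ASN.1 reader from the standard library only, and reports whether the signature algorithm is one browsers no longer accept. The `make_sample_pem()` helper builds a constructed, certificate-shaped skeleton with a dummy signature purely so the check can be exercised offline; it is not a real certificate and the OID table only covers the algorithms commonly seen on device web servers.

```python
# Added example (not Unify code): read the signatureAlgorithm OID of an X.509
# certificate from its DER encoding and flag SHA-1/MD5 signatures.
import base64

# Algorithm OID -> (name, flagged as weak). Unknown OIDs are flagged for manual review.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}

def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Turn OBJECT IDENTIFIER content bytes into dotted form (base-128 arcs)."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear = last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def pem_to_der(pem):
    """Strip the PEM armour lines and base64-decode the body."""
    body = ""
    for line in pem.splitlines():
        line = line.strip()
        if line and not line.startswith("-----"):
            body += line
    return base64.b64decode(body)

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)       # AlgorithmIdentifier SEQUENCE
    tag, oid_bytes, _ = _read_tlv(sig_alg, 0)  # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(oid_bytes)

def check_wbm_certificate(pem):
    """Return {'oid', 'algorithm', 'weak'} for the certificate's signature algorithm."""
    oid = signature_algorithm_oid(pem_to_der(pem))
    name, weak = SIGNATURE_OIDS.get(oid, ("unknown " + oid, True))
    return {"oid": oid, "algorithm": name, "weak": weak}

# --- constructed sample data: a certificate-shaped skeleton, not a real certificate ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(reversed(chunk))
    return out

def make_sample_pem(sig_oid):
    """Build a minimal DER blob with the outer Certificate layout and the given signature OID."""
    alg_id = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + alg_id)   # serialNumber + signature field only
    sig_value = _tlv(0x03, b"\x00" + bytes(32))     # BIT STRING with dummy content
    b64 = base64.b64encode(_tlv(0x30, tbs + alg_id + sig_value)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(check_wbm_certificate(make_sample_pem(oid)))
```

On a real export, call `check_wbm_certificate(open("phone.pem").read())`; a result with `weak` set to True means the phone still presents the SHA-1 signed default certificate and the customer certificate from the CL above has not been installed.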
CL-SNMP Access
Measure:
• Disable SNMP if not used
• If SNMP is used, then set the SNMP community strings for query, trap and diagnostic trap (QDC)
References: See Phone Administration Manual chapter on IP Network Parameter -> SNMP
Needed Access Rights: Admin Access
Applicable: CP20X/400/600 SIP and CP20X/400/600 HFA
Executed:
Disable SNMP if not used: Yes: No:
5.5 Diagnostics
Trace data logging can be done either locally on the phone or to a remote server. The remote trace is done using the standard remote syslog function. This is transmitted in clear text, and to prevent unwanted disclosure of information:
• Disable Remote trace if not needed
• Enable the Remote Trace User Notification function
Remote diagnostic access is available using the HPT tool. Remote service access for the HPT tool is allowed when local Admin access and the CCE interface are both enabled. To prevent unwanted access the CCE interface should be disabled. This needs to be done after each diagnostic session where HPT is used.
NOTE: Disabling Local Admin Access (see chapter 4.2.1) will also prevent access for the HPT tool.
NOTE: Disabling CCE Interface (see chapter 4.7.2) will also prevent access for the HPT tool.
CL-Diagnostic Access
Measure:
• Disable the remote trace facility (only needed for debug/service fault finding)
• Enable the Remote Trace User Notification function
• Disable CCE interface (see chapter 4.6.2)
References: See Phone Administration Manual chapter on Diagnostics -> Remote Tracing - Syslog, and Diagnostics -> HPT Interface
Needed Access Rights: Admin Access
Applicable: CP20X/400/600 SIP and CP20X/400/600 HFA
Executed:
Set remote trace status to OFF: Yes: No:
CL-SSH Interface Access
Measure:
• Disable SSH Interface Access using DLS
References: See Phone Administration Manual chapter on SSH - Secure Shell Access
Needed Access Rights: Admin Access
Applicable: CP20X/400/600 SIP and CP20X/400/600 HFA
Executed:
Set secure shell allowed to OFF (via DLS only): Yes: No:
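The Administration CLs above (serial interface, WBM, SNMP, diagnostics, SSH), together with the certificate policy and OCSP items from the signalling CLs, are the kind of checklist that is easiest to keep honest when it is expressed as code and run against an exported settings snapshot. The following is an added example, not a Unify tool: the two settings dicts are constructed, and their key names and values are assumptions of this example, not the DLS or WBM export format. The "unhardened" snapshot only mirrors what this guide states about defaults (certificate policy None except 802.1x Trusted, SHA-1 signed WBM certificate); the remaining values are chosen to exercise every check.

```python
# Added example (not Unify code): audit a constructed phone settings snapshot
# against the checklist items. Key names below are assumptions, not DLS fields.

DEFAULT_COMMUNITIES = {"", "public", "private"}   # community strings that must never stay in use

def audit_phone(cfg):
    """Return a list of (checklist item, finding) for every setting that fails a CL."""
    findings = []

    if cfg.get("serial_interface") != "unavailable":
        findings.append(("CL-Serial Interface Access", "serial interface is not set to Unavailable"))

    if cfg.get("wbm_access") == "enabled":
        findings.append(("CL-Web Access", "WBM access enabled; disable it if not needed"))
        if cfg.get("wbm_cert_signature", "sha1") == "sha1":
            findings.append(("CL-Web Access", "WBM presents the default SHA-1 signed certificate; "
                                              "install a customer certificate signed with SHA-2"))

    snmp = cfg.get("snmp", {})
    if snmp.get("enabled"):
        for role in ("query", "trap", "qdc"):            # query, trap and diagnostic trap (QDC)
            if snmp.get(role + "_community", "") in DEFAULT_COMMUNITIES:
                findings.append(("CL-SNMP Access", f"SNMP {role} community string is default or empty"))

    if cfg.get("remote_trace") == "on":
        findings.append(("CL-Diagnostic Access", "remote trace (cleartext syslog) is ON"))
    if cfg.get("remote_trace_user_notification") != "on":
        findings.append(("CL-Diagnostic Access", "Remote Trace User Notification is not enabled"))
    if cfg.get("cce_interface") == "enabled":
        findings.append(("CL-Diagnostic Access", "CCE interface enabled; HPT remote access "
                                                 "is possible while local Admin access is on"))

    if cfg.get("ssh_allowed") == "on":
        findings.append(("CL-SSH Interface Access", "SSH interface access is allowed"))

    for purpose, level in cfg.get("cert_policy", {}).items():
        if level == "none":
            findings.append(("CL-Certificate Checking", f"certificate policy for {purpose} is None; "
                                                        "set to Trusted or Full (Full recommended)"))
    if cfg.get("ocsp_check") != "on":
        findings.append(("CL-Secure Signalling", "OCSP revocation checking is off"))

    return findings

# Constructed snapshots (assumed key names). UNHARDENED fails every item; HARDENED passes all.
UNHARDENED = {
    "serial_interface": "available",
    "wbm_access": "enabled",
    "wbm_cert_signature": "sha1",
    "ssh_allowed": "on",
    "snmp": {"enabled": True, "query_community": "public",
             "trap_community": "public", "qdc_community": "private"},
    "remote_trace": "on",
    "remote_trace_user_notification": "off",
    "cce_interface": "enabled",
    "cert_policy": {"https_file_transfer": "none", "sip_signalling": "none", "802_1x": "trusted"},
    "ocsp_check": "off",
}
HARDENED = {
    "serial_interface": "unavailable",
    "wbm_access": "disabled",
    "ssh_allowed": "off",
    "snmp": {"enabled": False},
    "remote_trace": "off",
    "remote_trace_user_notification": "on",
    "cce_interface": "disabled",
    "cert_policy": {"https_file_transfer": "full", "sip_signalling": "full", "802_1x": "trusted"},
    "ocsp_check": "on",
}

if __name__ == "__main__":
    for name, cfg in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(f"{name}: {len(audit_phone(cfg))} finding(s)")
        for item, text in audit_phone(cfg):
            print(f"  {item}: {text}")
```

Each finding names the CL it belongs to, so the output can be pasted straight into the "Executed: Yes/No" columns of the checklist; an empty list for a snapshot means every item in this section is in the hardened state.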
6. Addendum
NOTE: *OpenScape Desk Phone CP Phones have a single configuration for both passwords and PINs. A PIN is a numeric-only password and will use the same policy as configured for a password where possible.
The CLs for those functions which make use of certificates detail the actions needed to set up the certificates for that function.
6.3.1.1. Credentials used for OpenScape Desk Phone CP SIP and OpenScape Desk Phone CP HFA
CL – Certificate Checking
Measure: The level of validation that is done on certificates received by the phone is configurable. The validation levels available are:
• None
• Trusted – only certain aspects of the received certificate are checked
• Full – all aspects of the received certificate are checked
The default setting is “None” except for the 802.1x certificate, which has the default “Trusted”.
References: See Phone Administration Manual chapter on Security -> Certificate Policy
Needed Access Rights: Admin Access
Applicable: CP20X/400/600 SIP and CP20X/400/600 HFA
Executed (SIP / HFA):
Set authentication policy for https secure file transfer: SIP: Yes: No: | HFA: Yes: No:
Set authentication policy for secure SIP signalling: SIP: Yes: No: | HFA: Not available
Set authentication policy for secure HFA gateway: SIP: Not available | HFA: Yes: No:
Set authentication policy for secure SendURL: SIP: Yes: No: | HFA: Not available
Set authentication policy for 802.1x: SIP: Yes: No: | HFA: Yes: No:
7. References
[1] OpenScape Desk Phone CP SIP and OpenScape Desk Phone CP HFA administrator documentations (e-Doku or Portal / product information)
[2] VoIP security, http://wiki.unify.com/index.php/VoIP_Security
[3] DLS – Certificate Management for 802.1x / EAP-TLS, http://wiki.unify.com/images/a/ae/DLS_-_Certificate_Management_for_802_1x.pdf
[4] OpenStage and Desk Phone IP - Provisioning Interface, http://wiki.unify.com/images/c/c7/OpenStage_Provisioning_Interface_Developer%27s_Guide.pdf
[5] Interface Management Database (IFMDB), available via Unify Partner Portal, http://www.unify.com/us/partners/partner-portal.aspx
[6] Security Policy – Vulnerability Intelligence Process, http://networks.unify.com/security/advisories/Security_Policy_Vulnerability_Intelligence_Process.pdf
[7] Center for Internet Security – Security Benchmarks, https://benchmarks.cisecurity.org/en-us/?route=downloads.multiform
[8] OpenScape Business Interfaces – Protocols – Web Services Interface (HTTP/HTTPS), http://wiki.unify.com/wiki/OpenScape_Business_Interfaces#Web_Services_Interface_.28HTTP_.2F_HTTPS.29