Grandstream Networks GRP26 Series Security Manual

Grandstream Networks, Inc.
GRP26XX Series
Security Manual

Summary of Contents for Grandstream Networks GRP26 Series

  • Page 1 Grandstream Networks, Inc. GRP26XX Series Security Manual...
  • Page 2: Table Of Contents

    Table of Contents: OVERVIEW (3); WEB UI/SSH ACCESS (4): Web UI Access (4), Web UI Access Protocols (4), Admin Login (5), User Management Levels (6); SECURITY FOR SIP ACCOUNTS AND CALLS (8): Protocols and Ports (8), Anonymous/Unsolicited Calls Protection...
  • Page 3 Table of Figures: Figure 1: Web UI Access Settings (4); Figure 2: Web UI Login (5); Figure 3: Change Password on First Boot (5); Figure 4: Change Admin Level Password (6); Figure 5: Change User Level password (7); Figure 6: Configure TLS as SIP Transport...
  • Page 4: Overview

    This document is subject to change without notice. Reproduction or transmittal of the entire or any part, in any form or by any means, electronic or print, for any purpose without the express written permission of Grandstream Networks, Inc. is not permitted.
  • Page 5: Web Ui/Ssh Access

    WEB UI/SSH ACCESS Web UI Access The GRP embedded web server responds to HTTP/HTTPS GET/POST requests. Embedded HTML pages allow users to configure the device through a web browser such as Microsoft IE, Mozilla Firefox, or Google Chrome. With this, administrators can access and configure all available GRP information and settings.
  • Page 6: Admin Login

    Admin Login A username and password are required to log in to the GRP’s web UI. Figure 2: Web UI Login The factory default username for administrator level is “admin” and the default password is a random password available on the sticker at the back of the unit. Changing the default password at first login is highly recommended.
  • Page 7: User Management Levels

    Figure 4: Change Admin Level Password The password length must be between 6 and 25 characters. A strong password with a combination of numbers, uppercase letters, lowercase letters, and special characters is always recommended for security purposes. User Management Levels Two user privilege levels are currently supported: Admin •...
  • Page 8: Figure 5 : Change User Level Password

    Figure 5: Change User Level password
  • Page 9: Security For Sip Accounts And Calls

    SECURITY FOR SIP ACCOUNTS AND CALLS Protocols and Ports By default, after a factory reset, all the accounts are active. Knowing the default local SIP port (Account1: 5060; Account2: 5062 …), users can make direct IP calls even if the accounts are not registered to any PBX. Therefore, it is recommended to disable the unused ports.
  • Page 10: Anonymous/Unsolicited Calls Protection

    When SIP TLS is used, the GRP also offers additional configurations: - Validate Server Certificates: This feature allows users to validate server certificates with our trusted list of TLS connections - Trusted CA Certificates: Uses the certificate for Authentication Figure 8: Additional SIP TLS Settings Local SIP port when using UDP/TCP: •...
  • Page 11: Figure 10 : Settings To Block Anonymous Call

    Additional SIP security settings: • Under Web GUI → Account X → SIP Settings → Security Settings: Accept Incoming SIP from Proxy Only: Set “Yes” to force the GRP to check the SIP address of the Request URI in the incoming SIP message; if it doesn't match the SIP server address of the account, the call will be rejected.
  • Page 12: Srtp

    SRTP To protect voice communication from eavesdropping, the GRP supports SRTP for media traffic using AES 128 and 256. It is recommended to use SRTP if it’s supported by the SIP server (or the service provider). SRTP can be configured under Web GUI → Account X → Audio Settings. Figure 11: SRTP Settings Selects the SRTP mode (“No”, “Enabled but not forced”, “Enabled and forced”, or “Optional”).
  • Page 13: Security For Grp Services

    SECURITY FOR GRP SERVICES Firmware Upgrade and Provisioning The GRP IP Phones support downloading configuration files via TFTP, HTTP/HTTPS, FTP/FTPS. The figure below shows the related options under Web GUI → Maintenance → Upgrade and Provisioning Figure 13: Upgrade and Provisioning
  • Page 14 We recommend that users consider the following options for added security when deploying the GRP with provisioning. Upgrade Via: HTTPS: By default, HTTPS is selected. This is recommended so the traffic is encrypted while travelling through the network. HTTP/HTTPS/FTP/FTPS User Name and Password: This can be set up as required on the provisioning server when HTTP/HTTPS/FTP/FTPS is used.
  • Page 15: Figure 14 : Tr-069 Connection Settings

    • CPE SSL Certificate: Configures the Cert File for the ATA to connect to the ACS via SSL. • CPE SSL Private Key: Specifies the Cert Key for the ATA to connect to the ACS via SSL. Figure 14: TR-069 Connection Settings
  • Page 16: Syslog

    Syslog The GRP supports sending Syslog to a remote syslog server. By default, it’s sent via UDP and we recommend changing it to “SSL/TLS” so the syslog messages containing device information will be sent securely over a TLS connection. Figure 15: Syslog Protocol
  • Page 17: Security Guidelines For Grp Deployment

    SECURITY GUIDELINES FOR GRP DEPLOYMENT GRP phones are often deployed behind NAT. The network administrator can consider the following security guidelines for the GRP to work properly and securely. • Turn off SIP ALG on the router: On the customer’s router, it’s recommended to turn off SIP ALG (Application Layer Gateway). SIP ALG is common in many routers and is intended to prevent some problems caused by router firewalls by inspecting VoIP packets and modifying them if necessary.
  • Page 18 • Use HTTPS for web UI access: GRP Web UI access should be protected with a strong administrator password in addition to using HTTPS. Also, do not expose the GRP web UI to the public network for normal usage. • Use HTTPS for firmware downloading and config file downloading...
