Security Best Practices; Table 2-1: Settings To Review And Verify To Reduce Risk Of Unauthorized Access To Critical Infrastructure Equipment - Emerson Liebert Intellislot Unity Card User Manual

Web, snmp, modbus, bacnet, ydn23

2.5 Security Best Practices

The default settings on the Unity card support a fast installation and start-up to get basic communication
services up and running quickly. Proper security of critical infrastructure equipment requires proper
configuration of ALL communication services. This section summarizes the settings to examine to reduce
the risk of unauthorized access to critical infrastructure equipment through a Unity card.

Table 2-1 provides a list of items to review. Review each item, configure it based on the operational
needs for managing the equipment, and verify that the settings support the desired operational
functionality without adding unnecessary or unauthorized access to critical infrastructure equipment. A
reference to the section of this document that describes how to configure each item is provided.

Table 2-1 Settings to review and verify to reduce risk of unauthorized access to critical infrastructure equipment

| Item | Description | Reference |
|---|---|---|
| Accounts & Passwords | Change the admin and user account names and passwords immediately to eliminate default credential access. | 2.2 - Change User Names and Passwords Immediately |
| IP Network Access | Enable/disable IPV4 and IPV6 network access to the Unity Card - disable unused network access. | 2.3 - Configure the Card |
| Telnet Access | Enable/disable telnet access for diagnostic and configuration support - disable when not in use. | 5.4.3 - Configuration—Network Folder |
| Web Service Protocol | Select HTTPS to use SSL encryption when accessing data through the web user interface. | 5.4.4 - Configuration—Web Server Folder |
| SSL Certificates | When using HTTPS, install your own SSL Certificates from a trusted certificate authority or generate alternative self-signed certificates. | 5.4.4.1 - Certificate |
| Password Protect Web Access | Enable to require users to login before any device information is displayed to the user. | 5.4.4 - Configuration—Web Server Folder |
| Remote Write Web Access | Disable to require all updates to the device and card be made through a local interface, via an Autoconfiguration connection with a PC directly connected to the Unity card or through the device's local user interface display (if available). WARNING! - Only disable this if you are absolutely sure that you do not need to administer the managed device or the Unity card through a remote web browser session. | 5.4.4 - Configuration—Web Server Folder |
| Communication Protocols | Enable/disable BACnet, Modbus, SNMP, and YDN23 protocols - disable any that are unused. | 3.0 - Enable Communication Protocols |
| BACnet Settings | Set Managed Device Write Access to Read-Only to prevent changes to the device through the BACnet interface. | 3.1.2 - Enable BACnet Protocol |
| Modbus Settings | Set Managed Device Write Access to Read-Only to prevent changes to the device through the Modbus interface; Select the appropriate option for Limit Network Access Type to restrict which systems may request Modbus data from the device - access may be open to any system, limited to those on the same subnet as the device, or limited to only those from systems on a Trusted IP Address List. | 3.1.1 - Enable Modbus Protocol |
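
One way to carry out the verification step for the Telnet, Web Service Protocol and Modbus rows of Table 2-1 from a given workstation, as an added example that is not part of the manual or Emerson's own tooling. The port numbers are the standard defaults and the policy is constructed for illustration; both are assumptions to adjust to your installation.

```python
import socket
import sys

# Assumption: the card's services listen on the standard TCP ports.
# Change these if the ports were reassigned in the card's configuration.
PORTS = {"telnet": 23, "http": 80, "https": 443, "modbus_tcp": 502}

# Constructed policy for a workstation that should reach only the HTTPS UI.
# True = must be reachable from here, False = must not be.
POLICY = {"telnet": False, "http": False, "https": True, "modbus_tcp": False}


def tcp_open(host, port, timeout=2.0):
    """Return True if host:port accepts a TCP connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered, timed out, unreachable
        return False


def audit_exposure(host, policy=POLICY, ports=PORTS, probe=tcp_open):
    """Return (service, port, expected, observed) for every policy mismatch."""
    findings = []
    for service, expected in sorted(policy.items()):
        observed = probe(host, ports[service])
        if observed != expected:
            findings.append((service, ports[service], expected, observed))
    return findings


def main(argv):
    if len(argv) != 2:
        print("usage: audit.py <card-address>")
        return 2
    findings = audit_exposure(argv[1])
    for service, port, expected, observed in findings:
        want = "reachable" if expected else "closed"
        got = "reachable" if observed else "closed"
        print(f"MISMATCH {service} tcp/{port}: expected {want}, observed {got}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A reachable port shows only that the card accepts the connection, so account names, passwords, Read-Only write access and certificate settings still have to be checked in the card's configuration. SNMP and BACnet/IP normally run over UDP and are not covered by this TCP check.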