Provisioning via Configuration File
Firmware Upgrading
TR-069
FTP Server
ADB Service
LDAP
Syslog
SECURITY GUIDELINES FOR GAC2500 DEPLOYMENT
GAC2500 Security Guide...
SSH access is supported mainly for troubleshooting purposes, and it’s recommended to disable it in normal usage.
• Device Control Security: The GAC2500 has multiple ways to limit the use of network settings, apps, and other settings if they are not necessary for the end user.
• Security for SIP Accounts and Calls: The SIP accounts use specific ports for signaling and media stream transmission.
Web UI Access Protocols
HTTP and HTTPS are supported to access the GAC2500 web UI and can be configured under web UI → Maintenance → Security Settings. To secure transactions and prevent unauthorized access, it is highly recommended to: 1.
A username and password are required to log in to the GAC2500 web UI.
Figure 2: GAC2500 Web UI Login
The factory default username is “admin” and the default password is “admin”. The GAC2500 web UI requires the default password to be changed at first login.
Grandstream support needs it for troubleshooting purposes. SSH access on the GAC2500 is enabled by default on port 22. It’s recommended to disable it during normal daily usage. If SSH access needs to be enabled, changing it to a port other than the well-known port 22 is good practice.
DEVICE CONTROL SECURITY
From GAC2500 web UI → Maintenance → Security Settings, the administrator can set whether the user can use specific features:
Figure 5: Limit Access to Advanced Settings on LCD
Configuration via Keypad Menu: This option configures access to the keypad Menu settings on the Settings interface of the phone. It is recommended to use “Constraint Mode”...
The tool generates a file “GAC2500cust”, which should be uploaded to an HTTP/TFTP server. Then the user needs to configure the server address as the GUI Customization File URL under web UI → Maintenance → Upgrade → Cust Config Server Path to download the file to the GAC2500.
Figure 6: Cust File Provision Page
For more details, please refer to the guide: http://www.grandstream.com/tools/gac2500_gui_customization_guide.pdf...
UI → Account → General Settings → Account Active to deactivate account 1. Below are the ports/protocols used on GAC2500 SIP accounts. GAC2500 supports up to 6 SIP accounts. •...
These settings can be found under web UI → Account → Account x → SIP Settings.
Check Domain Certificate: If enabled, the GAC2500 will check the domain certificate when TLS/TCP is used for SIP transport. The default setting is “No”.
Validate Certification Chain: If enabled, the GAC2500 will validate the server’s certification chain when TLS/TCP is used for SIP...
The valid range is from 1024 to 65400.
Anonymous/Unsolicited Calls Protection
If the user would like to have anonymous calls blocked, go to GAC2500 web UI → Account → Account x → Call Settings and enable the option “Reject Anonymous call”. This will automatically block the SIP call if the caller ID is anonymous.
Check SIP User ID for Incoming INVITE: This configures the GAC2500 to check the SIP User ID in the Request URI of the SIP INVITE message from the remote party. If it doesn't match the phone's SIP User ID, the call will be rejected. The default setting is “No”.
Users can add a VPN using different protocols (PPTP, L2TP/IPSec PSK, L2TP/IPSec RSA, IPSec Xauth PSK, IPSec Xauth RSA and IPSec Hybrid RSA). VPN settings can be configured from GAC2500 LCD Settings → Advanced settings → Wireless & network → VPN; tap on "Add VPN file" to access...
The GAC2500 supports Bluetooth for Bluetooth headset connection, file transfer and handsfree mode for cell phones. By default, Bluetooth is disabled and it can be enabled from the LCD. If no Bluetooth device is used with the GAC2500, it’s recommended to turn off Bluetooth so it’s not discoverable by nearby Bluetooth devices.
Authenticate Config file: This sets the GAC2500 to authenticate the configuration file before applying it. When set to “Yes”, the configuration file must include P value P1 with the GAC2500’s administration password. If it is missing or does not match the password, the GAC2500 will not apply the config file.
XML configuration file after downloading it. Then the configuration can be applied to the GAC2500. Please note that this feature is supported for the XML config file, not the binary config file. Therefore, it’s recommended to use the XML config file format and encrypt it with this feature.
This can be set up as required on the provisioning server when HTTP/HTTPS is used. Only when the GAC2500 has the correct username and password configured can it be authenticated by the firmware server and the firmware file be downloaded.
The FTP service on the GAC2500 uses port 2121. After the user enables the FTP server on the GAC2500 and connects to it, users can browse GAC2500 files such as screenshots from a remote PC. It is recommended to disable the FTP server during normal usage, and only turn it on for a specific purpose.
ADB connection is not needed.
Figure 23: Developer Mode Enabled
LDAP
The GAC2500 supports LDAP to obtain enterprise contacts from an LDAP server. It’s recommended to change the default connection mode “LDAP” to “LDAPS” to protect and encrypt LDAP queries and responses using SSL/TLS.
Figure 24: GAC2500 LDAP Settings
Syslog
The GAC2500 supports sending Syslog to a remote syslog server. By default, it’s sent via UDP and we recommend changing it to “SSL/TLS” so the syslog messages containing device information will be sent securely over a TLS connection.
Use TLS and SRTP for SIP calls
On the GAC2500, it’s recommended to use TLS for SIP transport with “sips” in the SIP URL scheme for SIP signaling encryption, and to use SRTP for media encryption. Below are the SIP ports and RTP ports used on the GAC2500 if the network administrator needs to create firewall rules.