Provisioning via Configuration File ..... 18
Firmware Upgrading ..... 20
TR-069 ..... 21
FTP Server ..... 22
ADB Service ..... 22
LDAP ..... 23
Syslog ..... 23
SECURITY GUIDELINES FOR GXV3370 DEPLOYMENT ..... 25
GXV3370 Security Guide
SSH access is supported mainly for troubleshooting purposes, and it is recommended to disable it in normal usage.
• Device Control Security: The GXV3370 has multiple ways to limit the use of network settings, apps, and other settings that are not necessary for the end user.
• Security for SIP Accounts and Calls: The SIP accounts use specific ports for signaling and media stream transmission.
Web UI Access Protocols: HTTP and HTTPS are supported for accessing the GXV3370 web UI and can be configured under web UI → System Settings → Security Settings → Web/SSH Access. To secure transactions and prevent unauthorized access, it is highly recommended to: 1.
Figure 2: GXV3370 Web UI Login
The factory default username is “admin” and the default password is “admin”. The GXV3370 web UI requires the default password to be changed at the first login.
Figure 3: GXV3370 Admin Password Change
To change the password for the default user "admin", navigate to System Settings → Security Settings → User Info Management.
Grandstream support needs it for troubleshooting purposes. SSH access on the GXV3370 is enabled by default on port 22. It is recommended to disable it for daily normal usage. If SSH access needs to be enabled, changing the port to one other than the well-known port 22 is good practice.
DEVICE CONTROL SECURITY
From GXV3370 web UI → System Settings → Security Settings → Web/SSH Access, the administrator can set whether the user can use specific features or install apps from the LCD, as shown below.
Figure 6: Limit Access to Advanced Settings and Apps on LCD
Configuration via Keypad Menu: This option configures access to the keypad Menu settings on the Settings interface of the phone.
The tool generates a file “gxv3370cust” which should be uploaded to an HTTP/TFTP server. The user then needs to configure the server address as the GUI Customization File URL under web UI → Maintenance → Upgrade → Config File so the GXV3370 downloads the file. For more details, please refer to the guide: http://www.grandstream.com/sites/default/files/Resources/GXV3370_GUI_Customization_Web_Tool_Gui...
• SIP transport protocol: The GXV3370 supports the SIP transport protocols “UDP”, “TCP” and “TLS”. By default, it is set to “UDP”. It is recommended to use “TLS” so that the SIP signaling is encrypted. The SIP transport protocol can be configured per SIP account under web UI → Account → Account x → SIP Settings. When “TLS” is used, we recommend using “sips”...
These settings can be found under web UI → Account → Account x → Advanced Settings.
Check Domain Certificate: If enabled, the GXV3370 checks the domain certificate when TLS/TCP is used for SIP transport. The default setting is “No”.
Validate Certification Chain: If enabled, the GXV3370 validates the server’s certificate chain when TLS/TCP is used for SIP...
Local RTP port: The default port value is 50040. Below is the range of RTP ports the GXV3370 uses, configured from web UI → Phone Settings → General Settings (N is from 0 to 15, representing SIP accounts 1 to 16).
Check SIP User ID for Incoming INVITE: This configures the GXV3370 to check the SIP User ID in the Request-URI of the SIP INVITE message from the remote party. If it does not match the phone’s SIP User ID, the call is rejected. The default setting is “No”.
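The following added example (not code from the guide or from Grandstream firmware) shows the decision the “Check SIP User ID for Incoming INVITE” setting makes: it parses the Request-URI of a constructed INVITE request line, extracts the user part, and accepts the call only when that user matches the account’s SIP User ID. The request lines, account ID and host names are constructed for illustration.

```python
import re

# Constructed sample INVITE request lines (not captured traffic).
INVITE_MATCHING = "INVITE sips:2001@pbx.example.com:5061;transport=tls SIP/2.0"
INVITE_MISMATCH = "INVITE sip:2002@pbx.example.com SIP/2.0"
INVITE_NO_USER = "INVITE sip:pbx.example.com SIP/2.0"

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+SIP/2\.0$")


def request_uri_user(request_line):
    """Return the user part of the Request-URI, or None if the URI has no user."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        raise ValueError("not a SIP request line")
    uri = m.group("uri")
    scheme, _, rest = uri.partition(":")
    if scheme not in ("sip", "sips"):
        raise ValueError("unsupported URI scheme: " + scheme)
    if "@" not in rest:
        return None                      # host-only URI, e.g. sip:pbx.example.com
    userinfo = rest.rsplit("@", 1)[0]    # strip host[:port][;params]
    user = userinfo.split(":", 1)[0]     # strip a user:password form if present
    return user or None


def accept_invite(request_line, account_user_id, check_user_id=True):
    """Mirror the setting: with the check enabled, reject any INVITE whose
    Request-URI user differs from (or lacks) the account's SIP User ID."""
    if not check_user_id:
        return True                      # default “No”: no filtering on the URI user
    return request_uri_user(request_line) == account_user_id


if __name__ == "__main__":
    for line in (INVITE_MATCHING, INVITE_MISMATCH, INVITE_NO_USER):
        print(line, "->", "accept" if accept_invite(line, "2001") else "reject")
```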
GXV3370 supports OpenVPN®, and by default it is disabled. It can be enabled and used for a secure remote connection. If the device is using OpenVPN® to access the network, it is recommended to use a different port...
GXV3370 supports Bluetooth for Bluetooth headset connection, file transfer and handsfree mode for cell phones. By default, Bluetooth is disabled and it can be enabled from the LCD. If no Bluetooth device is used with the GXV3370, it is recommended to turn off Bluetooth so the phone is not discoverable by nearby Bluetooth devices.
When the PC port mode is set to “Enabled”, another network device can obtain network access by connecting to GXV3370’s PC port. The PC VLAN tag and PC priority values are only available when the port mode is set to "Enabled".
Authenticate Config file: This sets the GXV3370 to authenticate the configuration file before applying it. When set to “Yes”, the configuration file must include the P value P1 containing the GXV3370’s administration password. If it is missing or does not match the password, the GXV3370 will not apply the config file.
XML configuration file after downloading it. Then the configuration can be applied to the GXV3370. Please note this feature is supported for the XML config file but not for the binary config file. Therefore, it is recommended to use the XML config file format and encrypt it with this feature.
This can be set up as required on the provisioning server when HTTP/HTTPS is used. Only when the GXV3370 has the correct username and password configured can it be authenticated by the firmware server and the firmware file downloaded.
If the user does not need the TR-069 service, it is recommended to disable it. When TR-069 is enabled and the service is to be used, users can also consider using a connection request port other than the well-known port 7547 for security purposes.
Figure 25: TR-069 Connection Settings Page
FTP Server
The FTP server is disabled by default on the GXV3370. It can be enabled from LCD menu → File Manager app. The FTP service on the GXV3370 uses port 2121. After the user enables the FTP server on the GXV3370 and connects to it, users can browse the GXV3370 files, such as screenshots, from a remote PC. It is recommended to disable the FTP server during normal usage and only turn it on for a specific purpose.
Figure 28: GXV3370 LDAP Settings
Syslog
GXV3370 supports sending Syslog to a remote syslog server. By default, it is sent via UDP; we recommend changing it to “SSL/TLS” so that the syslog messages containing device information are sent securely over a TLS connection.
Use TLS and SRTP for SIP calls
On the GXV3370, it is recommended to use TLS for SIP transport with the “sips” SIP URL scheme for SIP signaling encryption, and to use SRTP for media encryption. The table below lists all the SIP and RTP ports used on the GXV3370, in case the network administrator needs to create firewall rules.
On the customer’s firewall, it is recommended to ensure the SIP port is open for the SIP accounts on the GXV3370. It is not necessary to use the default port 5060/5062/… on the firewall. Instead, the network administrator can consider mapping a different port on the firewall to the GXV3370 SIP port 5060 for security purposes.