Bosch PRAESENSA PRA-SCL Configuration Manual page 11

Public address and voice alarm system

PRAESENSA
Bosch Security Systems B.V.
enclosure with lockable door or by configuration of user authentication on the device**.
* Call stations, that address very large areas, are considered as critical.
** Availability of the user authentication function is to be announced.

It is highly recommended to operate PRAESENSA on its own dedicated network, not
mixed with other equipment for other purposes. Other equipment may be accessible by
unauthorized people, causing a security risk. This is especially true if the network is
connected to the Internet.

It is highly recommended that unused ports of network switches are locked or disabled, so
that no equipment that may compromise the system can be connected. This also applies to
PRAESENSA call stations that are connected via a single network cable. Make sure that the
connector cover of the device is in place and properly fixed, so that the second network
socket is not accessible. Other PRAESENSA equipment should be installed in an area that
is only accessible by authorized people to avoid tampering.

PRAESENSA uses secure OMNEO for its network connections, using encryption and
authentication for all control and audio data exchange. However, the system controller
allows the configuration of unsecured Dante or AES67 audio connections as an extension
of the system, both as inputs and as outputs. These Dante/AES67 connections are not
authenticated and not encrypted and form a security risk, as no precautions are taken
against malicious or accidental attacks via their network interfaces. For highest security,
these Dante/AES67 devices should not be used as part of the PRAESENSA system. If such
inputs or outputs need to be used, use unicast connections only. Use only Dante devices
that support Device Lock. Device Lock allows you to lock and unlock supported Dante
devices using a 4‑digit PIN (Personal Identification Number). Make sure that the devices
are locked when in normal operation. Dante Controller is needed to set the PIN and set up
the connections. Alternatively, use Dante Domain Manager.

For security reasons, by default the PRA-ES8P2S Ethernet switch is not accessible from
the Internet. When the default (special link‑local) IP‑address is changed to an address
outside the link‑local range (169.254.x.x/16), the default (published) password must
also be changed. But even for applications on a closed local network, for highest security
the password may still be changed. See section 14.5 of the PRAESENSA installation
manual.

The PRA-ES8P2S network switch supports SNMP. By convention, most SNMPv1‑v2c
equipment ships from the factory with a read-only community string set to "public". This
also applies to the PRA-ES8P2S. For security reasons, SNMP should be disabled. If SNMP
must be enabled, for example to use the Bosch network analysis tool OMN‑DOCENT, use
SNMPv3. SNMPv3 provides much better security with authentication and privacy. Select
the authentication level SHA and encryption via AES. To configure the switch accordingly,
see section 14.5 of the PRAESENSA installation manual.
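
The recommendations above for the PRA-ES8P2S switch (default password, SNMP) and for Dante devices (Device Lock, unicast) can be checked against a site inventory with a short script. This is an added example, not Bosch code; the dictionary schema, device names and addresses are assumptions made for the illustration.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

def audit_switch(cfg):
    """Findings for one PRA-ES8P2S record (hypothetical dict schema)."""
    out = []
    ip = ipaddress.ip_address(cfg["ip"])
    # Unknown password state is treated as "still default" (fail closed).
    if cfg.get("default_password", True):
        if ip in LINK_LOCAL:
            out.append("WARN default password (link-local address)")
        else:
            out.append("FAIL default password on non-link-local address")
    snmp = cfg.get("snmp", {})
    if snmp.get("enabled"):
        if snmp.get("version") != "v3":
            out.append("FAIL SNMP enabled without SNMPv3")
        elif (snmp.get("auth"), snmp.get("priv")) != ("SHA", "AES"):
            out.append("FAIL SNMPv3 not using SHA authentication with AES encryption")
    return out

def audit_dante(dev):
    """Findings for one Dante/AES67 endpoint (hypothetical dict schema)."""
    out = []
    if not dev.get("device_lock_supported", False):
        out.append("FAIL no Device Lock support")
    elif not dev.get("locked", False):
        out.append("FAIL Device Lock not engaged")
    if dev.get("flow") != "unicast":
        out.append("FAIL connection is not unicast")
    return out

# Constructed sample inventory; names, addresses and settings are invented.
SWITCHES = {
    "sw1": {"ip": "169.254.10.5", "default_password": True},
    "sw2": {"ip": "10.20.0.7", "default_password": True,
            "snmp": {"enabled": True, "version": "v2c"}},
    "sw3": {"ip": "10.20.0.8", "default_password": False,
            "snmp": {"enabled": True, "version": "v3", "auth": "SHA", "priv": "AES"}},
}
DANTE = {"amp1": {"device_lock_supported": True, "locked": False, "flow": "multicast"}}

def audit(switches, dante):
    """Map each device name to its findings; compliant devices are omitted."""
    found = {n: audit_switch(c) for n, c in switches.items()}
    found.update({n: audit_dante(d) for n, d in dante.items()})
    return {name: f for name, f in found.items() if f}
```

Calling `audit(SWITCHES, DANTE)` returns findings for `sw1`, `sw2` and `amp1`; `sw3` is omitted because it meets every check.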

The system controller web server uses secure HTTPS with SSL. The web server in the
system controller uses a self‑signed security certificate. When you access the server via
https, you will see a Secure Connection Failed error or warning dialog indicating that the
certificate was signed by an unknown authority. This is expected; to avoid this
message in the future, you have to create an exception in the browser.

Make sure that new user accounts for system configuration access use sufficiently long
and complex passwords. The user name must have between 5 and 64 characters. The
password must have between 4 and 64 characters.

The PRAESENSA system controller provides an Open Interface for external control.
Access via this interface requires the same user accounts as for system configuration
access. In addition, the system controller generates a certificate to set up the TLS
Configuration manual
General information | en
2020-09 | V1.20 | PRAESENSA 1.20
11
