FIBERME Communications LLC
FAP26xx Series
Security Manual

Summary of Contents for Fiberme FAP26 Series

  • Page 1 FIBERME Communications LLC FAP26xx Series Security Manual...
  • Page 2: Table Of Contents

    Table of Contents

    - OVERVIEW, 3
    - WEB UI/SSH ACCESS, 4
      - Web UI Access, 4
      - Web UI Access Protocols, 4
      - Admin Login, 5
      - User Management Levels, 6
    - SECURITY FOR SIP ACCOUNTS AND CALLS, 8
      - Protocols and Ports, 8
      - Anonymous/Unsolicited Calls Protection ...
  • Page 3: Table of Figures

    - Figure 1: Web UI Access Settings, 4
    - Figure 2: Web UI Login, 5
    - Figure 3: Change Password on First Boot, 5
    - Figure 4: Change Admin Level Password, 6
    - Figure 5: Change User Level Password, 7
    - Figure 6: Configure TLS as SIP Transport ...
  • Page 4: Overview

    This document is subject to change without notice. Reproduction or transmittal of the entire or any part, in any form or by any means, electronic or print, for any purpose without the express written permission of FIBERME Communications LLC is not permitted.
  • Page 5: Web Ui/Ssh Access

    3. The FAP allows access via SSH for advanced troubleshooting. This is usually not needed unless the administrator or FIBERME support requires it for troubleshooting. SSH access on the device is enabled by default on port 22. It is recommended to disable it for normal daily usage. If SSH access needs to be enabled, changing the port from the well-known port 22 to a different port is good practice.
  • Page 6: Admin Login

    Admin Login

    A username and password are required to log in to the FAP's web UI.

    Figure 2: Web UI Login

    The factory default username for the administrator level is “admin”, and the default password is a random password printed on the sticker at the back of the unit. Changing the default password at first login is highly recommended.
  • Page 7: User Management Levels

    To change the password for the default user "admin", navigate to Web GUI → Maintenance → Web Access.

    Figure 4: Change Admin Level Password

    The password length must be between 6 and 25 characters. A strong password combining numbers, uppercase letters, lowercase letters, and special characters is always recommended for security purposes.
  • Page 8: Figure 5 : Change User Level Password

    Figure 5: Change User Level Password
  • Page 9: Security For Sip Accounts And Calls

    SECURITY FOR SIP ACCOUNTS AND CALLS

    Protocols and Ports

    By default, after a factory reset, all the accounts are active. Knowing the default local SIP port (Account 1: 5060; Account 2: 5062 …), users can make direct IP calls even if the accounts are not registered to any PBX. Therefore, it is recommended to disable the unused ports.
  • Page 10: Anonymous/Unsolicited Calls Protection

    - Validate Server Certificates: This feature allows users to validate server certificates with our trusted list of TLS connections.
    - Trusted CA Certificates: Uses the certificate for authentication.

    Figure 8: Additional SIP TLS Settings

    • Local SIP port when using UDP/TCP: Starting from 5060 for Account 1, the port numbers increase by 2 for each account.
  • Page 11: Figure 10 : Settings To Block Anonymous Call

    Set “Yes” to force the FAP to check the SIP address of the Request URI in the incoming SIP message; if it doesn't match the SIP server address of the account, the call will be rejected. Additionally, the FAP has a built-in mechanism that detects spam SIP calls and stops them from ringing the phones.
  • Page 12: Srtp

    SRTP

    To protect voice communication from eavesdropping, the FAP supports SRTP for media traffic using AES 128 and 256. It is recommended to use SRTP if it is supported by the SIP server (or the service provider). SRTP can be configured under Web GUI → Account X → Audio Settings.

    Figure 11: SRTP Settings

    Select the SRTP mode to use (“No”, “Enabled but not forced”, “Enabled and forced”, or “Optional”).
  • Page 13: Security For Fap Services

    SECURITY FOR FAP SERVICES

    Firmware Upgrade and Provisioning

    The FAP IP Phones support downloading configuration files via TFTP, HTTP/HTTPS, and FTP/FTPS. The figure below shows the related options under Web GUI → Maintenance → Upgrade and Provisioning.

    Figure 13: Upgrade and Provisioning
  • Page 14

    We recommend that users consider the following options for added security when deploying the FAP with provisioning.

    • Upgrade Via: HTTPS: By default, HTTPS is selected. This is recommended so that the traffic is encrypted while travelling through the network.
    • HTTP/HTTPS/FTP/FTPS User Name and Password: This can be set up as required on the provisioning server when HTTP/HTTPS/FTP/FTPS is used.
  • Page 15: Figure 14 : Tr-069 Connection Settings

    • CPE SSL Private Key: Specifies the Cert Key for the ATA to connect to the ACS via SSL.

    Figure 14: TR-069 Connection Settings
  • Page 16: Syslog

    Syslog

    The FAP supports sending Syslog to a remote syslog server. By default, it is sent via UDP, and we recommend changing it to “SSL/TLS” so that syslog messages containing device information are sent securely over a TLS connection.

    Figure 15: Syslog Protocol
  • Page 17: Security Guidelines For Fap Deployment

    SECURITY GUIDELINES FOR FAP DEPLOYMENT

    The FAP is often deployed behind NAT. The network administrator can consider the following security guidelines for the FAP to work properly and securely.

    • Turn off SIP ALG on the router

      On the customer’s router, it is recommended to turn off SIP ALG (Application Layer Gateway). SIP ALG is common in many routers and is intended to prevent some problems caused by router firewalls by inspecting VoIP packets and modifying them if necessary.
  • Page 18

    • Use HTTPS for web UI access

      FAP web UI access should be protected with a strong administrator password in addition to using HTTPS. Also, do not expose the FAP web UI to public networks for normal usage.

    • Use HTTPS for firmware downloading and config file downloading

      Use HTTPS for firmware downloading and provisioning.
