Grandstream Networks GXV3370 Security Manual

Grandstream Networks, Inc.
GXV3370/GXV3380/GXV3350™
IP Video Phones with Android
Security Guide

Summary of Contents for Grandstream Networks GXV3370

  • Page 1 Grandstream Networks, Inc. GXV3370/GXV3380/GXV3350 IP Video Phones with Android Security Guide...
  • Page 2: Table Of Contents

    Table of Contents: OVERVIEW (p. 3); WEB UI/SSH ACCESS (p. 4); GXV33XX Web UI Access (p. 4); Web UI Access Protocols (p. 4); User Login (p. 5); User Management Levels (p. 6); SSH Access (p. 7); DEVICE CONTROL SECURITY (p. 8); GUI Config Tool Settings ...
  • Page 3: Table of Figures: Figure 1: Web UI Access Settings (p. 4); Figure 2: GXV3370 Web UI Login (p. 5); Figure 3: GXV33XX Admin Password Change on first login (p. 5); Figure 4: Change the default password (p. 6); Figure 5: Admin (left) and User (right) Web Access (p. 7); Figure 6: SSH Access on GXV33XX ...
  • Page 4: Overview

    This document is subject to change without notice. Reproduction or transmittal of the entire or any part, in any form or by any means, electronic or print, for any purpose without the express written permission of Grandstream Networks, Inc. is not permitted.
  • Page 5: Web Ui/Ssh Access

    GXV33XX phone on public networks and it’s recommended not to do so. Web UI Access Protocols HTTP and HTTPS are supported to access the GXV3370/GXV3380/GXV3350 web UI and can be configured under web UI → System Settings → Security Settings → Web/SSH Access. To secure transactions and prevent unauthorized access, it is highly recommended to: 1.
  • Page 6: User Login

    Figure 2: GXV3370 Web UI Login. Notes: • The factory default username for GXV3370/GXV3380 is “admin” and the default password is “admin”. • For the GXV3350, the default administrator username is “admin” and the default random password can be found on the sticker on the GXV3350.
  • Page 7: User Management Levels

    • Admin login has access to all of the GXV3370/GXV3380/GXV3350’s web UI pages and can execute all available operations. • User login has limited access to the web UI pages. With user login, it is not allowed to configure the following settings: •...
  • Page 8: Ssh Access

    Figure 5: Admin (left) and User (right) Web Access. SSH Access: The GXV3370/GXV3380/GXV3350 allows access via SSH. This is usually not needed unless the administrator or Grandstream support needs it for troubleshooting purposes. SSH access on GXV33XX is enabled by default with port 22 used. It’s recommended to disable it for daily normal usage. If SSH access needs to be enabled, changing the port to a different port other than the well-known port 22 is a good practice.
  • Page 9: Device Control Security

    DEVICE CONTROL SECURITY: From GXV3370/GXV3380/GXV3350 web UI → System Settings → Security Settings → Web/SSH Access, the administrator can set whether the user can use specific features or install apps from the LCD, as shown below. Figure 7: Limit Access to Advanced Settings and Apps on LCD. Configures access control for keypad Menu settings on the Settings interface of the phone.
  • Page 10: Gui Config Tool Settings

    GUI Config Tool Settings The GUI config tool is an online tool designed to customize the configuration for devices. Here is the link to the GUI config tool: http://tools.grandstream.com:8081 Figure 8: GUI Config Tool Settings GUI From there, the administrator can build a customized file to remove access for certain apps and task bar features.
  • Page 11: Security For Sip Accounts And Calls

    UI → Account → General Settings → Account Active to deactivate Account 1. Note that GXV3370/GXV3380/GXV3350 supports up to 16 SIP accounts. Below are the ports/protocols used on GXV33XX SIP accounts: •...
  • Page 12: Figure 11: Sip Tls Settings On Gxv33Xx

    SIP TLS certificate, private key and password can be configured under GXV33XX web UI → System Settings → Security Settings → SIP TLS. Figure 11: SIP TLS Settings on GXV33XX When SIP TLS is used, the GXV33XX also offers additional configurations to check domain certificate and validate certificate chain.
  • Page 13: Anonymous/Unsolicited Calls Protection

    Port_Value+10*N+9 Anonymous/Unsolicited Calls Protection If the user would like to have anonymous calls blocked, please go to GXV3370/GXV3380/GXV3350 web UI → Account → Account x → Call Settings and enable option “Intercept Anonymous Calls”. This will automatically block the SIP call if the caller ID is anonymous.
  • Page 14: Figure 14: Settings To Block Unwanted Calls

    Figure 14: Settings to Block Unwanted Calls. Only Accept SIP Requests from Known Servers: Answers the SIP request from saved servers when set to “Yes”; only the SIP requests from saved servers will be accepted, and the SIP requests from the unregistered server will be rejected. The default setting is “No”.
  • Page 15: Srtp

    SRTP: To protect voice communication from eavesdropping, the GXV3370/GXV3380/GXV3350 phones support SRTP for media traffic using AES 128 and 256. It is recommended to use SRTP if the server supports it. SRTP can be configured in web UI → Account → Codec Settings → RTP Settings.
  • Page 16: Network Security

    NETWORK SECURITY: OpenVPN®. The GXV3370/GXV3380/GXV3350 supports OpenVPN® and by default it’s disabled. It can be enabled and used for secure remote connection as shown in the figure below: Figure 16: OpenVPN® for Secure Network Access. If the device is using OpenVPN® to access the network, it is recommended to use a different port other than...
  • Page 17: Enable OpenVPN®: This enables/disables OpenVPN® functionality and requires the user to have access to an OpenVPN® server. The default setting is No. NOTE: To use OpenVPN® functionalities, users must enable OpenVPN® and configure all the settings related to OpenVPN®, including server address, port, OpenVPN®...
  • Page 18: 802.1X

    802.1X: The GXV3370/GXV3380/GXV3350 supports EAPOL, where access to switch ports can be controlled with identity/password and certificate as shown in the figure below: Figure 18: 802.1X for GXV33XX Deployment. By default, it’s disabled. When it’s enabled, there are 3 different modes for selection: EAP-MD5, EAP-TLS and EAP-PEAP.
  • Page 19: Bluetooth

    Bluetooth devices. PC Port Mode: The GXV3370/GXV3380/GXV3350 has dual switched 10/100/1000Mbps ports. The LAN port is for network access and the PC port has multiple modes. Assuming GXV33XX has network access, PC port mode has the following settings under web UI → Network Settings → Advanced Network Settings → PC Port Mode...
  • Page 20: Security For Gxv33Xx Services

    SECURITY FOR GXV33XX SERVICES: Provisioning via Configuration File. The GXV3370/GXV3380/GXV3350 supports downloading the configuration file via HTTP/HTTPS/TFTP. The figure below shows the options for config file provisioning. Figure 21: GXV33XX Config File Provisioning. We recommend that users consider the following options for added security when deploying the GXV33XX with provisioning.
  • Page 21: Figure 22: Validate Certification Chain

    Validate Certificate Chain: This configures whether to validate the server certificate when downloading the firmware/config file. If set to "Yes", the phone will download the firmware/config file only from the legitimate server. Figure 22: Validate Certification Chain GXV33XX supports uploading CA certificate to validate the server certificate and this setting is under GXV33XX web UI →...
  • Page 22: Firmware Upgrading

    Firmware Upgrading Similar to configuration file provisioning, GXV3370/GXV3380/GXV3350 supports downloading firmware file via HTTP/HTTPS/TFTP. The firmware file is encrypted and GXV33XX ensures only authentic, signed and untampered firmware file can run. Here are the recommended settings for firmware downloading.
  • Page 23: Figure 25: Tr-069 Connection Settings Page

    TR-069: TR-069 is enabled by default, which means the connection request port 7547 is open for TR-069 sessions. If the user does not need the TR-069 service, it’s recommended to disable it. When TR-069 is enabled and the service is to be used, users can also consider using a different connection request port other than the well-known port 7547 for security purposes.
  • Page 24: Ftp Server

    FTP Server: The FTP server is disabled by default on GXV3370/GXV3380/GXV3350. It can be enabled from LCD menu → File Manager app. The FTP service on GXV33XX uses port 2121. After the user enables the FTP server and connects to it, GXV33XX files such as screenshots can be browsed from a remote PC. It is recommended to disable the FTP server during normal usage, and only turn it on for a specific purpose.
  • Page 25: Ldap

    Figure 28: LDAP Settings. Syslog: The GXV3370/GXV3380/GXV3350 supports sending Syslog to a remote syslog server. By default, it’s sent via UDP and we recommend changing it to “SSL/TLS” so the syslog messages containing device information will be sent securely over a TLS connection.
  • Page 26: Security Guidelines For Gxv33Xx Deployment

    SECURITY GUIDELINES FOR GXV33XX DEPLOYMENT: Oftentimes the GXV3370/GXV3380/GXV3350 phones are deployed behind NAT. The network administrator can consider the following security guidelines for the GXV33XX to work properly and securely. • Turn off SIP ALG on the router: On the customer’s router, it’s recommended to turn off SIP ALG (Application Layer Gateway). SIP ALG is common in many routers and is intended to prevent some problems caused by router firewalls by inspecting VoIP packets and modifying them if necessary.
  • Page 27 Account 8 5074 for UDP/TCP RTP: 50110 RTP: 50102 RTP: 50104 BFCP Protocol: 50106 5075 for TLS RTCP: 50111 RTCP: 50103 RTCP: 50105 RTP: 50108 RTCP: 50109 Account 9 5076 for UDP/TCP RTP: 50120 RTP: 50122 RTP: 50124 BFCP Protocol: 50126 5077 for TLS RTCP: 50121 RTCP: 50123...
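The recommendations quoted in the excerpts above (change the default admin password, HTTPS for the web UI, SSH and TR-069 disabled or moved off ports 22 and 7547, FTP off, syslog over SSL/TLS, SRTP, certificate-chain validation for downloads, anonymous-call interception) can be checked mechanically against a settings snapshot. This is an added example, not code from the Grandstream guide; the setting names and the factory-default snapshot are constructed for illustration and are not the phone's real provisioning parameters.

```python
from typing import Any, Callable, Dict, List

# Constructed sample (not captured from a real phone): a factory-fresh
# GXV33XX as the guide describes it.  Keys are descriptive labels chosen
# for this example, not the phone's real provisioning parameter names.
FACTORY_DEFAULTS: Dict[str, Any] = {
    "admin_password_changed": False,
    "web_access_protocol": "HTTP",        # guide: use HTTPS
    "ssh_enabled": True,                  # enabled by default on port 22
    "ssh_port": 22,
    "tr069_enabled": True,                # enabled by default on port 7547
    "tr069_port": 7547,
    "ftp_server_enabled": False,          # disabled by default (port 2121)
    "syslog_protocol": "UDP",             # guide: use SSL/TLS
    "srtp_enabled": False,                # guide: enable if server supports it
    "validate_certificate_chain": False,  # guide: set to Yes
    "provisioning_protocol": "TFTP",      # guide: HTTPS with CA validation
    "intercept_anonymous_calls": False,
}

# One rule per recommendation quoted on this page: (finding text, predicate
# that returns True when the configuration already complies).
RULES = [
    ("default admin password still in use", lambda c: c["admin_password_changed"]),
    ("web UI reachable over HTTP; use HTTPS", lambda c: c["web_access_protocol"] == "HTTPS"),
    ("SSH enabled; disable for daily use", lambda c: not c["ssh_enabled"]),
    ("SSH listens on well-known port 22", lambda c: not c["ssh_enabled"] or c["ssh_port"] != 22),
    ("TR-069 enabled; disable if unused", lambda c: not c["tr069_enabled"]),
    ("TR-069 listens on well-known port 7547", lambda c: not c["tr069_enabled"] or c["tr069_port"] != 7547),
    ("FTP server enabled; turn off after use", lambda c: not c["ftp_server_enabled"]),
    ("syslog sent over UDP; use SSL/TLS", lambda c: c["syslog_protocol"] == "SSL/TLS"),
    ("SRTP disabled", lambda c: c["srtp_enabled"]),
    ("server certificate chain not validated", lambda c: c["validate_certificate_chain"]),
    ("config/firmware not downloaded over HTTPS", lambda c: c["provisioning_protocol"] == "HTTPS"),
    ("anonymous calls not intercepted", lambda c: c["intercept_anonymous_calls"]),
]

def audit(cfg: Dict[str, Any]) -> List[str]:
    """Return the guide recommendations that cfg does not follow."""
    return [finding for finding, complies in RULES if not complies(cfg)]

def harden(cfg: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of cfg with every recommendation on this page applied."""
    fixed = dict(cfg)
    fixed.update(admin_password_changed=True, web_access_protocol="HTTPS",
                 ssh_enabled=False, tr069_enabled=False, ftp_server_enabled=False,
                 syslog_protocol="SSL/TLS", srtp_enabled=True,
                 validate_certificate_chain=True, provisioning_protocol="HTTPS",
                 intercept_anonymous_calls=True)
    return fixed
```

Running `audit` on the factory snapshot reports eleven findings (FTP is the only default that already complies); an SSH session left enabled on a non-default port still produces the "disable for daily use" finding, matching the guide's advice that moving the port is a fallback, not a substitute for turning SSH off.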

This manual is also suitable for:

GXV3380, GXV3350