Bosch PRAESENSA Release Notes page 18

Public address and voice alarm system
7 Security precautions
PRAESENSA is an IP‑connected, networked Public Address and Voice Alarm system. To
ensure that the intended functions of the system are not compromised, special attention
and measures are required during installation and operation to prevent tampering with the
system. Many such measures are described in the PRAESENSA configuration manual and
installation manual, in relation to the products and activities described there. This section
provides an overview of the precautions to be taken regarding network security and access
to the system.
2023-05 | V1.81 |
Follow the installation instructions with respect to the location of equipment and the
permitted access levels. Refer to Location of racks and enclosures. Make sure that
critical* call stations and operator panels that are configured for alarm functions only
have restricted access using a special procedure, such as being mounted in an enclosure
with a lockable door or by configuration of user authentication on the device**.
* Call stations that address very large areas are considered critical.
** Availability of the user authentication function is to be announced.

It is highly recommended to operate PRAESENSA on its own dedicated network, not
mixed with other equipment for other purposes. Other equipment may be accessible by
unauthorized people, causing a security risk. This is especially true if the network is
connected to the Internet.

It is highly recommended that unused ports of network switches are locked or disabled to
prevent the connection of equipment that may compromise the system. This also applies
to PRAESENSA call stations that are connected via a single network cable. Make sure
that the connector cover of the device is in place and properly fixed, so that the second
network socket is not accessible. Other PRAESENSA equipment should be installed in an
area that is only accessible by authorized people to avoid tampering.

Use an Intrusion Protection System (IPS) with port security where possible to monitor
the network for malicious activity or policy violations.

PRAESENSA uses secure OMNEO for its network connections. All control and audio data
exchanges use encryption and authentication, but the system controller allows the
configuration of unsecured Dante or AES67 audio connections as an extension of the
system, both as inputs and as outputs. These Dante/AES67 connections are not
authenticated and not encrypted. They form a security risk, as no precautions are taken
against malicious or accidental attacks through their network interfaces. For highest
security, these Dante/AES67 devices should not be used as part of the PRAESENSA
system. If such inputs or outputs are needed, use unicast connections.

For security reasons, by default the PRA-ES8P2S Ethernet switch is not accessible from
the Internet. When the default (special link‑local) IP address is changed to an address
outside the link‑local range (169.254.x.x/16), the default (published) password must also
be changed. Even for applications on a closed local network, the password may still be
changed for highest security. Refer to Installation.

To enable SNMP, for example to use the Bosch Network analysis tool OMN‑DOCENT, use
SNMPv3. SNMPv3 provides much better security with authentication and privacy. Select
the authentication level SHA and encryption via AES. To configure the switch accordingly,
refer to Installation.

From PRAESENSA software version 1.50 onwards, the PRA-ES8P2S switches and the
CISCO IE-5000 series switches report their power fault and network connection status
directly to the PRAESENSA system controller through SNMP. The switches can be
daisy-chained without an OMNEO device between them for connection supervision. The
PRA-ES8P2S is preconfigured for this purpose from custom firmware version 1.01.05 onwards.
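
The switch and audio-connection precautions listed above can be checked mechanically against a site inventory. The following Python code is an added example, not part of the Bosch release notes or of any Bosch tool; the inventory schema, field names, port states and sample records are assumptions constructed for illustration.

```python
import ipaddress

# Link-local range named in the precautions above.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

def audit_switch(sw):
    """Return findings for one switch record (hypothetical inventory schema)."""
    findings = []
    ip = ipaddress.ip_address(sw["ip"])
    # Outside link-local, the default (published) password must be changed.
    if ip not in LINK_LOCAL and sw["default_password"]:
        findings.append("default password on non-link-local address")
    snmp = sw.get("snmp")  # None means SNMP is disabled
    if snmp is not None:
        if snmp.get("version") != 3:
            findings.append("SNMP enabled but not SNMPv3")
        elif (snmp.get("auth"), snmp.get("priv")) != ("SHA", "AES"):
            findings.append("SNMPv3 is not using SHA authentication with AES privacy")
    # Unused ports should be locked or disabled.
    for port, state in sorted(sw.get("ports", {}).items()):
        if state == "unused-enabled":
            findings.append(f"unused port {port} is enabled")
    return findings

def audit_streams(streams):
    """Flag Dante/AES67 streams (unauthenticated, unencrypted) that are not unicast."""
    return [f"{s['name']}: {s['protocol']} stream is {s['cast']}, use unicast"
            for s in streams
            if s["protocol"] in ("Dante", "AES67") and s["cast"] != "unicast"]

# Constructed sample inventory, not taken from a real installation.
SWITCHES = [
    {"name": "sw-rack1", "ip": "169.254.10.20", "default_password": True,
     "snmp": {"version": 3, "auth": "SHA", "priv": "AES"},
     "ports": {1: "in-use", 2: "disabled"}},
    {"name": "sw-rack2", "ip": "10.20.0.5", "default_password": True,
     "snmp": {"version": 2}, "ports": {1: "in-use", 8: "unused-enabled"}},
]
STREAMS = [
    {"name": "bgm-in", "protocol": "Dante", "cast": "multicast"},
    {"name": "zone-out", "protocol": "AES67", "cast": "unicast"},
]

if __name__ == "__main__":
    for sw in SWITCHES:
        print(sw["name"], audit_switch(sw))
    print(audit_streams(STREAMS))
```

The first sample switch passes because its address is still link-local, where changing the password is optional according to the text above; the second fails on all three switch rules.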
Release notes
PRAESENSA
Bosch Security Systems B.V.
