
Network Security Hardening Guide

v1.2 June 2017

About This Document

This document provides information and explains measures that users can take to secure network devices to improve network security.

Trademarks Acknowledgement

Hikvision® and other Hikvision trademarks and logos are the properties of Hikvision in various jurisdictions. Other trademarks and logos mentioned below are the properties of their respective owners.

Contact Information

No. 555 Qianmo Road, Binjiang District, Hangzhou 310052, China
Tel: +86-571-8807-5998
Fax: +86-571-8993-5635
Email: overseasbusiness@hikvision.com; sales@hikvision.com
Technical Support: support@hikvision.com
HSRC (Hikvision Security Response Center) Email: HSRC@hikvision.com

Table of Contents

Introduction
  Passwords
  What is a firewall?
Standard Configuration
  Activate the device by setting a strong password
  System restoring and upgrading
  Enable encryption
  User access control
  Disable UPnP
  Disable QoS
  Disable multicast video
  Set IP address filter
  Lock illegal login IP address
  Disable SSH
  Choose SNMP V3
  Firewall setup on router
  Port forwarding
Conclusion

Introduction

Hikvision network devices, like any other network devices, may be exposed to cybersecurity risks. To protect the network from the risk, Hikvision takes measures such as disabling the Telnet and FTP interface, and adopting the security activation mechanism.

Note: This document is written as a general guideline. Measures should be taken into consideration depending on the application scenarios.

Passwords

How to create a strong password? We all know the common guidelines for choosing a strong password:

• Include numbers, symbols, upper case and lower case letters.
• Password should be more than eight characters long.
• Avoid any password based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, or biographical information (birthday).

The Password Phrase Method: The phrase method is an easy way to remember complicated passwords that are hard to crack. Use the Password Phrase Method:

• Choose a phrase that has numbers.
• Use only the first letter in each word.
• Use the proper case for each letter, just as it appears in the phrase.
• Use actual numbers whenever possible. Use "2" for "two" or "to" and "4" for "four" or "for."
• Include punctuation.

Let's take the following phrase as an example: "My flight to New York will leave at three in the afternoon!" Using the Password Phrase method explained above, the password becomes: "MftNYwla3ita!"
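As an added example (not code from the guide or from Hikvision), the following Python applies the Password Phrase Method mechanically and then checks the result against the guidelines listed above: character classes, length, repeated characters and letter or number sequences. The guide's own worked answer keeps "t" for "to"; applying the "2 for two or to" rule literally to the same phrase gives "Mf2NYwla3ita!", which is what this code produces. The NUMBER_WORDS entries other than "two/to" and "four/for" are an assumption that extends the guide's rule in the same spirit.

```python
import re
import string

# Number words the phrase method turns into digits. The guide gives "two"/"to" -> 2
# and "four"/"for" -> 4; the remaining entries are an assumption extending that idea.
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "to": "2", "three": "3",
    "four": "4", "for": "4", "five": "5", "six": "6", "seven": "7",
    "eight": "8", "nine": "9",
}

# The sample phrase used by the guide.
EXAMPLE_PHRASE = "My flight to New York will leave at three in the afternoon!"


def phrase_to_password(phrase: str) -> str:
    """Password Phrase Method: keep the first letter of each word in its original case,
    replace number words with digits, keep digits and punctuation exactly as written."""
    out = []
    # Tokenise into words/numbers and single punctuation marks, preserving order.
    for token in re.findall(r"[A-Za-z0-9]+|[^\sA-Za-z0-9]", phrase):
        if token.isalpha():
            out.append(NUMBER_WORDS.get(token.lower(), token[0]))
        else:
            out.append(token)  # a digit already in the phrase, or punctuation
    return "".join(out)


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive alphanumerics step by +1 or -1 (e.g. abcd, 4321)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if not window.isalnum():
            continue
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str, min_len: int = 8, min_classes: int = 3) -> list:
    """Return the list of guideline violations; an empty list means the password passes.
    Thresholds follow the guide's STRONG PASSWORD box: at least eight characters drawn
    from at least three of upper case, lower case, digits and special characters."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    if classes < min_classes:
        problems.append(f"uses only {classes} of 4 character classes")
    if re.search(r"(.)\1\1", pw):
        problems.append("repeats a character three or more times in a row")
    if has_sequence(pw):
        problems.append("contains a letter or number sequence")
    return problems


if __name__ == "__main__":
    derived = phrase_to_password(EXAMPLE_PHRASE)
    print(derived, check_password(derived) or "passes the guidelines")
    for weak in ("password", "Abcd1234!", "Aaaa1111!"):
        print(weak, check_password(weak))
```

The checker only enforces the rules the guide states; it does not test for dictionary words or personal information, which need a word list and context the device cannot supply, so those remain the user's responsibility when choosing the phrase.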

Some general password/security tips

• Avoid using dictionary words in any language.
• Avoid sequences or repeated characters.
• Change your password on a schedule.
• Do not allow Internet Explorer to store passwords.
• Do not type passwords on computers that you do not control.
• Never provide your password via email.
• Never respond to an email asking for personal information. (Banks will never ask you for your personal information in an email.)
• Patch and update the software you use on a regular basis.
• Use caution when opening email attachments.
• Limit the amount of personal information you post about yourself.

What is a firewall?

The short answer is this: A firewall intercepts all communications between you and the Internet, and decides if the information is allowed to pass through to you. Most firewalls, by default, will block all traffic both in and out. This is what we call "Deny all by Default." In this default state, it is as if your computer is not even connected to the Internet. While this is a very safe state to be in, it is not very useful. So, we have to create a set of rules to tell the firewall what we consider safe. Everything else is, by default, considered not safe. As you create rules to allow traffic in and out, you are creating tiny holes in your firewall for the traffic to flow through. That is why many Internet users call creating rules "pinholing your firewall." The more pinholes you create in your firewall, the less secure your network becomes. You should only create as many pinholes, or rules, as you need.

Standard Configuration

This is the standard configuration for homes, offices or small businesses. Configurations will be different based on the network and the size of the system you are installing. This is the minimum recommended for a small monitoring system.

Activate the device by setting a strong password

You are required to activate the device first by setting a strong password for it before you can use the device.

Activation via web browser, activation via SADP, and activation via client software are all supported.

Activate via web browser

Steps:

1. Power on the device, and connect the device to the network.
2. Input the IP address into the address bar of the web browser, and click Enter to enter the activation interface.

Notes:

• The default IP address of the device is 192.168.1.64.
• The device enables DHCP by default, so the IP address is allocated automatically. It is then necessary to activate the device via SADP software. Please refer to the following chapter for activation via SADP.

3. Create a password and input the password into the password field.
4. Confirm the password.
5. Click OK to save the password and enter the live view interface.

Activate via SADP software

SADP software is used for detecting the online device, activating the device, and resetting the password.

Get the SADP software from the supplied disk or the official website, and install the SADP according to the prompts. Follow the steps to activate the device.

Steps:

1. Run the SADP software to search the online devices.
2. Check the device status from the device list, and select the inactive device.
3. Create a password and input the password in the password field, and confirm the password.
4. Click OK to save the password.

You can check whether the activation is completed on the popup window. If activation failed, please make sure that the password meets the requirement and try again.

5. Change the device IP address to the same subnet with your computer by either modifying the IP address manually or checking the checkbox of Enable DHCP.
6. Input the password and click the Save button to activate your IP address modification.

STRONG PASSWORD RECOMMENDED – We highly recommend you create a strong password of your own choosing (using a minimum of eight characters, including at least three of the following categories: upper case letters, lower case letters, numbers, and special characters) in order to increase the security of your product. And we recommend you reset your password regularly. Resetting the password monthly or weekly can better protect your product.

Activate via client software

The client software is versatile video management software for multiple kinds of devices.

Get the client software from the supplied disk or the official website, and install the software according to the prompts. Follow the steps to activate the device.

Steps:

1. Run the client software and the control panel of the software pops up, as shown in the figure below.
2. Click the Device Management icon to enter the Device Management interface, as shown in the figure below.
3. Check the device status from the device list, and select an inactive device.
4. Click the Activate button to pop up the Activation interface.
5. Create a password and input the password in the password field, and confirm the password.
6. Click the OK button to start activation.
7. Click the Modify Netinfo button to pop up the Network Parameter Modification interface, as shown in the figure below.
8. Change the device IP address to the same subnet with your computer by either modifying the IP address manually or checking the checkbox of Enable DHCP.
9. Input the password to activate your IP address modification.

System restoring and upgrading

Firmware is the software that enables and controls the functionality of network devices. Always use the latest firmware so that you get all possible security updates and bug fixes.

Check the current firmware

Check the current firmware version in page: Configuration > Maintenance > Upgrade & Maintenance

Upgrade the device to a certain version

Steps:

1. Select Firmware or Firmware Directory to locate the upgrade file.
   Firmware: Locate the exact path of the upgrade file.
   Firmware Directory: Only the directory the upgrade file belongs to is required.
2. Click Browse to select the local upgrade file and then click Upgrade to start remote upgrade.

Note: The upgrading process will take 1 to 10 minutes. Please don't disconnect power of the device during the process. The device reboots automatically after upgrade.

Restore default settings

If you are not sure what has been changed on the device, you can always reset it to the default settings to put it in a known state.

Steps:

Enter the Maintenance interface: Configuration > System > Maintenance > Upgrade & Maintenance.

• Restore: Reset all the parameters, except the IP parameters and user information, to the default settings.
• Default: Restore all the parameters to the factory default.

Note: After restoring the default settings, the IP address is also restored to the default IP address; please be careful with this action.

Configure basic network settings

Steps:

1. Go to Configuration > Network > Basic Settings > TCP/IP.
2. Specify the IP address, subnet mask and Default Gateway.
3. Save parameters.

Enable encryption

HTTPS provides authentication of the website and its associated web server, which protects against man-in-the-middle attacks. Perform the following steps to set the port number of HTTPS.

E.g., if you set the port number as 443 and the IP address is 192.168.1.64, you may access the device by inputting https://192.168.1.64:443 via the web browser.

Steps:

1. Enter the HTTPS settings interface: Configuration > Network > Advanced Settings > HTTPS.
2. Check the checkbox of Enable to enable the function.
3. Create the self-signed certificate or authorized certificate.

• Create the self-signed certificate
  (1) Select Create Self-signed Certificate as the Installation Method.
  (2) Click the Create button to enter the creation interface.
  (3) Enter the country, hostname/IP, validity and other information.
  (4) Click OK to save the settings.

Note: If you already had a certificate installed, the Create Self-signed Certificate is grayed out.

• Create the authorized certificate
  (1) Select Create the certificate request first and continue the installation as the Installation Method.
  (2) Click the Create button to create the certificate request. Fill in the required information in the popup window.
  (3) Download the certificate request and submit it to the trusted certificate authority for signature.
  (4) After receiving the signed valid certificate, import the certificate to the device.

4. There will be the certificate information after you successfully create and install the certificate.
5. Click the Save button to save the settings.

User access control

Set permission level to users

When you add and modify user settings, you can set the permission level for each user to set limitations on the device control.

Steps:

1. Go to Configuration > System > User Management.

(Figure: User Management Interface)

2. Click Add or Modify to add a user or modify a user.
3. Set User Name, Level and Password.
4. Check or uncheck the permissions.
5. Click OK to finish the user addition.

Disable UPnP

Universal Plug and Play (UPnP™) is a networking architecture that provides compatibility among networking equipment, software and other hardware devices. The UPnP protocol allows devices to connect seamlessly and to simplify the implementation of networks in the home and corporate environments. If the device is not connected to a hosted video service, disable UPnP.

Steps:

1. Go to Configuration > Network > Basic Settings > NAT.
2. Uncheck the checkbox to disable the UPnP™ function.

Disable QoS

QoS is suggested to be disabled if Quality of Service is not being used.

Steps:

1. Go to Configuration > Network > Advanced Settings > QoS
2. To disable QoS, enter the value zero in the QoS DSCP Settings fields.

Disable multicast video

If multicast is not being used, it should be disabled.

Steps:

1. Go to Configuration > Network > Basic Settings > TCP/IP
2. Clear Enable Multicast Discovery
3. Click Save

Set IP address filter

Enabling IP filtering for authorized clients will prevent the device from being accessed by any other unauthorized clients.

Steps:

1. Go to Configuration > System > Security > IP Address Filter
2. Check the checkbox of Enable IP Address Filter.
3. Select the type of IP Address Filter in the drop-down list; Forbidden and Allowed are selectable.
4. Set the IP Address Filter list.
   (1) Click Add to add an IP.
   (2) Input the IP Address.
   (3) Click OK to finish adding.
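The two filter types described above, together with the "deny all by default" idea from the firewall section, modelled in Python as an added example (not code from the guide or from Hikvision). In Allowed mode only listed sources reach the device and everything else is refused; in Forbidden mode listed sources are refused and everything else passes. The device's list holds single IP addresses; accepting CIDR networks as well is an extension assumed for this example, not a documented device option, and the connection records are constructed.

```python
import ipaddress
from typing import Iterable

# Constructed sample of connection attempts to the device (source IP, requested path).
# Not taken from any real device log.
SAMPLE_CONNECTIONS = [
    ("192.168.1.10", "/login"),   # the administrator's workstation
    ("192.168.1.10", "/stream"),
    ("192.168.1.77", "/login"),   # another host on the LAN
    ("203.0.113.5", "/login"),    # a host outside the LAN
]


class IPAddressFilter:
    """Model of the guide's IP Address Filter.

    Allowed mode: only listed sources get in (deny all by default, as in the firewall
    section). Forbidden mode: listed sources are blocked and everything else gets in.
    The device's list holds single addresses; accepting CIDR networks here is an
    extension for the example, not a documented device feature.
    """

    def __init__(self, mode: str, entries: Iterable[str]):
        if mode not in ("Allowed", "Forbidden"):
            raise ValueError("mode must be 'Allowed' or 'Forbidden'")
        self.mode = mode
        # ip_network turns a bare address such as "192.168.1.10" into a /32 network.
        self.entries = [ipaddress.ip_network(e, strict=False) for e in entries]

    def listed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.entries)

    def permits(self, ip: str) -> bool:
        hit = self.listed(ip)
        return hit if self.mode == "Allowed" else not hit


def evaluate(ip_filter: IPAddressFilter, connections) -> dict:
    """Sort a batch of (ip, path) connection records into allowed and denied source IPs."""
    result = {"allowed": [], "denied": []}
    for ip, _path in connections:
        result["allowed" if ip_filter.permits(ip) else "denied"].append(ip)
    return result


if __name__ == "__main__":
    allow_only_admin = IPAddressFilter("Allowed", ["192.168.1.10"])
    print("Allowed list:", evaluate(allow_only_admin, SAMPLE_CONNECTIONS))
    block_outsider = IPAddressFilter("Forbidden", ["203.0.113.5"])
    print("Forbidden list:", evaluate(block_outsider, SAMPLE_CONNECTIONS))
    # An empty Allowed list denies everyone, including the administrator.
    print("Empty Allowed list admits admin?", IPAddressFilter("Allowed", []).permits("192.168.1.10"))
```

The last line in the main block shows the operational caveat: an Allowed list that does not contain the workstation you manage the device from locks you out of the web interface, so add that address to the list before enabling the filter.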

Lock illegal login IP address

The IP address will be locked if the admin user performs seven failed username/password attempts (five times for the operator/user).

Steps:

1. Go to Configuration > System > Security > Security Service.
2. Check the checkbox of Enable Illegal Login Lock, and then the IP address will be locked if the admin user performs seven failed username/password attempts (five times for the operator/user).

Note: If the IP address is locked, you can try to log in to the device only after 30 minutes.
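The lock described above, modelled in Python as an added example (not code from the guide or from Hikvision) and replayed over constructed login records, which also makes it usable as a detection rule over an exported device log. The guide states only the thresholds (seven failures for admin, five for operator/user) and the 30-minute wait; that a successful login resets the count, that a correct password is refused while the lock is active, and that the record layout "timestamp ip user role result" exists are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Thresholds stated in the guide: seven failed attempts for admin, five for operator/user,
# after which the source IP is locked for 30 minutes.
FAILURE_LIMITS = {"admin": 7, "operator": 5, "user": 5}
LOCK_DURATION = timedelta(minutes=30)

# Constructed login records in the form "timestamp source-ip username role result".
# This layout is invented for the example, not a real device export format.
SAMPLE_LOG = "\n".join([
    "2017-06-01T09:00:00 203.0.113.9 admin admin FAIL",
    "2017-06-01T09:00:10 203.0.113.9 admin admin FAIL",
    "2017-06-01T09:00:20 203.0.113.9 admin admin FAIL",
    "2017-06-01T09:00:30 203.0.113.9 admin admin FAIL",
    "2017-06-01T09:00:40 203.0.113.9 admin admin FAIL",
    "2017-06-01T09:00:50 203.0.113.9 admin admin FAIL",
    "2017-06-01T09:01:00 203.0.113.9 admin admin FAIL",    # seventh failure: IP locked
    "2017-06-01T09:02:00 192.168.1.10 op1 operator FAIL",  # a single typo by the operator
    "2017-06-01T09:02:05 192.168.1.10 op1 operator OK",
    "2017-06-01T09:05:00 203.0.113.9 admin admin OK",      # correct password, still locked
    "2017-06-01T09:31:01 203.0.113.9 admin admin OK",      # lock has expired after 30 min
])


class IllegalLoginLock:
    """Model of the device's Illegal Login Lock: count failed logins per source IP and lock
    that IP for LOCK_DURATION once the role's limit is reached."""

    def __init__(self):
        self.failures = {}      # ip -> consecutive failure count
        self.locked_until = {}  # ip -> datetime at which the lock expires

    def is_locked(self, ip: str, now: datetime) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:  # lock expired: forget the IP's history (assumption)
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip: str, role: str, success: bool, now: datetime) -> str:
        """Record one login attempt and return 'locked', 'failed' or 'ok'."""
        if self.is_locked(ip, now):
            return "locked"  # while locked, even a correct password is refused (assumption)
        if success:
            self.failures.pop(ip, None)  # a success resets the failure count (assumption)
            return "ok"
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if count >= FAILURE_LIMITS[role]:
            self.locked_until[ip] = now + LOCK_DURATION
            return "locked"
        return "failed"


def replay(log: str) -> list:
    """Feed login records through the model; return (ip, verdict) for each record."""
    lock = IllegalLoginLock()
    verdicts = []
    for line in log.splitlines():
        ts, ip, _user, role, result = line.split()
        verdicts.append((ip, lock.attempt(ip, role, result == "OK", datetime.fromisoformat(ts))))
    return verdicts


def locked_sources(log: str) -> list:
    """Detection view: the source IPs that triggered a lock, for alerting or review."""
    return sorted({ip for ip, verdict in replay(log) if verdict == "locked"})


if __name__ == "__main__":
    for ip, verdict in replay(SAMPLE_LOG):
        print(ip, verdict)
    print("locked sources:", locked_sources(SAMPLE_LOG))
```

Note that the lock is keyed on the source IP, so a legitimate operator behind the same NAT address as a lock-triggering client is also locked out for the 30 minutes; the replay output makes that shared-address effect visible before it happens in production.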

Disable SSH

Hikvision's devices support Secure Shell (SSH), which is disabled by default. Make sure it is disabled by checking the security service configuration interface: Configuration > System > Security > Security Service.

Note: For devices without this configuration interface, SSH is disabled by default.

Choose SNMP V3

Steps:

1. Go to Configuration > Network > Advanced Settings > SNMP.
2. Check the checkbox of Enable SNMPv1, Enable SNMPv2c, or Enable SNMPv3 to enable the corresponding version.
3. Configure the SNMP settings.

Note: The settings of the SNMP software should be the same as the settings you configure here.

4. Click Save to save and finish the settings.

Notes:

• A reboot is required for the settings to take effect.
• To lower the risk of information leakage, you are suggested to enable SNMPv3 instead of SNMP v1 or v2.

Firewall setup on router

Please keep in mind that all firewall setups are different. The examples below are intended to give a general example and overview of what ports should be set up in a firewall.

Setup:

1. Go to your router IP address
2. Log in to your router
3. Go to the port forwarding section

Find the section that mentions protocols, internal and external ports, and a destination IP address or Server IP address, such as this:

Port forwarding

Port forwarding should only be used when devices need to be accessed via the Internet. To ensure proper security configuration, please carefully follow the instructions below:

1. Minimize the port numbers exposed to the Internet. Port forwarding should only be configured when absolutely necessary. For example, to use the web service, only port 443 should be forwarded.
2. Avoid common ports and reconfigure them to customized ports. For example, port 80 is commonly used for HTTP. It is recommended that the user change to a customized port on the device other than port 80 for the designated service, following the TCP/IP port rule (1 – 65535).

Create a port forwarding rule

Ports that Hikvision uses (you can change these ports to anything you want):

• 80 Web Port
• 443 Secure Web Port
• 8000, 10554 for IVMS application

To create the port forwarding rule, firstly set a name for the rule. It's just a reminder of what type of service you are forwarding the port for.

In "protocol," select TCP, UDP, or Both depending on which application(s) need port forwarding. For instance, you may need both TCP and UDP protocols forwarded. Some routers only have a TCP or a UDP option, not both. On those routers, if both protocols are needed, two rules must be created, one for TCP and one for UDP.

The external and destination port will be the same. Because some lower-numbered ports are being used by the system by default, or by specific applications, it's best to choose a port between 50000 and 65535.

Finally, on the destination IP address, select the static IP previously chosen for the PC.

After that, save the new rule.

On most routers, port forwarding activates immediately. Some routers, though, need a reboot to apply the rule.

Check Port Forwarding

To make sure that Port Forwarding works correctly, use one of the multiple free services on the Internet.

First, ensure that the program or device that needs port forwarding is up and running, and uses the proper port.

Then, navigate to canyouseeme.org

Add the proper port and select "Check Port."

This is a free utility for remotely verifying if a port is open or closed. It is useful to users who wish to verify port forwarding and check to see if a server is running or to determine if a firewall or ISP is blocking certain ports.

Can two devices on the same LAN use the same port forwarding?

Port forwarding is set up on a unique IP address, and you can't set up a rule for the same port with two or more IP addresses.

To set up the same program on two different devices, it is necessary to create two rules for two separate ports, one for each device.
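As an added example (not code from the guide or from Hikvision), the following Python lints a router's port-forwarding table against the rules set out in the port forwarding section and the question above: ports must lie in the TCP/IP range 1–65535, port 80 (plain HTTP) should not be exposed, the default Hikvision ports 8000 and 10554 should be moved to a custom port in the 50000–65535 range, and one external port cannot be forwarded to two destination IPs. The rule table and its field names are constructed for this example and do not follow any particular router's configuration format.

```python
from collections import defaultdict

# Ports the guide lists as Hikvision defaults.
HIKVISION_DEFAULT_PORTS = {80: "Web Port", 443: "Secure Web Port", 8000: "IVMS", 10554: "IVMS"}
CUSTOM_RANGE = (50000, 65535)  # the guide's recommended range for exposed ports

# Constructed example of a router's port-forwarding table. Field names and values are
# assumptions for this example, not any router's real configuration.
SAMPLE_RULES = [
    {"name": "cam-https",  "protocol": "TCP", "external": 443,   "dest": "192.168.1.64"},
    {"name": "cam-http",   "protocol": "TCP", "external": 80,    "dest": "192.168.1.64"},
    {"name": "nvr-https",  "protocol": "TCP", "external": 443,   "dest": "192.168.1.65"},
    {"name": "nvr-client", "protocol": "TCP", "external": 8000,  "dest": "192.168.1.65"},
    {"name": "nvr-rtsp",   "protocol": "TCP", "external": 50554, "dest": "192.168.1.65"},
    {"name": "bad-port",   "protocol": "UDP", "external": 70000, "dest": "192.168.1.66"},
]


def lint_port_forwards(rules) -> list:
    """Check a port-forwarding table against the guide's recommendations and return
    (rule name, message) findings. An empty list means nothing to report."""
    findings = []
    owners = defaultdict(set)  # (protocol, external port) -> destination IPs using it
    for r in rules:
        name, proto, ext = r["name"], r["protocol"].upper(), r["external"]
        if not 1 <= ext <= 65535:
            findings.append((name, "external port outside the TCP/IP range 1-65535"))
            continue
        owners[(proto, ext)].add(r["dest"])
        if ext == 80:
            findings.append((name, "forwards port 80 (plain HTTP); expose only HTTPS (443)"))
        elif ext in HIKVISION_DEFAULT_PORTS and ext != 443:
            findings.append((name, f"exposes default {HIKVISION_DEFAULT_PORTS[ext]} port {ext}; "
                                   f"move the service to a custom port in "
                                   f"{CUSTOM_RANGE[0]}-{CUSTOM_RANGE[1]}"))
    # One external port can only reach one destination IP; a second mapping is ineffective.
    for (proto, ext), dests in owners.items():
        if len(dests) > 1:
            findings.append((f"{proto}/{ext}", "one external port cannot be forwarded to two "
                                               "destination IPs; give each device its own port"))
    return findings


if __name__ == "__main__":
    for rule_name, message in lint_port_forwards(SAMPLE_RULES):
        print(f"{rule_name}: {message}")
```

Run it over the rule table before exposing a device; the duplicate-mapping finding is the one the router will not warn you about itself, since most simply keep whichever rule it processes first.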

Conclusion

This hardening guide is intended to be a living document and will be updated regularly to reflect the most up-to-date cybersecurity best practices. It is one of the many industry-leading cybersecurity resources provided by Hikvision. Please visit the Hikvision Security Center on our website http://www.hikvision.com/us/SecurityCenter_10636.html to learn about other available cybersecurity resources. If you have questions, please contact your Hikvision representative or contact Security.USA@hikvision.com