Network Security Hardening Guide
v1.2 June 2017
About This Document
This document provides information and explains measures that users can take to secure network devices to improve network security.
Trademarks Acknowledgement
Hikvision® and other Hikvision trademarks and logos are the properties of Hikvision in various jurisdictions. Other trademarks and logos mentioned below are the properties of their respective owners.
Contact Information
No. 555 Qianmo Road, Binjiang District, Hangzhou 310052, China
Tel: +86-571-8807-5998
Fax: +86-571-8993-5635
Email: [email protected]; [email protected]
Technical Support: [email protected]
HSRC (Hikvision Security Response Center) Email: [email protected]
Table of Contents
Introduction
  Passwords
  What is a firewall?
Standard Configuration
  Activate the device by setting a strong password
  System restoring and upgrading
  Enable encryption
  User access control
  Disable UPnP
  Disable QoS
  Disable multicast video
  Set IP address filter
  Lock illegal login IP address
  Disable SSH
  Choose SNMP V3
  Firewall setup on router
  Port forwarding
Conclusion
Introduction
Hikvision network devices, like any other network devices, may be exposed to cybersecurity risks. To protect the network from the risk, Hikvision takes measures such as disabling the Telnet and FTP interface, and adopting the security activation mechanism.
Note: This document is written as a general guideline. Measures should be taken into consideration depending on the application scenarios.
Passwords
How to create a strong password? We all know the common guidelines for choosing a strong password:
• Include numbers, symbols, uppercase and lowercase letters.
• Password should be more than eight characters long.
• Avoid any password based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, or biographical information (birthday).
The Password Phrase Method: The phrase method is an easy way to remember complicated passwords that are hard to crack. Use the Password Phrase Method:
• Choose a phrase that has numbers.
• Use only the first letter in each word.
• Use the proper case for each letter, just as it appears in the phrase.
• Use actual numbers whenever possible. Use "2" for "two" or "to" and "4" for "four" or "for."
• Include punctuation.
Let's take the following phrase as an example: "My flight to New York will leave at three in the afternoon!" Using the Password Phrase method explained above, the password becomes: "MftNYwla3ita!"
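The Password Phrase Method and the guide's strong-password rule (at least eight characters from at least three of four character categories), as an added example that is not part of the Hikvision guide. It follows the guide's own worked example, which keeps the "t" of "to", so only spelled-out number words are replaced by digits (an assumption taken from that example); the function names are hypothetical.

```python
"""Added example (not part of the Hikvision guide): the Password Phrase
Method from this section plus the guide's strong-password rule (minimum
eight characters, at least three of four character categories)."""
import string

# Number words turned into digits, following "use actual numbers whenever
# possible". The guide's own example keeps "t" for "to", so plain words
# such as "to"/"for" are not mapped (assumption based on that example).
NUMBER_WORDS = {"one": "1", "two": "2", "three": "3", "four": "4", "five": "5",
                "six": "6", "seven": "7", "eight": "8", "nine": "9", "zero": "0"}


def phrase_to_password(phrase):
    """First letter of each word, original case, digits for number words,
    punctuation kept in place."""
    out = []
    for token in phrase.split():
        word = token.rstrip(string.punctuation)   # "afternoon!" -> "afternoon"
        punct = token[len(word):]                  # keep the "!"
        if word:
            out.append(NUMBER_WORDS.get(word.lower(), word[0]))
        out.append(punct)
    return "".join(out)


def meets_policy(password, min_len=8, min_categories=3):
    """STRONG PASSWORD RECOMMENDED box: >= 8 chars and >= 3 categories."""
    if len(password) < min_len:
        return False
    categories = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(categories) >= min_categories


def weak_reasons(password):
    """Which of the general tips a candidate violates: repetition and
    letter/number sequences (dictionary words are out of scope here)."""
    reasons = []
    low = password.lower()
    if any(low[i] == low[i + 1] == low[i + 2] for i in range(len(low) - 2)):
        reasons.append("repeated characters")
    runs = [string.digits, string.ascii_lowercase]
    if any(run[i:i + 4] in low for run in runs for i in range(len(run) - 3)):
        reasons.append("sequence")
    return reasons
```

Running `phrase_to_password` on the guide's sentence reproduces "MftNYwla3ita!", which passes `meets_policy` and raises no `weak_reasons`.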
Some general password/security tips
• Avoid using dictionary words in any language.
• Avoid sequences or repeated characters.
• Change your password on a schedule.
• Do not allow Internet Explorer to store passwords.
• Do not type passwords on computers that you do not control.
• Never provide your password via email.
• Never respond to an email asking for personal information. (Banks will never ask you for your personal information in an email.)
• Patch and update the software you use on a regular basis.
• Use caution when opening email attachments.
• Limit the amount of personal information you post about yourself.
What is a firewall?
The short answer is this: A firewall intercepts all communications between you and the Internet, and decides if the information is allowed to pass through to you. Most firewalls, by default, will block all traffic both in and out. This is what we call "Deny all by Default." In this default state, it is as if your computer is not even connected to the Internet. While this is a very safe state to be in, it is not very useful. So, we have to create a set of rules to tell the firewall what we consider safe. Everything else is, by default, considered not safe. As you create rules to allow traffic in and out, you are creating tiny holes in your firewall for the traffic to flow through. That is why many Internet users call creating rules "pinholing your firewall." The more pinholes you create in your firewall, the less secure your network becomes. You should only create as many pinholes, or rules, as you need.
Standard Configuration
This is the standard configuration for homes, office or small business. Configurations will be different based on the network and the size of the system you are installing. This is the minimum recommended for a small monitoring system.
Activate the device by setting a strong password
You are required to activate the device first by setting a strong password for it before you can use the device.
Activation via web browser, Activation via SADP, and Activation via client software are all supported.
Activate via web browser
Steps:
1. Power on the device, and connect the device to the network.
2. Input the IP address into the address bar of the web browser, and press Enter to enter the activation interface.
Notes:
• The default IP address of the device is 192.168.1.64.
• The device enables DHCP by default, so the IP address is allocated automatically. In that case it is necessary to activate the device via the SADP software. Please refer to the following chapter for Activation via SADP.
3. Create a password and input the password into the password field.
4. Confirm the password.
5. Click OK to save the password and enter the live view interface.
Activate via SADP software
SADP software is used for detecting the online device, activating the device, and resetting the password.
Get the SADP software from the supplied disk or the official website, and install the SADP according to the prompts. Follow the steps to activate the device.
Steps:
1. Run the SADP software to search the online devices.
2. Check the device status from the device list, and select the inactive device.
STRONG PASSWORD RECOMMENDED – We highly recommend you create a strong password of your own choosing (using a minimum of eight characters, including at least three of the following categories: upper case letters, lower case letters, numbers, and special characters) in order to increase the security of your product. And we recommend you reset your password regularly. Resetting the password monthly or weekly can better protect your product.
3. Create a password and input the password in the password field, and confirm the password.
4. Click OK to save the password.
You can check whether the activation is completed on the popup window. If activation failed, please make sure that the password meets the requirement and try again.
5. Change the device IP address to the same subnet with your computer by either modifying the IP address manually or checking the checkbox of Enable DHCP.
6. Input the password and click the Save button to activate your IP address modification.
Activate via client software
The client software is versatile video management software for multiple kinds of devices.
Get the client software from the supplied disk or the official website, and install the software according to the prompts. Follow the steps to activate the device.
Steps:
1. Run the client software and the control panel of the software pops up, as shown in the figure below.
2. Click the Device Management icon to enter the Device Management interface, as shown in the figure below.
3. Check the device status from the device list, and select an inactive device.
4. Click the Activate button to pop up the Activation interface.
5. Create a password and input the password in the password field, and confirm the password.
6. Click OK to save the password.
7. Click OK button to start activation.
8. Click the Modify Netinfo button to pop up the Network Parameter Modification interface, as shown in the figure below.
9. Change the device IP address to the same subnet with your computer by either modifying the IP address manually or checking the checkbox of Enable DHCP.
10. Input the password to activate your IP address modification.
System restoring and upgrading
Firmware is the software that enables and controls the functionality of network devices. Always use the latest firmware so that you get all possible security updates and bug fixes.
Check the current firmware
Check the current firmware version on the page: Configuration > Maintenance > Upgrade & Maintenance
Upgrade the device to a certain version
Steps:
1. Select Firmware or Firmware Directory to locate the upgrade file.
Firmware: Locate the exact path of the upgrade file.
Firmware Directory: Only the directory the upgrade file belongs to is required.
2. Click Browse to select the local upgrade file and then click Upgrade to start remote upgrade.
Note: The upgrading process will take 1 to 10 minutes. Please don't disconnect power of the device during the process. The device reboots automatically after upgrade.
Restore default settings
If you are not sure about what has been changed on the device, you can always set it to the default settings to put it in a known state.
Steps:
Enter the Maintenance interface: Configuration > System > Maintenance > Upgrade & Maintenance.
• Restore: Reset all the parameters, except the IP parameters and user information, to the default settings.
• Default: Restore all the parameters to the factory default.
Note: After restoring the default settings, the IP address is also restored to the default IP address, please be careful with this action.
Configure basic network settings
Steps:
1. Go to Configuration > Network > Basic Settings > TCP/IP.
2. Specify the IP address, subnet mask and Default Gateway.
3. Save parameters.
Enable encryption
HTTPS provides authentication of the website and its associated web server, which protects against man-in-the-middle attacks. Perform the following steps to set the port number of HTTPS.
For example, if you set the port number as 443 and the IP address is 192.168.1.64, you may access the device by inputting https://192.168.1.64:443 via the web browser.
Steps:
1. Enter the HTTPS settings interface: Configuration > Network > Advanced Settings > HTTPS.
2. Check the checkbox of Enable to enable the function.
3. Create the self-signed certificate or authorized certificate.
• Create the self-signed certificate
(1) Select Create Self-signed Certificate as the Installation Method.
(2) Click Create button to enter the creation interface.
(3) Enter the country, hostname/IP, validity and other information.
(4) Click OK to save the settings.
Note: If you already had a certificate installed, the Create Self-signed Certificate is grayed out.
• Create the authorized certificate
(1) Select Create the certificate request first and continue the installation as the Installation Method.
(2) Click Create button to create the certificate request. Fill in the required information in the popup window.
(3) Download the certificate request and submit it to the trusted certificate authority for signature.
(4) After receiving the signed valid certificate, import the certificate to the device.
4. The certificate information is displayed after you successfully create and install the certificate.
5. Click the Save button to save the settings.
User access control
Set permission level to users
When you add and modify user settings, you can set the permission level for each user to set limitations on the device control.
Steps:
1. Go to Configuration > System > User Management.
User Management Interface
2. Click Add or Modify to add a user or modify a user.
3. Set User Name, Level and Password.
4. Check or uncheck the permissions.
5. Click OK to finish the user addition.
Disable UPnP
Universal Plug and Play (UPnP™) is a networking architecture that provides compatibility among networking equipment, software and other hardware devices. The UPnP protocol allows devices to connect seamlessly and to simplify the implementation of networks in the home and corporate environments. If the device is not connected to a hosted video service, disable UPnP.
Steps:
1. Go to Configuration > Network > Basic Settings > NAT.
2. Uncheck the checkbox to disable the UPnP™ function.
Disable QoS
QoS is suggested to be disabled, if Quality of Service is not being used.
Steps:
1. Go to Configuration > Network > Advanced Settings > QoS
2. To disable QoS, enter the value zero in the QoS DSCP Settings fields.
Disable multicast video
If multicast is not being used, it should be disabled.
Steps:
1. Go to Configuration > Network > Basic Settings > TCP/IP
2. Clear Enable Multicast Discovery
3. Click Save
Set IP address filter
Enabling IP filtering for authorized clients will prevent the device from being accessed by any other unauthorized clients.
Steps:
1. Go to Configuration > System > Security > IP Address Filter
2. Check the checkbox of Enable IP Address Filter.
3. Select the type of IP Address Filter in the drop-down list; Forbidden and Allowed are selectable.
4. Set the IP Address Filter list.
Steps:
(1) Click Add to add an IP.
(2) Input the IP Address.
(3) Click OK to finish adding.
Lock illegal login IP address
The IP address will be locked if the admin user performs seven failed username/password attempts (five times for the operator/user).
1. Go to Configuration > System > Security > Security Service.
2. Check the checkbox of Enable Illegal Login Lock, and then the IP address will be locked if the admin user performs seven failed username/password attempts (five times for the operator/user).
Note: If the IP address is locked, you can try to log in to the device only after 30 minutes.
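A model of the Illegal Login Lock behaviour described above, as an added example that is not part of the Hikvision guide or its firmware: it applies the guide's thresholds (seven failed attempts for admin, five for operator/user) and the 30-minute lock to a stream of login events, which is useful when reasoning about lockout or mirroring it in a log monitor. The class and function names, and the replayed events, are constructed for illustration.

```python
"""Added example (not part of the Hikvision guide): a model of the
Illegal Login Lock described above. Thresholds and the 30-minute lock come
from the guide; the class, field and event names are hypothetical."""
from collections import defaultdict

LOCK_SECONDS = 30 * 60                 # guide: locked for 30 minutes
THRESHOLDS = {"admin": 7}              # seven failed attempts for admin
DEFAULT_THRESHOLD = 5                  # five for operator/user accounts


class IllegalLoginLock:
    """Tracks consecutive failed username/password attempts per source IP."""

    def __init__(self):
        self.failures = defaultdict(int)   # ip -> consecutive failures
        self.locked_until = {}             # ip -> unlock time (seconds)

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                   # lock expired: clear state
            del self.locked_until[ip]
            self.failures[ip] = 0
            return False
        return True

    def attempt(self, ip, role, success, now):
        """Record one login attempt; return True if the IP is now locked."""
        if self.is_locked(ip, now):
            return True                    # attempts while locked are refused
        if success:
            self.failures[ip] = 0          # a good login resets the counter
            return False
        self.failures[ip] += 1
        limit = THRESHOLDS.get(role, DEFAULT_THRESHOLD)
        if self.failures[ip] >= limit:
            self.locked_until[ip] = now + LOCK_SECONDS
            return True
        return False


def replay(events):
    """Feed constructed (time, ip, role, ok) events; return IPs locked at the end."""
    lock = IllegalLoginLock()
    last = 0
    for t, ip, role, ok in events:
        lock.attempt(ip, role, ok, t)
        last = t
    return sorted(ip for ip in list(lock.locked_until) if lock.is_locked(ip, last))
```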
Disable SSH
Hikvision's devices support Secure Shell, which is disabled by default. Make sure it is disabled by checking the security service configuration interface: Configuration > System > Security > Security Service.
Note: For devices without this configuration interface, SSH is disabled by default.
Choose SNMP V3
Steps:
1. Go to Configuration > Network > Advanced Settings > SNMP.
2. Check the checkbox of Enable SNMPv1, Enable SNMPv2c, Enable SNMPv3 to enable the feature correspondingly.
3. Configure the SNMP settings.
Note: The settings of the SNMP software should be the same as the settings you configure here.
4. Click Save to save and finish the settings.
Notes:
• A reboot is required for the settings to take effect.
• To lower the risk of information leakage, you are suggested to enable SNMPv3 instead of SNMP v1 or v2.
Firewall setup on router
Please keep in mind that all firewall setups are different. The examples below are intended to give a general example and overview of what ports should be set up in a firewall.
Setup:
1. Go to your router IP address
2. Log in to your router
3. Go to the port forwarding section
Find the section that mentions protocols, internal and external ports, and a destination IP address or Server IP address, such as this:
Port forwarding
Port forwarding should only be used when devices need to be accessed via the Internet. To ensure proper security configuration, please carefully follow the instructions below:
1. Minimize the port numbers exposed to the Internet. Port forwarding should only be configured when absolutely necessary. For example, to use web service, only port 443 should be forwarded.
2. Avoid common ports and reconfigure them to customized ports. For example, port 80 is commonly used for HTTP. It is recommended that the user change to a customized port on the device other than port 80 for the designated service, following the TCP/IP port rule (1 – 65535).
Create a port forwarding rule
Ports that Hikvision uses; you can change these ports to anything you want.
• 80 Web Port
• 443 Secure Web Port
• 8000, 10554 for IVMS application
To create the port forwarding rule, firstly set a name for the rule. It's just a reminder of what type of service you are forwarding the port for.
In "protocol," select TCP, UDP, or Both depending on which application(s) need port forwarding. For instance, an application may need both TCP and UDP forwarding. Some routers only have a TCP or a UDP option, not both. On those routers, if both protocols are needed, two rules must be created, one for TCP and one for UDP.
The external and destination port will be the same. Because some lower-numbered ports are being used by the system by default, or by specific applications, it's best to choose a port between 50000 and 65535.
Finally, on the destination IP address, select the static IP previously chosen for the PC.
After that, save the new rule.
On most routers, port forwarding activates immediately. Some routers, though, need a reboot to apply the rule.
Check Port Forwarding
To make sure that Port Forwarding works correctly, use one of the multiple free services on the Internet.
First, ensure that the program or device that needs port forwarding is up and running, and uses the proper port.
Then, navigate to canyouseeme.org
Add the proper port and select "Check Port."
This is a free utility for remotely verifying if a port is open or closed. It is useful to users who wish to verify port forwarding and check to see if a server is running or to determine if a firewall or ISP is blocking certain ports.
Can two devices on the same LAN use the same port forwarding?
Port forwarding is set up on a unique IP address, and you can't set up a rule for the same port with two or more IP addresses.
To set up the same program on two different devices, it is necessary to create two rules for two separate ports, one for each device.
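A checker for a planned set of router port-forwarding rules against the advice in the Port forwarding section (customized ports instead of the listed defaults, external and destination port equal, the 50000-65535 range, one TCP and one UDP rule where the router lacks "Both", and no external port shared by two LAN IPs), as an added example that is not part of the Hikvision guide. The rule fields, function names and sample rules are constructed for illustration.

```python
"""Added example (not part of the Hikvision guide): checks a planned set
of router port-forwarding rules against the advice in this section. Rule
fields and the sample rules are constructed for illustration."""

HIKVISION_DEFAULT_PORTS = {80, 443, 8000, 10554}   # listed above in the guide
RECOMMENDED_RANGE = range(50000, 65536)            # "between 50000 and 65535"


def check_rule(rule):
    """Return the problems with one rule: a dict with name, proto, external,
    internal and dest_ip."""
    problems = []
    ext, internal = rule["external"], rule["internal"]
    if not 1 <= ext <= 65535:
        problems.append("external port outside 1-65535")
    if ext != internal:
        problems.append("external and destination port should be the same")
    if ext in HIKVISION_DEFAULT_PORTS or ext < 1024:
        problems.append("common/default port exposed; use a customized port")
    if ext not in RECOMMENDED_RANGE:
        problems.append("port outside the recommended 50000-65535 range")
    if rule["proto"] not in ("TCP", "UDP", "Both"):
        problems.append("protocol must be TCP, UDP or Both")
    return problems


def check_plan(rules, router_supports_both=True):
    """Check a whole plan: per-rule problems plus cross-rule conflicts
    (same protocol and external port on two LAN IPs; 'Both' on a router
    that only offers TCP or UDP)."""
    report = {}
    seen = {}                      # (proto, external) -> first dest_ip
    for r in rules:
        probs = check_rule(r)
        if r["proto"] == "Both" and not router_supports_both:
            probs.append("router has no Both option: create one TCP and one UDP rule")
        key = (r["proto"], r["external"])
        if key in seen and seen[key] != r["dest_ip"]:
            probs.append("same external port already forwarded to %s" % seen[key])
        seen.setdefault(key, r["dest_ip"])
        report[r["name"]] = probs
    return report


# Constructed sample: two cameras sharing a port, and one left on the default web port.
SAMPLE_RULES = [
    {"name": "cam1-https", "proto": "TCP", "external": 51443, "internal": 51443, "dest_ip": "192.168.1.64"},
    {"name": "cam2-https", "proto": "TCP", "external": 51443, "internal": 51443, "dest_ip": "192.168.1.65"},
    {"name": "cam1-web", "proto": "TCP", "external": 80, "internal": 80, "dest_ip": "192.168.1.64"},
]
```

`check_plan(SAMPLE_RULES)` flags cam2-https for reusing cam1's external port and cam1-web for exposing a default port outside the recommended range.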
Conclusion
This hardening guide is intended to be a living document and will be updated regularly to reflect the most up-to-date cybersecurity best practices. It is one of the many industry-leading cybersecurity resources provided by Hikvision. Please visit the Hikvision Security Center on our website http://www.hikvision.com/us/SecurityCenter_10636.html to learn about other available cybersecurity resources. If you have questions, please contact your Hikvision representative or