Huawei Technologies DP300 Desktop Presence User Manual security maintenance


HUAWEI DP300 Desktop Presence
V500R002C00

Security Maintenance

Issue 01
Date 2015-09-15

HUAWEI TECHNOLOGIES CO., LTD.
Copyright © Huawei Technologies Co., Ltd. 2015. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://e.huawei.com

Issue 01 (2015-09-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
About This Document

Overview

This document introduces security maintenance operations of HUAWEI DP300 desktop presence (DP300 or endpoint for short).

Before you use the product, obtain version mapping information from the product vendor and confirm compatibility with other videoconferencing equipment.

Intended Audience

This document is intended for:
- Technical support engineers
- Maintenance engineers

Symbol Conventions

The symbols that may be found in this document are defined as follows:

Symbol Description
- Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
- Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
- Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
- Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
- Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.

Related Documents

| Document Title | Description | Document Location |
|---|---|---|
| HUAWEI DP300 Desktop Presence V500R002C00 Quick Installation Guide | Describes the packaged items and provides guidance for quick installation, and common configuration. | Access http://e.huawei.com and choose Support > Product Support > UC&C > Telepresence and Videoconferencing > Telepresence Endpoints > Desktop Device. |
| HUAWEI DP300 Desktop Presence V500R002C00 Quick Start Guide | Describes the touchscreen and the remote controlled UI, and provides quick instructions for commonly used endpoint functions. | |
| HUAWEI DP300 Desktop Presence V500R002C00 User Guide | Describes the methods for operating the endpoint. | |
| HUAWEI DP300 Desktop Presence V500R002C00 Administrator Guide | Describes how to configure, manage, and troubleshoot the endpoint. | |
| HUAWEI DP300 Desktop Presence V500R002C00 Command Reference | Describes the functions, parameters, formats, usage guidelines, and examples of all endpoint commands. | |
| HUAWEI DP300 Desktop Presence V500R002C00 Communication Matrix | Describes the ports, protocols, IP addresses, and authentication modes for the communication of the endpoint. | |

Change History

Changes between document issues are cumulative. The latest document issue contains all the changes made in earlier issues.
Issue 01 (2015-09-15)

This issue is used for first office application (FOA).
Contents

About This Document
1 Overview
1.1 Purpose of Security Maintenance
1.2 What Is Layered Security Maintenance
2 Application Layer Security
2.1 Setting the Interaction Mode
2.2 Application Layer Account List
2.2.1 Administrator Password for the Display
2.2.2 Web Management Account
2.2.3 API Account
2.2.4 SSH and Telnet Login
2.2.5 Serial Port Account
2.2.6 Upgrade Password
2.2.7 Air Content Sharing Password
2.2.8 Network Diagnostics Tool Account
2.2.9 Information Required for Connecting to the Videoconferencing Network Management System
2.3 Restoring Systems to Default Settings
2.4 SiteCall Security
2.5 Configuring Encryption
2.6 Web Management Users
2.6.1 Logging In to the Web Interface
2.6.2 Changing the Password
2.7 Web Access Control
2.8 SSH Access Control
2.8.1 Enabling SSH or Telnet
2.8.2 User Login
2.8.3 Logging In Using the SSH Public Key
2.9 Viewing Logs
2.10 Enabling FTPS
2.11 Configuring an FTPS Server
2.12 Video Monitoring
2.12.1 Enabling Video Monitoring
2.12.2 Taking Picture
2.13 Upgrading Using the Mini System
2.13.1 Preparing for the Upgrade
2.13.2 Performing an Upgrade
2.14 U-Boot Operations
2.15 Verifying a Digital Signature
2.16 Importing a Certificate
2.17 Importing Web Certificates
2.18 Importing and Exporting Settings
3 System Layer Security
4 Network Layer Security
5 Management Layer Security
5.1 Principles of System Security Maintenance
5.1.1 Account Management
5.1.2 Permission Management
5.1.3 Auditing Principles
5.2 Guidelines for Password Security Maintenance
5.3 Logs Maintenance Recommendations
5.3.1 Checking Logs Regularly
5.3.2 Backing Up Logs Regularly
5.4 Guidelines on Signaling Diagnostics
5.5 Security Evaluation Recommendations
5.6 Backup Recommendations
5.7 Defects Feedback Recommendations
5.8 Common Measures Against Attacks
5.9 Security Emergency Response Mechanism
5.10 Security Emergency Response Email Address
A Appendix
B Default Settings
1 Overview

1.1 Purpose of Security Maintenance

Application systems now face severe security threats. Once problems occur, business might be disrupted, profits reduced, or systems might even break down. Users must build up and maintain application system security at different layers, and discover and resolve potential threats in advance.

In addition, because new security threats keep emerging, technology alone can hardly ensure application system security. Users must build up a security management system based on the security maintenance suggestions and on the problems they find while using the endpoint, to ensure smooth and secure operation of the endpoint.

1.2 What Is Layered Security Maintenance

According to the target and purpose of security maintenance, maintenance personnel must safeguard the service system at different layers.

Application Layer

Security maintenance of the application layer protects the endpoint and its web management system so that they can operate smoothly and provide services to users.

System Layer

Security maintenance of the system layer ensures smooth operation of the operating system, which supports the operation of application software.

Network Layer

Security maintenance of the network layer ensures that network devices, such as the switch, router, and firewall, function properly and that security strategies are implemented at the network layer.
Management Layer

Security maintenance of the management layer strengthens the management of personnel in order to avoid threats. Maintenance at the management layer involves the maintenance operations at all preceding layers.
2 Application Layer Security

2.1 Setting the Interaction Mode

On the DP300 display, tap the icon in the lower right corner to switch between the PC mode and videoconferencing mode.

In PC mode, the DP300 display can be used as the PC monitor, on which you can answer calls to join conferences.

In videoconferencing mode, the DP300 display functions as a platform for users to interact with the videoconferencing system using the touchscreen or remote control.
- Touchscreen (default): Perform operations on the screen by touches, such as tap and slide. In this case, the DP300 display is called touchscreen.
- Remote control: Perform operations on the screen using the remote control. In this case, the DP300 display is called remote control screen.

To set the interaction mode, perform the following steps:
- On the touchscreen, tap the icon, choose Advanced > Settings > General, and set Control mode.
- On the remote control screen, choose Advanced > Settings > General, and set Control mode.
- On the web interface, choose System Settings > General, and set Control mode.

2.2 Application Layer Account List

2.2.1 Administrator Password for the Display

The default administrator password for logging in to the display is 12345678. To improve device security, set a password at your first login and regularly change the password afterwards. To enhance user experience, the administrator password can be digit-only or empty.

NOTE
It is recommended that you set a complex password. A simple or empty password brings security risks.

To set the administrator password for logging in to the display, perform the following steps:
- On the touchscreen, tap the icon and choose Advanced > Settings > Security > Password.
- On the remote control screen, choose Advanced > Settings > Security > Password, and set the password.
- On the web interface, choose System Settings > Security > GUI, and set the password.

When using the administrator password for logging in to the display, note that:
- On the touchscreen, the administrator password is required for accessing the Settings screen. On the remote control screen, the administrator password is required for customizing the option bar.
- Standard users: By default, they can directly access Advanced but must enter the administrator password to access the Settings screen under Advanced and customize the option bar. (The administrator password can be obtained from the administrator.)
- If the administrator selects Encryption advanced settings, standard users can directly access Settings but must enter the administrator password to access the Advanced menu and customize the option bar. If the administrator password is set to null, no password is required for accessing any menu.

2.2.2 Web Management Account

The DP300 supports a maximum of 10 concurrent logins to the web interface, and controls user permissions by setting permission levels. Table 2-1 describes the web management account.
Table 2-1 Web management account

| Account Name | Default Password | Description | Remarks |
|---|---|---|---|
| admin | Change_Me | This account is the default account with the highest permission and cannot be deleted. For details about account levels, see section Web Management Users. | To ensure account security, you are advised to change the password at the first login and regularly change the password afterward. To change the password: on the touchscreen, tap the icon and choose Advanced > Settings > Security > Web Login; on the remote controlled UI, choose Advanced > Settings > Security > Web Login; on the web interface, choose System Settings > General > Personal. To change the Administrator name, you can tap the icon and choose Advanced > Settings > Security > Web Login from the touchscreen. To change the Administrator name, you can choose Advanced > Settings > Security > Web Login from the remote controlled UI. |

NOTE
The web management account has the permission of exporting the address book, exporting logs or exporting settings. Keep the account safe to prevent disclosure of personal information.

If the number of user attempts to log in to the web interface reaches a predefined number, the user account will be locked and cannot be used for login until the locking duration ends. To set the maximum number of user login attempts and locking duration, perform the following operations:

On the web interface, choose System Settings > Security > Web Login. On the displayed screen, set Maximum login attempts and Lock time.

2.2.3 API Account

The API account is required for a third party (for example, a touch panel) to log in to the DP300, or for the SMC2.0 to add a manageable site. Table 2-2 describes the API account. Table 2-2 describes the touch panel account.
Table 2-2 API account

| Account Name | Default Password | Description | Remarks |
|---|---|---|---|
| api | Change_Me | The account is required for a third party (for example, a touch panel) to log in to the DP300, or for the SMC2.0 to add a manageable site. This account is the default account. To change the name: On the web interface, choose System Settings > General > Personal > Password of API user. | To ensure account security, you are advised to change the password at the first login and regularly change the password afterward. For details about how to change the password, see section 2.6.2 Changing the Password. |

2.2.4 SSH and Telnet Login

The DP300 supports Telnet login and Secure Shell (SSH) login. Telnet is an insecure protocol. SSH is a protocol that secures remote access over an insecure network by means of encryption and authentication. During SSH login, all user data is encrypted. To ensure security, you are advised to use SSH login.
- You can log in to the DP300 through port 23 using Telnet. Telnet login is set to Do not allow by default. Telnet is an insecure communication protocol. You are advised to disable it. If you want to log in using Telnet, see section 2.8.1 Enabling SSH or Telnet.
- You can log in to the DP300 through port 22 using SSH. SSH is set to Do not allow by default. If you want to log in using SSH, see section 2.8.1 Enabling SSH or Telnet.

SSH and Telnet Login Under the Normal System

The normal system supports SSH and Telnet logins. Table 2-3 describes the account names and passwords used for SSH and Telnet logins.

Table 2-3 SSH and Telnet login accounts

| Account Name | Default Password | Description | Remarks |
|---|---|---|---|
| debug | Change_Me | Administrator account with the highest permission for system debugging. | This is a special account and not for common users. |
| admin | Change_Me | Common user account with lower permission than the debug account. | - |
| user | Change_Me | Common user account with lower permission than the admin account. | - |
| apiuser | Change_Me | Special account with lower permission than the user account. | This is a special account and not for common users. |
| test | Change_Me | Dedicated account for testing with lower permission than the user account. | - |

NOTE
- To secure your account, it is recommended that you change the password upon the first login and regularly change the password afterwards.
- After you log in using the debug account, you can run the command mnt debug setpwd [name] to change other accounts' passwords.

Telnet Login Under the Mini System

The mini system supports Telnet logins only. The login account and default password are described in Table 2-4.

Table 2-4 Telnet login account

| Account Name | Default Password | Description | Remarks |
|---|---|---|---|
| debug | Change_Me | Administrator account for system debugging | To ensure account security, change the password at the first login and regularly change the password afterward. |

For details about how to change the password and use the debug commands, see the HUAWEI DP300 Desktop Presence V500R002C00 Command Reference.

2.2.5 Serial Port Account

The DP300 allows for logins using serial ports to commission applications and locate faults. The serial port account and default password are described in Table 2-5.
Table 2-5 Serial port account

| Account Name | Default Password | Description | Remarks |
|---|---|---|---|
| root | Change_Me | This account is used for a computer to log in to the DP300 through serial ports. | To secure your account, it is recommended that you change the password upon the first login and regularly change the password afterwards. To change the password, run the passwd command. |

2.2.6 Upgrade Password

To upgrade the DP300 under the normal system with the upgrade tool, you must enter the upgrade password.

By default, the upgrade password is Change_Me.

You are advised to change the password at the first login and regularly change the password afterward:
- Touchscreen: Tap the icon and choose Advanced > Settings > Security > Upgrade password.
- On the remote controlled UI, choose Advanced > Settings > Security > Upgrade password.
- On the web interface, choose System Settings > Security > Upgrade password.

2.2.7 Air Content Sharing Password

The air content sharing password is used by an air content sharing client to connect to the DP300. Users can download the air content sharing client from the DP300 web interface. After the air content sharing client successfully connects to the DP300, users can connect the DP300 to presentation sources and share presentations without the use of any physical ports.

The default air content sharing password is Change_Me.

You are advised to change the password at the first login and regularly change the password afterward:
- Touchscreen: Tap the icon and choose Advanced > Settings > Security > Air Content Sharing.
- On the remote controlled UI, choose Advanced > Settings > Security > Air Content Sharing.
- On the web interface, choose System Settings > Security > Air Content Sharing.
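The following check is an added example, not part of the Huawei manual: it audits a credential inventory for the accounts in sections 2.2.1 to 2.2.7 and reports passwords still at the documented default, an empty or digit-only display password, overdue rotation, accounts missing from the inventory, and Telnet left allowed. The interface labels, the `Endpoint` and `Credential` types, the 90-day interval and all sample values are assumptions of this example.

```python
"""Audit a DP300 credential inventory against the defaults in sections 2.2.1-2.2.7."""
from dataclasses import dataclass
from datetime import date

# Default passwords exactly as the manual lists them. The interface labels
# ("display", "web", ...) are this example's own naming, not Huawei identifiers.
DOCUMENTED_DEFAULTS = {
    ("display", "administrator"): "12345678",
    ("web", "admin"): "Change_Me",
    ("api", "api"): "Change_Me",
    ("ssh-telnet", "debug"): "Change_Me",
    ("ssh-telnet", "admin"): "Change_Me",
    ("ssh-telnet", "user"): "Change_Me",
    ("ssh-telnet", "apiuser"): "Change_Me",
    ("ssh-telnet", "test"): "Change_Me",
    ("mini-telnet", "debug"): "Change_Me",
    ("serial", "root"): "Change_Me",
    ("upgrade", "upgrade-password"): "Change_Me",
    ("air-content-sharing", "sharing-password"): "Change_Me",
}

# Assumption: the manual says "regularly" without naming an interval.
MAX_AGE_DAYS = 90


@dataclass
class Credential:
    interface: str
    account: str
    password: str        # fetched from the credential vault at audit time
    last_changed: date


@dataclass
class Endpoint:
    name: str
    telnet: str          # value of the Telnet setting; the default is "Do not allow"
    credentials: list


def audit(endpoint, today):
    """Return (endpoint, interface, account, issue) tuples for one DP300."""
    findings = []
    # Section 2.2.4: Telnet is insecure and should stay disabled.
    if endpoint.telnet != "Do not allow":
        findings.append((endpoint.name, "ssh-telnet", "*", "Telnet login allowed"))

    seen = set()
    for cred in endpoint.credentials:
        key = (cred.interface, cred.account)
        seen.add(key)
        if cred.password == DOCUMENTED_DEFAULTS.get(key):
            issue = "documented default password"
        elif cred.password == "":
            # Section 2.2.1: with an empty display password no menu asks for one.
            issue = "empty password"
        elif key == ("display", "administrator") and cred.password.isdigit():
            issue = "digit-only password"
        elif (today - cred.last_changed).days > MAX_AGE_DAYS:
            issue = "rotation overdue"
        else:
            continue
        findings.append((endpoint.name, cred.interface, cred.account, issue))

    # An account missing from the inventory has unknown state, so report it
    # rather than silently treating it as changed.
    for interface, account in sorted(set(DOCUMENTED_DEFAULTS) - seen):
        findings.append((endpoint.name, interface, account, "not inventoried"))
    return findings


def run_sample():
    """Audit one constructed endpoint; every value below is made up."""
    recent, stale = date(2015, 9, 20), date(2015, 5, 1)
    endpoint = Endpoint(
        name="dp300-room-a",
        telnet="Allow",  # constructed value; anything but "Do not allow" is flagged
        credentials=[
            Credential("display", "administrator", "24681357", recent),
            Credential("web", "admin", "Change_Me", recent),
            Credential("api", "api", "constructed-Api-Secret-1", recent),
            Credential("ssh-telnet", "debug", "constructed-Dbg-Secret-1", stale),
            Credential("serial", "root", "constructed-Root-Secret-1", recent),
        ],
    )
    return audit(endpoint, today=date(2015, 10, 1))


if __name__ == "__main__":
    for finding in run_sample():
        print(" | ".join(finding))
```
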
2.2.8 Network Diagnostics Tool Account

After the network diagnostics function is enabled, the network diagnostics tool can use the H.323 call port, RAS source port, RAS destination port, or SIP call port to diagnose the DP300. Table 2-6 describes the network diagnostics tool account.

Table 2-6 Network diagnostics tool account description

| Account Name | Default Password | Description | Remarks |
|---|---|---|---|
| admin | Change_Me | Specify the account name and password that the network diagnostics tool uses for authentication when attempting to communicate with the DP300. | To ensure account security, you are advised to change the password at the first login and regularly change the password afterward. On the web interface, choose System Settings > Network > Network diagnostics, enable Network diagnostics, and change the values of Diagnostics tool user name and Diagnostics tool password. |

2.2.9 Information Required for Connecting to the Videoconferencing Network Management System

The DP300 communicates with and is remotely managed by the videoconferencing network management system using SNMP. The videoconferencing network management system implements the following:
- Configures DP300 settings, including the H.323 and SIP.
- Queries DP300 status.
- Checks DP300 alarms.
- Backs up and restores DP300 settings.
- Upgrades the DP300 online.

To remotely manage the DP300 from the videoconferencing network management system, log in to the web interface of the DP300, choose System Settings > Network > SNMP Settings, and set SNMP parameters, as shown in Table 2-7.

When the videoconferencing network management system connects to the DP300 through SNMP V2, configure required SNMP V2 information. When the videoconferencing network management system connects to the DP300 through SNMP V3, configure the SNMP V3 account, password, and protocol.
Table 2-7 Information required for connecting to the videoconferencing network management system

| Parameter | Default Setting | Description | Remarks |
|---|---|---|---|
| SNMP V2: Get community name | Change_Public | Specifies the credential that the videoconferencing network management server uses to obtain DP300 settings. | The parameter settings must be the same as those in the videoconferencing network management system. Set these parameters when Enable SNMP is set to Enable and SNMPv2 to Enable. |
| SNMP V2: Set community name | Change_Private | Specifies the credential that the videoconferencing network management server uses to specify DP300 settings. | The parameter settings must be the same as those in the videoconferencing network management system. Set these parameters when Enable SNMP is set to Enable and SNMPv2 to Enable. |
| SNMP V2: Trap community name | Change_Me | Specifies the credential that the DP300 uses to report alarms to the videoconferencing network management server. | The parameter settings must be the same as those in the videoconferencing network management system. Set these parameters when Enable SNMP is set to Enable and SNMPv2 to Enable. |
| SNMP V3: User name | v3user | Specifies the user name for connecting your DP300 to the videoconferencing network management system through SNMPv3. | The parameter setting must be the same as that in the videoconferencing network management system. |
| SNMP V3: Authentication protocol / Authentication password | SHA / Change_Me | Specify the authentication mode and password for connecting the videoconferencing network management system to your DP300. | The parameter settings must be the same as those in the videoconferencing network management system. When the videoconferencing network management system attempts to connect to your DP300, Authentication protocol and New password set on your DP300 are required. |
| SNMP V3: Encryption protocol / Encryption password | AES / Change_Me | Specify the encryption protocol and password for connecting the videoconferencing network management system to your DP300. | The parameter settings must be the same as those in the videoconferencing network management system. |

NOTE
- To secure your account, it is recommended that you change the password upon the first login and regularly change the password afterwards. The password you set on the DP300 must be the same as that set in the videoconferencing network management system.
- For details about how to set SNMP parameters, see the HUAWEI DP300 Desktop Presence V500R002C00 Administrator Guide.

2.3 Restoring Systems to Default Settings

If you forget the passwords of the normal or mini system, restore the system (including the passwords) to its default settings.

- Normal system

  Pressing and holding the RESET button for 10 seconds or more while the DP300 is operating properly restores the DP300 to its default settings.

  NOTE
  Place the DP300 face down on the desktop, and open its rear cover. Then you can view the interfaces on the rear panel. The RESET button is located at the second position on the left of the rear panel.

- Mini System

  1. Press and hold the RESET button for 10 seconds or more when the DP300 is starting. The DP300 enters the mini system.
  2. In mini system, press and hold the RESET button for 10 seconds or more to restore the Telnet login password to its default settings.

2.4 SiteCall Security
The DP300 uses Hypertext Transfer Protocol Secure (HTTPS) mode to upload the multipoint conference information and supports Transmission Control Protocol (TCP) mode when a multipoint conference is initiated. If HTTPS mode is disabled, the DP300 uses the insecure TCP mode. You are advised to use HTTPS mode for better communication security.

If HTTPS mode is enabled, you are advised to enable Multipoint conference authentication.

To enable HTTPS mode and Multipoint conference authentication:
- On the touchscreen, tap [icon] and choose Advanced > Settings > Network > IP > H.323, and then select HTTPS mode and Multipoint conference authentication.
- On the remote controlled UI, choose Advanced > Settings > Network > IP > H.323, and select HTTPS mode and Multipoint conference authentication.
- On the web interface, choose System Settings > Network > H.323/SIP Settings, and set HTTPS mode and Multipoint conference authentication to Enable.

2.5 Configuring Encryption

You can enable encryption to improve video communication security.

Background

On an IP network that is neither quality-guaranteed nor secure, encryption can be used to increase the video communication security, though it may affect the call rate. Both parties in communication must support encryption, including H.235 encryption and Secure Real-time Transport Protocol (SRTP) encryption.

To improve communication security, you are advised to enable encryption.

Before initiating a Session Initiation Protocol (SIP) encrypted conference, you are advised to enable encryption and Transport Layer Security (TLS) registration to improve communication security.

Procedure

To configure encryption on the touchscreen:
1. Tap [icon] and choose Advanced > Settings > Security > Encryption, and then select one of the following options:
   - Disable: No stream is encrypted.
   - Enable: Streams are forced to be encrypted. If you select this option, your DP300 can attend encrypted conferences only. To improve communication security, select this option.
   - Maximum interconnectivity: Streams are encrypted only when a call is set up. If you select this option for the local site and encryption is disabled at a remote site, the conference between the local and remote sites is not encrypted.
2. Select Save.

To configure encryption on the remote controlled UI:
1. Choose Advanced > Settings > Security > Encryption and select one of the following options:
   - Disable: No stream is encrypted.
   - Enable: Streams are forced to be encrypted. If you select this option, your DP300 can attend encrypted conferences only. To improve communication security, select this option.
   - Maximum interconnectivity: Streams are encrypted only when a call is set up. If you select this option for the local site and encryption is disabled at a remote site, the conference between the local and remote sites is not encrypted.
2. Select Save.

To configure encryption on the web interface:
1. Log in to the web interface, choose System Settings > Security > Encryption and configure the encryption mechanism.
2. Select Save.

2.6 Web Management Users

The web interface of the DP300 supports two types of users: administrators and common users.
- Administrators: Administrators have all permissions to the web interface.
  NOTE
  Administrators can modify the accounts and passwords of common users and perform system configuration operations.
- Common users: They have some permissions on the web interface and can configure only personal settings but not system settings.

2.6.1 Logging In to the Web Interface

The DP300 supports logins in HTTP and HTTPS modes. HTTPS mode, which is more secure, is used by default. If you use HTTP to log in to the web interface of the DP300, the system automatically switches to the HTTPS mode.

Step 1 Open a browser on the computer. In the address box, enter the IP address, such as https://192.168.1.1.

Step 2 Press Enter.
The login page is displayed, as shown in Figure 2-1.
NOTE
If the security certificate is invalid, click Continue to this website to resume the login.
Figure 2-1 Web login page

Step 3 Enter the user name and password. Select a language.

Step 4 Click Log In, or press Enter.
NOTE
To ensure data security, close the browser and delete browser caches after accessing the web interface.

----End

2.6.2 Changing the Password

On the web interface, you can change the passwords for the web management account, common user account, and API account as follows:

Step 1 Choose System Settings > General > Personal.

Step 2 Change the account password.
The password can contain 8 to 32 characters and must include at least two of the following: uppercase letter, lowercase letter, digit, or special character.

Step 3 Click Save.

----End

2.7 Web Access Control

The DP300 adopts HTTPS mode, which is the secure version of Hypertext Transfer Protocol (HTTP). The following methods control web access:
- You can log out of the web interface.
  When you have logged in to the web interface, you can click Exit in the upper right. The login interface is displayed.
- You can use the touchscreen to control web login.
  To disable web login, choose Advanced > Settings > Secured > Web Login on the touchscreen and deselect Web Login.
- You can use the remote control to control web login.
  To disable web login, choose Advanced > Settings > Secured > Web Login on the remote control and deselect Web Login.
- The DP300 supports a maximum of 10 concurrent logins to the web interface.

2.8 SSH Access Control

During remote access and data transmission, SSH commands can be run to create an encrypted channel between the application layer and client.

2.8.1 Enabling SSH or Telnet

Use any of the following ways to enable SSH or Telnet.
- On the touchscreen, tap [icon] and choose Advanced > Settings > Security > SSH/Telnet, and then select SSH or Telnet.
- On the remote controlled UI, choose Advanced > Settings > Security > SSH/Telnet, and select SSH or Telnet.
- On the web interface, choose System Settings > Security > SSH/Telnet, and set SSH or Telnet to Enable.

Telnet is an insecure communication protocol. You are advised to disable it.

2.8.2 User Login

The following uses PuTTY as an example to describe SSH access control methods.
NOTE
PuTTY is a login application for remote login across different platforms. It can be obtained from Huawei Unified Communications and Collaboration (UC&C) Security Center by Huawei technical support or downloaded from the Internet. Use PuTTY 0.63 or a later version.

Step 1 Run PuTTY on your computer.
The PuTTY Configuration dialog box is displayed, as shown in Figure 2-2.
Figure 2-2 PuTTY Configuration dialog box

Step 2 In Host Name (or IP address), enter the IP address, such as 10.10.10.1.

Step 3 Select SSH for Protocol. Use the default value for Port.

Step 4 Click Open.
The login interface is displayed.

Step 5 Enter the user name and password and run the commands. For details, see the HUAWEI DP300 Desktop Presence V500R002C00 Command Reference.
NOTE
The default administrator account of Telnet and SSH is debug and the password is Change_Me by default.

----End

2.8.3 Logging In Using the SSH Public Key

To secure and simplify SSH login, use the SSH public key to log in to the DP300.
NOTE
Before logging in to the DP300 using the SSH public key, ensure that SSH has been enabled. For details, see 2.8.1 Enabling SSH or Telnet.
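Added example (not part of the Huawei manual): the procedure in this section leaves the private key DP300 and the public key DP300.pub side by side before one of them is selected in the Import SSH Public Key dialog, so this Python check confirms that a file is the public half and reports its type, RSA size and SHA256 fingerprint. The 2048-bit minimum, the function names and the sample key (built in code, not a usable key) are assumptions of this example.

```python
import base64
import hashlib
import struct

MIN_RSA_BITS = 2048  # assumption of this example; the manual states no minimum


def _read_string(blob, offset):
    """Read one SSH wire string: 4-byte big-endian length, then the data."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key data")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key data")
    return blob[offset + 4:end], end


def inspect_public_key(text):
    """Parse the contents of a .pub file; raise ValueError if it is not one."""
    if "PRIVATE KEY-----" in text:
        raise ValueError("private key file; import only the .pub file")
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) != 1:
        raise ValueError("expected a single public key line")
    fields = lines[0].split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, encoded = fields[0], fields[1]
    # binascii.Error raised on bad input is a subclass of ValueError.
    blob = base64.b64decode(encoded, validate=True)
    embedded_type, offset = _read_string(blob, 0)
    if embedded_type != declared_type.encode("ascii"):
        raise ValueError("key type label does not match key data")
    bits = None
    if declared_type == "ssh-rsa":
        # ssh-rsa key data: type string, public exponent, modulus.
        _exponent, offset = _read_string(blob, offset)
        modulus, offset = _read_string(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    return {"type": declared_type, "bits": bits, "fingerprint": fingerprint}


def safe_to_import(text):
    """Return (ok, detail) for a file about to be chosen in the import dialog."""
    try:
        info = inspect_public_key(text)
    except ValueError as exc:
        return False, str(exc)
    if info["bits"] is not None and info["bits"] < MIN_RSA_BITS:
        return False, "RSA modulus is only %d bits" % info["bits"]
    return True, "%s %s" % (info["type"], info["fingerprint"])


def _wire(data):
    """Encode bytes as an SSH wire string."""
    return struct.pack(">I", len(data)) + data


def build_sample_pub(bits):
    """Constructed sample: a well-formed ssh-rsa line that is not a usable key."""
    modulus = (1 << (bits - 1)) | 1
    # An mpint whose top bit is set carries a leading zero byte.
    modulus_bytes = b"\x00" + modulus.to_bytes(bits // 8, "big")
    blob = _wire(b"ssh-rsa") + _wire((65537).to_bytes(3, "big")) + _wire(modulus_bytes)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed-sample"


# Constructed sample of what the private half looks like (body is a placeholder).
SAMPLE_PRIVATE = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "constructed-placeholder\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    samples = (
        ("DP300.pub, 2048-bit", build_sample_pub(2048)),
        ("DP300.pub, 1024-bit", build_sample_pub(1024)),
        ("DP300 (private key)", SAMPLE_PRIVATE),
    )
    for label, text in samples:
        print(label, safe_to_import(text))
```

The fingerprint has the same form that current OpenSSH prints with ssh-keygen -l -f DP300.pub, so it can be recorded at import time and compared later.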
Creating an SSH Private-Public Key Pair

Create an SSH private-public key pair and associate the private-public key pair with the local computer or server.

Step 1 Log in to the Linux operating system, run the ssh-keygen command in any CLI, and press Enter.

Step 2 Enter the name (for example, DP300) of the SSH private-public key pair as prompted and press Enter.
The SSH public key DP300.pub and SSH private key DP300 are created.

Step 3 Go to the directory where DP300.pub and DP300 are created and copy them to the local computer or server.

----End

Importing the SSH Public Key

Import the SSH public key using the DP300 web interface.

Step 1 Choose System Settings > Installation. The Installation page is displayed.

Step 2 Click Import SSH Public Key. The Import SSH Public Key dialog box is displayed.

Step 3 Click Select File and select the SSH public key DP300.pub from the local computer or server.

Step 4 Click Import.

Step 5 Click Return when OK is displayed.

----End

Logging In Using the SSH Public Key

The following takes the SSH client SecureCRT as an example to describe how to log in to the DP300 using the SSH public key.
NOTE
SecureCRT is a login application for remote login across different platforms. It can be obtained from Huawei Unified Communications and Collaboration (UC&C) Security Center by Huawei technical support or downloaded from the Internet. Use SecureCRT 6.7.1 or a later version.

Step 1 Run SecureCRT on your computer.
The SecureCRT quick connect dialog box is displayed, as shown in Figure 2-3.

Figure 2-3 Initial Quick Connect dialog box

Step 2 Select SSH2 for Protocol.

Step 3 In Hostname, enter the IP address, such as 10.10.10.1. Use the default value for Port.

Step 4 In the Authentication area, select PublicKey only.

Step 5 Click PublicKey, then click Properties.... The Public Key Properties dialog box is displayed.

Step 6 In the Use identity or certificate file text box, click ... and select the SSH public key DP300.pub, as shown in Figure 2-4. (The Use global public key setting and Use identity or certificate file options are selected by default.)

Figure 2-4 Selecting the SSH public key

Step 7 Click OK to return to the Quick Connect dialog box, as shown in Figure 2-5.

Figure 2-5 Quick Connect dialog box

Step 8 In the Username text box, enter the SSH login account, for example, SSH administrator account debug.

Step 9 Click Connect.
The login interface is displayed.

Step 10 Run the commands.
For details, see the HUAWEI DP300 Desktop Presence V500R002C00 Command Reference.

----End

2.9 Viewing Logs

Logs record all non-query events during the DP300 running, such as non-query user operations and commands. These events can help you locate and rectify faults, as well as assist you in auditing.
- On the touchscreen, tap [icon] and choose Advanced > Diagnostics > Logs.
- On the remote control UI, select Advanced > Diagnostics > Logs.
- Check logs on the web interface:
  1. Log in to the web interface and choose Maintenance > Logs.
  2. On the Logs page, click Export.
  3. Click Save in the displayed dialog box.
  4. Choose the folder to save the logs and click Save.
  5. Open the exported logs and check them.

2.10 Enabling FTPS

The DP300 supports File Transfer Protocol over SSL (FTPS) and File Transfer Protocol (FTP). To improve communication security, enable FTPS. If FTPS is disabled, the DP300 uses insecure FTP.

You can enable FTPS in one of the following ways:
- On the touchscreen, tap [icon] and choose Advanced > Settings > Network > Network Address Book > Network Address Book, and select FTPS.
- On the remote controlled UI, choose Advanced > Settings > Network > Network Address Book > Network Address Book, and select FTPS.
- On the web interface, choose System Settings > Network > Network Address Book, and enable FTPS.
- Use commands to enable FTPS. For details, see the HUAWEI DP300 Desktop Presence V500R002C00 Command Reference.

2.11 Configuring an FTPS Server

FTPS is an extension of the commonly used FTP that adds SSL support. The FTPS server ensures the security of the DP300 network address book.
NOTE
To configure the network address book after the FTPS client is configured, see the HUAWEI DP300 Desktop Presence V500R002C00 Administrator Guide.

The following uses the FileZilla server as an example to describe how to configure an FTPS server.
Step 1 Set the IP address of the computer on which the FTPS server (for example, FileZilla server) is to be installed. Ensure that the IP addresses of the computer and DP300 are in the same network segment.

Step 2 Run the FTPS server installer (for example, FileZilla_Server-0_9_41.exe) to install the FTPS server on the computer.

Step 3 Double-click [icon] to run the FTPS server. Click OK in the displayed dialog box, as shown in Figure 2-6.

Figure 2-6 Connect to Server dialog box

Step 4 Choose Edit > Settings.

Step 5 Click SSL/TLS settings in the left column and select Enable FTP over SSL/TLS support (FTPS), click Browse to import the certificate, and click OK, as shown in Figure 2-7.
NOTE
- Before importing a certificate, make sure it is issued by a security authority to prevent security risks.
- If no certificate is available, click Generate new certificate.

Figure 2-7 FTPS Server Options dialog box

Step 6 Choose Edit > Users. The Users dialog box is displayed, as shown in Figure 2-8.

Figure 2-8 Adding a user

Step 7 Click Add to add a user. Select Enable account and Password and enter the Password.

Step 8 Click Shared folders under Page, then click Add, and set the path for the user root directory of FTPS server, as shown in Figure 2-9.

Figure 2-9 Specifying the path for the user root directory of FTPS server

Step 9 Click OK.

----End

2.12 Video Monitoring

This function involves personal privacy. Ensure that its use complies with local laws and regulations.

To ensure conference security and protect conference privacy, this function is disabled by default and can be enabled on the touchscreen and remote controlled interface.

2.12.1 Enabling Video Monitoring

To enable video monitoring:
- On the touchscreen, tap [icon] and choose Advanced > Settings > Security > Web Login and then select Monitor video.
- On the remote controlled UI, choose Advanced > Settings > Security > Web Login and select Monitor video.

2.12.2 Taking Picture

After the video monitoring and management function is enabled, you can capture and view local and remote videos and presentations on the web interface.

Step 1 On the web interface, choose Device Control > Device Control > Video Control.
NOTE
After you access the Video Monitor page, [icon] appears on the DP300 display screen to indicate that site monitoring is enabled.

Step 2 Select the source you want to capture and click Capture.

Step 3 In the displayed interface, select the picture and right-click it.

Step 4 From the displayed shortcut menu, choose Save Picture As to save the picture.

----End

2.13 Upgrading Using the Mini System

If the DP300 cannot start as usual because the local upgrade fails due to power outage or other incidents, you can use the mini system for the upgrade instead.

You can use the mini system for upgrades whenever the DP300 software malfunctions. This method can be repeatedly used, and can ensure successful software upgrades when there are no hardware failures.

2.13.1 Preparing for the Upgrade

Before the upgrade, note the following prerequisites:
- Save the software package for upgrading on the computer.
- Connect the computer to the DP300 through a crossover cable, or set the IP addresses of the computer and the DP300 in the same network segment.
- Obtain the upgrade password. The upgrade password is Change_Me by default. For details, see section 2.2.6 Upgrade Password.
- The default administrator user name and password of Telnet are debug and Change_Me respectively. If you forget the password, use the mini system to restore the DP300 to its default settings. For details, see section 2.3 Restoring Systems to Default Settings.

2.13.2 Performing an Upgrade

Step 1 While the DP300 is restarting or powering on, press and hold the RESET button for 10 seconds.
The DP300 enters the mini system.
NOTE
At this time, the DP300 has two IP addresses available: the static IP address of the normal system and the default IP address (192.168.1.1). If the connection setup using the normal system IP address fails or the DP300 IP address is dynamic and unknown, you can use the default IP address for the upgrade.

Step 2 Use Telnet to log in to the DP300 and run mnt upgswitch on to enable the mini system upgrade function.
NOTE
By default, the mini system upgrade function is disabled.

Step 3 Extract the compressed file of the upgrade software on the computer.

Step 4 Run the upgrade program UpgMaster.exe.
The upgrade dialog box is displayed.

Step 5 (Optional) Click Browse. Find and select the file in .dat format.
NOTE
By default, the path of the .dat file is displayed in Upgrade File.

Step 6 In Remote Teminal IP Address, enter your DP300 IP address, for example, 192.168.1.1. Then click Upgrade.

Step 7 In the displayed dialog box, enter the upgrade password and click OK.

Step 8 Restart the DP300.

----End

2.14 U-Boot Operations

Step 1 Use a serial cable to connect the serial port on the computer to the COM serial port on the DP300.

Step 2 Start the serial port tool and set information such as the serial port number and baud rate.
Set the baud rate to 115200.

Step 3 Start the DP300. When the interface shown in Figure 2-10 is displayed on the serial port tool, press Ctrl+C repeatedly until Password: is displayed.

Figure 2-10 Starting the system

Step 4 Enter the password to the U-Boot system as shown in Figure 2-11. The default password is 12345678.
To improve device security, set a password at your first login and regularly change the password afterward. Use the passwd command to change the password. The new password must be a string of eight characters, consisting of digits, letters, and special characters.

Figure 2-11 Enter password

Step 5 Enter the command as shown in Figure 2-12. For details, see the HUAWEI DP300 Desktop Presence V500R002C00 Command Reference.

Figure 2-12 Enter command

----End

2.15 Verifying a Digital Signature

To prevent software packages from being maliciously corrupted or damaged during transmission and to protect the carrier's network security, verify software package integrity after obtaining the packages. Only verified software packages can be deployed.
Background

Each software package corresponds to one digital signature file. A digital signature file is a .asc file named after a software package. For example, the digital signature file for the software package HUAWEI-DP300.exe is HUAWEI-DP300.exe.asc.

Procedure

1. Obtain the verification tool package.
   Open http://support.huawei.com/enterprise/toolsinfo?lang=en to enter the Tools and Resources page.
2. Under Tools and Resources, choose Tools software > Enterprises Common > Software digital signature (OpenPGP) validation tool > V100R001C00.
3. Refer to the OpenPGP Signature Validation Guide to verify software package integrity.

2.16 Importing a Certificate

You can import client, server, SiteCall and 802.1x authentication certificates into your DP300 from the DP300 web interface. These certificates can be used to identify users, certificate authorities, and servers to improve communication security. For example, a client certificate is required when your DP300 registers with the SIP server using the Transport Layer Security (TLS) protocol.

NOTICE
Before importing a certificate, make sure it is issued by a security authority to prevent security risks.

Step 1 Choose System Settings > Installation. The Installation page is displayed.

Step 2 Click Import Certificate. The Import Certificate dialog box is displayed.

Step 3 Click Select File to select the certificate you want to import.

Step 4 Select the desired certificate type.
- To import a certificate for authentication calls and when the DP300 functions as the server, select Server certificate.
- To import a certificate for authentication registration or calls and when the DP300 functions as a client (for example, TLS-based registration), select Client certificate.
- To import a certificate used for SiteCall security, select Multipoint conference certificate.
- To import certificates used for 802.1x wired or wireless network authentication, select the desired certificates. When selecting the certificate type, choose the network type, which is Wireless and wired by default.

Step 5 Click Import.

Step 6 Click Return when OK is displayed.

----End
2.17 Importing Web Certificates

To help ensure communication security, import web certificates, including the trusted Certificate Authority (CA) file, local certificate file, local private key file, and local private key password file, to the DP300 through the DP300 web interface.

NOTICE
Professional guidance is required for importing certificates. Make sure the certificate to be imported matches the certificate type selected; otherwise, the DP300 may malfunction.

Step 1 Choose System Settings > Installation.
The Installation page is displayed.

Step 2 Click Import Web Certificate.
The Import Web Certificate dialog box is displayed.

Step 3 Click [icon] and select a certificate type.

Step 4 Click [icon], select the certificate you want to import, and click Import.

Step 5 Click Return when OK is displayed.
After importing the web certificate, click Update Web Certificates and restart the DP300 as prompted for the web certificate to take effect.

----End

2.18 Importing and Exporting Settings

Import and Export Settings on the Web Interface

You can import or export settings on the DP300 web interface to a configuration file. After your DP300 is restored to its default settings, you can import previously exported settings from the configuration file.
NOTE
Keep the configuration file safe to prevent disclosure of personal information.

Step 1 Choose System Settings > Installation. The Installation page is displayed.

Step 2 Click Import/Export Settings. The Import/Export Settings page is displayed.

Step 3 Click Import Settings to import or Export Settings to export system settings.
The web administrator password is required when you import the configuration file. After the configuration file is imported successfully, the DP300 automatically restarts for the configuration file to take effect.

----End
Import Settings on the USB Device

NOTICE
Use the USB device to import the configuration file only in videoconferencing mode.

Step 1 Use the USB configuration tool to import the configuration file to a USB device.

Step 2 Insert the USB device into the DP300's USB port.

Step 3 Using the remote control or on the touchscreen, enter the administrator password as prompted.
NOTE
When compressing the configuration file, set the password to the same as the administrator password; otherwise, the configuration file cannot be imported to your DP300. If the administrator password is empty, set the password to 123455678, which is the default password for the administrator.
The DP300 restarts automatically.

Step 4 After the restart is complete, remove the USB device.

----End
3 System Layer Security

Security maintenance of the system layer ensures the smooth operation of the operating system, which supports the operation of the application layer. The DP300 uses Linux, which is more secure and immune to viruses than Windows.

Patches are released regularly. To improve system security, it is recommended that users download the latest patches at http://e.huawei.com regularly and apply them after performing antivirus checks.
4 Network Layer Security

Figure 4-1 shows the DP300 security networking.

Figure 4-1 DP300 security networking

Over the network:
The DP300 is connected to the Multipoint Control Unit (MCU) through the private network, which connects to different networks through different ports. The DP300s in the private or public network can join the conference even if you do not change H.323 protocol or the firewall settings (such as opening the port).
5 Management Layer Security

This chapter describes some management recommendations on users' daily security maintenance and can be referred to when users set the rules on security management.

5.1 Principles of System Security Maintenance

5.1.1 Account Management
- Manage the accounts strictly.
- Control the permissions of accounts of different levels. Only users of higher levels can change the passwords for users of lower levels.

5.1.2 Permission Management
- Minimize permissions to the system service and permissions of accounts.
- Strictly control the operation authorization on the web interface.

5.1.3 Auditing Principles
- Use logs and other feasible methods to monitor operations on the DP300.
- Audit the failed access to the system's important resources.
- Audit the successful access to the system's important resources.
- Audit the failed and successful access control strategy modification.

5.2 Guidelines for Password Security Maintenance

User identities must be authenticated before users can log in to application systems. The complexity and validity periods of accounts and passwords can be configured according to system security requirements. Guidelines for password security maintenance are as follows:
- Change the password periodically to prevent risks.
- Designate specialist personnel to manage the administrator account and password.
- Encrypt passwords during data transmission.
- Remind users to change their passwords after system deployment.
- Change passwords periodically. Do not use the default passwords or any of the last five passwords used.

5.3 Logs Maintenance Recommendations

Use logs to identify suspicious activities. The system must record the operations, such as system parameter settings and conference calls, in the logs. Reinforce the system to protect the logs.

5.3.1 Checking Logs Regularly
Check the system logs, application logs, and security logs regularly and report to the department of a higher level once abnormal logs are found. Ask the local representative office for help if the issues cannot be located or resolved.

5.3.2 Backing Up Logs Regularly

Back up logs regularly by exporting them manually and store the logs on devices, such as the disc, tape, or compact disc. The system supports a maximum of 100,000 logs. Once the number of logs exceeds 100,000, new logs will replace the old ones. Users must therefore back up logs in a timely manner.

5.4 Guidelines on Signaling Diagnostics

You are obligated to take considerable measures, in compliance with the laws of the countries concerned and the user privacy policies of your company, to ensure that the personal data of users is fully protected. The signaling diagnostics on the DP300 may contain personal information. To protect information security, make sure that your account is secure and properly managed. Use the signaling diagnostics only for problem identification and delete them immediately after use.

5.5 Security Evaluation Recommendations

You are advised to look for a qualified organization to evaluate the system security and contact Huawei technical support engineers when problems occur during the evaluation.

5.6 Backup Recommendations

In the following scenarios, back up the logs to ensure security.
- Before daily security maintenance, and before and after the system troubleshooting.
- Before patch installation and DP300 upgrade. For details about the upgrade, see the HUAWEI DP300 Desktop Presence V500R002C00 Administrator Guide.

5.7 Defects Feedback Recommendations

You are advised to give feedback to Huawei once a security incident happens when the DP300 is used. Huawei will take the following actions accordingly.
- If a security incident happens, Huawei technical support engineers will support customers remotely or on site to reduce the impact on the system and improve the report on the accident treatment.
- If no security incident happens, Huawei technical support engineers record defects in the database and send them to the R&D team. Once the R&D team prescribes a solution, the technical support engineers will analyze the solution's possible impact on the site operations and provide a final solution.
5.8 Common Measures Against Attacks
- Deploy firewall devices on the network where the DP300 is located.
- Disable protocols that may expose the DP300 to attacks, such as Telnet and SSH. By default, Telnet and SSH are disabled. To check the settings of Telnet and SSH, choose System Settings > Security > SSH/Telnet on the DP300 web interface.
- If the DP300 is deployed on a public network, power off the DP300 when it is not in use.

5.9 Security Emergency Response Mechanism

Users need to build a security emergency response mechanism to ensure that the system can immediately respond to security issues and return to proper operations to minimize losses.

5.10 Security Emergency Response Email Address

Contact the Huawei Product Security Incident Response Team (PSIRT) via PSIRT@huawei.com if you wish to:
- Provide feedback on vulnerabilities of Huawei products.
- Obtain emergency response service from Huawei.
- Obtain information about vulnerabilities of Huawei products.

Encrypt the files that contain sensitive information before sending them. Go to http://www.huawei.com/en/security/psirt/about-huawei-psirt/index.htm to obtain the encryption key.

A Appendix

The communication matrix is used for checking the firewall strategy. For details, see the HUAWEI DP300 Desktop Presence V500R002C00 Communication Matrix.
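
An added example, not part of the Huawei manual: one way to carry out the firewall check that section 5.8 and this appendix describe, comparing a firewall's allow rules against the communication matrix and flagging any rule that exposes Telnet or SSH. The `proto/port-range` rule syntax, the function names, and the sample matrix entries are constructed assumptions, not the real DP300 communication matrix.

```python
from typing import NamedTuple

REMOTE_LOGIN = {22: "SSH", 23: "Telnet"}  # section 5.8: keep both disabled

class Flow(NamedTuple):
    proto: str  # "tcp" or "udp"
    lo: int     # first port of the range
    hi: int     # last port of the range (inclusive)

def parse_flow(text):
    """Parse 'tcp/443' or 'udp/10000-10020' (assumed rule syntax)."""
    proto, _, ports = text.strip().lower().partition("/")
    lo, _, hi = ports.partition("-")
    flow = Flow(proto, int(lo), int(hi or lo))
    if proto not in ("tcp", "udp") or not 0 < flow.lo <= flow.hi <= 65535:
        raise ValueError(f"bad flow: {text!r}")
    return flow

def uncovered(rule, matrix):
    """Return the port sub-ranges of `rule` that no matrix entry covers."""
    gaps, start = [], rule.lo
    for m in sorted(f for f in matrix if f.proto == rule.proto):
        if m.hi < start or m.lo > rule.hi:
            continue  # entry lies entirely outside the part still unchecked
        if m.lo > start:
            gaps.append((start, m.lo - 1))
        start = max(start, m.hi + 1)
    if start <= rule.hi:
        gaps.append((start, rule.hi))
    return gaps

def audit(rules, matrix):
    """List every allow rule that is wider than the matrix or opens SSH/Telnet."""
    allowed = [parse_flow(m) for m in matrix]
    findings = []
    for text in rules:
        rule = parse_flow(text)
        for lo, hi in uncovered(rule, allowed):
            span = str(lo) if lo == hi else f"{lo}-{hi}"
            findings.append(f"{text}: {rule.proto}/{span} not in communication matrix")
        if rule.proto == "tcp":
            for port, name in REMOTE_LOGIN.items():
                if rule.lo <= port <= rule.hi:
                    findings.append(f"{text}: exposes {name} (tcp/{port})")
    return findings

# Constructed sample data; replace with entries from the real matrix and firewall.
SAMPLE_MATRIX = ["tcp/443", "udp/10000-10020"]
SAMPLE_RULES = ["tcp/443", "tcp/20-25", "udp/10000-10030"]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_RULES, SAMPLE_MATRIX)))
```

An empty result means every allow rule falls inside the matrix and none reaches the Telnet or SSH ports.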

B Default Settings

To better use your DP300, get to know the default values of common user names and passwords.

NOTE
To secure your account, it is recommended that you change the password upon the first login and regularly change the password afterwards.

Table B-1 lists the default user names and passwords for the DP300.

Table B-1 Default user names and passwords

| Item | Default Setting |
|---|---|
| Administrator password for the display | 12345678. |
| Administrator password for the remote controlled UI | 12345678. |
| Administrator user name and password for the DP300 web interface | The default user name and password are admin and Change_Me respectively. |
| User name and password for connecting the third party (for example, a touch panel or SMC2.0) to the DP300 | The default user name and password are api and Change_Me respectively. |
| Upgrade password | Change_Me. |
| Air content sharing password | Change_Me. |
| User name and password for logging in to the DP300 in SSH/Telnet mode: debug user | The default user name and password are debug and Change_Me respectively. |
| User name and password for logging in to the DP300 in SSH/Telnet mode: common user | The default user name and password are admin and Change_Me respectively. |
| User name and password for logging in to the DP300 in SSH/Telnet mode: common user | The default user name and password are user and Change_Me respectively. |
| User name and password for logging in to the DP300 in SSH/Telnet mode: special user | The default user name and password are apiuser and Change_Me respectively. |
| User name and password for logging in to the DP300 in SSH/Telnet mode: test user | The default user name and password are test and Change_Me respectively. |
| User name and password for connecting the DP300 to a web-based diagnostics tool | The default user name and password are admin and Change_Me respectively. |
| User name and password for logging in to the DP300 in serial port mode | The default user name and password are root and Change_Me respectively. |
| U-Boot password | 12345678. |
| Default IP address after the DP300 is restored to its default settings | 192.168.1.1. |
| Information required for the network management system to connect to the DP300 through SNMP V2: Get community name | Change_Public. |
| Information required for the network management system to connect to the DP300 through SNMP V2: Set community name | Change_Private. |
| Information required for the network management system to connect to the DP300 through SNMP V2: Trap community name | Change_Me. |
| Account, password, and protocol required for the network management system to connect to the DP300 through SNMP V3: User name | v3user. |
| Account, password, and protocol required for the network management system to connect to the DP300 through SNMP V3: Authentication protocol | SHA. |
| Account, password, and protocol required for the network management system to connect to the DP300 through SNMP V3: Authentication password | Change_Me. |
| Account, password, and protocol required for the network management system to connect to the DP300 through SNMP V3: Encryption protocol | AES. |
| Account, password, and protocol required for the network management system to connect to the DP300 through SNMP V3: Encryption password | Change_Me. |
