Bosch 7100i-2MP OC Quick Start Manual Download Page 11 | Manualshive

Page: 11 / 14

background image

IP Camera Hardening and Cybersecurity Guide |

Secure Configuration and Operation

11 |

14

Data subject to change without notice | August 22

Security Systems / Video Systems

SIEM System

A Security Information and Event Management (SIEM) system is used to collect and analyse information from different
devices and systems. The cameras can be integrated with a SIEM system by sending the logs via syslog protocol.
Analysing these logs can help with maintenance, detect configuration errors or attacks on the camera (e. g. false logins).

PKI

PKI or Public Key Infrastructure refers to the systems needed to generate and manage digital certificates. For HTTPS,
network authentication with 802.1x, user authentication with certificates and other encryption functions, custom certificates
can be installed on the camera. The most secure variant of certificate deployment is to generate a signing request on the
camera and request a certificate from an internal or external CA (certification authority). This way the private key of the
certificate never leaves the device and is securely stored in the Secure Element (SE) of the camera.

AD FS

Active Directory Federation Services (AD FS) is a service offered by Microsoft, allowing authentication to a local Active
Directory (using an AD FS server) or to the Azure Cloud. Besides local user authentication with either passwords or
certificate-based authentication, integration of the cameras into an Active Directory Domain is possible with AD FS to
authenticate and mange user access centrally.

«
...
9
10
11
12
13
...
»

Summary of Contents for 7100i-2MP OC

Page 1: ...ersecurity Guide Secure Configuration and Operation 1 14 Data subject to change without notice August 22 Security Systems Video Systems IP Camera Hardening and Cybersecurity Guide Secure Configuration and Operation of IP Cameras ...

Page 2: ...eature Description and Hardening Decisions 5 Defense in Depth 8 Firmware protection 8 Authentication Access Control 8 Network Layer 9 Operational Environment 10 Physical Security 10 Network Separation 10 Network Authentication 10 Central configuration 10 SIEM System 11 PKI 11 AD FS 11 Security Maintenance Activities 12 Checking of Log files 12 Check for Updates 12 Check for Security Advisories 12 ...

Page 3: ...ings to allow easy integration into existing environments Even though it is recommended to reach the settings as shown below Level 2 there can be limitations of the operational environment that mandates the use of a certain protocol or feature which is less secure e g SNMPv1 The Reasoning chapter describes why a certain protocol should be enabled or disabled to allow a better informed choice Harde...

Page 4: ...led Discovery Enabled Enabled Disabled ONVIF discovery Enabled Enabled Disabled GBT 28181 Disabled Disabled Disabled Password reset mechanism Enabled Disabled Disabled Ping response Enabled Enabled Disabled RTSPS Enabled Enabled Enabled Network Network Access Minimum TLS version 1 0 1 2 1 2 HSTS Disabled Enabled Enabled Network Advanced 802 1x Disabled Optional Enabled Syslog Disabled TCP TLS Netw...

Page 5: ...s is the configuration protocol for Bosch IP cameras Plain RCP is unencrypted so settings are transferred unencrypted All Bosch tools now use RCP over HTTPS communication for some time but it might be needed for 3rd party integration tools or scripting tools still relying on this protocol Recommendation Disable RCP if not used by 3rd party tools or legacy systems SNMPv1 SNMP is the common network ...

Page 6: ...eeded it is recommended to disable this feature Ping Response Configures if the camera answers to ping requests in the network Can help with debugging in a high secure network this can be disabled to avoid device enumeration via ping sweep although there are several other means of device discovery that can be used by an attacker Recommendation Risk based approach can be disabled for high security ...

Page 7: ...rk subnets can be defined that are allowed to access the camera It is recommended to define the computers or networks accessing the camera here Recommendation It is recommended to use the IP filter to define allowed hosts or networks Date Time For having the correct timestamp on logs and video data is it recommended to sync the time to a central timeserver Both SNTP and TLS date can be used to ach...

Page 8: ...ware root of trust This prevents an attacker to modify bootloader or firmware on the device Authentication Access Control 3 2 1 User Authentication Bosch IP cameras support different methods of authentication Pre configured is password based authentication with three different roles that can be assigned to a user Optional certificate based authentication or ADFS integration into an active director...

Page 9: ...traffic when using HTTPS HSTS HTTP Strict Transport Security HSTS protects against man in the middle attacks and protocol downgrade attacks For more details see chapter 1 RTSPS RTSPS is the encrypted variant of RTSP providing a secure means of transporting video data 3 3 2 Least Protocol It is recommended to activate only the protocols that are needed for operation of the camera All other protocol...

Page 10: ...ation The network in which the cameras are operated should support network authentication with 802 1x to allow only valid devices and actors on the network Central configuration The cameras can not only be configured locally via web based interface but there are several possibilities to centralize management 4 4 1 Configuration Manager The Configuration Manager offers the possibility to manage one...

Page 11: ...ntication with 802 1x user authentication with certificates and other encryption functions custom certificates can be installed on the camera The most secure variant of certificate deployment is to generate a signing request on the camera and request a certificate from an internal or external CA certification authority This way the private key of the certificate never leaves the device and is secu...

Page 12: ... it is advised to send the logs of the camera to a syslog server or a SIEM system as each camera will reserve a fixed space for logging internally but will overwrite older logs if that space is filled Check for Updates The device should be always updated to the latest firmware version to include security or functional fixes To get more information about the release cycle of firmware versions as we...

Page 13: ...tificates and the respective keys that were stored in the TPM or secure element will also be deleted It is recommended to set devices to factory default also in case that they must be moved into another installation that may use other credentials or certificates Reporting Security Vulnerabilities It is an essential part of the Bosch Quality Promise that we provide product security and protect our ...

Page 14: ...cure Configuration and Operation 14 14 Data subject to change without notice August 22 Security Systems Video Systems Bosch Sicherheitssysteme GmbH Robert Bosch Ring 5 85630 Grasbrunn Germany www boschsecurity com Bosch Sicherheitssysteme GmbH 2022 ...

Reviews:

No comments

Related manuals for 7100i-2MP OC

Brand: OCO Pages: 11

Brand: D-Link Pages: 8

Lumix H-FS14140

Brand: Panasonic Pages: 28

Brand: Rae Pages: 49

Brand: UbiBot Pages: 11

Brand: Eneo Pages: 52

Brand: Response Pages: 38

Brand: System Sensor Pages: 2

Brand: ACTi Pages: 2

MAXXUM 2XI - PART 1

Brand: Minolta Pages: 24

Brand: Tasco Pages: 24

EAGLE EYES CAMIP12N

Brand: Velleman Pages: 63

Brand: Avigilon Pages: 31

Brand: Idis Pages: 8

Brand: Duevi Pages: 19

Surveillance Detector

Brand: Mini Gadgets Pages: 2

Brand: Ganz Pages: 4

Brand: Walimex Pro Pages: 32

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands