Security
Access Code
When Access Code is enabled, the user will be asked to enter an
access code before he/she can make a call. The system will verify
if the entered access code is valid by checking the code with the
allowed codes listed in the access.txt file on the ftp-server in the
system. If no access.txt file is uploaded, registration of the code
will be done without validation. Read more about Access Codes in
Call Control with Access Codes.
Administrator Password
Access to the Control Panel menus on the video system can
be controlled by using password protection. An Administrator
Password can be set in Menu Settings, in Security or from the
dataport:
menupassword set <pin-code>
The pin-code should be a maximum of 5 (five) digits. To erase the
password, enter an empty pin-code.
Codec Password
To set or change the password that controls the access to the
codec, you need to log into the Command Line Interface. Type
xConfiguration SystemUnit Password: <S: 0, 16>
where <S: 0, 16> is a password with zero to 16 characters.
Streaming password
By setting a streaming password in the streaming menu on the
system, a password has to be entered on the streaming client to be
able to see the video stream from the system.
IP Password
By setting an IP Access Password on the system, all access to
the system using IP (Telnet, FTP and WEB) requires a password.
This password can be enabled from telnet or dataport using the
command:
ippassword <ip-password>
The default IP user name and password is “TANDBERG”. To remove
this password, use the command “ippassword”. From telnet, this is
only possible by first entering the correct password.
IP Services
The different IP services on the system - FTP, Telnet, Telnet
Challenge, HTTP, HTTPS, SNMP, SSH, H.323 and SIP can be
disabled to prevent access to the system. By using the commands
below, the services can be independently enabled/disabled:
xconfiguration Telnet/TelnetChallenge/FTP/HTTP/HTTPS/SSH/H323 Mode: <On/Off>
xconfiguration TelnetChallenge Mode: <On/Off> [port]
xconfiguration SNMP Mode: <On/Off/ReadOnly/TrapsOnly>
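An added example, not part of the Cisco manual: a Python check that reads service-mode lines written in the command syntax shown above and reports the ones that deviate from a baseline, together with the command that would correct each. The baseline (Telnet, FTP and HTTP off, SNMP not set to On), the dump format and the sample input are assumptions made for illustration.

```python
import re

# Allowed values per service, from the command syntax on this page.
ALLOWED = {s: {"On", "Off"} for s in
           ("Telnet", "TelnetChallenge", "FTP", "HTTP", "HTTPS", "SSH", "H323")}
ALLOWED["SNMP"] = {"On", "Off", "ReadOnly", "TrapsOnly"}

# Assumed site baseline (not from the manual). The first value in each
# tuple is the one used in the suggested fix command.
BASELINE = {
    "Telnet": ("Off",),
    "FTP": ("Off",),
    "HTTP": ("Off",),
    "SNMP": ("ReadOnly", "Off", "TrapsOnly"),
}

LINE = re.compile(r"^\s*xconfiguration\s+(\w+)\s+Mode:\s*(\w+)", re.I)

def audit(dump):
    """Return (findings, fix_commands) for a text dump of service modes."""
    seen, findings, fixes = {}, [], []
    for raw in dump.splitlines():
        m = LINE.match(raw)
        if not m or m.group(1) not in ALLOWED:
            continue
        service, value = m.groups()
        if value in ALLOWED[service]:
            seen[service] = value
        else:
            findings.append(f"{service}: unrecognised mode {value!r}")
    for service, accepted in BASELINE.items():
        value = seen.get(service)
        if value is None:
            # Unknown state is reported, never assumed to be safe.
            findings.append(f"{service}: no valid mode found in dump")
        elif value not in accepted:
            findings.append(f"{service}: {value}, expected {'/'.join(accepted)}")
            fixes.append(f"xconfiguration {service} Mode: {accepted[0]}")
    return findings, fixes

# Constructed sample input, not captured from a real system.
SAMPLE = """\
xconfiguration Telnet Mode: On
xconfiguration FTP Mode: Off
xconfiguration HTTP Mode: On
xconfiguration HTTPS Mode: On
xconfiguration SSH Mode: On
xconfiguration SNMP Mode: On
"""

if __name__ == "__main__":
    findings, fixes = audit(SAMPLE)
    print("\n".join(findings + fixes))
```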
SNMP Security alert
This function will notify any Management Application (such as
TMS - Cisco TelePresence Management Suite) if anyone tries
to perform Remote Management on the system using an illegal
password.
The Security alert that is sent to the Management Application will
contain information about the IP address and the service (WEB,
Telnet, FTP) being used for the attempt. If TMS is used, email
notifications or alarms about the attempt can be sent to specified
persons.
Encryption
All Cisco systems support both AES and DES encryption. By
default this feature is enabled such that when connecting with
any other video system or MCU, a Cisco system will attempt to
establish a secure conference using AES or DES encryption. The
Cisco system will attempt this for both IP and ISDN connections.
Where a remote system or MCU supports encryption, the highest
common encryption algorithm will be selected on a port-by-port
basis.
The type and status of the encryption negotiated is indicated by
padlock symbols and on-screen messages. Encryption on the
Cisco systems is fully automatic, and provides clear security status
indicators:
• An open padlock indicates that encryption is being initialized,
  but the conference is not yet encrypted.
• Single padlock indicates DES encryption.
• Double padlock indicates AES encryption.
In addition to on-screen indicators the Call Status menu provides
two information fields regarding call encryption. The first field is
the Encryption Code, which will identify either AES or DES. The
second field is the Encryption Check Code and is comprised of
an alphanumeric string. This string will be the same for systems
on either side of an encrypted conference. If the Check Codes do
not match, this would indicate that the call has been exposed to a
“Man In The Middle” attack.
When a system with MultiSite functionality hosts a conference,
the highest possible encryption algorithm will be negotiated on a
site-by-site basis. MultiSite conferences can therefore support a
mix of AES and DES encrypted endpoints in the same conference.
A conference will be as secure as its weakest link.
All systems supporting DES encryption can upgrade to AES
encryption. Please contact your Cisco representative for more
information.
The standards supporting the encryption mechanisms are:
AES, DES, H.233, H.234 and H.235 (H.235v3 & v2 for backwards
compatibility) with extended Diffie-Hellman key distribution via
H.320, H.323 and Leased Line connections.
The AES implementation is validated as conforming to the
Advanced Encryption Standard (AES) Algorithm, as specified
in Federal Information Processing Standard Publication 197,
Advanced Encryption Standard, by The National Institute of
Standards and Technology (NIST).
IEEE 802.1x/EAP (Extensible Authentication Protocol)
This is a standard for authentication and authorization of units/
systems onto the network.
Static configuration
• System ID and Password
• Anonymous ID for encryption challenge
• Enable methods
Supported methods
• MD5 (simple challenge)
• PEAP (encrypted channel)
• TTLS
Note that 802.1x wireless LAN is not supported.
Cisco TelePresence MXP Series
Administrator guide
D14791.01 MXP Series Administrator Guide F90, August
2011.
Copyright © 2010-2011 Cisco Systems, Inc. All rights reserved.
www.cisco.com