Hikvision Network Security Hardening Guide

v1.0 April 2017


About This Document

This document provides information and explains measures that users can take to secure network devices and improve network security.

Trademarks Acknowledgement

Hikvision® and other Hikvision trademarks and logos are the properties of Hikvision in various jurisdictions. Other trademarks and logos mentioned below are the properties of their respective owners.

Contact Information

No. 555 Qianmo Road, Binjiang District, Hangzhou 310052, China

Tel: +86-571-8807-5998

Fax: +86-571-8993-5635

Email: [email protected]; [email protected]

Technical Support: [email protected]

HSRC (Hikvision Security Response Center) Email: [email protected]


Table of Contents

Introduction
Passwords
What is a firewall?
About the protection levels
Default protection
Standard protection
  Activate the device by setting a strong password
  System restoring and upgrading
Enterprise protection
  Enable encryption
  User access control
  Disable UPnP
  Disable QoS
  Disable multicast video
  Set IP address filter
  Lock illegal login IP address
  Disable SSH
Managed enterprise protection
  Access to IEEE 802.1x network
  Choose SNMP v3
  Firewall setup on router
  Create a port forwarding rule
Conclusion


Introduction

Hikvision network devices, like any other network devices, may be exposed to cyber security risks. To protect the network from these risks, Hikvision takes measures such as disabling the Telnet and FTP interfaces and adopting the security activation mechanism, under which a device cannot be used until a password has been set for it.

Note: This document is written as a general guideline. The appropriate measures may differ depending on the application scenario.

Passwords

How do you create a strong password? The common guidelines for choosing a strong password are well known:

• Include numbers, symbols, upper case and lower case letters.
• Make the password at least eight characters long; longer is better.
• Avoid any password based on repetition, dictionary words, letter or number sequences, user names, relative or pet names, or biographical information (such as a birthday).

The Password Phrase Method: the phrase method is an easy way to remember complicated passwords that are hard to crack. To use the Password Phrase Method:

• Choose a phrase that contains numbers.
• Use only the first letter of each word.
• Keep the case of each letter just as it appears in the phrase.
• Use actual numbers whenever possible: "2" for "two" or "to" and "4" for "four" or "for".
• Include punctuation.

Take the following phrase as an example: "My flight to New York will leave at three in the afternoon!" Using the Password Phrase Method explained above, the password becomes "MftNYwla3ita!". Note that this example keeps "to" as the letter "t"; applying the number rule to it as well would give "Mf2NYwla3ita!". Either is fine, as long as you apply the method consistently so that you can reproduce the password from the phrase.


Some general password/security tips

• Avoid using dictionary words in any language.
• Avoid sequences or repeated characters.
• Change your password on a schedule.
• Do not allow the browser (for example Internet Explorer) to store passwords.
• Do not type passwords on computers that you do not control.
• Never provide your password via email.
• Never respond to an email asking for personal information. (Banks will never ask you for your personal information in an email.)
• Patch and update the software you use on a regular basis.
• Use caution when opening email attachments.
• Limit the amount of personal information you post about yourself.
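The two password rules on this page, the Password Phrase Method above and the activation rule the guide states later (at least eight characters drawn from at least three of the four classes upper case, lower case, digit, special character), as an added Python example. This is not Hikvision code; the checks for three identical characters in a row and for four sequential characters are an assumption added here to match the guide's advice to avoid repetition and sequences, and the `homophones` switch exists because the guide's own worked example keeps "to" as "t".

```python
"""Password helpers for the rules in this guide (added example, not Hikvision code)."""
import re
import string

# Number words the guide says to replace with digits.  "to"/"for" are the
# homophones it mentions; the guide's own worked example keeps "to" as "t",
# so they are only substituted when homophones=True.
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}
HOMOPHONES = {"to": "2", "too": "2", "for": "4"}


def phrase_password(phrase: str, homophones: bool = False) -> str:
    """Password Phrase Method: first letter of each word in its original case,
    number words as digits, punctuation kept where it appears."""
    out = []
    for token in phrase.split():
        word = token.strip(string.punctuation)
        if not word:                      # token is pure punctuation: keep it
            out.append(token)
            continue
        start = token.index(word)
        lead, trail = token[:start], token[start + len(word):]
        key = word.lower()
        if key in NUMBER_WORDS:
            core = NUMBER_WORDS[key]
        elif homophones and key in HOMOPHONES:
            core = HOMOPHONES[key]
        elif word[0].isdigit():
            core = word                   # the phrase already contained a number
        else:
            core = word[0]
        out.append(lead + core + trail)
    return "".join(out)


def has_sequence(pw: str, length: int = 4) -> bool:
    """True if `length` consecutive characters ascend or descend by one
    ("abcd", "4321"); case-insensitive."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - length + 1):
        diffs = {b - a for a, b in zip(codes[i:i + length], codes[i + 1:i + length])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def password_problems(pw: str, min_len: int = 8, min_classes: int = 3) -> list:
    """Check a password against the device activation rule (length and
    character classes) plus the assumed repetition/sequence checks.
    Returns the list of violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    if sum(classes) < min_classes:
        problems.append(f"only {sum(classes)} of 4 character classes, need {min_classes}")
    if re.search(r"(.)\1\1", pw):
        problems.append("three identical characters in a row")
    if has_sequence(pw):
        problems.append("four sequential characters")
    return problems


def is_strong(pw: str) -> bool:
    return not password_problems(pw)


if __name__ == "__main__":
    phrase = "My flight to New York will leave at three in the afternoon!"
    for candidate in (phrase_password(phrase), phrase_password(phrase, homophones=True), "password"):
        print(candidate, password_problems(candidate) or "OK")
```

`password_problems` returns every violated rule rather than a single yes/no so that an activation form can tell the user what to fix; the device itself only enforces the length and class-count rule, so the repetition and sequence checks are client-side hygiene, not something the device will reject.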

What is a firewall?

The short answer is this: a firewall intercepts all communications between you and the Internet and decides whether each connection is allowed to pass through to you. The right starting point is to block all traffic, both in and out; this is what we call "deny all by default". In this state it is as if your computer were not even connected to the Internet. While this is a very safe state to be in, it is not very useful, so you create a set of rules that tell the firewall what you consider safe; everything else is, by default, considered not safe. Every rule that allows traffic in or out punches a tiny hole in the firewall for that traffic to flow through, which is why many Internet users call creating rules "pinholing your firewall". The more pinholes you create, the less secure your network becomes, so create only as many pinholes, or rules, as you actually need.


About the protection levels

This guide uses different protection levels depending on system size and needs. Each level assumes that the previous level's recommendations are followed.

Level 0: Default protection
  Recommended for: demo purposes and test scenarios only.
  Procedures: N/A

Level 1: Standard protection
  Recommended for: the minimum recommended level of protection. This level is adequate for small businesses or office installations where, typically, the operator is also the administrator.
  Procedures: Activate the device by setting a strong password; System restoring and upgrading; Configure basic network settings.

Level 2: Enterprise protection
  Recommended for: corporations that have a dedicated system administrator.
  Procedures: Enable encryption; User access control; Disable UPnP; Disable QoS; Disable multicast video; Set IP address filter; Lock illegal login IP address; Disable SSH.

Level 3: Managed enterprise protection
  Recommended for: large network infrastructure with an IT/IS department, and environments where devices may need to be integrated into an enterprise network infrastructure.
  Procedures: Access to IEEE 802.1x network; Configure SNMP monitoring; Firewall setup on router; Create a port forwarding rule.


Default protection

Network devices are delivered with predefined default settings and a default password. Adjust the settings to meet the challenges of the network environment and the result of a risk analysis; a device left on its default settings belongs only in a demo or test network.


Standard protection

The standard protection level is the minimum recommended level of protection. This level is adequate for small businesses or office installations where, typically, the operator is also the administrator.

Activate the device by setting a strong password

You are required to activate the device by setting a strong password for it before you can use the device.

Activation via web browser, activation via SADP, and activation via client software are all supported.

Activate via web browser

Steps:

1. Power on the device and connect it to the network.

2. Enter the IP address in the address bar of the web browser and press Enter to open the activation interface.

Notes:

• The default IP address of the device is 192.168.1.64.

• The device enables DHCP by default, so its IP address may have been allocated automatically. In that case, locate and activate the device via the SADP software; see Activation via SADP below.


3. Create a password and enter it in the password field.

4. Confirm the password.

5. Click OK to save the password and enter the live view interface.

Activate via SADP software

The SADP software is used for detecting online devices, activating devices, and resetting passwords.

Get the SADP software from the supplied disk or the official website and install it according to the prompts. Follow the steps below to activate the device.

Steps:

1. Run the SADP software to search for online devices.

2. Check the device status in the device list and select the inactive device.

STRONG PASSWORD RECOMMENDED: We highly recommend you create a strong password of your own choosing (using a minimum of eight characters, including at least three of the following categories: upper case letters, lower case letters, numbers, and special characters) in order to increase the security of your product. We also recommend that you reset your password regularly; resetting the password monthly or weekly can better protect your product.


3. Create a password, enter it in the password field, and confirm the password.

4. Click OK to save the password.

You can check whether activation completed in the pop-up window. If activation failed, make sure that the password meets the requirements and try again.

5. Change the device IP address to the same subnet as your computer, either by modifying the IP address manually or by checking the Enable DHCP checkbox.


6. Enter the password and click Save to apply your IP address modification.

Activate via client software

The client software is versatile video management software for many kinds of devices.

Get the client software from the supplied disk or the official website and install it according to the prompts. Follow the steps below to activate the device.

Steps:

1. Run the client software; the control panel of the software opens, as shown in the figure below.


2. Click the Device Management icon to enter the Device Management interface, as shown in the figure below.

3. Check the device status in the device list and select an inactive device.

4. Click the Activate button to open the Activation interface.


5. Create a password, enter it in the password field, and confirm the password.

6. Click OK to save the password and start activation.

7. Click the Modify Netinfo button to open the Network Parameter Modification interface, as shown in the figure below.

8. Change the device IP address to the same subnet as your computer, either by modifying the IP address manually or by checking the Enable DHCP checkbox.

9. Enter the password to apply your IP address modification.

System restoring and upgrading

Firmware is the software that enables and controls the functionality of network devices. Always use the latest firmware so that you get all available security updates and bug fixes, and take upgrade files only from the official website or your supplier.

Check the current firmware

Check the current firmware version on the page Configuration > Maintenance > Upgrade & Maintenance.

Upgrade the device to a certain version

Steps:

1. Select Firmware or Firmware Directory to locate the upgrade file.

  Firmware: locate the exact path of the upgrade file.

  Firmware Directory: only the directory containing the upgrade file is required.

2. Click Browse to select the local upgrade file, then click Upgrade to start the remote upgrade.

Note: The upgrade process takes 1 to 10 minutes. Do not disconnect power from the device during the process. The device reboots automatically after the upgrade.

Restore default settings

If you are not sure what has been changed on the device, you can always reset it to the default settings to bring it to a known state.

Steps:

Enter the Maintenance interface: Configuration > System > Maintenance > Upgrade & Maintenance.

• Restore: reset all parameters, except the IP parameters and user information, to the default settings.

• Default: restore all parameters to the factory defaults.

Note: After restoring the factory defaults with Default, the IP address is also reset to the default IP address; be careful with this action.

Configure basic network settings

Steps:

1. Go to Configuration > Network > Basic Settings > TCP/IP.

2. Specify the IP address, subnet mask and default gateway.

3. Save the parameters.


Enterprise protection

The enterprise protection level is about minimizing risks by reducing the possible attack surface of the network device.

Enable encryption

Access the network device using HTTPS, which encrypts the traffic between the client and the device. HTTPS also authenticates the device's web server to the client, which protects against man-in-the-middle attacks, but only when the client actually validates the certificate: either a certificate signed by a CA the client trusts, or a self-signed certificate whose fingerprint has been verified and trusted on the client out of band. A self-signed certificate that users simply click through still encrypts the session but does not prove they are talking to the right device. Perform the following steps to enable HTTPS and set its port number.

E.g., if you set the port number to 443 and the IP address is 192.168.1.64, you can access the device by entering https://192.168.1.64:443 in the web browser.

Steps:

1. Enter the HTTPS settings interface: Configuration > Network > Advanced Settings > HTTPS.

2. Check the Enable checkbox to enable the function.

3. Create a self-signed certificate or install an authorized (CA-signed) certificate.

• Create a self-signed certificate

(1) Select Create Self-signed Certificate as the Installation Method.

(2) Click Create to enter the creation interface.

(3) Enter the country, hostname/IP, validity and other information.

(4) Click OK to save the settings.

Note: If a certificate is already installed, Create Self-signed Certificate is grayed out.

• Install an authorized certificate

(1) Select Create the certificate request first and continue the installation as the Installation Method.

(2) Click Create to create the certificate request, and fill in the required information in the pop-up window.

(3) Download the certificate request and submit it to a trusted certificate authority for signing.

(4) After receiving the signed certificate, import it into the device.

4. Once the certificate has been created or installed, its information is displayed.

5. Click Save to save the settings.

User access control

Set permission levels for users

When you add or modify user settings, you can set a permission level for each user to limit what that user can do on the device. Give each account the lowest level and the fewest permissions its role needs, and keep the admin account for administration rather than day-to-day operation.

Steps:

1. Go to Configuration > System > User Management (the User Management interface).

2. Click Add or Modify to add or modify a user.

3. Set User Name, Level and Password.

4. Check or uncheck the permissions.

5. Click OK to finish.

Disable UPnP

Universal Plug and Play (UPnP™) is a networking architecture that provides compatibility among networking equipment, software and other hardware devices. The UPnP protocol allows devices to connect seamlessly and simplifies the implementation of networks in home and corporate environments. It also lets a device on the LAN ask the router to open port forwards for it automatically, so a device left with UPnP enabled can become reachable from the Internet without anyone creating a firewall rule. If the device is not connected to a hosted video service that requires it, disable UPnP.

Steps:

1. Go to Configuration > Network > Basic Settings > NAT.

2. Uncheck the checkbox to disable the UPnP™ function.

Disable QoS

If Quality of Service (DSCP marking of the device's traffic) is not being used, QoS should be disabled.

Steps:

1. Go to Configuration > Network > Advanced Settings > QoS.

2. To disable QoS, enter the value zero in the QoS DSCP Settings fields.

Disable multicast video

To prevent the device from multicasting video by default, disable multicast video streaming. The device can still multicast video upon request.

Steps:

1. Go to Configuration > Network > Basic Settings > TCP/IP.

2. Clear Enable Multicast Discovery.

3. Click Save.

Set IP address filter

Enabling IP filtering for authorized clients prevents the device from being accessed by any other, unauthorized clients. When using the Allowed type, add the address of the computer you are configuring from before you enable the filter, otherwise you lock yourself out.

Steps:

1. Go to Configuration > System > Security > IP Address Filter.

2. Check the Enable IP Address Filter checkbox.

3. Select the type of IP address filter from the drop-down list: Forbidden (block the listed addresses) or Allowed (accept only the listed addresses).

4. Set the IP address filter list:

(1) Click Add to add an IP address.

(2) Enter the IP address.

(3) Click OK to finish adding.


Lock illegal login IP address

The source IP address is locked if the admin user performs seven failed user name/password attempts (five for an operator/user).

Steps:

1. Go to Configuration > System > Security > Security Service.

2. Check the Enable Illegal Login Lock checkbox. The IP address is then locked after seven failed user name/password attempts for the admin user (five for an operator/user).

Note: Once the IP address is locked, you can try to log in to the device again only after 30 minutes.
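A reference model of the IP address filter and the illegal login lock described in the two sections above, as an added Python example. It is not Hikvision firmware: the thresholds of seven and five attempts and the 30-minute lock are the guide's values, while the per-source-IP counter, the acceptance of CIDR ranges in the filter list, the injectable clock and the assumption that the filter is evaluated before the lock are choices made here so the behaviour can be exercised and tested.

```python
"""Reference model of the IP address filter and the illegal login lock
(added example, not Hikvision firmware)."""
import ipaddress
import time
from collections import defaultdict

# Thresholds stated in the guide.
ADMIN_LIMIT = 7          # failed attempts before the admin user's source IP is locked
USER_LIMIT = 5           # failed attempts for operator/user accounts
LOCK_SECONDS = 30 * 60   # lock duration


class IpFilter:
    """Allowed / Forbidden list as in Configuration > System > Security > IP Address Filter.
    Entries may be single addresses or CIDR ranges (an assumption of this model)."""

    def __init__(self, mode: str, entries):
        if mode not in ("Allowed", "Forbidden"):
            raise ValueError("mode must be 'Allowed' or 'Forbidden'")
        self.mode = mode
        # ip_network() also accepts a bare address, which becomes a /32 (or /128).
        self.networks = [ipaddress.ip_network(e, strict=False) for e in entries]

    def permits(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        listed = any(addr in net for net in self.networks)
        return listed if self.mode == "Allowed" else not listed


class LoginLock:
    """Per-source-IP failure counter with the guide's thresholds.  The clock is
    injectable so the 30-minute expiry can be tested without waiting."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, ip: str) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: forget the old failures so counting starts afresh.
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip: str, username: str, success: bool) -> str:
        """Record one login attempt and return 'locked', 'ok' or 'failed'.
        While locked, even a correct password is refused, as the guide states."""
        if self.is_locked(ip):
            return "locked"
        if success:
            self.failures.pop(ip, None)
            return "ok"
        self.failures[ip] += 1
        limit = ADMIN_LIMIT if username == "admin" else USER_LIMIT
        if self.failures[ip] >= limit:
            self.locked_until[ip] = self.clock() + LOCK_SECONDS
            return "locked"
        return "failed"


def check_login(ip_filter: IpFilter, lock: LoginLock, ip: str, username: str, password_ok: bool) -> str:
    """Assumed evaluation order: the IP filter decides whether the client may
    talk to the device at all, then the lock counts the attempt.
    Returns 'filtered', 'locked', 'failed' or 'ok'."""
    if not ip_filter.permits(ip):
        return "filtered"
    return lock.attempt(ip, username, password_ok)


if __name__ == "__main__":
    allowed = IpFilter("Allowed", ["192.168.1.0/24"])
    lock = LoginLock()
    for n in range(8):
        print(n + 1, check_login(allowed, lock, "192.168.1.50", "admin", False))
    print("outside LAN:", check_login(allowed, lock, "203.0.113.9", "admin", True))
```

The model makes two properties of the control visible that the steps alone do not: the lock is keyed on the source address, so a correct password from the locked address is refused until the 30 minutes elapse, and an attacker who is not on the filter list never reaches the password check at all, so the filter, not the lock, is the control that matters against Internet-wide scanning.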

Disable SSH

Hikvision devices support Secure Shell (SSH), and it is disabled by default. Make sure it is disabled by checking the Security Service configuration interface: Configuration > System > Security > Security Service.

Note: For devices without this configuration interface, SSH is disabled by default.


Managed enterprise protection

Managed enterprise networks are systems that typically have additional management tools and services that the devices need to be aligned with.

Access to IEEE 802.1x network

The IEEE 802.1X standard is supported by the network devices. When the feature is enabled, the device must authenticate itself with a user name and password before it is admitted to a network protected by IEEE 802.1X, so an unauthenticated device plugged into the same switch port is not granted access.

Steps:

1. Go to Configuration > Network > Advanced Settings > 802.1x.

2. Click Enable IEEE 802.1x.

3. Enter the user name and password, then confirm the password.

4. Click Save.

Choose SNMP v3

Steps:

1. Go to Configuration > Network > Advanced Settings > SNMP.

2. Check Enable SNMPv1, Enable SNMPv2c or Enable SNMPv3 to enable the corresponding version. Enable only SNMPv3 unless a legacy monitoring system requires an older version.

3. Configure the SNMP settings.

Note: The settings of the SNMP management software must match the settings you configure here.

4. Click Save to save and finish the settings.

Notes:

• A reboot is required for the settings to take effect.

• To lower the risk of information leakage, enable SNMPv3 instead of SNMPv1 or v2c: v1 and v2c send the community string in clear text, whereas SNMPv3 can authenticate and encrypt each message.


Firewall setup on router

Please keep in mind that all firewall setups are different. The examples below are intended to give a general overview of which ports should be set up in a firewall.

Setup:

1. Go to your router's IP address.

2. Log in to your router.

3. Go to the port forwarding section.


Find the section that mentions protocols, internal and external ports, and a destination IP address or server IP address, such as this:

Create a port forwarding rule

Ports that need to be used for Hikvision:

• 80: web port
• 443: secure web port
• 8000, 10554: for iVMS

To create the port forwarding rule, first set a name for the rule. It is just a reminder of what service you are forwarding the port for.

Under "protocol", select TCP, UDP or Both, depending on which application(s) need port forwarding. If both TCP and UDP are needed, note that some routers only offer a TCP or a UDP option, not Both; on those routers two rules must be created, one for TCP and one for UDP.

On many routers the external port and the destination (internal) port are the same number. Because some lower-numbered ports are used by the system by default, or by specific applications, it is best to choose an external port between 50000 and 65535. If the router lets you set the internal port separately, keep it at the device's service port (for example 443) and map the high external port onto it; if it does not, change the service port on the device to match. An unusual external port reduces noise from automated scanners but is not a security control on its own: every forwarded port is a pinhole reachable from the whole Internet, so forward only the ports you actually need, and only to devices that have been activated with a strong password and are running current firmware.

Finally, for the destination IP address, select the static IP address previously assigned to the device you are forwarding to (the camera, recorder, or PC running the client software).

After that, save the new rule.

On most routers, port forwarding activates immediately. Some routers, though, need a reboot to apply the rule.


Check Port Forwarding

To make sure that port forwarding works correctly, use one of the many free services on the Internet.

First, ensure that the program or device that needs port forwarding is up and running and uses the proper port.

Then navigate to canyouseeme.org, enter the proper port and select "Check Port".

This is a free utility for remotely verifying whether a port is open or closed. It is useful to users who want to verify port forwarding, check whether a server is running, or determine whether a firewall or ISP is blocking certain ports. Because the service connects from the Internet to your public IP address, it tests the whole path (ISP, router rule, device); a connection test from inside the LAN only proves that the device is listening.


Can two devices on the same LAN use the same port forwarding?

A port forwarding rule maps one external port to one internal IP address; you cannot create rules for the same external port that point at two or more IP addresses.

To reach the same service on two different devices, create two rules with two separate external ports, one for each device.
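An audit of a port-forwarding rule set against the advice in this section and the pinhole rule from "What is a firewall?", together with a TCP reachability check of the kind canyouseeme.org performs, as an added Python example. This is not Hikvision code or any router's interface: the service ports (80, 443, 8000, 10554) and the 50000-65535 guidance are the guide's, while the rule record format and the sample rules are constructed for the example.

```python
"""Port-forwarding rule audit and reachability check (added example; not
Hikvision code or any router's interface)."""
import socket
from dataclasses import dataclass

# Device-side ports the guide lists for Hikvision equipment.
HIKVISION_PORTS = {80: "web port", 443: "secure web port", 8000: "iVMS", 10554: "iVMS"}
HIGH_RANGE = range(50000, 65536)     # the external-port range the guide recommends


@dataclass(frozen=True)
class ForwardRule:
    """One row of a router's port-forwarding table (format assumed here)."""
    name: str
    protocol: str        # "TCP", "UDP" or "Both"
    external_port: int   # port open on the WAN side
    internal_port: int   # port the device listens on
    destination: str     # static LAN IP of the device


def expand(rules):
    """Split 'Both' into one TCP and one UDP rule, which is what the guide
    says to do on routers that only offer a single-protocol option."""
    expanded = []
    for r in rules:
        protocols = ("TCP", "UDP") if r.protocol == "Both" else (r.protocol,)
        for p in protocols:
            expanded.append(ForwardRule(r.name, p, r.external_port, r.internal_port, r.destination))
    return expanded


def audit(rules):
    """Return (rule name, problem) pairs; an empty list means the set is clean."""
    problems = []
    owner = {}                               # (protocol, external port) -> destination
    for r in expand(rules):
        if r.protocol not in ("TCP", "UDP"):
            problems.append((r.name, f"unknown protocol {r.protocol!r}"))
            continue
        key = (r.protocol, r.external_port)
        if key in owner and owner[key] != r.destination:
            # The same external port cannot point at two LAN devices.
            problems.append((r.name, f"external {r.protocol}/{r.external_port} already forwarded to {owner[key]}"))
        owner.setdefault(key, r.destination)
        if r.external_port not in HIGH_RANGE:
            problems.append((r.name, f"external port {r.external_port} outside 50000-65535"))
        if r.internal_port not in HIKVISION_PORTS:
            problems.append((r.name, f"internal port {r.internal_port} is not a listed Hikvision service port"))
    return problems


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP connect test, the same check canyouseeme.org performs but from
    wherever this runs.  From inside the LAN it only shows the device is
    listening; run it from outside (or use the web service) to test the
    forwarding rule itself."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def sample_rules():
    """Constructed rule set for the demonstration: a correct HTTPS forward, an
    iVMS forward for two cameras that collide on the same external port, and a
    recorder exposed on external port 80."""
    return [
        ForwardRule("cam1-https", "TCP", 50443, 443, "192.168.1.64"),
        ForwardRule("cam1-ivms", "Both", 58000, 8000, "192.168.1.64"),
        ForwardRule("cam2-ivms", "TCP", 58000, 8000, "192.168.1.65"),
        ForwardRule("nvr-web", "TCP", 80, 80, "192.168.1.70"),
    ]


def local_probe_demo():
    """Open a throw-away listener on 127.0.0.1, probe it, close it, probe again.
    Returns (open_result, closed_result), expected (True, False)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = port_open("127.0.0.1", port)
    srv.close()
    return while_open, port_open("127.0.0.1", port)


if __name__ == "__main__":
    for name, problem in audit(sample_rules()):
        print(f"{name}: {problem}")
    print("local probe:", local_probe_demo())
```

Running the audit on the constructed rules reports `cam2-ivms` for reusing external port 58000 (the situation the question above describes) and `nvr-web` for exposing port 80 directly; the number of entries returned by `expand` is also the number of pinholes the router will actually open, which is the figure to keep as small as possible.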


Conclusion

This hardening guide is intended to be a living document and will be updated regularly to reflect the most up-to-date cyber security best practices. It is one of the many industry-leading cyber security resources provided by Hikvision. Please visit the Hikvision Security Center on our website, http://www.hikvision.com/us/SecurityCenter_10636.html, to learn about other available cyber security resources. If you have questions, please contact your Hikvision representative or [email protected]

