Grandstream networks Gac2500 User manual

Grandstream Networks, Inc.

GAC2500

Audio Conference Phone for AndroidTM

Security Guide

 
P a g e  | 1
 
GAC2500 Security Guide 
Table of Contents 
OVERVIEW.....................................................................................................................3
WEB UI/SSH ACCESS ...................................................................................................4
GAC2500 Web UI Access ....................................................................................................................4
Web UI Access Protocols .....................................................................................................................4
User Login ............................................................................................................................................5
User Management Levels ....................................................................................................................6
SSH Access..........................................................................................................................................6
DEVICE CONTROL SECURITY .....................................................................................7
Configuration via Keypad Menu ...........................................................................................................7
Permission to Install/Uninstall Apps .....................................................................................................7
GUI Config Tool Settings ......................................................................................................................8
SECURITY FOR SIP ACCOUNTS AND CALLS ............................................................9
Protocols and Ports ..............................................................................................................................9
Anonymous/Unsolicited Calls Protection ........................................................................................... 11 
SRTP ..................................................................................................................................................12 
NETWORK SECURITY.................................................................................................13 
VPN ....................................................................................................................................................13 
802.1X ................................................................................................................................................13 
Bluetooth ............................................................................................................................................14 
SECURITY FOR GAC2500 SERVICES........................................................................15 
Provisioning via Configuration File .....................................................................................................15 
Firmware Upgrading ...........................................................................................................................17 
TR-069................................................................................................................................................18 
FTP Server .........................................................................................................................................18 
ADB Service .......................................................................................................................................19 
LDAP ..................................................................................................................................................19 
Syslog.................................................................................................................................................20 
SECURITY GUIDELINES FOR GAC2500 DEPLOYMENT ..........................................21 

 
P a g e  | 2
 
GAC2500 Security Guide 
Table of Figures 
Figure 1: Web UI Access Settings.................................................................................................................4
Figure 2: GAC2500 Web UI Login ................................................................................................................5
Figure 3: GAC2500 Admin Password Change..............................................................................................5
Figure 5: Disable SSH Access on GAC2500 ................................................................................................6
Figure 6: Limit Access to Advanced Settings on LCD...................................................................................7
Figure 7: Cust File Provision Page ...............................................................................................................8
Figure 8: Configure TLS as SIP Transport ....................................................................................................9
Figure 9: SIP TLS Settings on GAC2500......................................................................................................9
Figure 10: Additional SIP TLS Settings .......................................................................................................10 
Figure 11: Settings to Block Anonymous Call .............................................................................................11 
Figure 12: Settings to Block Unwanted Calls..............................................................................................11 
Figure 13: SRTP Settings ...........................................................................................................................12 
Figure 14: VPN Settings..............................................................................................................................13 
Figure 16: 802.1X Settings..........................................................................................................................14 
Figure 17: 802.1X for GAC2500 Deployment .............................................................................................14 
Figure 19: GAC2500 Config File Provisioning ............................................................................................15 
Figure 20: Validate Certification Chain........................................................................................................16 
Figure 21: Certificate Management.............................................................................................................16 
Figure 22: GAC2500 Firmware Upgrade Configuration..............................................................................17 
Figure 23: Validate Certification Chain........................................................................................................17 
Figure 25: TR-069 Connection Settings Page ............................................................................................18 
Figure 26: FTP Service On .........................................................................................................................19 
Figure 27: Developer Mode Enabled ..........................................................................................................19 
Figure 28: GAC2500 LDAP Settings...........................................................................................................20 
Figure 29: Syslog Protocol ..........................................................................................................................20 
 

P a g e | 3

GAC2500 Security Guide

OVERVIEW

This document presents a summary of security measures, factors, and configurations that users are

recommended to consider when configuring and deploying the GAC2500.

Note: We recommend using the latest firmware for latest security patches.

The following sections are covered in this document:

•Web UI/SSH Access

Web UI access is protected by username/password and login timeout. Two-level user management is

configurable. SSH access is supported for mainly troubleshooting purpose and it’s recommended to disable

it in normal usage.

•Device Control Security

The GAC2500 has multiple ways to limit the use for network settings, apps, and other settings if not

necessary for the end user.

•Security for SIP Accounts and Calls

The SIP accounts use specific port for signaling and media stream transmission. It also offers configurable

options to block anonymous calls and unsolicited calls.

•Network Security

The GAC2500 supports VPN, 802.1X, Bluetooth. VPN secures remote connection and 802.1X provides

network access control. it’s recommended to turn off Bluetooth if not used.

•Security for GAC2500 Services

GAC2500 supports service such as HTTP/HTTPS/TFTP provisioning, TR-069, LDAP, as well as allows

ADB and FTP access. For provisioning, we recommend using HTTPS with username/password and using

password-protected XML file. For services such as ADB and FTP, we recommend disabling them if not

used to avoid potential port exposure.

•Deployment Guidelines for GAC2500

This section introduces protocols and ports used on GAC2500 and recommendations for routers/firewall

settings.

This document is subject to change without notice.

Reproduction or transmittal of the entire or any part, in any form or by any means, electronic or print, for

any purpose without the express written permission of Grandstream Networks, Inc. is not permitted.

P a g e | 4

GAC2500 Security Guide

WEB UI/SSH ACCESS

GAC2500 Web UI Access

The GAC2500 embedded web server responds to HTTP/HTTPS GET/POST requests. Embedded HTML

pages allow users to configure the device through a web browser such as Microsoft IE, Mozilla Firefox,

Google Chrome and etc. With this, administrators can access and configure all available GAC2500

information and settings. It is critical to understand the security risks involved when placing the GAC2500

phone on public networks and it’s recommended not to do so.

Web UI Access Protocols

HTTP and HTTPS are supported to access the GAC2500 web UI and can be configured under web UI →

Maintenance → Security Settings. To secure transactions and prevent unauthorized access, it is highly

recommended to:

1. Use HTTPS instead of HTTP.

2. Avoid using well known port numbers such as 80 and 443.

Figure 1: Web UI Access Settings

P a g e | 5

GAC2500 Security Guide

User Login

Username and password are required to log in the GAC2500 web UI.

Figure 2: GAC2500 Web UI Login

The factory default username is “admin” and the default password is “admin”. The GAC2500 web UI require

to change the default password at first time login.

Figure 3: GAC2500 Admin Password Change

To change the password for default user "admin", Press on Change Password in the highlighted upper

corner or navigate to Maintenance → Security Settings. The password length must between 6 and 32

characters. Strong password with a combination of numbers, uppercase letters, lowercase letters, and

special characters is always recommended for security purpose.

P a g e | 6

GAC2500 Security Guide

User Management Levels

Two user privilege levels are currently supported:

•Admin

•User

Admin login has access to all of the GAC2500’s web UI pages and can execute all available operations.

User login has limited access to the web UI pages. With user login, the user is allowed to configure the

following settings:

•Call

•Contacts

•Account: Call Settings

•Advanced: MPK General Settings, MPK LCD Settings

•Maintenance: Network Settings, Time & Language, Security Settings, Device Manager

•Status: Account Status, Network Status, System Info

Even if user login can access certain web UI pages, it has less options compared to admin login.

It is recommended to keep admin login with administrator only. And end user should be provided with user-

level login only, if web UI access is needed.

SSH Access

The GAC2500 allows access via SSH for advanced troubleshooting purpose. This is usually not needed

unless the administrator or Grandstream support needs it for troubleshooting purpose. SSH access on

GAC2500 is enabled by default with port 22 used. It’s recommended to disable it for daily normal usage. If

SSH access needs to be enabled, changing the port to a different port other than the well-known port 22 is

a good practice.

Figure 4: Disable SSH Access on GAC2500

P a g e | 7

GAC2500 Security Guide

DEVICE CONTROL SECURITY

From GAC2500 web UI → Maintenance → Security Settings. administrator can set whether the user can

use specific features:

Figure 5: Limit Access to Advanced Settings on LCD

Configuration via Keypad Menu

This option configures access for keypad Menu settings on the Settings interface of the phone. It is

recommended to use “Constraint Mode” for end users.

•Unrestricted:

Configure all settings on the LCD settings interface.

•Basic Settings Only:

Advanced Settings, Wireless & Network options will not be displayed in LCD settings menu.

•Constraint Mode:

The user is required to enter the correct admin password to access Wireless & Network options and

Advanced Settings.

Permission to Install/Uninstall Apps

This option configures the permission for users to install/uninstall 3rd party applications. “Unknown Sources”

setting is under LCD → Advanced Settings → General Settings. It is recommended to use “Not allow” if the

device is used at public properties.

•Allow:

The user can install/uninstall any 3rd party apps as needed.

•Require admin password:

The user needs to enter the correct admin password before he/she can install/uninstall 3rd party apps.

•Require admin password if the app source is unknown:

The user needs to enter the correct admin password only when installing apps from unknown source.

Admin password is also required when the user uninstalls the 3rd party apps.

•Not allow:

The user cannot install/uninstall third-party apps. Unknown sources setting is not available under this

mode.

P a g e | 8

GAC2500 Security Guide

GUI Config Tool Settings

The GUI config tool is a tool designed to customize the GUI desktop layout as well as GUI configuration

for devices. Here is the link to download the GUI config tool:

http://www.grandstream.com/tools/gui_customization_tool_v3.9.0.zip

From there, the administrator can build a customized file to remove access for certain apps and task bar

features. The tool would generate a file “GAC2500cust” which should be uploaded to a HTTP/TFTP server.

Then the user needs to configure the server address as GUI Customization File URL under web UI →

Maintenance → Upgrade → Cust Config Server Path to download the file to GAC2500.

Figure 6: Cust File Provision Page

For more details, please refer to the guide:

http://www.grandstream.com/tools/gac2500_gui_customization_guide.pdf

P a g e | 9

GAC2500 Security Guide

SECURITY FOR SIP ACCOUNTS AND CALLS

Protocols and Ports

By default, after factory reset, the SIP account 1 is active. Since the default local SIP port is 5060 for account

1, this allows user to make direct IP call even if the account is not registered to any PBX. If the user is not

using any account, it is recommended to uncheck the settings from web UI → Account → General Settings

→ Account Active to deactivate account 1.

Below are the ports/protocols used on GAC2500 SIP accounts. GAC2500 supports up to 6 SIP accounts.

•SIP transport protocol:

The GAC2500 supports SIP transport protocol “UDP” “TCP” and “TLS”. By default, it’s set to “UDP”.

It’s recommended to use “TLS” so the SIP signaling is encrypted. SIP transport protocol can be

configured per SIP account under web UI → Account → Account x → SIP Settings. When “TLS” is used,

we recommend using “sips” instead of “sip” for SIP URI scheme to ensure the entire SIP transaction is

secured instead of “best-effort”.

Figure 7: Configure TLS as SIP Transport

SIP TLS certificate, private key and password can be configured under GAC2500 web

UI→Maintenance → Security Settings → SIP TLS.

Figure 8: SIP TLS Settings on GAC2500

Other manuals for GAC2500

Table of contents

Other Grandstream Networks Conference Phone manuals

Grandstream Networks

Grandstream Networks GAC2570 User manual

Grandstream Networks

Grandstream Networks GAC2500 User manual

Grandstream Networks

Grandstream Networks GAC2500 User manual

Grandstream Networks

Grandstream Networks GXV3450 User manual

Grandstream Networks

Grandstream Networks GAC2500 User manual

Grandstream Networks

Grandstream Networks GAC2570 User manual

Grandstream Networks

Grandstream Networks GAC2500 User manual

Grandstream Networks

Grandstream Networks GAC2500 User manual

Grandstream Networks

Grandstream Networks GAC2500 Instruction manual

Grandstream Networks

Grandstream Networks GAC2500 Instruction Manual

Grandstream Networks

Grandstream Networks GAC2500 User manual

Grandstream Networks

Grandstream Networks GAC2500 Instruction Manual

Grandstream Networks

Grandstream Networks GAC2500 Instruction Manual

Popular Conference Phone manuals by other brands

Polycom

Polycom SoundStation 2W User and administrator guide

Vixtel

Vixtel glass 1100 user guide

Oregon Scientific

Oregon Scientific OS200 user manual

Polycom

Polycom SoundStation IP 4000 user guide

AbleNet

AbleNet Prism C user guide

Albrecht

Albrecht Multicom manual

Fortinet

Fortinet FortiFone FON-C70 user guide

Avaya

Avaya B159 Series Quick setup guide

Konftel

Konftel Konftel 55W Quick reference guide

Mitel

Mitel 6867i Premium Quick reference guide

Polycom

Polycom SoundStation 2W User and administrator guide

Yealink

Yealink CP920 quick start guide

Polycom

Polycom SoundStation IP 6000 quick start guide

Mitel

Mitel 6970 IP Quick reference guide

Yealink

Yealink CPE860 Quick start up guide

Konftel

Konftel 60W Quick reference guide

Mitel

Mitel UC360 user guide

Cortelco

Cortelco CP4400 Series Owner's instruction manual