TANDBERG F1 D13642.01 User Manual

6 Appendix

127

To remove this password, use the command: "ippassword

”

. From telnet, this is only possible

by first entering the correct password.

Services

The different IP services on the system - FTP, Telnet, Telnet Challenge, HTTP, HTTPS,
SNMP and H.323 can be disabled to prevent access to the system. By using the commands
below, the services can be independently enabled/disabled:
services <telnet/telnet challenge/ftp/http/https/h323/remote-parameter/remote-software>
<enable/disable>
services <snmp> <read-only/enable/disable>
services <telnetchallenge> <enable/disable> [port]

SNMP Security alert

This function will notify any Management Application (such as TMS - TANDBERG
Management Suite) if anyone tries to perform Remote Management on the system using an
illegal password. The Security alert that is sent to the Management Application will contain
information about the IP address and the service (WEB, Telnet, FTP) being used for the
attempt. If TMS is used, email notifications or alarms about the attempt can be sent to
specified persons.

Encryption

All TANDBERG systems support both AES and DES encryption. By default this feature is
enabled such that when connecting with any other video system or MCU, a TANDBERG
system will attempt to establish a secure conference using AES or DES encryption. The
TANDBERG system will attempt this for both IP and ISDN connections. Where a remote
system or MCU supports encryption, the highest common encryption algorithm will be
selected on a port-by-port basis.

The type and status of the encryption negotiated is indicated by padlock symbols and on-
screen messages. Encryption on the TANDBERG systems is fully automatic, and provides
clear security status indicators;



An open padlock indicates that encryption is being initialized, but the conference is
not yet encrypted.



Single padlock indicates DES encryption.



Double padlock indicates AES encryption.

In addition to on-screen indicators the Call Status menu provides two information fields
regarding call encryption. The first field is the Encryption Code, which will identify either AES
or DES. The second field is the Encryption Check Code and is comprised of an alphanumeric
string. This string will be the same for systems on either side of an encrypted conference. If
the Check Codes do not match, this would indicate that the call has been exposed to a Man
In The Middle attack.

When a system with MultiSite functionality hosts a conference, the highest possible
encryption algorithm will be negotiated on a site-by-site basis. MultiSite conferences can
therefore support a mix of AES and DES encrypted endpoints in the same conference. A
conference will only be as secure as its weakest link. Even though conference participants
may have negotiated and are running AES encryption, if just one participant has negotiated
DES encryption, the AES system will display the single padlock symbol to advise all users of
the lowest encryption mechanism currently in effect.

All systems supporting DES encryption can upgrade to AES encryption. Please contact your
TANDBERG representative for more information. The standards supporting the encryption
mechanisms employed by TANDBERG are: AES, DES, H.233, H234 and H.235 (H235v3 &
v2 for backwards compatibility) with extended Diffie Hellman key distribution via H.320, H.323
and Leased Line connections.