Hardening Guide - Axis Communications
Contents
1. Applications 10 0 0 0 255 0 0 0 172 16 0 0 use to separate local networks Local networks gt Events Save Reset gt Recordings Languages System Options y Security Date amp Time Network TCP IP SOCKS QoS SNMP UPnP RTP Bonjour Disable QoS SANS 11 Limitation and control of network ports protocols and services If Quality of Services is not being used QoS should be disabled 1 Go to System Options Network QoS 2 To disable QoS enter the value zero in the QoS DSCP Settings fields 3 Click Save gt Basic Setup QoS Settings Q QoS DSCP Settings Video amp Audio Live Video DSCP b sODffo 63 gt Live View Config Live Audio DSCP 0 0 63 Event Alarm DSCP 0 0 63 gt Detectors Management DSCP 0 0 63 Applications Metadata DSCP 0 7 0 63 gt Events Save Reset gt Recordings Languages System Options Security Date amp Time Network TCP IP SOCKS Qos SNMP UPnP Disable always multicast video SANS 11 Limitation and control of network ports protocols and services To prevent the camera from multicasting video by default disable multicast video streaming The camera can still multicast video upon request 1 Go to System Options gt Network gt RTP 2 Clear Always Multicast Video 18 Hardening Guide Enterprise protection 3 Click Save Basic Setup gt
2. Hardening Guide Installation Guide About this Document The intended use of this guide is to harden devices and also provide collateral for deployment teams to deal with local network policy configurations and specification All settings described in this document are made in the product s webpages To access the webpages see the User Manual of the specific product Liability Every care has been taken in the preparation of this document Please inform your local Axis office of any inaccuracies or omissions Axis Communications AB cannot be held responsible for any technical or typographical errors and reserves the right to make changes to the product and manuals without prior notice Axis Communications AB makes no warranty of any kind with regard to the material contained within this document including but not limited to the implied warranties of merchantability and fitness for a particular purpose Axis Communications AB shall not be liable nor responsible for incidental or consequential damages in connection with the furnishing performance or use of this material This product is only to be used for its intended purpose Intellectual Property Rights Axis AB has intellectual property rights relating to technology embodied in the product described in this document In particular and without limitation these intellectual property rights may include one or more of the patents listed at www axis com patent htm and one or more a
3. Account monitoring and control SANS 18 Incident response and management 1 Go to System Options gt Advanced gt Scripting gt Open Script Editor 2 For cameras with firmware 5 80 and later select etc rsyslog d 40 remote_log conf For cameras with firmware 5 70 and older select etc rsyslog conf Advanced Scripting OQ gt Basic Setup Video To modify your own scripts click Open Script Editor gt Live View Config Axis strongly recommends that you do not use this function unless you fully understand the consequences gt Detectors If the editing of a script does cause problems the only recourse then will be to reset the gt Applications product to its factory default settings gt Events Recordings B 172 25 33 184 admin bin editcgi cgi file etc Languages Directory etc System Options drwxr xr x 60 root root 6496 Mar 7 02 27 x drwxrwxr x 4 root root 288 Jun 16 2015 E Security rw r r 1 root root 5 Mar 7 02 26 TZ Date amp Time drwxr xr x 4 wsd wsd 296 Jun 16 2015 ws Network drwxrwx 2 root admin 232 Jun 16 2015 bck Storage drwxr xr x 4 ptzadm admin 656 Jun 16 2015 ptz Maintenance drwxr xr x 2 root root 296 Jun 16 2015 gos Support drwxrwxr x 2 scm scm 232 Jun 16 2015 scm Advanced drwxr xr x 2 root root 296 Mar 7 02 26 ssh Scripting drwxrwxr x 3 root root 224 Jun 16 2015 xdg File Upload rw r r 1 root root 924 May 25 2012 nsswitch conf Plain Config rw r r 1 root roo
4. Please see the online help for more information Firmware version 5 60 1 gt Video amp Audio MAC address AC CC 8E 01 00 18 b live View Confin Upgrade the firmware SANS 1 Inventory of authorized and unauthorized devices SANS 2 Inventory of authorized and unauthorized software Note Before upgrading the firmware read the instructions in the User Manual 1 Download the latest firmware file to your computer available free of charge at www axis com techsup firmware php 2 Upgrade the firmware Server Maintenance O Maintain Server gt Basic Setup gt Video amp Audio Restart Restart the AXIS Q8414 Network Camera gt Live View Config Restore Resets all parameters except the IP and focus parameters to the original factory settings gt PTZ Default Resets all parameters to the original factory settings gt Detectors Optics gt Applications PP Calibrate Calibrate focus and zoom Events Upgrade Server s Upgrade the AXIS Q8414 with the latest firmware gt Recordings Specify the firmware to upgrade to V lj fil Ingen fil har valts and click Upgrade Languages Note Do not disconnect power to the unit during the upgrade The unit restarts automatically after the upgrade has completed 1 10 minutes System Options Security Date amp Time Network Storage Ports amp Devices Maintenance Support Advanced Flash LED for 10
5. Video amp Audio gt Live View Config gt Detectors Applications gt Events gt Recordings Languages System Options y Security RTP Settings Q Port Range Start port 50000 1024 65534 End port 50999 1025 65535 Multicast Video address 239 193 0 24 Video port 0 0 1024 65534 even values only Audio address 239 193 0 152 Audio port O _ 0 1024 65534 even values only Time to live 5 1 255 LJ Always Multicast Video H 264 Y LJ Always Multicast Audio Q Port automatically selected within the port range specified above Date amp Time Save Reset Network TCP IP SOCKS QoS SNMP UPnP RTP Qaninnr Disable SSH SANS 11 Limitation and control of network ports protocols and services Axis cameras support Secure Shell SSH and is disabled by default Make sure that it is disabled by doing the following 1 Go to System Options gt Advanced gt Plain Config v System Options Security Date amp Time Network Storage Ports amp Devices Maintenance Support Advanced Scripting Plain Config About 2 In the drop down menu select Network and click Select group Select a group of parameters to modify Network v Select group 3 Make sure that Network SSH is disabled by clearing SSH Enabled Network SSH SSH Enabled 4 If needed click Save Set IP address filter SANS 13 Boundary defense
6. computer time Date 2015 05 22 Time 12 47 13 Synchronize with NTP server NTP server 10 0 2 201 10 0 2 202 Set manually Date 2002 01 14 Date amp Time Format Used in Images Time 00 45 15 Specify date format predefined YYYY MM DD v Ovin F Specify time format predefined 24h Y With resolution 1 second Own T SANS 11 Limitation and control of network ports protocols and services If the network camera has audio support that is not used in daily operation you should prevent clients from requesting audio streams by disabling the audio support 1 Go to System Options gt Security gt Audio Support 2 Clear Enable audio support 10 Hardening Guide Standard protection Basic Setup SE Support Q Video amp Audio E Enable audio support Live View Config sae gt Detectors Applications gt Events Recordings Languages v System Options Security Users ONVIF IP Address Filter HTTPS IEEE 802 1X Certificates Audio Support Date amp Time 11 Hardening Guide Enterprise protection Enterprise protection The enterprise protection level is about minimizing risks by reducing the possible attack area of the network camera Note Some of the settings described in this section are preset at the factory Make sure that they are correct by following the instructions below Enable encryption SANS 17 Data protection Access the camera
7. e SNMP v2c May be used on a protected network segment e SNMP v3 Recommended for monitoring purposes The cameras support monitoring MIB Il and Axis Video MIB Axis Video MIB can be downloaded at www axis com global en support downloads axis video mib For more information about SNMP see the User Manual 1 Go to System Options gt Network gt SNMP 2 f needed install certificates and enable HTTPS for SNMP v3 see also Enable encryption on page 12 gt Basic Setup gt Video gt Live View Config Enable SNMP v2c SNMP Settings SNMP vi v2c Enable SNMP vi Q Detectors Read community public Write community write gt Applications gt Events Enable traps Trap address Recordings Trap community public Languages Available traps Cold start v System Options Security Warm start Date amp Time um Network TCP IP Authentication failed SOCKS tL SNMP v3 SNMP UPnP V Enable SNMP v3 RTP SNMP v3 Initial user s password Bonjour Storage Note j Mai g Inital user password is activated only when HTTPS is enabled and can only be set once aintenance If SNMP v3 is enabled then SNMP v1 v2c traps should be disabled Support Advanced Ahnutt 22 Save Reset Hardening Guide Managed enterprise protection Remote system log SANS 4 Continuous vulnerability assessment and remediation SANS 14 Maintenance monitoring and analysis of audit Logs SANS 16
8. easily extended manipulated isi Ze Save file 23 Installation Guide Ver M1 4 Hardening Guide Date October 2015 Axis Communications AB 2015 Part No 1488265
9. response If you are connected to the Internet you can e download user documentation and software updates e find answers to resolved problems in the FAO database Search by product category or phrase report problems to Axis support staff by logging in to your private support area e chat with Axis support staff e visit Axis Support at www axis com techsup Should you require any technical assistance please contact appropriate channels according to your AVHS license agreement to ensure a rapid response Should you require any technical assistance please contact ADP Helpdesk to ensure a rapid response Learn More Visit Axis learning center www axis com academy for useful trainings webinars tutorials and guides Hardening Guide Table of Contents MIMOOUCTION r 4 Security cameras in a network environment 4 Colmpensatili Controls vss care as eet de eee ae dpud e eee Kee 4 About the protection levels 5 2 etw Eri E S cue Qe me n 5 Marise 6 Standard protectio 33 3 x 8i 8t bre Foe they e eee 8 ie CR e etes 7 CHECKING MWANG EP SUI tae 7 Upgrade the firmware menner tenn REPERI RUE RESP E dran DE PINE 7 Reset to factory default settings 8 DEL NO TOO DISONS an ae D ene SION EQ de ME 8 Set user PEMMISSIONS Ras a E55 2 3 desormais ta aeris 8 Configure basic network settings 9 SEL IMG ANO DAS a dans
10. using HTTPS which encrypts the traffic between the client and the camera All camera administrative tasks should go through HTTPS Video streamed over RTP RTSP is still unencrypted If the video stream contains sensitive data tunnel RTP RTSP over HTTPS This is controlled by and depends on the video client VMS capabilities Create certificate SANS 3 Secure configuration for hardware and software A self signed certificate is adequate for providing encryption but the web browser will warn that the certificate cannot be validated A CA signed certificate is needed for the client to authenticate that it is accessing the correct camera 1 Go to System Options Security Certificates 2 Create a self signed certificate For instructions see the User Manual Basic Setup Certificates Q Server Client Certificates Video amp Audio Certificate Id Expires On temporaryHTTPS SelfSigned 1 2016 05 21 gt Live View Config gt Detectors gt Applications gt Events gt Recordings Languages v System Options Create self signed certificate Properties Delete Security Create certificate signing request Install certificate Users ONVIF IP Address Filter CA Certificates HTTPS Certificate Id Issued On Expires On IEEE 802 1X 1010895543 2010 09 06 2030 05 24 Certificates 1010895544 2010 09 06 2030 05 24 Audio Support AmericaOnline1 2002 05 28 2037 11 19 Enable HTTPS
11. 028 08 01 Class 2 Public Primary Certification Authority G 1998 05 18 2028 08 01 Class 3 Public Primary Certification Authority 1996 01 29 2028 08 02 Class 3 Public Primary Certification Authority G2 1998 05 18 2028 08 01 Class 4 Public Primary Certification Authority G2 1998 05 18 2028 08 01 DigiCertAssuredIDRootCA 2006 11 10 2031 11 10 Maintenance Support Advanced About h Install certificates Properties Delete 4 Go to System Options gt Security gt IEEE 802 1x 5 Select the CA certificate and the Client Certificate 6 Configure the settings 7 Select Enable IEEE 802 1x 8 Click Save 21 Hardening Guide Managed enterprise protection que IEEE 802 1X EAPOL using EAP TLS Q Certificates gt Video amp Audio If no certificates are available go to certificates to manage CA Certificate 1010895543 v gt Live View Config EE s Client Certificate temporaryHTTPS SelfSigned v Detectors Settings EAPOL version E Y gt Applications EAP identity XXX gt meee Y Enable IEEE 802 1X Stopped Recordings Save Reset Languages System Options Security Users ONVIF IP Address Filter HTTPS IEEE 802 1X Certificates Configure SNMP monitoring SANS 14 Maintenance monitoring and analysis of audit logs Axis cameras support the following SNMP protocols e SNMP v1 Supported only for legacy reasons and should not be used
12. 19 Hardening Guide Enterprise protection SANS 15 Controlled access based on the need to know We recommend that video clients access live and recorded video only through the VMS they should not be allowed to access any video directly through the cameras Enabling IP filtering for authorized clients will prevent the camera from responding to network traffic from any other clients Make sure to add all authorized clients VMS server and administrative clients to the white list 1 2 Select Enable IP address filtering and add the allowed IP addresses For more instructions see the User Manual gt Basic Setup gt Video amp Audio gt Live View Config gt Detectors gt Applications Events gt Recordings Languages System Options Security Users ONVIF IP Address Filter HTTPS IEEE 802 1X Certificates Audio Support Date amp Time Network Storage Ports amp Devices Maintenance Support Advanced About Go to System Options Security IP Address Filter IP Address Filtering 2 General Enable IP address filtering Allow Y the following IP addresses Apply Filtered IP Addresses fx beeps 172 25 33 110 admin restrictIP_setup shtml doAction add amp newPolicy allow amp che Filtered IP Address Setup Q IP address Remove 20 Hardening Guide Managed enterprise protection Managed enterprise protection Man
13. 2 168 0 90 Test Subnet mask 255 255 255 0 gt Recordings Default router 192 168 0 1 Languages IPv6 Address Configuration Enable 1Pv6 v System Options arsi Security Services Date amp Time Enable ARP Ping setting of IP Address Network TCP IP Enable AVHS Basic AXIS Internet Dynamic DNS Service Settings Advanced a eee SOCKS Save Reset QoS Disable discovery services SANS 3 Secure configuration for hardware and software Discovery protocols are support services that make it easier to find the cameras on the network After deployment you should stop the cameras from announcing their presence on the network by disabling the discovery protocol 14 Hardening Guide Enterprise protection Disable UPnP 1 Go to System Options gt Network gt UPnP 2 Clear Enable UPnP You can enable it temporarily when needed for maintenance 3 Click Save gt Basic Setup gt Video amp Audio gt Live View Config gt Detectors gt Applications gt Events gt Recordings Languages System Options Security Date amp Time Network p TCP IP SOCKS Qos SNMP UPnP RTP Bonjour Disable Bonjour UPnP Settings Enable UPnP Friendly name AXIS XXXX ACCC8E010018 Save Reset 1 Go to System Options gt Network gt Bonjour 2 Clear Enable Bonjour You can enable it temporarily when needed for maintenance 3 Click Save gt
14. Basic Setup gt Video amp Audio Live View Config gt Detectors gt Applications gt Events gt Recordings Languages System Options Security Date amp Time Network TCP IP SOCKS QoS SNMP UPnP RTP Bonjour Storage Disable link local address Bonjour Settings LJ Enable Bonjour Friendly name AXIS XXXX ACCC8E010018 Save Reset 1 Go to System Options gt Network gt Advanced 2 Clear Auto Configure Link Local Address 15 Hardening Guide Enterprise protection 3 Click Save Host Name Configuration r System Options Security Obtain host name via IPv4 DHCP Date amp Time Network TCP IP Enable dynamic DNS updates Basic Advanced SOCKS Qos SNMP UPnP RTP Bonjour HTTP port Storage Ports amp Devices HTTPS Maintananra HTTD amp marks Configure advanced network settings SANS 1 Inventory of authorized and unauthorized devices SANS 3 Secure configuration for hardware and software SANS 11 Limitation and control of network ports protocols and services 1 Go to System Options gt Network gt Advanced 2 Configure Domain Name Service DNS If possible use both a primary and a secondary DNS 3 To set the fully qualified domain name FODN manually select Use the host name 4 Select Use the following DNS server address and specify the following Enter the domain s to search for the host name used by the Axis prod
15. Reset SANS 3 Secure configuration for hardware and software Hardening Guide standard protection From a security perspective it is important that the date and time is correct so that for example the system logs are time stamped with the right information It is recommended to synchronize the camera clock with an Network Time Protocol NTP server If there are no NTP servers on the system use a public NTP server available online for example pool ntp org Without NTP synchronization date and time must be set manually Most cameras models has a battery backup RTC Real Time Clock that will maintain the time without power 1 Go to System Options gt Date amp Time 2 Set Time mode to Synchronize with NTP server 3 Click Save 4 Click on the link NTP server 5 Set the NIP server and click Save 6 Set the Time zone 7 Select Automatically adjust for daylight saving time changes gt Basic Setup gt Video amp Audio gt Live View Config gt Detectors gt Applications gt Events gt Recordings Languages System Options Security Date amp Time b Network Storage Ports amp Devices Maintenance y Support Advanced Ahout Disable audio Date amp Time Settings Current Server Time Date 2002 01 14 Time 01 25 43 New Server Time Time zone GMT Dublin Lisbon London Reykjavik Automatically adjust for daylight saving time changes Time mode Synchronize with
16. SANS 3 Secure configuration for hardware and software Users with administration rights should enerypt traffic between the clients and the camera This requires that the client supports HTTPS 1 Go to System Options gt Security gt HTTPS 2 To enable HTTPS select the created certificate in the drop down list 3 Demand that administrators use HTTPS If additional user accounts are added with viewer and operator level privileges set the connection policy accordingly 12 Hardening Guide Enterprise protection 4 Click Save HTTPS Settings Certificates If ne certificates are available go to certificates to manage Certificate temporaryHTTPS SelfSigned r Ciphers HTTPS Connection Policy Administrator will use HTTPS Y Operator will use Viewer will use HTTP id Create a backup admin account SANS 3 Secure configuration for hardware and software SANS 12 Controlled use of administrative privileges Good practice is to create a backup administrator account with a different password than the primary administrator account 1 Go to System Options Users 2 Add a backup administrator account For password requirements see Set the root password 3 Click Save Basic Setup gt Video amp Audio Live View Config gt Detectors gt Applications gt Events Recordings Languages System Options Security User
17. acters Confirm password The password for the pre configured administrator root must be changed before the product can be used If the password for root is lost the product must be reset to the factory default settings by pressing the button located im the product s casing Please see the user documentation for more information ONVIF will be disabled To enable ONVIF go to Setup gt System Options gt Security gt ONVIF Set user permissions SANS 3 Secure configuration for hardware and software SANS 11 Limitation and control of network ports protocols and services 1 Go to System Options gt Security gt Users 2 To prevent clients to login with plain text passwords make sure that Allow password type is set to Encrypted only 3 Make sure that both Enable anonymous viewer login and Enable anonymous PTZ control login are disabled Hardening Guide standard protection 4 Click Save gt Basic Setup gt Video amp Audio Live View Config gt Detectors gt Applications gt Events gt Recordings Languages System Options Security Users ONVIF IP Address Filter HTTPS IEEE 802 1X Certificates Audio Support Date amp Time Network Storage Ports amp Devices Maintananca Users User List User Group Administrator Operator Add Modify Remove HTTP RTSP Password Settings Allow password type Encrypted only v User Sett
18. aged enterprise networks are systems that typically have additional management tools and services that the cameras need to be aligned with Access to IEEE 802 1x network SANS 1 Inventory of authorized and unauthorized devices SANS 13 Boundary defense To be accepted in a network protected by IEEE 802 1x the cameras need to have appropriate certificates and settings 1 Go to System Options gt Security gt Certificates 2 Install the CA certificate for the network 3 Install the client certificate Certificates O Server Client Certificates gt Basic Setup gt Video amp Audio Expires On temporaryHTTPS SelfSigned 2015 05 21 2016 05 21 gt Live View Config gt Detectors gt Applications Events gt Recordings Languages v System Options Create self signed certificate Properties Delete Security Create certificate signing request Install certificate Users ONVIF IP Address Filter CA Certificates HTTPS ifi Issued On Expires On IEEE 802 1X 1010895543 2010 09 06 2030 05 24 Certificates 1010895544 2010 09 06 2030 05 24 Audio Support AmericaOnlinei 2002 05 28 2037 11 19 Date amp Time AmericaOnline2 2002 05 28 2037 09 29 Network Class 1 Public Primary Certification Authority 1996 01 29 2028 08 01 Storage Class 1 Public Primary Certification Authority G 1998 05 18 2028 08 01 Ports amp Devices Class 2 Public Primary Certification Authority 1996 01 29 2
19. asic Setup Users VY User List gt Video amp Audio User Group Administrator gt Live View Config gt Detectors Applications gt Events gt Recordings amp betps 172 25 33 157 admin users_set sht Languages System Options Add L Modify Remove User Setup OQ Security Users HTTP RTSP Password Settings ONVIF IP Address Filter Allow password type Encrypted amp unencrypted Y Password max 64 characters HTTPS Confirm password IEEE 802 1X User Settings User group Certificates Audio Support Date amp Time Enable anonymous PTZ control login no user name or password Network Storage e e aparece Ports amp Devices Save Reset Maintenance Support Advanced User name Viewer Enable anonymous viewer login no user name or password req Operator Administrator Y Enable Basic Setup Enable PTZ control Disable AVHS SANS 11 Limitation and control of network ports protocols and services If the camera is not connected to a hosted video service disable AVHS 1 Go to System Options Network 2 Clear Enable AVHS 3 Click Save S Basic TCP IP Settings O Network Settings es View current network settings view gt Live View Config IPv4 Address Configuration Enable IPv4 gt Detectors Obtain IP address via DHCP Applications Use the following IP address gt Events IP address 19
20. ating controls These compensating controls are part of the industry s control sets the SANS list of compliances that Axis uses for hardening cameras and video surveillance solutions Hardening Guide About the protection levels About the protection levels This guide uses different protection levels depending on system size and needs Each level assumes that the previous level s recommendations are followed Protection level Recommended for Procedures Default protection Only recommended for demo purposes N A and test scenarios Standard protection Minimum recommended level of Check the firmware protection This level is adequate for small businesses or office installations Upgrade the firmware where typically the operator is also the administrator Reset to factory default settings Set the root password Set user permissions Configure basic network settings Set time and date Disable audio Enterprise protection Recommended settings for Enable encryption corporations that have a dedicated system administrator Create a backup admin account Create video client account Disable AVHS Disable discovery services Configure advanced network settings Disable SOCKS Disable QoS Disable always multicast video Disable SSH Set IP address filter Managed enterprise protection Large network infrastructure with an Access to IEEE 802 1x network IT IS department For environments where cameras may need to be C
21. dditional patents or pending patent applications in the US and other countries This product contains licensed third party software See the menu item About in the product s user interface for more information This product contains source code copyright Apple Computer Inc under the terms of Apple Public Source License 2 0 see www opensource apple com apsi The source code is available from https developer apple com bonjour Trademark Acknowledgments AXIS COMMUNICATIONS and AXIS are registered trademarks or trademark applications of Axis AB in various jurisdictions All other company names and products are trademarks or registered trademarks of their respective companies Apple Boa Apache Bonjour Ethernet Internet Explorer Linux Microsoft Mozilla Real SMPTE QuickTime UNIX Windows Windows Vista and WWW are registered trademarks of the respective holders Java and all Java based trademarks and logos are trademarks or registered trademarks of Oracle and or its affiliates UPnP is a certification mark of the UPnP Implementers Corporation Contact Information Axis Communications AB Emdalavagen 14 223 69 Lund Sweden Tel 46 46 272 18 00 Fax 46 46 13 61 30 WWW axis com Support Should you require any technical assistance please contact your Axis reseller If your questions cannot be answered immediately your reseller will forward your queries through the appropriate channels to ensure a rapid
22. ings Enable anonymous viewer login no user name or password required Enable anonymous PTZ control login no user name or password required W Enable Basic Setup 7 Save E Reset Configure basic network settings SANS 3 Secure configuration for hardware and software 1 Go to System Options Network to get the expanded list of basic network settings 2 Select Enable IPv4 3 Select Use the following IP address and specify the IP address subnet mask and default router 4 f the network uses IPv6 select Enable IPv6 Otherwise leave it disabled to avoid unintended access 5 Clear Enable ARP Ping setting of IP address 6 Save parameters and reconnect to management interface on the assigned IP address gt Basic Setup Video amp Audio gt Live View Config gt Detectors gt Applications gt Events gt Recordings Languages System Options Security Date amp Time Network TCP IP Basic Advanced SOCKS QoS Set time and date Basic TCP IP Settings Network Settings View current network settings View IPv4 Address Configuration Enable IPv4 Obtain IP address via DHCP Use the following IP address IP address 192 168 0 90 Test Subnet mask 255 255 255 0 192 168 0 1 Default router IPv6 Address Configuration Enable IPv6 Services Enable ARP Ping setting of IP Address Enable AVHS AXIS Internet Dynamic DNS Service Settings _ Sav
23. n NTP server address via DHCP View Use the following NTP server address Network address 10 0 2 201 Host Name Configuration Obtain host name via IPv4 DHCP View eenn eM axis accc8e010018 LJ Enable dynamic DNS updates Register DNS name TTL 30 Link Local IPv4 Address LJ Auto Configure Link Local Address View HTTP HTTP port Bo HTTPS HTTPS port 443 OO NAT traversal port mapping for IPv4 NAT traversal is disabled Enable LJ Use manually selected NAT router LAN IP address Alternative HTTP port 0 If set to blank or 0 a port number will be set automatically upon enable FTP Enable FTP server RTSP W Enable RTSP server RTSP port 554 H 264 video streams will be unavailable if this is disabled Save Reset SANS 11 Limitation and control of network ports protocols and services If the network is not using SOCKS disable it in the network camera as well 1 Go to System Options gt Network gt SOCKS 2 Clear Enable SOCKS 3 Click Save 17 Q i use to separate names host name or IP address Axisproduct example com Hardening Guide Enterprise protection SOCKS Settings O SOCKS Settings gt Basic Setup gt Video amp Audio Enable SOCKS gt Live View Config Server socks Server port 1080 gt Detectors Server type SOCKS version4
24. onfigure SNMP monitoring integrated into an enterprise network infrastructure Remote system log Hardening Guide Default protection Default protection Cameras are delivered with predefined default settings and a default password Adjust the settings to meet the challenges from the network environment and the result of a risk analysis Hardening Guide standard protection Standard protection The standard protection level is the minimum recommended level of protection This level is adequate for small businesses or office installations where typically the operator is also the administrator Check the firmware Firmware is the software that enables and controls the functionality of network devices Always use the latest firmware so that you get all possible security updates and bug fixes Check the current firmware version in page Setup gt Basic Setup or in Setup gt About Basic Setup Basic Setup Instructions Before using the AXIS Q8414 Network Camera there are certain settings that should be made 1 Users most of which require Administrator access privileges To quickly access these settings use the 2 TCP IP numbered shortcuts to the left All the settings are also available from the standard setup links 3 Date amp Time in the menu 4 Video Stream 5 Focus amp Zoom 6 Audio Settings Note that the only required setting is the IP address which is set on the TCP IP page All other settings are optional
25. s ONVIF IP Address Filter HTTPS IEEE 802 1X Certificates Audio Support Date amp Time Network Storage Ports amp Devices Maintenance Support Advanced About Create video client account Users OQ User List User Group Administrator amp amp beeps 172 25 33 157 admin users_set sht Add Modify Remove User Setup HTTP RTSP Password Settings User name Allow password type Encrypted amp unencrypted Y Password max 64 characters Confirm password User Settings User group ae Enable anonymous viewer login no user name or password req Operator e um Enable anonymous PTZ control login no user name or password Administrator Y Enable Basic Setup Enable PTZ control Save Reset SANS 3 Secure configuration for hardware and software SANS 12 Controlled use of administrative privileges A client or a Video Management System VMS should normally use the operator group with restricted administrator privileges Video systems and clients should not use the administrator account In most cases the operator group is sufficient However the VMS may use services that require administrator rights 1 Go to System Options Users 13 Hardening Guide Enterprise protection 2 Add anew account with an appropriate user group and set a strong password that matches the video system and clients For password requirements see Set the root password B
26. seconds Y 1 60 About Hardening Guide standard protection Reset to factory default settings Make sure that the product is in a known state by resetting to factory default settings For instructions see the User Manual Set the root password SANS 3 Secure configuration for hardware and software SANS 12 Controlled use of administrative privileges The password is the most important protection measure of a network camera Make sure to use a strong password and keep it protected On a multi camera installation the cameras can have the same password or unique passwords Using the same password simplifies management but increases the risk if one camera s security is compromised Important e When setting the initial password the password is sent in clear text over the network If there is a risk of network sniffing first set up a secure an encrypted HTTPS connection before resetting the passwords e Axis cameras do not impose a password policy as products may be used in various types of installations Use a password with at least 8 characters preferably using a password generator To set the password via a standard HTTP connection enter it directly in the dialog AXIS CE ET EE EEE SEL II Set password over HTTPS Secure configuration of the root password wia HTTPS requires a certificate which will be created automatically Use HTTPS User Settings using HTTP User name root Password max 64 char
Contents (partial; entries that could not be recovered from the scan are marked [illegible])

Enterprise protection 12
  Enable [illegible] 12
  Create a backup admin account 13
  Create video client account 13
  Disable [illegible] 14
  Disable discovery services 14
  Configure advanced network settings 16
  Disable SOCKS 17
  Disable QoS 18
  Disable always multicast video 18
  Disable [illegible] 19
  Set IP address filter 19
Managed enterprise protection 21
  Access to IEEE 802.1X network 21
  Configure SNMP monitoring 22
  Remote system log 23

Introduction

The responsibility to secure a network, its devices and the services it supports falls across the entire vendor supply chain as well as on the end user organization. A secure environment depends on its users, processes and technology. This hardening guide provides technical advice for anyone involved in deploying Axis video solutions. It establishes a baseline configuration and a hardening strategy that deals with the evolving threat landscape. As many other security organizations do, the Axis baseline uses the SANS Top 20 Critical Security Controls, Version 5 (see www.sans.org/critical-security-controls).

Security cameras in a network environment

The most apparent threat to a network camera is physical sabotage, vandalism and tampering. To protect the product from these threats, it is important to select a vandal-resistant model or casing, to mount it in the recommended way and to protect the cables. From an IT network perspective, the camera is a network endpoint similar to business laptops, desktops and mobile devices. Unlike a business laptop, a network camera is not exposed to the common threat of users visiting potentially harmful websites, opening malicious email attachments or installing untrusted applications. However, the camera is a network device with an interface that may expose risk. This guide focuses on reducing the exposure area of these risks.

Compensating controls

Compensating controls are solutions, add-ons, customizations, rules or tuning of the deployment that address controls that a system cannot otherwise address. For example, if a network camera does not support remote syslog or SNMP, it is possible to connect the camera through a switch that supports these control functions. Firewalls, encrypted access methods and constrained configuration on switches (for example ACLs, Access Control Lists) are other examples of commonly used compensating controls.

Configure advanced network settings (continued)

... Multiple domains can be separated by semicolons. The host name is always the first part of a fully qualified domain name; for example, myserver is the host name in the fully qualified domain name myserver.mycompany.com, where mycompany.com is the domain name. Enter the IP addresses of the primary and secondary DNS servers. The secondary DNS server is optional and is used if the primary is unavailable.
5. Keep the default values: HTTP port 80 and HTTPS port 443.
6. Clear Enable FTP server.
7. To keep H.264 video streams available, select Enable RTSP. Keep the default port 554.
8. Click Save and reconnect to the management interface on the assigned IP address. Use the host name (registered DNS name), for example Axisproduct.example.com.

[Screenshot: System Options > Network > TCP/IP > Advanced, Advanced TCP/IP Settings. DNS Configuration: Obtain DNS server address via DHCP / Use the following DNS server address; Domain name: se.axis.com; Primary DNS server: 10.0.2.200; Secondary DNS server: 10.0.2.201. NTP Configuration: Obtai...]

Remote system log (continued)

[Screenshot: directory listing of /etc on the camera (pwdb.conf, binfmt.d, event_desc_list, parhand, mtab -> /proc/mounts, and the 2258-byte rsyslog.conf).]

3. Add credentials for the remote syslog server, e.g. 10.2.0.2, and click Save file.
4. Reconnect to activate the changes.

[Screenshot: http://172.25.33.184/admin-bin/editcgi.cgi?file=/etc/rsyslog.conf, the built-in file editor showing /etc/rsyslog.conf (length 2258 bytes, mode 0100644, option "Convert CRLF to LF", button "Save file"). The file begins:]

    ##################################################################
    # DO NOT EDIT THIS UNLESS YOU KNOW WHAT YOU'RE DOING
    ##################################################################
    # The way rsyslog processes SIGHUP: It does NOT reload its configuration
    # but simply closes all open files, which is a lightweight operation.
    # This makes it appropriate to use when rotating log files. To apply a
    # changed configuration, rsyslogd needs to be restarted.
    # Using the directive $IncludeConfig /etc/rsyslog.d/*.conf (see below)
    # means that all the configuration files in /etc/rsyslog.d with a .conf
    # file extension are read by rsyslog. This way the rsyslog configuration
    # can be
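Once the remote syslog server has been added to /etc/rsyslog.conf, a deployment team will want to confirm, on every camera, that all messages are really forwarded to the collector. The following script is an added example, not code from the Axis guide or from rsyslog: it parses the legacy selector/action lines of an rsyslog configuration (the "@host" UDP and "@@host" TCP forwarding actions, with an optional port and bracketed IPv6 literals) and reports the forwarding targets. The sample configuration is constructed for the example; 10.2.0.2 is the collector address the guide uses as its own example.

```python
"""Added example (not from the Axis guide): list where an rsyslog.conf
forwards log messages, so that the remote system log setting can be
verified.  The sample configuration below is constructed."""
import re
from dataclasses import dataclass
from typing import List

DEFAULT_PORT = 514  # syslog default when the action gives no port


@dataclass(frozen=True)
class ForwardRule:
    selector: str   # e.g. "*.*" or "auth,authpriv.*"
    proto: str      # "udp" for "@host", "tcp" for "@@host"
    host: str
    port: int


# Legacy forwarding action: "@host", "@host:port", "@@host" (TCP);
# IPv6 literals are written in brackets, e.g. "@[2001:db8::1]:514".
_TARGET = re.compile(
    r"^(?P<at>@@?)(?:\[(?P<v6>[^\]]+)\]|(?P<host>[^:\s]+))(?::(?P<port>\d+))?$"
)


def parse_forward_rules(conf_text: str) -> List[ForwardRule]:
    """Return every selector line whose action forwards to a remote host."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and "$Directive" lines such as $IncludeConfig.
        if not line or line.startswith("#") or line.startswith("$"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        selector, action = parts
        m = _TARGET.match(action.strip())
        if not m:
            continue  # local file, pipe or other non-forwarding action
        rules.append(ForwardRule(
            selector=selector,
            proto="tcp" if m.group("at") == "@@" else "udp",
            host=m.group("v6") or m.group("host"),
            port=int(m.group("port") or DEFAULT_PORT),
        ))
    return rules


def forwards_everything_to(conf_text: str, host: str, port: int = DEFAULT_PORT) -> bool:
    """True if some rule sends all messages (*.*) to the expected collector."""
    return any(r.selector == "*.*" and r.host == host and r.port == port
               for r in parse_forward_rules(conf_text))


# Constructed sample: a header like the camera's, local file actions, and the
# forwarding line an administrator would add for the collector 10.2.0.2.
SAMPLE_CONF = """\
#  DO NOT EDIT THIS UNLESS YOU KNOW WHAT YOU'RE DOING
$IncludeConfig /etc/rsyslog.d/*.conf
auth,authpriv.*    /var/log/auth.log
*.*                -/var/log/messages
*.*                @10.2.0.2
kern.warning       @@[2001:db8::10]:6514
"""

if __name__ == "__main__":
    for r in parse_forward_rules(SAMPLE_CONF):
        print(f"{r.selector:18} -> {r.proto}://{r.host}:{r.port}")
    print("all messages reach 10.2.0.2:", forwards_everything_to(SAMPLE_CONF, "10.2.0.2"))
```

UDP forwarding ("@host") is fire-and-forget, so a collector outage is not reported back to the camera; where the collector supports it, the TCP form ("@@host") at least surfaces connection failures in the local log.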