Security Rules
The following security guidelines must be adhered to in order to maintain the approved mode of operation:
■ Telnet must be disabled.
■ HTTPS must always be used instead of HTTP.
■ A TLS session must be enabled for SIP.
■ SNMPv3 keys must be entered in hexadecimal (password derivation must not be used).
■ Keys must only be imported through a dedicated physical link or a secure tunnel.
■ Configured passwords must contain at least eight characters.
■ The configured RADIUS secret must contain at least eight characters.
■ The module must be configured to restrict the number of failed authentication attempts to three per minute.
■ MD5, HMAC MD5, and 3DES are not to be used, unless mandated by an Acceptable Key Establishment Protocol.
■ TLS Context configuration:
  ● Ciphers of Server/Client should be configured not to use specific ciphers, as follows: DEFAULT:!RC4:!aNULL:!eNULL:!AECDH:!ADH:!CAMELLIA:!ARIA128:!SEED:!kRSA:!3DES.
  ● TLS1.3 Cipher of Server/Client should not use TLS_CHACHA20_POLY1305_SHA256.
  ● Key Exchange Groups should not use the X25519 and X448 groups.
  ● DH Key size should be 2048.
  ● PKEY file should not be encrypted with a passphrase.
  ● PKEY file of PKCS12 format should not be used.
■ Only the following algorithms are allowed:
  ● KexAlgorithms = "diffie-hellman-group-exchange-sha256:diffie-hellman-group14-sha1"
  ● Ciphers = "aes128-ctr:aes128-cbc:aes256-ctr:aes256-cbc"
  ● MAC = "hmac-sha1:hmac-sha2-256"
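The rules above are easy to drift from during routine administration, so an automated check of an exported configuration is the practical way to keep the approved mode in place. The following script is an added example, not the vendor's own tool: it encodes each rule as a test over a configuration dict and returns the list of violated rules. All field names in `cfg` (telnet_enabled, tls_ciphers, ssh, and so on) are assumptions and must be mapped to the device's real export format; the KexAlgorithms/Ciphers/MAC lists are assumed to be the SSH settings.

```python
# Added example, not the vendor's tool: checks an exported configuration against the rules above. Field names are assumptions.
REQUIRED_TLS_EXCLUSIONS = {"!RC4", "!aNULL", "!eNULL", "!AECDH", "!ADH", "!CAMELLIA",
                           "!ARIA128", "!SEED", "!kRSA", "!3DES"}
ALLOWED_SSH = {  # only these SSH algorithms are permitted
    "KexAlgorithms": {"diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"},
    "Ciphers": {"aes128-ctr", "aes128-cbc", "aes256-ctr", "aes256-cbc"},
    "MAC": {"hmac-sha1", "hmac-sha2-256"},
}

def split_list(value):
    """Split a colon-separated algorithm list into a set (empty string -> empty set)."""
    return {item for item in value.split(":") if item}

def check_config(cfg):
    """Return the list of violated rules; an empty list means the config is compliant."""
    v = []
    if cfg.get("telnet_enabled"):
        v.append("Telnet must be disabled")
    if cfg.get("http_enabled"):
        v.append("HTTPS must be used instead of HTTP")
    if not cfg.get("sip_tls_enabled"):
        v.append("TLS session must be enabled for SIP")
    if cfg.get("snmpv3_key_format") != "hex":
        v.append("SNMPv3 keys must be entered in hexadecimal")
    if any(len(pw) < 8 for pw in cfg.get("passwords", {}).values()):
        v.append("configured passwords must be at least 8 characters")
    if len(cfg.get("radius_secret", "")) < 8:
        v.append("RADIUS secret must be at least 8 characters")
    if cfg.get("failed_auth_per_minute") != 3:
        v.append("failed authentication attempts must be limited to 3 per minute")
    # The cipher string must carry every exclusion from the rule, not just some of them.
    missing = REQUIRED_TLS_EXCLUSIONS - split_list(cfg.get("tls_ciphers", ""))
    if missing:
        v.append("TLS cipher string lacks exclusions: " + ", ".join(sorted(missing)))
    if "TLS_CHACHA20_POLY1305_SHA256" in split_list(cfg.get("tls13_ciphers", "")):
        v.append("TLS 1.3 ciphers must not include TLS_CHACHA20_POLY1305_SHA256")
    if split_list(cfg.get("key_exchange_groups", "")) & {"X25519", "X448"}:
        v.append("key exchange groups must not include X25519 or X448")
    if cfg.get("dh_key_size") != 2048:
        v.append("DH key size must be 2048")
    if cfg.get("pkey_passphrase") or cfg.get("pkey_format") == "PKCS12":
        v.append("private key must not be passphrase-encrypted or in PKCS12 format")
    # SSH lists are allowlists: anything outside the approved set is a violation.
    for name, allowed in ALLOWED_SSH.items():
        extra = split_list(cfg.get("ssh", {}).get(name, "")) - allowed
        if extra:
            v.append(f"SSH {name} contains disallowed algorithms: " + ", ".join(sorted(extra)))
    return v
```

Run `check_config` over the exported settings after every change and treat a non-empty result as leaving the approved mode of operation.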