EX Controller Security Guidelines Version 1.0
NOTICE
The information contained in this document is believed to be accurate in all respects but is not warranted
by Mitel Networks™ Corporation (MITEL®). Mitel makes no warranty of any kind with regards to this
material, including, but not limited to, the implied warranties of merchantability and fitness for a particular
purpose. The information is subject to change without notice and should not be construed in any way as a
commitment by Mitel or any of its affiliates or subsidiaries. Mitel and its affiliates and subsidiaries assume
no responsibility for any errors or omissions in this document. Revisions of this document or new editions
of it may be issued to incorporate such changes.
No part of this document can be reproduced or transmitted in any form or by any means - electronic or
mechanical - for any purpose without written permission from Mitel Networks Corporation.
TRADEMARKS
The trademarks, service marks, logos and graphics (collectively "Trademarks") appearing on Mitel's
Internet sites or in its publications are registered and unregistered trademarks of Mitel Networks
Corporation (MNC) or its subsidiaries (collectively "Mitel") or others. Use of the Trademarks is prohibited
without the express consent from Mitel. Please contact our legal department at [email protected] for
additional information. For a list of the worldwide Mitel Networks Corporation registered trademarks,
please refer to the website: http://www.mitel.com/trademarks.
EX Controller
Security Guidelines
Version 1.0
October 2020
EX CONTROLLER SECURITY GUIDELINES
Overview/Introduction
The Mitel EX Controller is a multi-service business controller capable of running the MiVoice Business,
MiVoice 5000 or MiVoice MX-ONE call manager applications. The EX controller has been developed to
continue Mitel’s commitment to deliver simplified deployments. The Mitel EX controller supports up to 1,400
IP users and offers local survivability and PSTN access for analog users.
The Mitel EX Controller also supports ISDN PRI, E&M, and R2 T1/E1 providing access to the local PSTN.
The EX controller was designed to integrate with a wide variety of legacy and IP systems, Mitel call control
platforms, as well as management tools such as Mitel Performance Analytics.
SNMP management is enabled on UDP port 161 with the following settings:
Protocol | Authentication                           | Auth. Protocol | Privacy Protocol (encryption) | Privacy Password
SNMP V1  | N/A                                      | N/A            | N/A                           | N/A
SNMP V2c | N/A                                      | N/A            | N/A                           | N/A
SNMP V3  | With any system user with valid password | MD5            | None                          | Not used, but set internally to "PrivPassword"
SNMP management is enabled on UDP port 161 with the following settings:
Protocol | Authentication                           | Auth. Protocol | Privacy Protocol (encryption) | Privacy Password
SNMP V1  | N/A                                      | N/A            | N/A                           | N/A
SNMP V2c | N/A                                      | N/A            | N/A                           | N/A
SNMP V3  | With any system user with valid password | SHA1           | DES                           | default1
Changing passwords
Reminder: Always follow the instructions for your specific call manager.
It is possible to change the password at any time after the first synchronization by navigating to
Administration/System Users, selecting the admin account and choosing Reset password.
This method also synchronizes the new password across the different interfaces.
SNMP management is enabled on UDP port 161 with the following settings:
Protocol | Authentication                           | Auth. Protocol | Privacy Protocol (encryption) | Privacy Password
SNMP V1  | Disabled                                 |                |                               |
SNMP V2c | Disabled                                 |                |                               |
SNMP V3  | With any system user with valid password | SHA1           | DES                           | <automatically generated>
The EX controller includes a local firewall. The service allows you to protect the host unit from receiving packets
from unwanted or unauthorized peers.
It is designed to offer basic protection only and is not intended as a replacement for a dedicated enterprise-grade
firewall. Please read and understand the following section before using the service.
It is also recommended to add two additional rules in case you ever need to reconfigure the IP addresses of the
unit or re-run the EX deploy tool:
• The 192.168.0.0/28 network allows you to connect to the Lan1 default IP address with a laptop
connected on ETH2-5 using an IP in the 192.168.0.1-192.168.0.14 range.
• The 169.254.10.0/24 network is the internal virtual network that the EX Deployment tool uses to connect to
the EX host when provisioning.
• Then we add a rule to accept only traffic from the 10.0.0.0/8 network to the management
ports, and drop all other IP addresses: HTTPS (443 TCP), SNMP (161 UDP) and SSH (22 TCP).
• Then we add rules to allow the SIP trunk IP to access ports 5060 and 5061 in both UDP and TCP (TLS
uses TCP as well) and drop all other addresses.
• The next rule allows access to ports 5062-5069 from everywhere. These ports are often used as
alternative SIP trunk ports, or by the SBC or Survivability Proxy services.
• Finally, we add three rules to deal with the RTP traffic:
o The range of ports used by the EX interfaces for RTP media is 5004-6092 and the range of
ports for T.38 is 6004-6244. Since these ranges overlap with the SIP ports, we split them into the
ranges 5004-5059 and 5070-6244.
o When using the SBC, the range of ports is 20000-20999.
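The rule list above is evaluated top to bottom, first match wins, so the order of the accept and drop entries and the split of the media ranges around 5060-5069 both matter. The following Python model is an added example (it is not Mitel code and does not talk to the EX firewall); it encodes the rules as described, evaluates constructed packets against them and checks that no unrestricted accept rule swallows the SIP signalling ports. Port numbers and the 10.0.0.0/8 management network come from the text; the rule names, the SIP trunk address 203.0.113.10 (a documentation range) and the "drop" default policy are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model of the ordered, first-match rule list described above.
# Port numbers and the 10.0.0.0/8 management network come from the guideline;
# rule names, the SIP trunk address and the "drop" default are assumptions.


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "accept" or "drop"
    proto: Optional[str]               # "tcp", "udp" or None for any protocol
    src: Optional[str]                 # source network (CIDR), None for any source
    ports: Optional[Tuple[int, int]]   # inclusive destination port range, None for any


SIP_TRUNK = "203.0.113.10/32"   # assumed SIP trunk address (TEST-NET-3)
MGMT_NET = "10.0.0.0/8"         # management network from the text

RULES: List[Rule] = [
    # Keep a way back in if the LAN addresses ever need to be reconfigured.
    Rule("lan1-default", "accept", None, "192.168.0.0/28", None),
    Rule("exdeploy-virtual", "accept", None, "169.254.10.0/24", None),
    # Management ports only from the management network; drop everyone else.
    Rule("mgmt-https", "accept", "tcp", MGMT_NET, (443, 443)),
    Rule("mgmt-snmp", "accept", "udp", MGMT_NET, (161, 161)),
    Rule("mgmt-ssh", "accept", "tcp", MGMT_NET, (22, 22)),
    Rule("mgmt-drop-https", "drop", "tcp", None, (443, 443)),
    Rule("mgmt-drop-snmp", "drop", "udp", None, (161, 161)),
    Rule("mgmt-drop-ssh", "drop", "tcp", None, (22, 22)),
    # SIP signalling 5060-5061 only from the trunk, over UDP and TCP (TLS rides on TCP).
    Rule("sip-trunk-udp", "accept", "udp", SIP_TRUNK, (5060, 5061)),
    Rule("sip-trunk-tcp", "accept", "tcp", SIP_TRUNK, (5060, 5061)),
    Rule("sip-drop-udp", "drop", "udp", None, (5060, 5061)),
    Rule("sip-drop-tcp", "drop", "tcp", None, (5060, 5061)),
    # Alternative SIP ports used by the SBC / Survivability Proxy, open to everyone.
    Rule("sip-alt", "accept", None, None, (5062, 5069)),
    # RTP and T.38 media, split so that the ranges do not swallow 5060-5069.
    Rule("rtp-5004-5059", "accept", "udp", None, (5004, 5059)),
    Rule("rtp-5070-6244", "accept", "udp", None, (5070, 6244)),
    Rule("rtp-sbc", "accept", "udp", None, (20000, 20999)),
]


def evaluate(src_ip: str, proto: str, dport: int,
             rules: List[Rule] = RULES, default: str = "drop") -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule, or the default policy."""
    src = ip_address(src_ip)
    for rule in rules:
        if rule.proto is not None and rule.proto != proto:
            continue
        if rule.src is not None and src not in ip_network(rule.src):
            continue
        if rule.ports is not None and not (rule.ports[0] <= dport <= rule.ports[1]):
            continue
        return rule.action, rule.name
    return default, "default-policy"


def accept_rules_overlapping(lo: int, hi: int, rules: List[Rule] = RULES) -> List[str]:
    """Names of source-unrestricted accept rules whose port range intersects lo-hi.

    Used here to confirm that the media rules stay clear of the SIP signalling ports.
    """
    hits = []
    for rule in rules:
        if rule.action != "accept" or rule.src is not None or rule.ports is None:
            continue
        if rule.ports[0] <= hi and lo <= rule.ports[1]:
            hits.append(rule.name)
    return hits


if __name__ == "__main__":
    for pkt in [("10.20.30.40", "tcp", 443), ("198.51.100.7", "tcp", 443),
                ("203.0.113.10", "udp", 5060), ("198.51.100.7", "udp", 5060),
                ("198.51.100.7", "udp", 5500)]:
        print(pkt, "->", evaluate(*pkt))
    print("accept rules touching 5060-5069:", accept_rules_overlapping(5060, 5069))
```

Running the script shows the management ports accepted from 10.x and dropped from elsewhere, SIP 5060 accepted only from the trunk, and 5060-5069 reached only through the `sip-alt` rule, never through an RTP range.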
Using CA Certificates
The EX Controller uses digital certificates, which are a collection of data used to verify the identity of
individuals, computers, and other entities on a network.
Certificates contain:
• the certificate's name
• the issuer and issued to names
• the validity period (the certificate is not valid before or after this period)
• the use of certificates such as:
o TlsClient: The certificate identifies a TLS client. A host authenticated by this kind of certificate can
act as a client in a SIP over TLS connection when mutual authentication is required by the server.
o TlsServer: The certificate identifies a TLS server. A host authenticated by this kind of certificate can
serve files or web pages using the HTTPS protocol or can act as a server in a SIP over TLS
connection.
• whether or not the certificate is owned by a Certification Authority (CA)
Although certificates are factory-installed, new ones can also be added. Since certificates have a validity period
(start date and expiry date), the use of NTP (Network Time Protocol) is mandatory when using the security
features.
The EX Controller uses two types of certificates:
• Host Certificates: used to certify the unit (e.g.: a web server with HTTPS requires a host certificate).
• Others: Any other certificate including trusted CA certificates used to certify peers (e.g.: a SIP server with
TLS).
To enable a TLS connection, no CA certificate needs to be installed if the respective parameter for each
secure service (e.g. SIP, Conf, Cwmp, etc.) has the NoValidation value. If the value is different from
NoValidation, then at least one CA certificate needs to be installed; this certificate must be uploaded to the
unit. The EX Controller then checks the server identity by validating the host name used to contact it against the
information found in the server's certificate. If the validation fails, the unit refuses the secure connection. For the
SIP over TLS service, there are four (4) levels of validation: HostName, trustedCertificate, DNSSRV and
NoValidation (for a complete description of the validation levels, refer to the Help of the DGW Web interface
under SIP/Interop). The way the remote peer is evaluated for a secure connection differs for each level.
Remember that the unit must be correctly configured with an SNTP server, because the TLS server certificate is
also validated in terms of time (certificate validation/expiration date, etc.).
For example, consider a setup with two EX gateways and no SIP proxy in the middle: at least one of the units will
require a Host certificate. If only one unit has a Host certificate, calls will be allowed in only one direction
(Unit 1 calls Unit 2). For bi-directional calls, both units require a Host certificate. By default, it is not
possible to upload a Host certificate without first clicking on Activate unsecure certificate transfer. This is
because the certificate upload will be done in clear text, which means the private key will be susceptible to
interception.
Host Certificates
To enable HTTPS or SIP with TLS, the unit requires a Public key certificate. This certificate is not present in the
factory configuration but is generated and installed by the call manager or deployment tool.
• When the unit is provisioned with the EX deployment tool, a certificate is generated with the information
present in the Distinguished name field of the exdeploy web interface.
• For MX-ONE, please refer to the MX-ONE Optional Installations documentation.
Importing a Trusted CA
To import a Trusted CA into the unit:
• Go to Management/Certificates.
• Click Activate unsecure certificate transfer if needed.
• In the Certificate Import Through Web Browser table, from the Type selection list, select Other.
• Click Browse and select your certificate.
• Click Import.
• Click Apply.
• Click restart required services located at the top of the page.
To enable TLS:
• Navigate to the SIP/Transport tab.
• In the Protocol Configuration table, set TLS to Enable.
• Click Apply.
• You will need to restart the required services.
The NIST and PCI DSS standards require the use of TLS 1.2 and secure ciphers.
To force TLS 1.2 and the stronger CS3 cipher suite, you will need to use the Command Line Interface (CLI),
either through SSH or via the Inline Script interface (recommended).
• Log in to https://<IP of EX Controller>/
• Navigate to the Management/Configuration Scripts/Execute tab.
• Copy-paste the following commands:
    Web.HttpsCipherSuite=CS3
    Web.HttpMode=Secure
    Web.TlsVersion=TLSv1_2
    SipEp.TransportTlsCipherSuite=CS3
• Click Execute.
This will disable TLS 1.0, TLS 1.1 and all ciphers but the most secure ones for the HTTPS and SIP services.
Please refer to the following sections for more information on TLS versions and cipher suites.
TLS versions
MiVoice 5000 automatically sets the Web service to TLS 1.2 and CS3. For SIP, the configuration is TLSv1 and CS2
(for compatibility with older releases).
The following TLS settings are available on the EX Controller:
• TLSv1: Advertise TLS 1.2, but allow TLS versions 1 and up (default)
• TLSv1_1: Advertise TLS 1.2, but allow TLS versions 1.1 and up.
• TLSv1_2: Allow TLS versions 1.2 and up.
• SSLv3: Allow SSL version 3 and all TLS versions. Note: This parameter will be deprecated in firmware
version 46.0.
The device always sends its highest supported TLS version in the ClientHello message. The server selects the
highest TLS version it supports from those offered in the ClientHello. The device then validates that the selected
version is allowed by its configured setting; if the version is not allowed, the device closes the connection.
Cert.TransferHttpsTlsVersion = "TLSv1_2"
Conf.ScriptsTransferTlsVersion = "TLSv1_2"
Conf.ImageTransferTlsVersion = "TLSv1_2"
Cwmp.TransportHttpsTlsVersion = "TLSv1_2"
File.TransferHttpsTlsVersion = "TLSv1_2"
Fpu.MfpTransferTlsVersion = "TLSv1_2"
Nlm.PCaptureTransferTlsVersion = "TLSv1_2"
SipEp.TransportTlsVersion = "TLSv1_2"
Web.TlsVersion = "TLSv1_2"
Cipher Suites
MiVoice 5000 automatically sets the Web service to TLS 1.2 and CS3. For SIP, the configuration is TLSv1 and CS2
(for compatibility with older releases). Only AES ciphers are used to connect to MiVoice 5000.
The following Cipher Suites are available on the EX Controller:
• CS1 (default): most compatible set of ciphers, but contains weak DES and RC4
• CS2: contains additional Diffie-Hellman Ephemeral ciphers, does not contain insecure RC4, but still has
weak DES.
• CS3: contains only the most secure ciphers, including the recommended
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
Cert.TransferHttpsCipherSuite = "CS3"
Conf.ScriptsTransferCipherSuite = "CS3"
Conf.ImageTransferCipherSuite = "CS3"
Cwmp.TransportHttpsCipherSuite = "CS3"
File.TransferHttpsCipherSuite = "CS3"
Fpu.MfpTransferCipherSuite = "CS3"
Nlm.PCaptureTransferCipherSuite = "CS3"
SipEp.TransportTlsCipherSuite = "CS3"
Web.HttpsCipherSuite = "CS3"
Additional information
For more information on the different ciphers, please refer to the IANA assignment of TLS parameters web site:
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
There are also some interesting websites to get more information on TLS ciphers, such as:
• https://csrc.nist.gov/Publications
• https://www.pcisecuritystandards.org/
• https://ciphersuite.info/
• https://www.openssl.org/docs/
• https://owasp.org/www-project-cheat-sheets/cheatsheets/TLS_Cipher_String_Cheat_Sheet
Configuring SSH
By default, SSH is enabled on port 22, with the Standard Security Level.
To change the SSH settings:
• Navigate to the Management/Misc tab.
• In the CLI configuration table you can change:
o SSH Enable or Disable
o SSH port
o SSH Security Level (see below).
The Standard security level offers a good compromise between security and interoperability. The weakest
encryption algorithms (CBC and 3DES) are excluded. The following are accepted:
• cipher: aes256-ctr, aes128-ctr
• mac: hmac-sha1, hmac-sha2-256
• key exchange: diffie-hellman-group14-sha1, diffie-hellman-group14-sha256, ecdh-sha2-nistp256,
ecdh-sha2-nistp384, ecdh-sha2-nistp521, [email protected]
The Most Secure security level allows only the strongest algorithms and may not work with some SSH clients:
• cipher: aes256-ctr
• mac: hmac-sha2-256
• key exchange: ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256@libssh.org
The Permissive security level allows all algorithms and should only be used for compatibility with old SSH
clients:
• cipher: aes256-ctr, aes256-cbc, aes128-ctr, aes128-cbc, 3des-ctr, 3des-cbc
• mac: hmac-sha1, hmac-sha2-256
• key exchange: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group14-sha256,
ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256
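Whether a given SSH client can still reach the unit after raising the security level comes down to algorithm negotiation: for each of cipher, MAC and key exchange, the server takes the first entry in the client's preference list that it also supports, and the connection fails if any category has no common entry. The Python below is an added example, not Mitel code; it loads the three server-side lists printed above and works out, for a few constructed client offers, which levels each client could connect at. The one key-exchange entry that is unreadable in the Standard list above is assumed here to be curve25519-sha256@libssh.org; the client offers are invented for illustration.

```python
from typing import Dict, List, Optional

# Server-side algorithm lists for the three EX Controller SSH security levels,
# copied from this guide. The last Standard key-exchange entry is an assumption
# (the source is unreadable there). Client offers below are constructed.
LEVELS: Dict[str, Dict[str, List[str]]] = {
    "Standard": {
        "cipher": ["aes256-ctr", "aes128-ctr"],
        "mac": ["hmac-sha1", "hmac-sha2-256"],
        "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group14-sha256",
                "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
                "curve25519-sha256@libssh.org"],   # assumed entry
    },
    "Most Secure": {
        "cipher": ["aes256-ctr"],
        "mac": ["hmac-sha2-256"],
        "kex": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
                "curve25519-sha256@libssh.org"],
    },
    "Permissive": {
        "cipher": ["aes256-ctr", "aes256-cbc", "aes128-ctr", "aes128-cbc", "3des-ctr", "3des-cbc"],
        "mac": ["hmac-sha1", "hmac-sha2-256"],
        "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                "diffie-hellman-group14-sha256", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
                "ecdh-sha2-nistp521", "curve25519-sha256"],
    },
}

CATEGORIES = ("cipher", "mac", "kex")


def negotiate_ssh(level: str, client_offer: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Pick, per category, the first client-preferred algorithm the server accepts.

    This is the RFC 4253 section 7.1 rule: walk the client's list in order and
    take the first entry also present on the server side; None means no match,
    and a None in any category means the handshake fails at that level.
    """
    server = LEVELS[level]
    return {cat: next((alg for alg in client_offer[cat] if alg in server[cat]), None)
            for cat in CATEGORIES}


def compatible_levels(client_offer: Dict[str, List[str]]) -> List[str]:
    """Security levels at which this client would complete key exchange."""
    return [level for level in LEVELS
            if all(choice is not None for choice in negotiate_ssh(level, client_offer).values())]


# Constructed client offers (preference order matters).
LEGACY_CLIENT = {"cipher": ["aes128-cbc", "3des-cbc"],
                 "mac": ["hmac-sha1"],
                 "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"]}
MIDRANGE_CLIENT = {"cipher": ["aes128-ctr"],
                   "mac": ["hmac-sha2-256"],
                   "kex": ["ecdh-sha2-nistp256"]}
MODERN_CLIENT = {"cipher": ["chacha20-poly1305@openssh.com", "aes256-ctr", "aes128-ctr"],
                 "mac": ["hmac-sha2-256", "hmac-sha1"],
                 "kex": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"]}

if __name__ == "__main__":
    for name, offer in [("legacy", LEGACY_CLIENT), ("midrange", MIDRANGE_CLIENT),
                        ("modern", MODERN_CLIENT)]:
        print(name, "->", compatible_levels(offer))
        for level in LEVELS:
            print("   ", level, negotiate_ssh(level, offer))
```

The legacy client (CBC ciphers, group1 key exchange) only gets in at Permissive, which is the interoperability case the text reserves that level for; the mid-range client fails Most Secure solely because it offers no aes256-ctr, which is the kind of single-algorithm gap to check before switching a production unit to that level.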
By default, the Virtual Machines are accessible through the VNC protocol on ports 5900 (exdeploy) or 5901 (MIVB
and MiVoice 5000).
Once the configuration is completed, it is strongly recommended to disable VNC access. To do so:
• Navigate to the System/VM tab on the EX host.
• Change the Vnc Id of the call manager to -1.
• Click Apply.
Important notes:
• Always leave SNMP enabled (V3) for MiVB and MiVoice 5000.
• If you disable both Web and CLI, you will not be able to configure your unit unless you perform a
factory reset.
Disclaimer
THIS DOCUMENT IS PROVIDED “AS IS” AND WITHOUT WARRANTY. IN NO EVENT WILL MITEL NETWORKS
CORPORATION OR ITS AFFILIATES HAVE ANY LIABILITY WHATSOEVER ARISING FROM IN CONNECTION WITH THIS
DOCUMENT. You acknowledge and agree that you are solely responsible to comply with any and all laws and
regulations in association with your use of the Mitel EX Controller and/or other Mitel products and solutions
including without limitation, laws and regulations related to call recording and data privacy. The information
contained in this document is not, and should not be construed as, legal advice. Should further analysis or
explanation of the subject matter be required, please contact an attorney.