EX Controller Security Guidelines Version 1.0


EX Controller

VERSION 1.0

SECURITY GUIDELINES
NOTICE
The information contained in this document is believed to be accurate in all respects but is not warranted
by Mitel Networks™ Corporation (MITEL®). Mitel makes no warranty of any kind with regards to this
material, including, but not limited to, the implied warranties of merchantability and fitness for a particular
purpose. The information is subject to change without notice and should not be construed in any way as a
commitment by Mitel or any of its affiliates or subsidiaries. Mitel and its affiliates and subsidiaries assume
no responsibility for any errors or omissions in this document. Revisions of this document or new editions
of it may be issued to incorporate such changes.

No part of this document can be reproduced or transmitted in any form or by any means - electronic or
mechanical - for any purpose without written permission from Mitel Networks Corporation.

TRADEMARKS
The trademarks, service marks, logos and graphics (collectively "Trademarks") appearing on Mitel's
Internet sites or in its publications are registered and unregistered trademarks of Mitel Networks
Corporation (MNC) or its subsidiaries (collectively "Mitel") or others. Use of the Trademarks is prohibited
without the express consent from Mitel. Please contact our legal department at [email protected] for
additional information. For a list of the worldwide Mitel Networks Corporation registered trademarks,
please refer to the website: http://www.mitel.com/trademarks.

© Copyright 2020, Mitel Networks Corporation


All rights reserved

EX Controller
Security Guidelines
Version 1.0
October 2020
TABLE OF CONTENTS

Overview/Introduction
Important note about password synchronization and management
Default passwords and access
    Factory settings
    After running the EX Controller Deployment tool (exdeploy)
Choosing a secure password
Changing passwords
    Changing passwords with MiVoice Business
    Changing passwords with MiVoice 5000
    Changing passwords with MX-ONE
    Changing passwords manually on the EX controller
    Protecting against brute-force attempts
Securing the SNMP Interface
    Disabling SNMP V1 and V2
    Configuring SNMP V3 for secure access
Using the Local Firewall
    Important notes about the Local Firewall
    Deciding on a Default Policy
    Enabling the Firewall and adding management IP addresses
    Firewall rules with Default Policy = Accept
    Firewall rules with Default Policy = Drop
    Ports used by the EX Controller
Enabling TLS encryption
    Using CA Certificates
    Host Certificates
    Importing a Trusted CA
    Enabling TLS Transport for SIP
    Setting the SIP to use Secure RTP
    Forcing the use of HTTPS
    Disabling TLS 1.0, 1.1 and insecure cipher suites
    TLS versions
    Cipher Suites
        Ciphers included in CS1
        Ciphers included in CS2
        Ciphers included in CS3
    Additional information
    Configuring SSH
Securing the Virtual Machine
Other security settings
    Associating the Network Interface to the System Management Services
    Stopping or Disabling Services
    Configuring 802.1x Authentication
    Disabling Partial Reset
    Disabling DHCP Server Download
Disclaimer

EX CONTROLLER SECURITY GUIDELINES

Overview/Introduction
The Mitel EX Controller is a multi-service business controller capable of running the MiVoice Business,
MiVoice 5000 or MiVoice MX-ONE call manager applications. The EX controller has been developed to
continue Mitel’s commitment to deliver simplified deployments. The Mitel EX controller supports up to 1,400
IP users and offers local survivability and PSTN access for analog users.
The Mitel EX Controller also supports ISDN PRI, E&M, and R2 T1/E1 providing access to the local PSTN.
The EX controller was designed to integrate with a wide variety of legacy and IP systems, Mitel call control
platforms, as well as management tools such as Mitel Performance Analytics.

Important note about password synchronization and management
Since the EX Controller is tightly integrated with the various call managers, it is important to keep in mind
that each one might have different password policies and synchronization mechanisms.
Always follow the instructions for your specific call manager.

Default passwords and access


Factory settings
Out of the box, or after a factory reset, the EX Controller has the following default passwords and access
rights.

System users (web interface and SSH access):

User Name   Password        Access Rights
admin       Administrator   Full admin rights
public      <blank>         Full admin rights

SNMP management is enabled on UDP port 161 with the following settings:

Protocol   Authentication                          Auth. Protocol   Privacy Protocol (encryption)   Privacy Password
SNMP V1    N/A                                     N/A              N/A                             N/A
SNMP V2c   N/A                                     N/A              N/A                             N/A
SNMP V3    With any system user with valid password   MD5           None                            Not used, but set internally to “PrivPassword”


After running the EX Controller Deployment tool (exdeploy)


When running the EX Controller Deployment tool to install MiVB or MiVoice 5000, the exdeploy tool adds the
mimx user with password default1, and synchronizes this password with the SNMP interface and inside the
call manager Virtual Machine.

System users (web interface and SSH access):

User Name   Password        Access Rights
admin       administrator   Full admin rights
mimx        default1        Full admin rights
public      <blank>         Full admin rights

SNMP management is enabled on UDP port 161 with the following settings:

Protocol   Authentication                          Auth. Protocol   Privacy Protocol (encryption)   Privacy Password
SNMP V1    N/A                                     N/A              N/A                             N/A
SNMP V2c   N/A                                     N/A              N/A                             N/A
SNMP V3    With any system user with valid password   SHA1          DES                             default1

Choosing a secure password


In order to be compatible with the password policies of the different call managers and management interfaces, you
must change the password according to the following policies:
• Password must be from 8 to 20 characters
o DES (used in SNMPv3) uses a 56-bit key, and the password needs to be 8x7-bit ASCII characters.
o MiVB has a limitation of 20 characters.
• The following policies are also required for MiVB, MSL and other systems using cracklib:
o Should contain all the following:
▪ Upper-case letters (A-Z)
▪ Lower-case letters (a-z)
▪ Numbers (0-9)
▪ Special characters (` ~ ! @ # $ % ^ & * ( ) - _ = + .)
o Must not contain the user's login ID (username), current password, or the default System
password
o Must not contain a dictionary word (or reversed word)
o Must not be too simplistic/systematic
o Must contain at least 5 unique characters
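The following Python checker is an added example, not code from this guide or from cracklib; it encodes the policy above so that a candidate password can be tested before it is pushed to every synchronized account. The tiny word list, the list of default system passwords taken from the tables above, and the sequential-run heuristic used for "too simplistic/systematic" are assumptions; a production check uses a full dictionary.

```python
"""Password policy checker modelled on the rules in "Choosing a secure password"."""

# Constructed, deliberately tiny word list standing in for a cracklib dictionary (assumption).
DICTIONARY_WORDS = {"password", "welcome", "summer", "mitel", "secret", "admin"}
# Special characters allowed by the policy.
SPECIAL_CHARS = set("`~!@#$%^&*()-_=+.")
# Default system passwords named in the tables earlier in this guide.
DEFAULT_SYSTEM_PASSWORDS = {"administrator", "default1"}


def _has_sequential_run(text, length=4):
    """Heuristic (assumption) for 'too systematic': a run of `length` consecutive
    ascending or descending code points such as 'abcd' or '4321'."""
    for i in range(len(text) - length + 1):
        window = [ord(c) for c in text[i:i + length]]
        deltas = {b - a for a, b in zip(window, window[1:])}
        if deltas == {1} or deltas == {-1}:
            return True
    return False


def check_password(candidate, username="", current_password=""):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if not 8 <= len(candidate) <= 20:
        problems.append("length must be 8 to 20 characters")
    if any(ord(c) > 127 for c in candidate):
        problems.append("only 7-bit ASCII characters are allowed")
    if not any(c.isupper() for c in candidate):
        problems.append("needs an upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("needs a lower-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs a digit")
    if not any(c in SPECIAL_CHARS for c in candidate):
        problems.append("needs a special character")
    lowered = candidate.lower()
    if username and username.lower() in lowered:
        problems.append("contains the login ID")
    if current_password and current_password.lower() in lowered:
        problems.append("contains the current password")
    if any(d in lowered for d in DEFAULT_SYSTEM_PASSWORDS):
        problems.append("contains a default system password")
    if any(w in lowered or w[::-1] in lowered for w in DICTIONARY_WORDS):
        problems.append("contains a dictionary word (or a reversed one)")
    if len(set(candidate)) < 5:
        problems.append("needs at least 5 unique characters")
    if _has_sequential_run(candidate):
        problems.append("too systematic (sequential characters)")
    return problems


if __name__ == "__main__":
    for pw in ("default1", "Mitel2020!", "Aaaa1111!!", "Tr0ub4dor!x"):
        print(f"{pw!r}: {check_password(pw, username='admin') or 'OK'}")
```

Because the same password is synchronized to the MiVB admin account, the MSL root account, the EX host users and the SNMPv3 privacy password, a candidate that fails any one of these checks is rejected before it reaches any of them.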


Changing passwords
Reminder: Always follow the instructions for your specific call manager.

Changing passwords with MiVoice Business


• Log in to the MSL server manager:
o https://<IP of call manager>/server-manager/
o Username: admin
o The default password is default1
• The first time, you will be prompted to change the password before continuing.
• Make sure the new password contains at least 8 characters.
• The same password will now be used for:
o The “admin” account in MiVB
o The “root” account in MSL
o The “admin”, “mimx” and “public” users on the EX host
o The SNMPv3 Privacy password
• The synchronization can take a few minutes.

It’s possible to change the password at any time after the first synchronization by using the
Administration/System Users, choosing the admin account and choosing Reset password.
This method also handles synchronization of the password in the different interfaces.

Changing passwords with MiVoice 5000


The MiVoice 5000 automatically creates an mv5000 account with a password generated from the “PBX secret
element”.
The admin account is modified to have read access only. The mimx account used to deploy the VM is deleted.
The connection to the EX should be set up using the MiVoice 5000 MMI.
The mv5000 password must not be changed by the user.


System users (web interface and SSH access):

User Name   Password                    Access Rights
admin       administrator               Observer rights
public      <blank>                     Observer rights
mv5000      <automatically generated>   Full admin rights

SNMP management is enabled on UDP port 161 with the following settings:

Protocol   Authentication                          Auth. Protocol   Privacy Protocol (encryption)   Privacy Password
SNMP V1    Disabled
SNMP V2c   Disabled
SNMP V3    With any system user with valid password   SHA1          DES                             <automatically generated>

Changing passwords with MX-ONE


The password for MX-ONE is changed using the ‘mxone_maintenance’ script from the MX-ONE.
It is not possible to change a password for an EX Controller from the MX-ONE; it has to be changed manually on the
EX Controller, see section 6.4 Changing passwords manually on the EX controller.

Changing passwords manually on the EX controller


For the MiVoice 5000, the password of the mv5000 account must not be changed. Another account can be created if
needed.
If you are not using one of the integrated call managers, you can change the passwords manually on the EX
host itself.
• Log in to https://<IP of EX Controller>/ and go to the Management/Access Control tab.
• In the Users table, enter a new password for the user.
• Click Apply.


For more information, refer to the Access Control Management documentation:

https://documentation.media5corp.com/display/DGWLATEST/Access+Control+Management

Protecting against brute-force attempts


The EX Controller has protection against brute-force login attempts.
When this protection is enabled, a user account is temporarily locked after repeated login failures. Lock
Protection is set to Enable by default for each user in the Management/Access Control tab.
The maximum number of login attempts before locking the user's account is 5 by default. After the maximum
number of attempts, the account is disabled for 300 seconds by default.
These values can be configured in the Command-Line Interface with the Aaa.LoginLockedMaxRetry and
Aaa.LoginLockedTimeoutS parameters.
On MiVoice 5000 these parameters are set automatically.


Securing the SNMP Interface


By default, SNMP access is allowed for all protocol versions. This is required for the initial provisioning of the unit by
the EX Deployment tool, as well as by MiCW.
With the MiVoice 5000, SNMP is automatically secured and configured for SNMP V3. The SNMP V3 Privacy
Password is the same as the password generated for the mv5000 account.
SNMP V1 and V2 are disabled by the MiVoice 5000. This security feature can be cancelled using the MiVoice 5000
MMI.

Disabling SNMP V1 and V2


After the system is fully deployed, it is strongly recommended that the Administrator disable SNMP V1 and V2,
since they do not use any authentication or encryption.
• Log in to https://<IP of EX Controller>/ using the default or current credentials, depending on the case.
• Go to the Management/SNMP tab.
• In the SNMP Configuration table, set the following parameters:
o Set Enable SNMP V1 to Disable.
o Set Enable SNMP V2 to Disable.
o Notes:
▪ Always leave SNMP V3 set to Enable. This is required for the correct operation of MiVB.
▪ When SNMP V2 is set to Disable, the unit will not accept unauthenticated SNMP requests,
but will still be able to send V2 traps if SNMP V3 is also enabled.
• Click Apply.


Configuring SNMP V3 for secure access


Note: do not perform these operations if you are running MiVoice Business or MiVoice 5000. These settings
are configured by the EX Deployment tool and synchronized with the call managers.
• Go to the Management/SNMP tab.
• In the SNMP Configuration table, set the following parameters:
o Set the Authentication Protocol to SHA1.
o Set the Privacy Protocol to DES.
o Set the Privacy Password. It must contain at least 8 characters. In MiVB, this needs to be the
same as the password for the “mimx” user.
• Click Apply.
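As an added worked example (not Mitel's code and not the device's implementation), the following Python shows the RFC 3414 key derivation by which the SNMPv3 passwords configured above become per-agent keys: the factory default uses MD5 authentication, the recommended configuration uses SHA1 authentication with DES privacy, and the Privacy Password is reduced to a 56-bit DES key plus a pre-IV. The passphrase "maplesyrup" and the 12-byte engine ID are the published RFC 3414 Appendix A test vector; the function names are my own.

```python
import hashlib

ONE_MEGABYTE = 1_048_576  # amount of repeated passphrase that is hashed, per RFC 3414 A.2


def password_to_key(password, hash_name):
    """Step 1 of RFC 3414 A.2: Ku = H(passphrase repeated cyclically to fill 1 MiB).
    The minimum length is the reason the guide asks for at least 8 characters."""
    if len(password) < 8:
        raise ValueError("SNMPv3 passphrases must be at least 8 characters (RFC 3414)")
    pw = password.encode("ascii")
    reps, remainder = divmod(ONE_MEGABYTE, len(pw))
    return hashlib.new(hash_name, pw * reps + pw[:remainder]).digest()


def localize_key(ku, engine_id, hash_name):
    """Step 2: Kul = H(Ku || snmpEngineID || Ku), binding the key to a single agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(auth_password, priv_password, engine_id, auth_protocol="sha1"):
    """Derive the localized authentication key and the DES privacy key material.
    With the guide's settings (SHA1 auth, DES privacy) both passwords are processed
    with SHA1; DES takes the first 8 bytes of the localized privacy key as its 56-bit
    key (parity bits ignored) and the next 8 bytes as the pre-IV (RFC 3414 8.1.1.1)."""
    auth_kul = localize_key(password_to_key(auth_password, auth_protocol), engine_id, auth_protocol)
    priv_kul = localize_key(password_to_key(priv_password, auth_protocol), engine_id, auth_protocol)
    return {
        "auth_key": auth_kul,
        "des_key": priv_kul[:8],
        "des_pre_iv": priv_kul[8:16],
    }


# RFC 3414 Appendix A test vector (published values, not device data).
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC3414_PASSWORD = "maplesyrup"

if __name__ == "__main__":
    ku = password_to_key(RFC3414_PASSWORD, "md5")
    print("MD5 Ku :", ku.hex())
    print("MD5 Kul:", localize_key(ku, RFC3414_ENGINE_ID, "md5").hex())
    keys = usm_keys(RFC3414_PASSWORD, RFC3414_PASSWORD, RFC3414_ENGINE_ID, "sha1")
    print("SHA1 auth key:", keys["auth_key"].hex())
    print("DES key      :", keys["des_key"].hex(), "pre-IV:", keys["des_pre_iv"].hex())
```

Two consequences are visible in the code: the localized key depends on the agent's engine ID, which is why the guide synchronizes the password itself across the EX host, the call manager and the SNMP interface rather than copying keys; and however long the privacy password is, DES only ever uses 56 bits of the localized key, which is the weakness the cipher-suite and TLS sections later address for the other services.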


Using the Local Firewall


NOTE: The EX controller should never be connected directly to the internet. The EX controller should always
connect to the internet via a properly configured enterprise grade firewall.

The EX controller includes a local firewall. The service allows you to protect the host unit from receiving packets
from unwanted or unauthorized peers.
It is designed to offer a basic protection only and not intended as a replacement for a dedicated enterprise grade
firewall. Please read and understand the following section before using the service.

Important notes about the Local Firewall


• The local firewall only protects the local EX Controller host and does not protect the call manager Virtual
Machine or other hosts on the network.
• It supports IPv4 only.
• The maximum number of firewall rules is 20.
• While dedicated, enterprise-grade firewalls use optimized hardware, the EX Controller firewall is
software-based, and heavy traffic can have impacts on overall performance of the unit.
• Before setting the Default Policy to Drop, always make sure at least one rule accepts incoming packets for
your PC or management networks; otherwise the communication with the EX Controller will be lost.

Deciding on a Default Policy


When configuring a firewall, the key element is the default policy, which determines what happens to traffic
that is not matched by any other rule.
A default policy of Accept means everything is allowed except a specific list of ports or IP addresses that are
explicitly defined (a blacklist). It is generally easier to keep services reachable out-of-the-box while preventing,
for example, SIP scanners on port 5060.
A default policy of Drop means that any traffic not matched by an explicit rule will not be allowed. This is akin
to a whitelist. It is the more secure approach. However, it can be more complicated to set up, especially for
VoIP, because of the need to whitelist every possible RTP port range.
It is usually recommended to start with the basic Accept policy when installing a new system, then adopt the
more restrictive approach once the whole scenario has been tested and deployed.

Enabling the Firewall and adding management IP addresses


By default, the local firewall is started automatically at boot-up, with the Default Policy set to Accept. This
means that all incoming packets for established or related connections are allowed.
Before changing the policy, or adding rules to drop packets, it is essential to start by adding specific rules that
give the management tools' IP addresses full access to the device. These generally include the PC you’re using to
configure the unit, as well as the Call Manager and EX Deploy tool IP addresses.

• Go to the Network/Local Firewall tab.
• Leave the Default Policy set to Accept.
• Click the add icon to add a new rule for your PC:
o Set Activation to Enable.
o Set Source Address to the IP address of your PC.
o Leave all other fields at their default values (Protocol=All, Action=Accept).
• Perform the same operation with the Call Manager IP address (MiVB, MiVoice 5000).
• Click Save & Apply.

It is also recommended to add two additional rules in case you ever need to reconfigure the IP addresses of the
unit or re-run the EX deploy tool:
• The 192.168.0.0/28 network will allow you to connect to the Lan1 default IP address with a laptop
connected on ETH2-5 using an IP in the 192.168.0.1-192.168.0.14 range.
• The 169.254.10.0/24 is the internal virtual IP that the EX Deployment tool uses to connect to the EX host
when provisioning.

Firewall rules with Default Policy = Accept


In this example, we will show a standard set of firewall rules using the Accept Default Policy. We will assume
only the network 10.0.0.0/8 needs to have access to the management interfaces. Also, we will restrict SIP traffic
to the specific SIP trunk IP.
• First, make sure the section “Enabling the Firewall and adding management IP addresses” has been
performed and make sure your PC and other management have rules defined and applied.
• Next, we will drop all packets to the VNC ports (5900-5901 TCP) and HTTP (port 80 TCP).
o Note that they will still be accessible from your PC since the first matching rule is always
executed first.
• Then we will add a rule to accept only traffic from the 10.0.0.0/8 network to the management ports,
and drop all other IP addresses:
o HTTPS (443 TCP)
o SNMP (161 UDP)
o SSH (22 TCP)


• Then, we add rules to allow the SIP trunk IP to access ports 5060 and 5061 in both UDP and TCP (TLS
uses TCP as well) and drop all other addresses.

Firewall rules with Default Policy = Drop


In this example, we will show the same configuration as the previous section but using the Drop Default Policy.
Again, we will assume only the network 10.0.0.0/8 needs to have access to the management interfaces and
restrict SIP traffic to the specific SIP trunk IP.
• First, make sure the section “Enabling the Firewall and adding management IP addresses” has been
performed and make sure your PC and other management have rules defined and applied.
• Then, we can set the policy to Drop.
• Since the policy is to drop everything by default, we do not need to add rules to drop the VNC ports
(5900-5901 TCP) and HTTP (port 80 TCP).
• Then we add a rule to accept only traffic from the 10.0.0.0/8 network to the management ports, and
drop all other IP addresses: HTTPS (443 TCP), SNMP (161 UDP) and SSH (22 TCP).
• Then, we add rules to allow the SIP trunk IP to access ports 5060 and 5061 in both UDP and TCP (TLS
uses TCP as well) and drop all other addresses.
• The next rule is to allow access to ports 5062-5069 from everywhere. These ports are often used as
alternative SIP trunk ports or by the SBC or Survivability Proxy services.
• Finally, we add three rules to deal with the RTP traffic:
o The range of ports used by the EX interfaces for the RTP media is 5004-6092 and the range of
ports for T.38 is 6004-6244. Since these ports overlap with the SIP ports, we split them into the
ranges 5004-5059 and 5070-6244.
o When using the SBC, the range of ports is 20000-20999.
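The Python below is an added illustration, not Mitel's code and not the unit's actual rule engine. It models the Drop-policy rule set described in this section with the first-match semantics the guide relies on, and encodes its two cautions: the 20-rule limit, and the requirement that a management station still be accepted before the Default Policy is switched to Drop. The addresses 10.1.1.50 (PC), 10.1.1.10 (call manager) and 203.0.113.10 (SIP trunk) are constructed, and treating a rule's ports as an inclusive destination port range is an assumption about the rule table.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_RULES = 20  # limit stated in "Important notes about the Local Firewall"
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    source: ipaddress.IPv4Network      # Source Address field of the rule
    protocol: str                      # "All", "TCP" or "UDP"
    ports: Optional[Tuple[int, int]]   # inclusive destination port range; None = any (assumption)
    action: str                        # "Accept" or "Drop"

    def matches(self, src_ip, proto, dport):
        if src_ip not in self.source:
            return False
        if self.protocol != "All" and self.protocol != proto:
            return False
        if self.ports is not None and not (self.ports[0] <= dport <= self.ports[1]):
            return False
        return True


def evaluate(rules, default_policy, src_ip, proto, dport):
    """The first matching rule decides; otherwise the Default Policy applies.
    Returns (action, index of the matching rule, or None when the default applied)."""
    ip = ipaddress.ip_address(src_ip)
    for index, rule in enumerate(rules):
        if rule.matches(ip, proto, dport):
            return rule.action, index
    return default_policy, None


def safe_to_set_drop(rules, management_ip):
    """Precondition from the guide before switching to Default Policy = Drop: some rule must
    still accept the management station (checked here on HTTPS), or access to the unit is lost."""
    return evaluate(rules, "Drop", management_ip, "TCP", 443)[0] == "Accept"


def build_drop_policy_rules(pc_ip, call_manager_ip, sip_trunk_ip):
    """Rule set from "Firewall rules with Default Policy = Drop", in evaluation order."""
    net = ipaddress.ip_network
    mgmt_net = net("10.0.0.0/8")
    rules = [
        # Management stations first: full access, any protocol.
        Rule(net(pc_ip), "All", None, "Accept"),
        Rule(net(call_manager_ip), "All", None, "Accept"),
        Rule(net("192.168.0.0/28"), "All", None, "Accept"),    # Lan1 default address recovery
        Rule(net("169.254.10.0/24"), "All", None, "Accept"),   # EX Deployment tool virtual IP
        # Management ports only from 10.0.0.0/8.
        Rule(mgmt_net, "TCP", (443, 443), "Accept"),
        Rule(mgmt_net, "UDP", (161, 161), "Accept"),
        Rule(mgmt_net, "TCP", (22, 22), "Accept"),
        # SIP signalling only from the trunk, UDP and TCP (TLS runs over TCP).
        Rule(net(sip_trunk_ip), "UDP", (5060, 5061), "Accept"),
        Rule(net(sip_trunk_ip), "TCP", (5060, 5061), "Accept"),
        # Alternate SIP ports from everywhere.
        Rule(ANY, "UDP", (5062, 5069), "Accept"),
        Rule(ANY, "TCP", (5062, 5069), "Accept"),
        # RTP / T.38 split around the SIP ports, plus the SBC media range.
        Rule(ANY, "UDP", (5004, 5059), "Accept"),
        Rule(ANY, "UDP", (5070, 6244), "Accept"),
        Rule(ANY, "UDP", (20000, 20999), "Accept"),
    ]
    if len(rules) > MAX_RULES:
        raise ValueError(f"{len(rules)} rules exceed the limit of {MAX_RULES}")
    return rules


if __name__ == "__main__":
    rules = build_drop_policy_rules("10.1.1.50", "10.1.1.10", "203.0.113.10")
    print("safe to switch to Drop:", safe_to_set_drop(rules, "10.1.1.50"))
    for pkt in [("10.2.3.4", "TCP", 443), ("198.51.100.7", "TCP", 443),
                ("10.1.1.50", "TCP", 5900), ("198.51.100.7", "UDP", 5060),
                ("198.51.100.7", "UDP", 6000)]:
        print(pkt, "->", evaluate(rules, "Drop", *pkt))
```

Running it shows why the ordering matters: the management PC reaches VNC (port 5900) through the first rule even though nothing else allows that port, an address outside 10.0.0.0/8 never reaches HTTPS, a SIP scanner hitting port 5060 from an unknown address is dropped while the trunk is accepted, and RTP from anywhere lands on the 5070-6244 rule.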


Ports used by the EX Controller


Listening ports

Connection Type          Default Port(s)                                        Transport Protocol
SSH                      22                                                     TCP
HTTP                     80                                                     TCP
SNMP (Management)        161                                                    UDP
HTTPS                    443                                                    TCP
SIP                      5060                                                   UDP / TCP
SIP/TLS                  5061                                                   TCP (TLS)
SIP (Alternate ports)    5062-5069                                              UDP / TCP / TLS
VNC (VM only)            5900-5901                                              TCP
RTP/SRTP                 5004-6092; 40000-40200 (MiVoice 5000 configuration)   UDP
T.38                     6004-6244                                              UDP
SBC RTP/SRTP             20000-20999

With the MiVoice 5000 automatic configuration, the HTTP and SBC ports are not used.

Outbound ports

Connection Type                          Default Port(s)   Transport Protocol
FTP                                      21                TCP
DNS                                      53                UDP
DHCP                                     68                UDP
TFTP                                     69                UDP
SNTP                                     123               UDP
SNMP Trap                                162               UDP
Syslog                                   514               UDP
RADIUS default port for authentication   1812              TCP
RADIUS default port for accounting       1813              TCP
Debug Signaling Log Host                 6000              UDP
Persistent TLS or endpoint gateway       16000-16028       UDP / TCP / TLS


Enabling TLS encryption


With MiVoice 5000, TLS is activated by default and a self-signed host certificate is installed on the EX. The
MiVoice 5000 certificate is also configured to allow mutual (dual) authentication. By default, the same host certificate
is assigned to both the Web and SIP services.
A trusted CA can be used in place of the self-signed certificate, as described in Importing a Trusted CA.

Using CA Certificates
The EX Controller uses digital certificates, which are a collection of data used to verify the identity of
individuals, computers, and other entities on a network.
Certificates contain:
• the certificate's name
• the issuer and issued to names
• the validity period (the certificate is not valid before or after this period)
• the use of certificates such as:
o TlsClient: The certificate identifies a TLS client. A host authenticated by this kind of certificate can
act as a client in a SIP over TLS connection when mutual authentication is required by the server.
o TlsServer: The certificate identifies a TLS server. A host authenticated by this kind of certificate can
serve files or web pages using the HTTPS protocol or can act as a server in a SIP over TLS
connection.
• whether or not the certificate is owned by a Certification Authority (CA)

Although certificates are factory-installed, new ones can also be added. Since certificates have a validity period
(start date and expiry date), the use of NTP (Network Time Protocol) is mandatory when using the security
features.
The EX Controller uses two types of certificates:
• Host Certificates: used to certify the unit (e.g.: a web server with HTTPS requires a host certificate).
• Others: Any other certificate including trusted CA certificates used to certify peers (e.g.: a SIP server with
TLS).

To enable a TLS connection, no CA certificate needs to be installed if the validation parameter of each
secure service (e.g. SIP, Conf, Cwmp, etc.) has the NoValidation value. If the value is anything other than
NoValidation, at least one CA certificate needs to be installed; this certificate must be uploaded to the
unit. The EX Controller then checks the server identity by validating the host name used to contact it against the
information found in the server's certificate. If the validation fails, the unit refuses the secure connection. For the
SIP over TLS service, there are four (4) levels of validation: HostName, trustedCertificate, DNSSRV, and
NoValidation (for a complete description of the validation levels, refer to the Help of the DGW Web interface
under SIP/Interop). The way the remote peer is evaluated for a secure connection differs for each level.
Remember that the unit must be correctly configured with an SNTP server because the TLS server certificate is
also validated in terms of time (certificate validity/expiration date, etc.).
For example, consider a setup with two EX gateways and no SIP proxy in the middle. At least one of the units will
require a Host certificate. If only one unit has a Host certificate, calls will be allowed in only one direction
(Unit 1 calls Unit 2). For bi-directional calls, both units require a Host certificate. By default, it is not
possible to upload a Host certificate without first clicking Activate unsecure certificate transfer, because
the certificate upload is done in clear text, which means the private key is susceptible to interception.

Certificates are used to secure the following connections:


• SIP
• Configuration Web pages
• File transfers (scripts, firmware, etc.) with HTTPS
• Configuration using TR-069
• Wired Ethernet Authentication with EAP (802.1x)

Host Certificates
To enable HTTPS or SIP with TLS, the unit requires a Public key certificate. This certificate is not present in the
factory configuration but is generated and installed by the call manager or deployment tool.
• When the unit is provisioned with the EX deployment tool, a certificate is generated with the information
present in the Distinguished name field of the exdeploy web interface.
• For MX-ONE, please refer to the MX-ONE Optional Installations documentation.

To validate that a Host Certificate is present:


• Log in to https://<IP of EX Controller>/ and go to the Management/Certificates tab.
• Make sure there is a certificate present and is within the Valid From and Valid To dates.
• In the Host Certificate Associations, make sure each required service is associated with a certificate.

For more information on host certificates, visit:

https://documentation.media5corp.com/display/DGWLATEST/Creating+a+Media5+Device+Host+Certificate+with+OpenSSL


Importing a Trusted CA
To import a Trusted CA into the unit:
• Go to Management/Certificates.
• Click Activate unsecure certificate transfer if needed.
• In the Certificate Import Through Web Browser table, from the Type selection list, select Other.
• Click Browse and select your certificate.
• Click Import.
• Click Apply.
• Click restart required services located at the top of the page.

A trusted CA can be used in place of the self-signed host certificate.

The MiVoice 5000 automatically imports the PBX SIP certificate authority. If dual homing is configured, two
authorities may be imported.

Enabling TLS Transport for SIP


This is done automatically by the MiVoice 5000.
Important:
• The EX Controller does not support a mix of TLS and non-TLS links. Once TLS is enabled, all
configured gateways will use TLS, and all other protocols will be disabled.
• Your Call Manager must also be configured for TLS.

To enable TLS:
• Navigate to the SIP/Transport tab.
• In the Protocol Configuration table, set TLS to Enable.
• Click Apply.
• You will need to restart the required services.


Setting the SIP to use Secure RTP


This is done automatically by the MiVoice 5000.
Important: the settings must also match the configuration of your Call Manager.
To enable or force Secure RTP (SRTP):
• Go to the Media/Security tab.
• To set the security for all ports on the system, leave Select Endpoint to Default, or choose a specific
endpoint you want to configure in the drop-down menu.
• Under the RTP section, set Mode to Secure .
• Set the other parameters based on your desired configuration.
• Click Apply .

Forcing the use of HTTPS


This is done automatically on the MiVoice 5000.
By default, the web management interface is accessible in HTTP mode (port 80), and in HTTPS (port 443) if a
certificate is present.
To force the use of HTTPS, you will need to use the Command Line Interface (CLI), either through SSH or via
the Inline Script interface (recommended).
• Log in to https://<IP of EX Controller>/
• Navigate to the Management/Configuration Scripts/Execute tab.
• Copy-paste the following command:
o Web.HttpMode=Secure
• Click Execute.


Disabling TLS 1.0, 1.1 and insecure cipher suites


The MiVoice 5000 automatically sets the Web interface to TLS 1.2 and CS3. For SIP, the configuration is TLSv1 and
CS2 (for compatibility with older releases).
Since the EX Controller is designed to be integrated into various environments that may include legacy systems,
the factory defaults are set for maximum compatibility:
• The unit will always advertise the maximum TLS version it supports, TLS 1.2, but will accept
connections using TLS 1.1 or 1.0 if the peer does not support 1.2.
• The negotiated ciphers will always include the secure RSA with AES-CBC-SHA modes, but the unit will
also accept the weak DES-CBC3-SHA and RC4-128 ciphers if the peer only supports those.

The NIST and PCI DSS standards require use of TLS 1.2 and secure ciphers.
To force TLS 1.2 and the higher CS3 cipher suite, you will need to use the Command Line Interface (CLI),
either through SSH or via the Inline Script interface (recommended).
• Log in to https://<IP of EX Controller>/
• Navigate to the Management/Configuration Scripts/Execute tab.
• Copy-paste the following commands:
o Web.HttpsCipherSuite=CS3
o Web.HttpMode=Secure
o Web.TlsVersion=TLSv1_2
o SipEp.TransportTlsCipherSuite=CS3
• Click Execute.

This will disable TLS 1.0, TLS 1.1 and all ciphers but the most secure ones, for the HTTPS and SIP services.
Please refer to the following sections for more information on TLS versions and Cipher suites.


TLS versions
The MiVoice 5000 automatically sets the Web interface to TLS 1.2 and CS3. For SIP, the configuration is TLSv1 and
CS2 (for compatibility with older releases).
The following TLS settings are available on the EX Controller:
• TLSv1: Advertise TLS 1.2, but allow TLS versions 1.0 and up (default)
• TLSv1_1: Advertise TLS 1.2, but allow TLS versions 1.1 and up.
• TLSv1_2: Allow TLS versions 1.2 and up.
• SSLv3: Allow SSL version 3 and all TLS versions. Note: This parameter will be deprecated in firmware
version 46.0.
The device will always send its highest supported TLS version in the ClientHello message. The server will
select the highest supported TLS version it supports from the ClientHello message. The device will then
validate that the selected version is allowed. If the version is not allowed, the device will close the connection.

The TLS version is configurable per service with the following CLI commands:

Cert.TransferHttpsTlsVersion = "TLSv1_2"
Conf.ScriptsTransferTlsVersion = "TLSv1_2"
Conf.ImageTransferTlsVersion = "TLSv1_2"
Cwmp.TransportHttpsTlsVersion = "TLSv1_2"
File.TransferHttpsTlsVersion = "TLSv1_2"
Fpu.MfpTransferTlsVersion = "TLSv1_2"
Nlm.PCaptureTransferTlsVersion = "TLSv1_2"
SipEp.TransportTlsVersion = "TLSv1_2"
Web.TlsVersion = "TLSv1_2"
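A check to run after applying Web.TlsVersion, added here as an illustration and not part of Mitel's documentation or firmware: version_allowed models the floor each setting above imposes, and handshake_with offers one protocol version at a time to the device's HTTPS port (a Python ssl client; 192.0.2.10 is a placeholder address) so that any deviation from the configured floor shows up. The outbound transfer services listed above apply the same floor with the device acting as client, which this probe does not exercise.

```python
import socket
import ssl

# Protocol order; each TlsVersion setting in this guide names its own floor.
_ORDER = ["SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"]

def version_allowed(setting: str, negotiated: str) -> bool:
    """Model of the device-side check: the device offers TLS 1.2, the peer
    picks a version, and the device closes the connection if that version is
    below the configured floor ("SSLv3" accepts everything)."""
    return _ORDER.index(negotiated) >= _ORDER.index(setting)

# Versions the probe can offer; SSLv3 is omitted because current Python and
# OpenSSL builds cannot negotiate it at all.
_PY_VERSION = {"TLSv1": ssl.TLSVersion.TLSv1,
               "TLSv1_1": ssl.TLSVersion.TLSv1_1,
               "TLSv1_2": ssl.TLSVersion.TLSv1_2}

def handshake_with(host: str, port: int, name: str, timeout: float = 5.0) -> bool:
    """Offer exactly one protocol version to the HTTPS service and report
    whether the handshake completed. Certificate checks are off: the question
    is which versions the device accepts, not whether its certificate is
    trusted. Raises ValueError if the local OpenSSL cannot offer `name`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = _PY_VERSION[name]
    # OpenSSL 3 refuses to offer TLS 1.0/1.1 at its default security level;
    # lowering it here affects only this probe, never the device.
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False

def deviations(host: str, port: int, setting: str) -> list:
    """(version, accepted) pairs where the device did not behave as the
    configured setting predicts; an empty list means the floor is enforced."""
    found = []
    for name in _PY_VERSION:
        accepted = handshake_with(host, port, name)
        if accepted != version_allowed(setting, name):
            found.append((name, accepted))
    return found

if __name__ == "__main__":
    # 192.0.2.10 is a placeholder; use the EX Controller's management IP.
    print(deviations("192.0.2.10", 443, "TLSv1_2"))
```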

Cipher Suites
The MiVoice 5000 automatically sets the Web service to TLS 1.2 and CS3. For SIP, the configuration is TLSv1 and CS2 (for
compatibility with older releases). Only AES ciphers are used to connect to the MiVoice 5000.
The following Cipher Suites are available on the EX Controller:
• CS1 (default): most compatible set of ciphers, but contains weak DES and RC4
• CS2: contains additional Diffie-Hellman Ephemeral ciphers, does not contain insecure RC4, but still has
weak DES.
• CS3: contains only the most secure ciphers, including the recommended
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.

The Cipher suite is configurable per service with the following CLI commands:

Cert.TransferHttpsCipherSuite = "CS3"
Conf.ScriptsTransferCipherSuite = "CS3"
Conf.ImageTransferCipherSuite = "CS3"
Cwmp.TransportHttpsCipherSuite = "CS3"
File.TransferHttpsCipherSuite = "CS3"
Fpu.MfpTransferCipherSuite = "CS3"
Nlm.PCaptureTransferCipherSuite = "CS3"
SipEp.TransportTlsCipherSuite = "CS3"
Web.HttpsCipherSuite = "CS3"

Ciphers included in CS1


• TLS_DHE_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_DSS_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS_DHE_DSS_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_RC4_128_SHA
• TLS_RSA_WITH_RC4_128_MD5

Ciphers included in CS2


• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

Ciphers included in CS3


• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
• TLS_RSA_WITH_AES_256_GCM_SHA384
• TLS_RSA_WITH_AES_256_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
• TLS_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_128_CBC_SHA256
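An added audit over the three sets exactly as listed above (illustration only, not Mitel code): it splits each IANA suite name into key exchange, bulk cipher and MAC, and tags the properties the guide calls out (RC4, 3DES) plus two it does not mention, CBC mode and static RSA/ECDH key exchange without forward secrecy. The tag names are this example's own; they make the CS1 to CS3 progression visible and show which CS3 suites a peer can still pick without forward secrecy.

```python
import re

# The CS1, CS2 and CS3 sets exactly as listed in this guide.
CS1 = """TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5""".split()
CS2 = """TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA""".split()
CS3 = """TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256""".split()

# IANA names read TLS_<key exchange>_WITH_<bulk cipher>_<MAC or PRF hash>.
_NAME = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+?)_(?P<mac>SHA384|SHA256|SHA|MD5)$")

def weaknesses(suite: str) -> set:
    """Tags for one suite: 'rc4' and '3des' (the weak ciphers the guide
    names), 'cbc' (CBC mode), 'legacy-mac' (MD5 or HMAC-SHA1) and
    'no-pfs' (static RSA or static ECDH key exchange, no forward secrecy)."""
    m = _NAME.match(suite)
    if not m:
        raise ValueError(f"unrecognised suite name: {suite}")
    kx, cipher, mac = m.group("kx", "cipher", "mac")
    tags = set()
    if cipher.startswith("RC4"):
        tags.add("rc4")
    if cipher.startswith("3DES"):
        tags.add("3des")
    if cipher.endswith("_CBC"):
        tags.add("cbc")
    if mac in ("MD5", "SHA"):
        tags.add("legacy-mac")
    if not kx.startswith(("ECDHE_", "DHE_")):
        tags.add("no-pfs")
    return tags

def audit(suites) -> dict:
    """Number of suites in a set carrying each tag; an absent tag means none."""
    counts = {}
    for suite in suites:
        for tag in weaknesses(suite):
            counts[tag] = counts.get(tag, 0) + 1
    return counts
```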


Additional information
For more information on the different ciphers, please refer to the IANA assignment of TLS parameters web site:
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
Other useful sources of information on TLS ciphers include:
• https://csrc.nist.gov/Publications
• https://www.pcisecuritystandards.org/
• https://ciphersuite.info/
• https://www.openssl.org/docs/
• https://owasp.org/www-project-cheat-sheets/cheatsheets/TLS_Cipher_String_Cheat_Sheet

Configuring SSH
By default, SSH is enabled on port 22, with the Standard Security Level.
To change the SSH settings:
• Navigate to the Management/Misc tab.
• In the CLI configuration table you can change:
o SSH Enable or Disable
o SSH port
o SSH Security Level (see below).

The Standard security level allows a good compromise between security and interoperability. The weakest
encryption algorithms (CBC and 3DES) are excluded. The following are accepted:
• cipher: aes256-ctr, aes128-ctr
• mac: hmac-sha1, hmac-sha2-256
• key exchange: diffie-hellman-group14-sha1, diffie-hellman-group14-sha256, ecdh-sha2-nistp256,
ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256@libssh.org

The Most Secure security level allows only the strongest algorithms and may not work with some SSH clients:
• cipher: aes256-ctr
• mac: hmac-sha2-256
• key exchange: ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256@libssh.org

The Permissive security level allows all algorithms and should only be used for compatibility with old SSH
clients:
• cipher: aes256-ctr, aes256-cbc, aes128-ctr, aes128-cbc, 3des-ctr, 3des-cbc
• mac: hmac-sha1, hmac-sha2-256
• key exchange: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group14-sha256,
ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256


Securing the Virtual Machine


The EX Controller uses a virtual KVM environment to run:
• The exdeploy VM, which is installed in factory and contains the EX deployment tool which is used to pre-
configure the unit and install either MiVB or MiVoice 5000.
• After provisioning, the exdeploy VM is shut down and the new call manager VM is started.

By default, the Virtual Machines are accessible through the VNC protocol on ports 5900 (exdeploy) or 5901 (MIVB
and MiVoice 5000).
Once the configuration is completed, it is strongly recommended to disable VNC access. To do so:
• Navigate to the System/VM tab on the EX host.
• Change the Vnc Id of the call manager to -1.
• Click Apply.


Other security settings


Associating the Network Interface to the System Management Services
If you do not use the local firewall and want to restrict the management ports (SNMP, SSH, HTTP/HTTPS) to a
specific network interface:
• Navigate to the Management/Misc tab on the EX host.
• From the Network Interface selection list, select the Network Interface to which you wish to bind the system
management services.
o For MiVB/MiVoice 5000, the internal network is ExLan.
o For MX-One and others, the internal network is Lan1.
o For all call managers, the WAN is always Uplink.
• Click Apply.

Stopping or Disabling Services


If you want to stop or disable some of the management services (for example CWMP, Web, CLI or SNMP):
• Navigate to the System/Services tab on the EX host.
• In the User Service table, click next to the service you want to stop, and set the Startup Type to
Manual to prevent it from starting at bootup.
• Click Apply.

Important notes:
• Always leave SNMP enabled (V3) for MiVB and MiVoice 5000.
• If you disable both Web and CLI, you will not be able to configure your unit unless you perform a
factory reset.

Configuring 802.1x Authentication


To enable 802.1x authentication:
• Navigate to the Network/Interfaces tab and locate the Ethernet Link Configuration table.
• From the 802.1x Authentication field, select Enable for each Ethernet link requiring 802.1x Authentication.
• Enter the EAP username used to authenticate each Ethernet link interface during the IEEE 802.1x
EAP-TLS authentication process.
• From the EAP Certificate Validation field, choose the IEEE 802.1x level of validation used by the
device to authenticate the IEEE 802.1x EAP-TLS peer's certificate.
• In the EAP 802.1x Configuration table, select the IEEE 802.1x version.
• Click Apply.


Disabling Partial Reset


To disable the Partial Reset function of the unit, you will need to use the Command Line Interface (CLI), either
through SSH or via the Inline Script interface (recommended).
• Log in to https://<IP of EX Controller>/
• Navigate to the Management/Configuration Scripts/Execute tab.
• Copy-paste the following command:
o Hardware.ResetButtonManagement="DisablePartialReset"
• Click Execute.

Disabling DHCP Server Download


To ensure that a compromised DHCP server cannot be used to push a configuration file to the unit:
• Navigate to the Management/Configuration Scripts tab.
• In the Automatic Script Execution table, set Allow DHCP to Trigger Scripts Execution to Disable.
• Click Apply.


Disclaimer
THIS DOCUMENT IS PROVIDED “AS IS” AND WITHOUT WARRANTY. IN NO EVENT WILL MITEL NETWORKS
CORPORATION OR ITS AFFILIATES HAVE ANY LIABILITY WHATSOEVER ARISING FROM OR IN CONNECTION WITH THIS
DOCUMENT. You acknowledge and agree that you are solely responsible to comply with any and all laws and
regulations in association with your use of the Mitel EX Controller and/or other Mitel products and solutions
including without limitation, laws and regulations related to call recording and data privacy. The information
contained in this document is not, and should not be construed as, legal advice. Should further analysis or
explanation of the subject matter be required, please contact an attorney.
