Cybersecurity (Zenitel Connect Pro)

From Zenitel Wiki

Revision as of 17:08, 22 October 2024 by Asle

Introduction

Cybersecurity is one of the main design criteria for Zenitel Connect Pro. For this reason, all requests to Zenitel Connect Pro are authorized and authenticated.

Users and roles

There are a number of distinct user roles, each with their own set of permissions:

  • Administrator
  • Device and Feature Configuration
  • Zenitel Link

There is one default user, which has administrator rights. It is advisable to change the password of this user immediately after the system has been powered on for the first time; see User management.

Device password

As soon as Zenitel devices (and the OEM devices ITSV-2/3/4/5) are assigned to the Zenitel Connect Pro server, they get a new password. The password is automatically generated by the server. This mechanism greatly reduces the attack surface of the system.

As the configuration of the devices is done through Zenitel Connect Pro, there is normally no need to know the password of the devices.

However, there is an option to reveal the device password to a Zenitel Connect Pro user with administrator rights. In the device configuration screen, click on the eye icon. A dialog will pop up requesting the password of the administrator who is logged in. Once it is entered, the device password is revealed. Within a 10-minute period, other device passwords can be made visible without the need to enter the administrator password again.

Figure: Device password requires Administrator user rights to reveal


WAMP certificates

Native Zenitel devices have 2 protocol connections to Zenitel Connect Pro:

  • SIP
  • WAMP

WAMP is used for device configuration and operational requirements which cannot be served through SIP. During enrollment, further data communication between the device and Zenitel Connect Pro is set up using a certificate for authentication and authorization.

Zenitel Link

Encryption

Although it is possible to have the data on Zenitel Link unencrypted (ports 80 and 8087), this is only intended for use during development of an integration. A deployed system should use ports 443 and 8086 and encrypt the data.

Authentication and authorization

Zenitel Link requires authentication and authorization. An API is available to log in, which returns a token. This token must then be part of every request that is sent to Zenitel Connect Pro.

HTTPS certificates

The Zenitel web GUI is accessible via both HTTP and HTTPS. Customers can upload their own certificates to Zenitel Connect, which enables smooth operation via HTTPS. Optionally, port 80 can then be blocked in the firewall.

Firewall

The firewall supports input rules. Rules can filter on protocols, destination ports, source addresses and network ports. Adding source addresses to a firewall rule provides an additional layer of security and should ideally be done for every rule.
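
The guidance in the Encryption and Firewall sections can be checked mechanically against a rule set. The following is an added example, not Zenitel code: the rule dictionary format (name, protocol, dport, sources) is a hypothetical representation, and the sample rules are constructed. It flags rules that admit the plaintext ports 80 and 8087, rules with no effective source address restriction, and a rule set that does not admit the encrypted ports 443 and 8086.

```python
import ipaddress

# Ports named on this page: the plaintext ones (development only) and the
# encrypted ones a deployed system should use.
PLAINTEXT_PORTS = {80, 8087}
ENCRYPTED_PORTS = {443, 8086}


def is_unrestricted(sources):
    """True when a rule has no source filter, or one that matches every address."""
    if not sources:
        return True
    return any(ipaddress.ip_network(s, strict=False).prefixlen == 0 for s in sources)


def audit_rules(rules):
    """Return (rule name, finding) pairs for a list of input rules.

    Each rule is a dict with hypothetical keys: name, protocol, dport, sources.
    """
    findings = []
    allowed_tcp = set()
    for rule in rules:
        if rule["protocol"] == "tcp":
            allowed_tcp.add(rule["dport"])
            if rule["dport"] in PLAINTEXT_PORTS:
                findings.append((rule["name"], "plaintext port %d allowed" % rule["dport"]))
        if is_unrestricted(rule.get("sources")):
            findings.append((rule["name"], "no source address restriction"))
    # A deployed system is expected to reach the server on the encrypted ports.
    for port in sorted(ENCRYPTED_PORTS - allowed_tcp):
        findings.append(("(ruleset)", "encrypted port %d not allowed" % port))
    return findings


# Constructed sample rule set (not exported from a real system).
SAMPLE_RULES = [
    {"name": "web-gui-https", "protocol": "tcp", "dport": 443, "sources": ["10.20.0.0/24"]},
    {"name": "web-gui-http", "protocol": "tcp", "dport": 80, "sources": []},
    {"name": "link-dev", "protocol": "tcp", "dport": 8087, "sources": ["0.0.0.0/0"]},
    {"name": "sip", "protocol": "udp", "dport": 5060, "sources": ["10.20.0.0/16"]},
]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```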