Secure Deployment Checklist

A Secure Deployment Checklist

The following security checklist includes guidelines that help secure your system

Do NOT connect your system to any untrusted networks, especially the Internet, until all protections have been configured. Customers have reported systems under configuration compromised in minutes due to incomplete configurations.
Harden the management environment.
1. Install HA connections between units over a direct cable vs. a network.
2. Make sure all equipment is in locked cabinets or at least in a secure room.
3. Configure console timeouts.
4. Ensure that the wancom0 management port is connected to a private management LAN with an IP address that is not Internet routable.
5. Set strong passwords for all default accounts prior to configuration.
6. Disable telnet and FTP if they are enabled.
7. Configure system ACLs to limit management traffic to users that really need access.
8. If implementing SNMP, change the default community string and follow the SNMP configuration recommendations in Appendix H:
9. Use strong ciphers for HTTPS web management connection.
Practice the principle of least privilege.
1. Carefully consider who has access to the admin password.
2. Implement RADIUS or TACACS+ authentication if available.
Restrict network access.
1. Use services ACLs where possible.
2. Refrain from configuring host-in-path addresses.
3. Ensure that users coming from an untrusted network have to register prior to providing service.
4. Implement DoS and CAC protections.
5. Mitigate known fraud schemes by implementing sipShield or HMRs.
6. Use strong ciphers for any TLS connections.
7. Enable OCSP and mutual authentication if possible for TLS connections.
Monitor the system for unusual events.
1. Configure the SNMP trap receiver and syslog receiver.
2. Send either CDRs or RADIUS accounting records to a fraud management system or implement a solution that can actively monitor SIP signaling.