Cybersecurity with Automated Certificate and Password Management for Surveillance

Similar documents
Changing default password of root user for idrac9 by using Dell EMC License Manager

Milestone Systems. Quick guide: Register software license codes on Milestone Customer Dashboard. Milestone Customer Dashboard

CyberArk Privileged Threat Analytics

Changing unique password of root user for idrac9 by using Dell EMC License Manager

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

ENTERPRISE HYBRID CLOUD 4.1.1

Dell EMC Ready Solution for VMware vcloud NFV 3.0 OpenStack Edition Platform

Dell EMC OpenManage Mobile. Version User s Guide (Android)

Dell EMC Ready System for VDI on XC Series

Dell EMC OpenManage Mobile. Version 3.0 User s Guide (Android)

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

Avaya Converged Platform 130 Series. idrac9 Best Practices

Partner Center: Secure application model

Milestone Systems XProtect Advanced VMS System Architecture. 1

ELIMINATE SECURITY BLIND SPOTS WITH THE VENAFI AGENT

Surveillance Dell EMC Storage with Digifort Enterprise

AKAMAI CLOUD SECURITY SOLUTIONS

Dell EMC OpenManage Mobile. Version User s Guide (ios)

IndigoVision. Control Center. Security Hardening Guide

Dell EMC Ready System for VDI on VxRail

Side-by-side comparison of the features of Dell EMC idrac9 and idrac8

Dell EMC Ready Architectures for VDI

Strong Security Elements for IoT Manufacturing

Office 365 Buyers Guide: Best Practices for Securing Office 365

Backup and Restore of the vcenter Server using the Avamar VMware Image Protection Solution

Securing Your Most Sensitive Data

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Veeam Cloud Connect. Version 8.0. Administrator Guide

Cloud Computing. Faculty of Information Systems. Duc.NHM. nhmduc.wordpress.com

Boot Mode Considerations: BIOS vs. UEFI

epldt Web Builder Security March 2017

Dell EMC Ready Architectures for VDI

Imperva Incapsula Website Security

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Dell EMC Ready Solution for VMware vcloud NFV 3.0 OpenStack Edition Platform

Ryan KS office thesee

CIP Security Pull Model from the Implementation Standpoint

IC32E - Pre-Instructional Survey

Introducing MVISION. Cohesive Cloud-based Management of Threat Countermeasures and Devices Leveraging Built-in Device Controls. Jon Parkes.

Surveillance Dell EMC Storage with Aimetis Symphony

Dell EMC Ready Solution for VMware vcloud NFV 3.0 OpenStack Edition Platform

Internet of Things Security standards

Dell EMC OpenManage Mobile Version 2.0 User s Guide (ios)

IT, Physical Security and IoT - Layers of Convergence

Privileged Account Security: A Balanced Approach to Securing Unix Environments

GFI product comparison: GFI LanGuard 12 vs Microsoft Windows Intune (February 2015 Release)

User Manual of MIP HikAssistant Plug-ins. MIP HikAssistant Plug-ins. User Manual

Product Brief. Circles of Trust.

PCI Compliance Updates

Dell EMC vsan Ready Nodes for VDI

PKI is Alive and Well: The Symantec Managed PKI Service

OpenManage Integration for VMware vcenter Version 4.2. Compatibility Matrix

Network Security Guide. Network Security Guide UD07965B

Full file at

Certified Solution for Milestone

Symantec Endpoint Protection Family Feature Comparison

Milestone Systems XProtect Professional 8.1. Getting Started Guide

Solutions to prevent IoT devices to be used for DDOS attacks. WISeKey General Business Use

Understanding idrac Quick Sync 2

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

Cyber Security for Process Control Systems ABB's view

IPM Secure Hardening Guidelines

Surveillance Dell EMC Storage in Physical Security Solutions with Axis NAS-Attached Cameras

The Common Controls Framework BY ADOBE

Securing Devices in the Internet of Things

Surveillance Dell EMC Storage with Bosch Video Recording Manager

Migration and Building of Data Centers in IBM SoftLayer

One Hospital s Cybersecurity Journey

DELL EMC VMAX UNISPHERE 360

Milestone Systems. XProtect Smart Client 2018 R1. Hardware acceleration guide

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Data Security at Smart Assessor

Cyber security tips and self-assessment for business

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

Surveillance Dell EMC Storage with Cisco Video Surveillance Manager

GSE/Belux Enterprise Systems Security Meeting

Kaspersky Managed Service Providers Program

Securing Network Devices with the IEC Standard What You Should Know. Vance Chen Product Manager

SYMANTEC DATA CENTER SECURITY

Vendor: CompTIA. Exam Code: Exam Name: CompTIA A+ Certification Exam (902) Version: Demo

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Comodo Certificate Manager

CLOUDIQ OVERVIEW. The Quick and Smart Method for Monitoring Unity Systems ABSTRACT

Surveillance Dell EMC Storage with Milestone XProtect Corporate

NexentaStor VVOL

SECURITY & PRIVACY DOCUMENTATION

Recommendations for Device Provisioning Security

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

CIS Controls Measures and Metrics for Version 7

Surveillance Dell EMC Storage with FLIR Latitude

Evidence.com 1.31 Release Notes

McAfee Network Security Platform Administration Course

Handling the Firmware Update Dependency by using Lifecycle Controller in the 14th generation Dell EMC PowerEdge servers

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

SafeNet Authentication Client

Data Breach Risk Scanning and Reporting

Google Identity Services for work

USING DEVICE LIFECYCLE MANAGEMENT TO FUTURE PROOF YOUR IOT DEPLOYMENT

Transcription:

Cybersecurity with Automated Certificate and Password Management for Surveillance October 2017 ABSTRACT This reference architecture guide describes the reference architecture of a validated solution to deploy and manage cybersecurity using automated certificate management for surveillance cameras. H15980.2 This document is not intended for audiences in China, Hong Kong, and Taiwan. REFERENCE ARCHITECTURE GUIDE

Copyright The information in this publication is provided as is. Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any software described in this publication requires an applicable software license. Copyright 2017 Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners. Published in the USA 09/17 H15980.2. Dell Inc. believes the information in this document is accurate as of its publication date. The information is subject to change without notice. 2 Cybersecurity with Automated Certificate and Password Management for Surveillance

Contents Contents Executive summary... 4 Solution architecture... 6 Key components... 9 Security requirements... 11 References... 12 Cybersecurity with Automated Certificate and Password Management for Surveillance 3

Executive summary Executive summary Business case Most video surveillance deployments lack sufficient cybersecurity measures, which makes them an attractive target to hackers who run distributed denial of service (DDoS) attacks. The Mirai botnet attack in October 2016 is a good example. Mirai is a type of malware that turns networked devices running Linux into remotely controlled "bots," or web robots. These bots can be used to flood a target host or resource with requests in an attempt to disrupt legitimate traffic. The 2016 attack took down or slowed well-known websites including Twitter, PayPal, Spotify, Reddit, and many others. Many viewed it as a test for potential future attacks that could threaten safety and cause significant financial impact to businesses. In the video surveillance marketplace, security has long been the responsibility of the end customer. However, businesses have recently begun demanding that system integrators, architects, consultants, and engineers address cybersecurity as part of the solutions that they design and deploy. Businesses need improved cybersecurity for surveillance cameras to help prevent third parties from gaining remote access to cameras and enabling them to launch DDoS attacks that expose businesses to potential future liability claims. X.509 certificates, which have been used for more than 20 years, are a well-known and trusted way of authenticating devices. Most IT environments use them in networked computers, servers, printers, and so on, to prevent third parties from compromising systems. The role of the X.509 certificate is to associate a public key with the identity that is contained in the certificate. Unfortunately, because of the cost and complexity, most companies do not provision cameras and video management software (VMS) servers with certificates when deploying video surveillance systems. One vulnerability that hackers use to gain access to remote devices is through default user names and passwords that are never changed. Despite efforts by manufactures to educate customers, many still do not take the time to create and deploy unique credentials. When they do, they often create one username and password for all cameras and do not update these credentials when an admin employee leaves. These unchanged credentials are an increasing cyber security risk that exposes companies and their networks to malicious attacks. Solution overview This solution enables customers to install a complete end-to-end video surveillance solution that automatically establishes a unique root of trust to securely authenticate Axis Communications IP cameras to Milestone Systems XProtect VMS. The solution uses products from Dell EMC OEM partners Device Authority and Seneca. These partner products specifically address the challenge of automating the deployment of certificates, authenticating them to the VMS, and creating a secure communications channel for all devices in the security surveillance fabric. 4 Cybersecurity with Automated Certificate and Password Management for Surveillance

Executive summary Key benefits Document purpose This solution provides the following key benefits: Simplicity Deploying x.509 certificates to manually provision cameras can take up to 3 minutes per camera for experienced technicians. This reference architecture automates the entire process and enables customers to deploy certificates to devices and systems in under 30 seconds. This task can be performed on all devices in parallel. Automated Admin Password Management eliminates the requirement for users to create and manage passwords across devices. Automated x.509 key and admin password rotation enhances the security. At times changing passwords across the devices when an employee leaves is a must. Security Device registration ensures that only trusted devices can enroll with the Device Authority KeyScaler TM platform and communicate with other trusted devices and servers in the ecosystem. This registration prevents unauthorized access to customer networks and ensures that only trusted devices can connect to the Axis cameras and the Milestone VMS. Scalability In addition to simplifying the security deployment, this solution provides extremely high scalability from 10 cameras or devices to 100,000 cameras or devices. Flexibility Device Authority provides increased automation and operational efficiencies by enabling customers to schedule the rotation of certificates, which increases the existing security posture. This document describes the reference architecture of a validated solution to deploy and manage cybersecurity using automated certificate and password management for surveillance cameras. We value your feedback Dell EMC and the authors of this document welcome your feedback on the solution and the solution documentation. Contact EMC.Solution.Feedback@emc.com with your comments. Authors: Ken Mills, John Holleran, John Pratt, Larry Mann Cybersecurity with Automated Certificate and Password Management for Surveillance 5

Solution architecture Solution architecture The Automated Certificate and Password management architecture provides rapid customer-centric certificate generation and provisioning for video surveillance systems, including automated certificate lifecycle management with revocation and renewal. KeyScaler enables hands-free bulk provisioning for large-scale deployments, and it removes the associated logistical challenges, enabling efficient deployment of video surveillance systems. On setting a Certificate and Password policy in Device Authority s control panel, the following steps show how to automatically provision certificates: 1. The Device Authority agent on the Axis camera connects to the KeyScaler server for secure device registration, as shown in Figure 1. Figure 1. KeyScaler connection diagram 2. The KeyScaler system automatically generates a certificate and connects to the certificate authority to request a signature, as shown in Figure 2. Figure 2. Signature request diagram 6 Cybersecurity with Automated Certificate and Password Management for Surveillance

Solution architecture 3. A unique certificate, signed by the certificate authority, is delivered to the camera and stored as an encrypted file on persistent storage, as shown in Figure 3. Default Passwords for the Root and user accounts are changed and managed per the policy. Figure 3. Camera certificate diagram 4. The Milestone XProtect system completes the same secure registration process with the KeyScaler server and receives its own unique certificate, as shown in Figure 4. Figure 4. Milestone registration diagram Cybersecurity with Automated Certificate and Password Management for Surveillance 7

Solution architecture 5. Seneca xconnect software monitors uptime and system health of all components within this reference architecture, as shown in Figure 5. Figure 5. Seneca xconnect monitor diagram 8 Cybersecurity with Automated Certificate and Password Management for Surveillance

Key components Key components Dell PowerEdge and Dell OpenManage Dell PowerEdge servers provide several levels of inherent security. A digitally signed BIOS ensures that disks, memory, and processors include digital signatures that disable compromised components and prevent malicious content. In addition to having a digitally signed BIOS, PowerEdge servers include digitally signed firmware and driver files, further ensuring that attackers cannot compromise systems during routine maintenance and upgrade cycles. Dell OpenManage Server Configuration Manager enables administrators to create a template of a server configuration and receive an alert when configuration drift causes changes to the hardware, BIOS settings, and RAID configurations. Configuration drift occurs when hardware and software configurations become different from a secondary or recovery configuration, which often causes disaster recovery and high-availability systems to fail. Dell OpenManage software provides robust performance monitoring and alerts to power or thermal events and drive failures. PowerEdge includes an integrated Dell Remote Access Controller (idrac), which provides external access to each server, with direct access to view performance, allow remote configuration, and deploy the OS. This capability significantly reduces the cost of support for integrators by reducing the need to send technicians to a customer environment to resolve issues. Seneca xconnect Seneca assists surveillance customers by completing many complex and time-consuming deployment tasks, such as creating RAID containers and automating the installation of the preferred VMS. This solution employs Seneca xconnect monitoring software to capture alerts for all solution components, including cameras, VMS, compute, and storage elements. xconnect will soon include remote monitoring capabilities that work with Dell Edge Gateway 5000 Series systems. It will provide local alerts in a decentralized solution, while also having centralized visibility by consolidating monitoring in a distributed architecture. Axis and Milestone both provide hardening guidelines that are specific to their products, including important steps that integrators and installers must take before they begin the deployment process. They can perform these steps on isolated networks to further minimize any infrastructure vulnerabilities that might exist. Axis also provides configuration utilities to assist in configuring Axis cameras. Device Authority KeyScaler The Device Authority KeyScaler security platform uses a unique device-centric trust anchor to securely register devices. When devices are registered, KeyScaler can provision, revoke, and renew certificates at scale. The process to deploy a certificate can take from 3 to 5 minutes per camera, making certificate management a complex and timeconsuming process, especially for large deployments. The KeyScaler platform automates this process, reducing the time from days to minutes and eliminates human error related security issues. While this process greatly reduces deployment times and costs, it also provides certificate rotation on a customer-definable schedule, such as daily, weekly, or monthly. Cybersecurity with Automated Certificate and Password Management for Surveillance 9

Key components The KeyScaler platform also has built-in, automated integrity checks that can detect suspicious devices and prevent them from participating in the ecosystem by revoking certificates and other credentials that are associated with potentially malicious devices. KeyScaler automatically quarantines new devices, preventing them from running malicious content. It scans all quarantined devices, deploying an agent and provisioning a certificate when the device is validated by unique identifiers that are configured in the system. If a device is quarantined, it stays quarantined and generates alerts to the system administrator. Axis Communications Milestone Systems Axis Intelligent Video, Audio, and Access Control solutions use the latest generation of Axis purpose build ARTPEC processors to enable robust onboard client and application programs via the Axis Camera Application Platform (ACAP) and Axis own open API called VAPIX. These platforms enable Axis Application Development and Technology Partner Program members to develop added functionalities and applications, which can then be installed on Axis network cameras and video encoders. Axis open architecture intelligent interface enables the highest level of smart technology including next generation cyber security. Milestone Systems is a global industry leader in open platform IP video management software, founded in 1998 and now operating as a stand-alone company in the Canon Group. Milestone technology is reliable, easy to manage, and proven in thousands of customer installations, providing flexible choices in network hardware and integrations with other systems. Sold through partners in more than 100 countries, Milestone video solutions help organizations to manage risks, protect people and assets, optimize processes and reduce costs. For more information, see: www.milestonesys.com. For news and viewpoints from the Milestone universe, go to http://news.milestonesys.com/ or follow @MilestoneSys on Twitter. 10 Cybersecurity with Automated Certificate and Password Management for Surveillance

Security requirements Security requirements The following requirements are necessary for security: Use unique and complex local-device user passwords for Secure Shell (SSH) remote access. Ensure that security events are logged and audited from all devices within the environment. Use a secure certificate authority as a source repository for keys for the camera and Milestone system to prevent cloning, spoofing, and man-in-the-middle attacks. Use the Device Authority platform to create a device-derived dynamic crypto key that is not stored on cameras or servers and is never passed over the network. This functionality helps to minimize security issues that are related to shared keys and also enhances operational efficiency. Configure Axis cameras on the isolated network according to the Axis Hardening Guide. Cybersecurity with Automated Certificate and Password Management for Surveillance 11

References References Dell documentation and downloads The following documentation on the Dell website provides additional and relevant information. Access to the Dell SalesEdge documents requires a login. If you do not have access to a document, contact your Dell EMC representative. Dell OpenManage documentation and downloads OpenManage Essentials (Dell TechCenter Systems Management wiki) OpenManage Essentials systems management software and download page OpenManage Mobile (Dell TechCenter Systems Management wiki) Dell OpenManage Mobile Android download page (Google Play) OpenManage Mobile download page (itunes Preview) Axis documentation Milestone documentation The following documentation on the Axis website provides additional and relevant information: Axis Hardening Guide The following documentation on the Milestone website provides additional and relevant information: Milestone Systems Hardening Guide 12 Cybersecurity with Automated Certificate and Password Management for Surveillance

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback