Appendix: TANDBERG Director Videoconferencing System
Services
The different IP services on the TANDBERG codec (FTP, Telnet, HTTP, SNMP and H.323) can be
disabled to prevent access to the system. The command below enables or disables each service
independently:
services <telnet/ftp/http/h323/remote-software> <enable/disable>
For SNMP, the command ‘services <snmp> <read-only/enable/disable>’ also offers a read-only setting,
which makes it possible to read SNMP messages, in addition to enabling or disabling SNMP.
SNMP Security alert
This function will notify any Management Application (such as TMS - TANDBERG Management Suite)
if anyone tries to perform Remote Management on the TANDBERG Codec using an illegal password.
The Security alert that is sent to the Management Application will contain information about the IP
address and the service (WEB, Telnet, FTP) being used for the attempt.
If TMS is used, email notifications or alarms about the attempt can be sent to specified persons.
Encryption
All TANDBERG systems support both AES and DES encryption. By default this feature is enabled
such that when connecting with any other video system or MCU, a TANDBERG system will attempt
to establish a secure conference using AES or DES encryption. The TANDBERG system will attempt
this for both IP and ISDN connections. Where a remote system or MCU supports encryption, the
highest common encryption algorithm will be selected on a port by port basis.
The type and status of the encryption negotiated is indicated by padlock symbols and on-screen
messages. Encryption on the TANDBERG systems is fully automatic, and provides clear security status
indicators:
An open padlock indicates that encryption is being initialized, but the conference is not yet encrypted.
A single padlock indicates DES encryption.
A double padlock indicates AES encryption.
In addition to the on-screen indicators, the ‘Call Status’ menu provides two information fields regarding
call encryption. The first field is the ‘Encryption Code’, which will identify either ‘AES’ or ‘DES’. The
second field is the ‘Encryption Check Code’, which consists of an alphanumeric string. This string
will be the same for systems on either side of an encrypted conference. If the Check Codes do not
match, this would indicate that the call has been exposed to a ‘Man In The Middle’ attack.
When a TANDBERG codec with MultiSite functionality hosts a conference, the highest possible
encryption algorithm will be negotiated on a site by site basis. MultiSite conferences can therefore
support a mix of AES and DES encrypted endpoints in the same conference.
A conference will only be as secure as its ‘weakest link’. Even though conference participants may
have negotiated and be running AES encryption, if just one participant has negotiated DES
encryption, the AES system will display the single padlock symbol to advise all users of the lowest
encryption mechanism currently in effect.
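As an added illustration (not TANDBERG code and not a TANDBERG interface), the Python example below models the rules described above: the highest common algorithm is chosen per site, the conference shows the lowest level in effect, and differing Check Codes are flagged. The record layout, site names and Check Code values are constructed, and treating a site with no common algorithm as unencrypted is an assumption.

```python
# Added example: function names and the record layout are assumptions for illustration.
STRENGTH = {"DES": 1, "AES": 2}  # higher value = stronger algorithm
PADLOCK = {"DES": "single padlock", "AES": "double padlock"}

def negotiate(host_algs, remote_algs):
    """Return the highest algorithm both sides support, or None if they share none."""
    common = set(host_algs) & set(remote_algs)
    return max(common, key=STRENGTH.__getitem__) if common else None

def conference_level(site_algs):
    """Return the weakest algorithm in effect; None means a site is unencrypted."""
    if not site_algs or None in site_algs:
        return None
    return min(site_algs, key=STRENGTH.__getitem__)

def audit(host_algs, sites):
    """sites maps name -> (remote algorithms, local Check Code, remote Check Code)."""
    negotiated, findings = [], []
    for name, (remote_algs, local_code, remote_code) in sites.items():
        alg = negotiate(host_algs, remote_algs)
        negotiated.append(alg)
        if alg is None:
            findings.append((name, "no common algorithm, site is unencrypted"))
            continue
        if alg != "AES":
            findings.append((name, f"negotiated {alg}, lowers the whole conference"))
        # The Check Code is read from the Call Status menu on each side of the call.
        if local_code.strip() != remote_code.strip():
            findings.append((name, "Check Codes differ, possible man-in-the-middle"))
    return conference_level(negotiated), findings

# Constructed sample data: a MultiSite host supporting AES and DES, three remote sites.
SITES = {
    "site-a": (["AES", "DES"], "4F2A9C", "4F2A9C"),
    "site-b": (["DES"], "77B1E0", "77B1E0"),
    "site-c": (["AES", "DES"], "A1C3D5", "A1C3D6"),
}

if __name__ == "__main__":
    level, findings = audit(["AES", "DES"], SITES)
    print("Conference indicator:", PADLOCK.get(level, "not encrypted"))
    for name, reason in findings:
        print(f"{name}: {reason}")
```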
All TANDBERG endpoints supporting DES encryption can upgrade to AES encryption by applying
TANDBERG’s AES Encryption option. Please contact your TANDBERG representative for more
information.
The standards supporting the encryption mechanisms employed by TANDBERG are: AES, DES,
H.233, H.234 and H.235 with extended Diffie-Hellman key distribution via H.320, H.323 and Leased
Line connections.