Pexip Infinity Secure Mode Deployment Guide
Introduction
This guide contains instructions for deploying and using Pexip Infinity in a secure mode of operation.
For further information about the deployment instructions and configuration settings described in this guide, please see:
- Pexip Infinity Getting Started Guide
- Pexip Infinity Administrator Guide
Securing the host environment
The VMware host environment must be hardened before deploying Pexip Infinity. It is expected that the host server contains at
least two physical network interfaces and that management access to the ESXi host is restricted to a specific physical network and
that virtual machines (VMs) are connected to a separate physical network.
Instructions for performing VMware-specific hardening are described in the VMware ESXi Server 5.0 Security Technical
Implementation Guide which can be found at http://iase.disa.mil/stigs/Documents/u_ESXi5_Server_v1r5_stig.zip.
Management of the ESXi host can run out-of-band of the video conferencing network.
Reserving virtual machine resources
The resources allocated to each virtual machine must be reserved after it has been deployed. This ensures that each VM has
guaranteed access to the resources that it expects and is thus isolated from any other VMs on the host.
To do this, find the VM in the vSphere client and edit its settings. There are separate settings for CPU, Memory, and Disk hardware.
CPU resource limits
There are three CPU resource settings: Reservation, Limit, and Shares. These specify the guaranteed CPU resource for the VM, the
maximum CPU resource for the VM, and the weighting applied to the VM when sharing resources with its siblings.
© 2015 Pexip AS
Version 8.a January 2015
Page 1 of 9
These should be configured as follows:
Reservation
Select the menu entry labeled Maximum.
(The value associated with Maximum will then appear in the Reservation field.)
Limit
Select the menu entry labeled Minimum.
Shares
Select Normal.
These settings ensure that the VM is guaranteed access to all of its allocated CPU resource, with no ability to burst above this
resource allocation. Note that the MHz/GHz values for Reservation and Limit should thus be identical. As the resources are
guaranteed, no sharing is necessary, so a setting of Normal is appropriate.
Memory resource limits
There are three memory resource settings: Reservation, Limit, and Shares. These specify the guaranteed memory resource for the
VM, the maximum memory resource for the VM, and the weighting applied to the VM when sharing resources with its siblings.
These should be configured as follows:
Reservation
Select the Reserve all guest memory (All locked) check box.
Limit
Select the menu entry labeled Minimum.
Shares
Select Normal.
These settings ensure that the VM is guaranteed access to all its allocated memory resource, with no ability to burst above this
resource allocation. Note that the MB values for Reservation and Limit should thus be identical. As the resources are guaranteed,
no sharing is necessary, so a setting of Normal is appropriate.
Disk resource limits
There are two disk resource settings: Shares, and Limit - IOPs. These specify the weighting applied to the VM when sharing
resources with other VMs on the host, and the maximum number of IOPs the VM is permitted to consume. These should be
configured as follows:
Shares
Select Normal.
Limit - IOPs
Enter the appropriate number of IOPs for the Virtual Machine. The sum of all IOP limits for all VMs on the same
host must not exceed the capacity of the datastore.
These settings ensure that the VM is limited to its fair share of IOPs. As the sum of all IOP limits on the same host does not exceed
the host capabilities, sharing is not necessary, so a setting of Normal is appropriate.
BIOS configuration
The BIOS of each Virtual Machine must be configured and secured after deployment. This ensures that the system boots from the
correct devices and that this configuration cannot be modified by unauthorized personnel.
To do this:
1. Use the vSphere client to edit the configuration of the VM to force it to boot into the BIOS as soon as it is powered on. This is
usually found under VM Options > Boot Options as a configuration item named Force BIOS setup. This option should be
selected to force entry to the BIOS on the next boot.
2. Power on the Virtual Machine and open its console, which should contain the BIOS setup utility.
3. Configure the boot order:
a. Go to the Boot configuration page, and ensure that Hard Drive is the first entry.
b. Expand the Hard Drive device tree and ensure that VMware Virtual SCSI Hard Drive (0:0) is the first entry.
4. Configure the BIOS security:
a. Go to the Security configuration page.
b. Configure a Supervisor password to prevent unauthorized modification of the BIOS configuration.
5. Save and exit.
a. Go to the Exit configuration page.
b. Select the Exit Saving Changes option.
Pexip Infinity Management Node deployment and bootstrap configuration
This section describes the steps needed to deploy the Pexip Infinity Management Node into the secure environment described
above.
1. Use the vSphere client to deploy the Management Node OVA onto the selected ESXi host system.
See Pexip Infinity Getting Started Guide for full instructions on how to do this.
The VLAN ID used for the Management Node must not conflict with existing reserved VLAN IDs and must not use VLAN ID 4095
(which is reserved for virtual guest tagging), as the system will be locked down according to the VMware ESXi Server Security
Technical Implementation Guide.
2. Log in to the Management Node console as the admin user. A password for this user must be set.
3. Enter the admin user password to permit the installation wizard to start.
4. Complete the installation wizard as described in Pexip Infinity Getting Started Guide, ensuring that:
   - Enable incident reporting is set to no.
   - Send deployment and usage statistics to Pexip is set to no.
On completion, the installation wizard will reboot the system.
5. Use a web browser to connect to the Management Node web interface and ensure that you can log in using the credentials
configured in the installation wizard.
6. Log in to the Management Node console as the admin user. Issue the following command:
$ securitywizard
7. Enter the admin user password to permit the security wizard to start.
8. Complete the security wizard, providing answers as described below:
Setting | Value
Enable FIPS 140-2 compliance mode | YES
Disable system administrator account (this applies to SSH and console access) | YES
Accept ICMPv6 redirects | NO
Drop incoming packets to closed ports rather than reject | YES
Accept multicast ICMPv6 echo requests | NO
Enable IPv6 Duplicate Address Detection | NO
SIP UDP listen port * | 5060
SIP TCP listen port * | 5060
SIP TLS listen port * | 5061
Active management web sessions * | 100
Active per-user management web sessions * | 10
Enable SSL 3.0 | NO
* The SIP listen ports and web session limits may be customized for the target environment, as appropriate.
On completion, the security wizard will reboot the system. After the system has rebooted, no OS-level user access will be
available on the system and it cannot be re-enabled.
Pexip Infinity Conferencing Node deployment
When deploying Conferencing Nodes, note that:
- Before deploying any Conferencing Nodes, you must complete the Management Node deployment and bootstrap configuration.
- As the host system will be locked down according to the VMware ESXi Server Security Technical Implementation Guide:
  - All Conferencing Nodes should be deployed manually (see 'Manually deploying a Conferencing Node on an ESXi host' in
    Pexip Infinity Administrator Guide).
  - The VLAN ID used for the Conferencing Node must not conflict with existing reserved VLAN IDs and must not use VLAN ID
    4095 (which is reserved for virtual guest tagging).
Pexip Infinity application configuration
This section describes the application-specific configuration required for Pexip Infinity to operate in a secure environment.
This configuration is performed using a web browser to access the Management Node web interface. Log in to the web interface
using the credentials configured earlier in the installation wizard.
More information about all of these settings can be found in Pexip Infinity Administrator Guide.
TLS certificates
This section describes the process for bootstrapping the PKI environment.
Management Node and Conferencing Node server certificates
The Pexip Infinity platform ships with default self-signed server certificates for the Management Node and each Conferencing Node.
Because these certificates are self-signed, they will not be trusted by clients. Therefore you must replace these certificates with
your own certificates that have been signed by a trusted certificate authority.
Creating a certificate signing request (CSR)
To acquire a server certificate from a Certificate Authority (CA), a certificate signing request (CSR) has to be created and submitted
to the CA. One common way of creating a CSR is through the OpenSSL toolkit (http://www.openssl.org ), available for Windows,
Mac and Linux.
After installation, the following example openssl command and input can be used to create a CSR for Conferencing Node
sip.example.com (user input is shown after each prompt):
openssl req -out sip.example.com.csr -new -newkey rsa:2048 -nodes -keyout sip.example.com.key
Country Name (2 letter code) [AU]:NO
State or Province Name (full name) [Some-State]:Oslo
Locality Name (eg, city) []:Oslo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Pexip
Organizational Unit Name (eg, section) []:Pexip
Common Name (e.g. server FQDN or YOUR name) []:sip.example.com
Email Address []:
The above command and input will create two files, sip.example.com.csr and sip.example.com.key. The .csr file is the actual CSR,
while the .key file is the certificate private key. The private key should be kept secret, while the CSR file contents should be
submitted to the CA for signing. After the CA has signed the CSR, the certificate will be ready for uploading.
Note that the openssl command will vary depending on which operating system you are using.
In deployments that do not use DNS resolution, the Common Name should contain the IP address of the Conferencing Node instead
of an FQDN.
Uploading a certificate to a Pexip node
To upload a new TLS certificate for the Management Node or a Conferencing Node:
1. From the Pexip Infinity web interface, go to Platform configuration > TLS certificates.
2. For the selected Management Node or Conferencing Node, select Upload certificate.
You will be taken to the Upload certificate page.
3. From the Certificate file section, select Choose File and select the file containing the new TLS certificate.
This file must be a text file in PEM format and must be valid for the hostname or FQDN of the Management Node or
Conferencing Node to which it relates. Certificate files will typically have a .CRT or .PEM extension.
4. From the Private Key file section, select Choose File and select the file containing the private key for the certificate.
This file must be a text file in PEM format. Private key files typically have a .KEY or .PEM extension.
5. Select Save.
Trusted CA certificates
You must also upload the trusted Certificate Authority (CA) certificates for the secure environment. This must include any required
chain of intermediate certificates for the CA that signed the server certificates. Note that the default set of trusted CA certificates
that ship with Pexip Infinity are not used when FIPS 140-2 compliance mode is enabled.
To upload a new file of trusted CA certificates:
1. From the Pexip Infinity web interface, go to Platform configuration > TLS certificates.
2. We recommend that you download and save the existing certificate file.
If you want to preserve the CA certificates contained in the existing certificate file, you must first download it and append the
contents to the new file you are about to upload.
3. Select Upload trusted CA certificates.
You will be taken to the Upload trusted CA certificates page.
4. Select Choose File and select the file containing the new TLS certificates, in PEM format.
5. Select Save.
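The following script is an added example; it is not part of the Pexip guide or of the product. It covers the two procedures above: creating the CSR non-interactively, with a subjectAltName that carries both the FQDN and the IP address (so the same certificate suits deployments with or without DNS resolution), and checking the certificate, private key and trusted CA file before they are uploaded. Because no real CA is reachable offline, it constructs a throwaway root and intermediate CA to play the CA's part; sip.example.com, 192.0.2.10 and all file names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Pexip guide: create a CSR whose subjectAltName covers
# both the node FQDN and its IP address, sign it with a throwaway lab CA constructed
# here (standing in for the organisation's PKI, with one intermediate), then run the
# checks worth doing before uploading the server certificate and the trusted CA file.
# sip.example.com, 192.0.2.10 and all file paths are assumptions for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
NODE_FQDN="${NODE_FQDN:-sip.example.com}"
NODE_IP="${NODE_IP:-192.0.2.10}"   # constructed value from the documentation range

# Non-interactive equivalent of the prompted DN in the guide, plus a SAN extension.
write_node_cnf() {
    cat > "$WORK/node.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = node_ext
prompt = no
[dn]
C = NO
ST = Oslo
L = Oslo
O = Pexip
OU = Pexip
CN = $NODE_FQDN
[node_ext]
subjectAltName = DNS:$NODE_FQDN, IP:$NODE_IP
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
}

# Key and CSR for the node; the CSR's self-signature is checked before it goes anywhere.
make_csr() {
    write_node_cnf
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/node.cnf" \
        -keyout "$WORK/$NODE_FQDN.key" -out "$WORK/$NODE_FQDN.csr" 2>/dev/null
    openssl req -in "$WORK/$NODE_FQDN.csr" -noout -verify >/dev/null 2>&1
}

# Lab root and intermediate CA (constructed here; a real deployment submits the CSR
# to its own CA and receives the certificate plus the intermediate chain back).
make_lab_ca() {
    cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Lab Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$WORK/ca.cnf" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=Lab Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/ca.cnf" -extensions ca_ext \
        -out "$WORK/int.crt" 2>/dev/null
    # The file to upload under "Upload trusted CA certificates": intermediate and root.
    cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/trusted-ca.pem"
}

# Sign the node CSR with the intermediate. openssl x509 -req does not carry the SAN
# over from the CSR by default, so the extension section is supplied explicitly.
sign_node_cert() {
    openssl x509 -req -in "$WORK/$NODE_FQDN.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 2 -extfile "$WORK/node.cnf" -extensions node_ext \
        -out "$WORK/$NODE_FQDN.crt" 2>/dev/null
}

# Check 1: the private key file and the certificate file belong together.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/$NODE_FQDN.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$WORK/$NODE_FQDN.crt" -noout -pubkey 2>/dev/null)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Check 2: the certificate chains to the given trust file and is valid for the
# hostname and IP the node will be reached on. Returns 0 on success, 1 otherwise.
chain_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$NODE_FQDN" -verify_ip "$NODE_IP" \
        "$WORK/$NODE_FQDN.crt" >/dev/null 2>&1
}

run_demo() {
    make_csr
    make_lab_ca
    sign_node_cert
    echo "key/cert: $(key_matches_cert)"
    if chain_ok "$WORK/trusted-ca.pem"; then echo "chain with intermediate: OK"; fi
    # Root alone is not enough: the intermediate must be in the trusted CA file.
    if ! chain_ok "$WORK/root.crt"; then echo "root only: FAIL (missing intermediate)"; fi
}

run_demo
```

Run it as-is to see the checks pass; the final check deliberately verifies against the root alone, which fails, to show why the intermediate certificates must be appended to the trusted CA file described above.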
IPv6 (optional)
If required, configure the IPv6 address and IPv6 gateway addresses of the Management Node and each Conferencing Node.
To configure these addresses:
- Go to Platform configuration > Management Node and click on the name of the Management Node.
- Go to Platform configuration > Conferencing Nodes and click on the name of the Conferencing Node.
Global settings
Go to Platform configuration > Global settings and review — and modify where required — the following settings:
Setting | Action
Media port range start and end | Verify the range of ports (UDP and TCP) that all Conferencing Nodes are to use for media.
Signaling port range start and end | Verify the range of ports (UDP and TCP) that all Conferencing Nodes are to use for signaling.
OCSP state and OCSP responder URL | Set this to Override and specify the OCSP responder URL to which OCSP requests will be sent.
Enable support for Pexip Infinity Connect and Mobile App | Disable support for these applications.
Enable H.323, Enable WebRTC, Enable RTMP | Disable these protocols (leave SIP enabled).
Enable outbound calls | Disable this option.
Enable SSH | Disable this option.
SIP TLS certificate verification mode | Set this to On.
DSCP value for management traffic | Set a DSCP value for management traffic sent from the Management Node and Conferencing Nodes. We recommend a value of 16.
Enable HTTP access for external systems | Ensure that this option is disabled.
Login banner text | Configure this field with some appropriate text for your deployment.
Management web interface session timeout | Set this to 10 minutes or other timeout value suitable for your deployment.
Configure user accounts and authentication settings
You must configure the Pexip Infinity platform to authenticate and authorize login accounts via a centrally managed LDAP-accessible
server.
Account roles
1. Go to System configuration > Account roles.
2. Select the existing Read-only role and remove the following permissions:
   - May view logs
   - May generate system snapshot
3. Select the existing Read-write role and remove the following permissions:
   - May view logs
   - May generate system snapshot
4. Create an Auditor role:
   a. Select Add role.
   b. Specify a Name of "Auditor".
   c. Assign the following permissions to the role:
      - Is an administrator
      - May use web interface
      - May use API
      - May view logs
      - May generate system snapshot
   d. Save the role.
LDAP server connection details
You must configure the details of the LDAP-accessible server and, initially, set the system to authenticate both locally and against
the LDAP database:
1. Go to System configuration > User authentication.
2. Set the Authentication source to LDAP database and local database.
3. In the LDAP configuration section, specify the connection details for the LDAP-accessible server.
4. Save the settings.
LDAP group to role mapping
LDAP roles are used to map the LDAP groups associated with LDAP user records to the Pexip Infinity account roles. You must
configure a separate LDAP role for each LDAP group for which you want to map one or more Pexip Infinity account roles.
1. Go to System configuration > LDAP roles.
2. Select Add LDAP role.
3. Configure the role:
Option | Description
Name | Enter a descriptive name for the role.
LDAP group DN | Select the LDAP group against which you want to map one or more account roles. The list of LDAP groups is only populated when there is an active connection to an LDAP server (System configuration > User authentication).
Roles | Select from the list of Available roles the account roles to associate with the LDAP group and then use the right arrow to move the selected roles into the Chosen Roles list.
4. Save the role.
5. Configure as many LDAP roles as required, ensuring that every account role is mapped to at least one LDAP group.
Enable certificate-based authentication
This configuration requires administrators to log in to the Pexip Infinity web interface by presenting (via their browser) a client
certificate containing their user identification details.
1. Install suitable client certificates into the certificate stores of the browsers to be used by the Pexip Infinity administrators. The
identities contained in the certificates must exist in the LDAP database.
2. Go to System configuration > User authentication.
3. Set Require client certificate to one of the Required options as appropriate for your installation:
   - Required (user identity in subject CN): users identify themselves via the identity contained in the subject CN (common name)
     of the client certificate presented by their browser.
   - Required (user identity in subjectAltName userPrincipalName): users identify themselves via the identity contained in the
     subjectAltName userPrincipalName attribute of the client certificate presented by their browser.
4. Save the settings.
When a client certificate is required, the standard login screen is no longer presented. Administrators will not be able to
access the Pexip Infinity web interface if their browser does not present a valid certificate that contains a user identity which
exists in the selected Authentication source.
Disable local authentication
Complete the authentication configuration by disabling the local authentication source:
1. Log in to the Pexip Infinity web interface (via certificate-based authentication).
2. Go to System configuration > User authentication.
3. Set the Authentication source to LDAP database.
4. Save the settings.
All authentication is now performed against the LDAP server and no local account information is used.
Note that the "SSH password" is never used, as SSH access is disabled.
Securing network services
DNS servers
Configure at least two DNS servers (System configuration > DNS servers).
NTP servers
Configure at least two NTP servers (System configuration > NTP servers).
The configuration for each NTP server must include key authentication credentials.
Remote syslog servers
Configure at least one remote syslog server (System configuration > Syslog servers).
SNMP
Configure the Management Node and each Conferencing Node to use secure SNMPv3:
1. Go to Platform configuration > Management Node and click on the name of the Management Node.
2. Set SNMP mode to SNMPv3 read-only.
3. Configure the SNMPv3 credentials (SNMPv3 username, privacy password and authentication password) for this SNMP agent
to match those used in requests from the SNMP management station.
4. Change the SNMP community to something other than "public".
5. Save the SNMP settings for the Management Node.
6. Apply the same configuration settings to each Conferencing Node (go to Platform configuration > Conferencing Nodes and
click on the name of each Conferencing Node in turn).
Secure SNMPv3 read-only mode uses SHA1 authentication and AES 128-bit encryption.
Location DSCP tags and MTU
Configure DSCP tags for signaling and media, and set the MTU size for each location:
1. Go to System configuration > Locations.
2. Select the first location.
3. Configure the DSCP tags. We recommend:
   - DSCP value for media is set to 51.
   - DSCP value for signaling is set to 40.
4. Configure the MTU. We recommend a value of 1400 bytes to account for the overhead associated with the encryption headers.
5. Save the settings.
6. Repeat for every other location.
Contingency deployment
We recommend that you maintain a secondary deployment that you can switch to in the event that your primary deployment fails
or is compromised.
This fallback system should mimic the primary installation with the following exceptions:
- In addition to supporting authentication and authorization via LDAP, in case connectivity to the LDAP server is down it should
  also maintain the local admin account and should not use certificate-based authentication:
  a. Go to System configuration > User authentication.
  b. Set Authentication source to LDAP database and local database.
  c. Set Require client certificate to Not required.
  d. Save the settings.
- It should be deployed without licensing.
After the fallback system has been configured, all VMs should be completely powered off and remain off until required.
If the primary deployment is compromised and must be torn down, you should contact your Pexip support representative to return
the original license key and then re-activate the same license on the fallback system after it has been brought up.