Table of Contents
Advertisement
8
en | Security precautions
3
Security precautions
PRAESENSA is an IP‑connected, networked Public Address and Voice Alarm system. In order
to ensure that the intended functions of the system are not compromised, special attention
and measures are required during installation and operation to avoid tampering of the system.
Many of such measures are provided in the PRAESENSA configuration manual and installation
manual, related to the products and the activities described. This section provides an
overview of precautions to be taken, related to network security and access to the system.
–
–
–
–
–
–
2021-05 | V1.00 |
Follow the installation instructions with respect to the location of equipment and the
permitted access levels. See section 4.1 of the PRAESENSA installation manual. Make
sure that critical* call stations and operator panels that are configured for alarm functions
only have restricted access using a special procedure, such as being mounted in an
enclosure with lockable door or by configuration of user authentication on the device**.
* Call stations, that address very large areas, are considered as critical.
** Availability of the user authentication function is to be announced.
It is highly recommended to operate PRAESENSA on its own dedicated network, not
mixed with other equipment for other purposes. Other equipment may be accessible by
unauthorized people, causing a security risk. This is especially true if the network is
connected to the Internet.
It is highly recommended that unused ports of network switches are locked or disabled to
avoid the possibility that equipment is connected that may compromise the system. This
is also the case for PRAESENSA call stations that are connected via a single network
cable. Make sure that the connector cover of the device is in place and properly fixed, to
avoid that the second network socket is accessible. Other PRAESENSA equipment should
be installed in an area that is only accessible by authorized people to avoid tampering.
PRAESENSA uses secure OMNEO for its network connections, using encryption and
authentication for all control and audio data exchange, but the system controller allows
the configuration of unsecure Dante or AES67 audio connections as an extension of the
system, both as inputs and as outputs. These Dante/AES67 connections are not
authenticated and not encrypted and form a security risk, as no precautions are taken
against malicious or accidental attacks via their network interfaces. For highest security,
these Dante/AES67 devices should not be used as part of the PRAESENSA system. If such
inputs or outputs need to be used, use unicast connections only. Only Dante devices
should be used that support Device Lock. Device Lock allows you to lock and unlock
supported Dante devices using a 4‑digit PIN (Personal Identification Number). Make sure
that the devices are locked when in normal operation. Dante Controller is needed to set
the PIN and setup the connections. Alternatively use Dante Domain Manager.
For security reasons, by default the PRA-ES8P2S Ethernet switch is not accessible from
the Internet. When the default (special link‑local) IP‑address is changed to an address
outside the link‑local range (169.254.x.x/16), then also the default (published) password
must be changed. But even for applications on a closed local network, for highest security
the password may still be changed. See section 14.5 of the PRAESENSA installation
manual.
The PRA-ES8P2S network switch supports SNMP. By convention, most SNMPv1‑v2c
equipment ships from the factory with a read-only community string set to "public". This
also applies to the PRA-ES8P2S. For security reasons SNMP should be disabled. If SNMP
must be enabled, for example to use the Bosch Network analysis tool OMN‑DOCENT, use
SNMPv3. SNMPv3 provides much better security with authentication and privacy. Select
the authentication level SHA and encryption via AES. To configure the switch accordingly,
see section 14.5 of the PRAESENSA installation manual.
Configuration manual
Advanced public address server
Bosch Security Systems, B.V.
- Quick Links:
- Installation Procedure
- Network Setup
- Pa Settings
Hide quick links:
Advertisement
Table of Contents
