TE30 Videoconferencing Endpoint V600R006C10 Product Description

Describes the features, network, and technical specifications of the TE30 videoconferencing endpoint.
Security

The endpoint provides a variety of security features, including system layer security, network layer security, firewall technology (NAT), secure public-private network traversal, network diagnostics, web request authentication, protocol anti-attack measures, protection of sensitive data, and system management and maintenance security.

System Layer Security

Security maintenance at the system layer ensures that the operating system runs smoothly and that services at the application layer remain stable. The endpoint runs Linux, which is more secure and immune to viruses than Windows.

Network Layer Security

The on-premises, IMS hosted, and SP hosted networks implement different network layer security policies.

  • On-premises network:
    • The endpoint, SMC2.0, and MCU are deployed in the trusted zone, isolated from the Demilitarized Zone (DMZ) and the untrusted zone. Firewalls are deployed for security domain division and access control.
    • Terminals (such as TE Desktop and TE Mobile) in the untrusted zone communicate with network elements (NEs) in the trusted zone through the Session Border Controller (SBC) or Switch Center (SC) in the DMZ.
  • IMS hosted and SP hosted networks:
    • The endpoint is deployed in the untrusted zone, isolated from the DMZ and the trusted zone through the SBC or the extranet firewall.
    • If the DMZ is deployed, install the SBC, SC, USM Proxy, and MediaX Proxy in the DMZ for endpoint connections.
    • If no DMZ is deployed, the endpoint connects to the trusted zone through the SBC. The USM Proxy and MediaX Proxy are not required.
    • On network borders between the DMZ and the trusted and untrusted zones, firewalls are deployed to implement security domain division and access control.

Firewall Technology (NAT)

The firewall protects the IP network by separating internal and external network traffic. Using Network Address Translation (NAT) and translating signaling between the public and private address spaces, the firewall enables sites on local area networks (LANs) at different locations to communicate through video conferences. With NAT, a device on a LAN is allocated a dedicated internal IP address that uniquely identifies it on the LAN, and it uses an external IP address to communicate with devices outside the LAN. Through NAT mapping, multiple internal IP addresses are mapped to one external IP address. NAT mapping not only reduces the number of public IP addresses needed for users on a private network to access the Internet, but also enhances the security of the private network by keeping its internal addresses hidden from the outside.

Secure Public-Private Network Traversal

The standard H.460 and SIP Interactive Connectivity Establishment (ICE) technologies and the proprietary Super Network Passport (SNP) firewall traversal technology are used to set up secure connections through firewalls, either between the public and private networks or between different private networks.

Network Diagnostics

To ensure high audio and video quality, you can use the diagnostic tool released with the endpoint software to check network performance, including:
  • Connectivity
  • Route information
  • Bandwidth
  • Whether required ports are blocked by firewalls and whether the destination ports are enabled
  • Network quality indicators, including QoS, latency, jitter, packet loss rate, and out-of-order rate
  • NAT device type
  • Whether the changes that the application layer gateway (ALG) has made to H.323 and SIP messages are correct

To start network diagnostics, connect the diagnostic tool to the endpoint. Setting up the connection requires a user name and password, which are encrypted before being transmitted to the endpoint.

Web Request Authentication

  • When a user requests access to a specified web page or submits a servlet request, the endpoint checks whether the user's session identifier is valid and whether the user is authorized to perform the operation.
  • The server performs the final authentication of the user.
  • Before transmitting user-generated data to clients, the server validates the data and encodes it as HyperText Markup Language (HTML) text to prevent malicious code injection and cross-site scripting (XSS) attacks.
  • Web security software is used to scan the web server and applications to ensure that there are no high-risk vulnerabilities.
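The following is an added example, not code from the Huawei document or the TE30 firmware, that models the three checks the list above describes: the session identifier is validated first, the user's authorization for the requested operation is checked second, and user-generated data is HTML-encoded before it is returned to a client. The session lifetime, the role names and the permission table are assumptions made for the illustration.

```python
"""Added example (not taken from the Huawei document or the TE30 firmware):
a minimal model of the web request checks described above. Session ids,
roles and the permission table are constructed for illustration."""
import hmac
import html
import secrets
import time

SESSION_TTL_SECONDS = 1800          # assumed lifetime of a session identifier
_sessions = {}                      # session id -> (user, role, expiry timestamp)

# Constructed authorization table: which roles may perform which operations.
PERMISSIONS = {
    "admin": {"view_status", "change_config", "view_logs"},
    "user": {"view_status"},
}


def create_session(user, role, now=None):
    """Issue a random, unguessable session identifier after a successful login."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = (user, role, now + SESSION_TTL_SECONDS)
    return sid


def lookup_session(sid, now=None):
    """Return (user, role) for a valid, unexpired session id, otherwise None.
    The comparison is constant-time so an id cannot be guessed byte by byte."""
    now = time.time() if now is None else now
    for stored_sid, (user, role, expires) in list(_sessions.items()):
        if hmac.compare_digest(stored_sid, sid):
            if now > expires:
                del _sessions[stored_sid]       # expired: drop it and reject
                return None
            return user, role
    return None


def authorize_request(sid, operation, now=None):
    """Check the session identifier first, then whether the user may perform
    the requested operation. Returns (HTTP status code, reason)."""
    if not sid:
        return 401, "missing session identifier"
    session = lookup_session(sid, now)
    if session is None:
        return 401, "invalid or expired session identifier"
    user, role = session
    if operation not in PERMISSIONS.get(role, set()):
        return 403, f"{user} ({role}) is not authorized for {operation}"
    return 200, "ok"


def render_user_data(value):
    """HTML-encode user-generated data before it is sent back to a client, so
    the browser displays it as text instead of interpreting it as markup."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    sid = create_session("alice", "user")
    print(authorize_request(sid, "view_status"))      # (200, 'ok')
    print(authorize_request(sid, "change_config"))    # (403, ...)
    print(render_user_data('<b>hello</b> & "quotes"'))
```

The order of the checks matters: a request with a missing or expired session identifier is rejected before any authorization lookup takes place, and the encoding step is applied to every user-supplied value regardless of which user submitted it.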

Protocol Anti-Attack Measures

  • The communication matrix is provided in the product documentation. Do not enable the services and ports that are not mentioned in the communication matrix.

    The communication port matrix contains the following information: the open ports, the transport layer protocols they use, the network elements (NEs) that communicate with peer NEs through them, the application layer protocols used and a description of the application layer services, whether each application layer service can be disabled, the authentication mode adopted by each port, and each port's function (such as data traffic control).

  • The endpoint utilizes multiple encryption measures, including H.235 (for encryption of media and signaling streams), Secure Real-time Transport Protocol (SRTP), Transport Layer Security (TLS), and Hypertext Transfer Protocol Secure (HTTPS), to ensure secure and stable running of the videoconferencing system.
  • For network management, the endpoint supports the Simple Network Management Protocol v3 (SNMP v3), which features higher adaptability and security. User names are needed to connect the network management system to the endpoint.
  • Robustness testing tools are used to scan protocols to ensure that there are no high-risk vulnerabilities.
  • By default, File Transfer Protocol over SSL (FTPS) and LDAP over SSL (LDAPS) are used to encrypt address book transfers, ensuring data integrity and preventing the data from being stolen.
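As an added example (not part of the Huawei document), the following script shows how an operator can use a communication matrix of the kind described above as a baseline: it loads a matrix in the column layout the text lists and compares it with the ports the device is actually listening on, reporting any listener that the matrix does not mention. Both the matrix rows and the listener snapshot are constructed for illustration and are not the TE30's real matrix.

```python
"""Added example (not from the Huawei document): check a device's open ports
against a communication matrix. The matrix rows and the listener snapshot
below are constructed for illustration only."""
import csv
import io

# Constructed communication matrix using the columns the text describes.
MATRIX_CSV = """port,protocol,peer_ne,app_protocol,service,can_disable,auth_mode
443,TCP,Web browser,HTTPS,Web management,no,Username/password
5060,TCP,SIP server,SIP,SIP signaling,yes,Digest
5061,TCP,SIP server,SIP over TLS,Secure SIP signaling,yes,TLS certificate
1720,TCP,Gatekeeper,H.323,H.225 call signaling,yes,H.235
161,UDP,NMS,SNMPv3,Network management,yes,SNMPv3 user
"""

# Constructed listener snapshot in the shape of `ss -lntu` output lines
# (Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
LISTENERS = """tcp   LISTEN 0  128  0.0.0.0:443   0.0.0.0:*
tcp   LISTEN 0  128  0.0.0.0:5061  0.0.0.0:*
tcp   LISTEN 0  128  0.0.0.0:23    0.0.0.0:*
udp   UNCONN 0  0    0.0.0.0:161   0.0.0.0:*
udp   UNCONN 0  0    0.0.0.0:69    0.0.0.0:*
"""


def load_matrix(text):
    """Return {(protocol, port): row} for every row of the CSV matrix."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["protocol"].upper(), int(r["port"])): r for r in rows}


def parse_listeners(text):
    """Extract (protocol, port) pairs from ss-style output lines."""
    found = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                      # header or blank line
        proto = fields[0].upper()
        local = fields[4]                 # e.g. 0.0.0.0:443 or [::]:443
        port = int(local.rsplit(":", 1)[1])
        found.add((proto, port))
    return found


def unexpected_listeners(matrix, listeners):
    """Ports open on the device but absent from the matrix: these are the
    services the text says should not be enabled."""
    return sorted(l for l in listeners if l not in matrix)


def closed_matrix_ports(matrix, listeners):
    """Matrix entries that are not currently listening (informational)."""
    return sorted(k for k in matrix if k not in listeners)


if __name__ == "__main__":
    matrix = load_matrix(MATRIX_CSV)
    listeners = parse_listeners(LISTENERS)
    for proto, port in unexpected_listeners(matrix, listeners):
        print(f"NOT IN MATRIX: {proto}/{port}")
    for proto, port in closed_matrix_ports(matrix, listeners):
        row = matrix[(proto, port)]
        print(f"listed but closed: {proto}/{port} ({row['service']})")
```

On a real device the listener snapshot would come from the device's own management interface rather than from a constructed string; the comparison logic is the same.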

Protection of Sensitive Data

  • The log, diagnostic, debug, and alarm information must not contain sensitive data.
  • Sensitive data must be transmitted through secure channels or transmitted after being encrypted.
  • To prevent sensitive data from being disclosed, the endpoint checks the complexity of the password. A password is displayed as "." or "*" when entered in the password input box, and the entered password cannot be copied.
  • Sensitive data such as passwords and ciphering context must not be recorded in logs. If sensitive data really needs to be recorded, it should be displayed as "***".
  • Standard encryption algorithms (proprietary algorithms not allowed) and key negotiation mechanisms are used.
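The following added example (not code from the Huawei document) implements two of the requirements listed above: a log redaction function that masks the values of sensitive fields such as passwords and tokens with "***" before a line is written, and a password complexity check. The set of field names treated as sensitive and the complexity rules (minimum length, three of four character classes) are assumptions; the document does not state the endpoint's actual rules.

```python
"""Added example (not from the Huawei document): redact sensitive values in
log lines and check password complexity. Field names and complexity rules
are assumed for illustration."""
import re

# Assumed field names whose values must never reach the logs.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token", "key")

# Matches key=value, key: value and "key": "value" forms, case-insensitive.
_SENSITIVE_RE = re.compile(
    r'(?P<key>\b(?:' + "|".join(SENSITIVE_KEYS) + r')\b["\']?\s*[=:]\s*)'
    r'(?P<quote>["\']?)(?P<value>[^"\'\s,;]+)(?P=quote)',
    re.IGNORECASE,
)


def redact(line):
    """Replace the value of every sensitive field in a log line with ***."""
    return _SENSITIVE_RE.sub(
        lambda m: m.group("key") + m.group("quote") + "***" + m.group("quote"),
        line,
    )


def check_password_complexity(password, min_length=8):
    """Return a list of failed rules; an empty list means the password is
    acceptable under the assumed policy (length and character classes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    present = sum(1 for ok in classes.values() if ok)
    if present < 3:
        problems.append("needs at least three of: " + ", ".join(classes))
    return problems


if __name__ == "__main__":
    # Constructed log lines for demonstration.
    for raw in (
        "2019-04-28 10:00:01 login user=admin password=Hunter2! result=ok",
        '{"user": "admin", "password": "Hunter2!"}',
        "2019-04-28 10:00:05 call connected to 10.0.0.5",
    ):
        print(redact(raw))
    print(check_password_complexity("password"))
```

Redaction at the point where the line is written is the safer design: a logging call that never sees the raw value cannot leak it through a debug or alarm message later.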

System Management and Maintenance Security

  • Software packages (including patches) are released only after they are scanned by at least five types of mainstream antivirus software and no alarm is generated. Explanations are provided for alarms under special circumstances.
  • All user operations and system abnormalities are recorded in logs.
Updated: 2019-04-28

Document ID: EDOC1000184605

Views: 10838

Downloads: 74

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next