HUAWEI Box 500 V600R019C00 Product Description

Describes the features, network, and technical specifications of the Huawei Box.
Security and Reliability

Operating System Security

Security maintenance for the system layer ensures that the operating system runs smoothly and also supports stable services at the application layer. The Touch of the Box 500 uses a custom Android operating system, which provides higher security and virus immunity than the Windows operating system.

Network Layer Security

On-premises, IMS hosted, and SP hosted networks each comply with different network layer security policies.

  • On-premises networks:
    • The Box 500, SMC2.0, and MCU are deployed in the trusted zone, isolated from the Demilitarized Zone (DMZ) and the untrusted zone. Firewalls are deployed for security domain division and access control.
    • Terminals (such as TE Desktop and TE Mobile) in the untrusted zone communicate with NEs in the trusted zone through the Session Border Controller (SBC) or Switch Center (SC) in the DMZ.
  • IMS hosted and SP hosted networks:
    • The Box 500 is deployed in the untrusted zone, isolated from the DMZ and the trusted zone through the SBC or the extranet firewall.
    • If a DMZ is deployed, you need to install the SBC, SC, USM Proxy, and MediaX Proxy in the DMZ for the Box 500 to establish connections.
    • If no DMZ is deployed, the Box 500 connects to the trusted zone through the SBC. The USM Proxy and MediaX Proxy are not required.
    • On network borders between the DMZ and the trusted and untrusted zones, firewalls are deployed to implement security domain division and access control.

Firewall Technology (NAT)

The firewall protects your IP network by separating internal network traffic from external network traffic. Using Network Address Translation (NAT) and signaling exchange between public network protocols and private network protocols, the firewall allows participants on local area networks (LANs) at different sites to join video conferences. With NAT, a device on a LAN is allocated a dedicated internal IP address that uniquely identifies it on the LAN, and the device uses an external IP address to communicate with external devices. Through NAT mapping, multiple internal IP addresses are mapped to one external IP address. NAT mapping not only reduces the number of IP addresses needed for users on a private network to access the Internet, but also enhances the security of the private network.

Traversal Between Public and Private Networks

The standard H.460 and Security Traversing Gateway (STG) traversal technologies are used to set up secure connections between the public and private networks through the firewall.

Email Security

To ensure the security of email accounts and outgoing emails, STARTTLS is used by default to upgrade the connection to the mail server to TLS, so that the mail server is authenticated and emails are sent over an encrypted channel.

Web Request Authentication

  • When a user requests access to a specified web page or submits a Servlet request, the Box 500 checks whether the user's session identifier is valid and whether the user is authorized to perform the operation.
  • The server implements the final authentication on the user.
  • Before transmitting user-generated data to clients, the server validates the data and HTML-encodes it to prevent malicious code injection and cross-site scripting (XSS) attacks.
  • Web security software is used to scan the web server and applications to ensure that there are no high-risk vulnerabilities.

Protocol Anti-Attack Measures

  • The communication matrix is provided in the product documentation. Do not enable the services and ports that are not described in the communication matrix.

    The communication matrix contains the following information:

    • Open ports
    • Transport layer protocols used by the ports
    • NEs that use the ports to communicate with peer NEs
    • Application layer protocols used by the ports and description of the services at the application layer
    • Whether services at the application layer can be disabled
    • Authentication modes adopted by the ports
    • Port functions (such as data traffic control)
  • To ensure the security and stability of the video conferencing system, the Box 500 utilizes multiple encryption measures, including H.235 (for encryption of media and signaling streams), SRTP, TLS, and HTTPS.
  • For network management, the Box 500 supports SNMPv3, which offers higher adaptability and security than earlier SNMP versions. A user name and password are required for the network management system to connect to the Box 500.
  • Robustness testing tools are used to scan protocols to ensure that there are no high-risk vulnerabilities.
  • By default, LDAP over SSL (LDAPS) is used for address book access, encrypting the address book data in transit to protect its integrity and prevent it from being stolen.
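The communication matrix described above is only useful if someone checks the device against it. The following is an added example (not Huawei code) of such an audit: it compares a snapshot of listening ports with a constructed matrix that carries the fields the page lists (port, transport protocol, service, whether the service can be disabled, authentication mode). The matrix rows and the observed listener list are constructed sample data and are not taken from the Box 500 communication matrix.

```python
"""Audit observed listening ports against a communication matrix.

Added example, not Huawei code. The matrix rows and the observed
listener snapshot below are constructed sample data; none of the
values come from the Box 500 communication matrix.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MatrixEntry:
    port: int
    transport: str      # transport layer protocol used by the port
    service: str        # application layer protocol / service description
    can_disable: bool   # whether the application layer service can be disabled
    auth_mode: str      # authentication mode adopted by the port


# Constructed communication matrix (illustrative rows only).
COMM_MATRIX = [
    MatrixEntry(443, "TCP", "HTTPS management web", False, "session identifier"),
    MatrixEntry(5061, "TCP", "SIP over TLS signalling", False, "TLS certificate"),
    MatrixEntry(161, "UDP", "SNMPv3", True, "user name and password"),
    MatrixEntry(636, "TCP", "LDAPS address book", True, "TLS certificate"),
]


def audit_listeners(observed, matrix=COMM_MATRIX):
    """Return (undocumented, optional_enabled).

    observed: iterable of (port, transport) pairs that are actually listening.
    undocumented: listeners with no matrix row; the matrix says these must not
    be enabled, so they are findings to close.
    optional_enabled: documented listeners whose service can be disabled; these
    are reviewed against what the deployment really needs.
    """
    allowed = {(e.port, e.transport.upper()): e for e in matrix}
    undocumented, optional_enabled = [], []
    for port, transport in observed:
        entry = allowed.get((port, transport.upper()))
        if entry is None:
            undocumented.append((port, transport.upper()))
        elif entry.can_disable:
            optional_enabled.append(entry)
    return undocumented, optional_enabled


if __name__ == "__main__":
    # Constructed listener snapshot, as a port scan or netstat would report it.
    snapshot = [(443, "tcp"), (5061, "tcp"), (161, "udp"), (23, "tcp"), (80, "tcp")]
    bad, review = audit_listeners(snapshot)
    print("Undocumented listeners (must be closed):", bad)
    print("Optional services enabled (review):", [e.service for e in review])
```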

Protection of Sensitive Data

Sensitive data is protected in the following ways:

  • Logs, diagnostic, debugging, and alarm information do not contain sensitive data such as passwords and cipher contexts. Where such a field must appear, its value is displayed as "***".
  • Sensitive data is transmitted only through secure channels or after being encrypted.
  • In the collaborative application scenario, the uPortal uses the root certificate for authentication through HTTPS to protect sensitive information such as accounts and passwords.
  • The Box 500 checks the complexity of passwords. While a password is being entered, each character is displayed as "." or "*", and the entered password cannot be copied.
  • Only standard encryption algorithms and key negotiation mechanisms are used. Proprietary algorithms are not allowed.
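The first rule above, that sensitive values in log, diagnostic and alarm output are replaced by "***", needs a redaction step at the point where a line is written. The following is an added example (not Huawei code) of such a step; the list of sensitive key names and the sample lines are constructed, and a real deployment would list the exact keys its components emit.

```python
"""Mask sensitive values before a line reaches log, diagnostic or alarm output.

Added example, not Huawei code. SENSITIVE_KEYS and the sample lines are
constructed; the "***" replacement follows the rule stated on the page.
"""
import re

MASK = "***"

# Constructed list of keys whose values must never appear in clear text.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token",
                  "srtp_key", "cipher_context")

# Matches  key=value, key: value, "key":"value"  (optionally quoted key).
# Group 1: quote around the key, 2: key, 3: separator,
# 4: quoted value (may contain spaces), 5: bare value (stops at delimiters).
_PATTERN = re.compile(
    r'("?)(' + "|".join(SENSITIVE_KEYS) + r')\1(\s*[:=]\s*)'
    r'(?:"([^"]*)"|([^\s,;&]*))',
    re.IGNORECASE,
)


def _mask(m: re.Match) -> str:
    # Keep the key, its quoting and the separator; replace only the value.
    value = f'"{MASK}"' if m.group(4) is not None else MASK
    return f"{m.group(1)}{m.group(2)}{m.group(1)}{m.group(3)}{value}"


def redact(line: str) -> str:
    """Return the line with every sensitive value replaced by MASK."""
    return _PATTERN.sub(_mask, line)


if __name__ == "__main__":
    # Constructed sample lines in the shapes such output commonly takes.
    samples = [
        "login user=alice password=Hunter2! ip=10.0.0.5",
        'POST /login body={"user":"bob","password":"s3 cret"}',
        "GET /api?token=abc123&user=bob",
        "SRTP_KEY: 0123abcd negotiated",
        "user=alice ip=10.0.0.5 result=OK",  # nothing sensitive: unchanged
    ]
    for s in samples:
        print(redact(s))
```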

Protection of AI Voice Commands

The Box 500 collects the voice commands that users give to the AI voice assistant and transmits them to the AI server over a TLS 1.2 secure channel for parsing. Once transmitted to the AI server, the voice commands are immediately deleted from the Box 500 and cannot be retrieved by any means.

Facial Recognition Privacy Protection

The Box 500 uses facial recognition to implement its intelligent sign-in and electronic name tag functions. User face images are saved to a local cache and submitted to the facial recognition server for registration and identification. The Box 500 deletes user face images periodically; they are also deleted when users leave a meeting or the Box 500 is restarted. The images are used only for facial recognition services.

System Management and Maintenance Security

  • Software packages (including patches) are released only after they have been scanned by at least five types of mainstream antivirus software with no issues detected. In special cases, an explanation is provided for any alarms raised.
  • All user operations and system exceptions are logged.
  • A two-level certificate chain is supported to ensure the transmission security of confidential data.

Security Design

  • The non-metal parts of the exterior use V1 flame-retardant (FR) materials.
  • The component security design meets the requirements of the nine countries in the EU, North America, Australia, Canada, and the Middle East, as well as China. The components of mechanical parts comply with the EU Machinery Directive 2006/42/EC.
  • Labels and security tips are used.

Disaster Recovery

The Box 500 can simultaneously connect to the active and standby corporate directories or SCs for disaster recovery (DR). When the active corporate directory or SC is faulty, the Box 500 automatically switches to the standby corporate directory or SC to continue providing services.

Updated: 2019-08-19

Document ID: EDOC1100038522
