Hardening guide

This document provides recommendations for enhancing the security of BAS-IP devices. By following these measures, you can minimize vulnerabilities exposed to external threats and protect your network, devices, and provided services. Adhering to these guidelines should be a priority at all stages of device operation and maintenance to ensure reliable performance.

BAS-IP Devices in a Network Environment

To prevent physical sabotage, vandalism, or unauthorized access to BAS-IP devices, it is recommended to use vandal-resistant enclosures and install the equipment according to our guidelines.

Limiting Internet Exposure

Avoid exposing BAS-IP devices to public access. It is strongly recommended to allow access to these devices only from within the local network.

Limiting Local Network Exposure

For full functionality, BAS-IP devices require access to other network devices and systems. It is advised to grant access only to necessary systems and personnel, preferably using a segmented network.

Access via Web Browser

BAS-IP devices are equipped with a web server that provides an interface for configuration and technical maintenance but is not intended for daily operation. Always end the session once configuration is complete.

Data Confidentiality

Do not share BAS-IP device credentials with third parties, avoid distributing configuration files that contain unfiltered sensitive information, and refrain from sharing network logs and security keys.

Setting a Strong Password

All BAS-IP devices require an administrator password to access settings. Use a strong password and keep it confidential.

Firmware Update

Regular firmware updates are an important step in maintaining security. New firmware versions may contain patches for known vulnerabilities. Ensure that the device is always running the latest software version available on the BAS-IP website.

SIP Accounts

When using SIP-PBX for calls, it is recommended to enable authentication and avoid using anonymous accounts. Use the SIP-TLS protocol to secure calls.

Access Control

Use time profiles to control access. If 24/7 access is not required, limit the timeframes accordingly.

Video Streaming and Data Transmission

When using video streaming alone, disable audio transmission. Configure access with a strong password and an authorized IP address list.

Email

When sending notifications, it is recommended to use an SMTP server that requires authentication and verify the server identity using certificates.

HTTP API

For API security, TLS encryption and a strong password should be used.

Relay

It is recommended to use the SH-42 remote relay to prevent unauthorized access to the device. For PIN access codes, assign unique codes for each user.
