
Fortinet FortiRecorder 100D - Operator access; Patches

Fine-tuning & best practices Page 120 FortiRecorder 2.4.2 Administration Guide
Figure 7: Restricting accepted administrative protocols in the Edit Interface dialog in
System > Network > Interface
Use only the most secure protocols. Disable PING, except during troubleshooting. Disable
HTTP, SNMP, and TELNET unless the network interface only connects to a trusted, private
administrative network. See “NVR configuration”.
Disable all network interfaces that should not receive any traffic (i.e., set the Administrative
status to Down).
Figure 8: Disabling port4 in System > Network > Interface
For example, if administrative access is typically through port1, the Internet is connected to
port2, and cameras are connected to port3, you would disable (“bring down”) port4. This
would prevent an attacker with physical access from connecting a cable to port4 and
thereby gaining access if the configuration inadvertently allows it.
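The interface guidance above can be checked mechanically against an inventory of interfaces. The following is an added example, not part of the FortiRecorder guide or Fortinet's tooling; the inventory format, field names and sample values are assumptions constructed to mirror the port1 to port4 scenario.

```python
# Added example. The inventory format and field names are assumptions
# (constructed sample), not output exported by FortiRecorder.

# Cleartext protocols the guide allows only on a trusted, private admin network.
CLEARTEXT = {"HTTP", "SNMP", "TELNET"}

# Constructed sample mirroring the port1..port4 scenario in the text.
SAMPLE = [
    {"name": "port1", "use": "administration", "trusted": True,
     "status": "up", "access": {"HTTPS"}},
    {"name": "port2", "use": "internet", "trusted": False,
     "status": "up", "access": {"HTTPS", "HTTP", "PING"}},
    {"name": "port3", "use": "cameras", "trusted": False,
     "status": "up", "access": set()},
    {"name": "port4", "use": None, "trusted": False,
     "status": "up", "access": {"TELNET"}},
]


def audit(interfaces, troubleshooting=False):
    """Return (interface, rule, detail) findings, in inventory order."""
    findings = []
    for iface in interfaces:
        name = iface["name"]
        if iface["status"].lower() != "up":
            continue  # a downed interface accepts no traffic
        if iface["use"] is None:
            findings.append((name, "UNUSED_UP",
                             "no assigned use; set Administrative status to Down"))
            continue
        access = {p.upper() for p in iface["access"]}
        if "PING" in access and not troubleshooting:
            findings.append((name, "PING", "disable PING outside troubleshooting"))
        if not iface["trusted"]:
            for proto in sorted(access & CLEARTEXT):
                findings.append((name, proto,
                                 f"{proto} enabled on an untrusted interface"))
    return findings


if __name__ == "__main__":
    for name, rule, detail in audit(SAMPLE):
        print(f"{name}: [{rule}] {detail}")
```

Passing `troubleshooting=True` suppresses only the PING finding, matching the exception the guide allows.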
Operator access
Authenticate users only over encrypted channels such as HTTPS. Authenticating over
non-secure channels such as Telnet or HTTP exposes the password to any eavesdropper.
For certificate-based server/FortiRecorder authentication, see “Replacing the default
certificate for the web UI”.
Immediately revoke certificates that have been compromised. If possible, automate the
distribution of certificate revocation lists (see “Revoking certificates”).
Patches
Upgrade to the latest available firmware to take advantage of new security features and
stability enhancements (see “Updating the firmware”).
