<< Click to Display Table of Contents >> Navigation: Library Information > Safety Notices |
Navigation: Library Information >
This topic describes the product-related safety notices, including notices for secure operations, personal data, feature usage, passwords, protocols, encryption algorithms, and sensitive words.
ϒ⁄Notices About Sensitive Words
Before performing maintenance operations, engineers must comply with the following requirements:
ϒ⁄All maintenance operations must be authorized by the customer. Do not perform any operations beyond the customer's authorization.
ϒ⁄The customer's authorization must be obtained before taking troubleshooting data out of the customer's network. Personal information in such data must be rendered anonymous to ensure that the device provider cannot restore personal information in any ways.
During service operation or troubleshooting, the product, service, or feature you purchased may obtain or use certain personal data of users. Therefore, you are obliged to formulate necessary user privacy policies in accordance with local laws and regulations and take sufficient measures to protect personal data.
You are advised to enable the following functions only within the purpose and scope allowed by applicable laws and regulations. When using or storing personal data or communication contents of users, you must take adequate measures to ensure that such information is strictly protected.
ϒ⁄Audio recording, recording, video recording, file download, or play
Using these functions involves personal data of users. It is recommended that you comply with local laws and regulations when using these functions and take sufficient measures to protect personal data. OpenVox alone cannot collect or store users' communication contents. Whether to enable audio recording, recording, or video recording function is solely determined by users themselves. Before recording a call, the system will clearly remind users that "The call will be recorded".
§Agent call recording: Each call between an agent and a customer is recorded by the media engine on the agent's local PC to facilitate call query for the agent. Recording files are stored on the agent's local PC or a console server. The storage mode and time are determined by the agent.
§P2P call recording: Calls between users are recorded by a recording server to facilitate query and auditing. Recording files are stored on the recording server. The storage time is determined by an enterprise administrator. Before recording a call, the system will clearly remind users that "The call will be recorded".
§Voice conference recording: Conversations in voice conferences are recorded by a recording server to facilitate conference management, query, and auditing. Recording files are stored on the recording server. The storage time is determined by an enterprise administrator. Before recording a call, the system will clearly remind users that "The call will be recorded".
§Channel tone recording: System announcements of the X1900 gateway can be recorded on phones. These announcements are played to users when they perform operations. Voice files are stored on the X1900 unified gateway.
§Audio and video recording file download or play: Audio and video recording files can be downloaded to and played on local terminals.
ϒ⁄User information storage or usage
To provide call services for users, the system needs to configure and store user information such as user numbers, authentication accounts, and passwords. It is recommended that you comply with local laws and regulations and obtain the customer's authorization when using the information and take sufficient measures to protect personal data.
ϒ⁄SMS, fax, or voicemail
The system provides SMS, fax, and voice mail functions. Using these functions involves personal data of users. It is recommended that you take sufficient measures to protect personal data.
ϒ⁄CDR
When users make calls or hold conferences, the system generates CDRs, including the calling number, called number, and call duration. It is recommended that you comply with local laws and regulations and obtain the customer's authorization when using CDRs and take sufficient measures to protect personal data.
ϒ⁄Data backup
To prevent system faults or user data errors caused by data misoperation, the product promotes enterprises to back up different data periodically. Backup data may involve user information, such as user numbers and contact information. Backup data is used only for data restoration. Do not store backup data in an unauthorized manner or use it for other purposes. Expired backup data must be deleted in a timely manner.
ϒ⁄Log
Logs are used to locate faults. When exporting logs from the customer's network, ensure that no personal data is collected. It is recommended that you comply with local laws and regulations when using this function and take sufficient measures to protect personal data. For example, you should delete log files copied to the local PC immediately when faults are rectified.
ϒ⁄Message, data, or signaling tracing
This function is used to commission services and locate faults. Using this function involves personal data, such as user numbers. This function provides anonymity processing for personal data. Traced messages are used only for locating faults. Delete related information immediately when faults are located.
ϒ⁄Fault information collection
To find fault causes, the system may collect necessary service data, which may contain user information, such as user numbers. User information in collected logs is rendered anonymous. Comply with local laws and regulations when using the fault information collected. Do not take such information out of the enterprise network. Such information shall be deleted immediately when fault causes are found.
The product contains many default passwords. After logging in to a server or an application using a default password, change the password immediately.
To ensure security, passwords must meet complexity requirements. It is highly recommended that enterprises set complex passwords.
Configure passwords in ciphertext mode if possible. To ensure device security, do no disable the password complexity check function, and change passwords periodically.
For a list of default passwords, see the tab of accounts and passwords in Integration Design. For the password change method, see the Security Maintenance.
ϒ⁄TFTP/FTP/FTPS/SFTPv1/SFTPv2
Used to transfer files. TFTP/FTP/SFTPv1 has security risks. You are advised to use SFTP/FTPS/SFTPv2 for file operations.
If you must use TFTP/FTP/SFTPv1, pay attention to data security during the use and disable the protocol immediately when it is no longer used.
ϒ⁄Telnet/STelnetv1/STelnetv2/SSHv1/SSHv2
Used to log in to the device. Telnet/STelnetv1/SSHv1 has security risks. You are advised to use STelnetv2/SSHv2 for login.
If you must use Telnet/STelnetv1/SSHv1, pay attention to data security during the use and disable the protocol immediately when it is no longer used.
ϒ⁄HTTP/HTTPS
Used to access web applications. HTTP has security risks. In an untrusted network, you are advised to HTTPS for application access.
ϒ⁄SNMPv1/SNMPv2c/SNMPv3
Used to manage the device. SNMPv1/SNMPv2c has security risks. You are advised to use SNMPv3 for device management.
ϒ⁄SIP TLS/SRTP
SIP TLS, an industry-standard signaling encryption protocol, and SRTP, a media encryption protocol, are used to encrypt TCP/UDP-borne data, ensuring data communication security. You are advised to enable SIP TLS or SRTP in an insecure network. You are advised to use TLS1.0 or later versions.
ϒ⁄LDAP
Used by IP phones to obtain the address book from an LDAP server. LDAP is an insecure protocol. Unless necessary, do not use LDAP. Pay attention to data security during the use.
ϒ⁄SMTPS
Protocol used by a mail server. SMTPS is an insecure protocol. Unless necessary, do not use SMTPS. Pay attention to data security during the use.
ϒ⁄NFS
NFS server protocol. You are advised to use NFS4.0 or later versions.
The solution uses industry-standard encryption algorithms. Determine the algorithm based on the scenario. Use encryption algorithms with high strength preferentially.
When SSH is used for unified gateway login or when the unified gateway functions as the client of the SIP trunk, Diffie-Hellman (DH) of 2048 bits or above is used by default. For compatibility with different types of CLI clients, parameter 520 of the unified gateway can be set to support less-than-2048bit DH. To avoid security risks, DH of 2048 bits or above is recommended.
To ensure algorithm compatibility, the RSA_3DES_EDE_CBC_SHA algorithm as well as the high-level RSA_AES_256_CBC_SHA256 algorithm are supported for SSL/TLS used in interaction between a browser and the unified gateway. You are advised to use the high-level encryption algorithm to avoid security risks.
The product documentation describes the commands that you will use when you use OpenVox devices or deploy/maintain networks. Commands and interfaces used for production, assembly, returned repair are not described in the documentation.
Misuse of some advanced commands used only for engineering implementation and troubleshooting and upgrade commands may result in device faults or service interruption. It is recommended that these commands be used by engineers with higher rights.
This section describes the scenarios where sensitive words are used in the product.
ϒ⁄Database listening: a service provided by a database server to listen on access requests from clients. If the listening status of a database is abnormal, clients cannot access the database properly.
ϒ⁄Tracing: Signaling tracing provides a function for tracing narrowband signaling and parsing messages so that users can quickly locate faults. Message tracing provides a function for tracing service signaling so that users can learn service transfer and communication information from traced services. Neither signaling tracing nor message tracing involve personal data or privacy of users or customers. After the tracing function is used, disable it in a timely manner.
ϒ⁄Call record: used by agents or administrators to query calls, and by IP phone users to query their own calls. Call records can be provided to a CDR server or third-party server in CDR format for charging or enterprise call traffic statistics collection.
ϒ⁄Equipment serial number (ESN): a string that uniquely identifies a device. The ESN is used to apply for licenses and ensures that a license is grant to the specified device.
ϒ⁄Media Access Control (MAC) address: a hardware address that uniquely identifies a network adapter. The MAC address is used to bind network adapters and apply for licenses.
ϒ⁄IP address: a unique address of each device/host for network communication. IP addresses are the basis for network operation.
ϒ⁄Uniform resource locator (URL): path for accessing websites or files in web mode. The URL is often used to configure such path information.
ϒ⁄Topology: refers to a network topology diagram and its management. The network topology diagram shows the physical layout of the device and presents logical or physical connections with other devices in a virtual manner.
ϒ⁄Serial port: used to log in to the device for modifying the default IP address.
ϒ⁄Management network port: used to manage the device. For example, you can use the management network port on a board of the X1900 unified gateway to manage the gateway, and use the management network port of the RH2285 V2 and RH2288 V3 to view hardware status or install the operating system.
ϒ⁄Plaintext password: password in plaintext. The system uses a password encryption tool to convert plaintext into ciphertext and then writes ciphertext to the configuration file.
ϒ⁄Internal user: a phone user inside an enterprise or an intra-office phone user.
ϒ⁄Play: used in scenarios where voice files, recording files, and alarm tones are played.
ϒ⁄User name: displayed on the called party's terminal.
When installing software, upgrading the system, or installing patches, use the software digit signature verification tool (OpenPGP) to verify the software integrity.
Parent Topic: Library Information