[KBA-01394] Best practices for HID to NAT connection and logon credentials - Security Center | HID

Series: Security Center | HID
Revised/modified: 2015-10-26

[KBA-01394] Best practices for HID to NAT connection and logon credentials

This article explains the Genetec Inc. recommendations for HID controllers that are connected to Security Center over the internet using Network Address Translation (NAT).

Summary

  • On the router that provides the unit access to the internet, filter traffic based on the source IP to ensure that only traffic from the Access Manager role reaches the controller.
  • Disable the modem1 and router1 accounts used for dial-up access, to ensure that only the admin and root accounts are able to access the unit.

    To disable modem1 and router1, use telnet to log on to the unit and run the following commands:

    • passwd -l modem1
    • passwd -l router1
  • Perform password rotation by resetting the admin and root user passwords on a regular basis. These passwords should be alphanumeric with a minimum of 5 characters and a maximum of 8 characters.
    CAUTION:
    Telnet data is not encrypted. Using telnet to reset passwords over the internet can expose the passwords to third parties. For security reasons, it is highly recommended to perform password changes on the local network.

    To change the admin and root user passwords, use telnet to log on to the unit and run the following commands:

    • passwd root
    • passwd admin
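
To confirm that the passwd -l step took effect, the following added example (not Genetec or HID code) audits a shadow-format password file and reports any account other than admin and root that can still log on. It assumes the unit keeps its hashes in standard shadow(5) format, where passwd -l prefixes the hash with "!"; the function names audit_accounts and sample_shadow are hypothetical and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: check the account state recommended in this article.
# Assumption: shadow(5) format, "user:hash:...", locked hashes start with "!" or "*".

# audit_accounts [FILE]  (reads stdin when no file is given)
# Prints one finding per line. Returns 0 when modem1 and router1 are locked and
# no account besides admin and root can log on, 1 otherwise.
audit_accounts() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            user = $1; hash = $2
            if (hash == "")           state = "empty"    # no password required
            else if (hash ~ /^[!*]/)  state = "locked"   # result of passwd -l
            else                      state = "active"

            if (user == "modem1" || user == "router1") {
                if (state != "locked") {
                    printf "FAIL: %s is not locked (run: passwd -l %s)\n", user, user
                    bad = 1
                }
            } else if (user == "admin" || user == "root") {
                if (state == "empty") {
                    printf "FAIL: %s has no password set\n", user
                    bad = 1
                }
            } else if (state != "locked") {
                printf "FAIL: unexpected account %s can log on\n", user
                bad = 1
            }
        }
        END {
            if (!bad) print "OK: no account besides admin and root can log on"
            exit bad + 0
        }
    ' "$@"
}

# Constructed sample: modem1 has been locked, router1 has been missed.
sample_shadow() {
    cat <<'EOF'
root:$1$CONSTRUCTED$abcdefghijklmnopqrstuv:16000:0:99999:7:::
admin:$1$CONSTRUCTED$abcdefghijklmnopqrstuv:16000:0:99999:7:::
modem1:!$1$CONSTRUCTED$abcdefghijklmnopqrstuv:16000:0:99999:7:::
router1:$1$CONSTRUCTED$abcdefghijklmnopqrstuv:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
EOF
}

sample_shadow | audit_accounts || true
```

On a unit, the function would be pointed at the password file itself, for example audit_accounts /etc/shadow; that path is an assumption, not something stated in this article.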