Resources & Documentation
Common Security Requests
Crestron devices vary with regard to onboard features and configurable security settings. Common security requests include password protection (AUTHENTICATION), communications encryption (SSL), certificate deployment (802.1X), and disabling certain ports or features (TELNET, FTPSERVER, etc.).
Secure deployment should also be considered when designing system topology. For example, many secure sites request that devices be placed on a processor's Control Subnet to provide isolation from the client's LAN. In these scenarios the processor acts as a secure gateway providing regulated access to the rest of the devices/environment. Refer to Control Subnet - Getting Started & NAT / Port Mapping (Answer ID: 1000110) for additional information.
The Crestron Toolbox® Security Audit Tool can be used to check 3-Series processors, ensure they meet a specific target security level, and provide guided corrective actions. For instructions, refer to About the Security Audit Tool.
NOTE: Crestron supports the use of TLS/SSL when connecting user interface devices to the control processor. Some Smart Graphics Applications such as the Media Player, Pyng Objects and TV Presets may also create direct, unencrypted connections, but only on a local LAN which provides its own security. Any communication meant to be remotely accessible via port forwarding supports encryption.
Authentication
- Enable to provide password protection.
- Create an Administrator account and add other Users / Groups with various permissions.
- Configure max failed login attempt limits, moderate blocked IP addresses resulting from failed logins, set a user logout after idle time, etc.
Refer to the Crestron Toolbox Authentication help file and the Enable Authentication Example Script.
SSL
- Enable to provide SSL (Secure Sockets Layer) encryption to Ethernet communications.
- When enabled, communication is performed over secure Ethernet ports (SCIP, SCTP, HTTPS, SSH) rather than default ports (CIP, CTP, HTTP, Telnet).
- Manage certificate settings (Self-Signed, CA-Signed), permitted encryption types (weak vs strong ciphers), permitted connections (SSLv3 fallback), etc.
Refer to the Crestron Toolbox SSL Management help file.
802.1X / Certificate Deployment
- Enable for environments that require IEEE 802.1X Authentication / Certificate Authority (CA) for Ethernet communication.
- Load and manage CA-signed certificates on the device.
Refer to the Crestron Toolbox 802.1X help file.
Documentation for Your Crestron System
The documents below describe in depth the steps needed to secure a Crestron installation. These documents assume the reader has a basic understanding of security functions and protocols.