General Security Guidelines
- Architect a LAN/WAN-only or LAN/WAN plus direct-dial solution
The most obvious way to protect hosts is to avoid connecting them to the Internet at all. However, that limits connectivity from other hosts already connected to the Internet (typically BUI users or other NiagaraAX hosts).
- Implement a firewall between your NiagaraAX host and the rest of the Internet community. Firewalls provide a barrier between the Internet community and protected hosts.
- Implement a VPN between NiagaraAX hosts
- Implement strong passwords on each NiagaraAX host and station
Implementing strong passwords may prevent an attacker from guessing a NiagaraAX host or station password.
- Change the default administrator password or establish a new administrator account on each host and delete or disable the default one that ships with the product. Each JACE ships with at least one default host administrator user name and password (typically tridium/niagara). If you do not change or disable this account, any person familiar with NiagaraAX software can gain administrative access to the host.
- If you change the password (or create a new account and disable the default), be sure to record your changes and store them in a place where you (and your colleagues) can find them again. If you forget or lose the name or password, you must ship the unit back for recovery.
- Change the default HTTP port (and other ports)—Changing server-side ports keeps out novice attackers, but may not stop more sophisticated ones.
Copyright © 2000-2014 Tridium Inc. All rights reserved.