Honeywell MPA1.4 Security Control Panels Instruction Manual

Honeywell MPA1.4 Security Control Panels

Product Information

Specifications

• Model: MPA2/MPA1.4
• Revision: 0.6
• Author: Pragnesh Patel

FAQ

• Q: What should I do if the package is received damaged?
  • A: If the package is received in a damaged condition, contact customer support for assistance.
• Q: How often should I conduct a system audit?
  • A: It is recommended to conduct a system audit regularly to ensure optimal performance and security.

Overview

This Security manual provide information to maximize security with MPA2/MPA1.4 Access Control Panels. This guide will identify critical information on features, sug-gest options that should be enabled, and include best practices for using the pan-els.

Intended Audience

This guide provides additional information to the end user for a secure deployment and operation of the MPA2/MPA1.4 access panel.

Related Documents

• MPA2/MPA1.4 Quick Startup Guide
• MPA2/MPA1.4
• Installation Guide
• MPA2/MPA1.4 User Guide

Modes of operation

MPA2/MPA1.4 panel supports multiple modes of operation each mode would have special recommendation for protection methods, they are mentioned in appropri- ate sections.

• Standalone
• Host/On-premise
• Cloud/Remote Access

Unpacking

• Before installing MPA2/MPA1.4 panel on site make sure package is received in good condition and seal is not tampered.

Installation

Recommendations include Securing network wiring, securing the enclosure, ensuring the latest firmware and normal operation.

Securing Ethernet Network

MPA2/MPA1.4 uses Ethernet for below type of communications, recommend to use isolated/standalone network for installing MPA2/MPA1.4 panels. Cabling must be concealed in secured area and must not be freely accessible.

• Web browser for the standalone user interface
• Panel networking
• Host/WINPAK access
• Remote/MAXPRO Cloud access

Warning

The MPA2/MPA1.4 panel when used in standalone and host mode is not recommended to connect to any untrusted network, internet. The MPA2/MPA1.4 panel in these modes is designed to work in trusted or protected network where known users can interact with the panel. If the panel is connected to the internet, remote attacker may try to exploit or dam-age the panel.

Note

• The user will own the risk, if the user connects the panel to the internet or any untrusted network standalone and host mode.

Network Firewall settings

The MPA2/MPA1.4 panel when connected to cloud is recommended to install the MPA2/MPA1.4 panel behind the firewall with network traffic from other network restricted to allow only below outbound communication.

Outbound Port| Protocol| Standard/Custom| Changeable| Notes
---|---|---|---|---
443| TCP (TLS 1.2)| HTTPS/WSS| No| MAXPRO Cloud communication
123| UDP| NTP protocol| No| Optional, if site uses NTP
53| UDP| DNS| Yes| DNS Server: Default uses 8.8.8.8, configurable using DHCP

Securing Fieldbus Wiring

The MPA2/MPA1.4 support below types of fieldbus protocols over three wire and RS-485 physical cables.

• Cables used for Wiegand, SNET and Binary Protocol communications must be concealed in the secured area and must not be freely accessible.

Securing the Enclosure

• Install the hardware in the secure enclosure and use the included cabinet tamper to generate notifications when the enclosure is opened.

Ensuring the latest Firmware

• Ensure to check for the new releases of the MPA2/MPA1.4 firmware and update panel to use latest version of the firmware.
• This ensures the latest changes and security improvements are installed.

Configuration

Please refer to the MPA2/MPA1.4 User Guide for detailed steps for the options mentioned in this section,

Web Interface

The MPA2/MPA1.4 panel supports only HTTPs for web interface, Hypertext Transfer Protocol Secure (HTTPS) is a protocol for securing communication over a network. HTTPS is a combination of HTTP and TLS protocols. It is used to provide encrypted communication with the web server.

Note

• HTTP is not supported on the MPA2/MPA1.4 panel, http://request are declined by MPA2/MPA1.4 panel so it is required to use https://always while connecting to standalone mode.

TLS and certificates

By default, unique self-signed certificates are loaded into each controller at production time. It is recommended to change out-of-the-box provided certificates with appropriate CA signed certificate to have right trust level with panel enabled. “Generating and Installing Certificates” of the MPA2/MPA1.4 User Guide for the detailed step by step approach for generating Certificate signing request and uploading new certificates.

Session timer

• The session timer logs off a user when a session is inactive for configured time interval.
• MPA 2 panel is configured with thirty (30) minutes as default session time out which is recommended value to minimize the risk of when an attacker can access active sessions.
• Refer to “Configuring Behavior Settings” of the MPA2/MPA1.4 User Guide for the detailed step by step approach for configuring “Web Session Timeout”.

Accounts and Permission Management

• The MPA2/MPA1.4 has accounts, represented by users in the MPA2/MPA1.4 configuration.
• It is important that these accounts are properly managed. Failure to do so can make it easier for an attacker to penetrate the system, or make it more difficult to detect that an attack has occurred.

Default user account

The Out-of-the-box MPA2/MPA1.4 panel is preloaded with default user credentials as shown below.

• Username: admin
• Password: admin

On initial signing in with the above default login credentials, the user is asked to change the default password to a new password. For details steps by step instructions on password change “Creating MA2 Accounts” in the MPA2/MPA1.4 User manual.

Note

• It is a must to change the default password at initial login to avoid the default user which is admin being missused.

Unique user account

Each user account in the MPA2/MPA1.4 system should represent a single user. Different people should never share the same account. For example, rather than a general “Supervisor” user that many Supervisors could use, each supervisor should have his own, separate account.

There are many reasons for each user to have hisown individual account:

• If each user has his own account, audit logs will be more informative. It will be easy to determine exactly which user did what. This can help detect if an account has been compromised.
• If an account is removed, it does not inconvenience many users. For example, if a user should no longer have access to
• the MPA2/MPA1.4 System, deleting or disabling his individual account is simpler. If it is a shared account, it makes the administrator difficult to manage the account used by multiple users. The only option would be to change the password and notify all users. Leaving the account as-is is not an option – the goal is to revoke the user’s access.
• If each user has
• his own account, it is much easier to tailor permissions to precisely meet their needs. A shared account could result in users having more permissions than they should.
• A shared account means a shared password. It is an extremely bad security practice to share passwords. It makes it much more likely for the password to be leaked, and makes it more difficult to implement certain password best practices.

Each different user should have a unique individual account. Similarly, users should never use accounts intended and used for running administrative services.

Use a unique account for each project

It is a common (bad) practice that some system integrators often use the exact same system/service credentials on every project they install. If one system is compromised, the attacker could potentially have credentials for the access to many other projects installed by the same contractor.

Minimum required permissions

When creating a new user, think about what the user needs to do in MPA2/MPA1.4, and then assign the minimum permissions required to do that job. For example, a user who only needs to acknowledge alarms does not need access to change the net and hardware configuration. Giving non-required permissions increases the possibility of a security breach. The user might inadvertently (or purposefully) change settings that they should not change. Worse, if the account is hacked, more permissions give the attacker more power.

Password policies and settings

The most popular technique for breaking into a system is to guess user names and passwords. Consequently, it is essential that passwords are difficult to guess (refer to “Creating MPA2/MPA1.4 Accounts” for steps to create strong passwords) and that they are changed often.

Password settings

• The Out-of-the box MPA2/MPA1.4 panel is configured with the “Password Expiration” option enabled. It is recommended not to disable this from “Configuring Behavior Settings”

Account lockout

Account lockout policy is default enabled in the MPA2/MPA1.4 The lockout parameters are as per the table described below.
Below are the default configuration parameters for password and account lockout.

this time.
Minimum password length| 8 characters| No| Improves encryption and makes guessing harder.
Password uniqueness| 3 old passwords| No| Prevents reuse of the same password too quickly.
Account lockout| 5 attempts| No| Prevents continual password guessing by disabling account after the specified number of attempts.
Lockout duration| 30 minutes| No| Specifies the period of time during which a user will not be able to log on following an account lockout.
Lockout counter| 29 minutes|  | The time before the account lockout is reset to zero.

Operation

System audit

To discover any un intended activities, it is recommended to perform periodic audit to make sure MPA2/MPA1.4 panel is being used as configured and intended.
MPA2/MPA1.4 panel captures all user and major system events for the auditing purpose when panel is used in Cloud/Host mode audit logs are periodically synced with Host software’s if used in standalone mode users could use “Alarms & Events” section of the web client for the audit logs, refer to “Monitoring Alarms and Events” section in MPA2/MPA1.4 User Guide for detailed instructions about “Alarms and Events” usage.

Device Discovery

MPA2/MPA1.4 panels uses Zeroconf device discovery service to discover other panels on the network to create panel network.
Zeroconf is a standard device discovery method so MPA2/MPA1.4 panels can be discovered by utilizing through services on Windows® and Linux like Apple® Bon-jour® and mDNSResponder. As described in above Installation section, panel net-work needs to be protected to not have untrusted devices or computers connected to avoid someone from discovering the panels.

Encryption and Authentication

• Utilize the following settings to improve encryption and authentication methods.

Encryption Mechanism

The below critically sensitive data and its encryption mechanism used in the MPA2/MPA1.4 system.

User / Password

• Encrypted File: Stores user credentials. Passwords are saved as hash value together with a salt value.

Encryption in Communication

MPA2/MPA1.4 to

Web client

| TLS| TLS 1.2| HTTPS protocol
MPA2/MPA1.4 to

MAXPRO Cloud

| TLS| TLS 1.2| HTTPS and Web socket secure protocol over TLS with both client and server certificate validations
MPA2/MPA1.4 to

MPA2/NetAxs

| AES 256|  | EVL downstream with binary protocol. TLS is used for initial AES key negotiation

Reader Communications

• OSDP (Open Supervised Device protocol) secure channel (V2) is a bi-directional secure protocol using symmetric keys shared between the reader and controller, MPA2/MPA1.4 by default enables secure mode for OSDP.
• OSDP is recommended to use for reader communications as it provides secure method of communication.

Controller to Downstream Module Communications

The MPA2/MPA1.4 panel supports two types of downstream communication.

• RS485 downstream: communication on this network is not encrypted, cables used for these communications must be concealed in the secured area and must not be freely accessible.
• EVL downstream: communication on this network is encrypted using AES 256 keys negotiated with out-of-the box provided unique public-private key pairs for each of the panel

Data at Rest Encryption

• The MPA2/MPA1.4 panel comes default with the “data at rest” encryption enabled to satisfy privacy concerns for end users in the field.
• The encryption will allow the configuration and data files to be stored in an encrypted storage.

Equipment Replacement And Network Ports

Equipment Replacement

When replacing a board, make sure to use factory default option to clear all data in the controller before discard panel. Please refer “To reset the panel to the factory default values” section in the MPA2/MPA1.4 Installation Guide for detailed step by step instructions to put the panel in the factory default condition.

Network Ports

Physical Ports, Protocols and Services

The following inbound ports are used to accept connections:

MPA2/MPA1.4 Panel Inbound ports

Port| Protocol| Standard/Custom| Changeable| Use| Notes
---|---|---|---|---|---
443| TCP (TLS 1.2)| HTTPS| No| Web client|
3001| TCP| Custom| Yes| WINPAK| Configurable on Web client
2101| TCP| Custom| Yes| Secure WINPAK| Configurable on Web client
3001| TCP (TLS 1.2)| Custom| Yes| WINPAK| Configurable on Web client
9876| TCP| Custom| No| EVL

Communication

| When panel is acting as downstream
5353| UDP Multicast| Bonjour| No| Bonjour discovery| When panel is acting as Gateway panel

MPA2/MPA1.4 Panel Outbound ports

Port| Protocol| Standard/Custom| Changeable| Use| Notes
---|---|---|---|---|---
443| TCP (TLS 1.2)| HTTPS/WSS| No| MAXPRO Cloud|
5001| TCP| Custom| Yes| WINPAK| Configurable on Web client
5001| TCP (TLS 1.2)| Custom| Yes| WINPAK| Configurable on Web client
9876| TCP| Custom| No| EVL

Communication

| When panel is acting as gateway
123| UDP| NTP protocol| No| NTP|
53| UDP| DNS| Yes| DNS Server| Default uses 8.8.8.8,

configurable using DHCP

5353| UDP Multicast| Bonjour| No| Bonjour discovery| When panel is acting as Downstream panel

Note: MPA2/MPA1.4 by default support TLS1.2 with WIN-PAK host. It is recommended to use TLS1.2 with WIN-PAK host. Though legacy modes are supported it is not recommended. <Disclaimer – copy from Quick startup guide>

Securing Web interface via USB

Both MPA2 and MPA1.4 panel Web interface can be accessed via micro-USB and USB C interface respectively. A Honeywell USB ethernet driver is needed on the Windows host machine to access the panel over USB connection. Make sure to use only Honeywell’s USB ethernet driver available on https://myhoneywellbuildingsuniversity.com/training/support/

Note: The user will own the risk if any other driver/software is used to connect the panel over USB interface.

Ethernet daisy chain/Cascade

Ethernet daisy chain/Cascade (MPA1.4 only)

MPA1.4 panel supports ethernet daisy chaining. Panel firmware uses Linux bridge to make the network cascade/ethernet daisy chain work. In cascade mode, all the panels need to be gateway panels. All the security guidelines and recommendations described in previous sections are applicable to the panels in cascade mode as well.

STP (spanning tree protocol) is disabled on the bridge. Make sure to not connect last panel’s ETH2 interface to host network, it will create a network loop and network may behave abnormally.

Securing Mobile App (MPA1.4 only)

Caution: It is highly recommended customer does not install or use the Honeywell Device Utility application on a jailbroken device or rooted device. If a customer uses the application on a jailbroken or rooted device, Honeywell will not be liable to the customer for the occurrence of any cyber security breaches, or the disclosure of sensitive data stored within the application.

Touch ID/Face ID policies and settings

• Ensure that you enable the Bio metric (Enable Touch ID/Face ID) while installing the Device Utility App to Keep the safety measures and to protect from vulnerabilities.

Contact

UK Representative:

• Honeywell Building Technology
• Building 5 Carlton Park
• King Edward Avenue
• Narborough Leicester LE19-0AL United Kingdom
• www.honeywell.com/security/de

Notice

This document contains Honeywell proprietary information.
Information contained herein is to be used solely for the purpose submitted, and no part of this document or its contents shall be reproduced, published, or disclosed to a third party without the express permission of Honeywell International. While this information is presented in good faith and believed to be accurate, Honeywell disclaims the implied warranties of merchantability and fitness for a purpose and makes no express warranties except as may be stated in its written agreement with and for its customer.

Honeywell cannot be held responsible for any direct, special, or consequential damages. The information and specifications in this document are subject to change without notice.

Copyright 2023 – Honeywell International

Revision History

© 2022 Honeywell International Inc. All rights reserved. No part of this publication may be reproduced by any means without written permission from Honeywell. The information in this publication is believed to be accurate in all respects. However, Honeywell cannot assume responsibility for any consequences resulting from the use thereof. The information contained herein is subject to change without notice. Revisions or new editions to this publication may be issued to incorporate such changes. For patent information, see www.honeywell.com/patents.

References

• Honeywell Virtual Patent Marking (HON VPM)
• About Us | Honeywell
• Login - Learning Management Portal1

Read User Manual Online (PDF format)

Download This Manual (PDF format)

Download this manual  >>