Background

Before installing Solstice Pods on the enterprise network, certain security baselines should be configured to harden the security of your deployment. This document outlines the Baseline Security Standard (BSS) that Mersive recommends for environments that are security-sensitive. Pods that are not configured properly can be vulnerable to user and network security breaches, including unauthorized user access, screen capture and recording, unauthorized changes to configuration settings, and denial-of-service attacks.
The Pod is a network-attached device that provides straightforward and secure wireless access to existing display infrastructure by leveraging a host IT network. By configuring your Solstice Pod(s) according to these guidelines, users will be able to quickly connect and share content to the displays in Pod-enabled rooms while still maintaining network security standards.

Audience

This policy applies to any organization that operates in a security-conscious environment. Small deployments, collaboration hotspots, and open-to-public use of the Pod are perfectly valid, and usually do not require strict adherence to the security baselines outlined in this document, but these steps should be considered for larger, centrally-managed Pod deployments.
Given that the Pod is a network-attached device, IT administration and Network Security should be involved in designing an appropriate deployment. Each deployment can differ based on network configuration specifics and policies. However, the BSS provides an outline for secure deployment that can then be adjusted to meet specific needs.


Some content in this section was adopted from NIST 800-53, ‘Security and Privacy Controls for Federal Information Systems and Organizations’ and NIST 800-123, ‘Guide to General Server Security’. The section outlines the installation and configuration steps that should be taken prior to enabling a Pod deployment.

This section assumes familiarity with configuration and management of the Pod. We recommend the use of the Solstice Dashboard for both initial configuration and future monitoring of the Pod.

Initial Setup

Initial configuration operations for each of your Pods should take place on a standalone network prior to deployment on your enterprise network. This will ensure that your Pods are configured to match the security baseline recommendations before being attached to your network. The Solstice Dashboard will need to be installed and run on the same network as the Pods on a secure Windows host PC or server.

  1. Set up standalone network. Before Pods are connected to the enterprise network, they will be configured on a standalone network for both convenience and security.
  2. Power on and deploy the Pod on the standalone network. The Pod ships with both DHCP/Ethernet and the unit’s WAP enabled. Plug the Ethernet cable into your standalone configuration network so the device can receive a local IP address.
  3. (Optional) Standalone configuration. You can also configure the Pod using the steps below without a network. This requires a keyboard and mouse to be connected directly to the device using a USB hub. However, Mersive recommends using the Solstice Dashboard to configure your Pods.
  4. Launch the Solstice Dashboard on the standalone network. The Dashboard will be used to configure your Pods and should be running on the standalone network with the Pod devices. To launch the Dashboard on the network, first download and install the Dashboard from the Mersive website on your Windows host PC or server, and then connect the Windows host to the standalone network.
  5. Import Pods into the Dashboard. Once the Pods have been deployed (one at a time or all at once) on the local network, click the ‘discover’ button to import those Pods into your Dashboard. If Pods do not appear, they are on a network that does not support UDP/Broadcast traffic. If this is the case, use the ‘CSV’ import option to import Pods or enter them manually. Refer to the Solstice Dashboard User Guide for import options and instructions.

Secure Configuration Options

It is important to secure access to configuration options in order to avoid unwarranted changes that could compromise security. This is done by disabling all configuration access except from authenticated users in the Solstice Dashboard.

  1. In the Solstice Dashboard, select all Pods in the deployment and visit the ‘Security’ tab.
  2. Enter an administrator password. Changing the Pods’ configuration options remotely via the Dashboard will now require this administrator password. ‘Enforce password validation rules’ should also be enabled.

Passwords entered into the admin field in the Dashboard are subjected to enterprise policy rules to ensure that they do not pose a security risk. Passwords must be at least 8 characters long, contain at least one uppercase and one lowercase letter, contain no dictionary words, and contain at least one number or symbol. Passwords also must not contain three consecutive characters. These rules are enforced by the Dashboard, and passwords that do not comply with them are rejected.
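The following is an added example, not Mersive’s code, of how the password rules above can be pre-checked before an administrator password is entered into the Dashboard (for instance, in a provisioning script that generates or vets admin credentials). The dictionary word list is a constructed stand-in, since the page does not publish the list the Dashboard uses, and the “three consecutive characters” rule is interpreted here as a run of three identical characters; both are assumptions.

```python
import re

# Constructed stand-in for an enterprise dictionary list; the page does not
# publish the word list the Dashboard actually uses (assumption).
DICTIONARY_WORDS = frozenset({"password", "solstice", "mersive", "admin", "welcome"})


def validate_admin_password(password: str, dictionary=DICTIONARY_WORDS) -> list[str]:
    """Return the list of baseline rules the password violates (empty if compliant)."""
    violations = []
    if len(password) < 8:
        violations.append("must be at least 8 characters long")
    if not re.search(r"[A-Z]", password):
        violations.append("must contain at least one uppercase letter")
    if not re.search(r"[a-z]", password):
        violations.append("must contain at least one lowercase letter")
    if not re.search(r"[^A-Za-z]", password):
        violations.append("must contain at least one number or symbol")
    lowered = password.lower()
    for word in sorted(dictionary):  # sorted so the report order is stable
        if word in lowered:
            violations.append(f"must not contain the dictionary word {word!r}")
    # Assumption: the page's "three consecutive characters" rule is read here as
    # a run of three identical characters, e.g. 'aaa' or '111'.
    if re.search(r"(.)\1\1", password):
        violations.append("must not contain three identical consecutive characters")
    return violations


def is_compliant(password: str) -> bool:
    """True when the password satisfies every rule."""
    return not validate_admin_password(password)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "password", "Baaa1cde", "Short1!"):
        print(f"{candidate!r}: {validate_admin_password(candidate) or 'OK'}")
```

Because the Dashboard rejects non-compliant passwords anyway, the value of a pre-check like this is in automated provisioning, where a rejected credential would otherwise surface only as a failed bulk configuration push.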

  3. Disable ‘Allow Local Configuration’ to ensure users cannot physically access configuration settings by connecting a keyboard and mouse to the unit in the room.

Note: Administrators who configure a Pod in Dual-Network Mode have the option to completely disable configuration traffic from one of the networks. This ensures that guest or unauthenticated networks can be restricted from configuring the Pod.

  4. Disable ‘Allow Browsers to Configure Pod’. At this point only authenticated users of the Solstice Dashboard can modify Pod settings.

Set Access Controls

Solstice’s access control settings address runtime security issues related to how users are authenticated and are granted or denied access to share and control content on the Solstice display.

  1. Select all Pods in the Dashboard and visit the ‘Security’ tab.
  2. Select ‘Screen Key Enabled’ to ensure only users who have line-of-sight to the display and are on a valid network can connect to the display.

Note: Screen Key is required when Multi-Room is enabled. If the ‘Start/Sync Multi-Room Session enabled’ box is checked, the Screen Key box will also be checked.

  3. Enable ‘Encryption’ on the same configuration tab. This is needed to ensure that all Solstice traffic on the network is encrypted. Additionally, once encryption is enabled, third-party devices leveraging the Solstice OpenControl API will need to authenticate with Pods using the administrator password before they can interface with your Solstice endpoints.

Configure Network Settings

The Solstice Pod supports secure access to two independent, onboard network interfaces. Each is configured independently and uses its own routing table, supporting secure simultaneous access to the Pod from two segmented networks (e.g. corporate and guest networks). When this configuration is chosen, the Firewall feature should be enabled.

  1. Select all Pods in the Dashboard and visit the ‘Network’ tab.
  2. Configure either the Ethernet interface (recommended) or wireless interface settings to establish connectivity to your enterprise network. Consult the Network Deployment Guide for more detail on how to select and set up the configuration that supports your network topology.
  3. Disable ‘Broadcast display name on the network’ under the ‘Display Discovery’ Tab.
  4. In the case of a dual-network configuration, configure the second network interface (either Ethernet or wireless) to establish connectivity to the second network. Then select ‘Firewall Settings’ and select ‘Block all traffic between wired and wireless networks’ to isolate network traffic to the two independent network interfaces.

Physical Location Considerations

Because the Pod does not store user credential information, unencrypted passwords, or users’ data that has been shared to the display, the physical Pods do not have to be located in secure locations. However, theft and environmental conditions should still be taken into account.

  1. Select an appropriate physical mounting solution for the Pod that cannot be detached. Consider the use of mounting locks and/or hidden VESA mounting systems behind the display.
  2. Specific mounting orientation is not an important factor as the Pod is operational in any orientation.
  3. Ensure that appropriate environmental controls have been taken into account. The device should operate within an ambient temperature range of 0° C (32° F) to 35° C (95° F). This may require ventilation or even active airflow. Solstice Pods should never be stacked on top of each other.
  4. The Pod should not be mounted in direct contact with a surface that exceeds 30° C (86° F).

Ongoing Baseline Security Practices

Once your Pods have been deployed, it is important to monitor your deployment for continued security.

  1. Ensure that appropriate security and administration personnel have registered their email addresses with Mersive. Security alerts, if needed, will be emailed to those users. Visit our ‘Downloads’ page and click ‘Notification sign up’ under ‘Stay up to date’, then fill out the form to complete registration.
  2. Periodic and scheduled monitoring of the available updates is recommended. Visit the ‘Licensing’ tab and select ‘Check for Updates’. Read the update release notes to make sure that an update isn’t related to a security vulnerability. These issues will be marked with a boldface Security marker in the release notes. If a security update is found, apply the update using the Solstice update mechanism. Refer to the Solstice Dashboard User Guide.
  3. Regular monitoring of the Security Configuration Baseline is recommended and can be accomplished through the OpenControl protocol. Periodic security audits via OpenControl allow the auditor to connect to a Pod, capture its settings, and compare them to the Configuration Baseline.
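As an added illustration of the audit step above (not Mersive’s code and not the OpenControl API itself), the following compares captured Pod settings against a baseline built from the steps in this document and reports every deviation. The setting names are hypothetical placeholders, since the page does not give the field names OpenControl returns, and the sample captures are constructed; a real audit would populate the dictionaries from the settings retrieved over OpenControl.

```python
from dataclasses import dataclass
from typing import Any

# Hypothetical setting names (assumption): the page does not give the field names
# returned by the OpenControl protocol, so these keys stand in for whatever a real
# capture uses. Expected values follow the BSS steps in this document.
BASELINE: dict[str, Any] = {
    "admin_password_set": True,            # Secure Configuration Options, step 2
    "enforce_password_rules": True,
    "allow_local_configuration": False,    # step 3
    "allow_browser_configuration": False,  # step 4
    "screen_key_enabled": True,            # Set Access Controls, step 2
    "encryption_enabled": True,            # step 3
    "broadcast_display_name": False,       # Configure Network Settings, step 3
}


@dataclass(frozen=True)
class Finding:
    pod: str
    setting: str
    expected: Any
    actual: Any  # None when the setting is absent from the capture


def audit_pod(pod: str, captured: dict[str, Any], baseline=BASELINE) -> list[Finding]:
    """Compare one Pod's captured settings against the baseline.

    A setting missing from the capture is reported as a deviation rather than
    silently passing, so an incomplete capture cannot look compliant.
    """
    findings = [
        Finding(pod, setting, expected, captured.get(setting))
        for setting, expected in baseline.items()
        if captured.get(setting) != expected
    ]
    # Conditional control: the firewall rule (Configure Network Settings, step 4)
    # is required only for dual-network Pods, i.e. when both interfaces are enabled.
    dual_network = captured.get("ethernet_enabled") and captured.get("wireless_enabled")
    if dual_network and captured.get("block_wired_wireless_traffic") is not True:
        findings.append(Finding(pod, "block_wired_wireless_traffic", True,
                                captured.get("block_wired_wireless_traffic")))
    return findings


def audit_deployment(captures: dict[str, dict[str, Any]]) -> dict[str, list[Finding]]:
    """Audit every Pod and return only those with deviations."""
    report = {pod: audit_pod(pod, cfg) for pod, cfg in captures.items()}
    return {pod: found for pod, found in report.items() if found}


# Constructed sample captures (not real Pod output).
SAMPLE_CAPTURES = {
    "Room-101": {  # single-network Pod configured per the baseline
        "admin_password_set": True, "enforce_password_rules": True,
        "allow_local_configuration": False, "allow_browser_configuration": False,
        "screen_key_enabled": True, "encryption_enabled": True,
        "broadcast_display_name": False,
        "ethernet_enabled": True, "wireless_enabled": False,
    },
    "Room-202": {  # dual-network Pod that has drifted from the baseline
        "admin_password_set": True, "enforce_password_rules": True,
        "allow_local_configuration": False, "allow_browser_configuration": True,
        "screen_key_enabled": True, "encryption_enabled": True,
        # broadcast_display_name is missing from this capture
        "ethernet_enabled": True, "wireless_enabled": True,
        # block_wired_wireless_traffic was never set
    },
}


if __name__ == "__main__":
    for pod, findings in audit_deployment(SAMPLE_CAPTURES).items():
        for f in findings:
            print(f"{pod}: {f.setting} expected {f.expected!r}, found {f.actual!r}")
```

Treating an absent setting as a finding matters in practice: a capture that fails partway through, or a firmware update that renames a field, should show up as drift to be investigated rather than as a clean audit.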