Professional Documents
Culture Documents
Security Document
R591482_12
August 2021
Barco OpSpace Security Document
Trademarks
Brand and product names mentioned in this manual may be trademarks, registered trademarks, or copy-
rights of their respective holders. All brand and product names mentioned in this manual serve as com-
ments or examples and are not to be understood as advertising for the products or their manufacturers.
Document history
Date Author Reason for Changes
27-Jun-2016 HEKR DRAFT version
20-Dec-2016 HEKR Release OpSpace 1.0
22-Dec-2016 HEKR Add Barco P/N R591482
30-Mar-2017 EREB Release OpSpace 1.1
18-May-2018 EREB Release OpSpace 1.3
05-Feb-2019 HEKR Release OpSpace 1.4
13-Aug-2019 GRIM Release OpSpace 1.5
17-Sep-2019 HEKR Release OpSpace 1.5 (section 13.2)
27-Jan-2020 PHIHE Release OpSpace 1.7
05-May-2020 PHIHE Release OpSpace 1.8
27-Jul-2020 PHIHE Release OpSpace 1.9
15-Oct-2020 PHIHE Release OpSpace 1.9.1
17-Dec-2020 PHIHE Release OpSpace 1.9.2
14-Apr-2021 PHIHE Release OpSpace 1.9.3
Review history
Date Reviewer Review performed and feedback received
14-Dec-2016 KLK, THKA, EREB,
GRIM
20-Dec-2016 ELVMU
19-Jun-2018 ERIBE
06-Feb-2019 HOLLE ELVMU
13-Aug-2019 ELVMU
15-Aug-2019 HOLLE
27-Jan-2020 HEKR
06-May-2020 HEKR
28-July-2020 HEKR
15-Oct-2020 HEKR
19-Apr-2021 HEKR
Contents
1 General Information ........................................................................................................................................ 6
2 Description ........................................................................................................................................................ 7
3 Scope .................................................................................................................................................................. 8
4 Architecture ...................................................................................................................................................... 9
4.1 Deployment View................................................................................................................................................... 9
4.2 Component View .................................................................................................................................................. 9
4.3 Overview of APIs .................................................................................................................................................. 10
4.4 Configuration Flow ............................................................................................................................................. 10
4.4.1 EDP Control Service ....................................................................................................................................................... 10
4.4.2 Auto Discovery and Registration of Barco Devices ................................................................................................. 11
4.4.3 Configuring OpSpace ..................................................................................................................................................... 11
5 Components ................................................................................................................................................... 12
5.1 OpSpace Device Agent ........................................................................................................................................12
5.2 OpSpace Virtual Environment............................................................................................................................12
5.3 OpSpace System Manager .................................................................................................................................12
5.4 OpSpace Application Service .............................................................................................................................13
5.5 OpSpace Workstation ..........................................................................................................................................13
5.6 OpSpace Client Appliance ..................................................................................................................................13
5.6.1 Keyboard/Mouse.............................................................................................................................................................. 13
5.6.2 Audio .................................................................................................................................................................................. 13
5.7 Session Gateway Service .................................................................................................................................... 14
5.8 Media Service ........................................................................................................................................................ 14
5.9 Barco Encoders .....................................................................................................................................................15
5.9.1 NGS-D200 ......................................................................................................................................................................... 15
5.9.2 NGS-D220 ......................................................................................................................................................................... 15
5.9.3 NGS-D320 ......................................................................................................................................................................... 15
5.10 Deployment & Upgrade Server .......................................................................................................................15
5.11 Barco Device Discovery Tool ...........................................................................................................................15
5.12 OpSpace Logout Tool .......................................................................................................................................15
6 Communication............................................................................................................................................. 16
6.1 Well-Known Service Listening Ports ................................................................................................................ 16
6.2 Ephemeral Ports ................................................................................................................................................... 25
7 Identity & Access Management .................................................................................................................. 27
7.1 User Access Rights Management ..................................................................................................................... 27
7.1.1 System Admin User Management ................................................................................................................................ 27
7.1.2 Operator Group Management ...................................................................................................................................... 27
7.1.3 Component Description ................................................................................................................................................ 28
7.2 Barco Service Access Password ........................................................................................................................31
7.3 Device Password ...................................................................................................................................................31
7.4 Barco Encoders .....................................................................................................................................................31
Page IV
8 Logging ............................................................................................................................................................ 32
8.1 Audit logging ......................................................................................................................................................... 32
8.2 System log ............................................................................................................................................................. 32
9 High Availability / Redundancy ................................................................................................................... 34
9.1 Network Interface Bonding ............................................................................................................................... 34
9.2 Redundant Setup ................................................................................................................................................. 34
9.3 OpSpace Client Appliance................................................................................................................................. 34
9.4 OpSpace Server Cluster ..................................................................................................................................... 34
9.4.1 EDP Control Service ....................................................................................................................................................... 35
9.4.2 OpSpace Application Service ....................................................................................................................................... 35
9.4.3 Session Gateway Service ............................................................................................................................................... 35
9.4.4 General Network Failure Behavior .............................................................................................................................. 35
9.5 Media Service ........................................................................................................................................................ 35
10 Health Monitoring ....................................................................................................................................... 36
10.1 System Status ...................................................................................................................................................... 36
10.2 SNMP .................................................................................................................................................................... 36
10.3 Monit ..................................................................................................................................................................... 36
11 Backup & Restore ......................................................................................................................................... 37
11.1 System Maintenance .......................................................................................................................................... 37
11.2 Replacement ....................................................................................................................................................... 37
12 Patch Management ..................................................................................................................................... 38
12.1 Deployment & Upgrade Server ....................................................................................................................... 38
13 Public key infrastructure ............................................................................................................................. 39
13.1 Step-by-step guide OpSpace ........................................................................................................................... 39
13.2 Certificate formats ............................................................................................................................................. 41
13.2.1 PEM format ...................................................................................................................................................................... 41
13.2.2 DER format...................................................................................................................................................................... 41
13.2.3 PKCS#7 or P7B format ................................................................................................................................................. 41
13.2.4 PKCS#12 or PFX format ............................................................................................................................................... 42
13.3 Certificate key matching .................................................................................................................................. 42
14 Threat Analysis & Mitigation ...................................................................................................................... 43
14.1 Default Passwords .............................................................................................................................................. 43
14.2 Device Password ................................................................................................................................................ 43
14.3 Threats During System Administration ......................................................................................................... 43
14.4 Threats During Initial System Setup............................................................................................................... 43
14.4.1 DNS Spoofing ................................................................................................................................................................. 43
14.5 Threats during operation ................................................................................................................................. 44
14.5.1 Malware/Viruses .............................................................................................................................................................44
15 Contact........................................................................................................................................................... 45
Page V
1 General Information
Manufacturer Barco N.V.
System OpSpace
Release 1.9.4
This document describes security objectives and controls implemented in the Barco OpSpace (Operator
Workspace) product.
Main intent is to provide customers running an Information Security Management System (ISMS) for their
installation with the necessary information about security controls. The OpSpace product is designed to
contain basic security features required in various environments. Based on this information, customers
can align the detailed requirements from their ISMS with the security features of the OpSpace product.
Page 6
2 Description
OpSpace provides operators with a single, personalized, concurrent view on applications, remote desk-
tops and video streams - all freely combined onto a single high-resolution unified display surface span-
ning multiple displays on their desk.
OpSpace is a hardware independent, networked visualization and collaboration software suite providing
unparalleled flexibility and scalability through the use of industry standard networks, application servers
and software decoding technologies for video, from standard and high definition to 4K resolution, as well
as screen-scraped and virtualized computer desktops or application, from a single workplace up to a large
number of interconnected workstations. The software supports full redundancy from a network level up
to fully redundant servers and workstations.
The distributed architecture of this revolutionary solution enables sources including remote applications
or video content to be captured once—in any location—and distributed and displayed as many times as
required in any location.
For detailed information, consult the section What is OpSpace? in the OpSpace
Setup & Configuration Manual (R591480).
Page 7
3 Scope
The security concept describes the security measures implemented in the product regarding the
confidentiality
integrity
availability
of the system and the data at rest or in transit.
This implies to have a user management that provides for:
authentication
authorization
accountability.
The foundation of a Security Concept is a declaration of assets to protect. This of course mainly depends
on the specific security requirements of a customer’s installation. The OpSpace product has been devel-
oped with the objective to achieve a high availability of the system and to preserve confidentiality and in-
tegrity of data processed. The implemented measures are documented herein so the customer can align
them with their specific requirements.
Confidentiality is addressed by:
controlling access to video sources per user permissions
limiting access to configuration data per user permissions
logging access to data by user and operation
Integrity of configuration data is achieved by verifying component configurations regularly.
The security of the network infrastructure connecting the systems components with each other and the
outside are not in the scope of the security concept.
The video & audio data which is transported as multicast/unicast streams over the network is not covered
either.
Availability of the system is addressed by:
redundant network connection and setup
fast and easy replacement of failing components
backup/restore of system configuration data
patch management to keep the system up to date with security fixes
Accountability is addressed by:
sending audit logging to a remote SysLog service.
Page 8
4 Architecture
4.1 Deployment View
The OpSpace system features several components that can be fully distributed across an IP network. It
can also be configured for more complex environments where multiple networks are used for either se-
curity or performance reasons.
The OpSpace components are categorized into server and workstation (client) components.
Interconnection of all relevant server room (yellow) and control room (blue) components:
The physical server components are designed as standard rack-mountable chassis and have sophisticated
redundancy features.
The server software is independent from specific hardware. It is available for virtual environments and can
also be configured for full redundancy.
Source adapter components include both hard- and software encoders as well as VDI protocols. In addi-
tion, OpSpace is capable to directly connect to IP camera streams of all major camera brands and codecs
such as Axis, Bosch, or Pelco.
OpSpace uses Ethernet networking technology as the backbone for distributing real-time content.
Page 9
In the Initial Setup, you will be guided through a series of settings to configure
your OpSpace system.
For detailed information, consult the section Initial Setup in the OpSpace Setup
and Configuration Manual (R591480).
The Timezone Setting affects the time added into the logfiles and audit logging
events.
You can change the admin password (and edit your initial settings) on the
OpSpace Configuration page. Select the button System Configuration on the
System Manager homepage, navigate to SysAdmin User Mgmt, and edit the user
admin.
Page 10
Page 11
5 Components
5.1 OpSpace Device Agent
Barco provides a generic device agent as part of the BaseOS to handle device detection and configura-
tion within the EDP Control Service.
OpSpace devices (virtual & hardware appliances) self-register with the EDP Control Service for device
management.
The Barco BaseOS is a tailored Debian based Linux system which is supposed to
run on Barco PC appliances.
For detailed information, consult the section Installing OpSpace Software in the
OpSpace Setup and Configuration Manual (R591480).
For detailed information, consult the section OpSpace System Manager in the
OpSpace Setup and Configuration Manual (R591480).
Page 12
5.6.1 Keyboard/Mouse
Keyboard and mouse are routed transparently via network across several PC-based appliances in an
OpSpace workstation.
Keyboard and mouse are connected to the master appliance, but HID information reaches all machines
configured within a master-slave setup.
5.6.2 Audio
Audio sources are routed via network from the OpSpace client appliances (OpSpace audio client) where
the audio is decoded to the OpSpace audio master appliance (OpSpace audio server) which has a
speaker or headphone connected.
Page 13
Page 14
5.9.2 NGS-D220
The NGS-D220 is a networked H.264 encoder and decoder, both for DVI and DisplayPort content, with
or without audio and integrated keyboard and mouse control.
5.9.3 NGS-D320
The NGS-D320 is an evolution of the NGS-D220 with the same networked H.264 encoder and decoder,
but additional features like HDMI input/output and more. Furthermore, NGS-D320 is also a networked
V2D (Video-to-Data codec) encoder and decoder, both for DVI content, with or without audio and inte-
grated keyboard and mouse control.
Page 15
6 Communication
List of Open TCP/UDP ports by service & device
** can be firewalled on
FTP ftp 21 TCP Not in use x
network level
pw/ pub-
SSH ssh 22 TCP setup computer lic SSH x x x x x x x x x x
key
x x x x x x x x x
WebUI http 80 TCP setup computer pw/- - x * redirect to :443
* * * * * * * * *
P 16
D D D
Client-/ O S O O S E D
Trans Encryp 2 2 3
Service Protocol Port used by Server- V M A C G M U Remark
port tion 0 2 2
AuthN E S S A S S S
0 0 0
OpSpace Ap-
https 443* TCP OpSpace client pw/cert TLS x
plication
Streaming TCP
rtsp 554 BaseOS - - x x x x x x x x
Server UDP
OpSpace Applica-
LDAP Server ldaps 636 TCP pw/cert TLS x
tion Service
P 17
D D D
Client-/ O S O O S E D
Trans Encryp 2 2 3
Service Protocol Port used by Server- V M A C G M U Remark
port tion 0 2 2
AuthN E S S A S S S
0 0 0
x
corosync corosync 2140 UDP HA cluster
RDP
Screenscrap- rdp 3389 TCP OpSpace client x
ing
** can be firewalled on
xmpp XMPP 5223 TCP not in use x
network level
** can be firewalled on
xmpp XMPP 5229 TCP not in use x
network level
P 18
D D D
Client-/ O S O O S E D
Trans Encryp 2 2 3
Service Protocol Port used by Server- V M A C G M U Remark
port tion 0 2 2
AuthN E S S A S S S
0 0 0
** can be firewalled on
xmpp XMPP 5275 TCP not in use x
network level
Chrome Zero- x
5353 UDP Pepper plugin
browser conf
Health Moni-
5845 TCP
tor Web UI
1
will be enabled for NGS-D320 in Managed Mode only!
P 19
D D D
Client-/ O S O O S E D
Trans Encryp 2 2 3
Service Protocol Port used by Server- V M A C G M U Remark
port tion 0 2 2
AuthN E S S A S S S
0 0 0
OpSpace
5896 TCP
server
OpSpace cli-
5897 TCP
ent Proxy
VNC screen-
vnc 5900 TCP OpSpace client x
scraping
Falcon
Vnc 5900 TCP OpSpace client pw/- - x x x
VNC2HID
OpSpace client
non-mixer 5918 UDP x
audio
P 20
D D D
Client-/ O S O O S E D
Trans Encryp 2 2 3
Service Protocol Port used by Server- V M A C G M U Remark
port tion 0 2 2
AuthN E S S A S S S
0 0 0
APP Server
ZMQ 7000 TCP OpSpace client - - x x
Push
APP Server
ZMQ 7001 TCP OpSpace client - x x x
Push
** can be firewalled on
Openfire 7070 TCP not in use x
network level
** can be firewalled on
Xmpp 7443 TCP not in use x
network level
8000: x x x x
GStreamer UDP Streaming server - - x
8999
GStreamer x
8005 UDP Streaming server x x x x
blockwatcher
P 21
D D D
Client-/ O S O O S E D
Trans Encryp 2 2 3
Service Protocol Port used by Server- V M A C G M U Remark
port tion 0 2 2
AuthN E S S A S S S
0 0 0
** can be firewalled on
device control http 8880 TCP not in use x
network level
P 22
D D D
Client-/ O S O O S E D
Trans Encryp 2 2 3
Service Protocol Port used by Server- V M A C G M U Remark
port tion 0 2 2
AuthN E S S A S S S
0 0 0
not in use
GStreamer / (Session An- ** can be firewalled on
SAP 9875 UDP x x x x x
SAP nouncement Pro- network level
tocol)
P 23
D D D
Client-/ O S O O S E D
Trans Encryp 2 2 3
Service Protocol Port used by Server- V M A C G M U Remark
port tion 0 2 2
AuthN E S S A S S S
0 0 0
18999
-
Jack Audio netjack2 UDP OpSpace client - - x
1900
0
2480
Synergy Synergy TCP OpSpace client - - x
0
P 24
D D D
Client-/ O S O O S E D
used 2 2 3
Service Protocol Port Transport Server- Encryption V M A C G M U Remark
by 0 2 2
AuthN E S S A S S S
0 0 0
* A lighttpd runs as proxyserver on port 443 on all devices to forward the https/REST requests depending on the URL to the different services running on lo-
calhost only.
** All TCP ports in the range from 0 to 65535 and the UDP ports in the range from 0 to 1023 are blocked by default by the firewall.
F* - service listening but port is blocked by firewall
L* - service listening on localhost only & port is blocked by firewall
P 25
P 26
You can edit users, i.e. change the full username (not the login name) and the password.
Deleting users will cause an alert message which must be acknowledged.
P 27
For detailed information, consult the section Operator Group Management in the
OpSpace Setup and Configuration Manual (R591480).
User
Represents one single user.
The default user is opsadmin.
Group
Represents a set of users.
The default groups are opsusers & opsadministators.
OpSpace Application
P 28
Exclusive Sources
The administrator can configure a source as exclusive in the System Manager which means that this
source can only be used by one operator at a time.
Permission
Permissions in OpSpace are grouped in roles; a specific role has a fixed set of permissions.
The access control is limited to the permissions of the current role, but the admin can exclude permis-
sions when assigning the role to a user group.
Type Permission
Role
OpSpace provides built-in roles that group the permissions needed for the different levels of access in the
system.
A higher role includes the permissions of the lower one:
Admin
Supervisor
Operator
API
Each role has a predefined set of permissions which can be fully granted or reduced to customize the
permissions as needed.
Role Permissions
Deny or grant access rights (view or control) to the available source Media Groups to
All roles
any of the roles.
Administra- Deny or grant access rights (view or control) to the available source Media Groups and
tor give or deny system permissions and console permissions (granted by default).
Deny or grant access rights (view or control) to the available source Media Groups and
Supervisor
give or deny console permissions (granted by default).
Operator Deny or grant access rights (view or control) to the available source Media Groups.
Deny or grant access rights (view or control) to the available source Media Groups and
API
give or deny console permissions (granted by default).
P 29
P 30
This password will also be used for the local default user accounts (admin, barco)
which can e.g. login via SSH.
The password provided in the Group Information of the Cluster settings is used as
common device password on all servers within the cluster which will also be used for
the communication within the server cluster.
A shared SSH key is used for the communication between the MongoDB services in a
redundant OpSpace Application Service.
P 31
8 Logging
8.1 Audit logging
The audit log contains all the information necessary to follow a user's interaction with the system. It con-
tains more sensitive information than other system logs so access to it should be restricted.
Hence audit logging in OpSpace is disabled by default and, once enabled, will only forward the audit
events to an external syslog server but never store it inside the OpSpace system.
For more information refer to the chapter Audit logging in the OpSpace Setup & Configuration Manual
(R591480).
If not yet visible, unhide the toolbar (toggle) with the respective appliance selected,
and choose the desired action.
Set Log
• Specify the log level, i.e. select the desired log level from a drop-down list (e.g. FATAL, ERROR, WARN,
INFO, DEBUG, TRACE)
The Time Zone setting affects the time added into the log files.
Get Log
A compressed log file (.tar format, e.g. ops-app-srv_1463138594921_logs.tar.gz,
ops-appsrv_1463138693178_logs.tar.gz) is prepared for the device selected, and a Save As dialog is dis-
played to select the desired destination folder.
For detailed information on how to backup the logfiles, consult the section
Monitor/Maintain System | System Maintenance in the OpSpace Setup and
Configuration Manual (R591480).
P 32
Log level
Default Log level: INFO
Level Description
FATAL The system was not able to recover from the error
Records that something went wrong, i.e. some sort of failure occurred, and either:
The system was not able to recover from the error, or
ERROR The system was able to recover, but at the expense of losing some information or failing
to honor a request.
The error level logs are always included in the log files.
A warn message records that something in the system was not as expected.
It is not an error, i.e. it is not preventing correct operation of the system or any part of it,
WARN but it is still an indicator that something is wrong with the system that the operator should
be aware of and may wish to investigate.
The warn level logs are always included in the log files.
Info priority messages are intended to show what’s going on in the system, at a broad-
INFO brush level.
The info level logs include info, error and warn level logs in the log files.
Debug messages are intended to help isolate a problem in a running system, by showing
DEBUG the code that is executed, and the context information used during that execution.
The debug level logs include debug, info, error and warn level logs in the log files.
You can use this log level to very detailed logic or helper logic.
TRACE
The trace level logs include trace, debug, info, error and warn level logs in the log files.
P 33
All cluster members send pings to the default gateway in their network to ensure
network connectivity and cluster functionality.
If this ping is blocked, the cluster cannot be established.
For detailed information, consult the section Manage Server Cluster in the OpSpace
Setup and Configuration Manual (R591480).
P 34
P 35
10 Health Monitoring
10.1 System Status
This part of the user interface serves to verify the system status, obtain log files, device, health and net-
work information.
The dialog shows all appliances together with their status, device type, alarm description, software ver-
sion, location, and media group.
Moreover, this page enables to replace broken devices.
For detailed information, consult the section Monitor/Maintain System in the OpSpace
Setup and Configuration Manual (R591480).
10.2 SNMP
SNMPv3 is enabled on all BaseOS devices by default for the Barco Health Monitoring Service.
On the Barco encoders (NGS-D200/-D220/-D320) you can enable SNMP manually.
10.3 Monit
Each BaseOS Systems runs a monit daemon which checks the system’s parameters.
If a critical threshold is exceeded or a service is no longer running, monit will recognize this and report to
the EDP Control Service.
P 36
For detailed information, consult the section Configuring OpSpace in the OpSpace
Setup and Configuration Manual (R591480).
11.2 Replacement
If your hardware or virtual machine needs to be replaced because it is broken (or after an upgrade), you
can use the Replace function to configure your replacement hardware or virtual machine.
For detailed information, consult the section Monitor/Maintain System in the OpSpace
Setup and Configuration Manual (R591480).
P 37
12 Patch Management
12.1 Deployment & Upgrade Server
The System Manager tools provide a central Deployment & Upgrade Server which can update all Barco
devices from a central position at the click of a button.
P 38
barco.web-server-
Root certificate of signing CA copy of self-signed certificate
ca.crt
barco.web-ser-
Certificate private key created on installation of device
ver.key
Those files are created on first boot and bound to the device (hostname, IPv4 address) itself. Hence, they
are not part of any backup/restore operation.
Since self-signed TLS certificates cause issues/warnings e.g. in current web browsers a customer might
want to exchange the existing certificates with certificates signed by his own Public Key Infrastructure
(PKI) or an external PKI.
Exchanging the certificate therefore means that on replacement or reinstallation of a device, the certifi-
cate must be replaced again.
P 39
o sudo /usr/sbin/barco.sslcert
With new key & CSR
o sudo /usr/sbin/barco.sslcert --force
Adding additional SubjectAlternativeNames (e.g. cluster IP)
o sudo /usr/sbin/barco.sslcert --subjectAltName="DNS:ecs-vlan75-VIP,
IP:172.20.75.21"
• Copy the root certificate and the full certificate chain with SCP back to the home directory on the
device:
o Certificate chain from signed certificate up to root CA (see 13.2.1):
sudo cp ~/certificate-chain.crt /etc/ssl/barco/barco.web-server.crt
o Root CA certificate:
sudo cp ~/root-ca-certificate.pem /etc/ssl/barco/barco.web-server-
ca.crt
• set permission for SSL certificate files
o sudo chown root:barco-ssl /etc/ssl/barco/barco.web-server*
o sudo chmod 640 /etc/ssl/barco/barco.web-server*
• reload nginx web server configuration
o sudo systemctl reload nginx
The root certificate of the certificate authority needs to be imported into the truststore
of the Windows host or browser from where you will access the site via HTTPS:
• Right click - Install certificate
• Store Location: Local Machine
• Place all certificates in the following store: 'Trusted Root Certification Authorities'
P 40
Depending on the PKI the chain can contain several levels of intermediate CA
certificates
• Server certificate:
cat server-certificate.pem > ~/certificate-chain.crt
• Issuing CA certifcate:
cat issuing-ca-certificate.pem >> ~/certificate-chain.crt
• Intermediate CA certificate:
cat intermediate-ca-certificate.pem >> ~/certificate-chain.crt
• Root CA certificate:
cat root-ca-certificate.pem >> ~/certificate-chain.crt
P 41
This will always check for the first certifcate in the file, hence the chain in barco.web-
server.crt needs to start with the webserver certificate!
P 42
Default
Component Scope Type User Name Where to Change
Password
Device
Administration local user admin System Manager:
All devices b4rc0,BCD
Manage Virtual account barco <device password>
Environment
system man-
System System
agement ac- admin b4rc0,BCD System Manager
Manager Administration
count
LDAP Account
OpSpace Manager /
OpSpace ldap opsadmin b4rc0,BCD
Administration OpSpace User
Management
The root account is disabled by default on all devices, but the admin account is part of the sudo group,
hence can be used to execute commands with full root privileges.
P 43
P 44
15 Contact
Visit Barco at www.barco.com
Barco N.V.
Beneluxpark 21 – 8500 Kortrijk (Belgium)
Registered Office:
Barco N.V.
Pres. Kennedypark 35 – 8500 Kortrijk (Belgium)
RPR Kortrijk - BE0473191041
P 45