Template:Security guidelines: Difference between revisions
No edit summary |
No edit summary |
||
| (55 intermediate revisions by 5 users not shown) | |||
| Line 1: | Line 1: | ||
==Summary== | |||
This article provides details about security features and recommendations used in Teltonika Networks products and how to properly implement them ensuring cyber-security best practices. | |||
==Security Guidelines== | |||
Listed below are general security recommendations and hardening techniques. These should be applied not only to Teltonika Networks products, but to all internet-facing devices to ensure the best possible security posture and resilience to cyber-attacks. | |||
== Guideline Categories == | |||
# General Security Best Practices | |||
# Device Hardening Recommendations | |||
# Secure Operation & Maintenance | |||
---- | |||
=== General Security Guidelines === | |||
{| class="wikitable" | |||
|+ | |||
|- | |||
! Recommendation !! Priority !! Details | |||
|- | |||
| Keep Firmware Updated || Critical || Always run the latest stable firmware. Firmware updates contain critical vulnerability patches. | |||
|- | |||
| Use Complex Passwords || Critical || Use complex passwords. At the least password should contain minimum 12 characters and include numbers, symbols, capital and lowercase letters. Avoid using common words. | |||
|- | |||
| Enforce HTTPS and SSH || Critical || Only use secure protocols ('''''HTTPS, SSH'''''). Avoid the usage of HTTP, Telnet and other insecure protocols where available. | |||
|- | |||
| Install Only Trusted Packages || Critical || Only install packages from verified and trusted sources. To ensure the integrity Teltonika Networks digitally signs all its firmware and packages. | |||
|- | |||
| Disable Unused Services || Critical || Turn off unused interfaces like Web CLI, WiFi, SMS utilities, etc., to reduce the attack surface. | |||
|- | |||
| Use WPA3 WiFi || High || WPA2 is still considered secure. However '''WPA3''' introduces features that provide better support IoT device security. | |||
|- | |||
| Assign Minimum Necessary Permissions || High || Make sure to provide the least amount of required permissions for any additionally created user account. | |||
|- | |||
| Use Key-Based SSH Authentication || High || If possible, use public/private key pair SSH authentication instead of password-based SSH logins. | |||
|- | |||
| Regularly Review SIM Usage || Medium || Monitor and limit SIM card SMS/data use. Disable SMS management if not in use. | |||
|} | |||
---- | |||
=== Security Hardening Recommendations === | |||
{| class="wikitable" | |||
|+ | |||
|- | |||
! Recommendation !! Priority !! Details | |||
|- | |||
| Limit Administrative Access || Critical || Do not expose WebUI or SSH to the public internet. Use a VPN or allowlist IPs if remote access is needed. | |||
|- | |||
| Use a VPN for Remote Access || Critical || Use IPsec, OpenVPN, WireGuard or other reliable VPN service for remote access. Never expose management interfaces directly. | |||
|- | |||
| Apply IP Whitelisting || Critical || Restrict access to remote services based on specific IP addresses using a firewall. | |||
|- | |||
| Do Not Rely on Obscure Ports Alone || High || Avoid using non-standard ports as a primary defense. Use in conjunction with firewall rules. | |||
|- | |||
| Disable WiFi if Not Needed || High || Disable WiFi instead or reduce transmission power. | |||
|- | |||
| Use Secure Firmware Validation || High || Teltonika Networks firmware is digitally signed and authorized for security. Additionally only apply firmware with verified '''SHA-256''' hashes. Avoid '''MD5/SHA-1'''. | |||
|- | |||
| Disable SMS/Call Utilities by Default || Medium || Disable SMS command features unless explicitly required. Use phone number whitelists and log all commands. Authentication is available via administrative password, custom password or device serial number. | |||
|} | |||
---- | |||
=== Secure Operation & Maintenance === | |||
{| class="wikitable" | |||
|+ | |||
|- | |||
! Recommendation !! Priority !! Details | |||
|- | |||
| Continuous Access Monitoring || Critical || Regularly monitor login attempts and access logs. Enable Event Juggler alerts for critical changes. | |||
|- | |||
| Review and Audit Firewall Rules || Critical || Keep firewall rules up to date. Remove unused or overly permissive rules. | |||
|- | |||
| Rotate Passwords & SSH Keys Periodically || High || Rotate credentials and SSH keys at regular intervals. Immediately revoke compromised credentials. | |||
|- | |||
| Audit Protocols and Services || High || Ensure only secure protocols are used. Disable legacy or insecure options ('''''e.g., FTP, Telnet'''''). | |||
|- | |||
| Conduct Periodic WiFi Audits || Medium || Reassess SSID use, encryption standards, and user access. | |||
|- | |||
| Verify Backups Securely || Medium || Encrypt backups. Use '''SHA-256/SHA-512''' hashes to validate backups before restoring them. Store securely. | |||
|} | |||
---- | |||
Latest revision as of 13:13, 18 August 2025
Summary
This article provides details about security features and recommendations used in Teltonika Networks products and how to properly implement them ensuring cyber-security best practices.
Security Guidelines
Listed below are general security recommendations and hardening techniques. These should be applied not only to Teltonika Networks products, but to all internet-facing devices to ensure the best possible security posture and resilience to cyber-attacks.
Guideline Categories
- General Security Best Practices
- Device Hardening Recommendations
- Secure Operation & Maintenance
General Security Guidelines
| Recommendation | Priority | Details |
|---|---|---|
| Keep Firmware Updated | Critical | Always run the latest stable firmware. Firmware updates contain critical vulnerability patches. |
| Use Complex Passwords | Critical | Use complex passwords. At the least password should contain minimum 12 characters and include numbers, symbols, capital and lowercase letters. Avoid using common words. |
| Enforce HTTPS and SSH | Critical | Only use secure protocols (HTTPS, SSH). Avoid the usage of HTTP, Telnet and other insecure protocols where available. |
| Install Only Trusted Packages | Critical | Only install packages from verified and trusted sources. To ensure the integrity Teltonika Networks digitally signs all its firmware and packages. |
| Disable Unused Services | Critical | Turn off unused interfaces like Web CLI, WiFi, SMS utilities, etc., to reduce the attack surface. |
| Use WPA3 WiFi | High | WPA2 is still considered secure. However WPA3 introduces features that provide better support IoT device security. |
| Assign Minimum Necessary Permissions | High | Make sure to provide the least amount of required permissions for any additionally created user account. |
| Use Key-Based SSH Authentication | High | If possible, use public/private key pair SSH authentication instead of password-based SSH logins. |
| Regularly Review SIM Usage | Medium | Monitor and limit SIM card SMS/data use. Disable SMS management if not in use. |
Security Hardening Recommendations
| Recommendation | Priority | Details |
|---|---|---|
| Limit Administrative Access | Critical | Do not expose WebUI or SSH to the public internet. Use a VPN or allowlist IPs if remote access is needed. |
| Use a VPN for Remote Access | Critical | Use IPsec, OpenVPN, WireGuard or other reliable VPN service for remote access. Never expose management interfaces directly. |
| Apply IP Whitelisting | Critical | Restrict access to remote services based on specific IP addresses using a firewall. |
| Do Not Rely on Obscure Ports Alone | High | Avoid using non-standard ports as a primary defense. Use in conjunction with firewall rules. |
| Disable WiFi if Not Needed | High | Disable WiFi instead or reduce transmission power. |
| Use Secure Firmware Validation | High | Teltonika Networks firmware is digitally signed and authorized for security. Additionally only apply firmware with verified SHA-256 hashes. Avoid MD5/SHA-1. |
| Disable SMS/Call Utilities by Default | Medium | Disable SMS command features unless explicitly required. Use phone number whitelists and log all commands. Authentication is available via administrative password, custom password or device serial number. |
Secure Operation & Maintenance
| Recommendation | Priority | Details |
|---|---|---|
| Continuous Access Monitoring | Critical | Regularly monitor login attempts and access logs. Enable Event Juggler alerts for critical changes. |
| Review and Audit Firewall Rules | Critical | Keep firewall rules up to date. Remove unused or overly permissive rules. |
| Rotate Passwords & SSH Keys Periodically | High | Rotate credentials and SSH keys at regular intervals. Immediately revoke compromised credentials. |
| Audit Protocols and Services | High | Ensure only secure protocols are used. Disable legacy or insecure options (e.g., FTP, Telnet). |
| Conduct Periodic WiFi Audits | Medium | Reassess SSID use, encryption standards, and user access. |
| Verify Backups Securely | Medium | Encrypt backups. Use SHA-256/SHA-512 hashes to validate backups before restoring them. Store securely. |