Jump to content
  • EN

Template:Security guidelines: Difference between revisions

From Teltonika Networks Wiki
← Older edit
VisualWikitext
No edit summary
 
(4 intermediate revisions by 2 users not shown)
Line 1: Line 1:
==Summary==
==Summary==
In this article you can find details about all Teltonika's supported security features also what device has which security implementations and a guide how to use them properly.


==Security guidelines==
This article provides details about security features and recommendations used in Teltonika Networks products and how to properly implement them ensuring cyber-security best practices.


Below you may find some of the most common security recommendations - these recommendations can and should be applied not only to Teltonika devices, but to all internet-facing appliances. It is always advised to adhere to the following security recommendations whenever device is exposed to the internet in some way.
==Security Guidelines==


==General Security Guidelines==
Listed below are general security recommendations and hardening techniques. These should be applied not only to Teltonika Networks products, but to all internet-facing devices to ensure the best possible security posture and resilience to cyber-attacks.
 
* '''Keep Firmware Updated''' - Always ensure that firmware is up to date.
* '''Set Strong Passwords''' - Use strong, unique passwords for all services (WebUI, SSH, Post/Get). Passwords should include numbers, symbols, uppercase, and lowercase letters. Passwords should be between 15-20 characters long.
* '''Install Trusted Packages''' - Only install packages from known and trusted sources.
* '''Use Secure Configuration Protocols''' - Use SSH or HTTPS for device configuration. Avoid using insecure protocols like telnet or HTTP, especially for remote configuration.
* '''Disable unused services''' - Disable services that are not used, especially those that provide some sort of administrative capabilities (e.g.: WiFi, SMS Utilities, Web CLI).
* '''Ensure WiFi Security''' - If WiFi is used, ensure it employs the latest encryption standards like WPA3 or WPA2 with AES. Avoid using TKIP.
* '''Assign Minimum Necessary Permissions''' - Make sure to provide the least amount of required permissions for any additionally created user account.
* '''Set SIM Card Limits''' - Set SMS and data limits for your SIM card to prevent misuse.


==Security Hardening Guidelines==
== Guideline Categories ==


* '''Limit Administrative Access''' - Avoid exposing administrative services to the internet. If public access is mandatory, set unconventional ports (e.g., 32768-65535) for common services.
# General Security Best Practices
* '''Secure Exposed Services''' - If remote access is necessary, ensure that it is protected by a firewall. If remote access is required for any administrative interface, modify the rule to only accept traffic from known sources (e.g. modify the SSH WAN access rule to only allow connections from a specific source address).
# Device Hardening Recommendations
* '''Manage WiFi Effectively''' - Disable WiFi if it is not needed. Consider reducing wireless transmission power rather than hiding the ESSID.
# Secure Operation & Maintenance
* '''Use Key-Based Authentication''' - Make sure to use key-based authentication wherever possible (e.g. accessing device via SSH).
* '''Verify Backup Integrity''' - Always write down & compare MD5/SHA hashes of backup files and firmware files before uploading them to the device.
* '''Use Phone Number Whitelisting''' - Create phone number groups for SMS commands to act as a whitelist.
* '''Disable Unnecessary Utilities''' - Review and disable unnecessary SMS/Call utilities and commands, or disable this functionality completely.


==Secure Operation Guidelines==
----
=== General Security Guidelines ===


* '''Regularly Update Firmware''' - Regularly check and apply firmware updates for security patches and improvements.
{| class="wikitable"
* '''Monitor Access Continuously''' - Continuously monitor access to administrative services and restrict as needed. Create and regularly review ”Events Reporting” rules to inform when certain events occur on the device.
|+
* '''Update Passwords Periodically''' - Regularly update passwords and ensure they adhere to strong password policies.
|-
* '''Audit Protocols Regularly''' - Regularly audit the protocols used for configuration and management to ensure they remain secure.
! Recommendation !! Priority !! Details
* '''Review Firewall rules''' - Regularly audit and review firewall and traffic rules.
|-
* '''Review used services''' - Regularly review the services that are being used on the device. Disable services that are not used.
| Keep Firmware Updated || Critical || Always run the latest stable firmware. Firmware updates contain critical vulnerability patches.
* '''Configure Secure VPNs''' - Use secure VPN protocols (e.g., IPsec, OpenVPN, WireGuard) for remote access instead of exposing sensitive services directly.
|-
* '''Conduct WiFi Audits''' - Periodically review WiFi settings and ensure they comply with the latest security requirements.
| Use Complex Passwords || Critical || Use complex passwords. At the least password should contain minimum 12 characters and include numbers, symbols, capital and lowercase letters. Avoid using common words.
* '''Review SIM Card Usage''' - Regularly review SMS and data usage limits and adjust them based on current needs and usage patterns. Disable SMS utilities entirely, if it is not utilized whatsoever.
|-
| Enforce HTTPS and SSH || Critical || Only use secure protocols ('''''HTTPS, SSH'''''). Avoid the usage of HTTP, Telnet and other insecure protocols where available.
|-
| Install Only Trusted Packages || Critical || Only install packages from verified and trusted sources. To ensure the integrity Teltonika Networks digitally signs all its firmware and packages.
|-
| Disable Unused Services || Critical || Turn off unused interfaces like Web CLI, WiFi, SMS utilities, etc., to reduce the attack surface.
|-
| Use WPA3 WiFi || High || WPA2 is still considered secure. However '''WPA3''' introduces features that provide better support IoT device security.
|-
| Assign Minimum Necessary Permissions || High || Make sure to provide the least amount of required permissions for any additionally created user account.
|-
| Use Key-Based SSH Authentication || High || If possible, use public/private key pair SSH authentication instead of password-based SSH logins.
|-
| Regularly Review SIM Usage || Medium || Monitor and limit SIM card SMS/data use. Disable SMS management if not in use.
|}


----


=== Security Hardening Recommendations ===


Please note that regardless of currently running configuration, '''we strongly recommend to keep up with the latest firmware version''' which generally includes not only overall improvements to the router functionality, but also security patches & vulnerability fixes.
{| class="wikitable"
|+
|-
! Recommendation !! Priority !! Details
|-
| Limit Administrative Access || Critical || Do not expose WebUI or SSH to the public internet. Use a VPN or allowlist IPs if remote access is needed.
|-
| Use a VPN for Remote Access || Critical || Use IPsec, OpenVPN, WireGuard or other reliable VPN service for remote access. Never expose management interfaces directly.
|-
| Apply IP Whitelisting || Critical || Restrict access to remote services based on specific IP addresses using a firewall.
|-
| Do Not Rely on Obscure Ports Alone || High || Avoid using non-standard ports as a primary defense. Use in conjunction with firewall rules.
|-
| Disable WiFi if Not Needed || High || Disable WiFi instead or reduce transmission power.
|-
| Use Secure Firmware Validation || High || Teltonika Networks firmware is digitally signed and authorized for security. Additionally only apply firmware with verified '''SHA-256''' hashes. Avoid '''MD5/SHA-1'''.
|-
| Disable SMS/Call Utilities by Default || Medium || Disable SMS command features unless explicitly required. Use phone number whitelists and log all commands. Authentication is available via administrative password, custom password or device serial number.
|}


Understandably, every production environment is different and some features may be altered or changed in newer firmware versions – please always make sure to test & verify newer firmware versions '''before deploying any such firmware onto devices in production environment'''.
----


==Active services==
=== Secure Operation & Maintenance ===


In the table below you can find all the services, which are enabled on default configuration in Teltonika's devices.
{| class="wikitable"
|+
|-
! Recommendation !! Priority !! Details
|-
| Continuous Access Monitoring || Critical || Regularly monitor login attempts and access logs. Enable Event Juggler alerts for critical changes.
|-
| Review and Audit Firewall Rules || Critical || Keep firewall rules up to date. Remove unused or overly permissive rules.
|-
| Rotate Passwords & SSH Keys Periodically || High || Rotate credentials and SSH keys at regular intervals. Immediately revoke compromised credentials.
|-
| Audit Protocols and Services || High || Ensure only secure protocols are used. Disable legacy or insecure options ('''''e.g., FTP, Telnet''''').
|-
| Conduct Periodic WiFi Audits || Medium || Reassess SSID use, encryption standards, and user access.
|-
| Verify Backups Securely || Medium || Encrypt backups. Use '''SHA-256/SHA-512''' hashes to validate backups before restoring them. Store securely.
|}


<table class="wikitable">
----
    <tr>
        <th width="500">Service</th>
      <th width="200">Port</th>
      <th width="200">LAN</th>
<th width="200">WAN</th>
    </tr>
    <tr>
      <td>SSH</td>
      <td>22</td>
      <td>Open</td>
<td>Closed</td>
    </tr>
    <tr>
      <td>HTTP</td>
      <td>80</td>
      <td>Open</td>
<td>Closed</td>
    </tr>
    <tr>
      <td>HTTPS</td>
      <td>443</td>
      <td>Open</td>
<td>Closed</td>
    </tr>
</table>

Latest revision as of 13:13, 18 August 2025

Summary

This article provides details about security features and recommendations used in Teltonika Networks products and how to properly implement them ensuring cyber-security best practices.

Security Guidelines

Listed below are general security recommendations and hardening techniques. These should be applied not only to Teltonika Networks products, but to all internet-facing devices to ensure the best possible security posture and resilience to cyber-attacks.

Guideline Categories

  1. General Security Best Practices
  2. Device Hardening Recommendations
  3. Secure Operation & Maintenance

General Security Guidelines

Recommendation Priority Details
Keep Firmware Updated Critical Always run the latest stable firmware. Firmware updates contain critical vulnerability patches.
Use Complex Passwords Critical Use complex passwords. At the least password should contain minimum 12 characters and include numbers, symbols, capital and lowercase letters. Avoid using common words.
Enforce HTTPS and SSH Critical Only use secure protocols (HTTPS, SSH). Avoid the usage of HTTP, Telnet and other insecure protocols where available.
Install Only Trusted Packages Critical Only install packages from verified and trusted sources. To ensure the integrity Teltonika Networks digitally signs all its firmware and packages.
Disable Unused Services Critical Turn off unused interfaces like Web CLI, WiFi, SMS utilities, etc., to reduce the attack surface.
Use WPA3 WiFi High WPA2 is still considered secure. However WPA3 introduces features that provide better support IoT device security.
Assign Minimum Necessary Permissions High Make sure to provide the least amount of required permissions for any additionally created user account.
Use Key-Based SSH Authentication High If possible, use public/private key pair SSH authentication instead of password-based SSH logins.
Regularly Review SIM Usage Medium Monitor and limit SIM card SMS/data use. Disable SMS management if not in use.

Security Hardening Recommendations

Recommendation Priority Details
Limit Administrative Access Critical Do not expose WebUI or SSH to the public internet. Use a VPN or allowlist IPs if remote access is needed.
Use a VPN for Remote Access Critical Use IPsec, OpenVPN, WireGuard or other reliable VPN service for remote access. Never expose management interfaces directly.
Apply IP Whitelisting Critical Restrict access to remote services based on specific IP addresses using a firewall.
Do Not Rely on Obscure Ports Alone High Avoid using non-standard ports as a primary defense. Use in conjunction with firewall rules.
Disable WiFi if Not Needed High Disable WiFi instead or reduce transmission power.
Use Secure Firmware Validation High Teltonika Networks firmware is digitally signed and authorized for security. Additionally only apply firmware with verified SHA-256 hashes. Avoid MD5/SHA-1.
Disable SMS/Call Utilities by Default Medium Disable SMS command features unless explicitly required. Use phone number whitelists and log all commands. Authentication is available via administrative password, custom password or device serial number.

Secure Operation & Maintenance

Recommendation Priority Details
Continuous Access Monitoring Critical Regularly monitor login attempts and access logs. Enable Event Juggler alerts for critical changes.
Review and Audit Firewall Rules Critical Keep firewall rules up to date. Remove unused or overly permissive rules.
Rotate Passwords & SSH Keys Periodically High Rotate credentials and SSH keys at regular intervals. Immediately revoke compromised credentials.
Audit Protocols and Services High Ensure only secure protocols are used. Disable legacy or insecure options (e.g., FTP, Telnet).
Conduct Periodic WiFi Audits Medium Reassess SSID use, encryption standards, and user access.
Verify Backups Securely Medium Encrypt backups. Use SHA-256/SHA-512 hashes to validate backups before restoring them. Store securely.
Retrieved from "https://wiki.teltonika-networks.com/index.php?title=Template:Security_guidelines&oldid=154142"