Template:Security guidelines: Difference between revisions
No edit summary |
No edit summary |
||
Line 8: | Line 8: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td rowspan="5"> DDOS Prevention</td> | <td rowspan="5">DDOS Prevention</td> | ||
<td>SYN Flood Protection</td> | <td>SYN Flood Protection</td> | ||
<td>On</td> | <td>On</td> | ||
Line 32: | Line 32: | ||
<td>Off</td> | <td>Off</td> | ||
<td>HyperText Transfer Protocol Secure (HTTPS) flood attack is same as HTTP flood attack but using HTTPS protocol instead of simple HTTP</td> | <td>HyperText Transfer Protocol Secure (HTTPS) flood attack is same as HTTP flood attack but using HTTPS protocol instead of simple HTTP</td> | ||
</tr> | |||
<tr> | |||
<td rowspan="6">Port Scan Prevention</td> | |||
<td>Port Scan</td> | |||
<td>Off</td> | |||
<td>A port scan is a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port.</td> | |||
</tr> | |||
<tr> | |||
<td>SYN-FIN attack</td> | |||
<td>Off</td> | |||
<td>An attacker may send TCP/IP packets with the SYN and FIN TCP/IP flags set to a target system, ranging across all ports, to find open TCP/IP ports for further attacks. The target system will drop packets which are destined to open ports and send back RST/ACK packets for closed ports. The attacker may gather information from the system responses.</td> | |||
</tr> | |||
<tr> | |||
<td>SYN-RST attack</td> | |||
<td>Off</td> | |||
<td>SYN-RST attack, also known as TCP reset attack, is an abrupt closure of the session which causes the resources allocated to the connection to be immediately released and all other information about the connection is erased. TCP reset is identified by the RESET flag in the TCP header.</td> | |||
</tr> | |||
<tr> | |||
<td>X-Mas attack</td> | |||
<td>Off</td> | |||
<td>Christmas Tree (X-Mas) Attack is designed to send a very specifically crafted TCP packet to a device on the network. This crafting of the packet is one that turns on a bunch of flags. There is some space set up in the TCP header, called flags. And these flags all are turned on or turned off, depending on what the packet is doing.</td> | |||
</tr> | |||
<tr> | |||
<td>FIN scan</td> | |||
<td>Off</td> | |||
<td>FIN packets can bypass firewalls without modification. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet on hand. This is typical behavior due to the nature of TCP.</td> | |||
</tr> | |||
<tr> | |||
<td>NULLflags attack</td> | |||
<td>Off</td> | |||
<td>A Null Scan is a series of TCP packets that contain a sequence number of 0 and no set flags. In a production environment, there will never be a TCP packet that doesn’t contain a flag. Because the Null Scan does not contain any set flags, it can sometimes penetrate firewalls and routers that filter incoming packets with particular flags.</td> | |||
</tr> | |||
<tr> | |||
<td rowspan="8">Access Control</td> | |||
<td>Remote SSH access</td> | |||
<td>Off</td> | |||
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td> | |||
</tr> | |||
<tr> | |||
<td>Remote HTTP access</td> | |||
<td>Off</td> | |||
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td> | |||
</tr> | |||
<tr> | |||
<td>Remote HTTPS access</td> | |||
<td>Off</td> | |||
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td> | |||
</tr> | |||
<tr> | |||
<td>Remote CLI access</td> | |||
<td>Off</td> | |||
<td>All Remote access is disabled by default. If user is using remote access feature it may be a security threat. If user decides to use this feature - it is recommended to use a strong password.</td> | |||
</tr> | |||
<tr> | |||
<td>Local SSH access</td> | |||
<td>On</td> | |||
<td>Enabled by default for user convenience, allows possibility of configuring the device when user is in the same LAN.</td> | |||
</tr> | |||
<tr> | |||
<td>Local HTTP access</td> | |||
<td>On</td> | |||
<td>Enabled by default for user convenience, allows possibility of configuring the device when user is in the same LAN.</td> | |||
</tr> | |||
<tr> | |||
<td>Local HTTPS access</td> | |||
<td>Off</td> | |||
<td>By default turned off - where is no scenario where HTTPS usage would be needed "out side the box".</td> | |||
</tr> | |||
<tr> | |||
<td>Local CLI access</td> | |||
<td>On</td> | |||
<td>Enabled by default for user convenience, allows possibility of configuring the device when user is in the same LAN.</td> | |||
</tr> | |||
<tr> | |||
<td rowspan="2">Block Unwanted Access</td> | |||
<td>SSH Access Secure</td> | |||
<td>On</td> | |||
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block SSH acccess from that source.</td> | |||
</tr> | |||
<tr> | |||
<td>WebUI Access Secure</td> | |||
<td>On</td> | |||
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block WebUI acccess from that source.</td> | |||
</tr> | |||
<tr> | |||
<td>Configuration via SMS</td> | |||
<td>SMS Utilities</td> | |||
<td> By router admin password</td> | |||
<td>Default authorization method for configuration via SMS command is by router admin password. It's very important to have a strong password for admin account.</td> | |||
</tr> | |||
<tr> | |||
<td>Default admin password</td> | |||
<td>First login</td> | |||
<td>On</td> | |||
<td>Default password for Teltonika's devices is admin01 (weak password) but on first login to WebUI - RutOS forcefully requires user to change it. Recommendation is to use strong password or passphrase*</td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td></td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td></td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td></td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td></td> | |||
<td></td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td rowspan="5"> DDOS Prevention</td> | <td rowspan="5"> DDOS Prevention</td> | ||
<td> | <td></td> | ||
<td> | <td></td> | ||
<td> | <td></td> | ||
</tr> | |||
<tr> | |||
<td></td> | |||
<td></td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td></td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td></td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td></td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td rowspan="5"> DDOS Prevention</td> | |||
<td></td> | |||
<td></td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td></td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td></td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td></td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td></td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td rowspan="5"> DDOS Prevention</td> | |||
<td></td> | |||
<td></td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td></td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td></td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td></td> | |||
<td></td> | |||
</tr> | |||
<tr> | |||
<td></td> | |||
<td></td> | |||
<td></td> | |||
</tr> | </tr> | ||
</table> | </table> |
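Review bot: The tail of this hunk leaves scaffolding in the template. There are four rows of three empty `<td></td>` cells after the "Default admin password" row (one cell short for a four-column table, since no rowspan covers them), and then three `<td rowspan="5"> DDOS Prevention</td>` groups whose remaining cells are all empty. These render as blank rows and repeated "DDOS Prevention" labels below the real content, so they should be removed or filled in before the revision is saved. In the added text, "acccess" appears in both Block Unwanted Access rows and the Local HTTPS row reads "where is no scenario"; both need fixing. The Access Control defaults as written leave Local HTTP access On with Local HTTPS access Off, so the admin password the other rows ask users to make strong is sent unencrypted on the LAN. The Details cell for Local HTTPS should state that trade-off instead of saying HTTPS is never needed.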
Revision as of 13:57, 27 January 2020
| Security measurement type | Security measurement name | By default | Details |
|---|---|---|---|
| DDOS Prevention | SYN Flood Protection | On | A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. |
| | Remote ICMP Requests | On | An Internet Control Message Protocol (ICMP) flood attack, also known as a Ping flood attack, is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with ICMP echo-requests (pings). |
| | SSH Attack Prevention | Off | A Secure Shell (SSH) flood attack is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with SSH requests. |
| | HTTP Attack Prevention | Off | A Hypertext Transfer Protocol (HTTP) flood attack is a common denial-of-service attack in which an attacker attempts to overwhelm a targeted device with HTTP requests. |
| | HTTPS Attack Prevention | Off | A Hypertext Transfer Protocol Secure (HTTPS) flood attack is the same as an HTTP flood attack, but uses the HTTPS protocol instead of plain HTTP. |
| Port Scan Prevention | Port Scan | Off | A port scan is a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port. |
| | SYN-FIN attack | Off | An attacker may send TCP/IP packets with the SYN and FIN TCP/IP flags set to a target system, ranging across all ports, to find open TCP/IP ports for further attacks. The target system will drop packets which are destined to open ports and send back RST/ACK packets for closed ports. The attacker may gather information from the system responses. |
| | SYN-RST attack | Off | A SYN-RST attack, also known as a TCP reset attack, is an abrupt closure of the session, which causes the resources allocated to the connection to be released immediately and all other information about the connection to be erased. A TCP reset is identified by the RESET flag in the TCP header. |
| | X-Mas attack | Off | A Christmas Tree (X-Mas) attack sends a very specifically crafted TCP packet to a device on the network. The crafting turns on a bunch of flags. The TCP header has some space set aside, called flags, and each of these flags is turned on or off depending on what the packet is doing. |
| | FIN scan | Off | FIN packets can bypass firewalls without modification. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet. This is typical behavior due to the nature of TCP. |
| | NULLflags attack | Off | A Null Scan is a series of TCP packets that contain a sequence number of 0 and no set flags. In a production environment, there will never be a TCP packet that doesn’t contain a flag. Because the Null Scan does not contain any set flags, it can sometimes penetrate firewalls and routers that filter incoming packets with particular flags. |
| Access Control | Remote SSH access | Off | All remote access is disabled by default. Using the remote access feature may be a security threat. If the user decides to use this feature, it is recommended to use a strong password. |
| | Remote HTTP access | Off | All remote access is disabled by default. Using the remote access feature may be a security threat. If the user decides to use this feature, it is recommended to use a strong password. |
| | Remote HTTPS access | Off | All remote access is disabled by default. Using the remote access feature may be a security threat. If the user decides to use this feature, it is recommended to use a strong password. |
| | Remote CLI access | Off | All remote access is disabled by default. Using the remote access feature may be a security threat. If the user decides to use this feature, it is recommended to use a strong password. |
| | Local SSH access | On | Enabled by default for user convenience; allows the device to be configured when the user is in the same LAN. |
| | Local HTTP access | On | Enabled by default for user convenience; allows the device to be configured when the user is in the same LAN. |
| | Local HTTPS access | Off | Turned off by default: there is no scenario where HTTPS usage would be needed "out of the box". |
| | Local CLI access | On | Enabled by default for user convenience; allows the device to be configured when the user is in the same LAN. |
| Block Unwanted Access | SSH Access Secure | On | By default, the device allows a maximum of 5 login attempts (user defined). If all attempts are used, the device will block SSH access from that source. |
| | WebUI Access Secure | On | By default, the device allows a maximum of 5 login attempts (user defined). If all attempts are used, the device will block WebUI access from that source. |
| Configuration via SMS | SMS Utilities | By router admin password | The default authorization method for configuration via SMS command is the router admin password. It is very important to have a strong password for the admin account. |
| Default admin password | First login | On | The default password for Teltonika's devices is admin01 (a weak password), but on first login to the WebUI, RutOS forces the user to change it. The recommendation is to use a strong password or passphrase* |
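The Port Scan Prevention rows above all key on abnormal TCP flag combinations. The following added example (not Teltonika's code and not the firmware's logic) reads the flag byte from raw TCP headers and tallies, per source, which table row each segment would fall under. It assumes the common definition of an X-Mas packet as FIN+PSH+URG set; the addresses and segments are constructed samples.

```python
import struct
from collections import Counter, defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def tcp_flags(segment: bytes) -> int:
    """Return the six classic flag bits (byte 13 of the TCP header)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header (need at least 20 bytes)")
    return segment[13] & 0x3F

def classify(flags: int) -> str:
    """Map a flag combination to a row name from the table, else 'normal'."""
    if flags == 0:
        return "NULLflags attack"
    # Assumption: X-Mas means FIN, PSH and URG are all set.
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "X-Mas attack"
    if flags & (SYN | FIN) == (SYN | FIN):
        return "SYN-FIN attack"
    if flags & (SYN | RST) == (SYN | RST):
        return "SYN-RST attack"
    if flags == FIN:  # bare FIN; FIN+ACK is an ordinary connection close
        return "FIN scan"
    return "normal"

def build_segment(sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample: minimal 20-byte TCP header, no options or payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

# Constructed (source address, raw TCP header) pairs using documentation ranges.
SAMPLES = [
    ("198.51.100.7", build_segment(40000, 22, 0)),
    ("198.51.100.7", build_segment(40001, 23, FIN | PSH | URG)),
    ("198.51.100.7", build_segment(40002, 80, SYN | FIN)),
    ("203.0.113.9", build_segment(40003, 443, SYN | RST)),
    ("203.0.113.9", build_segment(40004, 443, FIN)),
    ("192.0.2.10", build_segment(50000, 443, SYN)),        # normal open
    ("192.0.2.10", build_segment(50000, 443, FIN | ACK)),  # normal close
    ("192.0.2.10", b"\x00" * 8),                           # too short to parse
]

def summarize(samples):
    """Count non-normal segments per source; unparseable ones are 'malformed'."""
    report = defaultdict(Counter)
    for src, segment in samples:
        try:
            label = classify(tcp_flags(segment))
        except ValueError:
            label = "malformed"
        if label != "normal":
            report[src][label] += 1
    return {src: dict(hits) for src, hits in report.items()}
```
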