| Line 44: |
Line 44: |
| | | | |
| | Understandably, every production environment is different and some features may be altered or changed in newer firmware versions – please always make sure to test & verify newer firmware versions '''before deploying any such firmware onto devices in production environment'''. | | Understandably, every production environment is different and some features may be altered or changed in newer firmware versions – please always make sure to test & verify newer firmware versions '''before deploying any such firmware onto devices in production environment'''. |
| − |
| |
| − | ==Security recommendations==
| |
| − |
| |
| − | Security features will not help if you won't use them properly, below you can find a table with recommendations.
| |
| − |
| |
| − | <table class="wikitable">
| |
| − | <tr>
| |
| − | <th width="300">Topic</th>
| |
| − | <th width="300">Recommendation</th>
| |
| − | <th width="550">Comment</th>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td rowspan="2">SSH access</td>
| |
| − | <td>Use a different port than 22</td>
| |
| − | <td>22 is the default port used by SSH protocol. You should not use the default port as it is easy to guess and more vulnerable to brute-force attacks.</td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td>Use strong passwords and passphrases</td>
| |
| − | <td>Most of the servers security are compromised because of the weak passwords. They use easy to guess passwords like the brand name of the device or some universal password like 123456 or Admin123. Weak password is more likely to be cracked by brute-force attacks. You should be using a very strong password or passphrase to log in your SSH server.</td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td rowspan="2">Firewall</td>
| |
| − | <td>Block traffic by default</td>
| |
| − | <td>Start blocking all traffic by default and only allow specific traffic to identified services. This approach provides quality control over the traffic and decreases the possibility of a breach. This behavior can be achieved by configuring the last rule in an access control list to deny all traffic. </td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td>Reviewing firewall rules</td>
| |
| − | <td>Networks are constantly changing by gaining new users and new devices. New services and new applications are being accessed which means new firewall rules will need to be added. The old firewall rules will need to be reviewed and deleted if necessary.</td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td>VPN</td>
| |
| − | <td>Always use VPN if you have the possibility</td>
| |
| − | <td>Encrypted traffic is more secure than unencrypted traffic. Unencrypted traffic can be easily sniffed or even altered by malicious 3rd party.</td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td rowspan="3">WiFi AP</td>
| |
| − | <td>Use WPA2-PSK (AES) encryption</td>
| |
| − | <td>This is the most secure option. It uses WPA2, the latest Wi-Fi encryption standard, and the latest AES encryption protocol</td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td>Use WiFi AP strong key (password/passphrase)</td>
| |
| − | <td>"If malicious 3rd party is able to capture encrypted 4-way handshake, with strong password, decryption time can increase up to n years.</td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td>Separate clients</td>
| |
| − | <td>Separate clients also known as wireless client isolation is a security feature that prevents wireless clients from communicating with one another. This feature adds additional level of security to limit attacks and threats between devices connected to the wireless networks.</td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td rowspan="2">WiFi Hotspot</td>
| |
| − | <td>Setting up a guest network for visitors</td>
| |
| − | <td>By setting up a guest Wi-Fi. A guest Wi-Fi network is essentially a separate access point on your router with separate IP pool. For example with guest network malware that somehow ended up on a guest’s smartphone will not be able to get into your main business LAN</td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td>Hotspot configuration</td>
| |
| − | <td>Setup data bandwidth limit. In that case malicious 3rd party will be unable to drain all your bandwidth. Use session time limit. In that case malicious 3rd party will be unable to drain your mobile data limit </td>
| |
| − | </tr>
| |
| − | <td>WiFi SSID</td>
| |
| − | <td>Don't broadcast your router details</td>
| |
| − | <td>Service set identifier (SSID) should be changed. Default name will broadcast your device model.</td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td>DNS server</td>
| |
| − | <td>Don't use your Internet Service Providers (ISP) default Domain Name System (DNS)</td>
| |
| − | <td>There may come a time when the DNS servers used by your ISP come under attack, by a distributed denial-of-service (DDoS) attack, for example, or someone changing the DNS to effect a cloned banking fraud.</td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td>Password</td>
| |
| − | <td>Always use only strong passwords</td>
| |
| − | <td>Strong password requirements:
| |
| − |
| |
| − | *Has 12 characters, minimum;
| |
| − | *Includes numbers, symbols, capital letters, and Lower-Case Letters;
| |
| − | *Isn’t a dictionary word or combination of dictionary words;
| |
| − | *Doesn’t rely on obvious substitutions.
| |
| − |
| |
| − | You can check your current password strength here: https://howsecureismypassword.net/"</td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td>Firmware update</td>
| |
| − | <td>Keep firmware up to date</td>
| |
| − | <td>With new firmware comes a lot of improvements:
| |
| − |
| |
| − | *Security fixes;
| |
| − | *Performance enhancements;
| |
| − | *Visual updates;
| |
| − | So where is no reason why you shouldn't update firmware.</td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td>Secure firmware update</td>
| |
| − | <td>Always update firmware from official website</td>
| |
| − | <td>Always update firmware downloaded from our official page or use firmware over the air (FOTA).</td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td>RMS</td>
| |
| − | <td>Use RMS for remote access to the router</td>
| |
| − | <td>Disable remote access to your public IP and use RMS for remote management instead. You can find more details about RMS here:
| |
| − | https://teltonika-networks.com/product/rms/</td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td>Unused features</td>
| |
| − | <td>Turn off router features you don’t use that could pose a security risk</td>
| |
| − | <td>This would include remote access, Universal Plug and Play (UPnP), etc...</td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td>Common sense</td>
| |
| − | <td>Always use common sense while configuring any network device</td>
| |
| − | <td>-</td>
| |
| − | </tr>
| |
| − | </table>
| |
| | | | |
| | ==RUT2xx security features== | | ==RUT2xx security features== |