Template:Security guidelines
Summary
This article describes the security features and recommendations used in Teltonika Networks products and explains how to implement them properly, in line with cyber-security best practices.
Security Guidelines
Listed below are general security recommendations and hardening techniques. These should be applied not only to Teltonika Networks products, but to all internet-facing devices to ensure the best possible security posture and resilience to cyber-attacks.
Guideline Categories
- General Security Best Practices
- Device Hardening Recommendations
- Secure Operation & Maintenance

General Security Best Practices

| Recommendation | Priority | Details |
|---|---|---|
| Keep Firmware Updated | Critical | Always run the latest stable firmware. Firmware updates contain critical vulnerability patches. |
| Use Complex Passwords | Critical | Use complex passwords. At minimum, a password should contain 12 characters and include numbers, symbols, and capital and lowercase letters. Avoid using common words. |
| Enforce HTTPS and SSH | Critical | Only use secure protocols (HTTPS, SSH). Avoid the usage of HTTP, Telnet and other insecure protocols where available. |
| Install Only Trusted Packages | Critical | Only install packages from verified and trusted sources. To ensure integrity, Teltonika Networks digitally signs all its firmware and packages. |
| Disable Unused Services | Critical | Turn off unused interfaces like Web CLI, WiFi, SMS utilities, etc., to reduce the attack surface. |
| Use WPA3 WiFi | High | WPA2 is still considered secure. However, WPA3 introduces features that better support IoT device security. |
| Assign Minimum Necessary Permissions | High | Make sure to provide the least amount of required permissions for any additionally created user account. |
| Use Key-Based SSH Authentication | High | If possible, use public/private key pair SSH authentication instead of password-based SSH logins. |
| Regularly Review SIM Usage | Medium | Monitor and limit SIM card SMS/data use. Disable SMS management if not in use. |

Device Hardening Recommendations

| Recommendation | Priority | Details |
|---|---|---|
| Limit Administrative Access | Critical | Do not expose WebUI or SSH to the public internet. Use a VPN or allowlist IPs if remote access is needed. |
| Use a VPN for Remote Access | Critical | Use IPsec, OpenVPN, WireGuard or other reliable VPN service for remote access. Never expose management interfaces directly. |
| Apply IP Whitelisting | Critical | Restrict access to remote services based on specific IP addresses using a firewall. |
| Do Not Rely on Obscure Ports Alone | High | Avoid using non-standard ports as a primary defense. Use them only in conjunction with firewall rules. |
| Disable WiFi if Not Needed | High | Disable WiFi or, alternatively, reduce its transmission power. |
| Use Secure Firmware Validation | High | Teltonika Networks firmware is digitally signed and authorized for security. Additionally, only apply firmware with verified SHA-256 hashes. Avoid MD5/SHA-1. |
| Disable SMS/Call Utilities by Default | Medium | Disable SMS command features unless explicitly required. Use phone number whitelists and log all commands. Authentication is available via administrative password, custom password or device serial number. |

Secure Operation & Maintenance

| Recommendation | Priority | Details |
|---|---|---|
| Continuous Access Monitoring | Critical | Regularly monitor login attempts and access logs. Enable Event Juggler alerts for critical changes. |
| Review and Audit Firewall Rules | Critical | Keep firewall rules up to date. Remove unused or overly permissive rules. |
| Rotate Passwords & SSH Keys Periodically | High | Rotate credentials and SSH keys at regular intervals. Immediately revoke compromised credentials. |
| Audit Protocols and Services | High | Ensure only secure protocols are used. Disable legacy or insecure options (e.g., FTP, Telnet). |
| Conduct Periodic WiFi Audits | Medium | Reassess SSID use, encryption standards, and user access. |
| Verify Backups Securely | Medium | Encrypt backups. Use SHA-256/SHA-512 hashes to validate backups before restoring them. Store backups securely. |
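
The "Use Secure Firmware Validation" and "Verify Backups Securely" rows both come down to checking a file against a published digest before it is applied or restored. The script below is an added example, not Teltonika Networks code: it accepts SHA-256 or SHA-512 digests, refuses MD5 and SHA-1, and assumes a workstation with the coreutils `sha256sum` and `sha512sum` tools; the function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a firmware image or backup archive against a published
# digest before applying or restoring it. All names here are hypothetical.

# Pick the hashing tool from the digest length.
# 64 hex chars = SHA-256, 128 = SHA-512; 32 (MD5) and 40 (SHA-1) are refused.
digest_tool() {
    case "${#1}" in
        64)    echo sha256sum ;;
        128)   echo sha512sum ;;
        32|40) echo "refusing MD5/SHA-1 digest" >&2; return 2 ;;
        *)     echo "unrecognised digest length ${#1}" >&2; return 2 ;;
    esac
}

# verify_digest FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_digest() {
    file=$1
    # Published digests are sometimes upper-case; compare in lower-case.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$expected" in
        ''|*[!0-9a-f]*) echo "digest is not hexadecimal" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    tool=$(digest_tool "$expected") || return 2
    # Read from stdin so the file name never appears in the tool's output.
    actual=$("$tool" < "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published ${tool%sum} digest"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage (placeholders):
#   verify_digest firmware.bin "<published SHA-256>" && echo "safe to upload"
```

A digest check only confirms the file matches what was published; it complements the firmware signature check and does not replace it.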