Changes

edit general sec guidelines
Line 1: Line 1:  
==Summary==
 
==Summary==
Software security has proven inadequate to thwart the known threats. A networked device lacking adequate hardware security can be easily hacked by an end-user. Teltonika's engineers have spent many hours making their devices as safe as possible by implementing many security features. In this article you can find details about all Teltonika's supported security features also what device has which security implementations and a guide how to use them properly.
+
In this article you can find details about all Teltonika's supported security features also what device has which security implementations and a guide how to use them properly.
 +
 
 +
==General security guidelines==
 +
 
 +
Below you may find some of the most common security recommendations - these recommendations can and should be applied not only to Teltonika devices, but to all internet-facing appliances. It is always advised to adhere to the following security recommendations whenever device is exposed to the internet in some way.
 +
 
 +
* Do not have Public Access (HTTP(S)/SSH/Telnet/CLI ports) open ''without any restrictions'' 
 +
* Set strong WebUI/SSH password, including numbers, lowercase and uppercase alphabet letters, symbols. Longer password length also increases overall security of the device         
 +
* If public access is necessary, have it firewalled for '''specific source IPs and source ports''' 
 +
* If public access is absolutely mandatory and source IPs cannot be specified for any reason, '''set unconventional listening and destination ports''' for any common service (i.e., set HTTP(S) port to a random number in the range of 32768-65535)       
 +
* If remote access is required – always '''try to employ the usage of secure VPN protocols''' instead of exposing sensitive services directly to all of the internet       
 +
* When configuring VPNs purely for security, opt in to use VPN protocols with TLS (certificate-based) or private/public key-based authentication, such as IPsec, OpenVPN, WireGuard       
 +
* '''Disable WiFi if unused'''. Use strong WiFi authentication otherwise (certificate based auth/strong PSK).     
 +
* When using router as a public WiFi hotspot, always make sure to restrict access from public WiFi network to the router (create a separate zone with INPUT=DROP default rule for public WiFi network, then configure specific allowed ports only if absolutely necessary)       
 +
* Make sure to provide the least amount of required permissions for any additionally created user account       
 +
* Do not install extra packages from '''unknown sources'''       
 +
* '''Always write down & compare MD5/SHA hashes of backup files''' before uploading them back into the router. In addition – always make sure to verify the hashes of firmware files, before uploading them to the router       
 +
* Make sure to use key-based authentication wherever possible (i.e., accessing to the router via SSH)
 +
* Set '''SMS limits, data limits''' for your SIM card plans
 +
* Disable SMS utilities entirely, ''if it is not utilized whatsoever''
 +
 
 +
 
 +
Please note that regardless of currently running configuration, '''we strongly recommend to keep up with the latest firmware version''' which generally includes not only overall improvements to the router functionality, but also security patches & vulnerability fixes.
 +
 
 +
Understandably, every production environment is different and some features may be altered or changed in newer firmware versions – please always make sure to test & verify newer firmware versions '''before deploying any such firmware onto devices in production environment'''.
    
==Security features==
 
==Security features==
   −
In the table below you can find all the security features supported by Teltonika's devices:
+
In the table below you can find all the security features supported by Teltonika's devices.
    
<table class="wikitable">
 
<table class="wikitable">
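Review bot: the hotspot bullet only isolates the router itself ("separate zone with INPUT=DROP"), but the stated goal elsewhere on this page is keeping guest devices out of the business LAN; add that forwarding from the guest zone to the LAN zone must also be rejected, otherwise guests can still reach internal hosts while being unable to reach the router. The "set unconventional listening and destination ports" bullet should state plainly that a non-standard port only cuts noise from automated scanning and does not replace the source-IP firewalling and strong authentication recommended in the bullets before it, so readers do not treat it as an equivalent alternative. In the backup/firmware bullet, prefer naming a specific digest such as SHA-256 rather than "MD5/SHA" (MD5 is no longer collision resistant), and say that firmware hashes are to be compared against the values published by Teltonika, since a hash computed only on the downloaded file verifies nothing. Wording nits: "i.e." introduces examples in two bullets and should be "e.g." ("e.g., set the HTTP(S) port to ...", "e.g., accessing the router via SSH"); "opt in to use VPN protocols" should be "opt to use VPN protocols"; "we strongly recommend to keep up with" should be "we strongly recommend keeping up with"; "whenever device is exposed" needs an article; the retained summary sentence "supported security features also what device has which security implementations" still needs a connective ("security features, as well as which device has which security implementations"); and several bullet lines carry trailing whitespace.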
Line 115: Line 139:  
       <td>SSH Access Secure</td>
 
       <td>SSH Access Secure</td>
 
       <td>On</td>
 
       <td>On</td>
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block SSH acccess from that source.</td>
+
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block SSH access from that source.</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
       <td>WebUI Access Secure</td>
 
       <td>WebUI Access Secure</td>
 
       <td>On</td>
 
       <td>On</td>
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block WebUI acccess from that source.</td>
+
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block WebUI access from that source.</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
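Review bot: both corrected cells say the device "will block SSH/WebUI access from that source" without stating for how long or how an administrator lifts the block; add the lockout duration (or that it persists until reboot or manual clearing, whichever applies) and where the attempt limit is configured, because an operator locked out of their own router needs exactly that information. Minor: the two replacement lines lost the indentation of the surrounding td lines.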
Line 153: Line 177:  
==Security recommendations==
 
==Security recommendations==
   −
Security features will not help if you won't use them properly, below you can find a table with recommendations:
+
Security features will not help if you won't use them properly, below you can find a table with recommendations.
    
<table class="wikitable">
 
<table class="wikitable">
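Review bot: the replaced intro sentence is still a comma splice; splitting it fixes both the grammar and the tone: "Security features will not help if they are not used properly. Below you can find a table with recommendations." The original trailing colon was also appropriate before a table, so the colon-to-period change on its own is not needed.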
Line 200: Line 224:  
       <td rowspan="2">WiFi Hotspot</td>
 
       <td rowspan="2">WiFi Hotspot</td>
 
       <td>Setting up a guest network for visitors</td>
 
       <td>Setting up a guest network for visitors</td>
       <td>By setting up a guest Wi-Fi. A guest Wi-Fi network is essentially a separate access point on your router with separate IP pool. For example with guest network malware that somehow ended up on a guest’s smartphone will not be able to get into your main bussiness LAN</td>
+
       <td>By setting up a guest Wi-Fi. A guest Wi-Fi network is essentially a separate access point on your router with separate IP pool. For example with guest network malware that somehow ended up on a guest’s smartphone will not be able to get into your main business LAN</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
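Review bot: beyond the "business" typo the cell still reads as a fragment followed by a run-on; suggest "Set up a guest Wi-Fi network. A guest network is a separate access point on the router with its own IP pool, so malware that ends up on a visitor's smartphone cannot reach your main business LAN." Also "Wi-Fi" here versus "WiFi" in the new general guidelines section: pick one spelling for the page.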
Line 262: Line 286:  
==RUT2xx security features==
 
==RUT2xx security features==
   −
In the table below you can find all the security features supported by Teltonika's '''RUT2xx''' devices:
+
In the table below you can find all the security features supported by Teltonika's '''RUT2xx''' devices.
    
<table class="wikitable">
 
<table class="wikitable">
Line 373: Line 397:  
       <td>SSH Access Secure</td>
 
       <td>SSH Access Secure</td>
 
       <td>On</td>
 
       <td>On</td>
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block SSH acccess from that source.</td>
+
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block SSH access from that source.</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
       <td>WebUI Access Secure</td>
 
       <td>WebUI Access Secure</td>
 
       <td>On</td>
 
       <td>On</td>
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block WebUI acccess from that source.</td>
+
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block WebUI access from that source.</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
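Review bot: this is the same "acccess" fix applied to cell text that appears verbatim in the general Security features table and again in the RUT850 section; keeping the shared descriptions in one place (a template, or a single table the device sections link to) would avoid repeating every typo fix three times and would stop the device sections drifting apart.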
Line 395: Line 419:  
       <td>Root CA</td>
 
       <td>Root CA</td>
 
       <td>Pre-uplouded</td>
 
       <td>Pre-uplouded</td>
<td>Root CA certificate are only needed if you want to use HTTPS for your services. There is a default file already preloaded in this device which will be overwriten by any uploaded file.</td>
+
<td>Root CA certificate are only needed if you want to use HTTPS for your services. There is a default file already preloaded in this device which will be overwritten by any uploaded file.</td>
 
     </tr>
 
     </tr>
 
       <td>Universal Plug and Play</td>
 
       <td>Universal Plug and Play</td>
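Review bot: the status cell "Pre-uplouded" in the Root CA row above the corrected line is still misspelled (should be "Pre-uploaded") and was not touched; while here, "Root CA certificate are only needed" should read "A Root CA certificate is only needed". The "Universal Plug and Play" cell that follows the closing tr tag has no opening tr of its own, so the row currently relies on the browser's table repair; add the opening tag.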
Line 402: Line 426:  
<td>UPnP doesn't require any sort of authentication from the user. Any application running on your computer in LAN  can ask the router to forward a port over UPnP, which is why the malware can abuse UPnP. Recommendation - If you don’t use it when leave it not installed or turned off.</td>
 
<td>UPnP doesn't require any sort of authentication from the user. Any application running on your computer in LAN  can ask the router to forward a port over UPnP, which is why the malware can abuse UPnP. Recommendation - If you don’t use it when leave it not installed or turned off.</td>
 
     </tr>
 
     </tr>
       <td>Universal Asynchronous Receiver – Transmiter</td>
+
       <td>Universal Asynchronous Receiver – Transmitter</td>
 
       <td>UART</td>
 
       <td>UART</td>
 
       <td> By router admin password</td>
 
       <td> By router admin password</td>
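Review bot: the last sentence of the UPnP description is garbled ("If you don’t use it when leave it not installed or turned off"); suggest "Recommendation: if you do not use it, leave it uninstalled or turned off." Also "which is why the malware can abuse UPnP" should drop "the", and the "Universal Asynchronous Receiver – Transmitter" cell directly follows a closing tr tag with no opening tr, the same structural gap as the UPnP row above.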
Line 411: Line 435:  
==RUT850 security features==
 
==RUT850 security features==
   −
In the table below you can find all the security features supported by Teltonika's '''RUT850''' device:
+
In the table below you can find all the security features supported by Teltonika's '''RUT850''' device.
    
<table class="wikitable">
 
<table class="wikitable">
Line 444: Line 468:  
       <td>HTTPS Attack Prevention</td>
 
       <td>HTTPS Attack Prevention</td>
 
       <td>Off</td>
 
       <td>Off</td>
       <td>HyperText Transfer Protocol Secure (HTTPS) flood attack is same as HTTP flood attack but using HTTPS protocol instead of simple HTTP</td>
+
       <td>Hypertext Transfer Protocol Secure (HTTPS) flood attack is same as HTTP flood attack but using HTTPS protocol instead of simple HTTP</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
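Review bot: the corrected cell only defines what an HTTPS flood is; it does not say what "HTTPS Attack Prevention" does when switched on (what it limits or blocks) or point out that the default is Off, which is what a reader deciding whether to enable it needs. Grammar: "is same as" should be "is the same as", and "using HTTPS protocol instead of simple HTTP" reads better as "using the HTTPS protocol instead of plain HTTP".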
Line 522: Line 546:  
       <td>SSH Access Secure</td>
 
       <td>SSH Access Secure</td>
 
       <td>On</td>
 
       <td>On</td>
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block SSH acccess from that source.</td>
+
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block SSH access from that source.</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
       <td>WebUI Access Secure</td>
 
       <td>WebUI Access Secure</td>
 
       <td>On</td>
 
       <td>On</td>
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block WebUI acccess from that source.</td>
+
<td>By default, device allows a maximum of 5 login attempts (user defined). If all attempts are used, device will block WebUI access from that source.</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
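Review bot: "a maximum of 5 login attempts (user defined)" is ambiguous about whether 5 is the default or the only value; "a configurable maximum number of login attempts (5 by default)" says it plainly and applies to both the SSH and WebUI cells here and in the other device sections.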
Line 544: Line 568:  
       <td>Root CA</td>
 
       <td>Root CA</td>
 
       <td>Pre-uplouded</td>
 
       <td>Pre-uplouded</td>
<td>Root CA certificate are only needed if you want to use HTTPS for your services. There is a default file already preloaded in this device which will be overwriten by any uploaded file.</td>
+
<td>Root CA certificate are only needed if you want to use HTTPS for your services. There is a default file already preloaded in this device which will be overwritten by any uploaded file.</td>
 
     </tr>
 
     </tr>
       <td>Universal Asynchronous Receiver – Transmiter</td>
+
       <td>Universal Asynchronous Receiver – Transmitter</td>
 
       <td>UART</td>
 
       <td>UART</td>
 
       <td> By router admin password</td>
 
       <td> By router admin password</td>
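Review bot: "Pre-uplouded" remains misspelled in the status cell of the Root CA row here as well, and "Root CA certificate are" needs the same singular fix as in the RUT2xx section; the UART row again opens with a td directly after a closing tr tag with no opening tr.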
Line 555: Line 579:  
==RUT9xx security features==
 
==RUT9xx security features==
   −
In the table below you can find all the security features supported by Teltonika's '''RUT9xx''' devices:
+
In the table below you can find all the security features supported by Teltonika's '''RUT9xx''' devices.
    
<table class="wikitable">
 
<table class="wikitable">
Line 704: Line 728:  
==RUTXxx security features==
 
==RUTXxx security features==
   −
In the table below you can find all the security features supported by Teltonika's '''RUTXxx''' devices:
+
In the table below you can find all the security features supported by Teltonika's '''RUTXxx''' devices.
    
<table class="wikitable">
 
<table class="wikitable">
Line 797: Line 821:  
==TRB14x security features==
 
==TRB14x security features==
   −
In the table below you can find all the security features supported by Teltonika's '''TRB14x''' devices:
+
In the table below you can find all the security features supported by Teltonika's '''TRB14x''' devices.
    
<table class="wikitable">
 
<table class="wikitable">
Line 875: Line 899:  
       <td> By router admin password</td>
 
       <td> By router admin password</td>
 
<td>Many manufacturers are implementing UART interfaces on their devices. If this interface is not password protected, security of the device may be compromised. If malicious 3rd party gains physical access to the device it will have full control of the router via UART interface, this is a reason why our devices have password protected UART interfaces.</td>
 
<td>Many manufacturers are implementing UART interfaces on their devices. If this interface is not password protected, security of the device may be compromised. If malicious 3rd party gains physical access to the device it will have full control of the router via UART interface, this is a reason why our devices have password protected UART interfaces.</td>
 +
    </tr>
 +
</table>
 +
 +
==Active services==
 +
 +
In the table below you can find all the services, which are enabled on default configuration in Teltonika's devices.
 +
 +
<table class="wikitable">
 +
    <tr>
 +
        <th width="500">Service</th>
 +
      <th width="200">Port</th>
 +
      <th width="200">LAN</th>
 +
<th width="200">WAN</th>
 +
    </tr>
 +
    <tr>
 +
      <td>SSH</td>
 +
      <td>22</td>
 +
      <td>Open</td>
 +
<td>Closed</td>
 +
    </tr>
 +
    <tr>
 +
      <td>HTTP</td>
 +
      <td>80</td>
 +
      <td>Open</td>
 +
<td>Closed</td>
 +
    </tr>
 +
    <tr>
 +
      <td>HTTPS</td>
 +
      <td>443</td>
 +
      <td>Open</td>
 +
<td>Closed</td>
 
     </tr>
 
     </tr>
 
</table>
 
</table>
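Review bot: the new "Active services" intro claims to list "all the services" enabled by default, but the table contains only SSH, HTTP and HTTPS, while the general guidelines added in this same edit also refer to Telnet/CLI ports and SMS utilities; either list every default listener or reword to "the main management services enabled by default". Grammar: "all the services, which are enabled on default configuration" should be "all the services that are enabled in the default configuration". Markup: width="500"/"200" on the th cells is an obsolete HTML attribute (use a style attribute instead), and the WAN header and "Closed" cells are indented differently from their siblings. In the unchanged UART cell, "it will have full control of the router via UART interface, this is a reason why" is a comma splice ("... via the UART interface, which is why our devices ...").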
