Hardening the router
|This guide will enable you to ensure a safety of your application. Use the Secure Configuration Guide for requirements to IT security beyond this. This demonstrates you a configuration that is in compliance with the accelerated security certification of the German Federal Office for Information Security (BSI).
1.1. Router in default settings
All functions and services that might be able to open IT security-relevant connections outwards and are not necessary for commissioning are disabled in default settings.
The first configuration takes place via a local configuration port at the router using a PC with Internet browser. If possible, reset routers that have already been configured to default settings (Configuration Guide) to get a defined and secure initial state for the configuration.
The Quick Installation Guide describes how to establish the first connection of the router to the Internet using the startup wizard.
The startup wizard takes the router to a first online state and makes the following settings:
Setting up an automatic time synchronisation with every establishment of an Internet connection
Adding a user for an authentication using user name and password
Adding a WAN connection (Internet); different options depending on the router
Setting up a VPN connection, (e. g. to the icom Connectivity Service, optional)
Assigning a static IP address in the local network (plant network)
Setting up a connection to the icom Router Management
Setting up an automatic time synchronisation with every establishment of an Internet connection
During the following configuration of your application, check all settings made by the startup wizard and customise them regarding functionality and security, if applicable.
1.2. Security concept
Prepare the IT security concept for the planned application beforehand in any case.
Configure the router with utmost IT security step by step for the planned application starting with the commissioning using the startup wizard. Use this Guide for securing the router for this.
The wizards in the router are intended for assisting with a quick first commissioning of devices.
The wizards are available in the Help → Wizards menu in the web interface of the router and make a series of settings for achieving the desired configuration target. They also inform about all changes made.
When using wizards, verify the settings made regarding IT security of the application again. If no wizards are used, an individual configuration of the single functions permits a targeted tailoring to the application. You’ll then have full control over the security of your application.
|The new user interface of the router is displayed from firmware version 5.5. This does not yet support all configuration options for configuring a router according to the following instructions.
2. Users and access to the router
If a user is already configured, change the password, if applicable.
The password must be long enough and hard to guess.
Refer to the general recommendations for strong passwords.
Use individual passwords for each router/user in case of several routers/users in an application.
If several users are necessary, add these now and provide them with restricted rights, if applicable.
When adding a user via the Startup Wizard and the prompt when activating a profile without prior configuration of an authentication, it is possible to adopt or generate a strong password.
Access to the router is possible on several ways.
Basically, restrict the access options only to those that are required for the application.
Additionally, make these access options as secure as possible (encryption, authentication).
The following options for access and authentication are available:
REST interface (REST API)
CLI (command line)
This Configuration Guide describes the configuration of the different authentication methods.
2.1. Web interface
The default settings permit access to the web interface with an authentication via user name/password via HTTPS only. If access to the web interface via HTTP has been activated, disable it, if possible.
In addition to an authentication via user name/password, authentication with certificates and/or a RADIUS server is possible. If an authentication with certificates or a RADIUS server is configured, the authentication via user name/password can be prevented by deleting the password for each user.
A certificate structure must exist or be generated for an authentication with certificates. This is possible using user or client certificates and described in the Online Help in detail in the Protected access to the web interface of the router section.
For an authentication using a RADIUS server, the RADIUS server must be configured in the Administration → Radius menu.
Access to the web interface can also be protected additionally via a session timeout. In default settings, a session will be terminated automatically after 15 minutes of inactivity.
2.2. REST interface (REST API)
The REST interface is deactivated in default settings. If access is required, permit this only via HTTPS. If access is permitted, this is possible using an authentication via user name/password.
The activation of the REST interface for an access via HTTPS is described in this Configuration Guide.
2.3. CLI (command line)
The CLI is deactivated in default settings. If access is required, permit this only via SSH.
If access is permitted, this is possible using an authentication via user name/password. In addition, authentication with certificates and/or a RADIUS server is possible. If an authentication with certificates or a RADIUS server is configured, the authentication via user name/password can be prevented by deleting the password for each user. Take into account that this also prevents the authentication via user name/password for the web interface.
3. Set up NTP synchronisation
The regular synchronisation of date and time in the router with an NTP server is indispensable for many IT security functions such as limited certificates for example. The router provides a certain action for this that can regularly be triggered time-controlled or using various events. An NTP synchronisation is not configured in default settings. Consider necessary settings/verifications of (network) filter rules for this. An NTP synchronisation will be configured during commissioning with the startup wizard. If the startup wizard is not used, set up the NTP synchronisation manually.
4. Configuring automatic updates
Keep the firmware always up to date to prevent that the router contains security vulnerabilities that have already been eliminated. The firmware of the router can be updated automatically using the auto update: function. You are able to operate own update servers besides the INSYS Update Server. Moreover, automatic updates need to be initiated by a certain action, which can regularly be triggered time-controlled or using different events. An event for triggering the automatic update is not yet configured in default settings. Configure the automatic updates manually. Take into account that the automatic updates might require additional filter rules.
INSYS icom offers a simple solution for managing and maintaining your routers with Router Management. Realise the update of the device firmware, the rollout of edge computing applications or the incremental modification of device configurations and the provision of certificates simple and resource-conserving with this.
5. Deactivate the DHCP Server
In default settings, the DHCP server for IPv4 is activated. If an IP address distribution by the router is not required, disable the DHCP server.
6. Deactivate DNS relay
In default settings, the DNS relay is activated. Deactivate the DNS relay, If it is not necessary to forward DNS requests from the local network to the WAN, i.e. if no external devices or also containers on the router make DNS requests. DNS request of the router are still possible with deactivated DNS relay.
7. Activate necessary services only
Activate only those services in the router that are absolutely necessary for the operation of the application. Then, configure the services as secure as possible, such as HTTPS instead of HTTP for the REST interface or only use v3 for SNMP for example. Take into account that the activated services might require additional filter rules.
8. Activate IP filters (Firewall)
Activate the IPv4 filters in addition to the IPv6 filters for a secure application. Then, the respective filter rules must be defined for all permitted communication connections. Moreover, check all existing filter rules for their necessity and restrict or deactivate them further, if applicable. Add new filter rules that are necessary for the operation of the application.
9. Deactivate SLAAC
SLAAC (StateLess Address AutoConfiguration) serves in local IPv6 networks for automated configuration of IPv6 addresses with an address prefix broadcasted via Router Advertisement. If no IPv6 or no Router Advertisement is used in an IPv6 network, deactivate SLAAC for this local network.
10. Activate MAC filters
Activate the MAC filters to restrict the communication to certain devices. Any communication with the router is then impossible for other devices
11. Segment networks
Split networks into segments with different security requirements into several local IP networks at the switch of the router. Isolate them from each other and configure precise communication rules (e.g. firewall) to restrict data exchange between these networks to a necessary minimum.
12. Set up messages for IT security-relevant events
Add appropriate messages that will then be dispatched within an action when the event occurs in order to be informed about IT security-relevant events at the router, such as login attempts or connecting or disconnecting Ethernet cables.
13. Use up-to-date and strong encryption methods
Encryption technology is subject to technical evolution. Encryption methods that have once been considered as secure, might not be sufficient any more in the meantime. Check the encryption methods you are using regularly for their security and replace them by more recent encryption methods, if applicable. Use adequately long keys.
14. Keep the certificate structure up-to-date
If your security procedures are based on a certificate structure, keep this always up-to-date. Replace certificates on a regular basis. Do not configure too long validity periods. Use a certificate revocation list to revoke certificates that became invalid in a timely manner.
INSYS icom offers simple possibilities for regularly rolling out updated certificates and certificate revocation lists to your routers with Router Management.
15. Use secure connections
Routers of INSYS icom feature a variety of options to make connections secure, such as OpenVPN or IPsec. Use the Configuration Guides for the configuration of secure tunnel connections.
Use a certificate-based authentication instead pre-shared keys or user name/password combinations for secure connections to increase security.
16. Requirements on the installation location
Position the router at an access-protected location, e.g. a lockable room with monitored access of responsible administrators. The following requirements apply for the installation location:
Physical protection against unauthorised access
Installation in a locked switch cabinet, additional notification via door contact if necessary
Physical access monitoring, e. g. using a camera