Hardening the router

If a user is already configured, change the password, if applicable.

When adding a user via the Startup Wizard and the prompt when activating a profile without prior configuration of an authentication, it is possible to adopt or generate a strong password.

Access to the router is possible on several ways.

The following options for access and authentication are available:

This Configuration Guide describes the configuration of the different authentication methods.

The regular synchronisation of date and time in the router with an NTP server is indispensable for many IT security functions such as limited certificates for example. The router provides a certain action for this that can regularly be triggered time-controlled or using various events. An NTP synchronisation is not configured in default settings. Consider necessary settings/verifications of (network) filter rules for this. An NTP synchronisation will be configured during commissioning with the startup wizard. If the startup wizard is not used, set up the NTP synchronisation manually.

Keep the firmware always up to date to prevent that the router contains security vulnerabilities that have already been eliminated. The firmware of the router can be updated automatically using the auto update: function. You are able to operate own update servers besides the INSYS Update Server. Moreover, automatic updates need to be initiated by a certain action, which can regularly be triggered time-controlled or using different events. An event for triggering the automatic update is not yet configured in default settings. Configure the automatic updates manually. Take into account that the automatic updates might require additional filter rules.

INSYS icom offers a simple solution for managing and maintaining your routers with Router Management. Realise the update of the device firmware, the rollout of edge computing applications or the incremental modification of device configurations and the provision of certificates simple and resource-conserving with this.

In default settings, the DHCP server for IPv4 is activated. If an IP address distribution by the router is not required, disable the DHCP server.

In default settings, the DNS relay is activated. Deactivate the DNS relay, If it is not necessary to forward DNS requests from the local network to the WAN, i.e. if no external devices or also containers on the router make DNS requests. DNS request of the router are still possible with deactivated DNS relay.

Activate only those services in the router that are absolutely necessary for the operation of the application. Then, configure the services as secure as possible, such as HTTPS instead of HTTP for the REST interface or only use v3 for SNMP for example. Take into account that the activated services might require additional filter rules.

Activate the IPv4 filters in addition to the IPv6 filters for a secure application. Then, the respective filter rules must be defined for all permitted communication connections. Moreover, check all existing filter rules for their necessity and restrict or deactivate them further, if applicable. Add new filter rules that are necessary for the operation of the application.

SLAAC (StateLess Address AutoConfiguration) serves in local IPv6 networks for automated configuration of IPv6 addresses with an address prefix broadcasted via Router Advertisement. If no IPv6 or no Router Advertisement is used in an IPv6 network, deactivate SLAAC for this local network.

Activate the MAC filters to restrict the communication to certain devices. Any communication with the router is then impossible for other devices

Split networks into segments with different security requirements into several local IP networks at the switch of the router. Isolate them from each other and configure precise communication rules (e.g. firewall) to restrict data exchange between these networks to a necessary minimum.

Add appropriate messages that will then be dispatched within an action when the event occurs in order to be informed about IT security-relevant events at the router, such as login attempts or connecting or disconnecting Ethernet cables.

Encryption technology is subject to technical evolution. Encryption methods that have once been considered as secure, might not be sufficient anymore in the meantime. Check the encryption methods you are using regularly for their security and replace them by more recent encryption methods, if applicable. Use adequately long keys.

If your security procedures are based on a certificate structure, keep this always up-to-date. Replace certificates on a regular basis. Do not configure too long validity periods. Use a certificate revocation list to revoke certificates that became invalid in a timely manner.

INSYS icom offers simple possibilities for regularly rolling out updated certificates and certificate revocation lists to your routers with Router Management.

Routers of INSYS icom feature a variety of options to make connections secure, such as OpenVPN or IPsec. Use the Configuration Guides for the configuration of secure tunnel connections.

Use a certificate-based authentication instead pre-shared keys or user name/password combinations for secure connections to increase security.

Moreover, INSYS icom offers an own VPN service with the icom Connectivity Suite that provides a simple and secure connection of your devices - also in China. A series of Configuration Guides is available to support the configuration for this as well.

Position the router at an access-protected location, e.g. a lockable room with monitored access of responsible administrators. The following requirements apply for the installation location: