Hardening the router

Caution: This guide helps you secure your application. For IT security requirements that go beyond it, use the Secure Configuration Guide. The guide shows a configuration that complies with the accelerated security certification of the German Federal Office for Information Security (BSI).

1. Configuration

1.1. Router in default settings

All functions and services that might be able to open IT security-relevant connections outwards and are not necessary for commissioning are disabled in default settings.

The first configuration takes place via a local configuration port on the router using a PC with an Internet browser. If possible, reset routers that have already been configured to default settings (Configuration Guide) to get a defined and secure initial state for the configuration.

The Quick Installation Guide describes how to establish the first connection of the router to the Internet using the startup wizard.

The startup wizard takes the router to a first online state and makes the following settings:

  • Setting up an automatic time synchronisation with every establishment of an Internet connection

  • Adding a user for an authentication using user name and password

  • Adding a WAN connection (Internet); different options depending on the router

  • Setting up a VPN connection (optional, e.g. to the icom Connectivity Service)

  • Assigning a static IP address in the local network (plant network)

  • Setting up a connection to the icom Router Management

During the following configuration of your application, check all settings made by the startup wizard and customise them regarding functionality and security, if applicable.

1.2. Security concept

Prepare the IT security concept for the planned application beforehand in any case.

Starting with commissioning via the startup wizard, configure the router step by step for the planned application with the highest possible level of IT security. Use this guide to secure the router.

1.3. Wizards

The wizards in the router are intended for assisting with a quick first commissioning of devices.

The wizards are available in the Help → Wizards menu in the web interface of the router and make a series of settings for achieving the desired configuration target. They also inform about all changes made.

When using wizards, verify the settings made regarding IT security of the application again. If no wizards are used, an individual configuration of the single functions permits a targeted tailoring to the application. You’ll then have full control over the security of your application.

Note: From firmware version 5.5, the router displays the new user interface. It does not yet support all configuration options needed to configure a router according to the following instructions.

2. Users and access to the router

If a user is already configured, change the password, if applicable.

  • The password must be long enough and hard to guess.

  • Refer to the general recommendations for strong passwords.

  • Use individual passwords for each router/user in case of several routers/users in an application.

  • If several users are necessary, add these now and provide them with restricted rights, if applicable.

When a user is added via the startup wizard, or via the prompt that appears when a profile is activated without authentication having been configured, a strong password can be adopted or generated.

Access to the router is possible in several ways.

  • As a rule, restrict the access options to those that are required for the application.

  • Additionally, make these access options as secure as possible (encryption, authentication).

The following options for access and authentication are available:

Access/authentication     | User name/password | Certificates | RADIUS
--------------------------|--------------------|--------------|-------
User interface            | yes                | yes          | yes
REST interface (REST API) | yes                | no           | yes
CLI (command line)        | yes                | no           | yes
Remote Management         | no                 | yes          | no

This Configuration Guide describes the configuration of the different authentication methods.

2.1. Web interface

The default settings permit access to the web interface with an authentication via user name/password via HTTPS only. If access to the web interface via HTTP has been activated, disable it, if possible.

In addition to an authentication via user name/password, authentication with certificates and/or a RADIUS server is possible. If an authentication with certificates or a RADIUS server is configured, the authentication via user name/password can be prevented by deleting the password for each user.

A certificate structure must exist or be generated for an authentication with certificates. This is possible using user or client certificates and is described in detail in the Online Help, in the section "Protected access to the web interface of the router".

For an authentication using a RADIUS server, the RADIUS server must be configured in the Administration → Radius menu.

Access to the web interface can additionally be protected by a session timeout. In default settings, a session will be terminated automatically after 15 minutes of inactivity.

2.2. REST interface (REST API)

The REST interface is deactivated in default settings. If access is required, permit this only via HTTPS. If access is permitted, this is possible using an authentication via user name/password.

The activation of the REST interface for an access via HTTPS is described in this Configuration Guide.

2.3. CLI (command line)

The CLI is deactivated in default settings. If access is required, permit this only via SSH.

If access is permitted, this is possible using an authentication via user name/password. In addition, authentication with certificates and/or a RADIUS server is possible. If an authentication with certificates or a RADIUS server is configured, the authentication via user name/password can be prevented by deleting the password for each user. Take into account that this also prevents the authentication via user name/password for the web interface.

3. Set up NTP synchronisation

Regular synchronisation of the router's date and time with an NTP server is indispensable for many IT security functions, for example certificates with a limited validity period. The router provides a dedicated action for this, which can be triggered regularly on a schedule or by various events.

An NTP synchronisation is not configured in default settings. It is configured during commissioning with the startup wizard. If the startup wizard is not used, set up the NTP synchronisation manually. Check whether the (network) filter rules need to be adjusted or verified for this.

4. Configuring automatic updates

Always keep the firmware up to date so that the router does not contain security vulnerabilities that have already been eliminated. The firmware of the router can be updated automatically using the auto update function. You can operate your own update servers in addition to the INSYS Update Server.

Automatic updates need to be initiated by an action, which can be triggered regularly on a schedule or by different events. An event for triggering the automatic update is not yet configured in default settings. Configure the automatic updates manually. Take into account that the automatic updates might require additional filter rules.

INSYS icom offers a simple solution for managing and maintaining your routers with Router Management. Use it to update the device firmware, roll out edge computing applications, modify device configurations incrementally and provide certificates in a simple and resource-conserving way.

5. Deactivate the DHCP Server

In default settings, the DHCP server for IPv4 is activated. If an IP address distribution by the router is not required, disable the DHCP server.

6. Deactivate DNS relay

In default settings, the DNS relay is activated. Deactivate the DNS relay if it is not necessary to forward DNS requests from the local network to the WAN, i.e. if no external devices and no containers on the router make DNS requests. DNS requests by the router itself are still possible with the DNS relay deactivated.

7. Activate necessary services only

Activate only those services in the router that are absolutely necessary for the operation of the application. Then configure these services as securely as possible, for example HTTPS instead of HTTP for the REST interface, or only v3 for SNMP. Take into account that the activated services might require additional filter rules.
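One way to verify sections 2.1 to 2.3, 6 and 7 from a PC in the local network, as an added example that is not part of the original guide and not INSYS icom code: probe the router's management ports and report every service that is reachable but not allowed by the security concept. The TCP port numbers, the Telnet entry and the address 192.168.1.1 are assumptions; adjust them to your setup.

```python
import socket

# Rules taken from sections 2.1-2.3, 6 and 7 of this guide. The TCP port numbers
# are the usual defaults and are assumptions; the Telnet entry is an assumed
# cleartext counterpart to SSH. Adjust both to the router's actual settings.
#   "never":  cleartext variant, always reported when reachable
#   "needed": accepted only if the security concept requires the service
RULES = {
    80:  ("http",   "never",  "web interface/REST API must be HTTPS only"),
    23:  ("telnet", "never",  "CLI access must be SSH only"),
    443: ("https",  "needed", "web interface or REST API over HTTPS"),
    22:  ("ssh",    "needed", "CLI is deactivated in default settings"),
    53:  ("dns",    "needed", "deactivate DNS relay if the LAN does not use it"),
}


def probe(host, ports, timeout=1.0):
    """Return the set of TCP ports on host that accept a connection."""
    reachable = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                reachable.add(port)
    return reachable


def audit(reachable, needed, rules=RULES):
    """Compare reachable ports with the rules; return (port, service, reason) findings."""
    findings = []
    for port in sorted(reachable):
        if port not in rules:
            findings.append((port, "unknown", "not covered by the security concept"))
            continue
        service, verdict, reason = rules[port]
        if verdict == "never" or service not in needed:
            findings.append((port, service, reason))
    return findings


if __name__ == "__main__":
    ROUTER = "192.168.1.1"  # assumed LAN address of your own router
    NEEDED = {"https"}      # services your security concept requires
    for port, service, reason in audit(probe(ROUTER, RULES), NEEDED):
        print(f"FINDING tcp/{port} ({service}): {reason}")
```

Run it once from each local network segment, since filter rules can make a service reachable from one segment and not from another.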

8. Activate IP filters (Firewall)

Activate the IPv4 filters in addition to the IPv6 filters for a secure application. Then, the respective filter rules must be defined for all permitted communication connections. Moreover, check all existing filter rules for their necessity and restrict or deactivate them further, if applicable. Add new filter rules that are necessary for the operation of the application.

9. Deactivate SLAAC

SLAAC (StateLess Address AutoConfiguration) is used in local IPv6 networks for the automated configuration of IPv6 addresses with an address prefix broadcast via Router Advertisement. If IPv6 is not used, or no Router Advertisement is used in an IPv6 network, deactivate SLAAC for this local network.

10. Activate MAC filters

Activate the MAC filters to restrict the communication to certain devices. Any communication with the router is then impossible for other devices.

11. Segment networks

Split networks with different security requirements into several local IP networks at the switch of the router. Isolate them from each other and configure precise communication rules (e.g. firewall) to restrict data exchange between these networks to the necessary minimum.

12. Set up messages for IT security-relevant events

To be informed about IT security-relevant events at the router, such as login attempts or the connecting or disconnecting of Ethernet cables, add appropriate messages that are dispatched by an action when the event occurs.

13. Use up-to-date and strong encryption methods

Encryption technology is subject to technical evolution. Encryption methods that were once considered secure might no longer be sufficient. Regularly check the security of the encryption methods you are using and replace them with more recent ones, if applicable. Use adequately long keys.

14. Keep the certificate structure up-to-date

If your security procedures are based on a certificate structure, always keep it up to date. Replace certificates on a regular basis. Do not configure validity periods that are too long. Use a certificate revocation list to revoke, in a timely manner, certificates that have become invalid.

INSYS icom offers simple possibilities for regularly rolling out updated certificates and certificate revocation lists to your routers with Router Management.

15. Use secure connections

Routers of INSYS icom feature a variety of options to make connections secure, such as OpenVPN or IPsec. Use the Configuration Guides for the configuration of secure tunnel connections.

Use certificate-based authentication instead of pre-shared keys or user name/password combinations for secure connections to increase security.

Moreover, INSYS icom offers its own VPN service with the icom Connectivity Suite that provides a simple and secure connection of your devices, also in China. A series of Configuration Guides is available to support the configuration for this as well.

16. Requirements on the installation location

Position the router at an access-protected location, e.g. a lockable room with monitored access of responsible administrators. The following requirements apply for the installation location:

  • Physical protection against unauthorised access

  • Installation in a locked switch cabinet, additional notification via door contact if necessary

  • Physical access monitoring, e. g. using a camera