

Securing routers - part I


Written by Jan Otte, Wednesday 6 June 2018

Router pwned

You are about to read the first article in a series about securing our routers. The series is tailored to our router devices; it teaches and shows both general and device-specific principles and describes possibilities and use cases. While some of the knowledge is usable outside our router devices too, keep in mind that the focus here is our cellular routers running Conel OS 6.x.

This first article is a basic building block. We describe the device, its basic characteristics and the ways of accessing it, with an emphasis on security. Some basic use cases are touched on, and the terminology used for the rest of the series is established. If you intend to read any of the further articles, read through this one regardless of your knowledge level, because we need to agree at least on the terminology before continuing.

Be aware that securing things requires a certain amount of knowledge. If you have it, you can skim this article. If you don't, it will be a tough and long read. In that case, take your time to understand the problems, because without that understanding you will not succeed.

There are multiple points of view we can start from. Let's first talk about what securing means.

It means changing the router settings to improve security.

Does it mean the routers are not secure, or not secure enough, right from the factory?

It depends. If by secure enough you actually mean unbreakable, then the secure-enough router would be a box allowing no access at all (and allowing no changes to its settings, so it could work in one predefined environment only).

That is not what our users need. Our users need the routers to work in their environment. By work we mean a lot of different functionality: providing connectivity between disconnected sites of a private network, letting PLCs talk to SCADA, converting data messages between different protocols, running VPN tunnels, providing internet access to connected devices, running customer applications in C/C++/Python/Node-RED and many other tasks.

So secure enough means a different setting for each use case and/or environment. The simple question "Is it secure enough?" does not make sense. "Is it secure enough for this environment and this use case?" is much better.

Therefore, the point of this series is to teach you how to carry out the process of securing the routers exactly for your own use case and environment.

In case the factory default settings and the settings you need differ, remember there are several ways to configure the router quickly to what you want or (depending on the business case) to get it preconfigured exactly for your use case right from the factory. To name a few:

  1. Preconfigured router from the factory (with your configuration). This is done by installing a so-called configuration User Module (UM) during manufacturing.
  2. Preconfiguring the router before deployment on your site: you prepare the configuration User Module yourself and install it on each router prior to deployment.
  3. Automatic configuration update. Our routers support two types of auto-update (both disabled by default). First, updating the operating system from a defined server (this may be a server on your own network where you place the firmware file once you have tested it on a selected router). Second, updating the configuration over the network, optionally using the MAC address as a key, so that you can easily manage configurations for many routers on one site. One interesting option is to install a very small UM that only changes the auto-config update address and schedule, and to store your default configuration(s) on your own server. This way you do not have to change the UM when the configuration of the routers needs to change.
  4. Use a setup script. By default, SSH access is enabled on the LAN ports of the router. You can write a bash script once and execute it against every router you get from us. This needs some familiarity with scripting, but it is a possibility as well. For example, you can install an SSH key this way. Note that the first run of such a script necessarily authenticates with the factory default password, so run it on an isolated staging network rather than on a production LAN.
  5. Use a dedicated tool such as SmartWorx Hub. If you use such a tool, chances are the routers sent to you are already registered in SWH and you just need to allow the routers to connect and deploy the prepared configuration profile to them.

Now, before we get to something really interesting, we need to establish terminology and describe the default settings of the routers.

We distinguish several types of physical interfaces:

  • Ethernet interface. All the Ethernet connectors on a router (typically RJ-45, but the connector may differ physically).
  • Cellular interface. The cellular network interface, also called the cellular module. Connects to a GSM or LTE network.
  • WiFi interface.

Apart from the above, there may be other interfaces, but access over them is not that common: either a non-default service has to be running or special hardware has to be installed:

  • Serial interface.
  • USB interfaces. E.g. additional Ethernet, additional cellular, an HID interface or anything else.
  • Debug interface. Listed only for completeness. The debug interface is normally not available to our customers, and it requires opening the router housing before it can be installed.

Next to the physical nature of each interface, keep in mind that from the OS point of view an interface also has a logical interface role, which can change based on configuration or even at runtime based on configured rules:

  1. LAN. The Local Area Network interface. Accessible only to devices considered local to the installation site. Note that it is up to you to understand whether the LAN is sealed or open (see later).
  2. WAN. Wide Area Network. Accessible from the wild (outside the local site, typically the internet).
  3. Internal. Other physical or logical ports of the device that are limited in some way, e.g. to a single predefined connection endpoint. A typical example is an RS232 link terminated on the router. Traffic on these interfaces is not forwarded directly anywhere, as the router plays the role of communication endpoint here.

The next term we need to dig into is services. Although the interfaces are defined, no traffic is forwarded or accepted over an interface unless some service is running. A service is responsible for sending or receiving data (or both). A running service is typically bound to one or more interfaces.

  • A service that is offered is commonly called a server, or server mode: a service the router offers to outside devices. Such a service is represented by a process running on the router CPU. The process listens on one or more interfaces, waiting for incoming traffic to respond to; this is also called serving requests, hence the term server.
  • A service that is consumed is commonly called a client, or client mode: a process running on the router CPU connects to a server running somewhere else. In client mode, the process on the router generates requests that are served by another device.

Note that a process running on the router may run in both modes at the same time: it may consume other services (client mode) and also listen on an interface and offer services to be consumed (server mode).

The above definitions are the very basic ones, and they allow us to finally define the terms usually connected with security topics:

  • Access. Access to a service. Access may be open to all or protected by some access restriction technique, such as allowing only specific hosts or requiring authentication. The authentication technique may be weak or strong, and the data flowing to and from the service may be readable in transit or encrypted. There may also be access levels connected with a service, such as read-only access, write access and complete access.
  • Attacker. An entity trying to obtain a higher level of access than allowed.
  • Vulnerability. A security fault in a program, service, system or setting that can possibly be used by an attacker to elevate their access level.
  • Exploit. A known way of using a vulnerability to gain access. Attackers primarily focus on known exploits, because using something proven to work is much faster and cheaper than finding something new. This is also why applying firmware updates matters: a published exploit against an old version is the cheapest attack there is.

Now we need one more thing before we can talk about the security model and the security-related default settings: a look at the default services.

Many services may be offered on and consumed by the router. We focus on the ones contained in Conel OS 6.x by default. Note that the table can describe only the default case. In the wild there are many sophisticated configuration possibilities that cannot be captured in such a simple table (e.g. a service can be configured differently on different interfaces, new interfaces can be defined by bridging, or there can be backup or multiple WANs).

In the following table, server means a service being offered (a process listening on some interface(s)), while client means the process consumes the service from another device. Also note that the default settings differ between the v2 and v3 router generations.

| Service       | Default status       | Default logical interface |
|---------------|----------------------|---------------------------|
| HTTP server   | on (v2), off (v3)    | LAN only                  |
| HTTPS server  | on                   | LAN only                  |
| Telnet server | on (v2), off (v3)    | LAN only                  |
| SSH server    | on                   | LAN only                  |
| FTP server    | on (v2), off (v3)    | LAN only                  |
| DynDNS client | off                  | WAN or LAN                |
| NTP client    | off                  | WAN or LAN                |
| NTP server    | off                  | LAN only                  |
| SNMP server   | on                   | LAN only                  |
| SNMP client   | off                  | WAN or LAN                |
| SMTP client   | off                  | WAN or LAN                |
| DHCP client   | off                  | WAN or LAN                |
| DHCP server   | on                   | LAN only                  |
| VRRP          | off                  | LAN only                  |

Just by looking at the table you can see that some services are offered by default, and that the defaults differ between the v2 and v3 platforms.

We will discuss the different defaults and their purpose, together with the security model, in the next article; the topic is too long to fit properly into this first one. There is, however, one more thing to cover right now, because going through this point is a required step in router deployment (or initial configuration).

The first five services in the table allow configuration or command-line access to the router (for v3 routers it is just HTTPS and SSH by default). All of them are allowed on LAN interfaces only. This logical interface limitation is really important, precisely because the role is logical rather than physical: once you change the settings so that an interface takes another role (e.g. using the Backup Routes configuration), the services are restarted accordingly.
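As an added example (not part of the original article and not Conel OS code), here is a small Python audit that encodes the default profile from the table above and compares it with what a plain TCP connect scan actually sees from a given side of the router. It assumes the IANA default ports for the five management services, which is an assumption of the example; a router configured for other ports needs the table adjusted. SNMP, DHCP and NTP are UDP services and are deliberately left out of the scan.

```python
import socket
import sys
from typing import Dict, Set

# Default profile from the table above. Port numbers are the IANA defaults and
# are an assumption of this example; Conel OS can be configured to use others.
# Only the TCP management services are probed. SNMP (161/udp), DHCP (67/udp)
# and NTP (123/udp) need UDP-aware tooling and are out of scope here.
TCP_SERVICES: Dict[str, int] = {
    "ftp": 21,
    "ssh": 22,
    "telnet": 23,
    "http": 80,
    "https": 443,
}

# Which of the five management services are on by default, per router generation.
DEFAULT_ON: Dict[str, Set[str]] = {
    "v2": {"http", "https", "telnet", "ssh", "ftp"},
    "v3": {"https", "ssh"},
}


def expected_open(generation: str, role: str) -> Set[str]:
    """Management services expected to answer from the given logical interface.

    All five are 'LAN only' by default, so from the WAN side nothing should
    answer regardless of generation."""
    if role not in ("lan", "wan"):
        raise ValueError("role must be 'lan' or 'wan'")
    if role == "wan":
        return set()
    return set(DEFAULT_ON[generation])


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Plain TCP connect probe; True if something accepts the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(host: str, timeout: float = 1.0) -> Set[str]:
    """Names of the TCP management services reachable on host."""
    return {name for name, port in TCP_SERVICES.items() if tcp_open(host, port, timeout)}


def audit(observed: Set[str], generation: str, role: str) -> Dict[str, Set[str]]:
    """Compare an observed set of open services with the factory default.

    'unexpected' services are exposed beyond the default for that interface
    (the serious case when role is 'wan'); 'missing' are default services
    that have been switched off or are filtered somewhere on the path."""
    expected = expected_open(generation, role)
    return {"unexpected": observed - expected, "missing": expected - observed}


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: audit_defaults.py <router-ip> <v2|v3> <lan|wan>")
    host, generation, role = sys.argv[1:4]
    result = audit(scan(host), generation, role)
    for kind in ("unexpected", "missing"):
        print(f"{kind}: {sorted(result[kind]) or '-'}")
```

Run it once from a host on the LAN (`python audit_defaults.py <router-lan-ip> v3 lan`) and once from the WAN side (`... wan`). On a factory-default router the WAN run reports every management service that answers as unexpected, because the expected set on that side is empty; a non-empty "unexpected" set after you have reconfigured interface roles is exactly the situation the paragraph above warns about.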

In the default setup, only a root user account exists on the device (more on this in the next article), and that is the only user allowed to make configuration changes. Since you need that user for initial access and initial configuration, there must be some way of accessing the device for the first time. In our case, it is the default password.

The first thing a user (or service personnel) should do during router deployment is use one of these access services to reach the router and change the default password, so that it is:

  1. Secret. Known only to the appropriate personnel; each of them is considered an absolute administrator of the device.
  2. Safe. Hard to guess, for both human and automated password guessing techniques.

While secrecy is clear, there can be doubts about which password is safe and which is not. For example, which password is safe against automated password guessing?

There are many sources describing how to create good passwords (see the links below), but basically you need to understand how password guessing works; that will help you find your own way.

Basically, password guessing techniques enumerate combinations of elements and try each enumerated possibility as the password. The art of guessing lies in both crafting the rules for combining the elements and choosing the elements themselves.

Just as an example, the elements may be letters (both lower case and upper case) and digits. You can quickly see that the length of the password matters: a three-character password has far fewer possible combinations than one of, say, 10 characters.

But length is not the only metric. Consider the password "Christopher1990". It has 15 characters, but it is not safe. Why? The elements of a password guessing algorithm need not be single letters; they may be (or may include) syllables or whole words. If the algorithm's elements include English first names and plausible birth years, the example password is generated (tried) very early.

And this is just the beginning. Real algorithms are much more sophisticated: they account for the average frequency of letters and digits in each language and include the most common constructs (rules for combining the parts of a password together). The examples above are given so that you understand that length is important, but not the only important metric.
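To make the "length is not the only metric" point concrete, here is an added Python example (not from the original article) that models a tiny dictionary attack with mangling rules, mirroring the name plus birth-year construct above, next to the naive brute-force keyspace the length alone would suggest. The wordlists are constructed for the example and are far smaller than anything a real cracker ships.

```python
import string
from typing import Iterator, Optional

# Constructed, deliberately tiny wordlists for the example. A real cracking
# dictionary has millions of entries and far more mangling rules, which only
# makes the gap shown here wider.
NAMES = ["james", "john", "robert", "michael", "christopher", "daniel", "anna"]
YEARS = [str(y) for y in range(1950, 2019)]   # plausible birth years


def mangle(word: str) -> Iterator[str]:
    """Case rules a dictionary attack applies to every base word."""
    yield word
    yield word.capitalize()
    yield word.upper()


def dictionary_candidates() -> Iterator[str]:
    """Enumerate name-based guesses, cheapest construct first:
    bare names, then name+year, then name+year+symbol."""
    for name in NAMES:
        yield from mangle(name)
    for name in NAMES:
        for base in mangle(name):
            for year in YEARS:
                yield base + year
    for name in NAMES:
        for base in mangle(name):
            for year in YEARS:
                for symbol in "!@#$":
                    yield base + year + symbol


def guesses_to_crack(password: str, limit: int = 1_000_000) -> Optional[int]:
    """How many dictionary guesses are made before password is tried.

    Returns None when the dictionary attack never produces it (the attacker
    would have to fall back to brute force) or when limit is exhausted."""
    for n, candidate in enumerate(dictionary_candidates(), start=1):
        if candidate == password:
            return n
        if n >= limit:
            break
    return None


def brute_force_keyspace(password: str) -> int:
    """Size of the naive brute-force space for this password: the smallest
    standard character class covering it, raised to the password length."""
    classes = [
        string.ascii_lowercase,
        string.ascii_letters,
        string.ascii_letters + string.digits,
        string.ascii_letters + string.digits + string.punctuation,
    ]
    for cls in classes:
        if all(c in cls for c in password):
            return len(cls) ** len(password)
    raise ValueError("password contains characters outside the printable ASCII classes")


def compare(password: str) -> dict:
    """Both metrics side by side: what the attacker actually pays versus
    what the length alone would suggest."""
    return {
        "length": len(password),
        "dictionary_guesses": guesses_to_crack(password),
        "brute_force_keyspace": brute_force_keyspace(password),
    }


if __name__ == "__main__":
    for pw in ("Christopher1990", "q7Vw2!pZ9sLm"):
        print(pw, compare(pw))
```

For "Christopher1990" the dictionary pass reaches the password after 959 guesses, even though the 15-character alphanumeric keyspace is 62^15. A shorter password with no dictionary structure, such as the constructed "q7Vw2!pZ9sLm", is never produced by the dictionary pass at all, so the attacker is left with brute force over 94^12 candidates. The ordering of the enumeration also shows why rules matter as much as wordlists: the cheap constructs are tried first, so a password built from one of them falls within the first few thousand attempts no matter how long it is.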

We will continue with the topic of configuring access to the router in the forthcoming articles of the series. This article was just preparation of the ground to get you started. To sum up what has been covered:

  1. We sketched out the topic of the series.
  2. We touched on the default configuration and configuration customization.
  3. We established basic terminology.
  4. We had a brief look at the core services of the router.
  5. We touched on changing the default password.

Links