Written by Jan Otte, Wednesday 6 June 2018
You are about to read the first article in the series of articles about securing our routers. The series is tailored to our router devices, teaching and showing some general and specific principles and also describing possibilities and use cases. While some of the knowledge here is usable also outside of the router devices, you should keep in mind that we are focusing on our cellular routers running Conel OS 6.x here.
This first article is a basic building block. We are going to describe the device and its basic characteristics and possibilities of accessing the device with an accent on security. Also, some basic use cases are to be touched here and the terminology used for the rest of the series established. If you intend to read any of the further articles, you should definitely read through this one independently on your knowledge level because we need to be clear at least on the terminology before continuing onwards.
You should be aware that when talking about securing things, there is some amount of knowledge required. If you have that kind of knowledge, you can skim through this article. If you don't have it, it would be a tough and long read for you. In that case, you should really take your time in understanding the problemtics because without the knowledge, you will not succeed.
Here are multiple points of view we can start from. Let's talk first about what securing means.
It means changing the router settings to improve security.
Does it mean the routers are not secure or not secure enough right from the factory?
It depends. If by secure enough you actually mean unbreakable, then the secure-enough router would be a box allowing no access (and allowing no changes to its setting, thus being able to work in a predefined environment only).
That's actually not something our users need. Our users need the routers to be able to work in their environment. By saying work we mean quite a lot of different functionality - providing connection between disconnected sites on a private network, allowing PLCs talk to SCADA, converting data messages between different protocols, running VPN tunnels, providing internet access to connected devices, running customer applications in C/C++/Python/NodeRED and a lot of other tasks.
So the term secure enough means a different setting for different use case and/or for different environment. Simple question "Is it secure enough?" does not make sense. "Is it secure enough for that and that environment?" is much better.
Therefore, the point of this series of articles is to teach you how you can do the process of securing the routers exactly for your use-case/environment.
In the case the default factory settings and your expected settings differ, don't forget there are multiple possibilities how you can very quickly configure the router to what you want or (alternatively, based on business case), get it preconfigured exactly for your use-case right from the factory. Just to name a few possibilities:
Now, before we get to something really interesting, we need to establish terminology and describe the default setting of the routers.
We will be recognizing several types of physical interfaces:
Apart the above ones, there may also be other interfaces but access using these interfaces is not that common. Either it needs a non-default service being run or a special hardware being installed:
Next to the physical nature of each interface, it is also important to keep in mind, that from the OS point of view, the interface also has a logical interface role, that can change based on configuration or even during runtime based on configured rules:
The next term we need to dig into is services. While the interfaces are defined, there is no traffic forwarded or accepted over an interface unless there is some service running. A service is responsible either for sending or receiving data (or both). A running service is typically connected with one or more interfaces.
Please note, that a process running on the router may be running in both modes at the same time. It may both consume other services (client mode) and also listen on a interface and offer services to be consumed (server mode).
The above definitions were the very basic ones and it allows us to finally define terms, which are usually connected to the security topics:
Now, we need one more thing to be able to talk about security model and default settings concerning security. We need to have a look at the default services.
There may be a lot of services offered on and consumed by the router. We will be focusing on the ones which are contained in the Conel OS 6.x by default. Please note that the table is capble of describing only the default case. In the wild, there are many sophisticated configuration possibilities which cannot be captured in such simple table (e.g. a service can be configured on different interfaces differently or new interfaces can be defined by bridging or there can be backup or multiple WANs etc.)
In the following table, the server means service being offered (there is a process listening on some interface(s)) while client means the process is consuming the service from another device. Also note, that the default settings differs between v2 and v3 router generation.
|Service||Default Status||Default logical iface|
|HTTP server||on - v2, off - v3||LAN only|
|HTTPS server||on||LAN only|
|Telnet server||on - v2, off - v3||LAN only|
|SSH server||on||LAN only|
|FTP server||on - v2, off - v3||LAN only|
|DynDNS client||off||WAN or LAN|
|NTP client||off||WAN or LAN|
|NTP server||off||LAN only|
|SNMP server||on||LAN only|
|SNMP client||off||WAN or LAN|
|SMTP client||off||LAN or WAN|
|DHCP client||off||WAN or LAN|
|DHCP server||on||LAN only|
Just by looking at the table, you can recognize that are some services offered by default. Also, the defaults differ between the v2 and v3 platform.
We will discuss the different defaults and their purpose, together with security model in the next article - it is too long topic to properly fit in the first article. However there is still one more thing to cover right now as goint through this point is considered a required step in the router deployment (or initial configuration).
The first five services captured in the table are allowing configuration or command-line access to the router (for v3 routers it is just HTTPS and SSH by default). Note that all these services are allowed on LAN interfaces only. Please note that the logical interface limitation is really important here. Once you change the settings (e.g. using Backup Routes configuration), the services are restarted accordingly.
In the default setup, there is only a root user account created on the device (more on this in the next article) and that is the only user allowed to do configuration changes. As you need to be able to use that user for initial access to do initial configuration, there must be some way how to access the device for the first time. In our case, it is by using the default password.
The first thing a user (or a service personell) should do during router deployment is use one of these access services to the router and change default password, so that it is:
While the secrecy is clear, there can be some doubts about which password is safe and which is not. For example, which password is safe against automated password guessing techniques?
There are many sources describing techniques how to create good passwords (see links below), but basically, you need to understand how password guessing techniques work and that would help you finding your own way.
Basically, password guessing techniques are enumerating combinations of elements and trying each of the enumerated possibilities as a password. The art of the guessing is in both crafting the rules how to combine the elements and also choosing the elements.
Just as an example, the elements may be letters (both small caps and capitals) and numbers. You can quickly see, that the length of password is important. If your password is three characters long, the number of possible combinations is much less than if the length is, say, 10 characters.
But the length of password is not the only metric. Consider a password "Christopher1990". It has 15 characters, but it is not safe. Why? The elements of password guessing algorithm may not be just letters. It may be (or it may contain) syllables or whole words. Consider an agorithm contains english names and possible birth dates. The example password above is generated (tried out) very soon.
But this is just a beginning. The algorithms are much more sophisticated - counting with average appearance of letters and numbers for each language and containing most used constructs (rules for combining different parts of password together). The above examples are given so that you understand that the length of password is important, but not the only important metric.
We will continue with the topic of configuring the access to the router in the forthcoming articles within the series. This was just something to prepare the grounds and get you started. If we are to sum up what has been covered in this article the list is like this: