RipEX2/M!DGE3 are wireless cellular IP-enabled telecommunication devices providing a 24/7 reliable service for wireless data transfer in mission-critical applications like Industrial control systems (ICS) and Supervisory Control And Data Acquisition (SCADA) systems.
This appendix contains several steps that can be considered when deploying wireless telecommunications infrastructures.
Create a new account with an “Admin” Role (full access) and delete default “admin” user
SETTINGS > Security > Local authentication > User accounts
Configure a strong password for this newly created “Admin” role user. Consider enabling the “Password complexity rules” feature
SETTINGS > Security > Local authentication > Settings
Insecure default credentials are:
user: admin
password: adminUsing complex passwords is your first line of defense in protecting your device. Consider periodic updates
The recommended length is at least 8-10 characters including A-z, 0-9 and special characters (@?* etc.)
Role-based access control (RBAC) enables you to assign privileges and access rights to administrative/read-only users through role assignment. You create user accounts (local authentication or remote RADIUS) and assign them roles via which they can access RipEX2/M!DGE3 GUI or API.
There are four different levels of user access privileges – they are bound with four different user access roles:
Guest
Technician
Security technician
AdministratorNote: You may export Local authentication users and import them to other units in your network. You do not need to create them separately in each device
The file consists of hashed/salted passwords, i.e. not readable and non backwards deductible
Web inactivity timeout
When the user account is not active for some time, the user will be automatically logged-out. The inactivity timeout of the account is set for 1 day by default. It is possible to change in the range of 5 minutes up-to 2 days
ADVANCED > Generic > UserAccess > Web inactivity timeout
Note: A mechanism against brute-force attacks is implemented. When the wrong combination of the Account / Password is entered, you have to wait a while for the following attempt. The time is growing with every wrong attempt.
Restrict physical access to the device to only authorized personnel.
Disable physical ports which are not used
Ethernet ports
SETTINGS > Interfaces > Ethernet > Ports
Serial ports
SETTINGS > Interfaces > COM
USB port
for USB/ETH and USB/WiFi management access
SETTINGS > Device > Unit > Service USB
Cellular ports (if any)
SETTINGS > Interfaces > Cellular > MAIN/EXT
Wi-Fi (if any)
SETTINGS > Interfaces > Wi-Fi
Tamper detection
RipEX2 and M!DGE3 units are equipped by case opening detection. The behaviour in case of this event shall be set in menu SETTINGS > Device > Events > Tamper.
Encrypting your wireless radio data prevents anyone who might be able to access your network from viewing it. Radio traffic can be encrypted via AES-256-CCM (passphrase or key), or utilizing IPsec/OpenVPN secure VPN options (but these are not bandwidth-optimized options for a Radio channel).
Radio AES256
For the encryption is possible to set primary and secondary Passphrase or Key. This option allows to change credentials in the whole network without service outage.
The radio traffic encryption has an additional option AES-256-CCM + KEX, which enables periodical key replacement.SETTINGS > Interfaces > Radio > Encryption
VPN
SETTINGS > VPN > IPsec
SETTINGS > VPN > OpenVPN
Cellular networks are in control of operators and public APNs are connected to the public Internet. Any data sent or received by RipEX2 (EXT) or M!DGE3 (MAIN, EXT) can be captured by experienced hackers. If such data are not encrypted, sensitive data can be read by these hackers and misused.
It is highly recommended to encrypt all sensitive data via supported VPN options – IPsec or OpenVPN.
Note: Private APNs resemble private Radio networks. Such APNs are restricted from the Internet by the operator’s firewalls and should be more secure. Nevertheless, it is still recommended to encrypt your sensitive data.
Note: Routing LAN2LAN (end2end) data through the operator’s APN/network is blocked by their firewalls and tunnelling or port-forwarding are the only ways to pass end2end data successfully.
Remote access is used to configure and manage remote units via bandwidth-friendly volumes of transmitted data. You must login to the local unit via username and password. There is no need to provide any other credentials to access other units remotely via Remote access. The security is based on QSSH protocol (TCP port 8889) and a private key. Enable only the interfaces you will use for Remote access:
ADVANCED > Interfaces > Ethernet > Network interface
ADVANCED > Interfaces > Radio > Radio interface
Or switch it off fully:
SETTINGS > Security > Management access > Remote access
Hints for set in a secure way for enabled interfaces:
- User generated Remote access key
The private key is the same for ALL manufactured units. It is highly recommended to generate such a key in one unit and distribute it to all others within your network. No other unit with default key (or other user key) can access your units via Remote access.
SETTINGS > Security > Credentials
to generate/download/upload the key
SETTINGS > Security > Management access > Remote access
to set “user” key for Remote access
to define the user key ID
It is recommended to change certificates for certificates trusted by the M!DGE3 user.
The default certificates are part of installation of all units, so the replacement for your own certificates will increase the security of all processes and services (e.g. web access, radio encryption), which use certificates (see SETTINGS > Security > Credentials).
It is also possible to generate certificates with parameters required by the user application (see parameters in SETTINGS > Security > Credentials > Settings).
Enable only services utilized on the device and disable all other services
Disable unused SSH
ADVANCED > Security > Management access > Administration website > Enable SSH → Off
Disable SNMPv2c, if SNMP is required, use SNMPv3
SETTINGS > Services > SNMP
or use “SNMPv3”
security level: AuthPriv
Use secure Authentication and Encryption algorithms
Set strong passphrases
Change default HTTPs port
SETTINGS (or ADVANCED) > Security > Management access > Administration website > HTTPS port
Disable HTTPaccess
SETTINGS (or ADVANCED) > Security > Management access > Administration website > Enable HTTP → Off
Disable SMS or adjust allowed phone numbers
SETTINGS > Services > SMS
Set strong SMS passphrase
WiFi
Only available if USB/WiFi adapter for management access is used (plugged)
Enable WPA2-PSK with strong password to ensure WiFi security
SETTINGS > Security > Management access > Service USB > Wi-Fi > Security, Passphrase
If not used, the feature can be disabled completely within the same menu
Protect the unit via Firewall settings
SETTINGS > Firewall > L2 / L3 / NAT
Especially important if RipEX2/M!DGE3 has a public IP address!
Limit access to RipEX2/M!DGE3 GUI
Only allow authorized IPv4 addresses to access your network. Each piece of hardware connected to a network has an assigned IPv4 address. You can restrict access to your network by filtering these IPv4 addresses within the L3 firewall.
Local access can be restricted by filtering MAC addresses via L2 firewall (blacklist, whitelist).
SETTINGS > Firewall > L2 / L3
Since FW 2.1.0.0 and its feature Credentials, you can generate or upload your own certificates and keys, including HTTPs.
SETTINGS > Security > Credentials
SETTINGS > Security > Local authentication > Settings
Configuration files are stored as unencrypted JSON files or encrypted zip files. It is possible to set that only encrypted files will be allowed and the rules for the password can be set as well.
ADVANCED > Generic > CnfSecurity
You can download configuration files from the complete network smoothly via NetSPIDER tool.
Note: Each user can only download a configuration file which includes configuration parameters available for a particular user level role.
Keep the firmware up-to-date.
The latest FW can be downloaded from the RACOM website:
RipEX2 FW: https://www.racom.eu/eng/products/radio-modem-ripex.html#dnl_fwr2
M!DGE3 FW: https://www.racom.eu/eng/products/cellular-router-midge.html#dnl_fwr3
Utilize direct Upload and Activation for locally connected RipEX2/M!DGE3 devices.
SETTINGS > Device > Firmware > Local
Utilize USB flash drive – for FW upgrade via USB disk – this service is on by default, it can be disabled.
SETTINGS > Device > Firmware > USB
Utilize Firmware distribution for RipEX2 networks in a bandwidth optimized way.
FW distribution uses the authentication key during the process – the key is the same in all manufactured units – you can generate and use your own.
SETTINGS > Services > Firmware distribution
SETTINGS > Device > Firmware > Distributed
ADVANCED > Device > Firmware distr. – receiver
Utilize NetSPIDER to speed the FW distribution process in the whole network.