Security Hardening Procedure

https//www.racom.eu/eng/products/m/ripex2/appendix.html

Print version

Appendix A. Security Hardening Procedure

RipEX2/M!DGE3 are wireless cellular IP-enabled telecommunication devices providing a 24/7 reliable service for wireless data transfer in mission-critical applications like Industrial control systems (ICS) and Supervisory Control And Data Acquisition (SCADA) systems.

This appendix contains several steps that can be considered when deploying wireless telecommunications infrastructures.

A.1. Password and accounting

Create a new account with an “Admin” Role (full access) and delete default “admin” user

  • SETTINGS > Security > Local authentication > User accounts

Configure a strong password for this newly created “Admin” role user. Consider enabling the “Password complexity rules” feature

  • SETTINGS > Security > Local authentication > Settings

  • Insecure default credentials are:
    user: admin
    password: admin

  • Using complex passwords is your first line of defense in protecting your device. Consider periodic updates

  • The recommended length is at least 8-10 characters including A-z, 0-9 and special characters (@?* etc.)

Role-based access control (RBAC) enables you to assign privileges and access rights to administrative/read-only users through role assignment. You create user accounts (local authentication or remote RADIUS) and assign them roles via which they can access RipEX2/M!DGE3 GUI or API.

  • There are four different levels of user access privileges – they are bound with four different user access roles:

    Guest
    Technician
    Security technician
    Administrator

  • Note: You may export Local authentication users and import them to other units in your network. You do not need to create them separately in each device

    The file consists of hashed/salted passwords, i.e. not readable and non backwards deductible

Web inactivity timeout

  • When the user account is not active for some time, the user will be automatically logged-out. The inactivity timeout of the account is set for 1 day by default. It is possible to change in the range of 5 minutes up-to 2 days

  • ADVANCED > Generic > UserAccess > Web inactivity timeout

  • Note: A mechanism against brute-force attacks is implemented. When the wrong combination of the Account / Password is entered, you have to wait a while for the following attempt. The time is growing with every wrong attempt.

A.2. Physical access

Restrict physical access to the device to only authorized personnel.

Disable physical ports which are not used

Ethernet ports

  • SETTINGS > Interfaces > Ethernet > Ports

Serial ports

  • SETTINGS > Interfaces > COM

USB port

  • for USB/ETH and USB/WiFi management access

  • SETTINGS > Device > Unit > Service USB

Cellular ports (if any)

  • SETTINGS > Interfaces > Cellular > MAIN/EXT

Wi-Fi (if any)

  • SETTINGS > Interfaces > Wi-Fi

Tamper detection

RipEX2 and M!DGE3 units are equipped by case opening detection. The behaviour in case of this event shall be set in menu SETTINGS > Device > Events > Tamper.

A.3. Encrypt data on Radio network (RipEX2)

Encrypting your wireless radio data prevents anyone who might be able to access your network from viewing it. Radio traffic can be encrypted via AES-256-CCM (passphrase or key), or utilizing IPsec/OpenVPN secure VPN options (but these are not bandwidth-optimized options for a Radio channel).

Radio AES256

For the encryption is possible to set primary and secondary Passphrase or Key. This option allows to change credentials in the whole network without service outage.
The radio traffic encryption has an additional option AES-256-CCM + KEX, which enables periodical key replacement.

  • SETTINGS > Interfaces > Radio > Encryption

VPN

  • SETTINGS > VPN > IPsec

  • SETTINGS > VPN > OpenVPN

A.4. Encrypt data on cellular network

Cellular networks are in control of operators and public APNs are connected to the public Internet. Any data sent or received by RipEX2 (EXT) or M!DGE3 (MAIN, EXT) can be captured by experienced hackers. If such data are not encrypted, sensitive data can be read by these hackers and misused.

It is highly recommended to encrypt all sensitive data via supported VPN options – IPsec or OpenVPN.

Note: Private APNs resemble private Radio networks. Such APNs are restricted from the Internet by the operator’s firewalls and should be more secure. Nevertheless, it is still recommended to encrypt your sensitive data.

Note: Routing LAN2LAN (end2end) data through the operator’s APN/network is blocked by their firewalls and tunnelling or port-forwarding are the only ways to pass end2end data successfully.

A.5. Disable Remote access or configure it securely

Remote access is used to configure and manage remote units via bandwidth-friendly volumes of transmitted data. You must login to the local unit via username and password. There is no need to provide any other credentials to access other units remotely via Remote access. The security is based on QSSH protocol (TCP port 8889) and a private key. Enable only the interfaces you will use for Remote access or switch it off fully (SETTINGS > Security > Management access > Remote access).

  • SETTINGS > Security > Management access > Remote access

Hints for set in a secure way for enabled interfaces:

User generated Remote access key

The private key is the same for ALL manufactured units. It is highly recommended to generate such a key in one unit and distribute it to all others within your network. No other unit with default key (or other user key) can access your units via Remote access.

  • SETTINGS > Security > Credentials

    • to generate/download/upload the key

  • SETTINGS > Security > Management access > Remote access

    • to set “user” key for Remote access

    • to define the user key ID

Firewall

You can restrict TCP/8889 in your INPUT L3 firewall settings to particular IP addresses only, or particular interfaces (Radio, cellular MAIN/EXT, ETH, GRE L3, …).

A.6. Exchange of certificates

It is recommended to change certificates for certificates trusted by the RipEX2 user.

The default certificates are part of installation of all units, so the replacement for your own certificates will increase the security of all processes and services (e.g. web access, radio encryption), which use certificates (see SETTINGS > Security > Credentials).

It is also possible to generate certificates with parameters required by the user application (see parameters in SETTINGS > Security > Credentials > Settings).

A.7. Services

Enable only services utilized on the device and disable all other services

Disable unused SSH

  • ADVANCED > Security > Management access

Disable SNMPv2c, if SNMP is required, use SNMPv3

  • SETTINGS > Services > SNMP

  • or use “SNMPv3”

    • security level: AuthPriv

    • Use secure Authentication and Encryption algorithms

    • Set strong passphrases

Change default HTTP and HTTPs ports

  • ADVANCED > Security > Management access

Disable SMS or adjust allowed phone numbers

  • SETTINGS > Services > SMS

    • set strong SMS password

WiFi

  • Only available if USB/WiFi adapter for management access is used (plugged)

  • Enable WPA2-PSK with strong password to ensure WiFi security

    • SETTINGS > Device > Unit > Service USB

  • If not used, the feature can be disabled completely within the same menu

A.8. Firewall

Protect the unit via Firewall settings

  • SETTINGS > Firewall > L2 / L3 / NAT

  • Especially important if RipEX2/M!DGE3 has a public IP address!

Limit access to RipEX2/M!DGE3 GUI

  • Only allow authorized IPv4 addresses to access your network. Each piece of hardware connected to a network has an assigned IPv4 address. You can restrict access to your network by filtering these IPv4 addresses within the L3 firewall.

  • Local access can be restricted by filtering MAC addresses via L2 firewall (blacklist, whitelist).

  • SETTINGS > Firewall > L2 / L3

A.9. HTTPS certificate

Since FW 2.1.0.0 and its feature Credentials, you can generate or upload your own certificates and keys, including HTTPs.

  • SETTINGS > Security > Credentials

  • SETTINGS > Security > Local authentication > Settings

A.10. Configuration files

Configuration files are stored as unencrypted JSON files or encrypted zip files. It is possible to set that only encrypted files will be allowed and the rules for the password can be set as well.

  • ADVANCED > Generic > CnfSecurity

You can download configuration files from the complete network smoothly via NetSPIDER tool.

Note: Each user can only download a configuration file which includes configuration parameters available for a particular user level role.

A.11. Firmware

Keep the firmware up-to-date.

The latest FW can be downloaded from the RACOM website:

RipEX2 FW: https://www.racom.eu/eng/products/radio-modem-ripex.html#dnl_fwr2

M!DGE3 FW: https://www.racom.eu/eng/products/cellular-router-midge.html#dnl_fwr3

Utilize direct Upload and Activation for locally connected RipEX2/M!DGE3 devices.

  • SETTINGS > Device > Firmware > Local

Utilize USB flash drive – for FW upgrade via USB disk – this service is on by default, it can be disabled.

  • SETTINGS > Device > Firmware > USB

Utilize Firmware distribution for RipEX2 networks in a bandwidth optimized way.

  • FW distribution uses the authentication key during the process – the key is the same in all manufactured units – you can generate and use your own.

  • SETTINGS > Services > Firmware distribution

  • SETTINGS > Device > Firmware > Distributed

  • ADVANCED > Device > Firmware distr. – receiver

Utilize NetSPIDER to speed the FW distribution process in the whole network.

©  2024 RACOM s.r.o. All Rights Reserved.