Networking Best Practices

Router Configuration

To harden the router, implement the following recommendations before connecting the device to the ISP (the outside network):

Segment Your Network

Network segmentation is a good practice: it adds an additional layer of security by isolating guest and IoT (Internet of Things) devices from your main/primary network.

Network segmentation can be implemented by adding a second router, or by using a router that can place each of its ports on a different network segment.

One such router is the Ubiquiti Networks EdgeRouter X.
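As an added example (not from the original page or from Ubiquiti), the following EdgeOS configuration puts guest and IoT devices on their own routed ports of an EdgeRouter X and blocks them from reaching the primary LAN or each other. It assumes eth0 is the WAN, eth1 remains in switch0 as the primary LAN on 192.168.10.0/24, and the wizard already created NAT masquerade on eth0; the subnet numbers and the ruleset names ISOLATED_IN and ISOLATED_LOCAL are placeholders.

```text
# Added example, not the original page's or Ubiquiti's configuration.
# Assumptions: eth0 = WAN, eth1 (in switch0) = primary LAN 192.168.10.0/24,
# NAT masquerade on eth0 created by the Basic Setup wizard.

configure

# Take eth2 and eth3 out of the default switch so they become routed ports
delete interfaces switch switch0 switch-port interface eth2
delete interfaces switch switch0 switch-port interface eth3

set interfaces ethernet eth2 description GUEST
set interfaces ethernet eth2 address 192.168.20.1/24
set interfaces ethernet eth3 description IOT
set interfaces ethernet eth3 address 192.168.30.1/24

# DHCP for the two new segments (placeholder ranges)
set service dhcp-server shared-network-name GUEST subnet 192.168.20.0/24 default-router 192.168.20.1
set service dhcp-server shared-network-name GUEST subnet 192.168.20.0/24 dns-server 192.168.20.1
set service dhcp-server shared-network-name GUEST subnet 192.168.20.0/24 start 192.168.20.100 stop 192.168.20.200
set service dhcp-server shared-network-name IOT subnet 192.168.30.0/24 default-router 192.168.30.1
set service dhcp-server shared-network-name IOT subnet 192.168.30.0/24 dns-server 192.168.30.1
set service dhcp-server shared-network-name IOT subnet 192.168.30.0/24 start 192.168.30.100 stop 192.168.30.200

# Let the router's DNS forwarder answer on the new interfaces
set service dns forwarding listen-on eth2
set service dns forwarding listen-on eth3

# Every local subnet on this router; used as the "do not reach" list
set firewall group network-group LOCAL_NETS network 192.168.10.0/24
set firewall group network-group LOCAL_NETS network 192.168.20.0/24
set firewall group network-group LOCAL_NETS network 192.168.30.0/24

# Traffic entering eth2/eth3 that is routed onward: internet allowed, other local subnets dropped
set firewall name ISOLATED_IN default-action accept
set firewall name ISOLATED_IN rule 10 description "Replies to sessions started from the primary LAN"
set firewall name ISOLATED_IN rule 10 action accept
set firewall name ISOLATED_IN rule 10 state established enable
set firewall name ISOLATED_IN rule 10 state related enable
set firewall name ISOLATED_IN rule 20 description "Drop guest/IoT traffic to any local subnet"
set firewall name ISOLATED_IN rule 20 action drop
set firewall name ISOLATED_IN rule 20 destination group network-group LOCAL_NETS

# Traffic from eth2/eth3 addressed to the router itself: only DHCP and DNS
set firewall name ISOLATED_LOCAL default-action drop
set firewall name ISOLATED_LOCAL rule 10 description "DNS to the router"
set firewall name ISOLATED_LOCAL rule 10 action accept
set firewall name ISOLATED_LOCAL rule 10 protocol tcp_udp
set firewall name ISOLATED_LOCAL rule 10 destination port 53
set firewall name ISOLATED_LOCAL rule 20 description "DHCP to the router"
set firewall name ISOLATED_LOCAL rule 20 action accept
set firewall name ISOLATED_LOCAL rule 20 protocol udp
set firewall name ISOLATED_LOCAL rule 20 destination port 67

set interfaces ethernet eth2 firewall in name ISOLATED_IN
set interfaces ethernet eth2 firewall local name ISOLATED_LOCAL
set interfaces ethernet eth3 firewall in name ISOLATED_IN
set interfaces ethernet eth3 firewall local name ISOLATED_LOCAL

commit
save
exit
```

Because ISOLATED_LOCAL drops everything except DNS and DHCP, the isolated segments also cannot reach the router's management ports or the Ubiquiti discovery service on UDP 10001, which is an extra safeguard on top of disabling that service.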

Disable the Ubiquiti Discovery Service

In 2019, Ubiquiti devices were being exploited to conduct denial-of-service (DoS) attacks through a discovery service listening on 10001/UDP.

Responses from port 10001 also reveal the device name, model, firmware version, IP and MAC addresses, and sometimes the ESSID if it is a wireless device.

The default WAN firewall policies added by the Basic Setup wizard block all probes to UDP/TCP port 10001 and prevent the EdgeRouter from being discoverable on the WAN, provided those policies are left in place. The service is controlled by two settings:

  • ubnt-discover: controls whether the EdgeRouter is able to discover nearby Ubiquiti devices.
  • ubnt-discover-server: controls whether the EdgeRouter is discoverable by other nearby devices.

You can disable both from the CLI:

ubnt@ubnt:~$ show configuration
ubnt@ubnt:~$ configure
ubnt@ubnt# set service ubnt-discover disable
ubnt@ubnt# set service ubnt-discover-server disable
ubnt@ubnt# commit
ubnt@ubnt# save
ubnt@ubnt# exit
ubnt@ubnt:~$ exit

commit applies the change to the running configuration; save writes it to the boot configuration so it survives a reboot. Leaving configure mode returns you to the operational prompt, and a final exit closes the session.


Monitor Devices on the Network

Use SNMP and/or syslog to monitor the devices on the network. For Windows hosts, since Microsoft has deprecated the SNMP service, use WMI (Windows Management Instrumentation) instead.

You can monitor device availability, free disk space, CPU and memory usage, temperature, and so on.
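As an added example (not from the original page or from Ubiquiti), the following EdgeOS configuration sends the EdgeRouter's own syslog to a collector and exposes read-only SNMP to that collector only. It assumes a monitoring host at 192.168.10.50 on the primary LAN, a router LAN address of 192.168.10.1, a firmware that supports the snmp listen-address option, and the community string "monitoring", which is a placeholder to replace.

```text
# Added example, not the original page's or Ubiquiti's configuration.
# Assumptions: monitoring host 192.168.10.50, router LAN address 192.168.10.1,
# community string "monitoring" is a placeholder.

configure

# Accurate clocks first; without them logs from different devices cannot be correlated
set system time-zone UTC
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org

# Forward everything at level notice and above to the collector (syslog over UDP 514)
set system syslog host 192.168.10.50 facility all level notice
# Keep a local copy for troubleshooting when the collector is unreachable
set system syslog global facility all level notice

# Read-only SNMP, accepted only from the monitoring host, bound to the LAN address
set service snmp community monitoring authorization ro
set service snmp community monitoring network 192.168.10.50/32
set service snmp listen-address 192.168.10.1 port 161
set service snmp contact "netadmin@example.com"
set service snmp location "home-rack"

commit
save
exit
```

Binding SNMP to the LAN address and restricting the community to a single source host means a leaked community string is only usable from that host; the wizard's WAN_LOCAL policy still drops any SNMP or syslog traffic arriving from the outside. Windows hosts are covered by WMI on the monitoring server, not by this router configuration.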
