Router Configuration
To harden and protect the router, implement the following recommendations before connecting the device to the ISP/outside:
- Change the default username
- Change to a strong password/passphrase
- Update the firmware in all devices
- Disable web administration from the WAN, so the admin interface cannot be reached from outside your network.
- Disable UPnP (Universal Plug and Play), so that apps and devices cannot open ports in the firewall without your knowledge.
- Disable WPS (Wi-Fi Protected Setup)
- Disable Port Forwarding
- Back up the configuration of all devices
Segment Your Network
Network segmentation is a good practice: it adds an additional layer of security by isolating guests and IoT (Internet of Things) devices from your main/primary network.
Network segmentation can be implemented by adding a second router, or using a router with the ability to configure each port to be a different network segment.
One such smart router is the Ubiquiti Networks EdgeRouter X:
- Each port is a separate network segment.
- Make sure to immediately update the firmware/EdgeOS
- Home-Network Implementation: Using the Ubiquiti EdgeRouter X and Ubiquiti AP-AC-LR Access Point by Mike Potts
- Ubiquiti Router Hardening
- EdgeRouter – OpenVPN Server
- Available from Amazon.com
- Security Now Episode 569 Notes – Page 7 of 14
- “Three Dumb Routers” …or… ONE SuperSmart Router!
- Ubiquiti EdgeRouter X $50, 5 separate interfaces, w/power supply
- Update the firmware!
- Packet switching rate (~500 Mbits)
- “Normal Router” is a two interface NAT connected to a multiport hub or switch. On the LAN side, it has a single LOGICAL interface and five to eight physical interfaces.
- A “super smart” router has a separate network logical interface for every physical interface.
Disable the Ubiquiti Discovery Service
In 2019, Ubiquiti devices were being exploited and used to conduct denial-of-service (DoS) attacks via a service listening on UDP port 10001.
Responses on port 10001 also reveal the device name, model, firmware version, IP and MAC addresses, and sometimes the ESSID if it is a wireless device.
The default WAN firewall policies added by the Basic Setup wizard will block all probes to UDP/TCP port 10001, and will prevent the EdgeRouter from being discoverable on the WAN.
- ubnt-discover: controls whether the EdgeRouter is able to discover nearby Ubiquiti devices.
- ubnt-discover-server: controls whether the EdgeRouter is discoverable by other nearby devices.
You can disable the Ubiquiti Discovery Service from the CLI:
ubnt@ubnt:~$ show configuration
ubnt@ubnt:~$ configure
ubnt@ubnt# set service ubnt-discover disable
ubnt@ubnt# set service ubnt-discover-server disable
ubnt@ubnt# commit
ubnt@ubnt# exit
ubnt@ubnt:~$ disconnect
Note that commit applies the change to the running configuration only; follow it with save in configure mode so the change survives a reboot.
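The checklist in Router Configuration and the discovery-service settings above can be verified against an exported configuration instead of by eye. The following Python script is an added example, not code from the page or from Ubiquiti: it parses the brace syntax that EdgeOS `show configuration` prints into nested dictionaries and reports which checklist items are not satisfied. The two configuration dumps are constructed for illustration (hostnames, addresses and the password placeholder are invented); the node names checked (`service ubnt-discover`, `service ubnt-discover-server`, `service upnp`/`upnp2`, `port-forward rule`, `system login user ubnt`) are EdgeOS configuration nodes, and absence of the two discovery nodes is treated as "enabled" because that is the default.

```python
"""Audit an EdgeOS-style `show configuration` dump against the hardening checklist.
Added example; the configuration texts below are constructed, not from a real router."""
import shlex

_MISSING = object()


def parse_config(text):
    """Parse EdgeOS brace syntax into nested dicts. Valueless leaves (e.g. `disable`) map to None;
    two-word block headers such as `rule 1 {` or `user ubnt {` nest under the first word."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):   # skip blanks and the trailing /* version */ comments
            continue
        if line == "}":
            stack.pop()
            continue
        node = stack[-1]
        if line.endswith("{"):
            parts = line[:-1].split()
            child = node.setdefault(parts[0], {})
            if len(parts) == 2:
                child = child.setdefault(parts[1], {})
            stack.append(child)
            continue
        parts = shlex.split(line)               # handles quoted values like description "LAN"
        node[parts[0]] = parts[1] if len(parts) > 1 else None
    return root


def lookup(cfg, *path):
    """Walk a key path; return the sentinel _MISSING if any component is absent."""
    node = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def audit(cfg):
    """Return one finding per checklist item that the configuration does not satisfy."""
    findings = []
    # The discovery nodes are enabled unless explicitly set to disable.
    if lookup(cfg, "service", "ubnt-discover", "disable") is _MISSING:
        findings.append("ubnt-discover is enabled (discovery client on UDP/10001)")
    if lookup(cfg, "service", "ubnt-discover-server", "disable") is _MISSING:
        findings.append("ubnt-discover-server is enabled: the router answers UDP/10001 probes")
    for node in ("upnp", "upnp2"):
        if lookup(cfg, "service", node) is not _MISSING:
            findings.append(f"service {node} is configured: devices can open firewall ports themselves")
    rules = lookup(cfg, "port-forward", "rule")
    if isinstance(rules, dict) and rules:
        findings.append(f"port-forward has {len(rules)} rule(s) exposing LAN services to the WAN")
    if lookup(cfg, "system", "login", "user", "ubnt") is not _MISSING:
        findings.append("default user 'ubnt' still exists")
    return findings


# Constructed dump of a router that still has the factory defaults plus UPnP and a forward.
DEFAULT_CONFIG = """
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    rule 1 {
        description "nas web ui"
        forward-to {
            address 192.168.1.20
            port 80
        }
        original-port 8080
        protocol tcp
    }
    wan-interface eth0
}
service {
    gui {
        http-port 80
        https-port 443
    }
    upnp2 {
        listen-on eth1
        nat-pmp enable
        wan eth0
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password "PLACEHOLDER-HASH"
            }
            level admin
        }
    }
}
/* Warning: Do not remove the following line. */
"""

# Constructed dump of the same router after applying the checklist.
HARDENED_CONFIG = """
service {
    gui {
        http-port 80
        https-port 443
    }
    ubnt-discover {
        disable
    }
    ubnt-discover-server {
        disable
    }
}
system {
    host-name edge
    login {
        user netadmin {
            authentication {
                encrypted-password "PLACEHOLDER-HASH"
            }
            level admin
        }
    }
}
"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit(parse_config(text)) or ["no findings"]:
            print(" -", f)
```

Run it against the output of `show configuration` saved to a file to get a quick before/after comparison; the parser deliberately ignores the `/* ... */` trailer lines that EdgeOS appends, and any node it does not know about is simply retained in the dictionary for further checks.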
Monitor Devices on the Network
Use SNMP and/or syslog to monitor devices on the network. For Windows, as Microsoft has deprecated SNMP, use WMI (Windows Management Instrumentation).
You can monitor device availability, free space on drives, CPU and memory usage, temperature, etc.
Reference
- Keep an eye on your network – Observium Tutorial
- Observium is a low-maintenance auto-discovering network monitoring platform supporting a wide range of device types, platforms and operating systems.
- Windows: SNMP is deprecated. Instead, use the Common Information Model (CIM), which is supported by the WS-Management web services protocol and implemented as Windows Remote Management.
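As an added example of the syslog side of this monitoring (not code from the page or from Observium), the Python below parses RFC 3164 syslog lines as a router or NAS would send them, decodes the facility and severity from the `<PRI>` prefix, and raises simple alerts: any event at warning severity or worse, and repeated failed SSH logins from one source. The sample lines are constructed (hostnames `edge` and `nas`, the addresses, the process IDs and the message texts are all invented); the firewall log line mirrors the page's point that a hardened WAN policy drops probes to port 10001.

```python
"""Parse RFC 3164 syslog lines from network devices and raise simple alerts.
Added example; the sample lines below are constructed, not captured from real devices."""
import re
from collections import Counter

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]

# <PRI>TIMESTAMP HOST TAG[PID]: MESSAGE  (PID is optional)
_LINE = re.compile(r"^<(?P<pri>\d{1,3})>"
                   r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                   r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")
_FAILED = re.compile(r"Failed password for \S+ from (?P<src>\S+)")


def parse_syslog(line):
    """Return a dict of decoded fields, or None if the line is not valid RFC 3164."""
    m = _LINE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                       # facility 0-23 and severity 0-7 only
        return None
    fac, sev = divmod(pri, 8)
    return {"facility": FACILITIES[fac], "severity": sev, "severity_name": SEVERITIES[sev],
            "timestamp": m.group("ts"), "host": m.group("host"),
            "tag": m.group("tag"), "pid": m.group("pid"), "msg": m.group("msg")}


def alerts(lines, max_severity=4, fail_threshold=3):
    """Flag events at `max_severity` (4 = warning) or worse, unparseable lines,
    and any (host, source IP) pair with at least `fail_threshold` failed SSH logins."""
    out = []
    failures = Counter()
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            out.append(f"unparseable line: {line[:40]!r}")
            continue
        if ev["severity"] <= max_severity:
            out.append(f"{ev['host']} {ev['facility']}.{ev['severity_name']}: {ev['msg']}")
        m = _FAILED.search(ev["msg"])
        if m:
            failures[(ev["host"], m.group("src"))] += 1
    for (host, src), n in failures.items():
        if n >= fail_threshold:
            out.append(f"{host}: {n} failed SSH logins from {src}")
    return out


# Constructed sample: an accepted login, a dropped probe to UDP/10001 logged by the
# WAN firewall, three failed SSH logins from one source, and a temperature warning from a NAS.
SAMPLE_LINES = [
    "<38>Mar  3 10:15:01 edge sshd[1234]: Accepted publickey for netadmin from 192.168.1.50 port 51234 ssh2",
    "<4>Mar  3 10:16:45 edge kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=203.0.113.9 DST=203.0.113.50 PROTO=UDP SPT=40000 DPT=10001",
    "<38>Mar  3 10:17:02 edge sshd[1240]: Failed password for root from 198.51.100.7 port 40110 ssh2",
    "<38>Mar  3 10:17:05 edge sshd[1241]: Failed password for root from 198.51.100.7 port 40112 ssh2",
    "<38>Mar  3 10:17:09 edge sshd[1242]: Failed password for root from 198.51.100.7 port 40115 ssh2",
    "<28>Mar  3 10:18:00 nas smartd[300]: Device: /dev/sda, Temperature 61 Celsius reached limit of 60 Celsius",
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_LINES):
        print(a)
```

Point a syslog collector's file at `alerts()` (one line per list element) to get the same output over live data; the facility.severity decoding is what lets a single threshold cover kernel firewall logs, daemon warnings and hardware monitors alike, while the failed-login counter catches activity that each device logs at info level only.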