airOS – Network Security Best Practices

Hi everyone,

In recent weeks, the news of the VPNFilter malware has caused many network operators to look at their network designs, device configurations and general operational security to make sure they are protected against this issue, as well as any others that may occur in the future.

Although recent airOS software is not vulnerable to this attack, keeping your device software up to date is just one part of a sound network security strategy. In talking to and advising network operators over the years, I’ve found myself returning to a few common points of security advice:

1. Use Complex Login Credentials

I get it – no one likes being told what to do, and when you manage many devices throughout a large network, it’s tempting to stick to the default credentials or use the same simple, easy to remember username and password combination on each and every one of them. But this is one of, if not the most common ways in which your devices and your network can be compromised.

There are many different schools of thought today on how complex a username and password combination needs to be. Modern versions of airOS will prompt you to use reasonably-complex credentials in an attempt to avoid the use of default or simple credentials. Some studies have disagreed with the use of character requirements, and at the same time many others have not.

By prompting the use of a complex set of credentials that meet defined character requirements, airOS attempts to help you secure your network devices without having to think about it. If you manage a large number of devices through their web UI, consider using a password manager in your browser to remember and automatically fill in the complex credentials you set on each unit.

2. Remove Public Access

There are many different approaches to network design, and many varied and complicated edge cases that I can’t cover here in enough detail. But, a good general piece of advice on securing the network is to limit access to the management interfaces of your network devices. Only those who are supposed to operate these devices should be able to access them; any devices that are accessible on the public internet are a prime target for attacks from outside.

Wherever possible, take your network devices off of the public internet. In cases where you have to have them publicly accessible, consider limiting management access to these devices such that only people within your private network can access them. This can be achieved using a firewall, and we will be adding a management whitelist feature to airOS in the future which will simplify configuring this on the airOS network device itself, without requiring an external firewall.

If your network design is such that you need to access the management interfaces of your network devices remotely over the internet, consider using a firewall, VPN or proxy server to provide an additional layer of security between the outside world and your network. Wherever possible, rationalize your network design to leave as few places open as possible to access it.

3. Disable or Block Unused Features

Not using Telnet? How about HTTP? The functions of both of these protocols, just to take two examples, can be performed with more modern, secure protocols. If you are not using them or other protocols which can communicate with external devices, turn them off. This can be done in two ways: first, disable the protocol or the feature that uses it on the network device itself. Many network devices will let you activate and deactivate specific services easily in this way.

Second, block these protocols at the border of your network using a firewall. After all, if you are not using Telnet for example and yet Telnet traffic is repeatedly trying to enter your network, addressed to part of your network infrastructure, it is a solid sign someone is attempting to gain access to that device. If this communication is blocked at the network edge, the threat is gone.

4. Use Secure Protocols

Look at anywhere you are using HTTP in your network operations today. HTTP is unencrypted, and if a man in the middle were positioned correctly he may be able to intercept your credentials and use them to attack your network infrastructure. This is obviously something we want to avoid, so where a secure alternative such as HTTPS is available, make sure it is used.

Once usage of the secure protocol is established, as mentioned above it is prudent to disable the insecure protocol to protect your network. This combination of secure protocols and the removal of insecure protocols will greatly reduce your attack surface and threat vulnerability.

5. Keep your Software Up to Date

Check regularly to make sure the software operating on all of your network devices is up to date. Many releases contain security fixes, and it is best practice to keep up to date. We will continue to announce new airOS releases on this blog, and updates for other products can be found in their respective ubnt.com/downloads section and on their community forum section.

6. Block by Default

This is more of a mindset than a specific piece of configuration or a feature; but to improve your network security now and in the future, don’t think ‘what do I need to block’; it is more effective to think instead ‘what do I need to allow’. If you allow only the protocols, connections and users you need to, the opportunities for forgetting things you should’ve blocked are much smaller.

This is far from an exhaustive list of network security advice, but I’ve personally found these few points very helpful in both designing and operating my own networks, and talking to network operators across the world about their networks too. If you aren’t doing all of these today, take a look and see what you could be doing to quickly and easily improve your network security.

The airMAX sections at community.ubnt.com are the ideal place to ask if you have a question on network security and airOS. We’ll continue to post updates there on any issues that come up as well as responses to concerns from the community as best we can. Stay safe and stay secure.