RUGGEDCOM ROX II
CLI User Guide
Chapter 1
Introduction
Security Recommendations 7
• Use strong passwords. Avoid weak passwords (e.g. password1, 123456789, abcdefgh) or repeated characters (e.g. abcabc). For more information about creating strong passwords, refer to the password requirements in Section 5.9, “Managing Passwords and Passphrases”.
  This recommendation also applies to pre-shared keys (PSK) configured on the device.
• Make sure passwords are protected and not shared with unauthorized personnel.
• Do not re-use passwords across different user names and systems, or after they expire.
• Record passwords in a safe, secure, off-line location for future retrieval should they be misplaced.
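The weak-password patterns named above (dictionary entries such as password1, sequential runs such as abcdefgh or 123456789, and repeated blocks such as abcabc) can be screened for before a password or PSK is committed to the device. The following checker is an added example, not part of the guide; the minimum length of 12, the three-character-class rule and the weak-password list are assumptions for illustration, and the authoritative requirements are those in Section 5.9.

```python
# Weak passwords quoted in the guide plus a few obvious variants (constructed list, not from the manual).
WEAK_LIST = {"password1", "123456789", "abcdefgh", "password", "admin", "12345678"}

def has_repeated_block(pw: str) -> bool:
    """True if the whole password is one block repeated, e.g. 'abcabc' or 'aaaa'."""
    n = len(pw)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and pw[:size] * (n // size) == pw:
            return True
    return False

def longest_sequential_run(pw: str) -> int:
    """Length of the longest run of consecutive code points in one direction, e.g. 'abcd' -> 4, '4321' -> 4."""
    if not pw:
        return 0
    best = up = down = 1
    for a, b in zip(pw, pw[1:]):
        d = ord(b) - ord(a)
        up = up + 1 if d == 1 else 1      # ascending run continues only on +1 steps
        down = down + 1 if d == -1 else 1  # descending run continues only on -1 steps
        best = max(best, up, down)
    return best

def character_classes(pw: str) -> int:
    """Count of distinct classes present: lower, upper, digit, other (symbols/punctuation)."""
    count = sum(1 for test in (str.islower, str.isupper, str.isdigit) if any(test(c) for c in pw))
    if any(not c.isalnum() for c in pw):
        count += 1
    return count

def check_password(pw: str, min_length: int = 12, max_run: int = 3) -> list[str]:
    """Return the list of policy findings; an empty list means the password passed every check.
    min_length and the three-class rule are assumed thresholds, not the values from Section 5.9."""
    findings = []
    if len(pw) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if pw.lower() in WEAK_LIST:
        findings.append("appears in the weak-password list")
    if has_repeated_block(pw):
        findings.append("is a repeated block")
    if longest_sequential_run(pw) > max_run:
        findings.append("contains a sequential run")
    if character_classes(pw) < 3:
        findings.append("uses fewer than three character classes")
    return findings

if __name__ == "__main__":
    for candidate in ("password1", "abcabc", "Tr0ub4dor&Rugged!"):
        print(candidate, "->", check_password(candidate) or "ok")
```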
• When RADIUS or TACACS+ user authentication is done remotely, make sure all communications are within the security perimeter or on a secure channel.
• TACACS+ uses the MD5 algorithm for key encryption. Make sure to follow the security recommendations outlined in this User Guide and configure the environment according to defense in depth best practices.
• PAP (Password Authentication Protocol) is not considered a secure protocol and should only be enabled when required. Consider using CHAP (Challenge-Handshake Authentication Protocol) whenever possible.
• Use IPsec in conjunction with the L2TP protocol for increased security.
Physical/Remote Access
• It is highly recommended to enable Brute Force Attack (BFA) protection to prevent a third-party from obtaining unauthorized access to the device. For more information, refer to Section 6.3, “Enabling/Disabling Brute Force Attack Protection”.
• SSH and SSL keys are accessible to users who connect to the device via the serial console. Make sure to take appropriate precautions when shipping the device beyond the boundaries of the trusted environment:
  • Replace the SSH and SSL keys with throwaway keys prior to shipping.
  • Take the existing SSH and SSL keys out of service. When the device returns, create and program new keys for the device.
• Replace all default and auto-generated SSL certificates with certificates and keys signed by a trusted Certificate Authority (CA). Default and auto-generated certificates are self-signed by RUGGEDCOM ROX II.
• Restrict physical access to the device to only trusted personnel. A person with malicious intent in possession of the flash card could extract critical information, such as certificates, keys, etc. (user passwords are protected by hash codes), or reprogram the card.
• Passwords/passphrases for service mode and maintenance mode should only be given to a limited number of trusted users. These modes provide access to private keys and certificates.
• Control access to the serial console to the same degree as any physical access to the device. Access to the serial console allows for potential access to BIST mode, which includes tools that may be used to gain complete access to the device.
• When using SNMP (Simple Network Management Protocol):
  • Limit the number of IP addresses that can connect to the device and change the community names. Also configure SNMP to raise a trap upon authentication failures. For more information, refer to Section 15.2, “Managing SNMP”.
  • Make sure the default community strings are changed to unique values.
• When using RUGGEDCOM ROX II as a client to securely connect to a server (such as in the case of a secure upgrade or a secure syslog transfer), make sure the server side is configured with strong ciphers and protocols.
• Limit the number of simultaneous Web Server, CLI, SFTP and NETCONF sessions allowed.