Red Lion’s Crimson 3.2 products are sometimes deployed with cellular modems that are assigned public IP addresses. Such deployments carry inherent risk, because a public address is by definition reachable from any computer with Internet access. Ideally a private IP address or a VPN should be used, but if a public IP must be used, careful configuration is required to keep the device secure.
Rule 1 – Do Not Set Cellular Interfaces to Trusted
Setting an interface in Crimson to Trusted disables virtually all of the firewall protection, so cellular interfaces should always be configured as Untrusted unless a private APN is being used.
Rule 2 – Do Not Allow More Traffic Than Required
Untrusted interfaces still allow certain traffic. The exact traffic that is permitted is defined in the Untrusted Traffic section of the system configuration. The default settings are restrictive, allowing only VPN traffic. Do not enable any more features than you need for your application. Every time you enable something, you make a hole in the firewall and expose yourself to mischief.
Rule 3 – Use White Lists Wherever Possible
If you allow access to services like the device’s web server, use white lists to restrict the source addresses from which connections will be accepted. It is not always possible to tie things down to a single source IP, but restrict the inbound traffic to the minimum set of IP addresses that will work for your application.
Rule 4 – Never Ever Enable SSH Without White Lists
The SSH service should never, ever, ever be reachable via untrusted interfaces unless you are using a very restrictive white list. If you open this port, within minutes or hours your device will be under constant attack from bots running dictionary password attacks. While the bots are unlikely to gain access to the device, the constant attempts will burn up your data plan like you will not believe. Since Red Lion does not provide SSH access to customers, opening the port is pointless in any case. Much the same applies to FTP. While that is a more useful service, a publicly accessible FTP server will be swarmed by bots in short order.
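Rules 1 through 4 can be checked mechanically. The script below is an added example, not Red Lion code: the Interface and ServiceRule structures are a hypothetical stand-in for the interface and Untrusted Traffic settings that are normally edited in the Crimson configuration tool, and the sample configurations use RFC 5737 documentation addresses constructed for this example. It flags a Trusted cellular interface without a private APN, any enabled service with no white list (SSH and FTP called out separately), and a "white list" so broad it admits everyone, and it answers the practical question of whether a given source address would reach a service at all.

```python
"""Checker for the cellular firewall rules above (added example, not Red Lion code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Services the text says must never face an untrusted network without a very
# restrictive white list (SSH, which Red Lion does not expose to customers anyway)
# or that will be swarmed by bots (FTP).
HIGH_RISK_SERVICES = {"ssh", "ftp"}
# Threshold (an assumption for this example) above which an allow list is
# treated as too broad to count as a white list at all.
MAX_WHITELISTED_ADDRESSES = 256


@dataclass
class ServiceRule:
    name: str
    enabled: bool
    allow_list: List[str] = field(default_factory=list)  # CIDR prefixes; empty = any source


@dataclass
class Interface:
    name: str
    kind: str                 # "cellular" or "ethernet"
    trusted: bool
    private_apn: bool = False
    services: List[ServiceRule] = field(default_factory=list)


def whitelisted_address_count(allow_list):
    """Number of distinct source addresses a list of CIDR prefixes admits."""
    return sum(ipaddress.ip_network(c, strict=False).num_addresses for c in allow_list)


def source_permitted(rule, src):
    """Would an inbound connection from src reach this service?

    An enabled service with an empty allow list accepts every source, which is
    exactly the hole Rules 3 and 4 warn about. A comparison between an IPv6
    address and an IPv4 prefix is simply False, so an IPv6 source never slips
    past an IPv4-only list.
    """
    if not rule.enabled:
        return False
    if not rule.allow_list:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in rule.allow_list)


def audit(iface):
    """Return one finding per violated rule; an empty list means the interface is clean."""
    findings = []
    if iface.kind == "cellular" and iface.trusted and not iface.private_apn:
        findings.append(f"{iface.name}: cellular interface is Trusted without a private APN (Rule 1)")
    for rule in iface.services:
        if not rule.enabled or rule.name == "vpn":   # VPN is the only traffic permitted by default
            continue
        if not rule.allow_list:
            which = "Rule 4" if rule.name in HIGH_RISK_SERVICES else "Rule 3"
            findings.append(f"{iface.name}: {rule.name} is open to any source ({which})")
        elif whitelisted_address_count(rule.allow_list) > MAX_WHITELISTED_ADDRESSES:
            count = whitelisted_address_count(rule.allow_list)
            findings.append(f"{iface.name}: {rule.name} white list admits {count} addresses (Rule 3)")
    return findings


# Constructed sample configurations (RFC 5737 documentation addresses, not real hosts).
WEAK = Interface("cell0", "cellular", trusted=False, services=[
    ServiceRule("vpn", True),
    ServiceRule("web", True),                   # no white list: reachable from the whole Internet
    ServiceRule("ssh", True),                   # the Rule 4 / Rule 6 mistake
    ServiceRule("ftp", True, ["0.0.0.0/0"]),    # a "white list" that admits everyone
])
HARDENED = Interface("cell0", "cellular", trusted=False, services=[
    ServiceRule("vpn", True),
    ServiceRule("web", True, ["198.51.100.7/32", "203.0.113.0/28"]),  # one office host plus a small SCADA range
    ServiceRule("ssh", False),
    ServiceRule("ftp", False),
])
TRUSTED_CELL = Interface("cell1", "cellular", trusted=True)   # the Rule 1 mistake

if __name__ == "__main__":
    for iface in (WEAK, HARDENED, TRUSTED_CELL):
        for line in audit(iface) or [f"{iface.name}: no findings"]:
            print(line)
```

Run against the weak configuration the audit produces three findings (web and SSH open to any source, FTP behind a list that admits every IPv4 address); the hardened one produces none, and its web service answers only the two office prefixes.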
Rule 5 – Make Sure You Have Good Passwords
Factory DA50A and DA70A units ship with high-entropy, device-specific passwords for both their Linux accounts and the Crimson system web server. Devices converted from DA50N and DA70N units, however, have weak Linux passwords: the last six digits of the serial number, a counter that restarts at 000001 with each daily date code change. An attacker who knows this can typically guess the password in fewer than 100 attempts. Luckily, most bots mounting attacks do not know this and run dictionary attacks without trying simple numeric passwords, but suffice it to say that opening SSH on a converted N unit is a recipe for disaster. On such units, the UI password should also be changed from its default, and on all units, the Crimson runtime web server should be secured, ideally using form security. (Form security is harder for an automated attacker to figure out than HTTP security, and it also provides a better user experience.)
Rule 6 – Did I Mention SSH Was a Bad Idea?
Just don’t do it. There is no benefit. And it will end badly.
Disclaimer
It is the customer's responsibility to review the advice provided herein and its applicability to the system. Red Lion makes no representation about specific knowledge of the customer's system or the specific performance of the system. Red Lion is not responsible for any damage to equipment or connected systems. The use of this document is at your own risk. Red Lion standard product warranty applies.
For more information: http://www.redlion.net/support/policies-statements/warranty-statement