Webinar - DrayTek Network Security Solutions


Hello everyone and welcome to i-LAN Technology's presentation where we'll examine DrayTek network security solutions. With the increasing number of internet-related network security threats, network administrators need to stay one step ahead of cyber attackers. In today's presentation, I'll review what DrayTek offers to protect your router and data network and provide some tips to help you improve network security. My name is Darren and I'm the Queensland Sales Rep at DrayTek Australia and New Zealand. I'll start by discussing what is meant by network security, then introduce cyber attacks and how they can affect your network and organisation. Then we'll look at the security features built into DrayTek routers and how to use these to protect a network.

If you have any questions during the video, please comment in the chat box on the right side of the screen and stick around at the end for a five-minute Q&A session. Don't forget you can pause the video if you'd like a longer look at anything or skip back anytime if you'd like to hear it again. Let's start with what is meant by the term network security. Network security is any activity designed to protect the usability and integrity of the network and its data. It includes both hardware and software technologies and targets various threats.

It stops these threats from entering or spreading on your network. Essentially, effective network security manages access to the network. There are several reasons to invest in network security. Some of these are to protect business data, which often contains sensitive information that, if compromised, can result in data breaches, identity theft, fraud, espionage or legal liabilities. In addition, if a network is compromised or attacked, it can damage the business's reputation and credibility. Productivity is another vital asset for a business.

It reflects efficiency, effectiveness and profitability in the market. If the network is compromised or attacked, it can disrupt operations and services. Finally, it may be required to comply with various regulations or standards for a particular industry. Now let's look at cyber attacks. What are they and what can we do about them? Here's the definition of the term cyber attack. Essentially a cyber attack is an attempt to gain access to a network from the internet with the goal of disrupting, disabling, destroying or gaining control of the network infrastructure.

The main aim of cyber criminals in most cases is to steal personal or financial information for financial gain. There are many methods used by cyber criminals to gain access to or disrupt networks and services. These include denial of service attacks, phishing attacks, ransomware, malware, man-in-the-middle attacks, whale phishing attacks, spear phishing attacks, password attacks, SQL injection attacks as well as many others not listed here.

Every day we hear in the news that there has been another cyber attack on some organisation somewhere around the world, so there's a constant need to harden the security of a network. Cyber attacks can come from different angles as mentioned previously. One of them, denial of service attacks, can cause a server to become inaccessible from the internet. Spoofing attacks attempt to log into a router or even attempt to gain access through VPN connections.

So what can we do about it? Let's look at what we can do to improve network security. Firewalls are usually the first line of defense to protect a network. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks such as the internet. It's important to remember that firewalls cannot protect against viruses coming from infected media such as an infected office document that a staff member might bring in on a USB flash drive. This will circumvent any security measures you have in place and requires the use of antivirus software installed on PCs to minimise this risk. DrayTek routers have several features which can protect against threats from the internet.

Let's take a look. Here they are, these features are free and do not require license fees except if you want to use the Web Content Filter, now known as URL Reputation and IP Reputation which is a new feature with daily updates being added to later model high-end routers. Most of these are easy configuration changes that can help with network security while others are built-in features that only need to be enabled. Let's go over each of these in more detail. First up, DrayTek release regular firmware updates.

Ensure your router has the latest firmware version installed as it usually includes the latest security patches. For example, the latest firmware includes a fix for a cross-site scripting vulnerability which could have allowed a hacker to modify the wlogin.cgi script and userlogin.cgi script of the router's web application management portal. More information on firmware security fixes is available on the DrayTek Security Advisory webpage shown here. Many routers on the market use the same default password for management, making it easy for an attacker to gain access to them. So ensuring that the default login credentials are changed as soon as the router is put into service will improve security.

To change the router login password, go to the System Maintenance > Administrator Password page and use a secure password. Use a maximum of 83 characters and have at least one upper case and a non-alphanumeric character and remember to change the password often. With later firmware versions, you will be forced to change the router's password if it is left at the default setting. If you need to access the router remotely to manage it, then it's recommended to restrict access to only known sources.

You can do this by using the Access List function in System Maintenance > Management tab. This way only the IP addresses listed in the access list will be able to get access. Beware not to lock yourself out while doing this. When accessing the router management page over a VPN connection, you can also restrict access by entering the peer IP address of the VPN connection. This will be the IP address of the PC at the other end of the tunnel. This way only authorised users will be able to access the router management page.

Another option you can use is to enable the validation code option which appears when you try to log into the router's admin web user interface. Each time anyone then tries to log into the router, they'll need to enter the temporary code that appears. This can protect the router from bot attacks where an automated bot or application continues to try a list of passwords found in a password list. Given enough time, any common password can be cracked, but if you need to enter a validation code with each attempt, then the job becomes much more difficult.

While this still may not provide 100% protection, the idea is to make the job much harder so that the hacker moves on to find an easier target. Two-factor authentication provides strong protection against hacking, so it's a good idea to take advantage of it whenever it's available. This option is found in the VigorACS 2 or 3 network management platforms. It makes use of an app on a smartphone which makes it easier to sync the second factor of authentication. You may have come across two-factor authentication before where you receive a validation code via text message on your mobile phone number. That code then has to be entered, along with the correct username and password, in order to gain access.

In a moment, I'll also go over another instance where two-factor authentication can be used in a remote dial-in VPN connection using DrayTek's SmartVPN Client. Another tip is to change the management ports in the router. The default ports used are well known, so changing the values to different numbers will make it more difficult for hackers to guess. However, a more secure way to manage a router is to disable management from the internet completely and use a VPN to access the router management page. It's also recommended to enable brute force protection in the management setup page.

Brute force protection for VPN is now available in the latest firmware versions. I mentioned an example of a brute force attack when talking about validation codes. These are when a hacker tries to log into the router remotely, and they have no idea what the password is, so they'll try every possible passphrase until the correct login password is eventually found.

Enabling brute force protection allows the router to identify an IP address that has failed many login attempts and block them for a set period. Next we can use the firewall features in the router. One is DoS defense, which helps prevent denial of service attacks.

DoS (denial of service) is a networking attack that makes devices unavailable by flooding them with fake connection requests. These attacks are usually categorised into two types, flooding type attacks and vulnerability attacks. Flooding type attacks will attempt to exhaust all your system's resources, while vulnerability attacks will try to paralyse a system by taking advantage of vulnerabilities of the protocol or operating system.

Another firewall setting that can be enabled is spoofing defense. This prevents hackers from modifying the packet header source address to appear as if coming from a trusted source, such as another computer on a local network, and accepting it. It can be applied to WAN and LAN data packets. A new firewall feature is IP reputation defense, which is currently available in the Vigor3912S router, but will be added to other higher-end routers in due course.

It's part of the Web Content Filter license and works by analysing the reputation of the IP addresses attempting to connect to the router and blocking any identified as associated with known malicious activity. This helps prevent attacks from known malicious IP addresses and reduces the risk of security breaches. It uses BrightCloud, which gives every IP address a score or reputation based on its security risk. So, a score between 1 and 20 is high risk, and a score over 81 is trustworthy.

To see how the reputation score works, we have two examples here. On the left, we have a score of 88 for draytek.com, making it a trustworthy website. But on the right, the site proftrafficcounter.com has a score of 10, making it a high-risk site and is classified as a malware site. Let's now look at how IP reputation works.

The Vigor3912 router updates its IP reputation cache from BrightCloud every five minutes. The router cache stores high-risk IP addresses with an IP reputation score between 1 and 20. The size of the cache can be adjusted in the Firewall > Defense Setup > IP Reputation Defense menu page. So, incoming connections from IP addresses with bad reputations are dropped and the IP address is stored in the router's IP reputation cache. Another best practice is to disable any unneeded VPN services.

This closes some doors for hackers. In later firmware versions, DrayTek have disabled some of these services by default, so you will need to enable the required service if you need to use it. Similarly, you should always disable unused services such as Telnet, SNMP and SSH. You can even limit access to the management console to certain LAN subnets. The syslog is a very powerful tool that will record a lot of events and will sometimes show attempts to start a VPN tunnel or the IP address of a possible attacker.

A USB flash drive is adequate to collect the logs from the router. Also, when collecting syslogs, it's a good idea to ensure that the correct time and date is configured in the router so that the syslog entries will have the correct timestamp. This helps to work out when an event occurred. It's good practice to check the router syslogs on a regular basis to check if there have been attempts to gain access to your network. Here's an example of an attempted login attempt from the internet.

Here's another example of an attempted VPN login. All of those "maximum retries exceed" messages indicate a possible brute force attack and will give you an idea of what to look for when checking the syslogs. Another good idea is to make passwords as long as possible. An easy and effective way to do this is to use sentences or several common words stuck together to make it longer.

According to a number of security experts, just having a sentence as your password can create a nightmare for hackers. The advantage in using a sentence is that it's much easier to remember than a string of random characters, and it's also more secure when used in the proper manner. In addition to using secure passwords, it's recommended to change them on a regular basis. That way, if someone has managed to guess one, they'll be cut off and have to start the process all over again.

Do that often enough and they're not likely to keep trying. Another tip I mentioned earlier is to consider using two-factor authentication for web or mOTP (Mobile One Time Password) for dial-in VPN login connections. The mOTP app, which can be downloaded and installed on a smartphone, manages the time-based authentication and password response with its securely held mOTP secret. The end user doesn't need to know the mOTP secret value, just the username and four-digit PIN.

To connect the VPN tunnel, the user enters their VPN username and one-time VPN password, which is generated by entering their PIN into the mOTP app. Security certificates. Vigor routers allow administrators to create and sign a custom certificate for SSL VPN and HTTPS connections. Due to security concerns, it is strongly recommended to have a unique private key on each device for self-signed SSL.

A recommended practice in the event of an attack is to re-sign and change the default security certificates, just in case they were compromised. More details on how to generate a customised self-signed certificate and then replace the default one on Vigor routers is covered in Knowledge Base Article 5135, shown in the link shown here. I'll include that link in the description below. A security feature in the Vigor3912 is Suricata.

This is an open-source network intrusion detection and prevention system (IDS/IPS) feature. It provides real-time monitoring and analysis of network traffic and is designed to detect and respond to various network-based threats and attacks. In addition, we now have the new Smart Action feature that can block IP addresses or perform another action if an event is detected in the console or Suricata logs. Finally, DrayTek Vigor routers provide an internal RADIUS server, which can be used as the authentication server for 802.1x authentication.

More details in Knowledge Base Article 5146. Okay, let's take a look at a new security approach taken by DrayTek, which will be available in the new DrayOS 5 routers such as the Vigor2136. This is the Zero Trust Security strategy. The concept of the Zero Trust Security model is "Never trust, always verify". So instead of assuming everything behind the firewall is safe, the Zero Trust model verifies each request as though it originates from an untrusted network.

In other words, servers are in a protected area; all users must be authorised or verified first. This means that by default, all devices on a network should not be trusted, even if connected to a permissioned network such as a corporate LAN or previously verified. Using a VPN tunnel is one method that can be used.

But what exactly is the advantage of assuming everything is hostile? I'm glad you asked. There are several benefits to using Zero Trust network architecture that I've listed here. Zero Trust starts with the default "deny" state for everyone and everything, so whenever a user or device requests access to the protected network, they must first be verified before access is granted. Access is usually via an encrypted connection, such as a VPN. There are three critical components in a Zero Trust network.

These are: user application authentication or identity access management (IAM), device authentication and trust. With the Vigor3910, a Zero Trust network can be set up as shown in this diagram. Local users are placed on the WAN side of the router and then use a VPN connection to access the servers in the protected zone. More details are in Knowledge Base Article 10648 at the link shown here. In later firmware versions of the Vigor3910, there is an option to allow a dial-in VPN connection from another LAN on the router. This removes the need to connect from the router's WAN side.

Here we have the config menu option where you can select from which LAN users can establish the dial-in VPN connection. A further enhancement to this type of security is to prevent VPN users from being able to communicate with each other since they will be on the same LAN subnet when connected to the secure network. To do this, simply select the option "Isolate VPN users from each other". The newly released DrayOS 5 routers are Zero Trust ready. These routers include the identity and access management features which include: micro-segmentation, conditional IAM and adaptive firewall.

With IAM, each user within a VLAN must be identified before accessing a resource in the protected zone. Here's a peek at the IAM menu available in the Vigor2136 router. In DrayOS 5 routers, the first step is to set up the LANs and the associated VLANs. Then, access and group policies can be set for each VLAN.

The next step is to configure IAM. Here, access policies are created to control user access to protected resources. By default, identity access control is disabled.

You can set up an allow or block list or log in with a built-in user function. The MAC address filter can be entered manually or selected from a profile. Setting up a profile may be the best way to go about it. The filter mode can be either allow list or block list and then added to the list using the MAC address filter table. Access to resources can be done according to IP or MAC addresses. A more detailed explanation of the configuration process will be covered in an upcoming webinar on user management in DrayOS 5 routers.

So, to summarise, today we briefly looked at what cyberattacks are and what steps you can take to protect your router and your network from these attacks. This included looking at what security features are available in DrayTek routers. We finished by looking at Zero Trust Network security and how it's applied to DrayTek routers, including the newly released Vigor2136. Okay, that's it for me, but please stay tuned. Our technical team will be answering questions in the live chat on the right of your screen for the next five minutes. If you're watching this after the live premiere, please comment below or send us an email.

For more information about DrayTek products, please check out our website at www.draytek.com.au or send us an email to sales@draytek.com.au or give us a call on 02-9838-8899. Don't forget to like and subscribe below and if you'd like a notification of new premiere videos we're about to launch or any time we put up a new video, please select "All" from the subscribe drop down menu as well. Thanks and bye for now.

Question time [Music] The end.
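
As an added example (not part of the webinar and not DrayTek code), the brute force protection and syslog review described in the talk can be modelled as a sliding-window counter of failed logins per source IP, with a block for a set period once a threshold is reached. The log layout, event names, thresholds and the `parse` and `simulate_lockout` helpers are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample; layout and event names are assumed, not DrayTek's format.
SAMPLE_LOG = """\
2025-02-05 04:40:00 WEB_LOGIN_FAIL src=203.0.113.7
2025-02-05 04:40:05 WEB_LOGIN_FAIL src=203.0.113.7
2025-02-05 04:40:09 VPN_LOGIN_FAIL src=198.51.100.23
2025-02-05 04:40:11 WEB_LOGIN_FAIL src=203.0.113.7
2025-02-05 04:40:20 WEB_LOGIN_OK src=192.0.2.10
2025-02-05 04:40:30 WEB_LOGIN_FAIL src=203.0.113.7
2025-02-05 04:40:41 WEB_LOGIN_FAIL src=203.0.113.7
2025-02-05 04:41:00 WEB_LOGIN_FAIL src=203.0.113.7
garbled line without the expected fields
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
                     r"(?P<event>[A-Z_]+) src=(?P<ip>\S+)$")

def parse(line):
    """Return (timestamp, event, ip), or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = str(ipaddress.ip_address(m["ip"]))
    except ValueError:
        return None
    return ts, m["event"], ip

def simulate_lockout(lines, max_failures=5, window=timedelta(seconds=60),
                     penalty=timedelta(minutes=5)):
    """Block a source after max_failures failed logins inside window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked_until = {}            # ip -> end of the current penalty period
    report = defaultdict(lambda: {"blocks": [], "dropped": 0})
    for line in lines:
        rec = parse(line)
        if rec is None or not rec[1].endswith("_FAIL"):
            continue
        ts, _, ip = rec
        if ip in blocked_until and ts < blocked_until[ip]:
            report[ip]["dropped"] += 1   # attempt arrives while blocked
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # forget failures outside the window
            q.popleft()
        if len(q) >= max_failures:
            blocked_until[ip] = ts + penalty
            report[ip]["blocks"].append((ts, ts + penalty))
            q.clear()
    return dict(report)

if __name__ == "__main__":
    print(simulate_lockout(SAMPLE_LOG.splitlines()))
```

Accurate timestamps matter here for the reason given in the talk: the window and penalty arithmetic is only meaningful if the router clock is set correctly.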

2025-02-05 04:45
