This article goes over the basic security measures that we recommend must be implemented as a bare minimum in any network.
Table of Contents
The Ubiquiti Community is a big and varied family, with users of different knowledge levels, different networking needs, and different applications. One of the larger groups of Ubiquiti users are the service-providers: WISPs who provide internet service to their clients, and are responsible for those clients' security. We understand the importance of this relationship and the responsibility it entails. We want our users' clients to be satisfied, it is in our best interest as well. And in networking, security is key for customer satisfaction.
This article reviews easy, security basics all users can—and should apply. But beyond these measures, a network administrator's best weapon is adaptability. Network security is a constant and ever-changing battle: while an admin is busy making sure his network safe, someone on the other side is working to find a vulnerability. Security will always be moving and shifting, an administrator's job is to reevaluate often, adapt and improve, shifting as the networking world shifts around him.
Use a Password Manager
A significant number of Ubiquiti equipment was recently exploited by malware. Sadly, this could have been prevented by something as simple as stronger passwords. In most cases, the clients exploited were found to be using user-default or weak passwords. These kind of exploits are the easiest to avoid with a very simple measure: unique and random (strong) passwords. And you will not be able to use a truly strong password if you are just counting on your memory to remember your passwords. So our first advice is:
Do not try to remember your passwords, let your computer do that for you. There are three common mistakes administrators make regarding passwords. All three of them because they are trying to hold these passwords in their mind, instead of in a password manager. A few examples of good password managers are: LastPass, Dashlane and 1Password.
- Using a weak password: a common example of this is a keyboard pattern (starting on Z and working up to 1 and back down to X). Yes, it's easy to remember, and also very easy to guess. The best password is one that no one can remember, including yourself. A random string of keys and numbers that have no meaning will be virtually impossible to decipher.
- Using the same password for all devices: an administrator managing 100 devices for one client will usually use the same password for all, because again, who can remember 100 different passwords? The problem with this is, if one of the devices in the network is somehow compromised, the remaining 99 will also fall prey to that same attack.
- Never changing passwords: another common mistake is to use the same password for long periods of time. The more often passwords are changed, the more secure they are. Avoid using the same base password and changing the last two digits, as well. When you change a password, change it completely.
Update Your Devices
In the networking world, bugs and vulnerabilities are a given. Even with the strongest of firmwares, there are hundreds of people that at any given time are trying to find a way in. Knowing this, a strong company isn't one that creates invulnerable equipment—it's the one that pays attention, and works hard at fixing those vulnerabilities when they are found. In Ubiquiti we have devoted considerable amounts of resources to fight off these attacks. HackerOne is an example.
The way HackerOne works is: hackers around the world report vulnerabilities to Ubiquiti instead of exploiting them and in turn, they are rewarded with a bounty. This means though, these vulnerabilities are caught when they have already been released (be it in public, beta or alpha releases). Our developers will then immediately go to work, patching up the vulnerability found. The fix for this vulnerability will be available in a next release—not in the current one. So, knowing this: the safest release will always be the newest release. Upgrading is crucial to network security. When users do not update their firmware, they are exposing themselves to an attacker who can easily use an old, known vulnerability to compromise their devices.
Avoid Exposing Devices Unnecessarily
Prevention is one of the best ways to stay safe. If it can't be accessed, it can't be compromised. Unfortunately, it is very common to find Ubiquiti devices exposed to the internet (using non-private IP addresses). This isn't necessarily wrong, but it should be avoided whenever possible.
If a particular device does not need to be accessed by the internet, it is best to disable remote management on the interface that is exposed to the internet. This is why in all our recent releases, remote management is disabled by default.
If you definitely need to access a device remotely though, you can minimize exposure by only exposing your gateway SSH port, and powering off the "-D" parameter in the SSH client (find a sample tutorial here). This parameter create a "Socks Proxy" that allows users to access the network from the gateway point of view, similar to a VPN.
Using this Proxy technique you would be able to access the whole internal network, and yet only have one service in one device exposed to the internet.