Our organization currently has a number of GX, LS and RV series modems in the field. A recent malware attack has forced us to revisit how we secure these modems, which are assigned a public IP address.
The devices in the field are connected to traffic sensors which utilize specific IP ports as a means to configure, collect and manage roadside traffic data. Since the IPs of the modems are public and hackers see public infrastructure as fair game and easy targets, we are looking for security solutions that are sound but do not dramatically change the way we do business, as our customers expect the same service as they do today.
Tactics such as password hardening, port blocking, whitelisting, and others have been implemented. We have implemented LDAP and RADIUS as a means to control access to the modem itself.
With this in mind, is there an easy means of authenticating any user that connects to the modem and utilizes a specific port via IP? We would like to block all unused IPs but require authentication to use any open port.
Any past life experiences or feedback regarding this scenario would be welcome.
You should only be able to access services on the modem that are enabled. Turn off telnet, SSH, etc., if you aren’t using them and force remote access to ACEmanager to only use SSL. You can even set it where only a specific set of addresses have access to ACEmanager. Set a strong password for management of the modem and call it a day. I’ll assume from the limited info you left that your modems were hit by Mirai. A non-default password on the modem would have mitigated that issue. I’m managing “several” devices on static IP addresses, and that’s how I have them set up.
However, if you are forwarding ports to devices on the LAN side of the modem or placing a specific LAN IP in the DMZ, you will need to take the necessary precautions to secure those devices or services. Nothing to do with the modem in that context, since it is only forwarding traffic as you asked it to, and the problem in that case is with the security on your traffic sensors.
Another option would be contacting your cellular provider to see if a private APN might be an option for you. I have “a few” devices set up that way too. The only way to access those devices is for traffic to originate from our internal network. So either be physically located here or authenticated via VPN. Of course we have a couple of applications that are accessible from the outside world on these systems, and it’s a simple port forward (a NAT rule really) to allow the traffic into the private network.