Hardening EdgeRouter Lite – Part 3


This blog post is part of a series on EdgeRouter Lite. You may want to check them all out!

Date Title Description
03/13/16 My Home Router – EdgeRouter Lite Quick introduction to EdgeRouter Lite
04/09/16 Ubiquiti’s EdgeOS CLI Introduction EdgeOS CLI Primer
05/01/16 How to configure EdgeRouter Lite via CLI – Part 1 EdgeOS configuration guide for CLI junkies
05/01/16 How to configure EdgeRouter Lite via CLI – Part 2 EdgeOS configuration guide for CLI junkies
12/03/16 Hardening EdgeRouter Lite – Part 1 Basic management hardening
12/04/16 Hardening EdgeRouter Lite – Part 2 EdgeOS with two-factor authentication
12/06/16 Hardening EdgeRouter Lite – Part 4 Remote Access VPN with two-factor authentication

Introduction

The first two hardening posts in this EdgeRouter Lite series focused on authentication. This post focuses on restricting which hosts can reach the management plane at all. To do that, we create a firewall policy on the router and attach it, as a local policy, to every LAN interface and sub-interface. This post shows what that policy needs to contain.

Management ACL

Restricting the management services to listen on a single address limits where they can be reached; it is also good practice to restrict which source addresses or networks are allowed to reach them. The EdgeOS firewall supports address groups and network groups, which let a single rule reference more than one address or prefix. Without further ado, below is an example firewall policy that can be applied to an EdgeRouter Lite.

Firewall group

First, gather the source IP addresses or network prefixes that will be allowed to connect to the EdgeRouter Lite. These hosts should be among the most secure computers on the network: all traffic traverses the router, so we do not want an attacker who compromises a management host to take control of it. For example, my Linux hosts have 2FA enabled for both SSH and console access.

An address-group holds individual IP addresses (here, the two hosts allowed to SSH to the router):

set firewall group address-group SSH-TRUSTED address 192.168.254.100
set firewall group address-group SSH-TRUSTED address 192.168.254.101

A network-group holds network prefixes (here, the two subnets allowed to reach the web GUI):

set firewall group network-group GUI-TRUSTED network 192.168.253.0/24
set firewall group network-group GUI-TRUSTED network 192.168.254.0/24

Firewall policy

Once the groups exist, we can create the firewall rules that reference them.

The first three lines define the policy itself and what many people call the catch-all: the default action applies to any packet that none of the numbered rules below matches. With default-action drop, everything not explicitly allowed is dropped, and enable-default-log records those drops in the log.

set firewall name LAN-LOCAL default-action drop
set firewall name LAN-LOCAL description 'LAN IPv4 inbound traffic to the router'
set firewall name LAN-LOCAL enable-default-log

The next firewall rule is technically redundant, because the catch-all already drops anything not explicitly allowed, but I like to add it in the beginning. In my environment, this rule has one of the lowest numbers, so it is safe to move it to the end of the firewall policy if you feel so inclined, or to leave it out since the catch-all rule will drop this traffic. One side effect worth knowing: the default action is logged, while this rule has log disable, so keeping it silently discards invalid-state packets instead of filling the log with them.

set firewall name LAN-LOCAL rule 10 action drop
set firewall name LAN-LOCAL rule 10 description 'Drop invalid state'
set firewall name LAN-LOCAL rule 10 log disable
set firewall name LAN-LOCAL rule 10 state invalid enable

I will leave the next rule at your discretion. Some people allow ICMP to the router for troubleshooting (ping, traceroute) and some do not. Note that as written it accepts ICMP from any source, not only from the trusted groups.

set firewall name LAN-LOCAL rule 20 action accept
set firewall name LAN-LOCAL rule 20 description 'Allow ICMP'
set firewall name LAN-LOCAL rule 20 log disable
set firewall name LAN-LOCAL rule 20 protocol icmp

The next rule depends on whether you run SNMP. I run the free PRTG Network Monitor in my environment, so I have to add it. The rule accepts UDP port 161 only from the NMS address, so polling attempts from any other host fall through to the catch-all and are dropped.

set firewall name LAN-LOCAL rule 30 action accept
set firewall name LAN-LOCAL rule 30 description 'Allow SNMP'
set firewall name LAN-LOCAL rule 30 destination port 161
set firewall name LAN-LOCAL rule 30 log disable
set firewall name LAN-LOCAL rule 30 protocol udp
set firewall name LAN-LOCAL rule 30 source address 192.168.200.200

These next rules are the ones that actually restrict which source addresses and prefixes may open management connections to the EdgeRouter Lite: SSH is limited to the SSH-TRUSTED address group, and the web GUI to the GUI-TRUSTED network group. If you have disabled GUI access, there is no point in adding the HTTP and HTTPS rules; if you keep the GUI but only ever browse to it over HTTPS, rule 60 can be left out as well.

set firewall name LAN-LOCAL rule 40 action accept
set firewall name LAN-LOCAL rule 40 description 'Allow SSH'
set firewall name LAN-LOCAL rule 40 destination port 22
set firewall name LAN-LOCAL rule 40 log disable
set firewall name LAN-LOCAL rule 40 protocol tcp
set firewall name LAN-LOCAL rule 40 source group address-group SSH-TRUSTED
set firewall name LAN-LOCAL rule 50 action accept
set firewall name LAN-LOCAL rule 50 description 'Allow HTTPS'
set firewall name LAN-LOCAL rule 50 destination port 443
set firewall name LAN-LOCAL rule 50 log disable
set firewall name LAN-LOCAL rule 50 protocol tcp
set firewall name LAN-LOCAL rule 50 source group network-group GUI-TRUSTED
set firewall name LAN-LOCAL rule 60 action accept
set firewall name LAN-LOCAL rule 60 description 'Allow HTTP'
set firewall name LAN-LOCAL rule 60 destination port 80
set firewall name LAN-LOCAL rule 60 log disable
set firewall name LAN-LOCAL rule 60 protocol tcp
set firewall name LAN-LOCAL rule 60 source group network-group GUI-TRUSTED

The last rule accepts any traffic in the established or related state, that is, packets belonging to a connection the router has already accepted or initiated (including your current management session once the policy is committed). Because it sits last, every new packet is checked against rules 10 through 60 first, which is fine for a local policy of this size. Check this site to understand the states.

set firewall name LAN-LOCAL rule 70 action accept
set firewall name LAN-LOCAL rule 70 description 'Allow Established'
set firewall name LAN-LOCAL rule 70 log disable
set firewall name LAN-LOCAL rule 70 protocol all
set firewall name LAN-LOCAL rule 70 state established enable
set firewall name LAN-LOCAL rule 70 state related enable

Apply the firewall policy

Now, we need to attach the policy to every LAN interface, including VLAN sub-interfaces (vif), as a local firewall, i.e. the chain that filters traffic destined to the router itself rather than traffic forwarded through it. Any interface left without the binding keeps unrestricted access to the management services, so go through the complete interface list. Note that this policy is IPv4 only; if the router has IPv6 addresses on the LAN, management traffic over IPv6 needs a separate ipv6-name policy attached with firewall ipv6-local.

set interfaces ethernet eth1 firewall local name LAN-LOCAL
set interfaces ethernet eth2 firewall local name LAN-LOCAL
set interfaces ethernet eth1 vif 10 firewall local name LAN-LOCAL
set interfaces ethernet eth1 vif 50 firewall local name LAN-LOCAL
set interfaces ethernet eth1 vif 100 firewall local name LAN-LOCAL
set interfaces ethernet eth1 vif 200 firewall local name LAN-LOCAL
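To see what the policy above actually does once it is bound to an interface, here is an added example (my own code, not from this post or from Ubiquiti) that parses the EdgeOS set lines for the groups, the LAN-LOCAL policy and the interface bindings, then walks constructed sample packets through the rules in ascending order the way the router does. It assumes the configuration shown in this post with descriptions, log settings and the HTTP rule left out, the conntrack state is supplied by hand rather than derived from real traffic, and eth0 is deliberately left without a binding; the Packet, Rule, parse and evaluate names are mine.

```python
import ipaddress
import shlex
from dataclasses import dataclass, field

# Constructed input: the groups, LAN-LOCAL rules and interface bindings from this
# post (descriptions, log settings and the HTTP rule omitted); eth0 is left unbound.
CONFIG = """\
set firewall group address-group SSH-TRUSTED address 192.168.254.100
set firewall group address-group SSH-TRUSTED address 192.168.254.101
set firewall group network-group GUI-TRUSTED network 192.168.253.0/24
set firewall group network-group GUI-TRUSTED network 192.168.254.0/24
set firewall name LAN-LOCAL default-action drop
set firewall name LAN-LOCAL rule 10 action drop
set firewall name LAN-LOCAL rule 10 state invalid enable
set firewall name LAN-LOCAL rule 20 action accept
set firewall name LAN-LOCAL rule 20 protocol icmp
set firewall name LAN-LOCAL rule 30 action accept
set firewall name LAN-LOCAL rule 30 destination port 161
set firewall name LAN-LOCAL rule 30 protocol udp
set firewall name LAN-LOCAL rule 30 source address 192.168.200.200
set firewall name LAN-LOCAL rule 40 action accept
set firewall name LAN-LOCAL rule 40 destination port 22
set firewall name LAN-LOCAL rule 40 protocol tcp
set firewall name LAN-LOCAL rule 40 source group address-group SSH-TRUSTED
set firewall name LAN-LOCAL rule 50 action accept
set firewall name LAN-LOCAL rule 50 destination port 443
set firewall name LAN-LOCAL rule 50 protocol tcp
set firewall name LAN-LOCAL rule 50 source group network-group GUI-TRUSTED
set firewall name LAN-LOCAL rule 70 action accept
set firewall name LAN-LOCAL rule 70 protocol all
set firewall name LAN-LOCAL rule 70 state established enable
set firewall name LAN-LOCAL rule 70 state related enable
set interfaces ethernet eth1 firewall local name LAN-LOCAL
set interfaces ethernet eth1 vif 10 firewall local name LAN-LOCAL
"""

@dataclass
class Rule:
    action: str = "drop"
    protocol: str = "all"
    states: set = field(default_factory=set)     # empty = any conntrack state
    dports: set = field(default_factory=set)     # empty = any destination port
    sources: list = field(default_factory=list)  # ip_network objects; empty = any
    groups: list = field(default_factory=list)   # group names, resolved at match time

@dataclass
class Packet:
    iface: str            # ingress interface, e.g. 'eth1' or 'eth1.10'
    src: str
    proto: str            # 'tcp', 'udp' or 'icmp'
    dport: int = 0
    state: str = "new"    # new / established / related / invalid (supplied by hand)

def parse(config):
    """Turn EdgeOS 'set' lines into (groups, policies, interface bindings)."""
    groups, policies, bindings = {}, {}, {}
    for line in config.splitlines():
        t = shlex.split(line)
        if t[:3] == ["set", "firewall", "group"]:
            groups.setdefault(t[4], []).append(ipaddress.ip_network(t[6], strict=False))
        elif t[:3] == ["set", "firewall", "name"]:
            pol = policies.setdefault(t[3], {"default": "drop", "rules": {}})
            if t[4] == "default-action":
                pol["default"] = t[5]
            elif t[4] == "rule":
                r, k = pol["rules"].setdefault(int(t[5]), Rule()), t[6:]
                if k[0] == "action":
                    r.action = k[1]
                elif k[0] == "protocol":
                    r.protocol = k[1]
                elif k[0] == "state" and k[2] == "enable":
                    r.states.add(k[1])
                elif k[:2] == ["destination", "port"]:
                    r.dports.add(int(k[2]))
                elif k[:2] == ["source", "address"]:
                    r.sources.append(ipaddress.ip_network(k[2], strict=False))
                elif k[:2] == ["source", "group"]:
                    r.groups.append(k[3])
        elif t[:2] == ["set", "interfaces"] and t[-3:-1] == ["local", "name"]:
            iface = t[3] + ("." + t[5] if t[4] == "vif" else "")  # eth1 vif 10 -> eth1.10
            bindings[iface] = t[-1]
    return groups, policies, bindings

def matches(rule, pkt, groups):
    nets = rule.sources + [n for g in rule.groups for n in groups[g]]
    return (rule.protocol in ("all", pkt.proto)
            and (not rule.states or pkt.state in rule.states)
            and (not rule.dports or pkt.dport in rule.dports)
            and (not nets or any(ipaddress.ip_address(pkt.src) in n for n in nets)))

def evaluate(pkt, parsed):
    """Walk the bound policy in ascending rule order, as EdgeOS does. Returns (verdict,
    rule): a rule number, 'default' for the catch-all, or None if nothing is bound."""
    groups, policies, bindings = parsed
    if pkt.iface not in bindings:
        return "accept", None      # no 'firewall local' here: the router is unguarded
    pol = policies[bindings[pkt.iface]]
    for num in sorted(pol["rules"]):
        if matches(pol["rules"][num], pkt, groups):
            return pol["rules"][num].action, num
    return pol["default"], "default"

PARSED = parse(CONFIG)
```

evaluate(Packet("eth1", "192.168.254.50", "tcp", 22), PARSED) returns ("drop", "default") because that host is inside GUI-TRUSTED but not in SSH-TRUSTED, while the same packet with state "established" returns ("accept", 70), which is what keeps your existing SSH session alive when you commit the policy. A packet arriving on eth0 returns ("accept", None): nothing filters it, which is why every LAN interface and vif needs the binding.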

Save config

Now, we need to activate the configuration with commit and then persist it across reboots with save.

Verification

Before logging out of your current SSH or HTTPS session, open a second connection to the EdgeRouter Lite from a host in the trusted group. The existing session survives the commit because its packets match the established rule, so it keeps you from being locked out if there is a mistake in the ACL. Then try from a host that is not in the group and confirm the connection is dropped; the drop should show up in the log thanks to enable-default-log, and the per-rule hit counters are visible with show firewall name LAN-LOCAL statistics. If you have a Network Management System (NMS), make sure that SNMP polling still works as well.

Final Words

Any traffic destined to the EdgeRouter Lite itself must be restricted. We already did this on the WAN side; the LAN side needs the same treatment. Keep the allowed list as short as possible: only systems that must have router access belong on it, and those computers should have strong security controls of their own so that compromising one of them does not hand an attacker the router.

In the next blog post, I am going to talk about securing the remote access VPN. That post will address the security concerns in my guide on how to configure EdgeRouter Lite.



About Andrew Roderos

As an IT professional, I have a strong passion for technology and a desire to learn more about it. Technologies that I am mostly interested in are computer networking, network security, virtualization, and programming. Outside of the information technology world, I enjoy traveling, reading science fiction books and manga, watching movies, and photography.