Hardening EdgeRouter Lite – Part 3


This blog post is part of a series on EdgeRouter Lite. You may want to check them all out!

DateTitleDescription
03/13/16My Home Router – EdgeRouter LiteQuick introduction to EdgeRouter Lite
04/09/16Ubiquiti’s EdgeOS CLI IntroductionEdgeOS CLI Primer
05/01/16How to configure EdgeRouter Lite via CLI – Part 1EdgeOS configuration guide for CLI junkies
05/01/16How to configure EdgeRouter Lite via CLI – Part 2EdgeOS configuration guide for CLI junkies
12/03/16Hardening EdgeRouter Lite – Part 1Basic management hardening
12/04/16Hardening EdgeRouter Lite – Part 2EdgeOS with two-factor authentication
12/06/16Hardening EdgeRouter Lite – Part 4Remote Access VPN with two-factor authentication

Introduction

I focused on authentication method in the first two posts of this EdgeRouter Lite series. In today’s post, I will focus on access restriction to the management plane. To accomplish this access restriction, we need to create firewall policies on the router and apply it to LAN and sub-interfaces. This post will show what you need for the firewall policy.

Management ACL

While restricting management services to listen on a single address, it is also a good practice to restrict addresses or networks allowed to reach it. The firewall on EdgeOS allows users the creation of address groups and network groups. The groups allow users include more than one address in the firewall policy. Without further ado, below is an example of a firewall policy that one can apply to EdgeRouter Lite.

Firewall group

We need to gather the source IP addresses or network prefixes that will be allowed to connect to the EdgeRouter Lite. It is good practice that these hosts are one of the most secure computers in the network.  We do not want the bad guys taking control of our router since all traffic traverses through it. For example, my Linux hosts have 2FA enabled for both SSH and console access.

The address-group allows users to add multiple IP addresses.

The network-group allows users to add network prefixes.

Firewall policy

Once we’ve created the firewall group, we are now ready to create the firewall rules.

The first three lines are what a lot of people will call this as a catch-all rule. Any traffic not defined in our firewall policy will fall under this rule.

The next firewall rule is unnecessary, but I like to add it in the beginning. In my environment, this rule has one of the lowest numbers, so it is safe to move it at the end of the firewall policy if you feel so inclined. Alternatively, do not add this rule since the catch-all rule will drop this traffic.

I will leave the next rule at your discretion. Some people like to allow ICMP for troubleshooting purposes and some people do not.

The next rule depends if you run SNMP or not. I run the free PRTG Network Monitor in my environment, so I have to add it.

These next rules are what we need to restrict source IP addresses or network prefixes that can connect to the EdgeRouter Lite. If you disable GUI access then there is no point in adding firewall rules for both HTTP and HTTPS.

The last rule allows any traffic that is in established or related state. Check this site to understand the states.

Apply the firewall policy

Now, we need to apply the firewall rule to all your LAN interfaces including sub-interfaces.

Save config

Now, we need to save the configuration by issuing commit;save command.

Verification

Try connecting to EdgeRouter Lite without logging out from your current SSH or secure HTTP connection. This ensures that you still have access to the router just in case there’s a mistake with the ACL. If you have a Network Management System (NMS), make sure that SNMP is working as well.

Final Words

Any traffic destined to the EdgeRouter Lite must be restricted. While we did it on the WAN side, we also need to secure the LAN side. As much as possible, the allowed list must be limited. Only systems that must have router access should be on the list. Finally, computers on the list should have great security controls to keep it from being compromised.

The next blog post, I am going to talk about securing the remote access VPN. The blog post will address the security concerns on my how to configure EdgeRouter Lite guide.

Disclosure

NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.


About Andrew Roderos

Andrew Roderos is an IT professional who specializes in networking, a CCIE hopeful, and forever a student of technology. Technologies that he is mostly interested in are routing and switching, virtualization, data center, and a little bit of network security. Outside of the information technology world, he enjoys reading science fiction books, manga, and photography.