Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Network Networking

Germany Proposes Router Security Guidelines (zdnet.com) 62

German government would like to regulate what kind of routers are sold and installed across the country. From a report: The German government published at the start of the month an initial draft for rules on securing Small Office and Home Office (SOHO) routers. Published by the German Federal Office for Information Security (BSI), the rules have been put together with input from router vendors, German telecoms, and the German hardware community. Once approved, router manufacturers don't have to abide by these requirements, but if they do, they can use a special sticker on their products showing their compliance. The 22-page document, available in English here, lists tens of recommendations and rules for various router functions and features.
This discussion has been archived. No new comments can be posted.

Germany Proposes Router Security Guidelines

Comments Filter:
  • I'm confused about this rule: "Only DNS, HTTP, HTTPS, DHCP, DHCPv6, and ICMPv6 services should be available on the LAN and WiFi interface"

    What about SSH, VPN, VPN-over-SSH, etc? Are they saying that other than those few services, no other services should be passed through to the Internet? Or that the router ITSELF shouldn't provide services other than those six?

    • by BenFranske ( 646563 ) on Monday November 26, 2018 @11:50AM (#57701868) Homepage

      I think it's pretty clear they mean the router itself shouldn't have other services open. This is all about reducing router attack surface as they have become a popular target for botnets.

    • by Anonymous Coward

      This is the default factory shipped configuration, which is adequate for initial setup / install by 'average user'. There is nothing stopping them having additional services that can be enabled after installation.

    • No NTP or ICMPv4?

    • From default the english version: "In factory settings the router SHOULD restrict access to a defined list of services provided to devices
      connected on the LAN and WiFi interface by the router. The services are provided on one or more dedicated
      TCP and/ or UDP ports or by the network stack itself."

      That is a sane setup to start.

      Better modern +$200 routers do this already.

      Some of the audit and management features seem difficult. It may disqualify all the existing Apple AirPort devices.

      The VOIP stuff is interes

  • Interesting (Score:5, Informative)

    by AmiMoJo ( 196126 ) on Monday November 26, 2018 @11:57AM (#57701928) Homepage Journal

    Some interesting stuff in that document.

    - By default the router must only offer DNS, ping response and a web interface to devices on the LAN. Seems like even UPnP is disabled.
    - Default SSID must not give anything away, such as the manufacturer of the router. Not sure what exactly the point is, considering that things like the MAC address reveal that.
    - Half decent default passwords.
    - Manufacturer must state how long they supply updates for and what severity level merits a patch.
    - IPv6 is optional.

    Seems rather basic to be honest.

    • Re:Interesting (Score:5, Informative)

      by Solandri ( 704621 ) on Monday November 26, 2018 @12:33PM (#57702196)
      If you've been to Germany before WPS, every private router had the WiFi password enabled. There were no open WiFi hotspots emanating from homes. Indicating that Germans take the time to learn how to configure their router correctly. A set of requirements like those, disabling nearly everything by default, would work well in Germany to prevent the accidental misconfiguration. If you need a feature (like uPnP), you must enable it.

      Most of the rest of the world, people are too damn lazy to learn how to configure a router. (I'd draw an analogy to the the clock on people's VCRs perpetually flashing 12:00, but I doubt half the readers would get that reference.) So router manufacturers have bent backwards to design something akin to one-touch configuration. Unfortunately that means every service you can think of has to be enabled by default, with only advanced users going in and disabling the stupid stuff.

      So yeah it's basic stuff. But it trades off usability for security. Not that I disagree with that philosophy, but the people who want to buy a router, not read the manual, push a single button to set it up, then forget about it forever are going to whine ceaselessly about this. It's just that there are very few such people in Germany.
      • Re:Interesting (Score:5, Informative)

        by grumbel ( 592662 ) <grumbel+slashdot@gmail.com> on Monday November 26, 2018 @12:46PM (#57702288) Homepage

        Indicating that Germans take the time to learn how to configure their router correctly.

        That's however not because Germans are so tech savvy, but because they are liable for what goes over their open WiFi. So everybody closes things down to avoid lawsuits and fines.

        • by Cederic ( 9623 )

          Plus of course the strange assumption that people wouldn't intentionally configure an open hotspot.

          I have three SSIDs configured on my wireless router, one of which is entirely unsecured. Makes life very easy for guests.

          Friends do similar things.

      • by Anonymous Coward


        Most of the rest of the world, people are too damn lazy to learn how to configure a router.

        15 years ago I would have agreed with you. Very few wifi routers had security enabled. In 2018 in the US, I don't think I've seen a residential home without a password set. I've been all over the world, and wifi passwords are the norm, not the exception. In many places the wifi password is actually randomly set, and printed on the back of the DSL modem.

        So no, it's not just Germans who've figured out how to configu

    • - IPv6 is optional.

      Fuck this, it's about time we migrate to IPv6, they should make it mandatory.

  • I give you my sticker for half the price they do.
  • Good idea (Score:5, Insightful)

    by BringsApples ( 3418089 ) on Monday November 26, 2018 @12:01PM (#57701970)
    The draft sets out to not only list what expectations/requirements routers will need, but it explains, in layman's terms, the reasoning behind it all. The best way to secure a thing is to properly educate those that are using it.
    • I'm pretty most people don't understand the dangers of open ports and will never need them. This sets the basics of what is required by default. The user is free to bypass the basics. I don't think that forcing people to learn about topics is the most productive. It would be like required everyone who buys a car to know how to change their transmission.

      • Not that you want to read it, but every car in the US comes with a manual, for those of us that do.

        It's information, silly. Information is always a good thing to have.
        • I've read the manual to my car provided to me by the manufacturer. Please tell where it shows me how to change my transmission. I'll wait. For that level of repair you can buy a service/repair manual from the manufacturer; they do not come with most cars. There are also 3rd party manuals which also detail these kind of repairs. Again they do not come with the car.
  • ...not a regulatory programme. Even TFA calls them guidelines. It is a sad day when the Slashdot editors are worse than the press for adding fud.

    • by Anonymous Coward

      xkcd: Free [xkcd.com]

      AVM, the maker of the most popular router "Fritz!Box" (and for good reasons), will have this on their boxes. Big and fat. They're the type or manufacturer who offers free updates to entirely new versions of their FritzOS, with all new features that the hardware can manage, even years later. Security patches often even are in the local tech news.
      Which means, everyone who doesn't have this certification, has even less of a chance of competing against them.

      There are people here, who pick their ISP ba

  • is to simply hold the manufacturers of said hardware fully liable for the half-assed products they sell.

    Great big eye-opening-with-cries-of-thats-not-fair-from-the-companies-who-peddle-this-shit fines with the option to forgo said fines if the CEO goes to jail for a decade instead.

    Industry only takes security seriously when it impacts their profits.

  • Just a thought: At least here in the U.S., Underwriters Laboratory does electrical testing on products to ensure they're safe. Why not expand their role in the case of computing equipment like this (and perhaps also so-called 'IoT' devices) to test for vulnerabilities? Basically, throw a bunch of attacks at Internet-facing devices and see if you can crack them. As new exploits are discovered, expand the suite of testing to include those attacks. Would never be 100% because exploits and attack methods seem t
    • Because 90% of Chinese hardware is tested to the 'Chine Export' standard, not UL. They are labelled CE rather than UL. Neither really means much, UL takes longer and costs more.

    • by MobyDisk ( 75490 )

      100% agreed! These standards agencies are behind the times and I would rather they determine the standards than a government body.

      • ..no, that's not what I'm asking for, and so far as I knew, there was some coordination between the UL and the government. Guess I was wrong? No matter. Maybe there should be, so far as 'cybersecurity' is concerned. They are behind the times, and maybe we need to fix that.
  • ... the rules have been put together with input from router vendors, German telecoms, and the German hardware community.

    No input from the IT people wearing boots? Expectations of fixing problems by those who are the problem ...

  • by Anonymous Coward

    In Germany you buy a reasonably recent Fritz!Box and get security updates for several years. For the internationals.. this is the most popular Cable/DSL WiFi router in Germany and to be honest, for a very good reason. Really really good stuff.

  • > The router must allow any authenticated user to change [the wifi] password.

    > The procedure of changing the WiFi password should not show a password strength meter or force users to use special characters.

    Wtf?

  • by Anonymous Coward

    Not the faintest sign of skepticism in the summary? This "certification", which is voluntary by the way, has been heavily criticized by CCC and the OpenWRT project, cf. https://translate.googleusercontent.com/translate_c?depth=1&hl=de&nv=1&rurl=translate.google.com&sl=de&sp=nmt4&tl=en&u=https://www.heise.de/newsticker/meldung/IT-Sicherheit-CCC-kritisiert-BSI-Routerrichtlinie-scharf-4226397.html

  • Guidelines are not rules or laws or even Best Practices. They're just suggestions. And vague ones at that, which allow the person using them to figure out all the details of how and when and what.

    Guidelines are like saying "you ought to have painted walls" but leaving the paint color and even the wall material (brick, plaster, drywall, stucco, recycled political signs) up to the occupant.

    We've HAD this sort of thing in routers for years. Everybody had some base standards to follow and went off on their

In the long run, every program becomes rococco, and then rubble. -- Alan Perlis

Working...