New German initial draft for rules on securing Small Office and Home Office
Published by the German Federal Office for Information Security (BSI), the rules have been put together with input from router vendors, German telecoms, and the German hardware community.
Once approved, router manufacturers don't have to abide by these requirements, but if they do, they can use a special sticker on their products showing their compliance.
The document lists tens of recommendations and rules for various router functions and features.
A few of the more important ones:
- Only DNS, HTTP, HTTPS, DHCP, DHCPv6, and ICMPv6 services should be available on the LAN and WiFi interface.
- If the router has a guest WiFi mode, this mode must not allow access to the router's configuration panel.
- The Extended Service Set Identifier (ESSID) should not contain information that is derived from the router itself (such as the vendor name or router model).
- The router must support the WPA2 protocol, and use it by default.
- WiFi passwords should have a length of 20 characters or more.
- WiFi passwords must not contain information derived from the router itself (vendor, model, MAC, etc.).
- The router must allow any authenticated user to change this password.
- The procedure of changing the WiFi password should not show a password strength meter or force users to use special characters.
- After setup, the router must restrict access to the WAN interface, with the exception of a few services, such as TR-069 (CWMP), SIP, SIPS, and ICMPv6.
- Routers must make CWMP available only if the ISP controls the router's configuration from a remote, central location.
- The password for the router's configuration/admin panel must have at least 8 characters and must use at least two of the following character classes: uppercase letters, lowercase letters, special characters, numbers.
- Just like WiFi passwords, admin panel passwords must not contain router-related information (vendor, model, MAC, etc.).
- The router must allow the user to change this default admin panel password.
- Password-based authentication MUST be protected against brute force attacks.
- Routers must not ship with undocumented (backdoor) accounts.
- In its default state, access to the admin panel must only be allowed via the LAN or WiFi interfaces.
- If the router vendor wants to expose the admin panel via WAN, it must use TLS.
- The end-user should be able to configure the port to be used for access to the configuration via the WAN interface.
- The router admin panel must show the firmware version.
- The router must warn users about out-of-date or end-of-life firmware.
- The router must keep and display a last login log.
- The router must show the status and rules of any local firewall service.
- The router must list all active services per each interface (LAN/WAN/WiFi).
- Routers must include a way to perform factory resets.
- Routers must support DHCP over LAN and WiFi.
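Several of the rules above (the per-interface service allow-lists, the WiFi and admin password rules, and the ban on router-derived password material) are concrete enough to be checked mechanically. The following is an added example of such a policy-as-code audit; it is not code from the BSI draft or from any router vendor. The `RouterInfo` fields, the configuration dictionary layout and the service names are assumptions constructed for the example, and the "router-derived" check is one simple interpretation of the rule (substring match on vendor, model and MAC after stripping separators).

```python
"""Added example: audit a router configuration against several rules of the
BSI draft summarised above. Illustrative code, not BSI's or a vendor's; the
RouterInfo fields, config layout and service names are constructed here."""

import re
from dataclasses import dataclass

# Services the draft permits on the LAN/WiFi side, and on the WAN side after setup.
LAN_ALLOWED = {"dns", "http", "https", "dhcp", "dhcpv6", "icmpv6"}
WAN_ALLOWED = {"cwmp", "sip", "sips", "icmpv6"}


def _normalise(text):
    """Lower-case and strip separators so 'XR-200' and 'xr 200' compare equal."""
    return re.sub(r"[^0-9a-z]", "", text.lower())


@dataclass(frozen=True)
class RouterInfo:
    """Device facts a password must not be derived from (vendor, model, MAC)."""
    vendor: str
    model: str
    mac: str  # colon-separated, e.g. "00:11:22:33:44:55" (constructed format)

    def tokens(self):
        mac_hex = _normalise(self.mac)
        candidates = {_normalise(self.vendor), _normalise(self.model), mac_hex, mac_hex[-6:]}
        return {t for t in candidates if len(t) >= 4}  # ignore trivially short fragments


def _router_derived(password, info):
    """Return the router tokens that appear inside the password, if any."""
    norm = _normalise(password)
    return sorted(t for t in info.tokens() if t in norm)


def check_wifi_password(password, info):
    """WiFi rule: 20+ characters, nothing derived from the router."""
    findings = []
    if len(password) < 20:
        findings.append("wifi password shorter than 20 characters")
    hits = _router_derived(password, info)
    if hits:
        findings.append(f"wifi password contains router-derived information: {hits}")
    return findings


def check_admin_password(password, info):
    """Admin rule: 8+ characters, two of four character classes, no router info."""
    findings = []
    if len(password) < 8:
        findings.append("admin password shorter than 8 characters")
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 2:
        findings.append("admin password uses fewer than two character classes")
    hits = _router_derived(password, info)
    if hits:
        findings.append(f"admin password contains router-derived information: {hits}")
    return findings


def check_interface_services(interface, services):
    """Flag every listening service not on the allow-list for that interface."""
    allowed = WAN_ALLOWED if interface == "wan" else LAN_ALLOWED
    return [f"{interface}: service not permitted by the draft: {s}"
            for s in sorted(services) if s.lower() not in allowed]


def audit(config):
    """Run every check and return the combined findings (empty list = compliant)."""
    info = config["router"]
    findings = check_wifi_password(config["wifi_password"], info)
    findings += check_admin_password(config["admin_password"], info)
    for iface, services in config["services"].items():
        findings += check_interface_services(iface, services)
    return findings


# Constructed sample configuration; it deliberately fails one rule per category.
SAMPLE_CONFIG = {
    "router": RouterInfo("ExampleNet", "XR-200", "00:11:22:33:44:55"),
    "wifi_password": "ExampleNet-Guest-2019",     # long enough, but vendor-derived
    "admin_password": "Xr-200!admin",            # complex enough, but model-derived
    "services": {
        "lan": ["dns", "dhcp", "http", "telnet"],  # telnet is not on the LAN list
        "wifi": ["dns", "dhcp", "https"],
        "wan": ["cwmp", "icmpv6", "ssh"],          # ssh is not on the WAN list
    },
}

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Run against the sample configuration, the audit reports four findings: the vendor name inside the WiFi password, the model name inside the admin password, and one disallowed service each on the LAN and WAN interfaces. A vendor could run a check like this in firmware CI against the shipped defaults, and an ISP or tester could run it against a device's exported configuration.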