The Cisco RV042 router is a popular small-network device that is often used as an internet gateway. Network administrators need to reach the management interface to change settings, passwords, etc. This access is generally done with a browser such as Internet Explorer, Google Chrome or Firefox over an HTTP or HTTPS connection. For security purposes, it's important to consider the possibilities:
There are at least two kinds of "security" that are possible:
1) It's important to select a combination of Username and Password for logging into the controls. In this case, both the Username AND the Password might be viewed as "passwords" as they both have to be entered correctly. There are plenty of good articles written about how to select passwords.
2) Unless you are willing to risk having your login communications intercepted on a public network, the communications need to be encrypted. This is where HTTPS comes in. It's fair to say that the WAN side communications, if actually public, must be encrypted. Internal LAN communications might have the same requirement, but often do not. There is almost no penalty for using HTTPS - so why not? [Well, there’s an issue regarding security certificates when using HTTPS and that’s described in a later section here.]
If you’re at all like me and any number of others, you’ll find the built-in Help for the RV042 GUI Firewall page to be a bit cryptic and confusing. So I undertook to map out the setting functions and interactions to understand the Management access aspects better. This involves the Firewall, Remote Management, Port and HTTPS settings.
Here are the results that we get by entering all the combinations of Enable/Disable and some Port numbers:
RV042 Firewall Truth Table (firmware 1.3.12.19-tm)
1 = Enabled; 0 = Disabled; grayed out means unavailable; RM = Remote Management (WAN)
*Remote Management (RM) via HTTP Port 80 is allowed by default if the firewall is Disabled - so it shows Enabled and is grayed out.
**Port setting is only possible if the Firewall is Enabled. Otherwise the setting shows but is grayed out. The setting does nothing if the Firewall is Disabled.
***Port 99 was an arbitrary choice and some testing was done using Port 101 to confirm. It could be anything suitable.
****Explicit means addressing in the browser like this: http://192.168.1.1:443
Conclusions:
Guidance:
At this point, we boil down the results to create some common settings:
First, you need to decide whether you will allow Remote Management on the WAN – i.e. presumably over the Internet. If not, then you will Disable Remote Management. The Firewall page will look like this. DON'T FORGET TO SELECT SAVE at the bottom of the page!
(If you do this using a Remote Management connection on the WAN, you will lose your connection, if not immediately then shortly thereafter, depending on what you do.)
However, if you do want to provide management access on the WAN side of the router then you would Enable Remote Management and Enable HTTPS.
How to change the Remote Management Port number:
It took me a while to figure this out and I'm writing the instructions here for ready reference.
Imagine that the Firewall is Disabled, Remote Management is Enabled and the port number is 443 (or some other) and you want to switch it to port 80. You might want to do this if the router is being used inside a private network and not as a direct internet interface.
You can only change Enable/Disable Remote Management when the Firewall is Enabled.
You can only change the Remote Management port number when Remote Management is Enabled.
- Enable the Firewall.
- Enable Remote Management.
- Enter the desired port number.
- Save the configuration. Then if you like:
- Disable Remote Management (optional)
- Disable the Firewall
- Save the configuration again.
Now the Remote Management port number will be changed and, if not Enabled, ready to be Enabled.
That’s all there is to it for the WAN side.
For the LAN side, there is really nothing to be done other than choosing how to access from the browser. The LAN side will allow management access via either HTTP or HTTPS. To use HTTPS, you have to use one of the addressing forms from the examples below.
Some Notes about Browsers:
The address provided to a browser is usually the sole determinant whether HTTP or HTTPS is going to be used. The router determines whether HTTP or HTTPS will be allowed. So, a browser may use an address (using here the default RV042 LAN IP address of 192.168.1.1):
In effect, entering a port number in the Firewall simply opens another port for access to router Management.
Certificate Errors:
When using HTTPS, there’s an unfortunate outcome with the RV042. For some reason, the security certificate isn’t recognized as valid. I know of no solution for this. This is unfortunate because it would potentially allow for an undetectable man-in-the-middle attack. While this may not be a great concern when accessing the router Management over your LAN, it could be a concern if accessing the router over the internet on the WAN interface – even using HTTPS.
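One way to narrow the man-in-the-middle exposure described above is to pin the router's certificate: record its SHA-256 fingerprint once over a connection you trust (for example, directly on the LAN) and compare it before each later login over the WAN. This is an added example, not part of the original article or of Cisco's documentation; the function names are hypothetical, and it assumes the router keeps the same certificate between checks and that your Python/OpenSSL build can still negotiate TLS with the router's firmware.

```python
import hashlib
import hmac
import socket
import ssl
import sys


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept 'AB:CD:..' as shown by browser certificate viewers, or plain hex."""
    return "".join(ch for ch in pin if ch not in ": \t").lower()


def pin_matches(der_cert: bytes, pin: str) -> bool:
    """Constant-time comparison of the presented certificate with the pin."""
    return hmac.compare_digest(fingerprint(der_cert), normalize_pin(pin))


def fetch_der_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the certificate the device presents, without CA validation.

    CA validation is switched off only because the article reports that it
    fails for this router; trust comes from the pin comparison instead.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert(binary_form=True)


def check_router(host: str, pin: str, port: int = 443) -> bool:
    """True only if the certificate seen now is the one recorded earlier."""
    return pin_matches(fetch_der_cert(host, port), pin)


if __name__ == "__main__":
    # Usage: python pin_check.py <router-address> <recorded-fingerprint> [port]
    host, pin = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
    ok = check_router(host, pin, port)
    print("certificate matches pin" if ok else "MISMATCH: do not log in")
    sys.exit(0 if ok else 1)
```

A mismatch means either the router regenerated its certificate (for example after a reset) or something between you and the router is answering in its place; re-record the pin only from the trusted LAN side.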
Internet Explorer certificate errors:
If you’ve set up the router then presumably you expect to see this. The choice is to choose “Continue to this website”.
Google Chrome certificate errors:
If you’ve set up the router then presumably you expect to see this. The choice is to choose “Advanced” which will bring up this page:
And, here you need to choose “Proceed to [the router IP address] (unsafe)”
Firefox Certificate Errors will require you to save the router IP address as an exception in order to be able to access it via HTTPS. You will need to select “I Understand the Risks” and will get:
Then select “Add Exception” and get:
The location should be the router IP address and you will need to “Confirm Security Exception”. Then the Firefox rendition of the router login will appear.
RV042 Built-In Help for the Firewall page:
Firewall General (A copy of the RV042 Help)
From the Firewall Tab, you can configure the Router to deny or allow specific internal users from accessing the Internet. You can also configure the Router to deny or allow specific Internet users from accessing the internal servers.
You can set up different packet filters for different users that are located on internal (LAN) side or external (WAN) side based on their IP addresses or their network Port number.
Firewall
The default is enabled. If users disable the Firewall function, SPI, DoS, Block WAN Request will be disabled, Remote Management will be enabled and Access Rules and Content Filter will be disabled.
Stateful Packet Inspection (SPI)
The Router's Firewall uses Stateful Packet Inspection to maintain connection information that passes through the firewall. It will inspect all packets based on the established connection, prior to passing the packets for processing through a higher protocol layer.
Denial of Service (DoS)
Protect internal networks from Internet attacks, such as SYN Flooding, Smurf, LAND, Ping of Death, IP Spoofing and reassembly attacks.
Block WAN Request
This feature is designed to prevent attacks through the Internet. When it is enabled, the Router will drop both the unaccepted TCP request and ICMP packets from the WAN side. The hacker will not find the Router by pinging the WAN IP address. If DMZ is enabled, this function will be disabled.
Remote Management
This Router supports remote management. If you want to manage this Router through the WAN connection, you have to 'Enable' this option. User can enter the port number for remote management.
HTTPS (HyperText Transfer Protocol Secure)
HTTPS is a secured http session. Users can enable HTTPS for secured management. HTTPS encrypts the communications among connected clients and servers to provide data confidentiality. The default is disabled.
(Note: If you will use the Linksys Quick VPN Client Software for allowing VPN Clients to connect to the RV042, please enable the HTTPS.)
Multicast Pass Through
IP Multicasting occurs when a single data transmission is sent to multiple recipients at the same time. Using this feature, the Router allows IP multicast packets to be forwarded to the appropriate computers.
Restrict WEB Features
RV042 supports the following filtering for web protocol. Block:
Java: Java is a programming language for websites. Some web sites contain small programs, and it may be dangerous to run an unknown program on your machine. You can check the Java box to "filter the Java Applets for security reason, but you may take the risk of not having access to Internet sites which created using this programming language if Java is blocked."
Cookies: A cookie is data stored on your PC and used by Internet sites when you interact with them. Cookies are usually used to track visitors, and store information about their personal preferences. "You can check the Cookies box to block Cookies in order to maintain a higher level of anonymity on the Web."
Active X: Active X is a programming language for websites. Some web sites contain small programs, and it may be dangerous to run an unknown program on your machine.
You can check the Active X box to filter the Active X for security reason, but you may take the risk of not having access to Internet sites which created using this programming language if Active X is blocked.
Access to HTTP Proxy Servers: Use of Proxy Servers may compromise the Router’s security. You can check the box to enable proxy filtering, and it will disable access to any proxy servers.
Don’t block Java/ActiveX/Cookies to Trusted Domain: If the box is checked, users can enter the web sites or IP address in Trusted Domain field, and the Router will not check the Java/ActiveX/Cookies in the Trusted Domain(s).
Click the Save Settings button when you finish the settings, or click the Cancel Changes button to undo your changes.
As always, edits, corrections, comments and questions are welcome and encouraged!
Comments (4)
Author
Commented: I've had better luck with Netgear client-to-site VPN situations more recently.
Author
Commented: I added a paragraph that describes how to change the displayed port number for Remote Management.
It's not easy to figure out so that the result sticks!
Thank you!