The Cisco RV042 is a popular small-business router that is often used as an internet gateway. Network administrators need access to its management interface to change settings, passwords and so on. That access is normally done from a browser such as Internet Explorer, Google Chrome or Firefox over an HTTP or HTTPS connection. For security purposes, it's important to consider both possibilities:
- Access from the LAN side is likely safer than from the WAN (internet) side but may still need to be secured.
- Access from the WAN (internet) side is "public" and needs to be secure.
There are at least two kinds of "security" that are possible:
1) It's important to select a good combination of Username and Password for logging into the controls. Both have to be entered correctly, so the Username can be treated as a second "password" and chosen as carefully as the real one. There are plenty of good articles written about how to select passwords.
2) Unless you are willing to risk that your login traffic will be intercepted, it needs to be encrypted, and this is where HTTPS comes in. Over plain HTTP the username, the password and every subsequent configuration change cross the network in the clear. It's fair to say that WAN side communications, if actually public, must be encrypted. Internal LAN communications might have the same requirement, but often don't. There is almost no penalty for using HTTPS, so why not? [Well, there is an issue regarding the security certificate when using HTTPS, and that's described in a later section here.]
If you’re at all like me and any number of others, you’ll find the built-in Help for the RV042 GUI Firewall page to be a bit cryptic and confusing. So I undertook to map out the setting functions and interactions to understand the Management access aspects better. This involves the Firewall, Remote Management, Port and HTTPS settings.
Here are the results that we get by entering all the combinations of Enable/Disable and some Port numbers:
RV042 Firewall Truth Table (firmware 126.96.36.199-tm)
Legend: 1 = Enabled, 0 = Disabled; grayed out means unavailable; RM = Remote Management (WAN)
*Remote Management (RM) via HTTP Port 80 is allowed by default if the firewall is Disabled - so it shows Enabled and is grayed out.
**Port setting is only possible if the Firewall is Enabled. Otherwise the setting shows but is grayed out. The setting does nothing if the Firewall is Disabled.
***Port 99 was an arbitrary choice, and some testing was done using Port 101 to confirm. It could be any suitable unused port.
****Explicit means addressing in the browser like this: http://192.168.1.1:443
- Enabling / Disabling HTTPS affects Remote Management and other things.
- Without HTTPS enabled, Remote Management will work via HTTP, although it can also work with HTTPS via port 443.
- Remote and Local Management will work via HTTP if a port other than 80 or 443 is entered and used by the client (e.g. 99). So, with HTTPS not enabled, the management session can be encrypted (port 443) but can just as easily be unencrypted (port 80 or the custom port); nothing forces the secure choice.
- If HTTPS is enabled, Remote Management will only work via HTTPS.
- Setting a port number for Remote Management makes that port available on both the WAN and the LAN but doesn't disable Port 443 or, if allowed, Port 80.
- If the Firewall, Remote Management and HTTPS are all enabled and a port other than 80 or 443 is entered, that port works on HTTPS on the WAN and on HTTP on the LAN. Port 443 is always HTTPS.
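The findings above were collected by hand through the GUI. The following script, added here as an example and not taken from the original page or from Cisco, checks the same thing from the outside: for each management port it reports whether the port is closed, completes a TLS handshake (HTTPS), or answers a plaintext request with an HTTP status line (HTTP). It assumes only ordinary socket behaviour on the router's part; the ports 80, 443 and 99 and the default LAN address 192.168.1.1 are the ones used on this page, and the local HTTP server at the bottom exists only so the script can be self-tested without a router. Run it once against the LAN address and once against the WAN address to confirm the truth table for your own firmware and settings.

```python
"""Probe which RV042 management ports answer plain HTTP and which answer HTTPS."""
import http.server
import socket
import ssl
import threading

MANAGEMENT_PORTS = (80, 443, 99)  # 99 stands in for whatever custom port you entered


def _tls_context() -> ssl.SSLContext:
    """Client context that detects TLS but does NOT verify the certificate.

    Verification is disabled deliberately: the question here is whether a port
    speaks TLS at all, and the RV042's certificate is self-signed anyway.  Old
    firmware may only offer TLS 1.0, so legacy settings are allowed where the
    local OpenSSL build permits them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError, AttributeError):
        pass  # local library refuses legacy settings; current firmware still works
    return ctx


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Return "closed", "https", "http" or "unknown" for host:port."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError:
        return "closed"

    # Does a TLS handshake complete?  Then this is an HTTPS listener.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with _tls_context().wrap_socket(raw, server_hostname=host):
                return "https"
    except (ssl.SSLError, OSError):
        pass

    # Otherwise, does a plaintext request come back with an HTTP status line?
    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            plain.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            head = plain.recv(64)
    except OSError:
        return "unknown"
    return "http" if head.startswith(b"HTTP/") else "unknown"


def probe_router(host: str, ports=MANAGEMENT_PORTS) -> dict:
    """Map each management port to what it answers; pass the LAN or the WAN address."""
    return {port: probe_port(host, port) for port in ports}


class _OkHandler(http.server.BaseHTTPRequestHandler):
    """Minimal plaintext HTTP responder used only for the self-test."""

    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *_):
        pass  # keep the self-test quiet


def start_local_http_server() -> tuple:
    """Start a throwaway plaintext HTTP server on 127.0.0.1; returns (server, port)."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _OkHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def unused_port() -> int:
    """Pick a port nothing is listening on (the "closed" case in the self-test)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # default RV042 LAN address
    for port, answer in probe_router(target).items():
        print(f"{target}:{port} -> {answer}")
```

One caveat: if the local OpenSSL build refuses the old protocol versions that early RV042 firmware offers, the handshake fails and an HTTPS port is reported as "unknown" rather than "https"; a plain HTTP port is never misreported as secure, which is the direction that matters when you are deciding whether a WAN login is safe.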
At this point, we boil down the results to create some common settings:
First, you need to decide whether you will allow Remote Management on the WAN, i.e. presumably over the Internet. If not, then Disable Remote Management. The Firewall page will then look like this. DON'T FORGET TO SELECT SAVE at the bottom of the page!
(If you do this over a Remote Management connection on the WAN, you will lose your connection, if not immediately then shortly thereafter depending on what you do.)
However, if you do want to provide management access on the WAN side of the router, then Enable Remote Management and Enable HTTPS, so that the login and every configuration change that follows are encrypted across the internet.
That's all there is to it for the WAN side.
For the LAN side, there is really nothing to be done other than choosing how to access the router from the browser. The LAN side will allow management access via either HTTP or HTTPS; which one you get is decided by the address you type, using one of the forms from the examples below.
Some Notes about Browsers:
The address provided to a browser is usually the sole determinant of whether HTTP or HTTPS is going to be used; the router only determines whether HTTP or HTTPS will be allowed. So, a browser may use an address such as (using here the default RV042 LAN IP address of 192.168.1.1):
- http://192.168.1.1 (plain HTTP on port 80)
- https://192.168.1.1 (HTTPS on port 443)
- http://192.168.1.1:99 (plain HTTP on the custom port entered on the Firewall page, 99 here)
In effect, entering a port number in the Firewall simply opens another port for access to router Management.
When using HTTPS, there's an unfortunate outcome with the RV042: the browser does not accept the router's security certificate as valid, because the router presents a self-signed certificate that no certificate authority trusted by the browser has issued. I know of no solution for this. This is unfortunate because a user who is used to clicking past the warning would not notice an attacker's certificate either, which would potentially allow an undetectable man-in-the-middle attack. While this may not be a great concern when accessing the router Management over your LAN, it could be a concern if accessing the router over the internet on the WAN interface, even using HTTPS.
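The practical answer to a certificate that can never validate against a CA is to pin it: record the certificate's SHA-256 fingerprint once over the LAN, where an on-path attacker is far less likely, and refuse to log in from the WAN unless the router presents the same certificate. The script below is an added example and is not code from the original page or from Cisco. It assumes only that the router keeps presenting the same certificate; the pinned value is a placeholder you replace with your own recorded fingerprint, and 192.168.1.1 is the page's default LAN address.

```python
"""Pin the RV042's self-signed management certificate instead of clicking through warnings."""
import hashlib
import hmac
import socket
import ssl

# Placeholder. Record the real value over the LAN first, e.g. with
#   openssl s_client -connect 192.168.1.1:443 </dev/null | openssl x509 -noout -fingerprint -sha256
# and paste the printed fingerprint here (either colon style or bare hex is accepted).
PINNED_SHA256 = "replace-with-your-router-fingerprint"


def sha256_fingerprint(der: bytes) -> str:
    """Lowercase, colon-free hex SHA-256 of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def openssl_style(fingerprint_hex: str) -> str:
    """Render a fingerprint the way openssl prints it: uppercase bytes separated by colons."""
    h = fingerprint_hex.lower()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2)).upper()


def normalize_pin(pin: str) -> str:
    """Accept either style (with or without colons, any case) for comparison."""
    return pin.replace(":", "").strip().lower()


def matches_pin(der: bytes, pin: str) -> bool:
    """Constant-time comparison of the presented certificate against the pinned fingerprint."""
    return hmac.compare_digest(sha256_fingerprint(der), normalize_pin(pin))


def fetch_certificate(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the router's leaf certificate in DER form.

    CA verification is switched off on purpose: the certificate is self-signed and
    will never chain to a trusted root, so trust is decided by the fingerprint
    instead.  Nothing (in particular no credentials) is sent after the handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_router(host: str, pin: str = PINNED_SHA256, port: int = 443) -> tuple:
    """Return (ok, fingerprint_seen).  Only log in from the WAN when ok is True."""
    der = fetch_certificate(host, port)
    return matches_pin(der, pin), openssl_style(sha256_fingerprint(der))


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # default RV042 LAN address
    ok, seen = check_router(host)
    print(("MATCH    " if ok else "MISMATCH ") + seen)
    sys.exit(0 if ok else 1)
```

A mismatch means either the router regenerated its certificate (for instance after a factory reset) or something between you and the router is terminating TLS; in both cases, don't type the password until you have re-checked the fingerprint from the LAN. Firefox's stored exception (described below) is tied to the specific certificate it was created for, so a changed certificate brings the warning back, which is the same idea applied by the browser.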
Internet Explorer certificate errors:
If you’ve set up the router then presumably you expect to see this. The choice is to choose “Continue to this website”.
Google Chrome certificate errors:
If you’ve set up the router then presumably you expect to see this. The choice is to choose “Advanced” which will bring up this page:
And, here you need to choose “Proceed to [the router IP address] (unsafe)”
Firefox certificate errors:
Firefox will require you to save the router IP address as an exception in order to be able to access it via HTTPS. You will need to select "I Understand the Risks" and will get:
Then select “Add Exception” and get:
The location should be the router IP address and you will need to “Confirm Security Exception”. Then the Firefox rendition of the router login will appear.
RV042 Built-In Help for the Firewall page:
Firewall General (A copy of the RV042 Help)
From the Firewall Tab, you can configure the Router to deny or allow specific internal users from accessing the Internet. You can also configure the Router to deny or allow specific Internet users from accessing the internal servers.
You can set up different packet filters for different users that are located on internal (LAN) side or external (WAN) side based on their IP addresses or their network Port number.
The default is enabled. If users disable the Firewall function, SPI, DoS, Block WAN Request will be disabled, Remote Management will be enabled and Access Rules and Content Filter will be disabled.
Stateful Packet Inspection (SPI)
The Router's Firewall uses Stateful Packet Inspection to maintain connection information that passes through the firewall. It will inspect all packets based on the established connection, prior to passing the packets for processing through a higher protocol layer.
Denial of Service (DoS)
Protect internal networks from Internet attacks, such as SYN Flooding, Smurf, LAND, Ping of Death, IP Spoofing and reassembly attacks.
Block WAN Request
This feature is designed to prevent attacks through the Internet. When it is enabled, the Router will drop both the unaccepted TCP request and ICMP packets from the WAN side. The hacker will not find the Router by pinging the WAN IP address. If DMZ is enabled, this function will be disabled.
Remote Management
This Router supports remote management. If you want to manage this Router through the WAN connection, you have to 'Enable' this option. User can enter the port number for remote management.
HTTPS (HyperText Transfer Protocol Secure)
HTTPS is a secured http session. Users can enable HTTPS for secured management. HTTPS encrypts the communications among connected clients and servers to provide data confidentiality. The default is disabled.
(Note: If you will use the Linksys Quick VPN Client Software for allowing VPN Clients to connect to the RV042, please enable the HTTPS.)
Multicast Pass Through
IP Multicasting occurs when a single data transmission is sent to multiple recipients at the same time. Using this feature, the Router allows IP multicast packets to be forwarded to the appropriate computers.
Restrict WEB Features
RV042 supports the following filtering for web protocol. Block:
Java is a programming language for websites. Some web sites contain small programs, and it may be dangerous to run an unknown program on your machine. You can check the Java box to filter the Java Applets for security reasons, but you may take the risk of not having access to Internet sites which are created using this programming language if Java is blocked.
A cookie is data stored on your PC and used by Internet sites when you interact with them. Cookies are usually used to track visitors and store information about their personal preferences. You can check the Cookies box to block Cookies in order to maintain a higher level of anonymity on the Web.
ActiveX is a programming language for websites. Some web sites contain small programs, and it may be dangerous to run an unknown program on your machine. You can check the ActiveX box to filter ActiveX for security reasons, but you may take the risk of not having access to Internet sites which are created using this programming language if ActiveX is blocked.
Access to HTTP Proxy Servers:
Use of Proxy Servers may compromise the Router’s security. You can check the box to enable proxy filtering, and it will disable access to any proxy servers.
Don’t block Java/ActiveX/Cookies to Trusted Domain:
If the box is checked, users can enter the web sites or IP address in Trusted Domain field, and the Router will not check the Java/ActiveX/Cookies in the Trusted Domain(s).
Click the Save Settings button when you finish the settings, or click the Cancel Changes button to undo your changes.
As always, edits, corrections, comments and questions are welcome and encouraged!