RV042 Firewall Settings for Remote and Internet Management

The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done using a browser like Internet Explorer, Google Chrome or Firefox over an HTTP or HTTPS connection. For security purposes, it's important to consider the possibilities:
  • Access from the LAN side is likely safer than from the WAN (internet) side but may still need to be secured.
  • Access from the WAN (internet) side is "public" and needs to be secure.
There are at least two kinds of "security" that are possible:

1) It's important to select a combination of Username and Password for logging into the controls. In this case, both the Username AND the Password might be viewed as "passwords" as they both have to be entered correctly. There are plenty of good articles written about how to select passwords.

2) Unless one is willing to risk having their public login communications intercepted, the communications need to be encrypted. This is where HTTPS comes in. It's fair to say that WAN side communications, if actually public, must be encrypted. Internal LAN communications might have the same requirement, but often do not. There is almost no penalty for using HTTPS, so why not? [Well, there is an issue regarding security certificates when using HTTPS and that's described in a later section here.]

If you’re at all like me and any number of others, you’ll find the built-in Help for the RV042 GUI Firewall page to be a bit cryptic and confusing. So I undertook to map out the setting functions and interactions to understand the Management access aspects better. This involves the Firewall, Remote Management, Port and HTTPS settings.
[Image: RV042-Firewall-Annotated.jpg (annotated RV042 Firewall page)]
Here are the results that we get by entering all the combinations of Enable/Disable and some Port numbers:

RV042 Firewall Truth Table (firmware 1.3.12.19-tm)
1=Enabled   0=Disabled   Grayed out means unavailable   RM=Remote Management (WAN)
[Image: RV042-Firewall-WAN-Truth-Table.jpg]
[Image: RV042-Firewall-LAN-Truth-Table.jpg]
*Remote Management (RM) via HTTP Port 80 is allowed by default if the Firewall is Disabled, so it shows Enabled and is grayed out.
**The Port setting is only possible if the Firewall is Enabled. Otherwise the setting shows but is grayed out. The setting does nothing if the Firewall is Disabled.
***Port 99 was an arbitrary choice; some testing was done using Port 101 to confirm. It could be any suitable port.
****Explicit means addressing in the browser like this: http://192.168.1.1:443

Conclusions:
  • Enabling / Disabling HTTPS affects Remote Management and other things.
  • With HTTPS disabled, Remote Management works via HTTP (port 80), although it also works with HTTPS via port 443.
  • Remote and Local Management will work via HTTP if a port other than 80 or 443 is entered and used by the client (e.g. 99). So, with HTTPS disabled, communications can be encrypted (port 443) but can also be unencrypted (port 80 or the extra port).
  • If HTTPS is enabled, Remote Management will only work via HTTPS.
  • Setting a port number for Remote Management makes that port available on both the WAN and the LAN but doesn't disable Port 443 or, if allowed, Port 80.
  • If the Firewall, Remote Management and HTTPS are all enabled and a port other than 80 or 443 is entered, that port works on HTTPS on the WAN and on HTTP on the LAN. Port 443 is always HTTPS.
 
Guidance:
At this point, we boil down the results to create some common settings:

First, you need to decide whether you will allow Remote Management on the WAN – i.e. presumably over the Internet. If not, then you will Disable Remote Management. The Firewall page will look like this. DON'T FORGET TO SELECT SAVE at the bottom of the page!

(If you do this using a Remote Management connection on the WAN, you will lose your connection if not immediately then shortly thereafter depending on what you do).
[Image: RV042-Firewall-Disable-RM.jpg]
However, if you do want to provide management access on the WAN side of the router then you would Enable Remote Management and Enable HTTPS.
[Image: RV042-Firewall.jpg]
That's all there is to it for the WAN side.

For the LAN side, there is really nothing to be done other than choosing how to access from the browser. The LAN side will allow management access via either HTTP or HTTPS. In order to use HTTPS, you have to use an addressing form from the examples below to do that.

Some Notes about Browsers:
The address provided to a browser is usually the sole determinant whether HTTP or HTTPS is going to be used. The router determines whether HTTP or HTTPS will be allowed. So, a browser may use an address (using here the default RV042 LAN IP address of 192.168.1.1):
http://192.168.1.1 for HTTP where the browser will use Port 80 by default.
http://192.168.1.1:80 for HTTP
https://192.168.1.1 for HTTPS where the browser will use Port 443 by default.
https://192.168.1.1:443 for HTTPS
http://192.168.1.1:nnn for HTTP on the LAN where nnn is the Port number entered in the Firewall
https://192.168.1.1:nnn for HTTPS on the WAN
In effect, entering a port number in the Firewall simply opens another port for access to router Management.
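The truth-table conclusions and the address forms above can be turned into a small decision model, so that an intended configuration can be checked for plaintext WAN exposure before it is saved on the router. This is an added example written for this article, not Cisco or Linksys code and not a tool the router provides; it encodes only the behaviour the article reports for firmware 1.3.12.19-tm. The 203.0.113.1 WAN address is a documentation placeholder, and the model assumes the HTTPS setting applies whether or not the Firewall is enabled (the article does not test that combination).

```python
"""Decision model of RV042 management access as described in the article above.

Added example, not part of the article or the router firmware.  It encodes
the Firewall / Remote Management / HTTPS / Port interactions reported for
firmware 1.3.12.19-tm so a planned configuration can be checked before saving.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class FirewallConfig:
    firewall: bool               # Firewall Enabled / Disabled
    remote_mgmt: bool            # Remote Management (WAN) Enabled / Disabled
    https: bool                  # HTTPS Enabled / Disabled
    port: Optional[int] = None   # extra management port entered on the Firewall page

    def effective_remote_mgmt(self) -> bool:
        # With the Firewall Disabled the router shows RM as Enabled (grayed out).
        return True if not self.firewall else self.remote_mgmt

    def effective_port(self) -> Optional[int]:
        # The extra Port setting does nothing unless the Firewall is Enabled.
        return self.port if self.firewall else None


def parse_management_url(url: str) -> Tuple[str, int]:
    """Return (scheme, port) the browser will use; defaults are 80 / 443."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https: %r" % url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, port


def wan_access_allowed(cfg: FirewallConfig, url: str) -> bool:
    """Can this URL reach router management from the WAN (Internet) side?"""
    scheme, port = parse_management_url(url)
    if not cfg.effective_remote_mgmt():
        return False                          # RM Disabled: nothing on the WAN
    if port == 443:
        return scheme == "https"              # Port 443 is always HTTPS
    if port == 80:
        # Plain HTTP on port 80 only while HTTPS is Disabled
        return scheme == "http" and not cfg.https
    if port == cfg.effective_port():
        # Extra port: HTTPS on the WAN when HTTPS is Enabled, otherwise HTTP
        return scheme == ("https" if cfg.https else "http")
    return False


def lan_access_allowed(cfg: FirewallConfig, url: str) -> bool:
    """Can this URL reach router management from the LAN side?"""
    scheme, port = parse_management_url(url)
    if port == 443:
        return scheme == "https"
    if port == 80:
        return scheme == "http"
    if port == cfg.effective_port():
        return scheme == "http"               # the extra port is HTTP on the LAN
    return False


def wan_plaintext_exposure(cfg: FirewallConfig) -> List[int]:
    """Ports on which WAN-side management would answer over unencrypted HTTP.

    An empty list is what you want before enabling Remote Management."""
    candidates = [80]
    if cfg.effective_port():
        candidates.append(cfg.effective_port())
    # 203.0.113.1 is a documentation placeholder for the router's WAN address
    return [p for p in candidates
            if wan_access_allowed(cfg, "http://203.0.113.1:%d" % p)]


if __name__ == "__main__":
    planned = FirewallConfig(firewall=True, remote_mgmt=True, https=False, port=99)
    print("plaintext WAN ports:", wan_plaintext_exposure(planned))   # [80, 99]
    fixed = FirewallConfig(firewall=True, remote_mgmt=True, https=True, port=99)
    print("plaintext WAN ports:", wan_plaintext_exposure(fixed))     # []
```

Running the model on the "Enable Remote Management without HTTPS" case shows why the article's guidance pairs the two settings: port 80 and the extra port both answer in the clear on the WAN until HTTPS is enabled.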

Certificate Errors:
When using HTTPS, there's an unfortunate outcome with the RV042. For some reason, the security certificate isn't recognized as valid by the browser. I know of no solution for this. This is unfortunate because, since the browser cannot tell the router's own certificate from one presented by an interceptor, it would potentially allow for an undetectable man-in-the-middle attack. While this may not be a great concern when accessing the router Management over your LAN, it could be a concern if accessing the router over the internet on the WAN interface, even using HTTPS.
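Since the browser cannot validate the RV042 certificate, the practical mitigation is to record its fingerprint once over a connection you trust (for example on the LAN) and compare it on every later connection, particularly from the WAN; a changed fingerprint means either the router was reset or re-flashed or something is sitting between you and it. The script below is an added example written for this article, not part of it and not router firmware. The default LAN address 192.168.1.1 comes from the article; the pin-file name, the `fetch_der_certificate` helper and the hostname used in the example run are assumptions.

```python
"""Trust-on-first-use pinning for the RV042's self-signed management certificate.

Added example, not from the article or the router firmware.  The browser
cannot chain the certificate to a trusted CA, so we pin its SHA-256
fingerprint on first contact and alert when it changes later.
"""
import hashlib
import json
import os
import socket
import ssl
from typing import Dict

PIN_FILE = "rv042-pins.json"        # assumed file name for the pin store


def fingerprint_sha256(der_cert: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate (what browsers show)."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_der_certificate(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Retrieve the router's certificate without CA validation (we cannot
    validate a self-signed cert) so that it can be pinned or compared.
    Only the TLS handshake is performed; no HTTP request is sent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Caveat: very old firmware may only offer TLS versions / ciphers that a
    # modern OpenSSL refuses; lower ctx security settings only if the
    # handshake fails, and only for this pinning check.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_pin(der_cert: bytes, pins: Dict[str, str], host: str) -> str:
    """Return 'first-use', 'match' or 'MISMATCH', updating `pins` on first use.

    'MISMATCH' after a stored pin means the certificate changed: the router
    was reset / re-flashed, or the connection is being intercepted."""
    fp = fingerprint_sha256(der_cert)
    stored = pins.get(host)
    if stored is None:
        pins[host] = fp
        return "first-use"
    return "match" if stored == fp else "MISMATCH"


def load_pins(path: str = PIN_FILE) -> Dict[str, str]:
    if not os.path.exists(path):
        return {}
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def save_pins(pins: Dict[str, str], path: str = PIN_FILE) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(pins, fh, indent=2)


if __name__ == "__main__":
    host = "192.168.1.1"            # RV042 default LAN address; pin it from the LAN first
    pins = load_pins()
    result = check_pin(fetch_der_certificate(host), pins, host)
    save_pins(pins)
    print(host, pins[host], result)
```

Run it once from the LAN to record the pin, then before each WAN-side login; treat `MISMATCH` as a stop signal and find out why the certificate changed before entering the router password.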
 
Internet Explorer certificate errors:
[Image: HTTPS-There-is-a-problem-with-this-website]
If you've set up the router then presumably you expect to see this. The choice is to choose "Continue to this website".

Google Chrome certificate errors:
[Image: HTTPS-Your-connection-is-not-private.jpg]
If you've set up the router then presumably you expect to see this. The choice is to choose "Advanced" which will bring up this page:
[Image: HTTPS-Go-back-to-safety-Chrome.jpg]
And, here you need to choose "Proceed to [the router IP address] (unsafe)".

Firefox certificate errors will require you to save the router IP address as an exception in order to be able to access it via HTTPS. You will need to select "I Understand the Risks" and will get:
[Image: HTTPS-This-connection-is-untrusted-Firefox]
Then select "Add Exception" and get:
[Image: HTTPS-Exception-Firefox3.jpg]
The location should be the router IP address and you will need to "Confirm Security Exception". Then the Firefox rendition of the router login will appear.

RV042 Built-In Help for the Firewall page:
Firewall General (A copy of the RV042 Help)

From the Firewall Tab, you can configure the Router to deny or allow specific internal users from accessing the Internet. You can also configure the Router to deny or allow specific Internet users from accessing the internal servers.

You can set up different packet filters for different users that are located on internal (LAN) side or external (WAN) side based on their IP addresses or their network Port number.

Firewall
The default is enabled. If users disable the Firewall function, SPI, DoS, Block WAN Request will be disabled, Remote Management will be enabled and Access Rules and Content Filter will be disabled.

Stateful Packet Inspection (SPI)
The Router's Firewall uses Stateful Packet Inspection to maintain connection information that passes through the firewall. It will inspect all packets based on the established connection, prior to passing the packets for processing through a higher protocol layer.

Denial of Service (DoS)
Protect internal networks from Internet attacks, such as SYN Flooding, Smurf, LAND, Ping of Death, IP Spoofing and reassembly attacks.

Block WAN Request
This feature is designed to prevent attacks through the Internet. When it is enabled, the Router will drop both the unaccepted TCP request and ICMP packets from the WAN side. The hacker will not find the Router by pinging the WAN IP address. If DMZ is enabled, this function will be disabled.

Remote Management
This Router supports remote management. If you want to manage this Router through the WAN connection, you have to 'Enable' this option. User can enter the port number for remote management.

HTTPS (HyperText Transfer Protocol Secure)
HTTPS is a secured http session. Users can enable HTTPS for secured management. HTTPS encrypts the communications among connected clients and servers to provide data confidentiality. The default is disabled.
(Note: If you will use the Linksys Quick VPN Client Software for allowing VPN Clients to connect to the RV042, please enable the HTTPS.)

Multicast Pass Through
IP Multicasting occurs when a single data transmission is sent to multiple recipients at the same time. Using this feature, the Router allows IP multicast packets to be forwarded to the appropriate computers.

Restrict WEB Features
RV042 supports the following filtering for web protocol. Block:

Java: Java is a programming language for websites. Some web sites contain small programs, and it may be dangerous to run an unknown program on your machine. You can check the Java box to filter the Java Applets for security reasons, but you may take the risk of not having access to Internet sites which are created using this programming language if Java is blocked.

Cookies: A cookie is data stored on your PC and used by Internet sites when you interact with them. Cookies are usually used to track visitors, and store information about their personal preferences. You can check the Cookies box to block Cookies in order to maintain a higher level of anonymity on the Web.

Active X: Active X is a programming language for websites. Some web sites contain small programs, and it may be dangerous to run an unknown program on your machine. You can check the Active X box to filter the Active X for security reasons, but you may take the risk of not having access to Internet sites which are created using this programming language if Active X is blocked.

Access to HTTP Proxy Servers: Use of Proxy Servers may compromise the Router’s security. You can check the box to enable proxy filtering, and it will disable access to any proxy servers.

Don't block Java/ActiveX/Cookies to Trusted Domain: If the box is checked, users can enter the web sites or IP address in the Trusted Domain field, and the Router will not check the Java/ActiveX/Cookies in the Trusted Domain(s).

Click the Save Settings button when you finish the settings, or click the Cancel Changes button to undo your changes.

..............................
As always, edits, corrections, comments and questions are welcome and encouraged!
Expert Comment

by:Rolf Brauch
This is the first comprehensive and understandable explanation of the firewall settings I have come across. Thank you for taking the time to publish this. I'm having a devil of a time getting two RV045 running again after Apple discontinued the PPTP protocol (trying L2TP). I'm able to connect but have not been able to get the authorisation to work - it just sits there forever noodling for an eternity. Did you happen to publish an article on VPN client access?

Author Comment

by:Fred Marshall
No, I haven't published an article on VPN client access. All of my successful experience re: RV042 has been for site-to-site VPNs and not client-to-site VPNs. It's been a long time. I found that the tough cases are best tackled by putting both endpoints in the same room for system integration using a "model" or fake internet in between. But these days with remote access being common, that may not be necessary.

I've had better luck with Netgear client-to-site VPN situations more recently.

Expert Comment

by:Zhen Fury
The Certificate error will always be there because you need to buy an SSL Certificate for your public webpage to be recognized publicly. For the LAN you can provide a local cert, though this is not really an issue.
