Slashdot Mirror


Germany Proposes Router Security Guidelines (zdnet.com)

The German government would like to regulate what kind of routers are sold and installed across the country. From a report: The German government published at the start of the month an initial draft for rules on securing Small Office and Home Office (SOHO) routers. Published by the German Federal Office for Information Security (BSI), the rules have been put together with input from router vendors, German telecoms, and the German hardware community. Once approved, router manufacturers don't have to abide by these requirements, but if they do, they can use a special sticker on their products showing their compliance. The 22-page document, available in English here, lists tens of recommendations and rules for various router functions and features.


  1. Re:Rule #1 - bad translation? by BenFranske · · Score: 5, Informative

    I think it's pretty clear they mean the router itself shouldn't have other services open. This is all about reducing router attack surface as they have become a popular target for botnets.

  2. Interesting by AmiMoJo · · Score: 5, Informative

    Some interesting stuff in that document.

    - By default the router must only offer DNS, ping response and a web interface to devices on the LAN. Seems like even UPnP is disabled.
    - Default SSID must not give anything away, such as the manufacturer of the router. Not sure what exactly the point is, considering that things like the MAC address reveal that.
    - Half decent default passwords.
    - Manufacturer must state how long they supply updates for and what severity level merits a patch.
    - IPv6 is optional.

    Seems rather basic to be honest.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Interesting by rpresser · · Score: 3, Informative

      The section they are speaking of is giving recommendations for the initial state of the router. "Don't turn on a web proxy when he gets it out of the box. Let him customize that later."

    2. Re:Interesting by Solandri · · Score: 5, Informative

      If you've been to Germany before WPS, every private router had the WiFi password enabled. There were no open WiFi hotspots emanating from homes. Indicating that Germans take the time to learn how to configure their router correctly. A set of requirements like those, disabling nearly everything by default, would work well in Germany to prevent the accidental misconfiguration. If you need a feature (like UPnP), you must enable it.

      Most of the rest of the world, people are too damn lazy to learn how to configure a router. (I'd draw an analogy to the clock on people's VCRs perpetually flashing 12:00, but I doubt half the readers would get that reference.) So router manufacturers have bent backwards to design something akin to one-touch configuration. Unfortunately that means every service you can think of has to be enabled by default, with only advanced users going in and disabling the stupid stuff.

      So yeah it's basic stuff. But it trades off usability for security. Not that I disagree with that philosophy, but the people who want to buy a router, not read the manual, push a single button to set it up, then forget about it forever are going to whine ceaselessly about this. It's just that there are very few such people in Germany.

    3. Re:Interesting by grumbel · · Score: 4, Informative

      "Indicating that Germans take the time to learn how to configure their router correctly."

      That's however not because Germans are so tech savvy, but because they are liable for what goes over their open WiFi. So everybody closes things down to avoid lawsuits and fines.

  3. Good idea by BringsApples · · Score: 5, Insightful

    The draft sets out to not only list what expectations/requirements routers will need, but it explains, in layman's terms, the reasoning behind it all. The best way to secure a thing is to properly educate those that are using it.

    --
    Politics; n. : A religion whereby man is god.
  4. Re:Rule #1 - bad translation? by Solandri · · Score: 3, Informative

    Also note that by specifying which services are to be left open, any router manufacturer which leaves in a secret backdoor would be in violation (looking at you Cisco).

  5. Actually, no. Obligatory XKCD. by Anonymous Coward · · Score: 3, Interesting

    xkcd: Free

    AVM, the maker of the most popular router "Fritz!Box" (and for good reasons), will have this on their boxes. Big and fat. They're the type of manufacturer who offers free updates to entirely new versions of their FritzOS, with all new features that the hardware can manage, even years later. Security patches often even are in the local tech news.
    Which means, everyone who doesn't have this certification, has even less of a chance of competing against them.

    There are people here, who pick their ISP based on who gives them the best FritzBox. Not even having a (maybe branded) FritzBox included, is often grounds for exclusion.

    Trust me, this will have an effect on the majority of people in Germany.
    (Provided AVM doesn’t already do all that’s demanded.)