The Digi family of companies provides a wide range of products that our customers use in thousands of different settings. Below we provide a list of security practices recommended by telecom carriers that are used to secure devices to communications networks. Depending on the device you have purchased from Digi, some of these practices may not be applicable and many of these pertain only to cellular based products. Should you have questions about any of these practices, please contact customer support.
- Change default passwords for device administration credentials. Password should follow a standard that defines minimum number of characters, type and number of characters required, and timeframe for expiration.
- Do not use the same password on more than one device. Passwords should be unique.
- Log out of any admin interface when finished with tasks. Do not leave open an admin interface when not in use.
- Disable remote management on the device if not needed. If remote admin is needed, restrict access to only known IP addresses.
- For administration of the router, use SSL/TSL or SSH whenever possible instead of plain unencrypted access.
- Keep firmware up to date to ensure security fixes/ patches are recent
- Isolate LAN or any other network that do not need to communicate together.
- Limit administrative access to the device to only those who require it. Build alternative user accounts with limited capabilities for others that need access to the device but not admin level rights.
- Disable any protocols or features that are not in use.
- Disable or restrict settings such as DHCP, ping, trace route, telnet, etc. to reduce visibility to attacks.
- Develop and comply with an acceptable usage policy for staff that describes what is permitted on the network and what best practices staff should follow.
- Place devices in locations that provide physical security. When possible, devices should not be in open areas where unauthorized individuals can gain physical access.
- Wired ports not in use should be disabled.
- When possible, ports in use should use 802.1x or MAC authentication to prevent unauthorized devices to connect to the network.
- Select the most secure features when possible (e.g., use AES instead of DES).
- Any real time clock on devices should be configured accurately. Connect devices to reliable NTP source.
- Disable any file sharing, NAS or USB ports/options.
- Maintain backups of device configurations.
- If wireless capabilities on devices are not used, disable feature.
- Change default SSID to a name that does not easily identify the device, company, brand, or location of the device.
- If the device supports wireless encryption, use the strongest wireless encryption. When possible, avoid using no encryption or WEP.
- Disable wireless access except when functionality is required.
- Disable WPS if supported on device.
Updated: March 24, 2023