ISP Wireless - Guide to Security for airOS Devices
This article discusses a few suggested best practices to secure your airOS devices. The best practices discussed are just the minimum suggested, any extra precautions are encouraged.
Keep Firmware Up to Date
One of the most important steps will be to keep your airOS firmware up to date. Using out of date firmware poses a significant risk as they will not include patches for identified security holes. If you would like to receive automatic notifications of new airOS firmware releases and security notices, you may opt-in on the Ubiquiti Community.
Note: airOS devices that can reach the Internet and have valid DNS servers will show that an update is available in the Web UI, provided this feature has not been disabled.
Restrict Access
Restricting access is especially important for devices with public IP addresses. Restrict access to management interfaces such as SSH/HTTP/HTTPS via firewall or by disabling “Remote Management” on the Network tab.
Another option would be to use the built-in firewall to restrict access to management interfaces. This example shows an airOS devices in Router mode w/ WLAN port as WAN (Internet-facing).
Radio IP = 192.168.1.67 (This should be a public IP address)
Whitelisted/allowed IP = 1.1.1.1
airMAX M
airMAX AC - Router mode
As of v8.5.8+ firmware, airMAX AC devices in router mode can now add use an IP/Mask Access Control List (under WAN -> ACL) to whitelist remote IPs to allow remote access when Block Management Access is enabled.
airMAX AC - Bridge mode
Select the Correct Password
Use 8+ character non-dictionary administrator passwords. For additional complexity, change the username to something other than ubnt. Do so in the System tab.
Identify Infected Devices
Symptoms of an infected device may include:
- An inaccessible or corrupted web interface
- Increased traffic
- Management ports changed or disabled
- Custom scripts Detected warning message on Main airOS tab (see below)
If you are unsure if a device has been compromised, please contact our support team. If you would like to report a vulnerability you have discovered, please see Security Rewards information.
Wireless Security Types
Enabling secure access to the wireless interface is vitally important in ISP networks to keep devices only accessible by & securely managed by trusted administrators.
WPA2-AES (Recommended Security & Encryption)
WPA2 (Wireless Protected Access II) security mode with AES (Advanced Encryption Standard) type 256bit encryption. AES is also known as CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol). WPA2 is always recommended over its predecessor, WPA. And, generally speaking, WPA2-AES is recommended on all wireless networks for its combination of performance & security. This is because encryption occurs within the wireless hardware chip, the CPU/memory are not affected and highest data rates are achievable (MCS15 & MCS7 for 2x2 & 1x1 devices, respectively).
WPA2 is available with PSK (where you set a passkey) or EAP (Enterprise Authentication Protocol, for centralized management of access via credential-based security). Provided you use WPA2 with AES, either is acceptable in wireless ISP networks. Ubiquiti ISP wireless devices configured with EAP also supports either TTLS or PEAP w/ MSCHAP v2* authentication
Note: With EAP configured, airOS devices automatically detects which WPA2-Enterprise authentication protocol in use (TTLS or PEAP w/MSCHAP v2).
Open Network (Not Recommended)
While most Ubiquiti wireless devices do not support open network configuration, legacy airMAX M APs can be configured without wireless security (i.e., "open access") in case Wi-Fi guest networks are desired, or if paired with RADIUS MAC authentication & MAC ACL are used. But neither case offers real security, and is therefore not recommended.TKIP and WEP
TKIP & WEP (Not Recommended)
Note: TKIP and WEP modes were removed on version 5.6.1 because they were deemed not secure enough. As always, we recommend upgrading to the newest available firmware.