The CDRouter Security Test List
Overview
The CDRouter Security Test List is a collection of over 200 test cases designed to cover a basic set of security best practices and harden your devices against many known vulnerabilities.
Highlights include:
- Nmap port scanning, which identifies open services that may not need to run by default, plus reveals how your device will appear to OS detection scans
- Firewall feature testing
- Hardening of the DUT web GUI (use of credentials, secure connections, etc.)
- Testing for known vulnerabilities like heartbleed, TR-069 connection request abuse, code injection in management protocols, denial-of-service, and more
- Firewall and port scan tests specific to DOCSIS CM devices
- IETF RFC 6092 (simple security in IPv6 gateways)
- Tests run over both IPv4 and IPv6
The CDRouter Security Test List is a great starting point for new users or users who have been considering an audit of their device security, in an easy to use list that can be run immediately in CDRouter 11.1 or later.
Test Coverage
The CDRouter Security Test List provides coverage for core IPv4, IPv6, DOCSIS, and TR-069 functionality.
The tests are taken from the modules listed in the table below. Some tests within the CDRouter Security Test List do require specific CDRouter add-ons. Please see the table below for the complete list of tests and required add-ons. CDRouter will automatically skip any tests in the CDRouter Security Test List if the required add-on(s) are not installed.
The full list of test cases can be found in the “CDRouter-Security” testlist on the Packages page within CDRouter.
| Test Module | Description | Number of Tests | Required Add-Ons |
|---|---|---|---|
| firewall | Firewall tests including port scans | 9 | CDRouter |
| firewall-out | Firewall tests for limiting outbound access to services | 3 | CDRouter |
| firewall-v6 | IPv6 Firewall tests including port scans | 18 | IPv6 |
| firewall-v6-out | IPv6 Firewall tests for limiting outbound access to services | 3 | IPv6 |
| ssl | SSL related test cases | 2 | CDRouter |
| dos | Common denial of service attacks against routers | 10 | CDRouter |
| heartbleed | Heartbleed vulnerability tests for CVE-2014-0160 | 3 | CDRouter |
| rfc6092 | IETF RFC 6092 simple security in IPv6 gateway CPE tests | 31 | IPv6 |
| tr69_conn_req | TR-069 tests for TCP connection requests | 14 | TR-069 |
| nmap | Nmap based IPv4 portscan tests from the LAN side of the device | 16 | Nmap |
| nmap-v6 | Nmap based IPv6 portscan tests from the LAN side of the device | 16 | Nmap, IPv6 |
| nmap-wan | Nmap based IPv4 portscan tests from the WAN side of the device | 16 | Nmap |
| nmap-wan-v6 | Nmap based IPv6 portscan tests from the WAN side of the device | 16 | Nmap, IPv6 |
| firewall-docsis | Firewall tests including port scans against the CM | 6 | DOCSIS |
| firewall-docsis-v6 | IPv6 firewall tests including port scans against the CM | 6 | DOCSIS, IPv6 |
| nmap-docsis | Nmap based IPv4 portscan tests from the WAN to the CM | 16 | Nmap, DOCSIS |
| nmap-docsis-v6 | Nmap based IPv6 portscan tests from the WAN to the CM | 16 | Nmap, DOCSIS, IPv6 |
| upnp | UPnP tests for routers that support IGDv1/IGDv2 devices | 2 | CDRouter |
| upnp-v6 | IPv6 UPnP tests for routers that support IGDv1/IGDv2 devices | 2 | IPv6 |
Expected Results
Most devices should pass the majority of the test cases in the CDRouter Security List.
Failures should be investigated and may indicate that there are security-related issues or vulnerabilities present within the device under test (DUT).
Failures may be the result of setup or configuration issues within the DUT and should be addressed and/or understood before performing additional, more complex, testing with CDRouter.
Installation
The CDRouter Security Test List is automatically installed with all CDRouter 11.1 or newer releases and can easily be included within new or existing test packages.
Note that CDRouter will automatically overwrite this testlist whenever you update or reinstall CDRouter. If you’d like to modify or customize this testlist in any way, you should make a copy or create a new testlist from scratch.
Please watch the following video for more information on using
test lists within CDRouter, or read
How to Create and Run a
Testlist for
detailed instructions.
Test Setup & Configuration
Many IPv4 specific tests in the CDRouter Security Test List will run without any additional configuration on the DUT or within the CDRouter.
From CDRouter’s perspective, the only requirements are that the LAN and WAN test
interfaces within the CDRouter configuration file are properly defined. By
default, CDRouter’s LAN and WAN test interface are set to eth1 and eth2,
respectively:
testvar lanInterface eth1
testvar wanInterface eth2
If the DUT is connected to CDRouter using different interfaces, the lanInterface and wanInterface must be properly configured.
Note that some tests will require additional configuration based on the capabilities of the DUT.
For example, to run the IPv6 related test cases IPv6 must be enabled within the DUT and an appropriate IPv6 capable configuration file must be used within CDRouter.
