CDRouter Support

The CDRouter Security Test List

quick-start-guide version 11.1

Overview

The CDRouter Security Test List is a collection of over 200 test cases designed to cover a basic set of security best practices and harden your devices against many known vulnerabilities.

Highlights include:

  • Nmap port scanning, which identifies open services that may not need to run by default, plus reveals how your device will appear to OS detection scans
  • Firewall feature testing
  • Hardening of the DUT web GUI (use of credentials, secure connections, etc.)
  • Testing for known vulnerabilities like heartbleed, TR-069 connection request abuse, code injection in management protocols, denial-of-service, and more
  • Firewall and port scan tests specific to DOCSIS CM devices
  • IETF RFC 6092 (simple security in IPv6 gateways)
  • Tests run over both IPv4 and IPv6

The CDRouter Security Test List is a great starting point for new users or users who have been considering an audit of their device security, in an easy to use list that can be run immediately in CDRouter 11.1 or later.

Expected Results

Most devices should pass the majority of the test cases in the CDRouter Security List.

Failures should be investigated and may indicate that there are security-related issues or vulnerabilities present within the device under test (DUT).

Failures may be the result of setup or configuration issues within the DUT and should be addressed and/or understood before performing additional, more complex, testing with CDRouter.

Test Setup & Configuration

Many IPv4 specific tests in the CDRouter Security Test List will run without any additional configuration on the DUT or within the CDRouter.

From CDRouter’s perspective, the only requirements are that the LAN and WAN test interfaces within the CDRouter configuration file are properly defined. By default, CDRouter’s LAN and WAN test interface are set to eth1 and eth2, respectively:

testvar lanInterface eth1
testvar wanInterface eth2

If the DUT is connected to CDRouter using different interfaces, the lanInterface and wanInterface must be properly configured.

Note that some tests will require additional configuration based on the capabilities of the DUT.

For example, to run the IPv6 related test cases IPv6 must be enabled within the DUT and an appropriate IPv6 capable configuration file must be used within CDRouter.

Installation

The CDRouter Security Test List is automatically installed with all CDRouter 11.1 or newer releases and can easily be included within new or existing test packages.

Please watch the following video for more information on using test lists within CDRouter:

Test Coverage

The CDRouter Security Test List provides coverage for core IPv4, IPv6, DOCSIS, and TR-069 functionality.

Some tests within the CDRouter Security Test List do require specific CDRouter add- ons. Please see the table below for the complete list of tests and required add- ons. CDRouter will automatically skip any tests in the CDRouter Security Test List if the required add-on(s) are not installed.

Test Module Description Number of Tests Required Add-Ons
firewall Firewall tests including port scans 9 CDRouter
firewall-out Firewall tests for limiting outbound access to services 3 CDRouter
firewall-v6 IPv6 Firewall tests including port scans 18 IPv6
firewall-v6-out IPv6 Firewall tests for limiting outbound access to services 3 IPv6
ssl SSL related test cases 2 CDRouter
dos Common denial of service attacks against routers 10 CDRouter
heartbleed Heartbleed vulnerability tests for CVE-2014-0160 3 CDRouter
rfc6092 IETF RFC 6092 simple security in IPv6 gateway CPE tests 31 IPv6
tr69_conn_req TR-069 tests for TCP connection requests 14 TR-069
nmap Nmap based IPv4 portscan tests from the LAN side of the device 16 Nmap
nmap-v6 Nmap based IPv6 portscan tests from the LAN side of the device 16 Nmap, IPv6
nmap-wan Nmap based IPv4 portscan tests from the WAN side of the device 16 Nmap
nmap-wan-v6 Nmap based IPv6 portscan tests from the WAN side of the device 16 Nmap, IPv6
firewall-docsis Firewall tests including port scans against the CM 6 DOCSIS
firewall-docsis-v6 IPv6 firewall tests including port scans against the CM 6 DOCSIS, IPv6
nmap-docsis Nmap based IPv4 portscan tests from the WAN to the CM 16 Nmap, DOCSIS
nmap-docsis-v6 Nmap based IPv6 portscan tests from the WAN to the CM 16 Nmap, DOCSIS, IPv6
upnp UPnP tests for routers that support IGDv1/IGDv2 devices 2 CDRouter
upnp-v6 IPv6 UPnP tests for routers that support IGDv1/IGDv2 devices 2 IPv6

Contents

×

About CDRouter

CDRouter is made by QA Cafe, a technology company based in Portsmouth, NH.

Get in touch via our Contact page or by following us on your favorite service: