These guidelines apply to the test equipment's LAN and WLAN/Wi-Fi Management ports, to minimize the chance of security breaches. Ethernet test ports are completely isolated and considered secure.
Never connect the LAN management port of any test set to a public IP address or to an unknown ("free") Wi-Fi access point! No device is safe without proper IT protection (e.g., firewall, etc.).
You will be surprised how quickly the first attack attempt happens once a device is connected directly to an Internet access port with a public IP address.
Organizations focusing on mitigating the increase in cyber-security threats may find that specialized test equipment presents unique IT challenges. These often arise from a lack of knowledge about their system/OS architecture and/or specific applications. Although a compromised test instrument might not directly impact an organization's production networks, reputation, or revenue, it can still malfunction, slow down, become unresponsive or crash. Recognizing the differences between test systems and standard IT systems is critical, as is considering the vital cyber-security measures and guidelines needed for their protection.
Most VeEX test sets use a highly customized version of Linux, as we disable all unnecessary services to limit possible attack vectors, which should reduce what hackers could do with them if they manage to gain access and control. However, modern hackers use highly automated tools and bots to scan networks for devices out in the open, and we all have to assume that any default passwords (published in manuals and user guides) are public knowledge. That is why it is important to (at least) change the default passwords to something unique and complex.
About Telecommunications Test Equipment
Ethernet test ports normally generate and terminate artificial test traffic, from/to an isolated FPGA, so they don't pose major risks and are generally considered safe, due to their limited, or lack of, connectivity with the rest of the world. So, the focus is on the Ethernet Management ports used for configuring, controlling and/or accessing these instruments. Except for always-on rack-mount instruments and servers (e.g. MPA, VeSion®, R-Server, RTU, RFTS, etc.), portable test sets are considered unmonitored network devices.
VeEX R&D teams routinely run security scans for our test sets, to identify any new kernel, drivers or security patches that may be required. We also review custom security scans customers share with us and take appropriate actions, to keep our products as secure as possible.
VeEX test equipment is considered a closed system, since it doesn't allow third-party software, app or driver installations. This is all done at system-level integration by our R&D teams. That helps limit exposure to malicious code injection.
For Cloud Services and SaaS solutions, VeEX relies on top tier 1 data center service providers, to ensure optimal security standards with their cloud-hosting infrastructure.
However, there is nothing more important than End Users and their Internet security training and awareness, which applies not only to test equipment, but to smartphones, tablets, PCs, routers, cameras, IoT devices, etc.
Basic Cyber Security Recommendations
- Never Connect the test equipment's Management BASE-T port to a Public IP address. Use a LAN port behind the cyber security wall, with all the network security protections, using private IP addresses. Use EZ-Remote or VPN to provide access to (external) remote users.
- Change the default passwords to your own unique strong passwords (e.g., VNC services, CLI/SCPI sessions, etc.). Root and admin level access and passwords are not available for VeEX's portable test sets.
- Keep the Telnet/SSH functionality disabled, unless the test equipment is being used in a secured/isolated scripting environment or if it has been explicitly requested by one of our customer support agents, for troubleshooting purposes.
- Keep the test equipment's software up to date, by downloading software install packages from their respective product web pages, using their built-in VeExpress client or searching for Software Updates. For older products' updates and support, refer to the Discontinued Products' page and End-of-Life policy.
- Always download software updates, software tools and apps from www.veexinc.com, VeExpress, R-Server, or links provided directly by VeEX or an authorized local partner. (Except for Apple and Google app stores, VeEX's software is not distributed by any third-party organizations.)
- Limit the security risks associated with USB memories - Don't plug in USB memory sticks you don't recognize, especially if they're found in public places, giveaways from events/conferences/tradeshows or sent to you unsolicited. Keep personal and business USB drives separate.
- Always report lost and stolen equipment to VeEX (Contact Us), and never buy VeEX test equipment from gray or black markets. VeEX keeps records of blacklisted (reported) equipment.
- Train end users to follow these guidelines and to always be aware of potential end point security situations and threats.
- Include test equipment in your network's scans and in your cyber-security risk, vulnerability and threat assessments, and report any concern to the manufacturers. (Contact Us.)
Note: VeEX's handheld test sets are not meant to be permanently connected and active on a network, for long periods of time, since they can't be managed by OT Cyber-Security systems. However, their non-test traffic and activity can be monitored and regularly scanned, following customers' cyber security guidelines.
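As an added illustration of the recommendations above (not VeEX code or tooling), the following Python sketch reviews the results of an organization's own scan of its test sets and flags management ports that are not on a private address, have Telnet/SSH enabled, or expose VNC. It assumes the scan was saved in nmap's grepable (-oG) format, that the services use their standard default ports (22, 23, 5900) and that addresses are IPv4; the sample lines are constructed.

```python
import ipaddress
import re

# Constructed sample input: nmap grepable (-oG) lines for three hypothetical
# test-set management ports. 203.0.113.45 is a documentation address.
SAMPLE_SCAN = """\
Host: 192.168.10.21 ()\tPorts: 22/closed/tcp//ssh///, 80/open/tcp//http///, 5900/open/tcp//vnc///
Host: 10.4.0.7 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (997)
Host: 203.0.113.45 ()\tPorts: 80/open/tcp//http///, 5900/open/tcp//vnc///
"""

# Private ranges are listed explicitly so the result does not depend on how a
# given Python version classifies special-purpose blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REMOTE_SHELL = {22: "SSH", 23: "Telnet"}   # assumed default ports
VNC_PORT = 5900                            # assumed default port
LINE_RE = re.compile(r"^Host: (\S+) .*?Ports: (.*)$")

def parse_grepable(text):
    """Return {host: set of open port numbers} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # comment or Status line
        ports_field = m.group(2).split("\t")[0]  # drop "Ignored State" etc.
        open_ports = set()
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 2 and fields[1] == "open":
                open_ports.add(int(fields[0]))
        hosts[m.group(1)] = open_ports
    return hosts

def audit(hosts):
    """Map each host to the recommendations it appears to violate."""
    findings = {}
    for host, ports in hosts.items():
        notes = []
        if not any(ipaddress.ip_address(host) in net for net in RFC1918):
            notes.append("management port is not on a private address")
        notes += [f"{name} is enabled" for p, name in REMOTE_SHELL.items() if p in ports]
        if VNC_PORT in ports:
            notes.append("VNC is reachable; confirm the default password was changed")
        if notes:
            findings[host] = notes
    return findings

if __name__ == "__main__":
    for host, notes in audit(parse_grepable(SAMPLE_SCAN)).items():
        print(host, "->", "; ".join(notes))
```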
Peer-to-Peer Wi-Fi Connection
Many of VeEX's test sets support Wi-Fi Access Point (AP) Mode, which allows users to establish a local isolated connection directly between the test set and a laptop, tablet or smartphone. Such a connection is terminated at both ends (test set and computer), without any external connection to the Internet. In this mode, users can use a standard web browser to connect to the Web Access and Web Remote functions of the test set, by entering the test set's IP address in the browser's address field.
- Web Remote (Control) - Allows users to operate test sets from a remote location, using any standard web browser from a PC/Mac/Linux, tablet or smartphone. No app required. It mirrors the content of the test set's screen on the PC and allows users to control the remote test sets as if they were touching the screen. Alternatively, users can use a trusted VNC client app to connect to the test set and control it.
- Web (Remote) Access - Access, manage and download test results, test profiles and screenshots. Once connected, users can View, Download, Delete, generate PDF, Search and Filter, directly on the test set from the remote PC/Tablet/Phone. (Software upgrade not available.)
This isolated operation mode is considered secure, since it is peer-to-peer.
Complying with Wi-Fi Restrictions
For environments that restrict the use of Wi-Fi and/or Bluetooth radios, VeEX test sets offer two main options:
- Some test sets use external USB Wi-Fi transceivers, which can be completely removed from the test sets, before entering the restricted facilities.
- Some test sets, with internal Wi-Fi chips, have the option to disable and completely turn OFF the radios. Some of these instruments can be ordered without internal Wi-Fi or Bluetooth hardware, as a factory option.
- Most test sets allow wired local connections with PCs or tablets, via USB cables and/or RJ45 Ethernet cables.