Skip to content

@mkprz /uscert.feature
Last active

Embed URL

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
# I've been working off and on on a project to use a Wizard-like interface to configure
# SOHO wireless routers. I am targeting routers supporting openwrt's UCI. The idea is to
# enable the average user to make the most of their router by answering non-technical
# questions on how it will be used. The biggest weakness of my approach, what's
# called an Expert System in the AI field, is translating knowledge from domain-experts
# into code. I am attempting to solve this using Domain-specific Languages (DSL). Here
# is my first attempt using a DSL called Gherkin which is used by non-programmer business
# analysts to define software requirements.
# I've read that for a DSL to be successful, it must be both readable and writeable by the
# domain experts. With extra emphasis on the _readable_.
# This first attempt focuses on security. If this DSL works out, future feature files will
# focus on bandwidth, QoS, and niche use-cases. So what do you think?
# For an extreme example, *complete with formal logic verification*, in the Autonomous Node
# level of networking, see _Nettle_.
Feature: SOHO Security Mitigations as prescribed by the US Computer Emergency Readiness Team (US-CERT)
This feature serves as a base for securing common SO/HO routers
For full details, see http://www.us-cert.gov/sites/default/files/publications/HomeRouterSecurity2011.pdf
All scenarios make the following assumption: We are using the system to configure a single router
in a single-family residence or a small office setting.
Scenario: Change the default login username
Given the router uses the default manufacturer username
Then set the username to a non-default username
Scenario: Change the default login password
Given the router uses the default manufacturer password
Then set the password
And ensure the password is at least 14 characters long
And ensure the password is alphanumeric
Scenario: Change the default SSID
Given the router uses the default SSID name
Then set the SSID name
And ensure the SSID name is at least 8 characters long
And ensure the SSID name is alphanumeric
Scenario: Configure WPA2-AES for Enterprise
Given a RADIUS authentication server
And WPA2 compatibility for all devices in network
Then set security to WPA2-Enterprise
Scenario: Configure WPA2-AES for Personal
Given no RADIUS authentication server
And WPA2 compatibility for all devices in network
Then set security to WPA2-Personal
And set pre-shared key
Scenario: Configure WPA-AES for Enterprise
Given a RADIUS authentication server
And no WPA2 compatibility for all devices in network
Then set security to WPA-Enterprise
Scenario: Configure WPA-AES for Personal
Given no RADIUS authentication server
And no WPA2 compatibility for all devices in network
Then set security to WPA-Personal
And set pre-shared key
Scenario: Limit WLAN coverage
Given Wireless LAN
And stock antenna
Then centrally locate router
And adjust transmission power for area of coverage
Scenario: Turn network off when not in use
Given user expects regular periods of non-use
Then schedule periods to disable WLAN
Scenario: Disable UPnP
Given user expects regular periods of non-use
Then schedule periods to disable UPnP
Scenario: Upgrade firmware
Given firmware has security updates
Then schedule times to update firmware
Scenario: Use static IP addresses or limit DHCP reserved addresses
Given DHCP is enabled
Then set DHCP pool size to max number of expected devices in network
Scenario: Disable remote management
Given Remote Management is enabled
Then disable remote manangement
Scenario: Disable remote upgrade
Given TFTP is not needed
Then disable TFTP
Scenario: Disable DMZ
Given no hosts requiring internet access
Then disable DMZ
Scenario: Enable DMZ and Firewall
Given hosts requiring internet access
Then enable DMZ
And enable firewall
And enable hosts to connect to internet through firewall
Scenario: Disable unnecessary services
When no more user prompts in wizard configuration
Then determine services not needed
And disable services not needed
Scenario: Disable ping response
Given troubleshooting on router is not being done
Then disable ping response
Scenario: Enable router firewall
Given firewall is disabled
Then enable firewall
Scenario: Activate Stateful Packet Inspection (SPI) in firewall
Given SPI available
When firewall is enabled
Then enable SPI
Scenario: Create Whitelists in firewall
Given whitelist available
And user prefes whitelist over blacklist
When firewall is enabled
Then prompt user for websites to add to whitelist
And prompt user for ports to add to whitelist
And prompt user for services to add to whitelist
Scenario: Create Blacklists in firewall
Given blacklist available
And user prefes blacklist over whitelist
When firewall is enabled
Then prompt user for websites to add to blacklist
And prompt user for ports to add to blacklist
And prompt user for services to add to blacklist
Scenario: Logging
Given logging available
Then enable logging
And schedule log report review times
And set email address to send log reports at review times
Scenario: Monitor the wireless traffic
Given logging enabled
And WLAN enabled
Then email user when an unknown device attempts to join network
Scenario: Administrator workstations
Given user device is on a trusted network segment (LAN; not DMZ)
When user device attempts to run this configuration system
Then allow user device to administer the router
Scenario: Disable bridging and use network address translation (NAT)
Given NAT available
And bridging enabled
And bridging not needed
Then disable bridging
And enable NAT
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.