Secure the Web Server

Steps to secure the WTI device web access

An internet facing web server can be the easiest way to control and configure a WTI Device, unfortunately its usually the focal point of hackers trying to get into your system.

There are a few steps you can take yo make sure that your WTI device and the Web Server live together in harmony.

First, via the CLI go to the web configuration section.

Login, enter /N, then enter 23, you should see this screen:

Web Server Configuration Screen

If you have not already created an SSL Certificate you can get the details here..

Our focal point of this tutorial are options 15, 16 ,and 17.

Harden Web Security:

This option when combined with TLS Modem will bolster the ciphers.

Off (RC4 and MEDIUM/HIGH ciphers enabled):, this obvious is only if you have legacy equipment connecting to a WTI device, it sohuld never be onncected directly to the internet with this setting. (Web server settings: SSLCipherSuite ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM)

Medium (MEDIUM/HIGH ciphers enabled): This option disables RC4 and enables the MEDIUM and HIGH ciphers. (Web Server settings: SSLCipherSuite ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:!RC4:+HIGH:+MEDIUM)

High (HIGH ciphers enabled or ECDHE ciphers if TLSv1.2 only): if TLS Mode is set to TLSv1 or TLSv1.1/TLSv1.2, will enable the HIGH ciphers in the web server. (Web Server settings: SSLCipherSuite ALL:!ADH:!aNULL:!eNULL:!LOW:!MEDIUM:!EXP:!RC4+RSA:+HIGH)

If TLS mode is setup TLSv1.2 will only enable the ECDHE (Elliptic Curve Diffie-Hellman key Exchange) in the web server. (Web Server Settings: SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256)

TLS Mode:

TLSv1: Any connection down to TLS V1.0 will be accepted.

TLSv1.1/TLSv1.2: Either TLSv1.1 or TSLv1.2 will be accepted, anything lower will be rejected.

TSLv1.2: Only TLSv1.2 connection will be acctepted, this mode when Harden Web Security is set to High will enable the ECDHE ciphers.

TRACE Method:

Off - Denies TRACE requests per RFC 2616, which disallows any request body to accompany the request.

On - Permits TRACE requests per RFC 2616, which disallows any request body to accompany the request