Due to recent news that the VPNFilter malware has caused Ubiquiti Networks to look at their network designs, device configurations and general operation security to make sure they are protected against the issue, as well as any others that may occur in the future.
Although recent airOS software is not at high risk of this attack, please see below some security practices Ubiquiti advise you follow:
Use Complex Login Credentials
Modern versions of airOS will prompt you to use reasonably-complex credentials in an attempt to avoid the use of default or simple credentials. By prompting the use of a complex set of credentials that meet defined character requirements, airOS attempts to help you secure your network devices without having to think about it.
If you manage a large number of devices through their web UI, consider using a password manager in your browser to remember and automatically fill in the complex credentials you set on each unit.
Remove Public Access
Limit access to the management interfaces of your network devices. Only those who are supposed to operate these devices should be able to access them, any devices that are accessible on the public internet are a prime targets for attacks from outside.
Take your network devices off of the public internet or limit management access to these devices such that only people within your private network can access them. This can be achieved using a firewall, and Ubiquiti will be adding a management whitelist feature to airOS in the future which will simplify configuring this on the airOS network device itself, without requiring an external firewall.
Disable or Block Unused Features
If you are not using features or other protocols which can communicate with external devices, turn them off. This can be done in two ways:
1) Disable the protocol or the feature that uses it on the network device itself.
2) Block these protocols at the border of your network using a firewall. If this communication is blocked at the network edge, the threat is gone.
Use Secure Protocols
Look at anywhere you are using HTTP in your network operations today. HTTP is unencrypted, and if a man in the middle were positioned correctly he may be able to intercept your credentials and use them to attack your network infrastructure. So where a secure alternative such as HTTPS is available, make sure it is used.
Once usage of the secure protocol is established, as mentioned above it is prudent to disable the insecure protocol to protect your network.
Keep your Software Up to Date
Check regularly to make sure the software operating on all of your network devices is up to date.
Block by Default
If you allow only the protocols, connections and users you need to, the opportunities for forgetting things you should’ve blocked are much smaller.
If you have any queries on network security and airOS visit the airMAX sections at community.ubnt.com