Router security findings
Unofficial
An extensive overview of router security guidelines is here: https://routersecurity.org/
Official
EU Cyber Resilience Act
The Cyber Resilience Act 🇪🇺 is a disruptive piece of legislation that establishes a set of cybersecurity requirements applicable to manufacturers of hardware and software products with digital components.
10/12/2024: The Cyber Resilience Act has now officially entered into force.
Starting in December 2027, hardware will have to comply with the CRA requirements in order to obtain a CE marking. The requirements are not particularly high.
It seems that the EU commissions security audits of popular consumer-grade routers from a Czech company, i46 s.r.o. They have reviewed about 5 models so far, including the TP-Link Archer AX73 v2 (US version): https://www.cyberresilienceact.eu/2024/06/13/cra-fast-check-tp-link-archer-ax73-v2/
More info: https://www.cyberresilienceact.eu/category/routers/
My requirements for a list of official requirements
I want the device to be certified as complying with some standard, and I want that standard to demand the highest level of security from the device. In particular, I want the standard to require a router to support:
- VLANs
- blocking outbound traffic on a per-device or per-VLAN level (prevents reverse tunnels such as ssh -R)
Security Requirements Guide (SRG)
Technology-specific SRGs reflect what a technology family SHOULD be capable of in order to be secured. The STIG author (vendor) assesses the SRG controls against a product, with one of four potential outcomes.
On 2024-07-17, DoD released the Router SRG, Ver 5, Rel 1 (download here: https://www.cyber.mil/stigs/downloads/).
Download STIG Viewer (https://www.cyber.mil/stigs/srg-stig-tools/) and open the downloaded SRG. It lists dozens of very technical security requirements, e.g.:
- V-207112: The router must be configured to have all inactive interfaces disabled.
- V-216978: The router must not be configured to have any feature enabled that calls home to the vendor.
- V-216978: The router must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
- V-220145: The router must not be configured to use IPv6 Site Local Unicast addresses.
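As an added illustration (not part of the original post, the SRG or STIG Viewer), a small Python checker for two of the controls above run against a constructed IOS-style configuration. The interface-stanza format is assumed to be Cisco-like, and treating "no IP addressing and not shut down" as "inactive" for V-207112 is an assumption, not the SRG's own check procedure.

```python
import ipaddress
import re
# Constructed sample of an IOS-style running config (not from the SRG):
# Gi0/2 is unconfigured but not shut down; Loopback0 carries a site-local address.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
!
interface Loopback0
 ipv6 address fec0:0:0:1::1/64
"""
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")  # site-local prefix, deprecated by RFC 3879

def parse_interfaces(config):
    """Map each 'interface X' stanza to the list of its indented config lines."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return stanzas

def check_inactive_interfaces(config):
    """V-207112 (assumed heuristic): no IP addressing and no 'shutdown' is a finding."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        addressed = any(l.startswith(("ip address ", "ipv6 address ")) for l in lines)
        if not addressed and "shutdown" not in lines:
            findings.append(name)
    return findings

def check_site_local(config):
    """V-220145: any static IPv6 address inside fec0::/10 is a finding."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        for line in lines:
            m = re.match(r"ipv6 address ([0-9a-fA-F:]+/\d+)", line)  # skips autoconfig etc.
            if m and ipaddress.IPv6Interface(m.group(1)).ip in SITE_LOCAL:
                findings.append((name, m.group(1)))
    return findings
```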
DoD STIGs
The Security Technical Implementation Guides (STIGs) are the configuration standards created by the Defense Information Systems Agency (DISA) for Department of Defense systems. The STIGs contain technical guidance to lock down information, systems, and software that might otherwise be vulnerable to a malicious computer attack, for example by limiting account access to a system.
The DISA Risk Management Executive (RME) has developed a process whereby original product developers/vendors can write Security Technical Implementation Guides (STIGs) for their products. Vendor STIGs must be written against a published DoD Security Requirements Guide (SRG).
STIG Viewer, which aggregates the publicly available, unclassified STIGs, has quarterly releases: https://stigviewer.com/stigs
Example of the required configuration for a Cisco IOS XR router: https://stigviewer.com/stigs/cisco_ios_xr_router_ndm
Approved Products List
There is a list of approved products curated by DoDIN, but it becomes deprecated on 30 September 2025: https://aplits.disa.mil/processAPList.action
The successor is vendor-released STIGs for particular models: https://www.cyber.mil/stigs/vendor-process