Security Best Practices
A secure installation depends on correct configuration, network design, and operational discipline. Failure to follow recommended practices may expose the device and connected networks to security risks. This page outlines recommended configuration and operational practices for deploying and operating WAVER devices in typical network environments. These recommendations should be applied based on the specific requirements of each installation.
Allocation of responsibilities, operational boundaries, and limitations are defined in the Security & Responsibility Statement.
1. Protect administrator access
Administrator credentials and privileges must be properly secured at all times.
Best practices:
- Change default passwords immediately after first login. (This step is mandatory and enforced by the setup Wizard.)
- Use strong, unique passwords for all accounts.
- Create only the administrator accounts that are strictly required.
- Remove or disable unused users.
- Administrative access should be performed over HTTPS using valid certificates.
- Avoid accessing the administrative interface from untrusted networks or shared devices.
- Always log out after completing administrative tasks.
- Administrative accounts provide full control over the device and should be limited to trusted personnel only.
2. Block inbound traffic from WAN
The device must not accept unsolicited inbound connections from the internet. Administrative interfaces must not be exposed directly to public networks.
Recommended settings:
- Enable Block ICMP (Ping) on WAN
- Enable Block Inbound Traffic
These settings reduce exposure to unsolicited external traffic and unauthorized access attempts, including:
- scanning the device
- discovering its presence
- attempting direct access from the internet
IMPORTANT: Management services must not be exposed through port forwarding or public IPs.
The device is designed to operate without any inbound WAN access to its management services. By default, WAVER devices do not require inbound access from the internet for normal operation.
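One way to confirm that these settings are effective is to test the WAN address of your own device from a host outside the network. The script below is an added example, not Wavertech code; the port list is an assumption, since this page does not state which ports the management services use.

```python
import socket

# Assumed list of common web/SSH management ports. Adjust it to the
# services actually enabled in your deployment.
ASSUMED_MGMT_PORTS = (22, 80, 443, 8080, 8443)


def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # a service accepted the connection
    except ConnectionRefusedError:
        return "closed"        # something on the path answered with a reset
    except OSError:
        return "filtered"      # timeout or unreachable: traffic was dropped


def audit_wan(host, ports=ASSUMED_MGMT_PORTS, timeout=3.0):
    """Probe each port and report which ones accept inbound connections.

    Only 'open' is treated as a finding. 'filtered' is the result expected
    when inbound traffic is silently dropped; 'closed' means no service is
    reachable, but a reply was sent, so the address is still discoverable.
    """
    results = {port: probe(host, port, timeout) for port in ports}
    exposed = sorted(p for p, state in results.items() if state == "open")
    return {"results": results, "exposed": exposed, "compliant": not exposed}


if __name__ == "__main__":
    import sys

    # Usage: python audit_wan.py <WAN address of your own device>
    report = audit_wan(sys.argv[1])
    for port, state in sorted(report["results"].items()):
        print(f"{port}/tcp {state}")
    # Non-zero exit code so the check can fail a scheduled job.
    sys.exit(0 if report["compliant"] else 1)
```

Run it again after any change to port forwarding, NAT, or upstream firewall rules, since those are outside the device's own settings.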
3. Remote access via cloud
If remote access to the device is needed, use the built-in cloud access feature. Cloud access allows remote management without opening inbound ports or assigning a public IP.
- Enable cloud access only when required.
- Disable cloud access when it is not actively used.
- Access should be restricted to authorized users and protected with strong credentials.
- Do not rely on cloud access as a permanent exposure method.
IMPORTANT: Remote access must not be implemented through port forwarding or direct exposure of the device to the public internet.
4. Keep firmware updated
Firmware updates are a critical part of maintaining device security and stability.
- Always run the latest available firmware version.
- Firmware updates may include security and stability improvements.
- Avoid long-term operation on outdated firmware.
- Firmware updates should only be applied from official Wavertech sources.
Keeping firmware up to date reduces exposure to known issues.
5. Physically secure the device
- Install the device in a restricted or locked area.
- Prevent unauthorized access to Ethernet ports, reset buttons, and power.
- Do not deploy the device in public or easily accessible locations.
Physical access can bypass network-level protections.
6. Network segmentation and isolation
Guest networks are treated as untrusted environments by design. Access to the device’s administrative interfaces from guest networks is restricted by the device, and guest users are limited to the captive portal interface. Management services are not exposed to guest users.
At the network level, WAVER devices enforce isolation between local network segments created by the device, such as the guest network and the LAN management network. This isolation is enabled by default. Certain local isolation behaviors may be adjusted by the administrator if required.
This isolation applies only to local network domains created and controlled by the device. Traffic reaching the device through external or upstream paths, including WAN-side routing, NAT, or operator-managed infrastructure, is outside the scope of this local isolation and remains the responsibility of the network operator.
This layered approach reduces exposure and helps limit lateral movement within the local environment.
7. Monitor activity and logs
- Periodically review device status and logs.
- Investigate unexpected configuration changes or reboots.
- Ensure only authorized personnel perform administrative actions.
Early detection reduces security risk.
8. Outbound device communications
The WAVER device may initiate outbound connections for:
- firmware update checks
- license verification
- product authenticity validation
These connections are initiated by the device and do not allow inbound access or remote administrative control.
For environments requiring isolation, please contact support@wavertech.com to obtain the list of required domains.
9. Backup configuration regularly
- Export configuration backups after initial setup and major changes.
- Store backups securely and offline.
- Verify backups before making significant configuration changes.
Backups allow fast recovery in case of failure or misconfiguration.
10. Data storage and retention
Guest and operational data generated by the device is stored locally on the device. Retention periods and data scope depend on the configuration and features enabled by the administrator. Administrators are responsible for configuring retention settings in accordance with applicable laws and internal policies. Where data retention is not required, administrators should regularly clear stored data or limit retention duration.





