NetBurner 3.5.6

Disable System Features

This NetBurner example application demonstrates how to disable various system networking features for enhanced security. It lets users disable features such as AutoIP, the Discovery Server, PING/Echo responses, and web services to reduce the attack surface and keep these services from appearing in network security scans.

Overview

The DisableSysFeatures application provides an interactive command-line interface to control system networking features that may be undesirable in production environments. By disabling these features, administrators can:

  • Close unnecessary network ports
  • Reduce visibility in network security scans
  • Minimize attack vectors
  • Implement security best practices for embedded devices

Features

System Settings Control

The application allows runtime configuration of the following networking features:

  • AutoIP: Automatic IP address assignment when DHCP is unavailable
  • Discovery Server: NetBurner's discover.netburner.com service registration
  • PING/Echo Responses: ICMP ping and UDP echo port responses
  • Configuration Persistence: Save changes to flash memory

Interactive Menu System

The application provides a simple command-line interface with the following options:

  1. Show current system settings
  2. Disable networking features
  3. Re-enable networking features
  4. Save configuration to flash memory

Configuration Options

AutoIP Disabling

ib->ip4.autoip = false;

Disables automatic IP address assignment, preventing the device from self-assigning an IP when DHCP is unavailable.

Discovery Server Disabling

ib->discovery_server = "";

Prevents the device from registering with NetBurner's discovery service at discover.netburner.com.

PING and Echo Response Disabling

ib->supress_default_responses = true;

Disables responses to ICMP ping requests and UDP echo port communications.

Web Server Control

Web services can be disabled by not calling the StartHttp() and StartHttps() functions in UserMain(). For HTTPS-only operation:

StartHttps(443, 0); // HTTPS on 443, HTTP disabled

Reference: void StartHttps(uint16_t ssl_port, uint16_t http_port) starts the HTTPS secure web server.

Configuration Server Control

The device configuration web interface can be disabled by removing the EnableSecureConfigServer() call, or configured for HTTPS-only access:

EnableSecureConfigServer(true); // HTTPS only
EnableSecureConfigServer(false); // Both HTTP and HTTPS

Reference: void EnableSecureConfigServer(bool bSec_Only) enables the minimal HTTP config server to operate over TLS.

Usage

Runtime Operation

  1. Compile and load the application onto your NetBurner device
  2. Connect via serial console
  3. Use the interactive menu to view and modify system settings
  4. Save changes to flash memory using the 'S' command

Commands

  • 1: Display current system settings
  • 2: Disable AutoIP, Discovery Server, and PING/Echo responses
  • 3: Re-enable all networking features
  • S: Save current configuration to flash memory
  • ?: Show command menu

Security Considerations

Network Hardening

This application is particularly useful for:

  • Production deployments requiring minimal network exposure
  • Environments with strict security scanning requirements
  • IoT devices that need to minimize their network footprint
  • Systems requiring compliance with security standards

Alternative Configuration Methods

These settings can also be configured through:

  • The device's Configuration Server web page (if enabled)
  • Direct modification of configuration parameters
  • Factory default settings

Application Structure

Key Components

  • showSystemSettings(): Displays current networking feature states
  • disableSystemSettings(): Disables AutoIP, Discovery Server, and PING/Echo
  • enableSystemSettings(): Re-enables all networking features
  • Interactive Menu Loop: Provides user interface for runtime control

Network Interface Management

The application uses the first available network interface (GetFirstInterface()) for configuration. For multi-interface systems, additional logic would be needed to select and configure specific interfaces.

Use Cases

Production Environments

  • Embedded systems requiring minimal network services
  • Industrial control systems with security requirements
  • IoT devices deployed in sensitive network environments

Security Testing

  • Verification of disabled services
  • Network security scan preparation
  • Compliance testing and validation

Development and Testing

  • Feature testing during development
  • Network behavior verification
  • Security configuration validation

Notes

  • Changes made through the application interface are runtime modifications
  • Use the 'S' command to persist changes to flash memory
  • Configuration Server access may be required for certain changes if the application interface is unavailable
  • Network security scans should be performed after disabling features to verify effectiveness