• Router,DrayOS 5

Configuring a DrayTek Router to Support Cyber Essentials Compliance

I. Product Setup Guides

Products:
Vigor 2136
Vigor 2763
Vigor 2765
Vigor 2766
Show all

Keywords:
Cyber Essentials
PCI Compliance
Security

Cyber Essentials is a UK government-backed certification scheme that helps organisations protect themselves against common cyber threats. As the network gateway, a DrayTek router plays an important role in supporting key Cyber Essentials requirements, including secure configuration, firewall protection, and controlled administrative access.

This guide outlines recommended DrayTek router settings to help support an organisation's Cyber Essentials compliance objectives. These recommendations should be implemented as part of a wider security strategy covering endpoints, user accounts, software updates, and malware protection.

Note: Compliance with Cyber Essentials cannot be achieved through router configuration alone. Organisations must ensure all Cyber Essentials requirements are addressed across their entire IT environment.

DrayOS 5

1. Ensure the Router’s Firmware is Up to Date

Cyber Essentials Requirement

Devices and software must be supported and receive security updates.

Recommended Configuration

  1. Log in to the DrayTek management interface.
  2. Navigate to System Maintenance > System Upgrade.
  3. Verify that the router is running the latest firmware version.
  4. Enable Send Firmware Notifications in the Notifications section.
  5. Establish a documented process to review firmware updates at least monthly.

2. Secure Admin Access

Cyber Essentials Requirement

Administrative accounts must be protected against unauthorised access.

Remove Default Credentials

  • Change all default passwords (admin user and Wi-Fi passwords).
  • Use strong, unique passwords for all administrative accounts.
  • Disable unused administrative accounts.

Restrict Management Access

Navigate to:

System Maintenance > Management

Configure:

  • HTTPS management only for LAN access.
  • Disable HTTP management.
  • Disable Telnet access.
  • Disable WAN access for all management services unless explicitly required.

Limit Management Sources

  • Restrict administration to specific external IP addresses using WAN access control.
  • Use VPN access for remote administration.

3. Configure Firewall Protection

Cyber Essentials Requirement

Internet-connected devices must be protected by a firewall.

Enable Stateful Packet Inspection

Navigate to:

Security > Firewall Filters > Default Filters

  • Verify that the DrayTek firewall is enabled.
  • Ensure a default deny rule exists for inbound traffic (WAN to LAN).

Review Open Ports

Navigate to:

  • NAT > Port Forwarding
  • NAT > DMZ Host
  • Security > Firewall Filters > IP Filters

Review:

  • Remove unnecessary port forwards.
  • Review and document all approved inbound services.
  • Only permit traffic required for business operations.

4. Secure Remote Access

Cyber Essentials Requirement

Remote access services must be securely configured.

Use VPN Services

DrayTek routers support:

  • IPsec VPN
  • WireGuard VPN
  • L2TP/IPsec
  • OpenVPN

Where possible:

  • Use WireGuard, IPsec, or OpenVPN for remote access connections.
  • Ensure strong encryption and authentication settings are enabled.
  • Disable VPN protocols not required by the organisation.
  • Regularly review VPN users and access permissions.

Implement Multi-Factor Authentication

  • Enable MFA for VPN access.

Restrict VPN Users

  • Grant access only to authorised users.
  • Remove dormant Teleworker VPN accounts promptly.

5. Disable Unnecessary Services

Cyber Essentials Requirement

Reduce attack surface by removing unnecessary services.

Recommended Configuration

Review and disable where not required:

  • UPnP
  • WAN management
  • Telnet
  • FTP services
  • Unused VPN protocols

6. Implement Network Segmentation

Cyber Essentials Best Practice

While not a mandatory Cyber Essentials requirement, network segmentation strengthens security.

Recommended Configuration

Using VLAN functionality:

  • Separate corporate devices from guest networks.
  • Separate IoT devices from business systems.
  • Restrict inter-VLAN communication where appropriate.

7. Enable Security Logging

Cyber Essentials Requirement

Organisations should be able to identify and investigate security events.

Recommended Configuration

Navigate to:

System Maintenance > Device Settings > Syslog

Configure:

  • Enable Syslog storage on an external server or USB device.

8. Backup Configuration Securely

Recommended Configuration

Navigate to:

System Maintenance > Backup & Restore

  • Perform regular configuration backups.
  • Store backups securely.
  • Protect backup files with appropriate access controls.

DrayOS 4

1. Ensure the Router’s Firmware is Up to Date

Cyber Essentials Requirement

Devices and software must be supported and receive security updates.

Recommended Configuration

  1. Log in to the DrayTek management interface.
  2. Navigate to System Maintenance > Firmware Upgrade.
  3. Verify that the router is running the latest firmware version.
  4. Establish a documented process to review firmware updates at least monthly.

2. Secure Admin Access

Cyber Essentials Requirement

Administrative accounts must be protected against unauthorised access.

Remove Default Credentials

  • Change all default passwords (admin user and Wi-Fi passwords).
  • Use strong, unique passwords for all administrative accounts.
  • Disable unused administrative accounts.

Restrict Management Access

Navigate to:

System Maintenance > Management

Configure:

  • HTTPS management only for LAN access.
  • Disable HTTP management for Internet access.
  • Disable Telnet access.
  • Disable WAN access for all management services unless explicitly required.

Limit Management Sources

  • Restrict administration to specific external IP addresses using WAN access control.
  • Use VPN access for remote administration.

3. Configure Firewall Protection

Cyber Essentials Requirement

Internet-connected devices must be protected by a firewall.

Enable Stateful Packet Inspection

Navigate to:

Firewall > General Setup > Default Rule

  • Verify that the DrayTek firewall is enabled.
  • Ensure the default action is set to Block.

Configure firewall exceptions as required:

Navigate to:

Firewall > Filter Setup

  • Create and apply rules permitting only necessary inbound and outbound traffic.
  • Review configured rules to ensure legitimate business traffic is allowed while unauthorised traffic remains blocked.

Review Open Ports

Navigate to:

  • NAT > Port Redirection
  • NAT > Open Ports
  • NAT > DMZ Host
  • Firewall > Filter Setup

Review:

  • Remove unnecessary port forwards.
  • Review and document all approved inbound services.
  • Only permit traffic required for business operations.

4. Secure Remote Access

Cyber Essentials Requirement

Remote access services must be securely configured.

Use VPN Services

DrayTek routers support:

  • IPsec VPN
  • WireGuard VPN
  • L2TP/IPsec
  • OpenVPN
  • PPTP
  • SSL VPN

Where possible:

  • Use WireGuard, IPsec, or OpenVPN for remote access connections.
  • Ensure strong encryption and authentication settings are enabled.
  • Disable VPN protocols not required by the organisation.
  • Regularly review VPN users and access permissions.

Implement Multi-Factor Authentication

  • Enable MFA for VPN access.

Restrict VPN Users

  • Grant access only to authorised users.
  • Remove dormant Teleworker VPN accounts promptly.

5. Disable Unnecessary Services

Cyber Essentials Requirement

Reduce attack surface by removing unnecessary services.

  • UPnP
  • WAN management
  • Telnet
  • FTP services
  • Unused VPN protocols

6. Implement Network Segmentation

Cyber Essentials Best Practice

While not a mandatory Cyber Essentials requirement, network segmentation strengthens security.

Recommended Configuration

  • Separate corporate devices from guest networks.
  • Separate IoT devices from business systems.
  • Restrict inter-VLAN communication where appropriate.

7. Enable Security Logging

Cyber Essentials Requirement

Organisations should be able to identify and investigate security events.

Recommended Configuration

Navigate to:

System Maintenance > SysLog / Mail Alert Setup

  • Enable Syslog storage on an external server or USB device.

8. Backup Configuration Securely

Recommended Configuration

Navigate to:

System Maintenance > Configuration Backup

  • Perform regular configuration backups manually or by enabling automatic backups to USB storage.
  • Store backups securely.
  • Protect backup files with appropriate access controls.

Add a comment to this article

In the below box, you can add comments which you consider might be helpful to other users reading this article:

(Will be shown on your comment)
(Optional, Not shown/published)


NOTE : All comments are reviewed before publication and may not be posted or may be redacted if the editors do not consider them helpful. The use of offensive or obscene language, copyrighted material, or advertising or promotion or linking to any other product or service is prohibited. By submitting your comment, you confirm that you are the original author and assign copyright of the content to DrayTek indefinitely and irrevocably.