Securing Networks with Mikrotik Router OS

Upload: alejandro-daricz

Post on 21-Feb-2018


TRANSCRIPT

  • 7/24/2019 Securing Networks With Mikrotik Router OS

    2006-2012 WirelessConnect.eu

    Securing Networks with Mikrotik Router OS

    Speaker: Tom Smyth, CTO Wireless Connect Ltd

    Location: Dubai

    Date: #$%&$%#&'#

  • Wireless Connect Ltd

    Irish Company Incorporated in 2006

    Operate an ISP in the centre of Ireland.

    Good Infrastructure Expertise.

    Certified MikroTik Partners

    Training

    Certified OEM Integrators

    Consultants

    Value Added Reseller

  • Speaker Profile:

    Studied BEng. Mechanical & Electronic Engineering, DCU Ireland

    Has been working in Industry since 2000

    Server Infrastructure Engineer

    Systems / Network Administrator

    Internet Security Consultant

    1st MikroTik Certified Trainer in June 2007 in Ireland

  • Security Information sources

    ENISA - http://www.enisa.europa.eu/

    OWASP http://owasp.org

    Rits Group - http://www.ritsgroup.com/

    SANS Institute - http://sans.org

    CIS Centre for Internet Security - http://cisecurity.org/

    NIST Computer Security http://csrc.nist.gov/

    OpenBSD - http://OpenBSD.org/

    Spamhaus.org - http://spamhaus.org

    nmap.org - http://nmap.org

    ha.ckers.org - http://ha.ckers.org/

  • Router OS

    Highly Versatile

    Highly Customisable

    Highly Cost Effective

    Allows one to manage Security Threats in many Ways

  • What Can MikroTik Router OS Do ?

    It is a Stateful

  • Stateful Firewalls

    Enhance security by monitoring requests and enforcing that only legitimate responses to legitimate requests are allowed.

    All other Traffic is either malicious or due to misconfiguration

    Protect the router / customer from attacks such as DNS Cache Poisoning Attacks

    Keep every Stateful rule near the top of the firewall rule set

    Allow Established Connections on forward, input and Output Chains

    Allow Related Connections on forward, input and Output Chains

    Drop Invalid Connections on forward, input and Output Chains

    All New Requests ( non layer 7 ) will be filtered after the rules above

    See MUM 2010 & MUM 2011 Presentations for More information
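
The rule ordering from this slide written out as RouterOS firewall configuration. This is an added example, not taken from the presentation; it assumes RouterOS v6 command syntax, and the interface name `ether2-lan`, the subnet 192.168.88.0/24 and the rules for new connections are hypothetical.

```routeros
# Added example (not from the slides). Assumes RouterOS v6 syntax.
# ether2-lan and 192.168.88.0/24 are hypothetical; adjust to your network.
/ip firewall filter

# 1. Stateful rules first, on all three chains.
add chain=input   connection-state=established action=accept comment="input: established"
add chain=input   connection-state=related     action=accept comment="input: related"
add chain=input   connection-state=invalid     action=drop   comment="input: invalid"
add chain=forward connection-state=established action=accept comment="forward: established"
add chain=forward connection-state=related     action=accept comment="forward: related"
add chain=forward connection-state=invalid     action=drop   comment="forward: invalid"
add chain=output  connection-state=established action=accept comment="output: established"
add chain=output  connection-state=related     action=accept comment="output: related"
add chain=output  connection-state=invalid     action=drop   comment="output: invalid"

# 2. Only packets that open a NEW connection reach the rules below, so an
#    unsolicited "reply" (for example a forged DNS answer) never matches an
#    accept rule above and is judged here as a new request.
add chain=input in-interface=ether2-lan src-address=192.168.88.0/24 \
    protocol=tcp dst-port=22,8291 action=accept comment="new: SSH/WinBox from LAN only"
add chain=input protocol=icmp action=accept comment="new: ICMP to the router"
add chain=input action=drop comment="new: everything else to the router"

add chain=forward in-interface=ether2-lan src-address=192.168.88.0/24 \
    action=accept comment="new: LAN clients may open connections"
add chain=forward action=drop comment="new: nothing else is forwarded"
```

Rules are evaluated top to bottom, so any service rule added later has to be placed before the final drop of its chain.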

  • Web Proxy

    Web Proxy is an Application Layer Gateway

    Understands HTTP, allows one to filter

    DNS names

    Urls

  • Enforcing a Web Proxy

    Having a Web Proxy is useless if you allow traffic to bypass the firewall.

    Corporate firewalls should:

    Block all traffic from clients directly out of the network

    Allow Clients to talk to the Proxy ( request pages)

    Allow only the Proxy traffic out of the network

    By blocking direct internet access you force users to use the proxy where the company has a lot more control over traffic and can protect the company / user from malicious content

  • Web proxy Security

    Always filter the External / publicly accessible interface of the Proxy. Otherwise you may have an Open Proxy

    Open Proxies are often used by attackers to hide their true identity, also can be used in more serious illegal activity

    Reverse Proxies that are open to the public should have a firewall between your internal network and the Proxy.

    Attackers could use your proxy to bounce to other internal systems' administration page
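
The proxy enforcement and open-proxy points from the two slides above as one RouterOS configuration. This is an added example, not taken from the presentation; it assumes RouterOS v6 syntax with the web proxy running on the router itself, and the names `ether1-wan`, `ether2-lan` and the subnet 192.168.88.0/24 are hypothetical.

```routeros
# Added example (not from the slides). Assumes RouterOS v6 syntax and the
# proxy running on the router. ether1-wan, ether2-lan and 192.168.88.0/24
# are hypothetical names.
/ip proxy
set enabled=yes port=8080

# Proxy access list: only internal clients may request pages.
/ip proxy access
add src-address=192.168.88.0/24 action=allow comment="LAN clients"
add action=deny comment="everyone else"

/ip firewall filter
# Filter the publicly accessible side so the router is never an open proxy.
add chain=input in-interface=ether1-wan protocol=tcp dst-port=8080 \
    action=drop comment="proxy closed on WAN"

# Allow clients to talk to the proxy.
add chain=input in-interface=ether2-lan src-address=192.168.88.0/24 \
    protocol=tcp dst-port=8080 action=accept comment="clients to proxy"

# Block all traffic from clients directly out of the network. Traffic the
# proxy fetches on their behalf uses the output chain, not forward.
add chain=forward in-interface=ether2-lan out-interface=ether1-wan \
    action=drop comment="no direct client traffic out"

# Allow only the proxy's own requests out of the network.
add chain=output out-interface=ether1-wan protocol=tcp dst-port=80,443 \
    action=accept comment="proxy traffic out"
```

These rules belong after the stateful rules and before any final drop rule of the same chain.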

  • Risky Reverse Proxy Deployment

  • Internal Network protected by Firewall

  • MikroTik Socks Proxy

    Allows Proxying of TCP Services

    Operates at Layer 5

    Can offer increased security by breaking the direct connection between a Client and a server

    Useful for TCP Services only

    Can be used to Circumvent Company Policy if Socks Proxy is not sufficiently Protected with

  • DNS Cache / DNS Proxy

    MikroTik can not only cache DNS Requests it can provide a DNS

  • Setting Up a DNS Filter

    Available in the IP / DNS Menu

  • Filter Known Attack Sites

    Users can Opt in by using your DNS Server /

  • Enforcing a DNS Policy

    Requests to other DNS Servers that traverse the firewall are redirected (DST NATed) to the DNS
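
The DNS filter and the redirect of outside DNS requests described on the last three slides, as a RouterOS configuration. This is an added example, not taken from the presentation; it assumes RouterOS v6 syntax, and the interface names, the upstream resolver address and the blocked host names are constructed placeholders.

```routeros
# Added example (not from the slides). Assumes RouterOS v6 syntax.
# ether1-wan, ether2-lan, 203.0.113.53 and the *.example.invalid names are
# constructed placeholders.

# The router answers DNS for clients and caches upstream replies.
/ip dns
set allow-remote-requests=yes servers=203.0.113.53

# DNS filter (IP / DNS menu): static entries are answered before the cache
# or the upstream server is consulted, so listed names resolve to a sinkhole.
/ip dns static
add name=malware.example.invalid address=127.0.0.1 comment="known attack site"
add name=phishing.example.invalid address=127.0.0.1 comment="known attack site"

# Enforce the policy: client requests aimed at any other DNS server are
# redirected (dst-nat) to the router's own DNS service.
/ip firewall nat
add chain=dstnat in-interface=ether2-lan protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force DNS policy (udp)"
add chain=dstnat in-interface=ether2-lan protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="force DNS policy (tcp)"

# allow-remote-requests listens on every interface, so close the public side.
/ip firewall filter
add chain=input in-interface=ether1-wan protocol=udp dst-port=53 \
    action=drop comment="resolver closed on WAN (udp)"
add chain=input in-interface=ether1-wan protocol=tcp dst-port=53 \
    action=drop comment="resolver closed on WAN (tcp)"
```

The redirect only catches plain DNS on port 53, and the filter rules have to sit before any final drop rule of the input chain.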

  • Alternatives to Firewall Filtering

    If we want to filter traffic going towards a destination for example

    Let us take a look at the Kernel where MikroTik Router OS Does its Magic

  • MikroTik Kernel Packet Flow

    It Seems all packets flowing to / through the router are processed using the routing table

  • Filtering Using Routes

    Most people are familiar with Routing as a tool to help traffic reach its destination

    These "Normal" routes are called Unicast routes

  • Enter the BlackHole Route

    BlackHole - the name from the astronomical phenomena where any object placed into the BlackHole will never leave.

    BlackHole - Discard the Packet Route

  • Other types of Discard Routes

    Black-Hole - Discard packet silently (similar to Drop in firewall)

    Prohibit - Discard the packet and Send an ICMP Admin Prohibited msg back to source of the packet (similar to Reject Admin Prohibited)

    Unreachable - Discard Packet and Send an ICMP Host Unreachable message back to the source of the packet

    Black Hole is most secure and incurs the least load on the router

  • Benefits of Blackholes over Forward filters

  • Black Hole Hardware Acceleration

    Routers with accelerated hardware for Routing ( Express forwarding / Route once Switch many) will see filtering off-loaded from CPU to ASICs.

  • Automating This Filter Technique

    Routing ... Automating Route Updates ?

  • Dynamic Routing

    OSPF

  • BGP.. Routing the world Along with MikroTik :)

  • BGP. Not Perfect, but Scalable

    Plot showing Active Routes on Internet

  • BGPv4 Basics

    Stands for Border Gateway Protocol

    Designed as an Inter-AS routing protocol

    Network topology is not exchanged, only reachability information.

    "This Prefix is reachable through my AS"

    Only protocol that can handle Internet's size networks

    Uses path vector algorithm

    MikroTik Supports BGPv4 R

  • BGP Transport

    Operates by exchanging NLRI (network layer reachability information).

    NLRI includes a set of BGP attributes and one or more prefixes with which those attributes are associated

    Uses TCP as the transport protocol (port 179)

    Initial full routing table exchange between peers

    Incremental updates after initial exchange

    (maintains routing table version)

  • Community

    Attribute that groups destinations

  • BGP Community

    32-bit value written in format "xx:yy" Where

    xx = AS Number

    yy = Community Option

    Gives customer more policy control

    Simplifies upstream configuration

    Can be used by ISPs for:

    AS prepending options

    Geographic restrictions

    Blackholing etc.

    Check Internet Routing Registry (IRR)

  • Communities In a nutshell

    Route Advertiser and Route Receiver ( ISP Admins ) discuss policies and exchange useful information, meaning of Policies etc.

    Route Advertiser (BGP out) sets communities according to some design / policy

    Various Communities are set and sent out with various routes...

    Route Receiver Admin sets Router Receiver to look for set communities in routes and implement policy based on the community.

    Now each ISP is implementing / continuing a policy as agreed with their peer

    .... BRILLIANT :)

  • Bogon BGP Feed

    Remember your MTCNA Training ? Remember the definition of a Bogon ?

    If you haven't a MTCNA - you could be missing out on lots of tips and techniques to make your job of running and expanding your network easier

  • Team Cymru ... Cool Internet Security Research Organisation

    Visit http://www.team-cymru.org

    They have lots of services that can be used to increase the security of your network

    They also have a free BGP

  • Teamcymru's Bogon web page

  • Bogon Feed Request

  • Cymru response

    We received 5565 bogon prefixes from CYMRU

    We used BGP Bogon community: 65332:888, no-export

    E-mail contact: noc@cymru.com

  • Bogon Feed Installed

  • Taking BGP Filtering to next Level

    Memory is an issue: full internet table is 800k routes (256M Ram needed for it alone). How many routes are being downloaded from your peer ?

    Cost of Memory going down :)

    Can use iBGP to distribute a policy within your entire network
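
The discard route types and the community-tagged bogon feed from the preceding slides, combined in one RouterOS configuration. This is an added example, not taken from the presentation; it assumes RouterOS v6 syntax, and the local AS, peer address, MD5 key, prefix limit and static prefixes are placeholders to be replaced with the values from the feed operator's response.

```routeros
# Added example (not from the slides). Assumes RouterOS v6 syntax.
# Placeholders: local AS 64512, peer address 203.0.113.1, the MD5 key,
# the prefix limit and the three static prefixes.

# Static discard routes, one per type described in the talk.
/ip route
add dst-address=192.0.2.0/24 type=blackhole comment="silent discard"
add dst-address=198.51.100.0/24 type=prohibit comment="ICMP admin prohibited"
add dst-address=198.18.0.0/15 type=unreachable comment="ICMP host unreachable"

/routing bgp instance
set default as=64512

# Accept only routes carrying the bogon community shown on the response
# slide and install them as blackholes; everything else from the feed is
# discarded, and nothing is announced back to it.
/routing filter
add chain=bogon-in bgp-communities=65332:888 set-type=blackhole \
    action=accept comment="bogon feed to blackhole"
add chain=bogon-in action=discard comment="ignore untagged routes"
add chain=bogon-out action=discard comment="announce nothing to the feed"

# remote-as here is the AS part of the community on the slide; confirm it
# and the peer address against the feed operator's response e-mail.
# max-prefix-limit bounds the memory a misbehaving session can consume.
/routing bgp peer
add name=bogon-feed remote-address=203.0.113.1 remote-as=65332 multihop=yes \
    in-filter=bogon-in out-filter=bogon-out tcp-md5-key="CHANGE-ME" \
    max-prefix-limit=10000
```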

  • Issues with Wide scale deployment

    One could use communities to differentiate between different kinds of threats

    The real question is .. how would these threats be assessed and added to the feed.. Transparency & a speedy appeals process would be an absolute requirement

    The Opt in nature model is good so people could opt to be protected if required. Can be useful for sensitive industries or sensitive collaboration networks

  • Communities Received from Cogent

    Routes announced to customers by Cogent will have one of the following communities associated with them:

  • Thank