securing networks with mikrotik router os
TRANSCRIPT
-
7/24/2019 Securing Networks With Mikrotik Router OS
1/43
2006-2012 WirelessConnect.eu1
Securing Networks with Mikrotik Router OS
Speaker: Tom Smyth, CTO Wireless Connect Ltd. Location: Dubai. Date: #$%&$%#&'#
-
Wireless Connect Ltd
Irish Company Incorporated in 2006. Operate an ISP in the centre of Ireland.
Good Infrastructure Expertise.
Certified MikroTik Partners / Training
Certified OEM Integrators
Consultants / Value Added Reseller
-
Speaker Profile:
Studied BEng. Mechanical & Electronic Engineering, DCU, Ireland
Has been working in Industry since 2000
Server Infrastructure Engineer
Systems / Network Administrator
Internet Security Consultant
1st MikroTik Certified Trainer in June 2007 in Ireland
-
Security Information sources
ENISA - http://www.enisa.europa.eu/
OWASP - http://owasp.org
Rits Group - http://www.ritsgroup.com/
SANS Institute - http://sans.org
CIS Centre for Internet Security - http://cisecurity.org/
NIST Computer Security - http://csrc.nist.gov/
OpenBSD - http://OpenBSD.org/
Spamhaus.org - http://spamhaus.org
nmap.org - http://nmap.org
ha.ckers.org - http://ha.ckers.org/
-
Router OS
Highly Versatile
Highly Customisable
Highly Cost Effective
Allows one to manage Security Threats in many Ways
-
What Can MikroTik Router OS Do?
It is a Stateful
-
Stateful Firewalls
Enhance security by monitoring requests and enforcing that only legitimate responses to legitimate requests are allowed.
All other Traffic is either malicious or due to misconfiguration
Protect the router / customer from attacks such as DNS Cache Poisoning Attacks
Put the Stateful rules near the top of the firewall rule set:
Allow Established Connections on forward, input and Output Chains
Allow Related Connections on forward, input and Output Chains
Drop Invalid Connections on forward, input and Output Chains
All New Requests (non layer 7) will be filtered after the rules above
See MUM 2010 & MUM 2011 Presentations for More information
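The rule order described on this slide, written out as RouterOS v6 `/ip firewall filter` commands. This is an added example, not a configuration from the original slides; the interface names `ether1-wan` and `bridge-lan` and the "what may initiate" policy below the stateful rules are assumptions.

```routeros
# Added example (not from the slides). RouterOS v6 syntax; interface names are assumptions.
/ip firewall filter
# --- Stateful rules first, in all three chains ---
add chain=input   connection-state=established,related action=accept comment="stateful: replies to connections we already know"
add chain=input   connection-state=invalid action=drop   comment="stateful: not part of any tracked connection"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=output  connection-state=established,related action=accept
add chain=output  connection-state=invalid action=drop
# --- Everything reaching this point is connection-state=new: filter the requests ---
add chain=input   protocol=icmp action=accept comment="ping / traceroute / PMTU discovery"
add chain=input   in-interface=bridge-lan action=accept comment="router services (winbox, ssh, dns) from the LAN only"
add chain=input   action=drop comment="nobody else may start a conversation with the router"
add chain=forward in-interface=bridge-lan out-interface=ether1-wan action=accept comment="LAN may initiate to the internet"
add chain=forward action=drop comment="WAN may not initiate into the LAN"
```

`/ip firewall filter print stats` should show the established,related rules carrying almost all packets, and `/ip firewall connection print` shows the state table the rules consult. A DNS reply that does not match an outstanding query in that table never gets past the first two rules, which is the cache-poisoning point made above. One caveat: the `invalid` drop also discards packets of a legitimate flow whose other direction the router never saw (asymmetric routing), so on a router that only sees one direction of traffic leave it out.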
-
Web Proxy
Web Proxy is an Application Layer Gateway. Understands HTTP, allows one to filter:
DNS names
Urls
-
Enforcing a Web Proxy
Having a Web Proxy is useless if you allow traffic to bypass the firewall.
Corporate firewalls should:
Block all traffic from clients directly out of the network
Allow Clients to talk to the Proxy (request pages)
Allow only the Proxy traffic out of the network
By blocking direct internet access you force users to use the proxy, where the company has a lot more control over traffic and can protect the company / user from malicious content
-
Web proxy Security
Always filter the External / publicly accessible interface of the Proxy. Otherwise you may have an Open Proxy.
Open Proxies are often used by attackers to hide their true identity; they can also be used in more serious illegal activity.
Reverse Proxies that are open to the public should have a firewall between your internal network and the Proxy.
Attackers could use your proxy to bounce to other internal systems' administration pages
-
Risky Reverse Proxy Deployment
-
Internal Network protected by Firewall
-
MikroTik Socks Proxy
Allows Proxying of TCP Services. Operates at Layer 5.
Can offer increased security by breaking the direct connection between a Client and a server
Useful for TCP Services only
Can be used to Circumvent Company Policy if Socks Proxy is not sufficiently Protected with
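The proxy enforcement and proxy exposure rules from the Web Proxy slides, plus the same protection applied to the SOCKS proxy, as one RouterOS v6 configuration. This is an added example, not configuration from the original slides; the LAN prefix `192.168.88.0/24`, the interface names `bridge-lan` and `ether1-wan`, and the proxy ports are assumptions.

```routeros
# Added example (not from the slides). RouterOS v6 syntax; addresses, interfaces and ports are assumptions.
/ip proxy
set enabled=yes port=8080
# Proxy-level access list: only the LAN may use the proxy, independent of the firewall
/ip proxy access
add src-address=192.168.88.0/24 action=allow comment="LAN clients"
add action=deny comment="everyone else, including anything arriving on the WAN side"

/ip socks
set enabled=yes port=1080
/ip socks access
add src-address=192.168.88.0/24 action=allow comment="LAN clients"
add action=deny

/ip firewall filter
# Clients may reach the proxy ports on the LAN interface only
add chain=input in-interface=bridge-lan protocol=tcp dst-port=8080,1080 action=accept comment="clients -> proxy"
# Never on the WAN interface: an unfiltered proxy port here is an open proxy
add chain=input in-interface=ether1-wan protocol=tcp dst-port=8080,1080 action=drop comment="no open proxy"
# No direct web access for clients: the only way out is via the proxy
add chain=forward in-interface=bridge-lan out-interface=ether1-wan protocol=tcp dst-port=80,443 \
    action=reject reject-with=icmp-admin-prohibited comment="direct web blocked, use the proxy"
# The proxy runs on the router itself, so its own requests leave through the output chain
add chain=output out-interface=ether1-wan protocol=tcp dst-port=80,443 action=accept comment="proxy -> internet"

# Optional: transparent mode, so browsers with no proxy setting are steered to it silently
/ip firewall nat
add chain=dstnat in-interface=bridge-lan protocol=tcp dst-port=80 action=redirect to-ports=8080 comment="transparent HTTP proxy"
```

The two `input` rules must sit above any catch-all `input action=drop` (use `place-before=` when adding them to an existing rule set). The transparent redirect only covers plain HTTP: a port 443 request cannot be rewritten this way and needs the browser configured to send `CONNECT` to the proxy. The `/ip proxy access` and `/ip socks access` lists are the second layer the slide asks for: if a firewall rule is ever mis-ordered, the proxy still refuses clients outside the LAN.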
-
DNS Cache / DNS Proxy
MikroTik can not only cache DNS Requests, it can provide a DNS
-
Setting Up a DNS Filter
Available in the IP / DNS Menu
-
Filter Known Attack Sites
Users can Opt in by using your DNS Server /
-
Enforcing a DNS Policy
Requests to other DNS Servers that traverse the firewall are redirected (DST NATed) to the DNS
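The DNS cache, the static filter entries for known attack sites, and the DST-NAT enforcement from the last four slides, as one RouterOS v6 configuration. This is an added example, not configuration from the original slides; the upstream resolver `198.51.100.53`, the sinkholed name `malware.example` and the interface names are assumptions.

```routeros
# Added example (not from the slides). RouterOS v6 syntax; addresses, names and interfaces are assumptions.
/ip dns
set allow-remote-requests=yes servers=198.51.100.53 cache-size=4096KiB
# Static entries are answered before the upstream is asked, so a known-bad name resolves to a sinkhole
/ip dns static
add name=malware.example address=127.0.0.1 comment="sinkhole: known attack site (placeholder name)"
add regexp=".*\\.malware\\.example" address=127.0.0.1 comment="and all of its subdomains"

# Enforce the policy: LAN queries aimed at any other resolver are DST-NATed to the router's own
/ip firewall nat
add chain=dstnat in-interface=bridge-lan protocol=udp dst-port=53 action=redirect to-ports=53 comment="stray DNS -> router"
add chain=dstnat in-interface=bridge-lan protocol=tcp dst-port=53 action=redirect to-ports=53

# allow-remote-requests=yes makes the router answer anyone who can reach port 53: close the WAN side
/ip firewall filter
add chain=input in-interface=ether1-wan protocol=udp dst-port=53 action=drop comment="no open resolver"
add chain=input in-interface=ether1-wan protocol=tcp dst-port=53 action=drop
add chain=input in-interface=bridge-lan protocol=udp dst-port=53 action=accept comment="LAN may query the cache"
add chain=input in-interface=bridge-lan protocol=tcp dst-port=53 action=accept
```

`:put [:resolve malware.example]` from the router's terminal returns `127.0.0.1`, and `/ip dns cache print` shows what clients have been asking for. The WAN-side drop matters as much as the filter itself: an open resolver is a ready-made amplifier for reflected DoS traffic. The redirect only catches classic port 53 queries; a client that ships its own resolver over TLS or HTTPS walks past it and needs a forward rule of its own.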
-
Alternatives to Firewall Filtering
If we want to filter traffic going towards a destination, for example, let us take a look at the Kernel where MikroTik Router OS Does its Magic
-
MikroTik Kernel Packet Flow
It seems all packets flowing to / through the router are processed using the routing table
-
Filtering Using Routes
Most people are familiar with Routing as a tool to help traffic reach its destination
These "Normal" routes are called Unicast routes
-
Enter the BlackHole Route
Blackhole - the name from the astronomical phenomenon where any object placed into the Blackhole will never leave.
Blackhole - Discard the Packet Route
-
Other types of Discard Routes
Black-Hole - Discard packet silently (similar to Drop in firewall)
Prohibit - Discard the packet and Send an ICMP Admin Prohibited msg back to source of the packet (similar to Reject Admin Prohibited)
Unreachable - Discard Packet and Send an ICMP Host Unreachable message back to the source of the packet
Black hole is most secure and incurs the least load on the router
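The three discard route types from this slide as RouterOS v6 `/ip route` entries, with the reverse-path check that turns a destination-based discard into a source-based one as well. This is an added example, not configuration from the original slides; the prefixes are documentation ranges used as placeholders.

```routeros
# Added example (not from the slides). RouterOS v6 syntax; the prefixes are placeholders.
/ip route
# Silent discard (like firewall action=drop): cheapest, and tells the sender nothing
add dst-address=203.0.113.0/24 type=blackhole comment="attacker range - blackholed"
# Discard and answer with ICMP admin-prohibited (like action=reject reject-with=icmp-admin-prohibited)
add dst-address=198.51.100.0/24 type=prohibit comment="policy: not reachable from here"
# Discard and answer with ICMP host-unreachable
add dst-address=192.0.2.0/24 type=unreachable comment="looks like an ordinary routing failure"

# A discard route only matches on destination, so packets *from* the attacker still arrive
# (only our replies vanish). With reverse-path filtering, a packet whose source falls under
# a blackhole route has no valid reverse path and is dropped on input, closing that side too.
# Assumption: verify on your RouterOS version before relying on it.
/ip settings
set rp-filter=strict

# Checks
/ip route print where type=blackhole
/tool traceroute 203.0.113.1
```

Longest-prefix match means a blackhole /24 beats a default route without any distance tweaking; only when the blackhole covers exactly the same prefix as a dynamically learned route does its `distance` need to be lower than that route's. `rp-filter=strict` also breaks legitimately asymmetric paths (two uplinks, traffic returning on the other one); `rp-filter=loose` is the usual compromise, and it still rejects sources that only match a blackhole.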
-
Benefits of Blackholes over Forward filters
-
Black Hole Hardware Acceleration
Routers with accelerated hardware for Routing (Express forwarding / Route once, Switch many) will see filtering off-loaded from CPU to ASICs.
-
Automating This Filter Technique
Routing ... Automating Route Updates?
-
Dynamic Routing
OSPF
-
BGP - Routing the world Along with MikroTik :)
-
BGP - Not Perfect, but Scalable
Plot showing Active Routes on Internet
-
BGPv4 Basics
Stands for Border Gateway Protocol. Designed as an Inter-AS routing protocol
Network topology is not exchanged, only reachability information: "This Prefix is reachable through my AS"
Only protocol that can handle Internet-size networks
Uses path vector algorithm
MikroTik Supports BGPv4
-
BGP Transport
Operates by exchanging NLRI (network layer reachability information).
NLRI includes a set of BGP attributes and one or more prefixes with which those attributes are associated
Uses TCP as the transport protocol (port 179)
Initial full routing table exchange between peers
Incremental updates after initial exchange (maintains routing table version)
-
Community
Attribute that groups destinations
-
BGP Community
32-bit value written in format "xx:yy" (16 bits each), where xx = AS Number, yy = Community Option
Gives customer more policy control
Simplifies upstream configuration
Can be used by ISPs for:
AS prepending options
Geographic restrictions
Blackholing etc.
Check Internet Routing Registry (IRR)
-
Communities In a nutshell
Route Advertiser and Route Receiver (ISP Admins) discuss policies and exchange useful information, meaning of Policies etc.
Route Advertiser (BGP out) sets communities according to some design / policy
Various Communities are set and sent out with various routes...
Route Receiver Admin sets Route Receiver to look for set communities in routes and implement policy based on the community.
Now each ISP is implementing / continuing a policy as agreed with their peer
.... BRILLIANT :)
-
Bogon BGP Feed
Remember your MTCNA Training? Remember the definition of a Bogon?
If you haven't a MTCNA - you could be missing out on lots of tips and techniques to make your job of running and expanding your network easier
-
Team Cymru ... Cool Internet Security Research Organisation
Visit http://www.team-cymru.org
They have lots of services that can be used to increase the security of your network
They also have a free BGP
-
Team Cymru's Bogon web page
-
Bogon Feed Request
-
Cymru response
We received 5565 bogon prefixes from CYMRU
We used BGP Bogon community: 65332:888, no-export
E-mail contact: noc@cymru.com
-
Bogon Feed Installed
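The bogon feed session from the last few slides as a RouterOS v6 configuration: a BGP peering to the feed, an inbound filter that accepts only routes carrying the bogon community and installs them as blackhole routes, and an outbound filter that announces nothing back. This is an added example, not configuration from the original slides; the local AS `64500`, router-id, peer address `198.51.100.10` and MD5 key are placeholders (the real peer details come from Team Cymru when the feed is requested), while the peer AS `65332` and community `65332:888` are the values the slides show.

```routeros
# Added example (not from the slides). RouterOS v6 syntax; local AS, router-id, peer address and key are placeholders.
/routing bgp instance
set default as=64500 router-id=192.0.2.1

/routing filter
# Inbound: only routes tagged with the agreed bogon community, installed as blackholes
add chain=bogons-in bgp-communities=65332:888 action=accept set-type=blackhole comment="bogon -> blackhole route"
add chain=bogons-in action=discard comment="anything without the bogon community is refused"
# Outbound: the feed peer gets nothing from us
add chain=bogons-out action=discard

/routing bgp peer
add name=cymru-bogons instance=default remote-address=198.51.100.10 remote-as=65332 \
    multihop=yes ttl=255 tcp-md5-key="shared-secret-from-cymru" \
    in-filter=bogons-in out-filter=bogons-out max-prefix-limit=20000 \
    comment="Team Cymru bogon feed (placeholder address)"

# Checks: session state, and how many blackholes the feed installed
/routing bgp peer print status
/ip route print count-only where type=blackhole
```

`max-prefix-limit` is the safety net: the slide reports 5565 prefixes, so a session that suddenly offers far more is either a feed change worth reading about or a peer that should be cut off, and the limit tears it down instead of installing the lot. The `no-export` the feed sets stops the bogons leaking to your eBGP peers but still lets them cross iBGP, so distributing the policy network-wide is a matter of putting the same `bogons-in` chain on every iBGP router. Check your own RFC 1918 usage before enabling: connected and static routes still win by longest match or distance, but a bogon entry that exactly covers an internal prefix reached only via a default route will blackhole it. RouterOS v7 replaces `/routing bgp peer` and `set-type=` with `/routing/bgp/connection` and filter rules of the form `if (bgp-communities includes 65332:888) { set blackhole yes; accept }`.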
-
Taking BGP Filtering to next Level
Memory is an issue: full internet table is 800k routes (256M RAM needed for it alone); how many routes are being downloaded from your peer?
Cost of Memory going down :)
Can use iBGP to distribute a policy within your entire network
-
Issues with Wide scale deployment
One could use communities to differentiate between different kinds of threats
The real question is .. how would these threats be assessed and added to the feed.. Transparency & a speedy appeals process would be an absolute requirement
The Opt-in nature of the model is good so people could opt to be protected if required. Can be useful for sensitive industries or sensitive collaboration networks
-
Communities Received from Cogent
Routes announced to customers by Cogent will have one of the following communities associated with them:
-
Thank you