Professional Documents
Culture Documents
NETWORK SECURITY
o m
i . c
with
ob RouterOS
ho
a
sIP FIREWALL
ADVANCED and EXTRA CONDITIONS
MUM VIETNAM 2019
UXVILLE G. UNABIA
m
Inquirinity Corporation - Philippines
o
. c
MikroTik Certified Trainer
i
b
MikroTik Academy Coordinator
o
h o
MikroTik Academy Trainer
@uxville tycoonux
+639175910742 s a MTCNA | MTCRE | MTCUME | MTCTCE | MTCWE
s a
Partnered for a start-up WISP
i . c
OBJECTIVES
security
o b
h o
▪ A primer on MTCTCE certification
m
rules and are certainly significant however
NEED FOR
GRANULAR i . co
will be inefficient or at worst inapplicable on
o b
scenarios that would need to consider non-
POLICIES
h o
a
I P F I R E WA L L contiguous networks, unknown ports,
s content, time, connection rate - just to name a
few
m
Src. Address List Connection Rate
ADVANCED .
Dst. Address List
i c oPacket size
CONDITIONS o b
Layer 7 protocol TCP Flags
h o
a
I P F I R E WA L L Content ICMP Options
s Connection Bytes
o m
SRC/DST
c
multiple firewall rules
i .
ADDRESS LIST
b
Addresses could be entered statically or
o
ADVANCED CONDITIONS
h o
acquired dynamically and either remain in
o m
SRC/DST
c
▪ BOGON filtering
i .
ADDRESS LIST
b
▪ Port Knocking
o
ADVANCED CONDITIONS
h o
▪ Whitelisting
sa ▪ Blacklisting
o m
a connection or the first 2KB of a
LAYER 7
i . c
PROTOCOL
o b
connection and searches for the pattern in
ADVANCED CONDITIONS
h o
the collected data.
m
Network Security Use Cases:
o
LAYER 7
i . c
▪ File type filtering
PROTOCOL
o b
▪ Malware patterns
ADVANCED CONDITIONS
h o
sa Check for some
solutions/plugins
Made for MikroTik
o m
. c
for wildcard matching.
i
TLS-HOST
o b
Matcher will not be able to match
ADVANCED CONDITIONS
h o
hostname if TLS handshake frame is
o m
i . c
Network Security Use Cases:
TLS-HOST
o b
ADVANCED CONDITIONS
h o
▪ Block HTTPS (malicious) websites
sa
o m
i . c
CONTENT
o b
ADVANCED CONDITIONS
h o
sa
Will not work on encrypted or fragmented packet
o m
i . c
Network Security Use Cases:
CONTENT
o b
▪ Will form part as a solution in dealing
ADVANCED CONDITIONS
h o
a
with Brute Force attacks
s
MUM VIETNAM 2019
IMPLEMENTING NETWORK SECURITY
WITH MIKROTIK ROUTEROS IP FIREWALL 12
ADVANCED AND EXTRA CONDITIONS
o m
CONNECTION
. c
Matches packets if only a given amount of
i
BYTES
o b
bytes has been transferred through the
ADVANCED CONDITIONS
h o
particular connection – upload and download
sa
o m
traffic based on present speed of the
CONNECTION
i . c
RATE connection.
o b
ADVANCED CONDITIONS
h o
Works only with TCP and UDP traffic. You
a h
s baselines, it turn forms basis for any
network monitoring activities
o m
i . c
Matches packets of specified size or size
PACKET SIZE
o b
range in bytes
ADVANCED CONDITIONS
h o
sa Integer value from 0 to 65535
o m
Network Security Use Cases:
i . c
b
PACKET SIZE ▪ Prevent ICMP Attacks – ICMP
ADVANCED CONDITIONS
o o
tunnelling (injecting arbitrary data into
a h
s an echo packet)
o m
▪ ack
i . c
- acknowledging data
TCP FLAGS ▪ cwr
o b
- congestion window reduced
ADVANCED CONDITIONS
o m
Matches specified TCP flags
i . c
TCP FLAGS ▪ rst
o b
- drop connection
ADVANCED CONDITIONS
o m
Network Security Use Cases:
i . c
TCP FLAGS
o b
▪ Various combinations of TCP flags can
ADVANCED CONDITIONS
h o
indicated port scanner activity
sa
h o
▪ Type 8 - Echo
ECHO REPLY
o m
▪ Code 0
i . c
- Echo reply
ICMP OPTIONS
o b
o
ADVANCED CONDITIONS ▪ Code 3 - Destination Unreachable
m
▪ Allow typical ICMP messages
o
i . c
For PING – messages 0:0 and 8:0
ICMP OPTIONS
o b
o
ADVANCED CONDITIONS For TRACEROUTE – messages 11:0 and 3:3
Connection Limit
Limit
o m
EXTRA
i . c
CONDITIONS
Dst. Limit
o b
h
Time
o
a
I P F I R E WA L L
m
address block up to and including the given
o
CONNECTION value
i . c
LIMIT o b
Should be used together with connection-
EXTRA CONDITIONS
h o
sa state=new and/or with tcp-flags=syn
because this matcher is very resource
intensive”
o m
CONNECTION
i . c
LIMIT o b
Match until the connection limit of 50 is
EXTRA CONDITIONS
h o
sa reached per /32 IP address of network in the
src-address
o m
Rule using this matcher will match until this
i . c
LIMIT
o b
limit is reached.
EXTRA CONDITIONS
h o
Parameters are the following:
sa Rate Burst
Time Mode
o m
i . c
LIMIT
o b
Match until an average rate of 100 packets
EXTRA CONDITIONS
h o
sa per minute is reached, not counting the 5
burst packets
o m
exceeded. Rate is defined as packets per time
i . c
b
DST-LIMIT interval.
EXTRA CONDITIONS
o o
As opposed to the limit matcher, every flow
a h
s has it’s own limit.
Flow is defined by mode parameter
h oBurst
sa Limit By
Expire
o m
i . c
For every flow by dst. address, match until
DST-LIMIT
o b
EXTRA CONDITIONS
h o
an average rate of 100 packets per second is
o m
CONNECTION
c
Network Security Use Cases:
i .
LIMIT / LIMIT /
b
▪ DDoS Detection and Blocking
o
DST-LIMIT
h o
▪ Dealing with Brute Force attacks
a
EXTRA CONDITIONS
s
MUM VIETNAM 2019
IMPLEMENTING NETWORK SECURITY
WITH MIKROTIK ROUTEROS IP FIREWALL 32
ADVANCED AND EXTRA CONDITIONS
o m
i . c
TIME
o b
Allows to create a filter based on the packets
EXTRA CONDITIONS
h o
sa arrival time and date or for locally generated
packets, departure time and date
o m
i . c
Network Security Use Cases:
TIME
o b
EXTRA CONDITIONS
h o
▪ Time-based access rules
sa
o m
SRC/DST
i . c
ADDRESS TYPE
o b
Matches the source/destination address type
EXTRA CONDITIONS
h o
a
unicast IP address used for point to point transmission
s local
broadcast
multicast
IP address assigned to one of router’s interfaces
Packet is sent to all devices in subnet
Packet is forward to defined group of devices
o m
SRC/DST
. c
address – Block any packets (outside
i
ADDRESS TYPE
o b
your network) directed to the broadcast
EXTRA CONDITIONS
h o
address and Block outgoing packets
o m
i . c
PSD
b
WeightThreshold Total weight of the latest TCP/UDP scans
o
o
EXTRA CONDITIONS DelayThreshold Delay for the packets with different
h
destination ports coming from the same
m
Network Security Use Cases:
o
i . c
▪ Drop Port Scanners
PSD
o b
EXTRA CONDITIONS
h o
Implement PSD in the input chain (to protect
sa from) and
scanners)
forward chain (local port
Layer 7 Protocol
o m
https://mum.mikrotik.com//presentations/US
i . c
b
18/presentation_5365_1524221989.pdf
NOTABLE MUM
PRESENTATIONS
o o
TLS-HOST
a h
s
https://mum.mikrotik.com/presentations/CR1
8/presentation_5701_1532535774.pdf
o m
i . c
https://mum.mikrotik.com//presentations/ID1
NOTABLE MUM
b
6/presentation_3549_1476685233.pdf
o
PRESENTATIONS
h o
IDS – Limit, Port Knocking, PSD
sa https://mum.mikrotik.com/presentations/ID18
/presentation_5640_1540365379.pdf
o m
i . c
DoS – TCP Flags, Connection-Limit
NOTABLE MUM
o b
https://mum.mikrotik.com//presentations/CY1
PRESENTATIONS
h o
sa 5/Denial_of_Service_Attack.pdf
o o
https://mum.mikrotik.com
h
IP FIREWALL ADVANCED
AND EXTRA CONDITIONS
s a https://forum.mikrotik.com
THANK i . c YOU
b
NETWORK SECURITY
WITH MIKROTIK ROUTEROS
o o
h
IP FIREWALL ADVANCED
AND EXTRA CONDITIONS
s a