IP - Firewall - Advanced PDF

IMPLEMENTING
NETWORK SECURITY
o m
i . c
with
ob RouterOS
ho
a
sIP FIREWALL
ADVANCED and EXTRA CONDITIONS
MUM VIETNAM 2019
UXVILLE G. UNABIA
m
Inquirinity Corporation - Philippines
o
. c
MikroTik Certified Trainer
i
b
MikroTik Academy Coordinator
o
h o
MikroTik Academy Trainer
@uxville tycoonux
+639175910742 s a MTCNA | MTCRE | MTCUME | MTCTCE | MTCWE
CCSI | CCNP | CCNA | MCT | MCSA | FCT | NSE4

uxville.unabia@inquirinity.com UBWS | HCDA | CSSA | PCE | VMTSP
MUM VIETNAM 2019

Davao City, Philippines
ICT certification-based training center

o m
i . c
b
MikroTik Academy – Inquirinity Computer Academy
o
h o
Reseller of ICT products – MikroTik & others
s a
Partnered for a start-up WISP
System and Network consultation
MUM VIETNAM 2019

IMPLEMENTING NETWORK SECURITY
WITH MIKROTIK ROUTEROS IP FIREWALL 01
ADVANCED AND EXTRA CONDITIONS
▪ To list built-in MikroTik IP Firewall

capabilities in
o m
implementing network
i . c
OBJECTIVES
security
o b
h o
▪ A primer on MTCTCE certification
sa ▪ To look beyond network connectivity -

build and maintain secure networks
MUM VIETNAM 2019

General conditions form the basic firewall
m
rules and are certainly significant however
NEED FOR
GRANULAR i . co
will be inefficient or at worst inapplicable on
o b
scenarios that would need to consider non-
POLICIES
h o
a
I P F I R E WA L L contiguous networks, unknown ports,
s content, time, connection rate - just to name a
few
MUM VIETNAM 2019

m
Src. Address List Connection Rate
ADVANCED .
Dst. Address List
i c oPacket size
CONDITIONS o b
Layer 7 protocol TCP Flags
h o
a
I P F I R E WA L L Content ICMP Options
s Connection Bytes
MUM VIETNAM 2019

Allow or block multiple non-contiguous IP

address or networks without using
o m
SRC/DST
c
multiple firewall rules
i .
ADDRESS LIST
b
Addresses could be entered statically or
o
ADVANCED CONDITIONS
h o
acquired dynamically and either remain in
sa disk permanently or removed after a

specific timeout
MUM VIETNAM 2019

Network Security Use Cases:
o m
SRC/DST
c
▪ BOGON filtering
i .
ADDRESS LIST
b
▪ Port Knocking
o
ADVANCED CONDITIONS
h o
▪ Whitelisting
sa ▪ Blacklisting
MUM VIETNAM 2019

L7 matcher collects the first 10 packets of
o m
a connection or the first 2KB of a
LAYER 7
i . c
PROTOCOL
o b
connection and searches for the pattern in
ADVANCED CONDITIONS
h o
the collected data.
sa L7 matcher is very resource intensive and

can’t identify protocols in SSL tunnels
MUM VIETNAM 2019

m
o
LAYER 7
i . c
▪ File type filtering
PROTOCOL
o b
▪ Malware patterns
ADVANCED CONDITIONS
h o
sa Check for some
solutions/plugins
Made for MikroTik
MUM VIETNAM 2019

“Allows to match HTTPS traffic based on

TLS SNI hostname. Accepts GLOB syntax
o m
. c
for wildcard matching.
i
TLS-HOST
o b
Matcher will not be able to match
ADVANCED CONDITIONS
h o
hostname if TLS handshake frame is
sa fragmented into multiple TCP segments

(packets)”
MUM VIETNAM 2019

o m
i . c
TLS-HOST
o b
ADVANCED CONDITIONS
h o
▪ Block HTTPS (malicious) websites
sa
MUM VIETNAM 2019

Match packets that contain specified text
o m
i . c
CONTENT
o b
ADVANCED CONDITIONS
h o
sa
Will not work on encrypted or fragmented packet
MUM VIETNAM 2019

o m
i . c
CONTENT
o b
▪ Will form part as a solution in dealing
ADVANCED CONDITIONS
h o
a
with Brute Force attacks
s
MUM VIETNAM 2019
o m
CONNECTION
. c
Matches packets if only a given amount of
i
BYTES
o b
bytes has been transferred through the
ADVANCED CONDITIONS
h o
particular connection – upload and download
sa
MUM VIETNAM 2019

“A firewall matcher that allows to capture
o m
traffic based on present speed of the
CONNECTION
i . c
RATE connection.
o b
ADVANCED CONDITIONS
h o
Works only with TCP and UDP traffic. You
sa need to specify protocol to activate these

options”
MUM VIETNAM 2019


▪ Although
o m
implementation is more
CONNECTION
i . c
b
towards traffic prioritization, it could be
BYTES/RATE
ADVANCED CONDITIONS a
o o
significant part of establishing
a h
s baselines, it turn forms basis for any
network monitoring activities
MUM VIETNAM 2019

o m
i . c
Matches packets of specified size or size
PACKET SIZE
o b
range in bytes
ADVANCED CONDITIONS
h o
sa Integer value from 0 to 65535
MUM VIETNAM 2019

o m
i . c
b
PACKET SIZE ▪ Prevent ICMP Attacks – ICMP
ADVANCED CONDITIONS
o o
tunnelling (injecting arbitrary data into
a h
s an echo packet)
MUM VIETNAM 2019

Matches specified TCP flags
o m
▪ ack
i . c
- acknowledging data
TCP FLAGS ▪ cwr
o b
- congestion window reduced
ADVANCED CONDITIONS
h▪ eceo - ECN-echo flag
sa ▪ fin - close conneciton

▪ psh - push function
MUM VIETNAM 2019

o m
Matches specified TCP flags
i . c
TCP FLAGS ▪ rst
o b
- drop connection
ADVANCED CONDITIONS
h▪ syno - new connection
sa ▪ urg - urgent data
MUM VIETNAM 2019

o m
i . c
TCP FLAGS
o b
▪ Various combinations of TCP flags can
ADVANCED CONDITIONS
h o
indicated port scanner activity
sa
MUM VIETNAM 2019

Matches ICMP type:code fields

▪ Type 0
o m
- Echo reply
▪ Type 3
i . c
- Destination Unreachable
ICMP OPTIONS
o b
ADVANCED CONDITIONS
h o
▪ Type 8 - Echo
sa ▪ Type 11 - Time Exceeded

ECHO REQUEST
ECHO REPLY
MUM VIETNAM 2019

Matches ICMP type:code fields
o m
▪ Code 0
i . c
- Echo reply
ICMP OPTIONS
o b
o
ADVANCED CONDITIONS ▪ Code 3 - Destination Unreachable
a h▪ Code 4 - Source Quench

s
MUM VIETNAM 2019
m
▪ Allow typical ICMP messages
o
i . c
For PING – messages 0:0 and 8:0
ICMP OPTIONS
o b
o
ADVANCED CONDITIONS For TRACEROUTE – messages 11:0 and 3:3
a h For Path MTU discovery – message 3:4
s Other types of ICMP messages should

be blocked
MUM VIETNAM 2019

Connection Limit
Limit
o m
EXTRA
i . c
CONDITIONS
Dst. Limit
o b
h
Time
o
a
I P F I R E WA L L
s Src/Dst address type

PSD
MUM VIETNAM 2019

“Matches connections per address or
m
address block up to and including the given
o
CONNECTION value
i . c
LIMIT o b
Should be used together with connection-
EXTRA CONDITIONS
h o
sa state=new and/or with tcp-flags=syn
because this matcher is very resource
intensive”
MUM VIETNAM 2019

o m
CONNECTION
i . c
LIMIT o b
Match until the connection limit of 50 is
EXTRA CONDITIONS
h o
sa reached per /32 IP address of network in the
src-address
MUM VIETNAM 2019

Matches packets up to a limited rate
o m
Rule using this matcher will match until this
i . c
LIMIT
o b
limit is reached.
EXTRA CONDITIONS
h o
Parameters are the following:
sa Rate Burst
Time Mode
MUM VIETNAM 2019

o m
i . c
LIMIT
o b
Match until an average rate of 100 packets
EXTRA CONDITIONS
h o
sa per minute is reached, not counting the 5
burst packets
MUM VIETNAM 2019

Matches packets until a given rate is
o m
exceeded. Rate is defined as packets per time
i . c
b
DST-LIMIT interval.
EXTRA CONDITIONS
o o
As opposed to the limit matcher, every flow
a h
s has it’s own limit.
Flow is defined by mode parameter
MUM VIETNAM 2019

Parameters are the following:

Rate
o m
Time
i . c
DST-LIMIT
o b
EXTRA CONDITIONS
h oBurst
sa Limit By
Expire
MUM VIETNAM 2019

o m
i . c
For every flow by dst. address, match until
DST-LIMIT
o b
EXTRA CONDITIONS
h o
an average rate of 100 packets per second is
sa reached, not counting the 5 burst packets.

For every 100 seconds, flow with no packets
will be allowed to be deleted
MUM VIETNAM 2019

o m
CONNECTION
c
i .
LIMIT / LIMIT /
b
▪ DDoS Detection and Blocking
o
DST-LIMIT
h o
▪ Dealing with Brute Force attacks
a
EXTRA CONDITIONS
s
MUM VIETNAM 2019
o m
i . c
TIME
o b
Allows to create a filter based on the packets
EXTRA CONDITIONS
h o
sa arrival time and date or for locally generated
packets, departure time and date
MUM VIETNAM 2019

o m
i . c
TIME
o b
EXTRA CONDITIONS
h o
▪ Time-based access rules
sa
MUM VIETNAM 2019

o m
SRC/DST
i . c
ADDRESS TYPE
o b
Matches the source/destination address type
EXTRA CONDITIONS
h o
a
unicast IP address used for point to point transmission
s local
broadcast
multicast
IP address assigned to one of router’s interfaces
Packet is sent to all devices in subnet
Packet is forward to defined group of devices
MUM VIETNAM 2019


▪ DDoS attacks use the special broadcast
o m
SRC/DST
. c
address – Block any packets (outside
i
ADDRESS TYPE
o b
your network) directed to the broadcast
EXTRA CONDITIONS
h o
address and Block outgoing packets
sa (from your network) destined for the

broadcast address
MUM VIETNAM 2019

o m
i . c
PSD
b
WeightThreshold Total weight of the latest TCP/UDP scans
o
o
EXTRA CONDITIONS DelayThreshold Delay for the packets with different
h
destination ports coming from the same
sa host to be treated as possible port scan

sequence
LowPortWeight Weight of the packets with privileged
(<=1024) destination port
HighPortWeight Weight of the packet with non-privileged
destination port
MUM VIETNAM 2019

m
o
i . c
▪ Drop Port Scanners
PSD
o b
EXTRA CONDITIONS
h o
Implement PSD in the input chain (to protect
sa from) and
scanners)
forward chain (local port
MUM VIETNAM 2019

Layer 7 Protocol
o m
https://mum.mikrotik.com//presentations/US
i . c
b
18/presentation_5365_1524221989.pdf
NOTABLE MUM
PRESENTATIONS
o o
TLS-HOST
a h
s
https://mum.mikrotik.com/presentations/CR1
MUM VIETNAM 2019

Brute Force – Content, Address List
o m
i . c
https://mum.mikrotik.com//presentations/ID1
NOTABLE MUM
b
o
PRESENTATIONS
h o
IDS – Limit, Port Knocking, PSD
sa https://mum.mikrotik.com/presentations/ID18
/presentation_5640_1540365379.pdf
MUM VIETNAM 2019

o m
i . c
DoS – TCP Flags, Connection-Limit
NOTABLE MUM
o b
https://mum.mikrotik.com//presentations/CY1
PRESENTATIONS
h o
sa 5/Denial_of_Service_Attack.pdf
MUM VIETNAM 2019

Resources:
o m
IMPLEMENTING
i . c
https://wiki.mikrotik.com
b
NETWORK SECURITY
WITH MIKROTIK ROUTEROS
o o
https://mum.mikrotik.com
h
IP FIREWALL ADVANCED
AND EXTRA CONDITIONS
s a https://forum.mikrotik.com
MUM VIETNAM 2019

o m
IMPLEMENTING
THANK i . c YOU
b
NETWORK SECURITY
WITH MIKROTIK ROUTEROS
o o
h
IP FIREWALL ADVANCED
AND EXTRA CONDITIONS
s a
MUM VIETNAM 2019

IP - Firewall - Advanced PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

IP - Firewall - Advanced PDF

Uploaded by

Copyright:

Available Formats

IMPLEMENTING

CCSI | CCNP | CCNA | MCT | MCSA | FCT | NSE4

MUM VIETNAM 2019

ICT certification-based training center

System and Network consultation

MUM VIETNAM 2019

▪ To list built-in MikroTik IP Firewall

sa ▪ To look beyond network connectivity -

MUM VIETNAM 2019

General conditions form the basic firewall

MUM VIETNAM 2019

MUM VIETNAM 2019

Allow or block multiple non-contiguous IP

sa disk permanently or removed after a

MUM VIETNAM 2019

Network Security Use Cases:

MUM VIETNAM 2019

L7 matcher collects the first 10 packets of

sa L7 matcher is very resource intensive and

MUM VIETNAM 2019

MUM VIETNAM 2019

“Allows to match HTTPS traffic based on

sa fragmented into multiple TCP segments

MUM VIETNAM 2019

MUM VIETNAM 2019

Match packets that contain specified text

MUM VIETNAM 2019

MUM VIETNAM 2019

“A firewall matcher that allows to capture

sa need to specify protocol to activate these

MUM VIETNAM 2019

Network Security Use Cases:

MUM VIETNAM 2019

MUM VIETNAM 2019

MUM VIETNAM 2019

Matches specified TCP flags

h▪ eceo - ECN-echo flag

sa ▪ fin - close conneciton

MUM VIETNAM 2019

h▪ syno - new connection

sa ▪ urg - urgent data

MUM VIETNAM 2019

MUM VIETNAM 2019

Matches ICMP type:code fields

sa ▪ Type 11 - Time Exceeded

MUM VIETNAM 2019

Matches ICMP type:code fields

a h▪ Code 4 - Source Quench

Network Security Use Cases:

a h For Path MTU discovery – message 3:4

s Other types of ICMP messages should

MUM VIETNAM 2019

s Src/Dst address type

MUM VIETNAM 2019

“Matches connections per address or

MUM VIETNAM 2019

MUM VIETNAM 2019

Matches packets up to a limited rate

MUM VIETNAM 2019

MUM VIETNAM 2019

Matches packets until a given rate is

MUM VIETNAM 2019

Parameters are the following: