Professional Documents
Culture Documents
Mikrotik Inbuilt Firewall Sahoobi
Mikrotik Inbuilt Firewall Sahoobi
o m
.i c
RouterOS inbuilt firewall
o b
by Martin Pína
h o
a
MUM Croatia, Zagreb, 15th March, 2013
s
my background
o m
● network and Linux administrator
.i c
● security consultant
o b
o
● tailored services
h
● Certifications
a
– Cisco Certified Academy Instructor
–
–
s
Netasq Certified Expert Plus
MikroTik Certified Trainer up to MTCINE
MikroTik Firewall
o m
● IPv4 and IPv6
.i c
●
o b
same concept as Linux iptables
o
● up to L7
h
● L2 bridges offer additional filters
sa
Goal
o m
●
.i c
fully automated and predefined, after initial
b
configuration, no or minimal maintenance
o
required, maintenance scripts
o
● designed for dynamic changes
h
provides protection for customers/servers
●
● a
can detect and possibly stop suspicious traffic
s
can be monitored
Other possibilities
o m
.i c
passive detection
b
●
– monitoring
o o
h
– alerting
a
● dedicated IPS/IDS
s
®
– Open source – SNORT
– Commercial – NETASQ
Advantages and disadvantages of
special IDS/IPS
o m
.i c
b
⊕ more possibilities
o
⊕ offload router's processing power
h o
⊖ dedicated box
⊖ usually more expensive
sa
note: may be achieved by virtual server inside
MikroTik RouterOS
Deployment considerations
o m
●
.i c
ethics of network neutrality and different
attitude for
–
o b
corporate networks
o
– ISP networks
h
– hotspots
a
● position in network
●
–
s
choosing appropriate action
drop
reject
Common „outside“ threats
o m
●
.i
DoS/DDoS (usually SYN flood)
c
● bandwidth attack
o b
o
● brute force for access
h
● bogons
sa
Common „inside“ threats
o m
● infected computers
.i c
● spammers
o b
o
● corporate network leaking through unauthorized
VPNs
●
a h
rogue or misconfigured DHCP server
s
infrastructure attacks OSPF/STP/VRRP
●
o
– servers
o
special purpose network devices
–
h
network infrastructure
●
– a
routers
s
switches
o
RouterOS protection
m
● management
.i c
b
– SSH
o
– winbox
...
o
–
network services
h
●
– sa
DHCP
webproxy
BGP
– ...
How?
o m
● disable unnecessary services
.i c
name=telnet]
o b
e.g.: /ip service disable [/ip service find where
h o
control MAC-telnet and btest server
a
e.g.: /tool mac-server set interface=ether10
s
disabled=yes
● Firewall
Why Firewall?
o m
.i c
⊕ it is there for exactly the purpose
b
⊕ address-list feature enables you to work with
o
„objects“ rather than addresses
o
⊕ allows creating dynamic address lists
a h
⊕ it can be used even for bridged
communication with use of
s
/interface bridge settings set use-ip-firewall=yes
⊕ is easily scriptable
Why not
o m
⊖ extra work
.i c
⊖ may be CPU demanding
o b
o
⊖ is not good for everything
h
⊖ may be nightmare if making false positives
sa
Whitelisting management access
o m
● create an address-list entry
.i c
o b
e.g.: /ip firewall address-list add list=ipv4-
management-access address=192.168.0.60/32
disabled=no
h o
allow management only for addresses from
a
●
address list
s
e.g.: /ip firewall filter add chain=input
protocol=tcp dst-port=22 src-address-list=!ipv4-
management-access action=drop
ICMP/Ping floods
o m
●
.i c
Allow only reasonable amount of ICMP going
b
through
o
/ip firewall filter add chain=forward
o
protocol=icmp limit=5/1,10 action=accept
a h
/ip firewall filter add chain=forward
protocol=icmp action=drop
●
–
s
Can be customized for
specific ICMP type/code
different chains
SYN floods #1
o m
● limit
.i c
b
/ip firewall filter add chain=input protocol=tcp
o
dst-port=80 connection-limit=10,32 action=add-
o
src-to-address-list address-list=ipv4-input-
h
port80-over-limit address-list-timeout=1d
a
/ip firewall filter add chain=input src-address-
s
list=ipv4-input-port80-over-limit action=drop
● be careful about the limits and specify the rule
as much as possible
SYN floods #2
o m
● tarpit
.i c
b
slows down the incoming connections
o o
e.g.: /ip firewall filter add chain=input
protocol=tcp tcp-flags=syn connection-
a h
state=new dst-port=80 connection-limit=10,32
src-address-list=ipv4-input-port80-over-limit
s
action=tarpit
● be carefull about „limit“ and „connection-limit“
rogue DHCP servers
o m
● detect rogue DHCP servers
.i c
b
/ip firewall filter add chain=input protocol=udp
o
src-port=67 in-bridge-port=ether1 action=drop
o
be carefull about input and forward chain
●
a h
you can optionally redirect the client's http
traffic to informative web page
●
s
There is also /ip dhcp-server alert option which
can use script to add the rogue dhcp server's
address to firewall
IP spoofing
o m
●
.i c
accept only src-addresses from given network
●
o b
can be only used on end-routers subnet
o
● in RouterOS v6, there is rp-filter option
h
● you can script it easily
a
:local interfacesubnet [/ip address get [/ip
s
address find where interface=ether2]
address]; /ip firewall address-list add
address=$interfacesubnet list=ipv4-ether1-
interfacesubnet
ARP spoofing
o m
●
.i c
static ARP or ARP reply-only can be used, but it
b
is lacking detection and alerting
●
o o
there are endless possibilities using bridge filter
/interface bridge filter add arp-
a h
arp-dst-address arp-dst-mac-address arp-
s
gratuitous arp-hardware-type arp-opcode arp-
packet-type arp-src-address arp-src-mac-
address
Port scanning #1
o m
●
.i c
there is nice inbuilt feature of firewall to detect
b
and sort port scanning
o o
e.g.: /ip firewall add chain=input protocol=tcp
psd=30,3s,3,1 action=add-src-to-address-list
a
timeout=1w
h
address-list="ipv4-portscan" address-list-
s
Port scanning #2
o m
●
.i c
You can also detect specific types of scans
e.g.: null scan
o b
o
/ip firewall filter add chain=input protocol=tcp
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
a h
action=add-src-to-address-list address-
list="ipv4-portscan" address-list-timeout=1w
●
s
After detection it is needed to treat the IPs from
portscan address-list
L7 rules
o m
●
.i c
may be used as a protection for keeping port
b
numbers used for their intended purpose
●
o o
may be used as a protection for forged packet
attacks to weak network services protocols
h
implementations
a
s
Greylisting
o m
●
.i c
address lists may be used recursively with to
b
effectively greylist some addresses for defined
o
time
o
this method is also used for port knocking
●
a h
feature which may be used as intended
backdoor to the router in case the rules are so
s
strict that administrator cannot log in
Monitoring
o m
●
.i c
if unsure action=passtrough may be used just
b
to see the counters
●
o o
if some security issues are considered critical, it
can be logged by action=log and/or processed
h
further by scripting
a
s
Proposals
o m
●
.i c
use address lists (with timeouts)
● use structured firewall
o b
o
● use comments
h
● automate everything
sa
Caveat
o m
● CPU (L7!)
.i c
● FastPath
o b
o
● False positives
a h
s
Resources
o m
Wiki
.i c
●
o b
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall
o
● http://wiki.mikrotik.com/wiki/Firewall
a
Presentations
h
●
● s
Tom Smyth's
Wardner Maia
o m
Thanks for your attention (patience)
● Questions... ?
.i c
o b
h o
sa