Taking advantage of MikroTik

o m
.i c
RouterOS inbuilt firewall

o b
by Martin Pína

h o
a
MUM Croatia, Zagreb, 15th March, 2013

s
 my background
o m
● network and Linux administrator
.i c
● security consultant

o b
o
● tailored services

h
● Certifications

a
– Cisco Certified Academy Instructor
–

–
s
Netasq Certified Expert Plus
MikroTik Certified Trainer up to MTCINE
 MikroTik Firewall
o m
● IPv4 and IPv6
.i c
●

o b
same concept as Linux iptables

o
● up to L7

h
● L2 bridges offer additional filters

sa
 Goal
o m
●

.i c
fully automated and predefined, after initial

b
configuration, no or minimal maintenance

o
required, maintenance scripts

o
● designed for dynamic changes

h
provides protection for customers/servers
●

● a
can detect and possibly stop suspicious traffic

s
can be monitored
 Other possibilities
o m
.i c
passive detection
b
●

– monitoring

o o
h
– alerting

a
● dedicated IPS/IDS

s
®
– Open source – SNORT
– Commercial – NETASQ
Advantages and disadvantages of
special IDS/IPS
o m
.i c
b
⊕ more possibilities

o
⊕ offload router's processing power

h o
⊖ dedicated box
⊖ usually more expensive

sa
note: may be achieved by virtual server inside
MikroTik RouterOS
 Deployment considerations
o m
●

.i c
ethics of network neutrality and different
attitude for
–

o b
corporate networks

o
– ISP networks

h
– hotspots

a
● position in network
●

–
s
choosing appropriate action
drop
reject
 Common „outside“ threats
o m
●

.i
DoS/DDoS (usually SYN flood)
c
● bandwidth attack

o b
o
● brute force for access

h
● bogons

sa
 Common „inside“ threats
o m
● infected computers
.i c
● spammers

o b
o
● corporate network leaking through unauthorized
VPNs
●

a h
rogue or misconfigured DHCP server

s
infrastructure attacks OSPF/STP/VRRP
●

● IP spoofing and ARP spoofing

 What to protect?
o m
● end hosts
.i c
b
– human operated computers

o
– servers

o
special purpose network devices
–

h
network infrastructure
●

– a
routers

s
switches
 o
RouterOS protection
m
● management
.i c
b
– SSH

o
– winbox
...

o
–

network services
h
●

– sa
DHCP
webproxy
BGP
– ...
 How?
o m
● disable unnecessary services
.i c
name=telnet]
o b
e.g.: /ip service disable [/ip service find where

h o
control MAC-telnet and btest server

a
e.g.: /tool mac-server set interface=ether10

s
disabled=yes
● Firewall
 Why Firewall?
o m
.i c
⊕ it is there for exactly the purpose

b
⊕ address-list feature enables you to work with

o
„objects“ rather than addresses

o
⊕ allows creating dynamic address lists

a h
⊕ it can be used even for bridged
communication with use of

s
/interface bridge settings set use-ip-firewall=yes
⊕ is easily scriptable
 Why not
o m
⊖ extra work
.i c
⊖ may be CPU demanding

o b
o
⊖ is not good for everything

h
⊖ may be nightmare if making false positives

sa
 Whitelisting management access
o m
● create an address-list entry
.i c
o b
e.g.: /ip firewall address-list add list=ipv4-
management-access address=192.168.0.60/32
disabled=no

h o
allow management only for addresses from

a
●

address list

s
e.g.: /ip firewall filter add chain=input
protocol=tcp dst-port=22 src-address-list=!ipv4-
management-access action=drop
 ICMP/Ping floods
o m
●

.i c
Allow only reasonable amount of ICMP going

b
through

o
/ip firewall filter add chain=forward

o
protocol=icmp limit=5/1,10 action=accept

a h
/ip firewall filter add chain=forward
protocol=icmp action=drop
●

–
s
Can be customized for
specific ICMP type/code
different chains
 SYN floods #1
o m
● limit
.i c
b
/ip firewall filter add chain=input protocol=tcp

o
dst-port=80 connection-limit=10,32 action=add-

o
src-to-address-list address-list=ipv4-input-

h
port80-over-limit address-list-timeout=1d

a
/ip firewall filter add chain=input src-address-

s
list=ipv4-input-port80-over-limit action=drop
● be careful about the limits and specify the rule
as much as possible
 SYN floods #2
o m
● tarpit
.i c
b
slows down the incoming connections

o o
e.g.: /ip firewall filter add chain=input
protocol=tcp tcp-flags=syn connection-

a h
state=new dst-port=80 connection-limit=10,32
src-address-list=ipv4-input-port80-over-limit

s
action=tarpit
● be carefull about „limit“ and „connection-limit“
 rogue DHCP servers
o m
● detect rogue DHCP servers
.i c
b
/ip firewall filter add chain=input protocol=udp

o
src-port=67 in-bridge-port=ether1 action=drop

o
be carefull about input and forward chain
●

a h
you can optionally redirect the client's http
traffic to informative web page
●

s
There is also /ip dhcp-server alert option which
can use script to add the rogue dhcp server's
address to firewall
 IP spoofing
o m
●

.i c
accept only src-addresses from given network
●

o b
can be only used on end-routers subnet

o
● in RouterOS v6, there is rp-filter option

h
● you can script it easily

a
:local interfacesubnet [/ip address get [/ip

s
address find where interface=ether2]
address]; /ip firewall address-list add
address=$interfacesubnet list=ipv4-ether1-
interfacesubnet
 ARP spoofing
o m
●

.i c
static ARP or ARP reply-only can be used, but it

b
is lacking detection and alerting
●

o o
there are endless possibilities using bridge filter
/interface bridge filter add arp-

a h
arp-dst-address arp-dst-mac-address arp-

s
gratuitous arp-hardware-type arp-opcode arp-
packet-type arp-src-address arp-src-mac-
address
 Port scanning #1
o m
●

.i c
there is nice inbuilt feature of firewall to detect

b
and sort port scanning

o o
e.g.: /ip firewall add chain=input protocol=tcp
psd=30,3s,3,1 action=add-src-to-address-list

a
timeout=1w
h
address-list="ipv4-portscan" address-list-

s
 Port scanning #2
o m
●

.i c
You can also detect specific types of scans
e.g.: null scan

o b
o
/ip firewall filter add chain=input protocol=tcp
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg

a h
action=add-src-to-address-list address-
list="ipv4-portscan" address-list-timeout=1w
●

s
After detection it is needed to treat the IPs from
portscan address-list
 L7 rules
o m
●

.i c
may be used as a protection for keeping port

b
numbers used for their intended purpose
●

o o
may be used as a protection for forged packet
attacks to weak network services protocols

h
implementations

a
s
 Greylisting
o m
●

.i c
address lists may be used recursively with to

b
effectively greylist some addresses for defined

o
time

o
this method is also used for port knocking
●

a h
feature which may be used as intended
backdoor to the router in case the rules are so

s
strict that administrator cannot log in
 Monitoring
o m
●

.i c
if unsure action=passtrough may be used just

b
to see the counters
●

o o
if some security issues are considered critical, it
can be logged by action=log and/or processed

h
further by scripting

a
s
 Proposals
o m
●

.i c
use address lists (with timeouts)
● use structured firewall

o b
o
● use comments

h
● automate everything

sa
 Caveat
o m
● CPU (L7!)
.i c
● FastPath

o b
o
● False positives

a h
s
 Resources
o m
Wiki
.i c
●

o b
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall

o
● http://wiki.mikrotik.com/wiki/Firewall

a
Presentations
h
●

● s
Tom Smyth's
Wardner Maia
 o m
Thanks for your attention (patience)
● Questions... ?
.i c
o b
h o
sa