Dynamic Firewalling
by Barry Higgins
UK MuM 2016
● Hosting
● WISP
● Consultancy
● Mikrotik Training
So the problem...

I want to add an extra layer of security against network scans and viral scripts probing servers, and to protect my WISP end users.
The network...
● Sites A & B
● 3 Gateways
Full of holes!
Solutions?
● Don’t allow any ports open in the first place
● Migrate user to another (W)ISP and let them have the problem!
● Or...
Firewall them all!
User alert
● Default username
● Default password
● Web access open
● DNS enabled
<demo site-A>
So we have our blacklist...
Blacklist
Logging
So how do we propagate the bad?
Blackhole the blacklist!
<demo site-B>
The bit behind the scenes
The process
● Bad traffic is detected at the edge on the input chain
● Src address is added to the blacklist address list
● The forward chain then uses the blacklist address list to block unwanted traffic
● To then propagate the blacklist information, a script reads the blacklist and creates blackhole routes.
The process
● The route table is then passed on using OSPF in
● The script also checks to see if blackhole routes can be removed due to blacklist address timeout (set by the initial firewall input rule).
● A manual whitelist is also created to prevent accidental lockouts of important services and systems.
● It's not perfect… but it works for me!
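The whole chain described on the two "process" slides, written out as one RouterOS configuration plus the sync script. This is an added example, not the script published at allness.net/mum: RouterOS v6 syntax is assumed (2016 era), as are the WAN interface name ether1, the probed port set, the 1-day timeout, the list names "blacklist" and "whitelist", the route comment tag, and the management host 192.0.2.10.

```routeros
# Added example (not the author's download). Assumptions: RouterOS v6, WAN on ether1,
# management host 192.0.2.10, lists "blacklist"/"whitelist", 1d blacklist timeout.

# --- edge firewall: detect on the input chain, block on the forward chain ----
/ip firewall address-list
add list=whitelist address=192.0.2.10 comment="management host - never blacklist"

/ip firewall filter
# whitelist is tested before anything else so a mistake cannot lock the gateway out
add chain=input src-address-list=whitelist action=accept
add chain=input connection-state=established,related action=accept
# a new connection from the WAN to a management/service port counts as a probe:
# the source is listed for 1 day; that timeout is what later removes the route.
# add-src-to-address-list does not stop rule processing, so a drop rule follows.
add chain=input in-interface=ether1 connection-state=new protocol=tcp \
    dst-port=21,22,23,80,443,8291 src-address-list=!whitelist \
    action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=1d log=yes log-prefix="blacklist-add:"
add chain=input in-interface=ether1 src-address-list=blacklist action=drop
# forward chain: a listed source may not reach servers or WISP end users either
add chain=forward src-address-list=blacklist action=drop \
    log=yes log-prefix="blacklist-fwd:"

# --- hand blackhole (static) routes to the other gateways via OSPF -----------
/routing ospf instance
set [ find default=yes ] redistribute-static=as-type-1

# --- sync script: /system script add name=blackhole-sync source={ ... } ------
# run every minute:
# /system scheduler add name=blackhole-sync interval=1m on-event=blackhole-sync
:local list "blacklist"
:local tag "auto-blackhole"

# 1. every listed address gets a /32 blackhole route, unless it is whitelisted
:foreach i in=[/ip firewall address-list find list=$list] do={
    :local addr [:tostr [/ip firewall address-list get $i address]]
    # firewall-added entries are plain host addresses; strip a mask typed by hand
    :local slash [:find $addr "/"]
    :if ([:typeof $slash] != "nil") do={ :set addr [:pick $addr 0 $slash] }
    :if ([:len [/ip firewall address-list find list=whitelist address=$addr]] = 0) do={
        :if ([:len [/ip route find dst-address="$addr/32" comment=$tag]] = 0) do={
            /ip route add dst-address="$addr/32" type=blackhole comment=$tag
            :log info "blackhole-sync: added $addr"
        }
    }
}

# 2. routes whose address has timed out of the list are removed again
:foreach r in=[/ip route find comment=$tag type=blackhole] do={
    :local dst [:tostr [/ip route get $r dst-address]]
    :local addr [:pick $dst 0 [:find $dst "/"]]
    :if ([:len [/ip firewall address-list find list=$list address=$addr]] = 0) do={
        /ip route remove $r
        :log info "blackhole-sync: removed $addr"
    }
}
```

Two things to check before running this on a live network. `redistribute-static` exports every static route on the gateway, not just the tagged /32 blackholes, so put an OSPF out-filter in front of it that only accepts /32 prefixes. And a blackhole route drops all traffic towards the listed address on every gateway that learns it, including sessions your own users opened to it, so the whitelist test in both the firewall and the script is what keeps a mistyped rule from cutting off a management host or an upstream.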
Available for download
● Blackhole script and bare basic routerboard firewall config can be found at: http://www.allness.net/mum
● Do not hold me responsible if it crashes and wipes out your network. Use at your own discretion and risk.
Any questions?

Thank you for your time