Professional Documents
Culture Documents
o m
.i c
o b
o
MikroTik Router OS Network Threats and Countermeasures
s Location:
Date:
Budapest, Hungary
10th of March 2011
o m
● Operate an ISP in the centre of Ireland.
.i c
b
● Good Infrastructure Expertise.
o
● Certified MikroTik Partners
o
– Training
h
– Certified OEM Integrators
a
– Consultants
s
– Distributor & Value Added Reseller
o m
c
Ireland
Have been working in Industry since 2000
.i
●
b
– Server Infrastructure Engineer
o
– Systems / Network Administrator
o
– IS Architect
h
– Internet Security Consultant
a
st
●
1 MikroTik Certified Trainer in June 2007 in Ireland
o m
.i c
support of MikroTik Powered Appliances
● Ogma Connect's name comes from the Ancient God of
b
Communications and eloquence who's name was Oghma
o
Oghma was credited with the invention of the written
●
o
language Ogham which is found carved in stones that mark
h
the land of ancient tribes throughout the once vast Celtic
world in northern & western Europe
●
s a
We want people to be able to connect with each other
eloquently efficiently and elegantly
o m
● Outline what a firewall can and can not do
.i c
b
● Discuss Network Attacks and Mitigation Strategies
o
● Structure the Firewall
o
– In a security centric manner
h
– Create policy based rule sets
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 5
Sources of Security Information
● ENISA – http://www.enisa.europa.eu/
o m
c
● OWASP http://owasp.org
Rits Group – http://www.ritsgroup.com/
.i
●
b
● SANS Institute – http://sans.org
o
● CIS Centre for Internet Security – http://cisecurity.org/
o
● NIST Computer Security http://csrc.nist.gov/
h
● Open BSD – http://OpenBSD.org/
a
● Spamhaus.org – http://spamhaus.org
s
● nmap.org – http://nmap.org
● ha.ckers.org – http://ha.ckers.org/
● Cypherdyne - http://cypherdyne.org/
o m
c
● One or more systems combined to achieve a desired
.i
security objective
b
● There are multiple ways firewall systems handle traffic
o
– Routing
o
– NATing
h
– Bridging
a
– Proxying
o m
.i c
logging and ultimately reacting to traffic
– Flowing to the system
–
–
Flowing through the system
Flowing from the system
o b
●
h o
Legitimate / useful traffic for users and systems should:
Not be Blocked
a
–
s
– Not be Corrupted
– Not be Slowed or Hampered Beyond Strict Tolerances
● Protect the users / systems behind it and Itself
http://wirelessconnect.eu/ Copyright 2007 - 2011 8
Ideal firewall interface
● Protect me from bad traffic
o m
c
Allow only good traffic
.i
●
o b
h o
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 9
Current Firewall Capabilities
● Can Identify traffic according to the following
o m
c
– Entry interface
.i
– Exit interface
– Source Address (Source Address List)
b
– Destination Address (destination Address List)
o
– Address Types
– Protocol type (number)
o
– Protocol port (source and destination
– Message type (ICMP)
h
– State of the Connection
a
– IP V4 Options
– TCP Flags
s
– Number of Concurrent Connections
– Packet Rate
– Packet Size
– Packet Fragmentation
o
● Packet Inspection inside the
c
netfilter Firewall
.i
● Can use content matcher in
Advanced Tab
b
● Exact Match only
o
● Safe to use no regular
expressions to trip you up
h o
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 11
Layer 7 classifier
● Very powerful uses a Regular expressions
o m
●
.i
Searches first 10 Packets / 2.5KB of a stream / connection
c
b
● Pre-defined signatures / patterns available from
http://l7-filter.sourceforge.net/
●
o o
User Can generate their own custom pattern matches
Be careful Layer 7 Rules if incorrectly written can crash
h
●
a
●
required
●
s
Gradually add L7 Rules so that if there is an issue with the
Firewall you can easily diagnose which rule is causing the
issues
http://wirelessconnect.eu/ Copyright 2007 - 2011 12
Adding L7 Rules
o m
.i c
o b
h o
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 13
Firewall Challenges
● Firewalls generally have difficulty with the following
o m
c
Specific protocol Validation / Filtration
.i
–
b
2.5KB of data in the stream
o
– Inspection of encrypted data streams such as
o
● Ssh sessions
h
● Https
Ipsec
a
●
s
●
o m
c
Proxies allow fine control over specific protocols :)
.i
●
damage limitation.
o b
For unsafe protocols proxies help can provide some
o
Check out my Presentation Last year, at
●
h
http://mum.mikrotik.com
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 15
Modular Firewall System Example
o m
.i c
o b
h o
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 16
Firewall hardening
● Some of the checks may be duplicated, this is ok, belt and
o m
c
braces.
Check for unusual TCP Flags and drop.
.i
●
b
● Drop packets with invalid connection state
o
● Your Effort will complement and bolster your networking
o
operating software provider's efforts to maintain security
h
● Ultimately you are responsible for your networks security
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 17
Firewall Best Practices
● Populate a Router with the Maximum RAM Configuration
o m
● Use Connection Tracking to achieve state-full packet
inspection & perform fragmented packet reassembly
.i c
●
o b
Disable Administration interfaces from External Interfaces
o
● Try where possible to use in interfaces rather than source
IP address for establishing the level of trust that you have
h
for the
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 18
Firewall System Best Practices
● Run as few network services on the firewall hardware as
o m
c
possible
Turn off all Administration services that are not needed
.i
●
b
● Do not use un-encrypted administration protocols
o
● Shore up un-encrypted services with IPSEC policies
SNMP
o
–
ah
DNS (internal use not for customer use)
Http fetch
–
s
NTP Time updates make sure the NTP Server responses
are authenticated.
o m
c
If a service has a vulnerability your firewall can be
.i
●
b
● Administration Services are particularly risky as they allow
o
for the change of firewall configuration
o
● DNS Server services should be offloaded to a Hardened
h
DNS Box
a
● NTP Server services should be offloaded to a Hardened
s
NTP Box
o m
c
Packets could be modified in transit
.i
●
b
user authentication credentials
o
● IPSEC can eliminate this risk by securing the traffic with the
o
best available FIPS grade cryptography protocols
h
● IPSEC can be used to increase confidence if encryption
a
quality of an administration service is unknown.
o m
●
.i c
The More RAM you have the harder the device is to Crash due to
memory exhaustion (DOS / DDOS attacks)
b
MT ROS Devices are Optimised against RAM Exhaustion Attacks.
●
o o
The firewall can cope better in busy periods.
Ogma Connect Routers are always Sold with the maximum
h
●
a
● Wireless Connect Customers can avail of RAM upgrades for RB1100
s
the New
● MikroTik Now Ship 1.5 GB RAM on the Improved RB1100AH :)
o b
For Clients who require higher levels of Security
assurance.
h o
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 23
Hardware fit for the Job :)
● As you have seen from the My colleague and Friend Patrik
o m
.i c
Schaub's presentation on Mikrotik Datacentre products.
o b
h o
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 24
RB 1100 / RB1100AH
● 13 Interfaces :) so greater control of your network
o m
.i c
●
ah
s http://wirelessconnect.eu/ Copyright 2007 - 2011 25
Ogma Connect 2500
● 11 GBE Interfaces by Default
o m
c
Up to 19 GBE with Expansion Cards
.i
●
o b
h o
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 26
Connection Tracking
● ConTrack carries out the following essential tasks
o m
c
It monitors the state of all connections / requests flowing
.i
–
in the firewall
b
– Allows the firewall to dynamically open / close ports
according to the connection state in the firewall
–
o o
Performs IP Packet Reassembly before inspection
(prevents IP Fragment Attacks)
ah
s http://wirelessconnect.eu/ Copyright 2007 - 2011 27
Filter Administration Services
● Minimise Risk from outside attacks
o m
c
Allow Flexibility of management internally
.i
●
o b
h o
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 28
Firewall Setup Strategy
● Turn on connection tracking
o m
c
Break down the security policy into functional groups
.i
●
o b
Granularly control settings within the chains /groups
Make use of Address lists group hosts together
o
●
ah
s http://wirelessconnect.eu/ Copyright 2007 - 2011 29
Security Objectives (policies)
● One Should
o m
c
Detect / Block Traffic to / from Invalid Addresses
.i
–
b
– Detect / Block Traffic that has unusual characteristics
o
– Detect / Block Traffic from Port Scanners
o
– Detect / Block Traffic from Brute Force Hackers
h
– Once Traffic has been inspected don't keep reprocessing the
same connection.
–
–
s a
Analyse Traffic originating from and Leaving router
Protect Traffic Entering and destined for the router.
Update some Rules dynamically (Self Defending Networks)
o m
c
–
.i
– Remove (Special Purpose Allocated Addresses)
● Allocated Special Purpose:
b
– Multicast Addresses (source addresses only) 224.0.0.0/4
o
● Broadcast Addresses 255.255.255.255
o
Connected Network Broadcast addresses such as
●
h
– 192.168.0.255 if the router has an ip address of 192.168.0.x/24
a
– 192.168.0.127 if the router has an ip address of 192.168.0.x/25
s
● Private IP Addresses
● Test IP Addresses 192.0.2.0/24
● Loopback Addresses 127.0.0.0/8
http://wirelessconnect.eu/ Copyright 2007 - 2011 31
Block invalid packets with IP
Broadcast source address
o m
.i c
o b
h o
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 32
Block Multicast source Address
● Multicast should never be a source address of an IP Packet
o m
c
Block it the same way as the previous slide
.i
●
o b
h o
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 33
Blocking IP Directed broadcast
● In forward chain create a rule with “destination address
o m
c
type” = Broadcast.
Example of IP Directed broadcast 192.168.1.255
.i
●
o b
h o
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 34
Blocking IP Directed Broadcast
o m
.i c
o b
h o
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 35
m
Block Bad People Dynamic
updates
● Reference Spamhaus DROP List (Dont Route or Peer)
updated Weekly
.i c o
b
Reference SANS ISC Top 10 – 10000(optional if you wish)
●
o o
Bogons (un allocated not special Purpose)
If updating using fetch with dns host name one should use
h
●
IPSEC for protecting the DNS & the FTP /http Download of
a
rules list
o
Addresses for ease of management.
o
● Security Concerns...Updates traversing untrusted networks
h
Use IPSEC Policy for fetch tool,
–
a
ensure DNS Requests don't traverse untrusted networks
–
–
s or
Use Static DNS
:global totalbogoncount;
.i c o
b
/ip firewall address-list set comment="oldbogons" [/ip firewall address-list find list=bogons_address_list]
:set oldbogoncount [ip firewall address-list print count-only value-list where list=bogons_address_list];
o
/tool fetch mode=http url="http://wirelessconnect.eu/store/images/bogonsnoprivate.rsc"
o
import bogonsnoprivate.rsc
h
:set totalbogoncount [ip firewall address-list print count-only value-list where list=bogons_address_list];
:if ($oldbogoncount < $totalbogoncount) do {/ip firewall address-list remove [/ip firewall address-list find comment="oldbogons"] }
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 38
Block Packets with Large Size
● Block Packets larger than 1500 bytes to protect legacy
o m
c
clients.
b .i
o o
ah
s http://wirelessconnect.eu/ Copyright 2007 - 2011 39
Block Un-needed IP Options
● Strict Source Route
o m
c
Loose Source Route
.i
●
● Route Record
● Timestamp
Router Alert (if not using
o b
o
●
RSVP)
ah
s http://wirelessconnect.eu/ Copyright 2007 - 2011 40
Block Port Scanners
● Detect Nmap Scan types (TCP)
o m
c
Christmas Tree
.i
–
– SYN FIN
b
– FIN
o
– ALL
– SYN/RST
●
Detect TCP
h o
Detect using MT Port Scan
a
Detect and drop scans using
●
s
ICMP Messages out bound
– (Port Unavailable)
– Communications Prohibited
o m
c
Detected Directly
UDP Scans indirectly
.i
●
b
● Drop UDP Scans /
o
Results of UDP
Scans (ICMP)
●
h o
Add big offenders to
Port Scanners
a
blocking list
o m
c
obvious UDP
.i
Scanners
b
● Limit the speed of a
scan for 120 ports
per minute
o o
ah
s http://wirelessconnect.eu/ Copyright 2007 - 2011 43
Blocking the UDP scanner
● Use Add Dst Address
o m
c
to Address List action
b .i
o o
ah
s http://wirelessconnect.eu/ Copyright 2007 - 2011 44
m
Blocking Port scanners can be
abused
● What about spoofing UDP Scans and TCP Syn Scans?
–
.i c
Attacker can send the packets does not need the reply ?
o
b
An attacker can spoof your Customers IP Address and your
●
o
Firewall will block the customer IP address
o
● Your customer will be denied your services
h
● There is a trade off between high security and service
a
availability for UDP and TCP Syn Scan detection
s
● Can be over come by using white lists for critical customers /
servers
● Differentiate between Connect port scans ( bi directional cant be
spoofed) and scans that can be spoofed
http://wirelessconnect.eu/ Copyright 2007 - 2011 45
Before the DOS
o m
.i c
o b
h o
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 46
Attacker Starts DOS
o m
.i c
o b
h o
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 47
Firewall Responds to Scan
o m
.i c
o b
h o
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 48
DOS Complete
o m
.i c
o b
h o
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 49
Port Scan Address Lists
● Create one “definite port scan address list”
o m
c
Longer lockout time
.i
–
b
● Create a second “possible port scan address list”
Shorter lockout time
o
–
o
Log using syslog for internal reporting and analysis
–
h
Analyse logs for the following
–
a
● Repeated persistent scans denial of service, may have to
s
work with intermediate ISPs to trace the culprit
● Single scans lasting under an hour ? Most likely a scan and
src ip address likely to be in control of your adversary
.i c
b
● Example Brute Force Password Attacks on servers
o
– Some Administrative Services have 1 TCP Connection
o
mantained per Active Admin session
h
– Some Administrative Services Disconnect users after a
number of Failed Password attempts
–
s a
These include Winbox , SSH, Telnet etc
These Do not include HTTP / HTTPs
o m
c
attempts.
Requires that any one administration session is maintained
.i
●
b
as continuous established connection.
o
● Based on some cool ideas from the MT User Community
o
– On First Connection ( First authentication attempt) add src to
h
Management Light Grey List
On Second Connection add src to Management Grey List
a
–
s
– On Third Connection add src to Management Dark Grey List
– On Fourth Connection add src to Management Black List
● Then insert Rule to Block members of the Management
Black List this List on the Router
http://wirelessconnect.eu/ Copyright 2007 - 2011 52
Port Scan Timings
● You can slip a scan under the radar
o m
c
Slow scan one port per hour
.i
●
o b
time-out values for port scans are proportional to your
o
–
paranoia :)
ah
s http://wirelessconnect.eu/ Copyright 2007 - 2011 53
m
Sending Protocols to bruteforce check
o
● Send selected protocols to the Brute Force Check Chain
.i c
o b
h o
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 54
Brute Force Detection
o m
.i c
o b
h o
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 55
Last Rule in Detection Chain
● Accept new connection as long as Src Address is not in the
o m
c
management Black List
.i
●
o b
h o
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 56
External Multi system Response
● MikroTik is so powerful that you can
o m
c
Report Suspicious Traffic back to a central Syslog Server
.i
–
b
server.
o
– Firewalls effectively sharing data on attack sources and
other security threats
–
h o
After analysis of Logs system can push out commands to
add people to address lists in multiple mikrotik devices
a
using SSH scripts & SSH Keys
o m
.i c
o b
h o
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 58
Incident Response
o m
.i c
o b
h o
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 59
Further Reading
● For more information on firewall rules click on
o m
c
http://wirelessconnect.eu
.i
●
b
setting up the firewalls and Proxies when they are publicly
o
released after the MUM
o
● Rules will be released first of May This year.
h
● http://wiki.mikrotik.com
a
http://www.cipherdyne.org/
●
o m
c
Thanks to all the support team at Mikrotik
.i
●
b
Thanks to all who contribute to the wiki
●
o
Thank you for listening o
Thanks to all who contribute positively to the Wiki
h
●
s a
http://wirelessconnect.eu/ Copyright 2007 - 2011 61