Hardening MikroTik RouterOS

April 24, 2017
MUM Phnom Penh, Cambodia

By Sarpich RATH (Peter)

MUM 2017, Phnom Penh, Cambodia.


About PPIC

● Qualified and Vocational IT Training Center
● Founded in late 2013; offering services since June 2014
● Partners
  ○ MikroTik Academy
  ○ Cisco Networking Academy
  ○ Pearson VUE
  ○ Prometric
About Me

● Sarpich RATH (Peter)
● Using RouterOS since 2008
● MTCNA, MTCRE, Academy Trainer
● CCNA, CCNA Security, CCNP, Cisco Instructor
● Trainer @PPIC and AEU
Topic: Hardening MikroTik RouterOS

● Customized RouterOS setting
● RouterOS Firewall
● Recommendation
Customized RouterOS setting
Login Services: IP->Services

● Disable unused services
● Or change the default port of the services you keep
● Limit access to a specific (management) network
MAC WinBox: Tools->MAC Server

● Disable "Allow to login from all interfaces"
● Allow login from the specific (management) interface only
RoMON: Tools->RoMON

● Disabled by default; keep it disabled unless it is needed:
● /tool romon set enabled=no
Login Credentials: System->Users

● Rename the default admin account
● Strong password policy
● Set the right permission (group) for each router user
● Keep a backup login account
Router Interface

Disable all unused interfaces on your router, in order to reduce the opportunity for unauthorized access to the router.
LCD touch screen

● Some RouterBOARDs have an LCD module for informational purposes; set a PIN on it or disable it.
Neighbor Discovery: IP->Neighbors

● Disable Discovery on the interface that connects to the Internet

Neighbor Discovery: IP->Neighbors

[Screenshot: the WAN interface is disabled for Neighbor Discovery]


BTest Server: Tools->BTest Server

● Bandwidth Test server
● Disable it when it is not in use
NTP Clock Synchronization

● Keep the router synchronized with an accurate clock
● Server: kh.pool.ntp.org
Logging: System->Logging

● Send log messages to a syslog server
SNMP: IP->SNMP

● Simple Network Management Protocol
● Used to monitor bandwidth and resource usage
Wireless Client Isolation

● Allows multiple clients to be on the same network, but not to send traffic to each other.
● Attention!!! Streaming content to/from other devices on the same AP, such as Chromecast, Apple TV, Roku, etc., will not work.
Configuration Backup
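The settings of this section collected into one CLI script, as an added example that is not part of the slides. It assumes RouterOS 6.41 or later syntax (interface lists), that ether4 is the Management port (192.168.30.0/24), that ether5 is unused, that 192.168.30.5 is a constructed syslog host, and that the <...> passphrases are replaced before use.

```routeros
# Added example (not from the slides): hardening steps as one RouterOS script.
# Assumptions: RouterOS 6.41+, ether4 = Management (192.168.30.0/24), ether5 unused,
# 192.168.30.5 = constructed syslog host, <...> = passphrases you must replace.

# Login services: drop unused services, move SSH off port 22 and restrict the
# remaining management protocols to the Management network
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh port=2222 address=192.168.30.0/24
/ip service set winbox address=192.168.30.0/24

# MAC WinBox / MAC Telnet: no longer reachable from all interfaces
/interface list add name=mgmt
/interface list member add list=mgmt interface=ether4
/tool mac-server set allowed-interface-list=mgmt
/tool mac-server mac-winbox set allowed-interface-list=mgmt

# RoMON: keep it off
/tool romon set enabled=no

# Login credentials: rename admin, keep a backup full account, read-only group for operators
/user set admin name=netadmin password="<strong-passphrase>"
/user add name=backup-admin group=full password="<second-strong-passphrase>"
/user add name=helpdesk group=read password="<helpdesk-passphrase>"

# Unused interface off; LCD off (boards with a display only)
/interface ethernet disable ether5
/lcd set enabled=no

# Neighbor discovery only on the Management interface; bandwidth-test server off
/ip neighbor discovery-settings set discover-interface-list=mgmt
/tool bandwidth-server set enabled=no

# NTP client against the pool named on the slide
/system ntp client set enabled=yes server-dns-names=kh.pool.ntp.org

# Logging: forward to the syslog host on the Management network
/system logging action add name=syslog target=remote remote=192.168.30.5 remote-port=514
/system logging add topics=info action=syslog
/system logging add topics=error,warning,critical action=syslog

# SNMP: rename the default community, read-only, Management network only
/snmp community set [find default=yes] name=mon-ro addresses=192.168.30.0/24 read-access=yes write-access=no
/snmp set enabled=yes

# Wireless client isolation on the AP interface
/interface wireless set wlan1 default-forwarding=no

# Backup: password-protected binary backup plus a readable export to diff later
/system backup save name=hardened password="<backup-passphrase>"
/export file=hardened-config
```

Apply the /ip service and mac-server lines from a session on the Management network itself, otherwise the session that changes them is the one that gets locked out.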
RouterOS Firewall
What is FW used for?

● Preventing unauthorized access to networks
● Protecting the router itself
● Filtering incoming and outgoing traffic
● Protecting and hiding the servers inside
● etc.
What can RouterOS FW do?

● stateful packet inspection
● Layer-7 protocol detection
● peer-to-peer protocols filtering
● traffic classification by:
  ○ source MAC address
  ○ IP addresses (network or list) and address types (broadcast, local, multicast, unicast)
  ○ port or port range
  ○ IP protocols
  ○ interface the packet arrived from or left through
  ○ internal flow and connection marks
  ○ packet size
  ○ packet arrival time
● and much more!


Sample Network design

Interface   Zone      Role                  Network
ether1      Outside   Connect to Internet   100.1.1.0/30
ether2      Inside    DMZ, Server           192.168.10.0/24
ether3      Inside    LAN                   192.168.20.0/24
ether4      Inside    Management            192.168.30.0/24

*** If we don't have enough ports, VLANs can be used for the DMZ, LAN and Management networks.
Sample Network design

[Diagram: Internet (ISP) -- MikroTik RouterOS -- DMZ 192.168.10.0/24, LAN 192.168.20.0/24, Management 192.168.30.0/24]


Internet to DMZ

[Diagram: traffic from the Internet (ISP) through MikroTik RouterOS to the DMZ]


Internet to LAN/Management

[Diagram: traffic from the Internet (ISP) through MikroTik RouterOS towards LAN/Management]


Management to Router

[Diagram: Management network to MikroTik RouterOS; access from the LAN to the router is marked ✗]


IPv4 firewall: Protect the router

● filter on new connections only, to decrease load on the router;
● create an address-list for the IP addresses that are allowed to access your router, e.g. Management;
● enable ICMP access (optionally);
● drop everything else; log=yes may be added to log the packets that hit a specific rule.
IPv4 firewall: Protect the router

/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=Management
add action=accept chain=input protocol=icmp
......
add action=drop chain=input

/ip firewall address-list add address=192.168.30.0/24 list=Management
IPv4 firewall: Protect the Inside network

Established/related packets are added to fasttrack for faster data throughput; the firewall then works on new connections only.

● drop incoming packets that are not NATed; ether1 is the public interface
● drop incoming packets from the Internet whose source is not a public IP address; ether1 is the public interface
● drop packets from Inside that do not have an Inside source address; create address-list=Inside to group all inside addresses:
  ○ 192.168.10.0/24 = DMZ
  ○ 192.168.20.0/24 = LAN
  ○ 192.168.30.0/24 = Management
IPv4 firewall: Protect the Inside network

/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 src-address-list=not_in_internet
IPv4 firewall: Protect the Inside network

add action=drop chain=forward comment="Drop packets from Inside that do not have Inside IP" in-interface=ether2 src-address-list=!Inside
add action=drop chain=forward comment="Drop packets from Inside that do not have Inside IP" in-interface=ether3 src-address-list=!Inside
add action=drop chain=forward comment="Drop packets from Inside that do not have Inside IP" in-interface=ether4 src-address-list=!Inside

/ip firewall address-list
add address=192.168.10.0/24 list=Inside
add address=192.168.20.0/24 list=Inside
add address=192.168.30.0/24 list=Inside


IPv4 firewall: Protect the Inside network

/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet

*** Modify to meet your requirements


IPv4 firewall: Protect the Server/DMZ

WEB-SERVER IP = 192.168.10.10

/ip firewall nat
add action=dst-nat chain=dstnat comment=WEB-SERVER dst-address=100.1.11.2 dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=80

/ip firewall filter
add action=jump chain=forward comment=WEB-SERVER dst-address=192.168.10.10 jump-target=WEB-SERVER
……
add action=accept chain=WEB-SERVER comment=WEB dst-port=80 protocol=tcp
add action=accept chain=WEB-SERVER comment="accept ssh from NOC" dst-port=22 protocol=tcp src-address-list=Management
add action=drop chain=WEB-SERVER comment=DROP


More Firewall rules

● https://wiki.mikrotik.com/wiki/Firewall
● SynFlood
● ICMP Flood
● Port Scanner
● Email Spam
● L7 Filter
● DoS attack protection
● Etc.
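Protection for three of the items listed above (ICMP flood, port scanner, SYN flood) on the router's own input chain, written here as an added example following the MikroTik wiki recipes; it is not taken from the slides. It assumes RouterOS 6.41 or later syntax, that the rules are placed after the "accept src-address-list=Management" rule and before the final drop of the earlier "Protect the router" slide, and that the thresholds are starting points to tune, not measured values.

```routeros
# Added example (not from the slides): flood and scan protection for the router
# itself. Insert after "accept src-address-list=Management" and before the final
# "drop" in chain=input. Thresholds are assumptions; adjust them to your traffic.
/ip firewall filter

# ICMP flood: accept a bounded rate of ICMP (50 packets per 5 s, burst 2) and
# drop the excess. Replaces the unconditional protocol=icmp accept.
add chain=input protocol=icmp limit=50/5s,2:packet action=accept comment="ICMP, rate-limited"
add chain=input protocol=icmp action=drop comment="Drop ICMP flood"

# Port scanner: psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight.
# A source that touches many ports within 3 s is listed for two weeks; listed
# sources are then dropped. The list entry expires on its own (address-list-timeout).
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w comment="Detect port scan"
add chain=input src-address-list=port_scanners action=drop comment="Drop port scanners"

# SYN flood: new TCP connections pass through a dedicated chain that caps the
# SYN rate. SYNs within the limit return to the input chain and are still subject
# to the service rules below; excess SYNs are dropped. Established traffic is unaffected.
add chain=input protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=SYN-Protect comment="SYN flood check"
add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new limit=400,5:packet action=return comment="SYNs within limit continue"
add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment="Drop SYN flood"

# Review what the detection rule has caught
/ip firewall address-list print where list=port_scanners
```

The Management accept rule above these keeps administrators from being listed by their own scans; psd also counts connection attempts from behind a NAT as one source, so a shared NAT address can be listed by a single misbehaving host.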


Recommendation

● Disable unused ports and services on the router
● Strong password policy for router users, and allow remote access from a specific network only
● Disable neighbor discovery on outside/WAN interfaces
● The clock should be accurately synchronized
● Enable syslog and SNMP for monitoring the router
● Separate network for each LAN and for the servers
● Use address lists to group the addresses used in the firewall


Recommendation

● Use action=jump to organize the firewall rules and for better performance
● Use the firewall to protect the router itself, the inside network and the servers
Reference

● wiki.mikrotik.com
Question?

Thanks for your Attention ☺

Email: info@ppic-training.com
Upcoming Training: http://ppic-training.com/upcoming-courses/
• Facebook: www.facebook.com/PhnomPenhInformaticsCenter
• Mobile: 077/087 616102
• Please subscribe to our mailing list to receive all updates, such as discounts and promotion prices