Hardening MikroTik RouterOS
April 24, 2017
MUM Phnom Penh, Cambodia
by Sarpich Rath (Peter)

● Partners
○ MikroTik Academy
○ Cisco Networking Academy
○ Pearson VUE
○ Prometric
MUM 2017, Phnom Penh, Cambodia.
About Me
● MTCNA, MTCRE, Academy Trainer
● CCNA, CCNA Security, CCNP, Cisco Instructor
● Trainer @PPIC and AEU
Topic: Hardening MikroTik RouterOS
● Recommendation
Customized RouterOS setting
Login Services: IP->Services
● Limit access from specific network
MAC WinBox: Tools->MAC Server
RoMON: Tools->RoMON
● Disable by default
● /tool romon set enabled=no
Login Credentials: System->Users
● Set the right permission (group) to router users
● Backup login account
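The four management-plane settings above (login services, MAC server, RoMON, users) as one added RouterOS 6.x example that is not from the deck; it assumes the deck's Management network 192.168.30.0/24, the 6.41+ interface-list form of the MAC-server commands, and placeholder passwords (CHANGE-ME):

```routeros
# Added example, RouterOS 6.x CLI. Assumes management network 192.168.30.0/24 (deck's design)
# and placeholder passwords; MAC-server commands use the 6.41+ interface-list syntax.

# 1. Login services (IP->Services): keep only SSH and WinBox, reachable from Management only
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=192.168.30.0/24
set winbox address=192.168.30.0/24

# 2. MAC WinBox / MAC Telnet (Tools->MAC Server): Layer-2 access needs no IP address and so
#    bypasses the address restrictions above; allow it on no interface at all
#    (pre-6.41 syntax: /tool mac-server set [find] disabled=yes, same for mac-winbox)
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no

# 3. RoMON (Tools->RoMON): off unless the router is really managed through it
/tool romon set enabled=no

# 4. Users (System->Users): least-privilege group for operators, a full-rights admin plus a
#    backup admin, all bound to the Management network; then drop the default "admin"
/user group add name=noc policy=read,winbox,ssh
/user add name=noc-ro group=noc password=CHANGE-ME address=192.168.30.0/24
/user add name=netadmin group=full password=CHANGE-ME address=192.168.30.0/24
/user add name=netadmin-backup group=full password=CHANGE-ME-TOO address=192.168.30.0/24
# only after confirming netadmin can log in over SSH or WinBox:
/user remove admin

# Verify: only ssh and winbox enabled, each restricted to Management; no "admin" user left
/ip service print
/user print
```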
Router Interface
Disable all unused interfaces on your router, in order to decrease unauthorized access to your router.
LCD touch screen
Neighbor Discovery: IP->Neighbors
● The WAN interface is disabled for Neighbor Discovery
● Bandwidth Test
● Disable it when not in use
NTP Clock Synchronization
Logging: System->Logging
Wireless Client Isolation
● Attention!!! it also blocks streaming content to/from other devices
Configuration Backup
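The interface, neighbor-discovery, bandwidth-test, NTP, logging, wireless-isolation and backup settings above combined into one added RouterOS 6.x example (not from the deck); ether5 as an unused port, wlan1 as the client WLAN, pool.ntp.org as time source and a syslog/SNMP host at 192.168.30.20 on the Management network are assumptions.

```routeros
# Added example, RouterOS 6.x CLI (6.41+ interface-list syntax). Assumes ether5 is unused,
# wlan1 is the client WLAN, and a syslog/SNMP host at 192.168.30.20 on Management.

# Router Interface: unused ports stay down, so nothing can be plugged in unnoticed
/interface ethernet set ether5 disabled=yes comment="unused - disabled"

# Neighbor Discovery (IP->Neighbors): MNDP/CDP/LLDP only toward Management, never on the WAN
# (pre-6.41 syntax: /ip neighbor discovery set ether1 discover=no, per interface)
/interface list add name=discovery
/interface list member add list=discovery interface=ether4
/ip neighbor discovery-settings set discover-interface-list=discovery

# Bandwidth Test server: off when not in use; anyone reaching it can load the router
/tool bandwidth-server set enabled=no

# NTP Clock Synchronization: log timestamps are only useful if the clock is right
# (older builds take an IP address via primary-ntp= instead of server-dns-names=)
/system clock set time-zone-name=Asia/Phnom_Penh
/system ntp client set enabled=yes server-dns-names=pool.ntp.org

# Logging (System->Logging): ship firewall and system events to the syslog host;
# the default memory log is lost at reboot
/system logging action set remote remote=192.168.30.20 remote-port=514
/system logging add topics=firewall action=remote
/system logging add topics=system,error action=remote
/system logging add topics=critical action=remote

# SNMP for monitoring: read-only and only from the Management network
/snmp community set [find default=yes] name=mon-ro addresses=192.168.30.0/24 \
    read-access=yes write-access=no
/snmp set enabled=yes

# Wireless Client Isolation: stations cannot reach each other through the AP
# (the deck's warning: this also breaks streaming between clients on the same WLAN)
/interface wireless set wlan1 default-forwarding=no

# Configuration Backup: encrypted binary backup plus a readable export with secrets hidden
/system backup save name=hardened password=CHANGE-ME
/export file=hardened hide-sensitive=yes
```

Copy the two backup files off the router afterwards; a backup that only lives on the device does not survive a reset.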
RouterOS Firewall
What is FW used for?
● Filter incoming and outgoing traffic.
● Protect and hide the servers inside.
● etc.
What can RouterOS FW do?
● Layer-7 protocol detection
● peer-to-peer protocols filtering
● traffic classification by:
○ source MAC address
○ IP addresses (network or list) and address types (broadcast, local, multicast, unicast)
○ port or port range
○ IP protocols
○ internal flow and connection marks
○ packet size
○ packet arrival time
● and much more!
Sample Network design
Side     Interface   Connects to     Network
Outside  ether1      Internet        100.1.1.0/30
Inside   ether2      DMZ, Server     192.168.10.0/24
Inside   ether3      LAN             192.168.20.0/24
Inside   ether4      Management      192.168.30.0/24
*** If we don't have enough ports, VLANs can be used for the DMZ, LAN and Management networks.
Sample Network design (diagram): Internet / ISP -> MikroTik RouterOS -> DMZ (192.168.10.0/24), LAN (192.168.20.0/24), Management (192.168.30.0/24). The following slides repeat the diagram with ✗ marks on the flows that the firewall is to block.
● create an address-list for the IP addresses that are allowed to access your router; example: Management
● enable ICMP access (optionally);
● drop everything else; log=yes might be added to log packets that hit the specific rule;
IPv4 firewall: Protect the router
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=Management
add action=accept chain=input protocol=icmp
......
add action=drop chain=input
/ip firewall address-list add address=192.168.30.0/24 list=Management
IPv4 firewall: Protect the Inside network
Established/related packets are added to fasttrack for faster data throughput; the firewall then works with new connections only;
● drop incoming packets that are not NATed; ether1 is the public interface
● drop incoming packets from the Internet whose source is not a public IP address; ether1 is the public interface
● drop packets from Inside that do not have an address from the inside address ranges.
● create address-list=Inside to group all inside addresses
○ 192.168.10.0/24 = DMZ
○ 192.168.20.0/24 = LAN
○ 192.168.30.0/24 = Management
IPv4 firewall: Protect the Inside network
/ip firewall filter add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from Inside that do not have Inside IP" in-interface=ether2 src-address-list=!Inside
add action=drop chain=forward comment="Drop packets from Inside that do not have Inside IP" in-interface=ether3 src-address-list=!Inside
add action=drop chain=forward comment="Drop packets from Inside that do not have Inside IP" in-interface=ether4 src-address-list=!Inside
/ip firewall address-list
add address=192.168.10.0/24 list=Inside
add address=192.168.20.0/24 list=Inside
add address=192.168.30.0/24 list=Inside
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
*** Modify to meet the requirement
WEB-SERVER IP = 192.168.10.10
/ip firewall nat
add action=dst-nat chain=dstnat comment=WEB-SERVER dst-address=100.1.11.2 dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=80
/ip firewall filter
add action=jump chain=forward comment=WEB-SERVER dst-address=192.168.10.10 jump-target=WEB-SERVER
……
add action=accept chain=WEB-SERVER comment=WEB dst-port=80 protocol=tcp
add action=accept chain=WEB-SERVER comment="accept ssh from NOC" dst-port=22 protocol=tcp src-address-list=Management
add action=drop chain=WEB-SERVER comment=DROP
● https://wiki.mikrotik.com/wiki/Firewall
● SynFlood
● ICMP Flood
● Port Scanner
● Email Spam
● L7 Filter
● DoS attack protection
● Etc.
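Defensive rules for the SynFlood, ICMP flood, port scanner, email spam and DoS items above, as an added RouterOS 6.x example that is not from the deck; the thresholds, the address-list names blocked/spammer/mail_servers and the mail relay 192.168.10.25 are assumptions. The first filter rule goes at the top of the deck's input chain, the rest before its final "add action=drop chain=input".

```routeros
# Added example, RouterOS 6.x CLI. Thresholds are assumptions; tune them per site and watch
# the address lists for a while before trusting them.
/ip settings set tcp-syncookies=yes

/ip firewall filter
# Sources already caught below are dropped first, before connection tracking is consulted
add action=drop chain=input src-address-list=blocked comment="drop listed offenders"
add action=drop chain=input connection-state=invalid comment="drop invalid"

# ICMP flood: the deck's unconditional ICMP accept becomes a bounded rate, rest is dropped
add action=accept chain=input protocol=icmp limit=50/5s,2:packet comment="ICMP, rate limited"
add action=drop chain=input protocol=icmp comment="ICMP over the limit"

# Port scanner: psd=weight,delay,low-port-weight,high-port-weight; a source that probes many
# distinct ports within 3s is listed for two weeks and hits the "blocked" drop above
add action=add-src-to-address-list chain=input protocol=tcp psd=21,3s,3,1 \
    address-list=blocked address-list-timeout=2w comment="port scan detected"

# SynFlood / DoS: more than 100 simultaneous TCP connections from one /32 lists it for 30 min
add action=add-src-to-address-list chain=input protocol=tcp connection-limit=100,32 \
    address-list=blocked address-list-timeout=30m comment="connection flood"

# Email spam: only the known mail relay may open many outbound SMTP sessions; any other
# inside host doing so (typical of an infected client) is listed and its SMTP dropped
add action=add-src-to-address-list chain=forward protocol=tcp dst-port=25 \
    src-address-list=!mail_servers connection-limit=30,32 \
    address-list=spammer address-list-timeout=3h comment="SMTP flood from inside host"
add action=drop chain=forward protocol=tcp dst-port=25 src-address-list=spammer \
    comment="drop spammer SMTP"

/ip firewall address-list add address=192.168.10.25 list=mail_servers comment="assumed DMZ mail relay"

# Review what got caught (dynamic entries carry the remaining timeout)
/ip firewall address-list print where list=blocked
/ip firewall address-list print where list=spammer
```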
Recommendation
● Enable Syslog and SNMP for monitoring the router
● Separate network for each LAN and Server
● Use address lists to group all addresses used in the FW
● Use the FW to protect the router itself, the inside network and the servers
MUM 2017, Phnom Penh, Cambodia.
Reference
● wiki.mikrotik.com
Question?
Thanks for your Attention ☺
• Email: info@ppic-training.com
• Upcoming Training: http://ppic-training.com/upcoming-courses/
• Facebook: www.facebook.com/PhnomPenhInformaticsCenter
• Mobile: 077/087 616102
• Please subscribe to our mailing list to receive all update information such as discount and promotion prices