Additional Security Engineer Materials
(MTCASE)
Riga, Latvia
March 7 - March 8, 2019
Schedule
INTRODUCE YOURSELF
Introduce Yourself
• Name
• Company / Student
• Current Position
• Job Roles
• Expectations from the Training
LAB SETUP
Lab Setup
SSID : CLASS-AP
KEY : MikrotikLab
[Diagram: the class access point (AP) reaches the student routers R1, R2 ... Rn over Wireless-Links; the routers are also joined to each other by Ether-Links]
SECURITY INTRO
What Security is all about?
Security Attacks, Mechanisms & Services
Security Threats / Attacks
The slides use the classic flow diagrams between an information source and an information destination:
• NORMAL FLOW: information travels from the source to the destination undisturbed.
• INTERRUPTION: the flow is cut; the asset is destroyed or made unavailable (an attack on availability).
• INTERCEPTION: an attacker gains read access to the flow (an attack on confidentiality).
• MODIFICATION: an attacker intercepts the flow and alters it before it reaches the destination (an attack on integrity).
• FABRICATION: an attacker injects traffic of their own into the flow (an attack on authenticity): "additional data or activities are generated that would normally not exist, such as adding a password to a system, replaying previously sent messages, etc."
Type of Threats / Attacks
• Active Attacks / Threats: Interruption, Modification, Fabrication
• Passive Attacks / Threats: Interception
Security Mechanisms
COMMON THREATS
Common Security Threats
Botnet
"Collection of software robots, or 'bots', that creates an army of infected computers (known as 'zombies') that are remotely controlled by the originator."
What it can do :
• Send spam emails with viruses attached.
• Spread all types of malware.
• Use your computer as part of a denial of service attack against other systems.
Common Security Threats
Distributed Denial of Service (DDoS)
What it can do :
• The most common and obvious type of DDoS attack occurs when an attacker "floods" a network with useless information.
• The flood of incoming messages to the target system essentially forces it to shut down, thereby denying access to legitimate users.
Common Security Threats
Hacking
"Hacking is a term used to describe actions taken by someone to gain unauthorized access to a computer."
What it can do :
• Find weaknesses (or pre-existing bugs) in your security settings and exploit them in order to access your computer.
• Install a Trojan horse, providing a back door for hackers to enter and search for your information.
Common Security Threats
Malware
"Malware is one of the more common ways to infiltrate or damage your computer. It is software that infects your computer, such as computer viruses, worms, Trojan horses, spyware, and adware."
What it can do :
• Intimidate you with scareware, which is usually a pop-up message that tells you your computer has a security problem or other false information.
• Reformat the hard drive of your computer, causing you to lose all your information.
• Alter or delete files.
• Steal sensitive information.
• Send emails on your behalf.
• Take control of your computer and all the software running on it.
Common Security Threats
Phishing
"Phishing is used most often by cyber criminals because it's easy to execute and can produce the results they're looking for with very little effort."
What it can do :
• Trick you into giving them information by asking you to update, validate or confirm your account. It is often presented in a manner that seems official and intimidating, to encourage you to take action.
• Provide cyber criminals with your usernames and passwords so that they can access your accounts (your online bank account, shopping accounts, etc.) and steal your credit card numbers.
Common Security Threats
Ransomware
“Ransomware is a type of malware that restricts
access to your computer or your files and displays a message
that demands payment in order for the restriction to be
removed.”
What it can do :
• Lockscreen ransomware: displays an image that prevents
you from accessing your computer.
• Encryption ransomware: encrypts files on your system's
hard drive and sometimes on shared network drives, USB
drives, external hard drives, and even some cloud storage
drives, preventing you from opening them.
Common Security Threats
Spam
“Spam is one of the more common methods of both
sending information out and collecting it from unsuspecting people.”
What it can do :
• Annoy you with unwanted junk mail.
• Create a burden for communications service providers and
businesses to filter electronic messages.
• Phish for your information by tricking you into following links or
entering details with too-good-to-be-true offers and promotions.
• Provide a vehicle for malware, scams, fraud and threats to your
privacy.
Common Security Threats
Spoofing
"This technique is often used in conjunction with phishing in an attempt to steal your information."
What it can do :
• Sends spam using your email address, or a variation of your email address, to your contact list.
• Recreates websites that closely resemble the authentic site. This could be a financial institution or other site that requires login or other personal information.
Common Security Threats
Spyware
What it can do :
• Collect information about you without you knowing about it and give it to third parties.
• Send your usernames, passwords, surfing habits, list of applications you've downloaded, settings, and even the version of your operating system to third parties.
• Change the way your computer runs without your knowledge.
• Take you to unwanted sites or inundate you with uncontrollable pop-up ads.
Common Security Threats
Trojan Horses
“A malicious program that is disguised as, or embedded
within, legitimate software. It is an executable file that will install
itself and run automatically once it's downloaded.”
What it can do :
• Delete your files.
• Use your computer to hack other computers.
• Watch you through your web cam.
• Log your keystrokes (such as a credit card number you entered
in an online purchase).
• Record usernames, passwords and other personal information.
Common Security Threats
Virus
“Malicious computer programs that are often sent as an
email attachment or a download with the intent of infecting your
computer.”
What it can do :
• Send spam.
• Provide criminals with access to your computer and contact lists.
• Scan and find personal information like passwords on your
computer.
• Hijack your web browser.
• Disable your security settings.
• Display unwanted ads.
Common Security Threats
Worm
"A worm, unlike a virus, goes to work on its own without attaching itself to files or programs. It typically runs from your computer's memory rather than modifying files on disk, and propagates by sending itself to other computers in a network."
What it can do :
• Spread to everyone in your contact list.
• Cause a tremendous amount of damage by shutting down parts of the Internet, wreaking havoc on an internal network and costing companies enormous amounts of lost revenue.
SECURITY DEPLOYMENT
MikroTik as a Global Firewall Router
[Diagram: a single MikroTik router sits between the INTERNET and the DATA CENTER, OFFICE and GUEST segments; all firewalling happens on that one router]
Pros
• Simple topology
• Easy to manage
Cons
• The single router is a single point of failure
• High resource demand concentrated on one device
MikroTik as a Specific Router Firewall
[Diagram: a dedicated MikroTik router, each with its own firewall, in front of each segment (DATA CENTER, OFFICE, GUEST)]
Pros
• Less resource consumption on each router
• Each firewall is focused on the security of its own network segment
Cons
• Different network segments get different treatment
• The firewall must be configured separately on each router
• Rules sometimes end up duplicated across routers
MikroTik as an IPS
[Diagram: a dedicated MikroTik IPS router inline between the INTERNET and the segment routers]
Pros
• Clean firewall configuration on the segment routers, because all firewall rules are defined on the IPS router
Cons
• The MikroTik acting as IPS needs to be a high-resource device
MikroTik with IDS as a trigger
[Diagram: an IDS SERVER receives a mirror of the traffic and pushes blocking rules to the MikroTik router through the API]
Pros
• All firewall rules are created automatically through the API from the IDS server
Cons
• Needs an additional device to detect bad traffic
• Needs a powerful device to receive a mirror of all traffic in and out of the networks
• Needs custom scripting to send the information to the router
• Expensive
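As an added example (not part of the MTCASE materials), the script below shows the glue an "IDS as a trigger" server needs: it parses a handful of constructed Suricata-style fast.log alert lines, decides which sources to block, and emits the RouterOS address-list commands the server would push to the router over the API or SSH. The sample alerts and their SIDs, the ids-block list name, the 1h timeout, the block thresholds and the protected prefix 203.0.113.0/24 are all assumptions made for this example.

```python
"""IDS alerts -> RouterOS address-list commands (the "IDS as a trigger" design)."""
import ipaddress
import re
from collections import Counter

# Constructed Suricata fast.log-style lines (not real captures; SIDs are in the
# local 1000000+ range and the addresses are documentation/test ranges).
SAMPLE_ALERTS = """\
03/07/2019-10:15:01.000000  [**] [1:1000001:1] LOCAL SCAN SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 198.51.100.23:44012 -> 203.0.113.10:22
03/07/2019-10:15:02.000000  [**] [1:1000002:1] LOCAL SCAN Inbound MSSQL probe [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.23:44013 -> 203.0.113.10:1433
03/07/2019-10:15:03.000000  [**] [1:1000003:1] LOCAL SCAN Inbound MySQL probe [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.23:44014 -> 203.0.113.10:3306
03/07/2019-10:15:04.000000  [**] [1:1000010:1] LOCAL EXPLOIT Web shell upload [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.77:51000 -> 203.0.113.10:80
03/07/2019-10:15:05.000000  [**] [1:1000002:1] LOCAL SCAN Inbound MSSQL probe [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.20:5555 -> 203.0.113.10:1433
03/07/2019-10:15:06.000000  [**] [1:1000002:1] LOCAL SCAN Inbound MSSQL probe [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.20:5556 -> 203.0.113.10:1433
03/07/2019-10:15:07.000000  [**] [1:1000002:1] LOCAL SCAN Inbound MSSQL probe [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.20:5557 -> 203.0.113.10:1433
"""

ALERT_RE = re.compile(
    r"\[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.+?) \[\*\*\] .*?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[0-9a-fA-F.:]+):(?P<sport>\d+) -> "
    r"(?P<dst>[0-9a-fA-F.:]+):(?P<dport>\d+)"
)

def parse_alerts(text):
    """Parse fast.log-style lines into dicts; lines that are not alerts are ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append({"sid": m["sid"], "msg": m["msg"], "priority": int(m["prio"]),
                           "proto": m["proto"], "src": m["src"], "dst": m["dst"],
                           "dport": int(m["dport"])})
    return alerts

# Never let the IDS block these: internal ranges and our own public prefix
# (assumed to be 203.0.113.0/24 here). Otherwise a spoofed source address lets an
# attacker make our own IDS firewall off our hosts or our upstream.
PROTECTED = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")]

def is_protected(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROTECTED)

def select_blocks(alerts, min_hits=3):
    """Decide which sources to block: any priority-1 alert, or >= min_hits alerts."""
    hits = Counter(a["src"] for a in alerts)
    reasons = {}
    for a in alerts:
        src = a["src"]
        if src in reasons or is_protected(src):
            continue
        if a["priority"] <= 1:
            reasons[src] = f"priority {a['priority']} {a['sid']} {a['msg']}"
        elif hits[src] >= min_hits:
            reasons[src] = f"{hits[src]} alerts, e.g. {a['sid']} {a['msg']}"
    return reasons

def routeros_commands(reasons, list_name="ids-block", timeout="1h"):
    """RouterOS commands the IDS server pushes (API/SSH); entries expire via timeout."""
    return [f'/ip firewall address-list add list={list_name} address={src} '
            f'timeout={timeout} comment="IDS: {why.replace(chr(34), chr(39))}"'
            for src, why in sorted(reasons.items())]

# Added once, by hand, so that the dynamic list actually blocks traffic (assumed rule):
ROUTER_DROP_RULE = ("/ip firewall filter add chain=forward src-address-list=ids-block "
                    "action=drop comment=\"IDS-triggered blocks\"")

if __name__ == "__main__":
    for cmd in routeros_commands(select_blocks(parse_alerts(SAMPLE_ALERTS))):
        print(cmd)
```

The protected-prefix check is the part that is easy to forget: an IDS that blindly blocks alert sources can be turned into a denial-of-service tool by spoofing packets from your own addresses or your upstream's. Address-list entries with a timeout keep the router's configuration self-cleaning; the one static drop rule that references the list is added once by hand.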
IPv6 SECURITY
IPv6 Review – Address Comparison
IPv6 Review – Header Comparison
IPv6 Review – Extension Header
IPv6 Review – Usable Addresses
IPv6 Threat Types
IPv6 Threats - Scanning
IPv6 Threats - Unauthorized Access
IPv6 Threats - Header Manipulation
IPv6 Threats - L3 / L4 Spoofing
IPv6 Threats - Auto Configuration
IPv6 Threats – DDoS Attacks
IPv6 Threats – DDoS Mitigation
IPv6 Threats – Routing Attack
IPv6 Threats – Sniffing
IPv6 Threats – Application Attacks
IPv6 Threats – MITM
IPv6 Threats – Flooding
• Flooding attacks are identical for IPv4 and IPv6.
Man in the Middle Attack
NDP Attacks
IPv6 Attack Frameworks
Duplicate Address Detection - DoS
DAD Attack Tool - DoS
dos-new-ip6
• This tool prevents new IPv6 interfaces from coming up by answering Duplicate Address Detection probes as if the address were already in use. The result is a DoS for every new IPv6 device on the link.
Neighbor Discovery Spoofing
NDP Spoofing – Attack Tool
Parasite6
• This is an "ARP spoofer" for IPv6: it redirects all local traffic to your own system (or to nowhere, if the fake MAC does not exist) by answering Neighbor Solicitation requests with false information. Specifying FAKE-MAC therefore results in a local DoS.
Router Advertisement Spoofing
[Diagram: the attacker first floods the legitimate router until it is down, then acts as the router by sending its own Router Advertisements]
Man in the Middle Attack
[Diagram: the attacker advertises itself as the default router; the prefixes shown on the slide are 2000:db8::1/64 and fac:dead:a11::/64]
Router Advertisement Spoofing
Router Advertisement Flooding
Detect Rogue RAs & ND Spoofing
RA Guard
• Block incoming RAs on interfaces where no router is expected (client-facing ports).
How to Countermeasure
Allowing own Prefix
Allowing ICMPv6
• Allow ICMPv6 (IPv6 depends on it for Neighbor Discovery, path MTU discovery and error reporting).
Filtering unneeded services
Filtering Bogon Addresses
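To make the "Detect Rogue RAs" and "Allowing own Prefix" steps concrete, here is an added example in Python that is not part of the slides: it builds three constructed ICMPv6 Router Advertisements (a legitimate one, a prefix-spoofing one, and a "router down" one with router lifetime 0), parses them, and reports what a detector watching the LAN would flag. The router MAC 00:50:00:03:00:01, the prefix 2001:db8:1::/48 and the interface name in the RouterOS rule string are assumptions.

```python
"""Rogue Router Advertisement detector (added example, not from the MTCASE slides)."""
import ipaddress
import struct

ICMPV6_RA = 134          # ICMPv6 type: Router Advertisement (RFC 4861)
OPT_SRC_LLADDR = 1       # option: source link-layer address
OPT_PREFIX_INFO = 3      # option: prefix information
LEGIT_ROUTER_MAC = "00:50:00:03:00:01"   # assumed MAC of our real router
OUR_PREFIXES = ["2001:db8:1::/48"]       # assumed: the only prefix we hand out

def build_ra(src_mac, prefixes, router_lifetime=1800):
    """Construct an RA as a router (or an attack tool) would send it.
    The ICMPv6 checksum is left as zero: this is sample data, not a sender."""
    ra = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    ra += struct.pack("!BB6s", OPT_SRC_LLADDR, 1, bytes.fromhex(src_mac.replace(":", "")))
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        # option length 4 (= 32 bytes); flags 0xC0 = on-link + autonomous (SLAAC)
        ra += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                          2592000, 604800, 0, net.network_address.packed)
    return ra

def parse_ra(pkt):
    """Extract what a rogue-RA detector needs: router lifetime, source MAC, prefixes."""
    if len(pkt) < 16 or pkt[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    ra = {"router_lifetime": struct.unpack("!H", pkt[6:8])[0], "src_mac": None, "prefixes": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0 or off + olen * 8 > len(pkt):
            raise ValueError("malformed option (RFC 4861 says discard the packet)")
        body = pkt[off + 2:off + olen * 8]
        if otype == OPT_SRC_LLADDR and olen == 1:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen, _flags, _valid, _pref, _res, raw = struct.unpack("!BBIII16s", body)
            net = ipaddress.IPv6Network((int.from_bytes(raw, "big"), plen), strict=False)
            ra["prefixes"].append(str(net))
        off += olen * 8
    return ra

def classify_ra(pkt, legit_mac=LEGIT_ROUTER_MAC, allowed=OUR_PREFIXES):
    """Return findings for one RA; an empty list means it matches what we expect."""
    ra = parse_ra(pkt)
    allowed_nets = [ipaddress.IPv6Network(a) for a in allowed]
    findings = []
    if ra["src_mac"] != legit_mac.lower():
        findings.append(f"RA from unexpected link-layer address {ra['src_mac']}")
    if ra["router_lifetime"] == 0:
        findings.append("router lifetime 0: tells hosts the default router is gone")
    for p in ra["prefixes"]:
        net = ipaddress.IPv6Network(p)
        if not any(net.subnet_of(a) for a in allowed_nets):
            findings.append(f"advertised prefix {p} is not one of ours")
    return findings

def demo():
    good = build_ra(LEGIT_ROUTER_MAC, ["2001:db8:1:10::/64"])
    spoof = build_ra("de:ad:be:ef:00:01", ["2001:db8:bad::/64"])           # MITM via a fake prefix
    down = build_ra("de:ad:be:ef:00:01", ["2001:db8:1:10::/64"], router_lifetime=0)  # "router down"
    return [classify_ra(p) for p in (good, spoof, down)]

# RouterOS side, for the router's own input chain (interface name is an assumption):
RA_GUARD_INPUT_RULE = ("/ipv6 firewall filter add chain=input in-interface=ether2-LAN "
                       "protocol=icmpv6 icmp-options=134:0-255 action=drop "
                       "comment=\"RA guard: never accept RAs from the LAN\"")

if __name__ == "__main__":
    for name, f in zip(("legit", "spoofed prefix", "router-down"), demo()):
        print(name, "->", f or "OK")
```

The RouterOS rule kept as a string at the end only protects the router itself (input chain): an RA that one client sends to another never reaches the router's firewall, so RA guard for hosts has to be enforced on the switch or in the bridge filter.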
OSPF SECURITY
OSPF - Attacks
OSPF - Resource Starvation Attacks
Memory impact
• Bogus LSAs with an arbitrary source take up space in the topology table until the LSA ages out.
CPU impact
• LSAs with bogus MD5 passwords still invoke the MD5 function on the receiver.
Bandwidth impact
• Bogus LSAs and the associated legitimate response traffic could be disruptively high in large, densely populated areas.
• Bogus link state request packets can saturate a link with requests for nonexistent networks.
Misdirecting Traffic to Form Routing Loops
Misdirecting Traffic to a Black Hole
Eavesdropping / Man-in-the-middle
Attacks Against OSPF
Protecting OSPF
OSPF Attack
[Diagram: routers R1 and R2 on 192.168.0.0/24; the addresses .1, .2 and .11 appear on the segment]
OSPF Attack Scenario
OSPF Neighbor/Route Injection
Preventing OSPF Attacks
• It is recommended to set "Authentication" for every peering to other OSPF routers.
• It is recommended to set "Passive" on interfaces that do not face another OSPF router, and to set Authentication there as well.
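An added example (not from the slides) that shows what "LSAs with bogus MD5 passwords invoke the MD5 function" means in practice: it builds OSPFv2 Hello packets with cryptographic authentication (AuType 2, RFC 2328 Appendix D), verifies them the way a receiver must, and counts MD5 invocations. The router IDs and the key mtcase-lab-key are assumptions.

```python
"""OSPFv2 cryptographic authentication (RFC 2328 Appendix D), added example."""
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION, OSPF_HELLO, AU_TYPE_CRYPTO, KEY_LEN = 2, 1, 2, 16
KEYS = {1: "mtcase-lab-key"}     # assumed shared secret for key id 1
_md5_calls = 0                    # digests computed so far (a proxy for CPU cost)

def digest_count():
    return _md5_calls

def _ospf_md5(packet, key):
    """MD5(packet || key), key zero-padded to 16 bytes, as OSPFv2 receivers compute it."""
    global _md5_calls
    _md5_calls += 1
    return hashlib.md5(packet + key.encode()[:KEY_LEN].ljust(KEY_LEN, b"\0")).digest()

def _ip(s):
    return ipaddress.IPv4Address(s).packed

def build_hello(router_id, area_id, key_id, seq, key):
    """Hello with AuType 2: 24-byte header + 20-byte body + trailing 16-byte digest."""
    # network mask, HelloInterval 10, options (E bit), priority 1, RouterDeadInterval 40, DR, BDR
    body = struct.pack("!4sHBBI4s4s", _ip("255.255.255.0"), 10, 0x02, 1, 40, b"\0" * 4, b"\0" * 4)
    length = 24 + len(body)                      # the digest is NOT counted in the length field
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_HELLO, length, _ip(router_id),
                         _ip(area_id), 0, AU_TYPE_CRYPTO)   # checksum is unused with AuType 2
    header += struct.pack("!HBBI", 0, key_id, KEY_LEN, seq)  # auth field: 0, key id, len, seq
    packet = header + body
    return packet + _ospf_md5(packet, key)

_last_seq = {}   # router id -> last accepted sequence number (replay protection)

def verify(data, keys=KEYS):
    """What a receiver must do for every packet; returns (accepted, reason)."""
    if len(data) < 24 + KEY_LEN or data[0] != OSPF_VERSION:
        return False, "malformed"
    length = struct.unpack("!H", data[2:4])[0]
    au_type = struct.unpack("!H", data[14:16])[0]
    if au_type != AU_TYPE_CRYPTO:
        return False, "not cryptographic authentication"
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", data[16:24])
    if auth_len != KEY_LEN or len(data) < length + KEY_LEN:
        return False, "bad auth data length"
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key id {key_id}"            # rejected cheaply, no MD5 run
    packet, tag = data[:length], data[length:length + KEY_LEN]
    if not hmac.compare_digest(_ospf_md5(packet, key), tag):
        return False, "digest mismatch"                      # MD5 was spent on a bogus packet
    rid = data[4:8]
    if seq < _last_seq.get(rid, 0):
        return False, "replayed (sequence number went backwards)"
    _last_seq[rid] = seq
    return True, f"ok seq={seq}"

def demo():
    genuine = build_hello("10.0.0.1", "0.0.0.0", 1, 100, KEYS[1])
    forged = build_hello("10.0.0.9", "0.0.0.0", 1, 101, "wrong-guess")   # attacker lacks the key
    tampered = bytearray(genuine)
    tampered[24] ^= 0xFF                                               # flip a bit in the body
    later = build_hello("10.0.0.1", "0.0.0.0", 1, 101, KEYS[1])
    # genuine, forged, tampered, a later genuine one, then the first one replayed
    return [verify(p) for p in (genuine, forged, bytes(tampered), later, genuine)]

if __name__ == "__main__":
    for ok, why in demo():
        print("accept" if ok else "reject", why)
    print("MD5 invocations:", digest_count())
```

Note the asymmetry the slide is pointing at: an attacker produces forged Hellos for free, while the receiver has to run MD5 over each one before it can discard it; only packets with an unknown key ID are rejected without that cost. The sequence-number check is what stops replay of captured, validly signed packets.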
BGP SECURITY
BGP Security
BGP Session Protection
GTSM
# on R1
/routing bgp peer set R2 ttl=255
# on R2
/routing bgp peer set R1 ttl=255
# ttl=255 makes each side send its BGP packets with the maximum TTL. GTSM only
# protects the session if packets arriving with a lower TTL are also dropped:
# a remote attacker's packets always arrive with TTL < 255, because every hop
# on the way decrements it.
TCP-AO
MD5
# on R1
/routing bgp peer set R2 tcp-md5-key=this-is-super-secret
# on R2
/routing bgp peer set R1 tcp-md5-key=this-is-super-secret
# The key must be identical on both ends. Use a long, per-peer secret: anyone who
# learns it can inject segments into the session (reset it, or feed it routes).
Maximum-Prefix Limit
# on R1
/routing bgp peer set R2 max-prefix-limit=100
# on R2
/routing bgp peer set R1 max-prefix-limit=500
# Exceeding the limit tears the session down, so size it with headroom above the
# number of prefixes the peer legitimately announces.
Prefix Filtering
Inbound and Outbound
[Diagram: the CORE router has BGP sessions to an UPSTREAM (TRANSIT), to the IXP and to a PRIVATE PEERING partner]
[Diagram: on each BGP session, INBOUND filters apply to routes learned from the peer and OUTBOUND filters to routes advertised to it; on both sides, routes originate from STATIC routes and OSPF before entering BGP]
Prefix Filtering – Upstream Inbound
Prefix Filtering – Upstream Inbound
# ADD ROUTING FILTER ACCEPT-ALL & DROP-ALL
/routing filter
add action=accept chain=ACCEPT-ALL comment="ACCEPT ALL"
add action=discard chain=DROP-ALL comment="DROP ALL"
# ADD ROUTING FILTER RFC 5735 (excerpt; the complete chain is listed under "Rearranging the Routing Filter")
/routing filter
add action=discard chain=RFC-5735 comment="RFC 5737 - TEST-NET-1" prefix=192.0.2.0/24
add action=discard chain=RFC-5735 comment="RFC 1918 - Private-Use Networks" prefix=192.168.0.0/16
add action=discard chain=RFC-5735 comment="RFC 2544 - Device Benchmark Testing" prefix=198.18.0.0/15
add action=discard chain=RFC-5735 comment="RFC 5737 - TEST-NET-2" prefix=198.51.100.0/24
add action=discard chain=RFC-5735 comment="RFC 3068 - 6to4 Relay Anycast" prefix=192.88.99.0/24
add action=discard chain=RFC-5735 comment="RFC 5737 - TEST-NET-3" prefix=203.0.113.0/24
add action=discard chain=RFC-5735 comment="RFC 3171 - Multicast" prefix=224.0.0.0/4
add action=discard chain=RFC-5735 comment="RFC 1112 - Reserved for Future Use" prefix=240.0.0.0/4
add action=discard chain=RFC-5735 comment="RFC 6598 - Shared CGN IPv4 Address" prefix=100.64.0.0/10
add action=return chain=RFC-5735 comment="RETURN PACKET"
# ADD ROUTING FILTER DROP-YOUR-PREFIX: never accept our own prefix (or more specifics of it) from outside
/routing filter
add action=discard chain=OUR-PREFIX-DROP prefix=100.0.0.0/22 prefix-length=22-24
add action=return chain=OUR-PREFIX-DROP comment="RETURN PACKET"
Prefix Filtering – Upstream Outbound
[Diagram: CORE router with its UPSTREAM, IXP and PRIVATE PEERING sessions; the outbound direction is highlighted]
# ADD ROUTING FILTER ACCEPT-YOUR-PREFIX
/routing filter
add action=accept chain=OUR-PREFIX-ADV prefix=100.0.0.0/22 prefix-length=22-24
add action=return chain=OUR-PREFIX-ADV comment="RETURN PACKET"
# Alternative: list the aggregate and each /24 explicitly instead of using prefix-length
/routing filter
add action=accept chain=OUR-PREFIX-ADV prefix=100.0.0.0/22
add action=accept chain=OUR-PREFIX-ADV prefix=100.0.0.0/24
add action=accept chain=OUR-PREFIX-ADV prefix=100.0.1.0/24
add action=accept chain=OUR-PREFIX-ADV prefix=100.0.2.0/24
add action=accept chain=OUR-PREFIX-ADV prefix=100.0.3.0/24
add action=return chain=OUR-PREFIX-ADV comment="RETURN PACKET"
/routing filter
add action=jump chain=IXP-OUTBOUND jump-target=OUR-PREFIX-ADV
add action=jump chain=IXP-OUTBOUND jump-target=IXP-PREFIX
add action=jump chain=IXP-OUTBOUND jump-target=RFC-5735
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM1
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM2
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM3
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM4
/routing filter
add action=jump chain=UPSTREAM-OUTBOUND jump-target=OUR-PREFIX-ADV
add action=jump chain=UPSTREAM-OUTBOUND jump-target=IXP-PREFIX
add action=jump chain=UPSTREAM-OUTBOUND jump-target=RFC-5735
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM1
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM2
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM3
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM4
/routing filter
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=OUR-PREFIX-ADV
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=IXP-PREFIX
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=RFC-5735
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM1
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM2
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM3
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM4
Prefix Filtering – Downstream Inbound
[Diagram: the CORE router with its four downstream customer sessions]
/routing filter
add action=jump chain=DOWNSTREAM1-INBOUND jump-target=DOWNSTREAM1
add action=jump chain=DOWNSTREAM2-INBOUND jump-target=DOWNSTREAM2
add action=jump chain=DOWNSTREAM3-INBOUND jump-target=DOWNSTREAM3
add action=jump chain=DOWNSTREAM4-INBOUND jump-target=DOWNSTREAM4
Prefix Filtering – Downstream Outbound
[Diagram: the same topology, outbound direction towards the downstreams]
/routing filter
add action=jump chain=DOWNSTREAM1-OUTBOUND jump-target=ACCEPT-ALL
add action=jump chain=DOWNSTREAM2-OUTBOUND jump-target=ACCEPT-ALL
add action=jump chain=DOWNSTREAM3-OUTBOUND jump-target=ACCEPT-ALL
add action=jump chain=DOWNSTREAM4-OUTBOUND jump-target=ACCEPT-ALL
AS-Path Filtering
AS-Path Filtering – Upstream Inbound
[Diagram: CORE router with its UPSTREAM, IXP and PRIVATE PEERING sessions; the inbound direction is highlighted]
/routing filter
add action=discard bgp-as-path=".* 0 .*" chain=ASN-BOGONS comment="RFC 7607"
add action=discard bgp-as-path=".* 23456 .*" chain=ASN-BOGONS comment="RFC 4893 - AS_TRANS"
add action=discard bgp-as-path=".* [64496-64511] .*" chain=ASN-BOGONS comment="RFC 5398 - documentation/example ASNs"
add action=discard bgp-as-path=".* [65536-65551] .*" chain=ASN-BOGONS comment="RFC 5398 - documentation/example ASNs"
add action=discard bgp-as-path=".* [64512-65534] .*" chain=ASN-BOGONS comment="RFC 6996 - Private ASN"
add action=discard bgp-as-path=".* [4200000000-4294967294] .*" chain=ASN-BOGONS comment="RFC 6996 - Private ASN"
add action=discard bgp-as-path=".* 65535 .*" chain=ASN-BOGONS comment="RFC 7300 - Last 16 and 32 bit ASN"
add action=discard bgp-as-path=".* 4294967295 .*" chain=ASN-BOGONS comment="RFC 7300 - Last 16 and 32 bit ASN"
add action=return chain=ASN-BOGONS comment="RETURN PACKET"
/routing filter
add action=discard bgp-as-path=".* 1111 .*" chain=YOUR-ASN comment="YOUR ASN"
add action=return chain=YOUR-ASN comment="RETURN PACKET"
AS-Path Filtering – Upstream Inbound
/routing filter
add action=jump chain=IXP-INBOUND jump-target=YOUR-ASN
add action=jump chain=IXP-INBOUND jump-target=ASN-BOGONS
add action=jump chain=UPSTREAM-INBOUND jump-target=YOUR-ASN
add action=jump chain=UPSTREAM-INBOUND jump-target=ASN-BOGONS
add action=jump chain=PRVT_PEER-INBOUND jump-target=YOUR-ASN
add action=jump chain=PRVT_PEER-INBOUND jump-target=ASN-BOGONS
AS-Path Filtering – Upstream Outbound
[Diagram: CORE router with its UPSTREAM, IXP and PRIVATE PEERING sessions; the outbound direction is highlighted]
/routing filter
add action=jump chain=IXP-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=UPSTREAM-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=ASN-BOGONS
AS-Path Filtering – Downstream Inbound
[Diagram: the CORE router with its four downstream customer sessions]
# Discard anything from a downstream whose AS path does not contain that downstream's ASN
/routing filter
add action=discard bgp-as-path="!.* 2001 .*" chain=DOWNSTREAM1
add action=discard bgp-as-path="!.* 2002 .*" chain=DOWNSTREAM2
add action=discard bgp-as-path="!.* 2003 .*" chain=DOWNSTREAM3
add action=discard bgp-as-path="!.* 2004 .*" chain=DOWNSTREAM4
AS-Path Filtering – Downstream Outbound
/routing filter
add action=jump chain=DOWNSTREAM1-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=DOWNSTREAM2-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=DOWNSTREAM3-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=DOWNSTREAM4-OUTBOUND jump-target=ASN-BOGONS
Rearranging the Routing Filter
# IXP PEERING IN/OUT FILTER
/routing filter
add action=jump chain=IXP-INBOUND jump-target=OUR-PREFIX-DROP
add action=jump chain=IXP-INBOUND jump-target=IXP-PREFIX
add action=jump chain=IXP-INBOUND jump-target=RFC-5735
add action=jump chain=IXP-INBOUND jump-target=ASN-BOGONS
add action=jump chain=IXP-INBOUND jump-target=ACCEPT-ALL
add action=jump chain=IXP-OUTBOUND jump-target=OUR-PREFIX-ADV
add action=jump chain=IXP-OUTBOUND jump-target=IXP-PREFIX
add action=jump chain=IXP-OUTBOUND jump-target=RFC-5735
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM1
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM2
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM3
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM4
add action=jump chain=IXP-OUTBOUND jump-target=DROP-ALL
Rearranging the Routing Filter
# UPSTREAM PEERING IN/OUT FILTER
/routing filter
add action=jump chain=UPSTREAM-INBOUND jump-target=OUR-PREFIX-DROP
add action=jump chain=UPSTREAM-INBOUND jump-target=IXP-PREFIX
add action=jump chain=UPSTREAM-INBOUND jump-target=RFC-5735
add action=jump chain=UPSTREAM-INBOUND jump-target=ASN-BOGONS
add action=jump chain=UPSTREAM-INBOUND jump-target=ACCEPT-ALL
add action=jump chain=UPSTREAM-OUTBOUND jump-target=OUR-PREFIX-ADV
add action=jump chain=UPSTREAM-OUTBOUND jump-target=IXP-PREFIX
add action=jump chain=UPSTREAM-OUTBOUND jump-target=RFC-5735
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM1
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM2
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM3
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM4
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DROP-ALL
Rearranging the Routing Filter
# PRIVATE-PEER PEERING IN/OUT FILTER
/routing filter
add action=jump chain=PRVT_PEER-INBOUND jump-target=OUR-PREFIX-DROP
add action=jump chain=PRVT_PEER-INBOUND jump-target=IXP-PREFIX
add action=jump chain=PRVT_PEER-INBOUND jump-target=RFC-5735
add action=jump chain=PRVT_PEER-INBOUND jump-target=ASN-BOGONS
add action=jump chain=PRVT_PEER-INBOUND jump-target=ACCEPT-ALL
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=OUR-PREFIX-ADV
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=IXP-PREFIX
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=RFC-5735
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM1
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM2
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM3
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM4
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DROP-ALL
Rearranging the Routing Filter
# DOWNSTREAMS PEERING IN/OUT FILTER
/routing filter
add action=jump chain=DOWNSTREAM1-INBOUND jump-target=DOWNSTREAM1
add action=jump chain=DOWNSTREAM1-INBOUND jump-target=DROP-ALL
add action=jump chain=DOWNSTREAM1-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=DOWNSTREAM1-OUTBOUND jump-target=ACCEPT-ALL
add action=jump chain=DOWNSTREAM2-INBOUND jump-target=DOWNSTREAM2
add action=jump chain=DOWNSTREAM2-INBOUND jump-target=DROP-ALL
add action=jump chain=DOWNSTREAM2-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=DOWNSTREAM2-OUTBOUND jump-target=ACCEPT-ALL
add action=jump chain=DOWNSTREAM3-INBOUND jump-target=DOWNSTREAM3
add action=jump chain=DOWNSTREAM3-INBOUND jump-target=DROP-ALL
add action=jump chain=DOWNSTREAM3-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=DOWNSTREAM3-OUTBOUND jump-target=ACCEPT-ALL
add action=jump chain=DOWNSTREAM4-INBOUND jump-target=DOWNSTREAM4
add action=jump chain=DOWNSTREAM4-INBOUND jump-target=DROP-ALL
add action=jump chain=DOWNSTREAM4-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=DOWNSTREAM4-OUTBOUND jump-target=ACCEPT-ALL
Rearranging the Routing Filter
# YOUR PREFIX FILTER
/routing filter
add action=accept chain=OUR-PREFIX-ADV prefix=100.0.0.0/22 prefix-length=22-24
add action=return chain=OUR-PREFIX-ADV comment="RETURN PACKET"
add action=discard chain=OUR-PREFIX-DROP prefix=100.0.0.0/22 prefix-length=22-24
add action=return chain=OUR-PREFIX-DROP comment="RETURN PACKET"
Rearranging the Routing Filter
# DOWNSTREAMS PREFIX FILTER
/routing filter
add action=accept chain=DOWNSTREAM1 prefix=100.1.0.0/22 prefix-length=22-24
add action=discard bgp-as-path="!.* 2001 .*" chain=DOWNSTREAM1
add action=return chain=DOWNSTREAM1 comment="RETURN PACKET"
add action=accept chain=DOWNSTREAM2 prefix=100.2.0.0/22 prefix-length=22-24
add action=discard bgp-as-path="!.* 2002 .*" chain=DOWNSTREAM2
add action=return chain=DOWNSTREAM2 comment="RETURN PACKET"
add action=accept chain=DOWNSTREAM3 prefix=100.3.0.0/22 prefix-length=22-24
add action=discard bgp-as-path="!.* 2003 .*" chain=DOWNSTREAM3
add action=return chain=DOWNSTREAM3 comment="RETURN PACKET"
add action=accept chain=DOWNSTREAM4 prefix=100.4.0.0/22 prefix-length=22-24
add action=discard bgp-as-path="!.* 2004 .*" chain=DOWNSTREAM4
add action=return chain=DOWNSTREAM4 comment="RETURN PACKET"
Rearranging the Routing Filter
# RFC 5735 PREFIX FILTER
# Note: an entry with prefix= but no prefix-length= matches that exact prefix only.
# Add prefix-length=<len>-32 to an entry if more-specific announcements inside the
# block should be discarded as well.
/routing filter
add action=discard chain=RFC-5735 comment="DEFAULT ROUTE" prefix=0.0.0.0/0
add action=discard chain=RFC-5735 comment="PREFIXES LONGER THAN /24" prefix=0.0.0.0/0 prefix-length=25-32
add action=discard chain=RFC-5735 comment="RFC 1122 - This Network" prefix=0.0.0.0/8
add action=discard chain=RFC-5735 comment="RFC 1918 - Private-Use Networks" prefix=10.0.0.0/8
add action=discard chain=RFC-5735 comment="RFC 1122 - Loopback" prefix=127.0.0.0/8
add action=discard chain=RFC-5735 comment="RFC 3927 - Link Local" prefix=169.254.0.0/16
add action=discard chain=RFC-5735 comment="RFC 1918 - Private-Use Networks" prefix=172.16.0.0/12
add action=discard chain=RFC-5735 comment="RFC 5736 - IETF Protocol Assignments" prefix=192.0.0.0/24
add action=discard chain=RFC-5735 comment="RFC 5737 - TEST-NET-1" prefix=192.0.2.0/24
add action=discard chain=RFC-5735 comment="RFC 1918 - Private-Use Networks" prefix=192.168.0.0/16
add action=discard chain=RFC-5735 comment="RFC 2544 - Device Benchmark Testing" prefix=198.18.0.0/15
add action=discard chain=RFC-5735 comment="RFC 5737 - TEST-NET-2" prefix=198.51.100.0/24
add action=discard chain=RFC-5735 comment="RFC 3068 - 6to4 Relay Anycast" prefix=192.88.99.0/24
add action=discard chain=RFC-5735 comment="RFC 5737 - TEST-NET-3" prefix=203.0.113.0/24
add action=discard chain=RFC-5735 comment="RFC 3171 - Multicast" prefix=224.0.0.0/4
add action=discard chain=RFC-5735 comment="RFC 1112 - Reserved for Future Use" prefix=240.0.0.0/4
add action=discard chain=RFC-5735 comment="RFC 6598 - Shared CGN IPv4 Address" prefix=100.64.0.0/10
add action=return chain=RFC-5735 comment="RETURN PACKET"
Rearranging the Routing Filter
# YOUR AS NUMBER FILTER
/routing filter
add action=discard bgp-as-path=".* 1111 .*" chain=YOUR-ASN
add action=return chain=YOUR-ASN comment="RETURN PACKET"
/routing filter
add action=accept chain=ACCEPT-ALL comment="ACCEPT ALL"
add action=discard chain=DROP-ALL comment="DROP ALL"
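An added example, not from the slides: a small evaluator that models the routing-filter chains above with the RouterOS v6 match semantics (prefix= alone is an exact match; prefix-length=lo-hi matches any route inside the prefix with a length in that range; a leading ! negates an AS-path pattern), so the effect of rule order can be checked offline before touching a live session. It keeps the YOUR-ASN jump that the AS-path slides include but the rearranged UPSTREAM-INBOUND chain omits. The ASNs 1000 and 3000 and the test prefixes are assumptions, and the HARDENED variant of the RFC-5735 chain, which adds a prefix-length range to every bogon entry, is this example's suggestion: under those semantics the chain as written discards only the exact bogon blocks and lets a more specific such as 10.1.0.0/16 through.

```python
"""Simulate the slides' RouterOS routing-filter chains (added example, not from the course)."""
import ipaddress

def rule(chain, action, **m):
    return dict(chain=chain, action=action, **m)

BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
          "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
          "198.51.100.0/24", "192.88.99.0/24", "203.0.113.0/24", "224.0.0.0/4",
          "240.0.0.0/4", "100.64.0.0/10"]
ASN_BOGONS = ["0", "23456", "[64496-64511]", "[65536-65551]", "[64512-65534]",
              "[4200000000-4294967294]", "65535", "4294967295"]

def rfc5735_chain(more_specifics=False):
    """The slides' RFC-5735 chain. more_specifics=True is the hardened variant:
    prefix-length=<len>-32 makes each entry cover everything inside the block."""
    rules = [rule("RFC-5735", "discard", prefix="0.0.0.0/0"),
             rule("RFC-5735", "discard", prefix="0.0.0.0/0", length=(25, 32))]
    for b in BOGONS:
        extra = {"length": (int(b.split("/")[1]), 32)} if more_specifics else {}
        rules.append(rule("RFC-5735", "discard", prefix=b, **extra))
    return rules + [rule("RFC-5735", "return")]

COMMON = (
    [rule("ASN-BOGONS", "discard", as_path=f".* {a} .*") for a in ASN_BOGONS]
    + [rule("ASN-BOGONS", "return"),
       rule("OUR-PREFIX-DROP", "discard", prefix="100.0.0.0/22", length=(22, 24)),
       rule("OUR-PREFIX-DROP", "return"),
       rule("YOUR-ASN", "discard", as_path=".* 1111 .*"), rule("YOUR-ASN", "return"),
       rule("DOWNSTREAM1", "accept", prefix="100.1.0.0/22", length=(22, 24)),
       rule("DOWNSTREAM1", "discard", as_path="!.* 2001 .*"), rule("DOWNSTREAM1", "return"),
       rule("ACCEPT-ALL", "accept"), rule("DROP-ALL", "discard")]
    + [rule("UPSTREAM-INBOUND", "jump", target=t) for t in
       ("OUR-PREFIX-DROP", "RFC-5735", "ASN-BOGONS", "YOUR-ASN", "ACCEPT-ALL")]
    + [rule("DOWNSTREAM1-INBOUND", "jump", target=t) for t in ("DOWNSTREAM1", "DROP-ALL")]
)
AS_WRITTEN = rfc5735_chain(False) + COMMON     # the chain exactly as the slides list it
HARDENED = rfc5735_chain(True) + COMMON        # with prefix-length ranges on the bogons

def _tok(tok, asn):
    if tok[0] == "[":
        lo, hi = (int(x) for x in tok[1:-1].split("-"))
        return lo <= asn <= hi
    return int(tok) == asn

def as_path_match(pattern, path):
    """Matcher for the slides' patterns: '.*' wildcard, an ASN, a [lo-hi] range, and a
    leading '!' for negation. '.*' may match zero ASNs, so '.* 1111 .*' matches [1111]."""
    negate = pattern.startswith("!")
    toks = pattern.lstrip("!").split()
    def m(i, j):
        if i == len(toks):
            return j == len(path)
        if toks[i] == ".*":
            return any(m(i + 1, k) for k in range(j, len(path) + 1))
        return j < len(path) and _tok(toks[i], path[j]) and m(i + 1, j + 1)
    return m(0, 0) != negate

def prefix_match(r, net):
    """RouterOS v6 semantics: prefix= alone is an exact match; with prefix-length=lo-hi
    it matches any route inside the prefix whose own length is within the range."""
    if "prefix" not in r:
        return True
    p = ipaddress.ip_network(r["prefix"])
    if "length" in r:
        lo, hi = r["length"]
        return net.subnet_of(p) and lo <= net.prefixlen <= hi
    return net == p

def evaluate(chain, prefix, as_path, rules=AS_WRITTEN, trace=None):
    """Walk a chain: accept/discard end the evaluation, return leaves the chain, jump
    enters another chain. None means no verdict (RouterOS then accepts the route)."""
    net = ipaddress.ip_network(prefix)
    for r in (x for x in rules if x["chain"] == chain):
        if not prefix_match(r, net) or ("as_path" in r and not as_path_match(r["as_path"], as_path)):
            continue
        if trace is not None:
            trace.append(f"{chain}: {r['action']} {r.get('target', '')}".rstrip())
        if r["action"] in ("accept", "discard"):
            return r["action"]
        if r["action"] == "return":
            return None
        verdict = evaluate(r["target"], prefix, as_path, rules, trace)
        if verdict is not None:
            return verdict
    return None

if __name__ == "__main__":
    for pfx, path in (("100.0.1.0/24", [1000, 3000]), ("10.1.0.0/16", [1000, 3000]),
                      ("1.2.3.0/24", [1000, 0, 3000]), ("1.2.3.0/24", [1000, 3000])):
        t = []
        print(pfx, path, "->", evaluate("UPSTREAM-INBOUND", pfx, path, trace=t), t)
```

Running the same route through AS_WRITTEN and HARDENED is the quickest way to see why the trailing ACCEPT-ALL/DROP-ALL jumps matter: whatever falls out of the bottom of a chain without a verdict is accepted, so every inbound chain should end with an explicit decision.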
Traffic Filtering
# Accept BGP (TCP/179) to the router only from the expected peer address on each
# peering interface, and drop any other connection attempt to port 179 there.
/ip firewall filter
add action=accept chain=input dst-port=179 in-interface=ether1-IXP protocol=tcp src-address=101.0.0.1
add action=drop chain=input dst-port=179 in-interface=ether1-IXP protocol=tcp
add action=accept chain=input dst-port=179 in-interface=ether2-UPSTREAM protocol=tcp src-address=102.0.0.3
add action=drop chain=input dst-port=179 in-interface=ether2-UPSTREAM protocol=tcp
add action=accept chain=input dst-port=179 in-interface=ether3-PRVT_PEER protocol=tcp src-address=103.0.0.3
add action=drop chain=input dst-port=179 in-interface=ether3-PRVT_PEER protocol=tcp
add action=accept chain=input dst-port=179 in-interface=ether4-DOWNSTREAM1 protocol=tcp src-address=100.0.0.2
add action=drop chain=input dst-port=179 in-interface=ether4-DOWNSTREAM1 protocol=tcp
add action=accept chain=input dst-port=179 in-interface=ether5-DOWNSTREAM2 protocol=tcp src-address=100.0.0.6
add action=drop chain=input dst-port=179 in-interface=ether5-DOWNSTREAM2 protocol=tcp
add action=accept chain=input dst-port=179 in-interface=ether6-DOWNSTREAM3 protocol=tcp src-address=100.0.0.10
add action=drop chain=input dst-port=179 in-interface=ether6-DOWNSTREAM3 protocol=tcp
add action=accept chain=input dst-port=179 in-interface=ether7-DOWNSTREAM4 protocol=tcp src-address=100.0.0.14
add action=drop chain=input dst-port=179 in-interface=ether7-DOWNSTREAM4 protocol=tcp
# Static ARP entries pin each neighbour's IP to its MAC. On their own they do not
# stop spoofed ARP replies from being learned dynamically; set the interface to
# arp=reply-only so that only these static entries are used.
/ip arp
add address=101.0.0.1 interface=ether1-IXP mac-address=00:50:00:03:00:01
add address=102.0.0.1 interface=ether2-UPSTREAM mac-address=00:50:00:03:00:02
add address=103.0.0.1 interface=ether3-PRVT_PEER mac-address=00:50:00:03:00:03
add address=100.0.0.6 interface=ether5-DOWNSTREAM2 mac-address=00:50:00:03:00:04
add address=100.0.0.10 interface=ether6-DOWNSTREAM3 mac-address=00:50:00:03:00:05
add address=100.0.0.2 interface=ether4-DOWNSTREAM1 mac-address=00:50:00:03:00:06
add address=100.0.0.14 interface=ether7-DOWNSTREAM4 mac-address=00:50:00:03:00:07
CRYPTOGRAPHY
What is Cryptography
Security Mechanisms
Encryption :
• Process of transforming plaintext to ciphertext using a cryptographic key
• Used all around us:
  • In the application layer – secure email, database sessions, and messaging
  • Above the transport layer – Secure Sockets Layer (SSL) or Transport Layer Security (TLS)
  • In the network layer – protocols such as IPsec
• Properties of a good encryption algorithm:
  • Resistant to cryptographic attack
  • Supports variable and long key lengths and scales well
  • Creates an avalanche effect (a small change in the input changes the whole output)
  • No export or import restrictions
Terminology
plaintext (P) : the original message
ciphertext (C) : the coded message
cipher : algorithm for transforming plaintext to ciphertext
key (k) : information used by the cipher, known only to sender/receiver
encipher/encrypt (e) : converting plaintext to ciphertext
decipher/decrypt (d) : recovering plaintext from ciphertext
cryptography : study of encryption principles/methods
cryptanalysis : the study of principles/methods of deciphering ciphertext without knowing the key
cryptology : the field of both cryptography and cryptanalysis
Encryption Methods
Symmetric Encryption
Symmetric Key Algorithms
Asymmetric Encryption
Public Key Infrastructure (PKI)
Functions of a PKI :
• Registration
• Initialization
• Certification
• Key pair recovery
• Key generation
• Key update
• Cross-certification
• Revocation
Components of a PKI
• Certificate authority
• The trusted third party
• Trusted by both the owner of the certificate and the party relying
upon the certificate.
• Validation authority
• Registration authority
• For big CAs, a separate RA might be necessary to take some
work off the CA
• Identity verification and registration of the entity applying for a
certificate
• Central directory
CERTIFICATES
Certificates
Digital Certificates
• Certificate examples :
  • X.509 (standard)
  • PGP (Pretty Good Privacy)
• A Certificate Authority (CA) creates and digitally signs certificates
• To obtain a digital certificate, Alice must :
  • Make a certificate signing request to the CA
  • The CA returns Alice's digital certificate, cryptographically binding her identity to her public key :
  • Cert_A = { ID_A, K_A_pub, info, Sig_CA(ID_A, K_A_pub, info) }
X.509
Every Certificate Contains
Certificate Authority
Certificate Revocation List
SELF-SIGNED CERTIFICATE
Self-Signed Certificates
[Screenshots: self-signed certificate examples for example.com and for webfix.example.com]
FREE OF CHARGE VALID CERTIFICATES
Let's Encrypt
SSL For Free
https://www.sslforfree.com
Free of Charge Valid Certificates
"System > Certificate": import both the "certificate.crt" and the "private.key"
HIGH AVAILABILITY
INTERFACE BONDING
What is Interface Bonding
802.3ad
Balance-rr and balance-xor
Balance-tlb
Balance-alb
Interface Bonding
[Diagram: R1 and R2 connected by two parallel Ethernet links bonded into one logical interface]
Interface Bonding R1
/interface bonding
add lacp-rate=1sec mode=802.3ad name=bonding1 slaves=ether1,ether2 \
    transmit-hash-policy=layer-3-and-4
Interface Bonding R2
/interface bonding
add lacp-rate=1sec mode=802.3ad name=bonding1 slaves=ether1,ether2 \
    transmit-hash-policy=layer-3-and-4
# 802.3ad (LACP) needs the same mode on both ends. The layer-3-and-4 hash spreads
# flows over ether1/ether2 by IP address and port, so any single flow still uses
# one physical link.
VRRP
What is VRRP
VRRP Master Selection
VRRP Master Configuration
VRRP Backup Configuration
VRRP Preemption
• Preemption lets a higher-priority virtual router backup that becomes available again take the master role back from the backup that took over when the original master failed.
• When preemption is set to 'no', a backup node will not be elected master until the current master fails.
Example (two routers on ether1 sharing VIP 192.168.1.1):
            R1                  R2
Interface   ether1              ether1
VRID        1                   1
Priority    100                 50
Preempt     Yes                 No
Version     2                   2
IP          192.168.1.253       192.168.1.254
VIP         192.168.1.1         192.168.1.1
VRRP + INTERFACE BONDING
VRRP + Interface Bonding
Interface Bonding R1
/interface bonding
add lacp-rate=1sec mode=802.3ad name=bonding1 slaves=ether1,ether2 \
    transmit-hash-policy=layer-3-and-4
Interface Bonding R2
/interface bonding
add lacp-rate=1sec mode=802.3ad name=bonding1 slaves=ether1,ether2 \
    transmit-hash-policy=layer-3-and-4
VRRP Master Configuration
/ip address
add address=192.168.1.253/24 interface=bonding1 network=192.168.1.0
add address=192.168.1.1 interface=vrrp1 network=192.168.1.1
VRRP Backup Configuration
/ip address
add address=192.168.1.254/24 interface=bonding1 network=192.168.1.0
add address=192.168.1.1 interface=vrrp1 network=192.168.1.1
# The shared VIP 192.168.1.1 is added as a /32 on the vrrp1 interface of both
# routers; it is only active on whichever router currently holds the master role.
VRRP + Interface Bonding (VLAN)
[Diagram: the bonded links between R1 and R2 carry the tagged VLANs vlan11 and vlan12]
Interface Bonding R1
/interface bonding
add lacp-rate=1sec mode=802.3ad name=bonding1 slaves=ether1,ether2 \
    transmit-hash-policy=layer-3-and-4
Interface Bonding R2
/interface bonding
add lacp-rate=1sec mode=802.3ad name=bonding1 slaves=ether1,ether2 \
    transmit-hash-policy=layer-3-and-4
VLAN Interface R1
# mtu=1496 leaves room for the 4-byte 802.1Q tag when the bonding's L2 MTU is 1500;
# on hardware with a larger L2 MTU the VLAN interfaces can stay at 1500.
/interface vlan
add interface=bonding1 mtu=1496 name=vlan11 vlan-id=11
add interface=bonding1 mtu=1496 name=vlan12 vlan-id=12
VLAN Interface R2
/interface vlan
add interface=bonding1 mtu=1496 name=vlan11 vlan-id=11
add interface=bonding1 mtu=1496 name=vlan12 vlan-id=12
VRRP R1 Configuration
# Active/active split: R1 is master for vlan11 (priority 100), backup for vlan12.
/interface vrrp
add interface=vlan11 name=vrrp-vlan11 priority=100 version=2 vrid=11
add interface=vlan12 name=vrrp-vlan12 preemption-mode=no priority=50 version=2 vrid=12
VRRP R2 Configuration
# R2 is master for vlan12 (priority 100), backup for vlan11.
/interface vrrp
add interface=vlan11 name=vrrp-vlan11 preemption-mode=no priority=50 version=2 vrid=11
add interface=vlan12 name=vrrp-vlan12 priority=100 version=2 vrid=12
# Any host on the VLAN can send VRRP advertisements (IP protocol 112 to 224.0.0.18)
# with a higher priority and take over the VIP; filter that traffic so it is only
# accepted from the other router.
IP Addressing R1
/ip address
add address=192.168.11.253/24 interface=vlan11 network=192.168.11.0
add address=192.168.12.253/24 interface=vlan12 network=192.168.12.0
add address=192.168.11.1 interface=vrrp-vlan11 network=192.168.11.1
add address=192.168.12.1 interface=vrrp-vlan12 network=192.168.12.1
IP Addressing R2
/ip address
add address=192.168.11.254/24 interface=vlan11 network=192.168.11.0
add address=192.168.12.254/24 interface=vlan12 network=192.168.12.0
add address=192.168.11.1 interface=vrrp-vlan11 network=192.168.11.1
add address=192.168.12.1 interface=vrrp-vlan12 network=192.168.12.1
MTCASE SUMMARY
Certification Test
Thank You!
Thank you
José Manuel Román Fernández Checa
and
Fajar Nugroho
for creating and sharing the initial version
of the MTCASE course materials.