1. MUM 2017, Phnom Penh, Cambodia.
April 24, 2017
MUM Phnom Penh, Cambodia
By Sarpich RATH (Peter)
Hardening MikroTik
RouterOS
2. MUM 2017, Phnom Penh, Cambodia.
About PPIC
β Qualified and Vocational IT Training Center
β Found in late 2013. Offer service in June 2014
β Partners
β MikroTik Academy
β Cisco Networking Academy
β Pearson VUE
β Prometric
3. MUM 2017, Phnom Penh, Cambodia.
About Me
β Sarpich RATH (Peter)
β First used RouterOS since 2008
β MTCNA, MTCRE, Academy Trainer
β CCNA, CCNA Security, CCNP, Cisco Instructor
β Trainer @PPIC and AEU
6. MUM 2017, Phnom Penh, Cambodia.
Login Services: IP->Services
β Disable unused services
β Or modify default port
β Limit access from specific network
7. MUM 2017, Phnom Penh, Cambodia.
MAC WinBox: Tools->MAC Server
β Disable Allow to login from all interfaces
β Allow from specific interface only
8. MUM 2017, Phnom Penh, Cambodia.
RoMON: Tools->RoMON
β Disable by default
β /tool romon set enabled=no
9. MUM 2017, Phnom Penh, Cambodia.
Login Credentials: System->Users
β Rename default admin account
β Strong password policy
β Set the right permission (group) to router users
β Backup login account
10. MUM 2017, Phnom Penh, Cambodia.
Router Interface
β Disable all unused interfaces on your router, in order
to decrease unauthorized access to your router.
11. MUM 2017, Phnom Penh, Cambodia.
LCD touch screen
β Some RouterBOARDs have LCD module for
informational purpose, set pin or disable it.
12. MUM 2017, Phnom Penh, Cambodia.
Neighbor Discovery: IP->Neighbors
β Disable Discovery on Interface that connect to
Internet
13. MUM 2017, Phnom Penh, Cambodia.
Neighbor Discovery: IP->Neighbors
WAN Interface
are Disable for
Neighbors
Discovery
14. MUM 2017, Phnom Penh, Cambodia.
BTest Server: Tools-> Btest Server
β Bandwidth Test
β Disable when not used it
15. MUM 2017, Phnom Penh, Cambodia.
NTP Clock Synchronization
β Keep the router sync with accurate clock
β Server: kh.pool.ntp.org
16. MUM 2017, Phnom Penh, Cambodia.
Logging: System->Logging
β Send log message to SysLog Server
17. MUM 2017, Phnom Penh, Cambodia.
SNMP: IP->SNMP
β Simple Network Management Protocol
β Used to Monitor Bandwidth and resource usages.
18. MUM 2017, Phnom Penh, Cambodia.
Wireless Client Isolation
β Allows multiple clients to be on the same network,
but not send traffic to each other.
β Attention!!! streaming content to/from other devices
such as Chromecast, AppleTV, Ruku, etc⦠will not
work on the same AP.
22. MUM 2017, Phnom Penh, Cambodia.
What is FW used for?
β Preventing unauthorized access to networks
β Protect itself
β Filter for incoming and outgoing traffic.
β Protect and hide the server inside
β etc.
23. MUM 2017, Phnom Penh, Cambodia.
What can RouterOS FW do?
β stateful packet inspection
β Layer-7 protocol detection
β peer-to-peer protocols filtering
β traffic classification by:
β source MAC address
β IP addresses (network or list) and address types (broadcast, local, multicast, unicast)
β port or port range
β IP protocols
β interface the packet arrived from or left through
β internal flow and connection marks
β packet size
β packet arrival time
β and much more!
24. MUM 2017, Phnom Penh, Cambodia.
Sample Network design
Outside Inside
ether1 ether2 ether3 ether4
Connect to Internet DMZ, Server LAN Management
Network 100.1.1.0/30 192.168.10.0/24 192.168.20.0/24 192.168.30.0/24
*** If we donβt have enough ports, then can used VLAN for DMZ, LAN and
Management network.
25. MUM 2017, Phnom Penh, Cambodia.
Sample Network design
Internet
DMZ
Management
LAN
Mikrotik
RouterOS
192.168.10.0/24
192.168.20.0/24
192.168.30.0/24
ISP
26. MUM 2017, Phnom Penh, Cambodia.
Internet to DMZ
Internet
DMZ
Management
LAN
Mikrotik
RouterOS
β
ISP
27. MUM 2017, Phnom Penh, Cambodia.
Internet to LAN/Management
Internet
DMZ
Management
LAN
Mikrotik
RouterOS
β
β
ISP
28. MUM 2017, Phnom Penh, Cambodia.
Management to Router
Internet
DMZ
Management
LAN
Mikrotik
RouterOS
β
β
ISP
β
β
29. MUM 2017, Phnom Penh, Cambodia.
IPv4 firewall: Protect the router
β filter with new connections to decrease load on a
router;
β create address-list for IP addresses, that are allowed
to access your router; example Management
β enable ICMP access (optionally);
β drop everything else, log=yes might be added to log
packets that hit the specific rule;
31. MUM 2017, Phnom Penh, Cambodia.
IPv4 firewall: Protect the Inside network
β Established/related packets are added to fasttrack for faster data throughput,
firewall will work with new connections only;
β drop incoming packets that are not NATed, ether1 is public interface
β drop incoming packets from Internet, which are not public IP addresses, ether1
is public interface
β drop packets from Inside that does not have address from inside address.
β create address-list=Inside to group all inside address
β 192.168.10.0/24 = DMZ
β 192.168.20.0/24 = LAN
β 192.168.30.0/24 = Management
32. MUM 2017, Phnom Penh, Cambodia.
IPv4 firewall: Protect the Inside network
/ip firewall filter add action=fasttrack-connection chain=forward comment=FastTrack
connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-
state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NATted"
connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop incoming from internet which is not public
IP" in-interface=ether1 src-address-list=not_in_internet
33. MUM 2017, Phnom Penh, Cambodia.
IPv4 firewall: Protect the Inside network
add action=drop chain=forward comment="Drop packets from Inside that do not have Inside
IP" in-interface=ether2 src-address-list=!Inside
add action=drop chain=forward comment="Drop packets from Inside that do not have Inside
IP" in-interface=ether3 src-address-list=!Inside
add action=drop chain=forward comment="Drop packets from Inside that do not have Inside
IP" in-interface=ether4 src-address-list=!Inside
/ip firewall address-list
add address=192.168.10.0/24 list=Inside
add address=192.168.20.0/24 list=Inside
add address=192.168.30.0/24 list=Inside
36. MUM 2017, Phnom Penh, Cambodia.
More Firewall rules
β https://wiki.mikrotik.com/wiki/Firewall
β SynFlood
β ICMP Flood
β Port Scanner
β Email Spam
β L7 Filter
β DoS attack protection
β Etc.
37. MUM 2017, Phnom Penh, Cambodia.
Recommendation
β Disable unused ports and services on router
β Strong password policy for router users and allow to
remote from specific network
β Disable discovery interfaces on outside/WAN ports
β Clock should be accurate synchronize
β Enable SysLog and SNMP for monitoring the router
β Separate network for each LAN and Server
β Used Address list to group all address for used in FW
38. MUM 2017, Phnom Penh, Cambodia.
Recommendation
β Used Action=Jump to organized the FW rules and
better performance
β Used FW to protect router itself, inside network and
the Servers
41. Thanks for your Attention βΊ
β’ Upcoming Training: http://ppic-training.com/upcoming-courses/
β’ Email: info@ppic-training.com
β’ Facebook: www.facebook.com/PhnomPenhInformaticsCenter
β’ Mobiel: 077/087 616102
β’ Please subscribe to our mailing list to receive all update information such as
discount and promotion price