SlideShare a Scribd company logo

Mikrotik Hardening

β€’
β€’
A
AdityaNanda26

Mikrotik Hardening slide share

Internet
1 of 41
Download to read offline
MUM 2017, Phnom Penh, Cambodia. April 24, 2017 MUM Phnom Penh, Cambodia By Sarpich RATH (Peter) Hardening MikroTik RouterOS
MUM 2017, Phnom Penh, Cambodia. About PPIC ● Qualified and Vocational IT Training Center ● Found in late 2013. Offer service in June 2014 ● Partners β—‹ MikroTik Academy β—‹ Cisco Networking Academy β—‹ Pearson VUE β—‹ Prometric
MUM 2017, Phnom Penh, Cambodia. About Me ● Sarpich RATH (Peter) ● First used RouterOS since 2008 ● MTCNA, MTCRE, Academy Trainer ● CCNA, CCNA Security, CCNP, Cisco Instructor ● Trainer @PPIC and AEU
MUM 2017, Phnom Penh, Cambodia. Topic: Hardening MikroTik RouterOS ● Customized RouterOS setting ● RouterOS Firewall ● Recommendation
Customized RouterOS setting
MUM 2017, Phnom Penh, Cambodia. Login Services: IP->Services ● Disable unused services ● Or modify default port ● Limit access from specific network
MUM 2017, Phnom Penh, Cambodia. MAC WinBox: Tools->MAC Server ● Disable Allow to login from all interfaces ● Allow from specific interface only
MUM 2017, Phnom Penh, Cambodia. RoMON: Tools->RoMON ● Disable by default ● /tool romon set enabled=no
MUM 2017, Phnom Penh, Cambodia. Login Credentials: System->Users ● Rename default admin account ● Strong password policy ● Set the right permission (group) to router users ● Backup login account
MUM 2017, Phnom Penh, Cambodia. Router Interface ● Disable all unused interfaces on your router, in order to decrease unauthorized access to your router.
MUM 2017, Phnom Penh, Cambodia. LCD touch screen ● Some RouterBOARDs have LCD module for informational purpose, set pin or disable it.
MUM 2017, Phnom Penh, Cambodia. Neighbor Discovery: IP->Neighbors ● Disable Discovery on Interface that connect to Internet
MUM 2017, Phnom Penh, Cambodia. Neighbor Discovery: IP->Neighbors WAN Interface are Disable for Neighbors Discovery
MUM 2017, Phnom Penh, Cambodia. BTest Server: Tools-> Btest Server ● Bandwidth Test ● Disable when not used it
MUM 2017, Phnom Penh, Cambodia. NTP Clock Synchronization ● Keep the router sync with accurate clock ● Server: kh.pool.ntp.org
MUM 2017, Phnom Penh, Cambodia. Logging: System->Logging ● Send log message to SysLog Server
MUM 2017, Phnom Penh, Cambodia. SNMP: IP->SNMP ● Simple Network Management Protocol ● Used to Monitor Bandwidth and resource usages.
MUM 2017, Phnom Penh, Cambodia. Wireless Client Isolation ● Allows multiple clients to be on the same network, but not send traffic to each other. ● Attention!!! streaming content to/from other devices such as Chromecast, AppleTV, Ruku, etc… will not work on the same AP.
MUM Phnom Penh, Cambodia 2017.
MUM 2017, Phnom Penh, Cambodia. Configuration Backup
RouterOS Firewall
MUM 2017, Phnom Penh, Cambodia. What is FW used for? ● Preventing unauthorized access to networks ● Protect itself ● Filter for incoming and outgoing traffic. ● Protect and hide the server inside ● etc.
MUM 2017, Phnom Penh, Cambodia. What can RouterOS FW do? ● stateful packet inspection ● Layer-7 protocol detection ● peer-to-peer protocols filtering ● traffic classification by: β—‹ source MAC address β—‹ IP addresses (network or list) and address types (broadcast, local, multicast, unicast) β—‹ port or port range β—‹ IP protocols β—‹ interface the packet arrived from or left through β—‹ internal flow and connection marks β—‹ packet size β—‹ packet arrival time ● and much more!
MUM 2017, Phnom Penh, Cambodia. Sample Network design Outside Inside ether1 ether2 ether3 ether4 Connect to Internet DMZ, Server LAN Management Network 100.1.1.0/30 192.168.10.0/24 192.168.20.0/24 192.168.30.0/24 *** If we don’t have enough ports, then can used VLAN for DMZ, LAN and Management network.
MUM 2017, Phnom Penh, Cambodia. Sample Network design Internet DMZ Management LAN Mikrotik RouterOS 192.168.10.0/24 192.168.20.0/24 192.168.30.0/24 ISP
MUM 2017, Phnom Penh, Cambodia. Internet to DMZ Internet DMZ Management LAN Mikrotik RouterOS βœ“ ISP
MUM 2017, Phnom Penh, Cambodia. Internet to LAN/Management Internet DMZ Management LAN Mikrotik RouterOS βœ— βœ“ ISP
MUM 2017, Phnom Penh, Cambodia. Management to Router Internet DMZ Management LAN Mikrotik RouterOS βœ— βœ“ ISP βœ— βœ—
MUM 2017, Phnom Penh, Cambodia. IPv4 firewall: Protect the router ● filter with new connections to decrease load on a router; ● create address-list for IP addresses, that are allowed to access your router; example Management ● enable ICMP access (optionally); ● drop everything else, log=yes might be added to log packets that hit the specific rule;
MUM 2017, Phnom Penh, Cambodia. IPv4 firewall: Protect the router /ip firewall filter add action=accept chain=input comment="default configuration" connection-state=established,related add action=accept chain=input src-address-list=Management add action=accept chain=input protocol=icmp ...... add action=drop chain=input /ip firewall address-list add address=192.168.30.0/24 list=Management
MUM 2017, Phnom Penh, Cambodia. IPv4 firewall: Protect the Inside network ● Established/related packets are added to fasttrack for faster data throughput, firewall will work with new connections only; ● drop incoming packets that are not NATed, ether1 is public interface ● drop incoming packets from Internet, which are not public IP addresses, ether1 is public interface ● drop packets from Inside that does not have address from inside address. ● create address-list=Inside to group all inside address β—‹ 192.168.10.0/24 = DMZ β—‹ 192.168.20.0/24 = LAN β—‹ 192.168.30.0/24 = Management
MUM 2017, Phnom Penh, Cambodia. IPv4 firewall: Protect the Inside network /ip firewall filter add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related add action=accept chain=forward comment="Established, Related" connection- state=established,related add action=drop chain=forward comment="Drop invalid" connection-state=invalid add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 src-address-list=not_in_internet
MUM 2017, Phnom Penh, Cambodia. IPv4 firewall: Protect the Inside network add action=drop chain=forward comment="Drop packets from Inside that do not have Inside IP" in-interface=ether2 src-address-list=!Inside add action=drop chain=forward comment="Drop packets from Inside that do not have Inside IP" in-interface=ether3 src-address-list=!Inside add action=drop chain=forward comment="Drop packets from Inside that do not have Inside IP" in-interface=ether4 src-address-list=!Inside /ip firewall address-list add address=192.168.10.0/24 list=Inside add address=192.168.20.0/24 list=Inside add address=192.168.30.0/24 list=Inside
MUM 2017, Phnom Penh, Cambodia. IPv4 firewall: Protect the Inside network /ip firewall address-list add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet add address=224.0.0.0/4 comment=Multicast list=not_in_internet add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet *** Modify to meet the requirement
MUM 2017, Phnom Penh, Cambodia. IPv4 firewall: Protect the Server/DMZ WEB-SERVER IP =192.168.10.10 /ip firewall nat add action=dst-nat chain=dstnat comment=WEB-SERVER dst address=100.1.11.2 dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=80 /ip firewall filter add action=jump chain=forward comment=WEB-SERVER dst- address=192.168.10.10 jump-target=WEB-SERVER …… add action=accept chain=WEB-SERVER comment=WEB dst-port=80 protocol=tcp add action=accept chain=WEB-SERVER comment="accept ssh from NOC" dst- port=22 protocol=tcp src-address-list=Management add action=drop chain=WEB-SERVER comment=DROP
MUM 2017, Phnom Penh, Cambodia. More Firewall rules ● https://wiki.mikrotik.com/wiki/Firewall ● SynFlood ● ICMP Flood ● Port Scanner ● Email Spam ● L7 Filter ● DoS attack protection ● Etc.
MUM 2017, Phnom Penh, Cambodia. Recommendation ● Disable unused ports and services on router ● Strong password policy for router users and allow to remote from specific network ● Disable discovery interfaces on outside/WAN ports ● Clock should be accurate synchronize ● Enable SysLog and SNMP for monitoring the router ● Separate network for each LAN and Server ● Used Address list to group all address for used in FW
MUM 2017, Phnom Penh, Cambodia. Recommendation ● Used Action=Jump to organized the FW rules and better performance ● Used FW to protect router itself, inside network and the Servers
MUM 2017, Phnom Penh, Cambodia. Reference ● wiki.mikrotik.com
MUM 2017, Phnom Penh, Cambodia. Question?
Thanks for your Attention ☺ β€’ Upcoming Training: http://ppic-training.com/upcoming-courses/ β€’ Email: info@ppic-training.com β€’ Facebook: www.facebook.com/PhnomPenhInformaticsCenter β€’ Mobiel: 077/087 616102 β€’ Please subscribe to our mailing list to receive all update information such as discount and promotion price

Recommended

CentOS Linux Server Hardening
CentOS Linux Server HardeningCentOS Linux Server Hardening
CentOS Linux Server HardeningMyOwn Telco
Β 
Mikrotik API
Mikrotik APIMikrotik API
Mikrotik APIAchmad Mardiansyah
Β 
Detecting network virus using mikrotik
Detecting network virus using mikrotikDetecting network virus using mikrotik
Detecting network virus using mikrotikAchmad Mardiansyah
Β 
GLC webinar: limiting bandwidth using mikrotik
GLC webinar: limiting bandwidth using mikrotikGLC webinar: limiting bandwidth using mikrotik
GLC webinar: limiting bandwidth using mikrotikAchmad Mardiansyah
Β 
Mikrotik firewall mangle
Mikrotik firewall mangleMikrotik firewall mangle
Mikrotik firewall mangleAchmad Mardiansyah
Β 
OpeVPN on Mikrotik
OpeVPN on MikrotikOpeVPN on Mikrotik
OpeVPN on MikrotikGLC Networks
Β 
Mikrotik pcq
Mikrotik pcqMikrotik pcq
Mikrotik pcqPutra Jambak
Β 
Learning Computer Network Through Network Simulation Program
Learning Computer Network Through Network Simulation ProgramLearning Computer Network Through Network Simulation Program
Learning Computer Network Through Network Simulation ProgramI Putu Hariyadi
Β 

Recommended

CentOS Linux Server Hardening
CentOS Linux Server HardeningCentOS Linux Server Hardening
CentOS Linux Server HardeningMyOwn Telco
Β 
Mikrotik API
Mikrotik APIMikrotik API
Mikrotik APIAchmad Mardiansyah
Β 
Detecting network virus using mikrotik
Detecting network virus using mikrotikDetecting network virus using mikrotik
Detecting network virus using mikrotikAchmad Mardiansyah
Β 
GLC webinar: limiting bandwidth using mikrotik
GLC webinar: limiting bandwidth using mikrotikGLC webinar: limiting bandwidth using mikrotik
GLC webinar: limiting bandwidth using mikrotikAchmad Mardiansyah
Β 
Mikrotik firewall mangle
Mikrotik firewall mangleMikrotik firewall mangle
Mikrotik firewall mangleAchmad Mardiansyah
Β 
OpeVPN on Mikrotik
OpeVPN on MikrotikOpeVPN on Mikrotik
OpeVPN on MikrotikGLC Networks
Β 
Mikrotik pcq
Mikrotik pcqMikrotik pcq
Mikrotik pcqPutra Jambak
Β 
Learning Computer Network Through Network Simulation Program
Learning Computer Network Through Network Simulation ProgramLearning Computer Network Through Network Simulation Program
Learning Computer Network Through Network Simulation ProgramI Putu Hariyadi
Β 
Linux Security, from Concept to Tooling
Linux Security, from Concept to ToolingLinux Security, from Concept to Tooling
Linux Security, from Concept to ToolingMichael Boelen
Β 
DoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKDoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKMarian Marinov
Β 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
Β 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryNikhil Mittal
Β 
Mikrotik firewall raw table
Mikrotik firewall raw tableMikrotik firewall raw table
Mikrotik firewall raw tableAchmad Mardiansyah
Β 
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...Cisco Canada
Β 
Snort IPS
Snort IPSSnort IPS
Snort IPSSimone Tino
Β 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitableMohammed Akbar Shariff
Β 
NMAP - The Network Scanner
NMAP - The Network ScannerNMAP - The Network Scanner
NMAP - The Network Scannern|u - The Open Security Community
Β 
Pentest with Metasploit
Pentest with MetasploitPentest with Metasploit
Pentest with MetasploitM.Syarifudin, ST, OSCP, OSWP
Β 
Chapter 6 Presentation
Chapter 6 PresentationChapter 6 Presentation
Chapter 6 PresentationAmy McMullin
Β 
Mikrotik Network Simulator (MUM Presentation Material 2013)
Mikrotik Network Simulator (MUM Presentation Material 2013)Mikrotik Network Simulator (MUM Presentation Material 2013)
Mikrotik Network Simulator (MUM Presentation Material 2013)Rofiq Fauzi
Β 
Chapter 1 Presentation
Chapter 1 PresentationChapter 1 Presentation
Chapter 1 PresentationAmy McMullin
Β 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniquesamiable_indian
Β 
Fun with Network Interfaces
Fun with Network InterfacesFun with Network Interfaces
Fun with Network InterfacesKernel TLV
Β 
Materi Pelatihan analisa malware
Materi Pelatihan analisa malwareMateri Pelatihan analisa malware
Materi Pelatihan analisa malwareSetia Juli Irzal Ismail
Β 
Podman rootless containers
Podman rootless containersPodman rootless containers
Podman rootless containersGiuseppe Scrivano
Β 
pfSense presentation
pfSense presentationpfSense presentation
pfSense presentationSimon Vass
Β 
Oscp preparation
Oscp preparationOscp preparation
Oscp preparationManich Koomsusi
Β 
eBPF Basics
eBPF BasicseBPF Basics
eBPF BasicsMichael Kehoe
Β 
Load Sharing Internet with MikroTik.pdf
Load Sharing Internet with MikroTik.pdfLoad Sharing Internet with MikroTik.pdf
Load Sharing Internet with MikroTik.pdfEnics
Β 
Review on Protocols of Virtual Private Network
Review on Protocols of Virtual Private NetworkReview on Protocols of Virtual Private Network
Review on Protocols of Virtual Private NetworkIRJET Journal
Β 

More Related Content

What's hot

Linux Security, from Concept to Tooling
Linux Security, from Concept to ToolingLinux Security, from Concept to Tooling
Linux Security, from Concept to ToolingMichael Boelen
Β 
DoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKDoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKMarian Marinov
Β 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
Β 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryNikhil Mittal
Β 
Mikrotik firewall raw table
Mikrotik firewall raw tableMikrotik firewall raw table
Mikrotik firewall raw tableAchmad Mardiansyah
Β 
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...Cisco Canada
Β 
Chapter 6 Presentation
Chapter 6 PresentationChapter 6 Presentation
Chapter 6 PresentationAmy McMullin
Β 
Mikrotik Network Simulator (MUM Presentation Material 2013)
Mikrotik Network Simulator (MUM Presentation Material 2013)Mikrotik Network Simulator (MUM Presentation Material 2013)
Mikrotik Network Simulator (MUM Presentation Material 2013)Rofiq Fauzi
Β 
Chapter 1 Presentation
Chapter 1 PresentationChapter 1 Presentation
Chapter 1 PresentationAmy McMullin
Β 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniquesamiable_indian
Β 
Fun with Network Interfaces
Fun with Network InterfacesFun with Network Interfaces
Fun with Network InterfacesKernel TLV
Β 
Podman rootless containers
Podman rootless containersPodman rootless containers
Podman rootless containersGiuseppe Scrivano
Β 
pfSense presentation
pfSense presentationpfSense presentation
pfSense presentationSimon Vass
Β 

What's hot (20)

Linux Security, from Concept to Tooling
Linux Security, from Concept to ToolingLinux Security, from Concept to Tooling
Linux Security, from Concept to Tooling
Β 
DoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKDoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDK
Β 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Β 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active Directory
Β 
Mikrotik firewall raw table
Mikrotik firewall raw tableMikrotik firewall raw table
Mikrotik firewall raw table
Β 
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...
Β 
Snort IPS
Snort IPSSnort IPS
Snort IPS
Β 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitable
Β 
NMAP - The Network Scanner
NMAP - The Network ScannerNMAP - The Network Scanner
NMAP - The Network Scanner
Β 
Pentest with Metasploit
Pentest with MetasploitPentest with Metasploit
Pentest with Metasploit
Β 
Chapter 6 Presentation
Chapter 6 PresentationChapter 6 Presentation
Chapter 6 Presentation
Β 
Mikrotik Network Simulator (MUM Presentation Material 2013)
Mikrotik Network Simulator (MUM Presentation Material 2013)Mikrotik Network Simulator (MUM Presentation Material 2013)
Mikrotik Network Simulator (MUM Presentation Material 2013)
Β 
Chapter 1 Presentation
Chapter 1 PresentationChapter 1 Presentation
Chapter 1 Presentation
Β 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniques
Β 
Fun with Network Interfaces
Fun with Network InterfacesFun with Network Interfaces
Fun with Network Interfaces
Β 
Materi Pelatihan analisa malware
Materi Pelatihan analisa malwareMateri Pelatihan analisa malware
Materi Pelatihan analisa malware
Β 
Podman rootless containers
Podman rootless containersPodman rootless containers
Podman rootless containers
Β 
pfSense presentation
pfSense presentationpfSense presentation
pfSense presentation
Β 
Oscp preparation
Oscp preparationOscp preparation
Oscp preparation
Β 
eBPF Basics
eBPF BasicseBPF Basics
eBPF Basics
Β 

Similar to Mikrotik Hardening

Load Sharing Internet with MikroTik.pdf
Load Sharing Internet with MikroTik.pdfLoad Sharing Internet with MikroTik.pdf
Load Sharing Internet with MikroTik.pdfEnics
Β 
Review on Protocols of Virtual Private Network
Review on Protocols of Virtual Private NetworkReview on Protocols of Virtual Private Network
Review on Protocols of Virtual Private NetworkIRJET Journal
Β 
Stable OSPF: choosing network type.pdf
Stable OSPF: choosing network type.pdfStable OSPF: choosing network type.pdf
Stable OSPF: choosing network type.pdfGLC Networks
Β 
MikroTik Basic Training Class - Online Moduls - English
MikroTik Basic Training Class - Online Moduls - English MikroTik Basic Training Class - Online Moduls - English
MikroTik Basic Training Class - Online Moduls - EnglishAdhie Lesmana
Β 
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...IRJET Journal
Β 
Mikrotik Hotspot With Queue Tree BW Management
Mikrotik Hotspot With Queue Tree BW ManagementMikrotik Hotspot With Queue Tree BW Management
Mikrotik Hotspot With Queue Tree BW Managementgopartheredbuff
Β 
Internet Protocol Deep-Dive
Internet Protocol Deep-DiveInternet Protocol Deep-Dive
Internet Protocol Deep-DiveGLC Networks
Β 
Internal BGP tuning: Mesh peering to avoid loop
Internal BGP tuning: Mesh peering to avoid loopInternal BGP tuning: Mesh peering to avoid loop
Internal BGP tuning: Mesh peering to avoid loopGLC Networks
Β 
Mikrotik Fastpath vs Fasttrack
Mikrotik Fastpath vs FasttrackMikrotik Fastpath vs Fasttrack
Mikrotik Fastpath vs FasttrackGLC Networks
Β 
Ccna 2 Final V4 1
Ccna 2 Final V4 1Ccna 2 Final V4 1
Ccna 2 Final V4 1stigerj
Β 
OSPF On Router OS7
OSPF On Router OS7OSPF On Router OS7
OSPF On Router OS7GLC Networks
Β 
BGP tuning: Peer with loopback
BGP tuning: Peer with loopbackBGP tuning: Peer with loopback
BGP tuning: Peer with loopbackGLC Networks
Β 
Final presentation phases1_2_3
Final presentation phases1_2_3Final presentation phases1_2_3
Final presentation phases1_2_3TommyBtown
Β 
Tutorial mikrotik step by step
Tutorial mikrotik step by stepTutorial mikrotik step by step
Tutorial mikrotik step by stepDewa Ketut Setiawan
Β 
How to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux SystemsHow to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux SystemsToradex
Β 
BGP security tuning: pull-up route
BGP security tuning: pull-up routeBGP security tuning: pull-up route
BGP security tuning: pull-up routeGLC Networks
Β 
OSMC 2018 | Why we recommend PMM to our clients by Matthias Crauwels
OSMC 2018 | Why we recommend PMM to our clients by Matthias CrauwelsOSMC 2018 | Why we recommend PMM to our clients by Matthias Crauwels
OSMC 2018 | Why we recommend PMM to our clients by Matthias CrauwelsNETWAYS
Β 
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018Netgate
Β 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu Alessandro De Suoodh
Β 

Similar to Mikrotik Hardening (20)

Load Sharing Internet with MikroTik.pdf
Load Sharing Internet with MikroTik.pdfLoad Sharing Internet with MikroTik.pdf
Load Sharing Internet with MikroTik.pdf
Β 
Review on Protocols of Virtual Private Network
Review on Protocols of Virtual Private NetworkReview on Protocols of Virtual Private Network
Review on Protocols of Virtual Private Network
Β 
Stable OSPF: choosing network type.pdf
Stable OSPF: choosing network type.pdfStable OSPF: choosing network type.pdf
Stable OSPF: choosing network type.pdf
Β 
MikroTik Basic Training Class - Online Moduls - English
MikroTik Basic Training Class - Online Moduls - English MikroTik Basic Training Class - Online Moduls - English
MikroTik Basic Training Class - Online Moduls - English
Β 
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
Β 
Mikrotik Hotspot With Queue Tree BW Management
Mikrotik Hotspot With Queue Tree BW ManagementMikrotik Hotspot With Queue Tree BW Management
Mikrotik Hotspot With Queue Tree BW Management
Β 
Internet Protocol Deep-Dive
Internet Protocol Deep-DiveInternet Protocol Deep-Dive
Internet Protocol Deep-Dive
Β 
Internal BGP tuning: Mesh peering to avoid loop
Internal BGP tuning: Mesh peering to avoid loopInternal BGP tuning: Mesh peering to avoid loop
Internal BGP tuning: Mesh peering to avoid loop
Β 
Mikrotik Fastpath vs Fasttrack
Mikrotik Fastpath vs FasttrackMikrotik Fastpath vs Fasttrack
Mikrotik Fastpath vs Fasttrack
Β 
Ccna 2 Final V4 1
Ccna 2 Final V4 1Ccna 2 Final V4 1
Ccna 2 Final V4 1
Β 
OSPF On Router OS7
OSPF On Router OS7OSPF On Router OS7
OSPF On Router OS7
Β 
BGP tuning: Peer with loopback
BGP tuning: Peer with loopbackBGP tuning: Peer with loopback
BGP tuning: Peer with loopback
Β 
Final presentation phases1_2_3
Final presentation phases1_2_3Final presentation phases1_2_3
Final presentation phases1_2_3
Β 
Tutorial mikrotik step by step
Tutorial mikrotik step by stepTutorial mikrotik step by step
Tutorial mikrotik step by step
Β 
How to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux SystemsHow to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux Systems
Β 
BGP on mikrotik
BGP on mikrotikBGP on mikrotik
BGP on mikrotik
Β 
BGP security tuning: pull-up route
BGP security tuning: pull-up routeBGP security tuning: pull-up route
BGP security tuning: pull-up route
Β 
OSMC 2018 | Why we recommend PMM to our clients by Matthias Crauwels
OSMC 2018 | Why we recommend PMM to our clients by Matthias CrauwelsOSMC 2018 | Why we recommend PMM to our clients by Matthias Crauwels
OSMC 2018 | Why we recommend PMM to our clients by Matthias Crauwels
Β 
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Β 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu
Β 

Recently uploaded

Call Girls in Uttam Nagar Delhi πŸ’―Call Us πŸ”8264348440πŸ”
Call Girls in Uttam Nagar Delhi πŸ’―Call Us πŸ”8264348440πŸ”Call Girls in Uttam Nagar Delhi πŸ’―Call Us πŸ”8264348440πŸ”
Call Girls in Uttam Nagar Delhi πŸ’―Call Us πŸ”8264348440πŸ”soniya singh
Β 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
Β 
Low Rate Call Girls Kolkata Avani 🀌 8250192130 πŸš€ Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🀌 8250192130 πŸš€ Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🀌 8250192130 πŸš€ Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🀌 8250192130 πŸš€ Vip Call Girls Kolkataanamikaraghav4
Β 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
Β 
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...akbard9823
Β 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
Β 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled PersonComplet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Personfurqan222004
Β 
VIP Call Girls Kolkata Ananya 🀌 8250192130 πŸš€ Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🀌 8250192130 πŸš€ Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🀌 8250192130 πŸš€ Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🀌 8250192130 πŸš€ Vip Call Girls Kolkataanamikaraghav4
Β 
VIP Kolkata Call Girl Dum Dum πŸ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum πŸ‘‰ 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum πŸ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum πŸ‘‰ 8250192130 Available With Roomdivyansh0kumar0
Β 
VIP Kolkata Call Girl Alambazar πŸ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar πŸ‘‰ 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar πŸ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar πŸ‘‰ 8250192130 Available With Roomdivyansh0kumar0
Β 
VIP Kolkata Call Girl Salt Lake πŸ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake πŸ‘‰ 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake πŸ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake πŸ‘‰ 8250192130 Available With Roomishabajaj13
Β 
VIP Kolkata Call Girl Kestopur πŸ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur πŸ‘‰ 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur πŸ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur πŸ‘‰ 8250192130 Available With Roomdivyansh0kumar0
Β 
Chennai Call Girls Alwarpet Phone πŸ† 8250192130 πŸ‘… celebrity escorts service
Chennai Call Girls Alwarpet Phone πŸ† 8250192130 πŸ‘… celebrity escorts serviceChennai Call Girls Alwarpet Phone πŸ† 8250192130 πŸ‘… celebrity escorts service
Chennai Call Girls Alwarpet Phone πŸ† 8250192130 πŸ‘… celebrity escorts servicevipmodelshub1
Β 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
Β 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
Β 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
Β 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
Β 

Recently uploaded (20)

Call Girls in Uttam Nagar Delhi πŸ’―Call Us πŸ”8264348440πŸ”
Call Girls in Uttam Nagar Delhi πŸ’―Call Us πŸ”8264348440πŸ”Call Girls in Uttam Nagar Delhi πŸ’―Call Us πŸ”8264348440πŸ”
Call Girls in Uttam Nagar Delhi πŸ’―Call Us πŸ”8264348440πŸ”
Β 
Call Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
Call Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICECall Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
Call Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
Β 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
Β 
Low Rate Call Girls Kolkata Avani 🀌 8250192130 πŸš€ Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🀌 8250192130 πŸš€ Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🀌 8250192130 πŸš€ Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🀌 8250192130 πŸš€ Vip Call Girls Kolkata
Β 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
Β 
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Β 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
Β 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled PersonComplet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Person
Β 
Model Call Girl in Jamuna Vihar Delhi reach out to us at πŸ”9953056974πŸ”
Model Call Girl in Jamuna Vihar Delhi reach out to us at πŸ”9953056974πŸ”Model Call Girl in Jamuna Vihar Delhi reach out to us at πŸ”9953056974πŸ”
Model Call Girl in Jamuna Vihar Delhi reach out to us at πŸ”9953056974πŸ”
Β 
VIP Call Girls Kolkata Ananya 🀌 8250192130 πŸš€ Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🀌 8250192130 πŸš€ Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🀌 8250192130 πŸš€ Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🀌 8250192130 πŸš€ Vip Call Girls Kolkata
Β 
young call girls in Uttam NagarπŸ” 9953056974 πŸ” Delhi escort Service
young call girls in Uttam NagarπŸ” 9953056974 πŸ” Delhi escort Serviceyoung call girls in Uttam NagarπŸ” 9953056974 πŸ” Delhi escort Service
young call girls in Uttam NagarπŸ” 9953056974 πŸ” Delhi escort Service
Β 
VIP Kolkata Call Girl Dum Dum πŸ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum πŸ‘‰ 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum πŸ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum πŸ‘‰ 8250192130 Available With Room
Β 
VIP Kolkata Call Girl Alambazar πŸ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar πŸ‘‰ 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar πŸ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar πŸ‘‰ 8250192130 Available With Room
Β 
VIP Kolkata Call Girl Salt Lake πŸ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake πŸ‘‰ 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake πŸ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake πŸ‘‰ 8250192130 Available With Room
Β 
VIP Kolkata Call Girl Kestopur πŸ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur πŸ‘‰ 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur πŸ‘‰ 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur πŸ‘‰ 8250192130 Available With Room
Β 
Chennai Call Girls Alwarpet Phone πŸ† 8250192130 πŸ‘… celebrity escorts service
Chennai Call Girls Alwarpet Phone πŸ† 8250192130 πŸ‘… celebrity escorts serviceChennai Call Girls Alwarpet Phone πŸ† 8250192130 πŸ‘… celebrity escorts service
Chennai Call Girls Alwarpet Phone πŸ† 8250192130 πŸ‘… celebrity escorts service
Β 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
Β 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
Β 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Β 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
Β 

Mikrotik Hardening

  • 1. MUM 2017, Phnom Penh, Cambodia. April 24, 2017 MUM Phnom Penh, Cambodia By Sarpich RATH (Peter) Hardening MikroTik RouterOS
  • 2. MUM 2017, Phnom Penh, Cambodia. About PPIC ● Qualified and Vocational IT Training Center ● Found in late 2013. Offer service in June 2014 ● Partners β—‹ MikroTik Academy β—‹ Cisco Networking Academy β—‹ Pearson VUE β—‹ Prometric
  • 3. MUM 2017, Phnom Penh, Cambodia. About Me ● Sarpich RATH (Peter) ● First used RouterOS since 2008 ● MTCNA, MTCRE, Academy Trainer ● CCNA, CCNA Security, CCNP, Cisco Instructor ● Trainer @PPIC and AEU
  • 4. MUM 2017, Phnom Penh, Cambodia. Topic: Hardening MikroTik RouterOS ● Customized RouterOS setting ● RouterOS Firewall ● Recommendation
  • 6. MUM 2017, Phnom Penh, Cambodia. Login Services: IP->Services ● Disable unused services ● Or modify default port ● Limit access from specific network
  • 7. MUM 2017, Phnom Penh, Cambodia. MAC WinBox: Tools->MAC Server ● Disable Allow to login from all interfaces ● Allow from specific interface only
  • 8. MUM 2017, Phnom Penh, Cambodia. RoMON: Tools->RoMON ● Disable by default ● /tool romon set enabled=no
  • 9. MUM 2017, Phnom Penh, Cambodia. Login Credentials: System->Users ● Rename default admin account ● Strong password policy ● Set the right permission (group) to router users ● Backup login account
  • 10. MUM 2017, Phnom Penh, Cambodia. Router Interface ● Disable all unused interfaces on your router, in order to decrease unauthorized access to your router.
  • 11. MUM 2017, Phnom Penh, Cambodia. LCD touch screen ● Some RouterBOARDs have LCD module for informational purpose, set pin or disable it.
  • 12. MUM 2017, Phnom Penh, Cambodia. Neighbor Discovery: IP->Neighbors ● Disable Discovery on Interface that connect to Internet
  • 13. MUM 2017, Phnom Penh, Cambodia. Neighbor Discovery: IP->Neighbors WAN Interface are Disable for Neighbors Discovery
  • 14. MUM 2017, Phnom Penh, Cambodia. BTest Server: Tools-> Btest Server ● Bandwidth Test ● Disable when not used it
  • 15. MUM 2017, Phnom Penh, Cambodia. NTP Clock Synchronization ● Keep the router sync with accurate clock ● Server: kh.pool.ntp.org
  • 16. MUM 2017, Phnom Penh, Cambodia. Logging: System->Logging ● Send log message to SysLog Server
  • 17. MUM 2017, Phnom Penh, Cambodia. SNMP: IP->SNMP ● Simple Network Management Protocol ● Used to Monitor Bandwidth and resource usages.
  • 18. MUM 2017, Phnom Penh, Cambodia. Wireless Client Isolation ● Allows multiple clients to be on the same network, but not send traffic to each other. ● Attention!!! streaming content to/from other devices such as Chromecast, AppleTV, Ruku, etc… will not work on the same AP.
  • 19. MUM Phnom Penh, Cambodia 2017.
  • 20. MUM 2017, Phnom Penh, Cambodia. Configuration Backup
  • 22. MUM 2017, Phnom Penh, Cambodia. What is FW used for? ● Preventing unauthorized access to networks ● Protect itself ● Filter for incoming and outgoing traffic. ● Protect and hide the server inside ● etc.
  • 23. MUM 2017, Phnom Penh, Cambodia. What can RouterOS FW do? ● stateful packet inspection ● Layer-7 protocol detection ● peer-to-peer protocols filtering ● traffic classification by: β—‹ source MAC address β—‹ IP addresses (network or list) and address types (broadcast, local, multicast, unicast) β—‹ port or port range β—‹ IP protocols β—‹ interface the packet arrived from or left through β—‹ internal flow and connection marks β—‹ packet size β—‹ packet arrival time ● and much more!
  • 24. MUM 2017, Phnom Penh, Cambodia. Sample Network design Outside Inside ether1 ether2 ether3 ether4 Connect to Internet DMZ, Server LAN Management Network 100.1.1.0/30 192.168.10.0/24 192.168.20.0/24 192.168.30.0/24 *** If we don’t have enough ports, then can used VLAN for DMZ, LAN and Management network.
  • 25. MUM 2017, Phnom Penh, Cambodia. Sample Network design Internet DMZ Management LAN Mikrotik RouterOS 192.168.10.0/24 192.168.20.0/24 192.168.30.0/24 ISP
  • 26. MUM 2017, Phnom Penh, Cambodia. Internet to DMZ Internet DMZ Management LAN Mikrotik RouterOS βœ“ ISP
  • 27. MUM 2017, Phnom Penh, Cambodia. Internet to LAN/Management Internet DMZ Management LAN Mikrotik RouterOS βœ— βœ“ ISP
  • 28. MUM 2017, Phnom Penh, Cambodia. Management to Router Internet DMZ Management LAN Mikrotik RouterOS βœ— βœ“ ISP βœ— βœ—
  • 29. MUM 2017, Phnom Penh, Cambodia. IPv4 firewall: Protect the router ● filter with new connections to decrease load on a router; ● create address-list for IP addresses, that are allowed to access your router; example Management ● enable ICMP access (optionally); ● drop everything else, log=yes might be added to log packets that hit the specific rule;
  • 30. MUM 2017, Phnom Penh, Cambodia. IPv4 firewall: Protect the router /ip firewall filter add action=accept chain=input comment="default configuration" connection-state=established,related add action=accept chain=input src-address-list=Management add action=accept chain=input protocol=icmp ...... add action=drop chain=input /ip firewall address-list add address=192.168.30.0/24 list=Management
  • 31. MUM 2017, Phnom Penh, Cambodia. IPv4 firewall: Protect the Inside network ● Established/related packets are added to fasttrack for faster data throughput, firewall will work with new connections only; ● drop incoming packets that are not NATed, ether1 is public interface ● drop incoming packets from Internet, which are not public IP addresses, ether1 is public interface ● drop packets from Inside that does not have address from inside address. ● create address-list=Inside to group all inside address β—‹ 192.168.10.0/24 = DMZ β—‹ 192.168.20.0/24 = LAN β—‹ 192.168.30.0/24 = Management
  • 32. MUM 2017, Phnom Penh, Cambodia. IPv4 firewall: Protect the Inside network /ip firewall filter add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related add action=accept chain=forward comment="Established, Related" connection- state=established,related add action=drop chain=forward comment="Drop invalid" connection-state=invalid add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 src-address-list=not_in_internet
  • 33. MUM 2017, Phnom Penh, Cambodia. IPv4 firewall: Protect the Inside network add action=drop chain=forward comment="Drop packets from Inside that do not have Inside IP" in-interface=ether2 src-address-list=!Inside add action=drop chain=forward comment="Drop packets from Inside that do not have Inside IP" in-interface=ether3 src-address-list=!Inside add action=drop chain=forward comment="Drop packets from Inside that do not have Inside IP" in-interface=ether4 src-address-list=!Inside /ip firewall address-list add address=192.168.10.0/24 list=Inside add address=192.168.20.0/24 list=Inside add address=192.168.30.0/24 list=Inside
  • 34. MUM 2017, Phnom Penh, Cambodia. IPv4 firewall: Protect the Inside network /ip firewall address-list add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet add address=224.0.0.0/4 comment=Multicast list=not_in_internet add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet *** Modify to meet the requirement
  • 35. MUM 2017, Phnom Penh, Cambodia. IPv4 firewall: Protect the Server/DMZ WEB-SERVER IP =192.168.10.10 /ip firewall nat add action=dst-nat chain=dstnat comment=WEB-SERVER dst address=100.1.11.2 dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=80 /ip firewall filter add action=jump chain=forward comment=WEB-SERVER dst- address=192.168.10.10 jump-target=WEB-SERVER …… add action=accept chain=WEB-SERVER comment=WEB dst-port=80 protocol=tcp add action=accept chain=WEB-SERVER comment="accept ssh from NOC" dst- port=22 protocol=tcp src-address-list=Management add action=drop chain=WEB-SERVER comment=DROP
  • 36. MUM 2017, Phnom Penh, Cambodia. More Firewall rules ● https://wiki.mikrotik.com/wiki/Firewall ● SynFlood ● ICMP Flood ● Port Scanner ● Email Spam ● L7 Filter ● DoS attack protection ● Etc.
  • 37. MUM 2017, Phnom Penh, Cambodia. Recommendation ● Disable unused ports and services on router ● Strong password policy for router users and allow to remote from specific network ● Disable discovery interfaces on outside/WAN ports ● Clock should be accurate synchronize ● Enable SysLog and SNMP for monitoring the router ● Separate network for each LAN and Server ● Used Address list to group all address for used in FW
  • 38. MUM 2017, Phnom Penh, Cambodia. Recommendation ● Used Action=Jump to organized the FW rules and better performance ● Used FW to protect router itself, inside network and the Servers
  • 39. MUM 2017, Phnom Penh, Cambodia. Reference ● wiki.mikrotik.com
  • 40. MUM 2017, Phnom Penh, Cambodia. Question?
  • 41. Thanks for your Attention ☺ β€’ Upcoming Training: http://ppic-training.com/upcoming-courses/ β€’ Email: info@ppic-training.com β€’ Facebook: www.facebook.com/PhnomPenhInformaticsCenter β€’ Mobiel: 077/087 616102 β€’ Please subscribe to our mailing list to receive all update information such as discount and promotion price