MikroTik Firewall : Securing your Router with Port Knocking

This presentation was given at MUM Indonesia in Bali in 2008. It discusses how to add an extra layer of security to your MikroTik router using a port knocking mechanism.


  1. Mikrotik Firewall: Securing Your Router With Port Knocking
  2. Introduction
     - Name: Akbar
     - Mikrotik user since: mid 2005
     - IT Manager @ Agung Sedayu Group
     - Trainer for Ufoakses Mikrotik Training
     - www.forummikrotik.com
     - akbar@forummikrotik.com
     Forum Mikrotik Indonesia www.forummikrotik.com
  3. What is Port Knocking?
     - Port knocking is a method of externally opening ports on a firewall by generating connection attempts on a set of pre-specified closed ports.
     - Once the correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host that sent the connection attempts to connect over specific port(s).
  4. Port Knocking Process (diagram: Host on the left, Router with Firewall on the right)
     1. Host attempts a connection to the router with Winbox, Telnet or SSH.
     2. The connection attempt is rejected / dropped.
     3. Knock: the host makes a connection attempt to a pre-defined port.
     4. The firewall rules are dynamically modified to allow access from that host.
     5. Host attempts a connection to the router with Winbox, Telnet or SSH again.
     6. Connection granted.
  5. Why Port Knocking?
     - The primary purpose of port knocking is to prevent an attacker from discovering potentially exploitable services with a port scan: unless the attacker sends the correct knock sequence, the protected ports appear closed.
  6. When to Use Port Knocking?
     - When you need to do remote configuration or monitoring from a remote location.
     - When you want to reduce brute-force attacks.
  7. How to Apply Port Knocking in Mikrotik?
     - Using:
       - Firewall Filter
       - Address List
       - Knock application (please download the application from www.zeroflux.org)
  8. The Basics of Firewall Filter
  9. The Basics of Firewall Filter
     - Firewall Filter is used for packet filtering.
     - Firewall Filter consists of IF-THEN rules: IF <conditions> THEN <action>.
     - Firewall Filter rules are evaluated sequentially, top to bottom.
     - Firewall Filter rules are organized in chains.
  10. The Basics of Firewall Filter
     - Input: processes packets addressed to the router itself.
     - Output: processes packets sent by the router itself.
     - Forward: processes traffic sent through the router.
  11. Chain Input (diagram)
  12. Chain Output (diagram)
  13. Chain Forward (diagram)
  14. Firewall Filter Action
     - Accept: accept the packet. No further action is taken, i.e. the packet is passed through and no more rules are applied to it.
     - Add-dst-to-address-list: adds the destination address of an IP packet to the address list specified by the address-list parameter.
     - Add-src-to-address-list: adds the source address of an IP packet to the address list specified by the address-list parameter.
     - Drop: silently drop the packet (without sending an ICMP reject message).
     - Jump: jump to the chain specified by the value of the jump-target parameter.
     - Log: each match with this action adds a message to the system log.
     - Passthrough: ignores this rule and goes on to the next one.
     - Reject: reject the packet and send an ICMP reject message.
     - Return: passes control back to the chain where the jump took place.
     - Tarpit: captures and holds incoming TCP connections (replies with SYN/ACK to the inbound TCP SYN packet).
  15. IP Address List
     - You can also define a group of IP addresses using an "IP address list".
     - An IP address list can be used in firewall rules to apply a certain action.
     - You can use a mangle or firewall filter rule to dynamically add an IP address to an IP address list for a certain time limit.
  16. Let's Start Implementing Port Knocking in Mikrotik Router OS...
  17. Case Studies (diagram)
     - LAN 192.168.33.0/24, router LAN address 192.168.33.254
     - Internet side of the Mikrotik router: 10.1.1.254
     - Remote area (home, cafe, etc.) reaching the router over the Internet
  18. Case Studies
     - We only allow access to the router from several IP addresses in the LAN: 192.168.33.10 until 192.168.33.20.
     - Other IP addresses in the LAN have to knock first before gaining access to the router.
     - Remote hosts on the Internet have to knock first before gaining access to the router.
  19. Case Studies
     - We will only allow access to the router from the address list named "Save Haven" (spelled this way in the configuration that follows).
     - Everyone else has to knock first on:
       - Protocol TCP, port 1337
       - Protocol UDP, port 17954
  20. Adding Allowed LAN Addresses to the Address List (under /ip firewall address-list)
     add address=192.168.33.10-192.168.33.20 comment="" disabled=no list="Save Haven"
  21. Knock Rule 1 (under /ip firewall filter; the source is remembered in "knock-knock" for 15 seconds)
     add action=add-src-to-address-list address-list=knock-knock address-list-timeout=15s chain=input comment="Knock 1" disabled=no dst-port=1337 protocol=tcp
  22. Knock Rule 2 (only matches sources already in "knock-knock", i.e. the second knock must arrive within 15 seconds of the first; access lasts 3 hours)
     add action=add-src-to-address-list address-list="Save Haven" address-list-timeout=3h chain=input comment="Knock 2 - OK" disabled=no dst-port=17954 protocol=udp src-address-list=knock-knock
  23. Only Allowing "Save Haven" to Connect to the Router
     add action=accept chain=input comment="Only Allow Access from Save Haven" disabled=no src-address-list="Save Haven"
  24. Drop Everything Else
     add action=drop chain=input comment="Drop Everything Else" disabled=no
  25. Configuration
     Here is the configuration for port knocking. Make sure you do not change the sequence, or it will not work: the filter is evaluated top to bottom, so the two knock rules and the accept rule must all sit above the final drop rule. Note that this drop rule also discards replies to connections the router itself opens (DNS, NTP, etc.) unless an accept rule for established and related connections is placed above it.
  26. Knock Attempt
     - Hosts have to knock on the correct ports.
     - The IP addresses of hosts that have knocked on the correct ports are dynamically added to the "Save Haven" address list.
     - Those hosts can then access the router.
  27. Closing
     - Port knocking is useful for securing the router.
     - Port knocking is also useful for reducing brute-force attacks.
     - Port knocking has its weaknesses as well:
       - It is possible to learn the knocking sequence by sniffing the network.
       - A special knocking client is required.
     - Port knocking is only one method of securing the router; it is best combined with other methods.
  28. Thank You. Your questions will be appreciated.
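The following model is an added example, not code from the slides or from RouterOS: it simulates the four input-chain rules above (address lists with timeouts, top-to-bottom evaluation) so that the effect of rule order, the 15-second knock window and the 3-hour access lifetime can be checked offline. The scenarios and addresses are constructed; the Winbox port 8291 is an assumption, since the slides name Winbox but not its port.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    proto: str        # "tcp" or "udp"
    dst_port: int


@dataclass
class Router:
    # address-list name -> {address: expiry time in seconds, None = static}
    lists: dict = field(default_factory=dict)

    def _members(self, name, now):
        """Return a list's entries after purging expired dynamic ones."""
        entries = self.lists.setdefault(name, {})
        for addr, expiry in list(entries.items()):
            if expiry is not None and expiry <= now:
                del entries[addr]
        return entries

    def add_static_range(self, name, first, last):
        """Static entry like the slides' 192.168.33.10-192.168.33.20 range."""
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        for n in range(lo, hi + 1):
            self.lists.setdefault(name, {})[str(ipaddress.ip_address(n))] = None

    def _add_dynamic(self, name, addr, timeout, now):
        self._members(name, now)[addr] = now + timeout

    def input_chain(self, pkt, now):
        """Evaluate the slides' four input-chain rules top to bottom."""
        # Knock 1: TCP/1337 puts the source in knock-knock for 15 s.
        # add-src-to-address-list is modelled as non-terminating here.
        if pkt.proto == "tcp" and pkt.dst_port == 1337:
            self._add_dynamic("knock-knock", pkt.src, 15, now)
        # Knock 2: UDP/17954 from a knock-knock member -> Save Haven for 3 h.
        if (pkt.proto == "udp" and pkt.dst_port == 17954
                and pkt.src in self._members("knock-knock", now)):
            self._add_dynamic("Save Haven", pkt.src, 3 * 3600, now)
        # Accept from Save Haven, then drop everything else (both terminating).
        if pkt.src in self._members("Save Haven", now):
            return "accept"
        return "drop"


WINBOX = 8291   # assumed management port for the access attempts below


def run_scenarios():
    """Constructed scenarios; returns the verdict of each final access attempt."""
    r = Router()
    r.add_static_range("Save Haven", "192.168.33.10", "192.168.33.20")
    out = {"lan_listed": r.input_chain(Packet("192.168.33.15", "tcp", WINBOX), 0),
           "lan_unlisted": r.input_chain(Packet("192.168.33.99", "tcp", WINBOX), 0)}
    # Correct sequence, second knock 10 s after the first
    r.input_chain(Packet("10.1.1.50", "tcp", 1337), 10)
    r.input_chain(Packet("10.1.1.50", "udp", 17954), 20)
    out["good_knock"] = r.input_chain(Packet("10.1.1.50", "tcp", WINBOX), 21)
    out["after_3h"] = r.input_chain(Packet("10.1.1.50", "tcp", WINBOX), 20 + 3 * 3600)
    # Second knock 16 s after the first: the knock-knock entry has expired
    r.input_chain(Packet("10.1.1.60", "tcp", 1337), 100)
    r.input_chain(Packet("10.1.1.60", "udp", 17954), 116)
    out["slow_knock"] = r.input_chain(Packet("10.1.1.60", "tcp", WINBOX), 117)
    # Knocks in the wrong order
    r.input_chain(Packet("10.1.1.70", "udp", 17954), 200)
    r.input_chain(Packet("10.1.1.70", "tcp", 1337), 201)
    out["wrong_order"] = r.input_chain(Packet("10.1.1.70", "tcp", WINBOX), 202)
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:12s} -> {verdict}")
```

Swapping the order of the accept and drop rules in `input_chain` makes every scenario drop, which is the failure the "do not change the sequence" warning on the configuration slide refers to.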
