DK
Uploaded byDidiet Kusumadihardja
PDF, PPTX505 views

Access RouterOS using Multi-Factor Authentication

This document discusses the implementation of multi-factor authentication on MikroTik RouterOS, emphasizing security practices for network management. It details the necessary steps for generating and utilizing SSH keys, recommends securing access through specific IP addresses, and highlights additional security measures such as VPN and port knocking. The author, Didiet Kusumadihardja, is a seasoned IT professional with extensive experience in various IT services and emphasizes the importance of layered security strategies.

Embed presentation

Download as PDF, PPTX
ACCESS ROUTEROS USING MULTI-FACTOR AUTHENTICATION MIKROTIK USER MEETING 2018 Didiet Kusumadihardja | didiet@arch.web.id Yogyakarta, Indonesia | 20 Oktober 2018
About Me Didiet Kusumadihardja | didiet@arch.web.id 2 Didiet Kusumadihardja  12 tahun pengalaman di IT RT/RW Net, Startup (e-commerce), Manage Service, IT Consulting, IT Auditor, Penetration Tester & Training Service  Penguji UKK TKJ  Mikrotik Certified Trainer  Mikrotik Certified Consultant https://about.me/didiet
Services Offered Didiet Kusumadihardja | didiet@arch.web.id 3 1. Network Assessment/Design Service 2. IT General Control Audit Service 3. Vulnerability Assessment & Penetration Testing Service 4. IT Due Diligence Service 5. Training Service • UU ITE No 11 Tahun 2008 • POJK 38/POJK.03/2016 • SEOJK 21/SEOJK.03/2017 • PBI 16/8/PBI/2014  PCI DSS  ISO 27001 Planning Discovery Attack Reporting Additional Discovery
Background4 Didiet Kusumadihardja | didiet@arch.web.id
Data Breaches News 2016 Didiet Kusumadihardja | didiet@arch.web.id 5
Data Breaches News 2017 Didiet Kusumadihardja | didiet@arch.web.id 6
Data Breaches News 2018 Didiet Kusumadihardja | didiet@arch.web.id 7
MikroTik Security Fixed Didiet Kusumadihardja | didiet@arch.web.id 8  6.38.5 (9 Maret 2017) www - fixed http server vulnerability  6.41.3 (8 Maret 2018) smb - fixed buffer overflow vulnerability, everyone using this feature is urged to upgrade  6.42.1 (23 April 2018) winbox - fixed vulnerability that allowed to gain access to an unsecured router  6.42.7 (17 Agustus 2018) security - fixed vulnerabilities CVE-2018-1156, CVE- 2018-1157, CVE-2018-1158, CVE-2018-1159
Exploits Didiet Kusumadihardja | didiet@arch.web.id 9
Amount of Time to Crack Passwords Didiet Kusumadihardja | didiet@arch.web.id 10
Processing Power vs Passwords Didiet Kusumadihardja | didiet@arch.web.id 11
Reality Didiet Kusumadihardja | didiet@arch.web.id 12 Dictionary Attack Brute Force Attack ExploitsPassword Dictionary Bad Guys
Humans and Password Didiet Kusumadihardja | didiet@arch.web.id 13
Password Tips Didiet Kusumadihardja | didiet@arch.web.id 14
Indonesia Regulation Didiet Kusumadihardja | didiet@arch.web.id 15
How we do it with RouterOS?16 Didiet Kusumadihardja | didiet@arch.web.id
Multi-Factor Authentication on RouterOS Didiet Kusumadihardja | didiet@arch.web.id 17  Something you know  Password  Something you have  SSH Keys  Somewhere you from  IP Address
Create SSH Public & Private Key Didiet Kusumadihardja | didiet@arch.web.id 18 1. Generate 2. Save Private Key 3. Copy Public Key and save to file 1 2 3 For OS X and Linux users can use ‘ssh-keygen’
RouterOS Configuration Didiet Kusumadihardja | didiet@arch.web.id 19 1. Upload Public Key 2. Create New User 3. Import SSH Key
Login using SSH Keys Didiet Kusumadihardja | didiet@arch.web.id 20 1 2 Connection > SSH > Auth
Only permit from specific IP address Didiet Kusumadihardja | didiet@arch.web.id 21
Other Methods (1/3) Didiet Kusumadihardja | didiet@arch.web.id 22 Port Knocking https://wiki.mikrotik.com/wiki/Port_Knocking
Other Methods (2/3) Didiet Kusumadihardja | didiet@arch.web.id 23 VPN then remote access 1. VPN (PPTP/SSTP/OpenVPN) 2. Remote Access (Winbox/SSH) VPN Network Address
Other Methods (3/3) Didiet Kusumadihardja | didiet@arch.web.id 24 Out of Band Network Management Network
Audit Trail / Log as Evidence Didiet Kusumadihardja | didiet@arch.web.id 25
Audit Trail / Log using The Dude Didiet Kusumadihardja | didiet@arch.web.id 26
Summary Didiet Kusumadihardja | didiet@arch.web.id 27 Defense in Depth Layers 1. Policies, Procedure, and Awareness 2. Physical 3. Perimeter 4. Internal Network 5. Host 6. Application 7. Data
Reference Didiet Kusumadihardja | didiet@arch.web.id 28  ArsTechnica. 2012. 25-GPU cluster cracks every standard Windows password in <6 hours. https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows- password-in-6-hours/.  BetterBuys. Estimating Password-Cracking Times. https://www.betterbuys.com/estimating-password-cracking- times/.  C# Corner. 2015. Passphrase vs Password For Security. https://www.c- sharpcorner.com/UploadFile/66489a/passphrase-vs-password-for-the-security/.  Information is beautiful. 2018. World’s Biggest Data Breaches. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/.  MikroTik. 2015. Port Knocking. https://wiki.mikrotik.com/wiki/Port_Knocking.  MikroTik. 2016. Manual: The Dude v6/Syslog. https://wiki.mikrotik.com/wiki/Manual:The_Dude_v6/Syslog.  NIST. 2017. Easy Ways to Build a Better P@$5w0rd. https://www.nist.gov/blogs/taking-measure/easy-ways-build- better-p5w0rd.  Records Management Center. 2017. Identity Theft – Is It All Digital. https://rmcmaine.com/identity-theft-report/.  Reuters. 2017. Yahoo says all three billion accounts hacked in 2013 data theft. https://www.reuters.com/article/us- yahoo-cyber/yahoo-says-all-three-billion-accounts-hacked-in-2013-data-theft-idUSKCN1C82O1.  ScienceDirect. 2017. Towards port-knocking authentication methods for mobile cloud computing. https://www.sciencedirect.com/science/article/pii/S1084804517302813 (Accessed 2018-09-04).  The Hacker News. 2018. Hackers Infect Over 200,000 MikroTik Routers With Crypto Mining Malware. https://thehackernews.com/2018/08/mikrotik-router-hacking.html.  The New York Times. 2016. Yahoo Says 1 Billion User Accounts Were Hacked. https://www.nytimes.com/2016/12/14/technology/yahoo-hack.html.
Diijinkan menggunakan sebagian atau seluruh materi pada modul ini, baik berupa ide, foto, tulisan, konfigurasi dan diagram selama untuk kepentingan pengajaran, dan memberikan kredit kepada penulis serta link ke www.arch.web.id 29 Didiet Kusumadihardja Mobile: +62 813 1115 0054 e-mail: didiet@arch.web.id Didiet Kusumadihardja | didiet@arch.web.id

More Related Content

PPTX
Security and Authentication of Internet of Things (IoT) Devices
bySanjayKumarYadav58
 
PPTX
Internet of things security challenges
byHadi Fadlallah
 
PPTX
Cybersecurity Implementation and Certification in Practice for IoT Equipment
byOnward Security
 
PDF
IoT security fresh thinking 2017 sep 9
byArvind Tiwary
 
PPTX
Internet of Things Security
byTutun Juhana
 
PDF
IoT Security in Action - Boston Sept 2015
byEurotech
 
PDF
IoT Security Challenges
byForest Interactive
 
PDF
AuthentiThings: The Pitfalls and Promises of Authentication in the IoT
byTransUnion
 
Security and Authentication of Internet of Things (IoT) Devices
bySanjayKumarYadav58
 
Internet of things security challenges
byHadi Fadlallah
 
Cybersecurity Implementation and Certification in Practice for IoT Equipment
byOnward Security
 
IoT security fresh thinking 2017 sep 9
byArvind Tiwary
 
Internet of Things Security
byTutun Juhana
 
IoT Security in Action - Boston Sept 2015
byEurotech
 
IoT Security Challenges
byForest Interactive
 
AuthentiThings: The Pitfalls and Promises of Authentication in the IoT
byTransUnion
 

What's hot

PPTX
Security for iot and cloud aug 25b 2017
byUlf Mattsson
 
PDF
IoT Security
byNarudom Roongsiriwong, CISSP
 
PPTX
Security Testing for IoT Systems
bySecurity Innovation
 
PPTX
Industrial IoT Security Standards & Frameworks
byPriyanka Aash
 
PDF
IoT Security Challenges and Solutions
byIntel® Software
 
PDF
Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...
byCableLabs
 
PPTX
Enabling Data Protection through PKI encryption in IoT m-Health Devices
byCharalampos Doukas
 
PDF
The Future of Authentication for IoT
byFIDO Alliance
 
PPTX
IoT Security: Cases and Methods
byLeonardo De Moura Rocha Lima
 
PDF
1 importance of light weight authentication in iot
byChintan Patel
 
PDF
IoT/M2M Security
byYu-Hsin Hung
 
PDF
国际物联网安全标准与认证大解析
byOnward Security
 
PDF
Security Aspects in IoT - A Review
byAsiri Hewage
 
PPTX
Addressing Healthcare Challenges Today
byIvanti
 
DOC
Adarsh Resume ISO27001
byAdarsh HIRENALLUR
 
PDF
Cybersecurity Summit 2020 Slide Deck
byCimetrics Inc
 
PDF
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
byDenim Group
 
PDF
Cybersecurity Summit AHR20 Protect Cimetrics
byCimetrics Inc
 
PDF
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
byPatricia M Watson
 
PDF
Technology & Policy Interaction Panel at Inform[ED] IoT Security
byCableLabs
 
Security for iot and cloud aug 25b 2017
byUlf Mattsson
 
IoT Security
byNarudom Roongsiriwong, CISSP
 
Security Testing for IoT Systems
bySecurity Innovation
 
Industrial IoT Security Standards & Frameworks
byPriyanka Aash
 
IoT Security Challenges and Solutions
byIntel® Software
 
Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...
byCableLabs
 
Enabling Data Protection through PKI encryption in IoT m-Health Devices
byCharalampos Doukas
 
The Future of Authentication for IoT
byFIDO Alliance
 
IoT Security: Cases and Methods
byLeonardo De Moura Rocha Lima
 
1 importance of light weight authentication in iot
byChintan Patel
 
IoT/M2M Security
byYu-Hsin Hung
 
国际物联网安全标准与认证大解析
byOnward Security
 
Security Aspects in IoT - A Review
byAsiri Hewage
 
Addressing Healthcare Challenges Today
byIvanti
 
Adarsh Resume ISO27001
byAdarsh HIRENALLUR
 
Cybersecurity Summit 2020 Slide Deck
byCimetrics Inc
 
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
byDenim Group
 
Cybersecurity Summit AHR20 Protect Cimetrics
byCimetrics Inc
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
byPatricia M Watson
 
Technology & Policy Interaction Panel at Inform[ED] IoT Security
byCableLabs
 

More from Didiet Kusumadihardja

PDF
Didiet Cybersecurity Consultant Portfolio - English
byDidiet Kusumadihardja
 
PDF
Manajemen wireless rogue
byDidiet Kusumadihardja
 
PDF
Didiet Cyber Security Consultant Portfolio - Bahasa Indonesia
byDidiet Kusumadihardja
 
PDF
Adequate password policy
byDidiet Kusumadihardja
 
PDF
Personally identifiable information
byDidiet Kusumadihardja
 
PPTX
Fools your enemy with MikroTik
byDidiet Kusumadihardja
 
PDF
Notifikasi penggunaan sistem
byDidiet Kusumadihardja
 
Didiet Cybersecurity Consultant Portfolio - English
byDidiet Kusumadihardja
 
Manajemen wireless rogue
byDidiet Kusumadihardja
 
Didiet Cyber Security Consultant Portfolio - Bahasa Indonesia
byDidiet Kusumadihardja
 
Adequate password policy
byDidiet Kusumadihardja
 
Personally identifiable information
byDidiet Kusumadihardja
 
Fools your enemy with MikroTik
byDidiet Kusumadihardja
 
Notifikasi penggunaan sistem
byDidiet Kusumadihardja
 

Recently uploaded

PDF
GTI Solution Overview.pdf useful for security solution
by33fastfast
 
PDF
WAN-IFRA World Press Trends 2025-26 key insights
byDamian Radcliffe
 
PDF
diznijevi junaci na paradi panini album.pdf
byStefanFilipovic9
 
PPTX
Analysis Intelligence in Cyber Protection.pptx
byOmar Fernandez
 
PPTX
Social media app presentation snapgram.pptx
byrayessafa21
 
PPTX
A QUIZ ABOUT THE HISTORY OF MICROSOFT WORD
byzoenadiajara1
 
PPTX
Introduction to Multi-dimentional array.pptx
byOmar Fernandez
 
PPTX
How Big Brands are Taking Your Traffic in Alberta [Data Inside].pptx
bynaloskihristo
 
GTI Solution Overview.pdf useful for security solution
by33fastfast
 
WAN-IFRA World Press Trends 2025-26 key insights
byDamian Radcliffe
 
diznijevi junaci na paradi panini album.pdf
byStefanFilipovic9
 
Analysis Intelligence in Cyber Protection.pptx
byOmar Fernandez
 
Social media app presentation snapgram.pptx
byrayessafa21
 
A QUIZ ABOUT THE HISTORY OF MICROSOFT WORD
byzoenadiajara1
 
Introduction to Multi-dimentional array.pptx
byOmar Fernandez
 
How Big Brands are Taking Your Traffic in Alberta [Data Inside].pptx
bynaloskihristo
 

Access RouterOS using Multi-Factor Authentication

  • 1.
    ACCESS ROUTEROS USING MULTI-FACTORAUTHENTICATION MIKROTIK USER MEETING 2018 Didiet Kusumadihardja | didiet@arch.web.id Yogyakarta, Indonesia | 20 Oktober 2018
  • 2.
    About Me Didiet Kusumadihardja| didiet@arch.web.id 2 Didiet Kusumadihardja  12 tahun pengalaman di IT RT/RW Net, Startup (e-commerce), Manage Service, IT Consulting, IT Auditor, Penetration Tester & Training Service  Penguji UKK TKJ  Mikrotik Certified Trainer  Mikrotik Certified Consultant https://about.me/didiet
  • 3.
    Services Offered Didiet Kusumadihardja| didiet@arch.web.id 3 1. Network Assessment/Design Service 2. IT General Control Audit Service 3. Vulnerability Assessment & Penetration Testing Service 4. IT Due Diligence Service 5. Training Service • UU ITE No 11 Tahun 2008 • POJK 38/POJK.03/2016 • SEOJK 21/SEOJK.03/2017 • PBI 16/8/PBI/2014  PCI DSS  ISO 27001 Planning Discovery Attack Reporting Additional Discovery
  • 4.
  • 5.
    Data Breaches News2016 Didiet Kusumadihardja | didiet@arch.web.id 5
  • 6.
    Data Breaches News2017 Didiet Kusumadihardja | didiet@arch.web.id 6
  • 7.
    Data Breaches News2018 Didiet Kusumadihardja | didiet@arch.web.id 7
  • 8.
    MikroTik Security Fixed DidietKusumadihardja | didiet@arch.web.id 8  6.38.5 (9 Maret 2017) www - fixed http server vulnerability  6.41.3 (8 Maret 2018) smb - fixed buffer overflow vulnerability, everyone using this feature is urged to upgrade  6.42.1 (23 April 2018) winbox - fixed vulnerability that allowed to gain access to an unsecured router  6.42.7 (17 Agustus 2018) security - fixed vulnerabilities CVE-2018-1156, CVE- 2018-1157, CVE-2018-1158, CVE-2018-1159
  • 9.
  • 10.
    Amount of Timeto Crack Passwords Didiet Kusumadihardja | didiet@arch.web.id 10
  • 11.
    Processing Power vsPasswords Didiet Kusumadihardja | didiet@arch.web.id 11
  • 12.
    Reality Didiet Kusumadihardja |didiet@arch.web.id 12 Dictionary Attack Brute Force Attack ExploitsPassword Dictionary Bad Guys
  • 13.
    Humans and Password DidietKusumadihardja | didiet@arch.web.id 13
  • 14.
    Password Tips Didiet Kusumadihardja| didiet@arch.web.id 14
  • 15.
  • 16.
    How we doit with RouterOS?16 Didiet Kusumadihardja | didiet@arch.web.id
  • 17.
    Multi-Factor Authentication onRouterOS Didiet Kusumadihardja | didiet@arch.web.id 17  Something you know  Password  Something you have  SSH Keys  Somewhere you from  IP Address
  • 18.
    Create SSH Public& Private Key Didiet Kusumadihardja | didiet@arch.web.id 18 1. Generate 2. Save Private Key 3. Copy Public Key and save to file 1 2 3 For OS X and Linux users can use ‘ssh-keygen’
  • 19.
    RouterOS Configuration Didiet Kusumadihardja| didiet@arch.web.id 19 1. Upload Public Key 2. Create New User 3. Import SSH Key
  • 20.
    Login using SSHKeys Didiet Kusumadihardja | didiet@arch.web.id 20 1 2 Connection > SSH > Auth
  • 21.
    Only permit fromspecific IP address Didiet Kusumadihardja | didiet@arch.web.id 21
  • 22.
    Other Methods (1/3) DidietKusumadihardja | didiet@arch.web.id 22 Port Knocking https://wiki.mikrotik.com/wiki/Port_Knocking
  • 23.
    Other Methods (2/3) DidietKusumadihardja | didiet@arch.web.id 23 VPN then remote access 1. VPN (PPTP/SSTP/OpenVPN) 2. Remote Access (Winbox/SSH) VPN Network Address
  • 24.
    Other Methods (3/3) DidietKusumadihardja | didiet@arch.web.id 24 Out of Band Network Management Network
  • 25.
    Audit Trail /Log as Evidence Didiet Kusumadihardja | didiet@arch.web.id 25
  • 26.
    Audit Trail /Log using The Dude Didiet Kusumadihardja | didiet@arch.web.id 26
  • 27.
    Summary Didiet Kusumadihardja |didiet@arch.web.id 27 Defense in Depth Layers 1. Policies, Procedure, and Awareness 2. Physical 3. Perimeter 4. Internal Network 5. Host 6. Application 7. Data
  • 28.
    Reference Didiet Kusumadihardja |didiet@arch.web.id 28  ArsTechnica. 2012. 25-GPU cluster cracks every standard Windows password in <6 hours. https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows- password-in-6-hours/.  BetterBuys. Estimating Password-Cracking Times. https://www.betterbuys.com/estimating-password-cracking- times/.  C# Corner. 2015. Passphrase vs Password For Security. https://www.c- sharpcorner.com/UploadFile/66489a/passphrase-vs-password-for-the-security/.  Information is beautiful. 2018. World’s Biggest Data Breaches. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/.  MikroTik. 2015. Port Knocking. https://wiki.mikrotik.com/wiki/Port_Knocking.  MikroTik. 2016. Manual: The Dude v6/Syslog. https://wiki.mikrotik.com/wiki/Manual:The_Dude_v6/Syslog.  NIST. 2017. Easy Ways to Build a Better P@$5w0rd. https://www.nist.gov/blogs/taking-measure/easy-ways-build- better-p5w0rd.  Records Management Center. 2017. Identity Theft – Is It All Digital. https://rmcmaine.com/identity-theft-report/.  Reuters. 2017. Yahoo says all three billion accounts hacked in 2013 data theft. https://www.reuters.com/article/us- yahoo-cyber/yahoo-says-all-three-billion-accounts-hacked-in-2013-data-theft-idUSKCN1C82O1.  ScienceDirect. 2017. Towards port-knocking authentication methods for mobile cloud computing. https://www.sciencedirect.com/science/article/pii/S1084804517302813 (Accessed 2018-09-04).  The Hacker News. 2018. Hackers Infect Over 200,000 MikroTik Routers With Crypto Mining Malware. https://thehackernews.com/2018/08/mikrotik-router-hacking.html.  The New York Times. 2016. Yahoo Says 1 Billion User Accounts Were Hacked. https://www.nytimes.com/2016/12/14/technology/yahoo-hack.html.
  • 29.
    Diijinkan menggunakan sebagianatau seluruh materi pada modul ini, baik berupa ide, foto, tulisan, konfigurasi dan diagram selama untuk kepentingan pengajaran, dan memberikan kredit kepada penulis serta link ke www.arch.web.id 29 Didiet Kusumadihardja Mobile: +62 813 1115 0054 e-mail: didiet@arch.web.id Didiet Kusumadihardja | didiet@arch.web.id