Mikrotik Security


Security by harnessing the power of RouterOS

Mihai Săftoiu - MUM România


29 October 2018
1
Mihai Săftoiu
• MikroTik Certified Trainer
• MikroTik Consultant
• TIER Data Center CEO
• STARNET NOC Manager
• Italian ISP CTO
• Security auditor for military and energy contractors

2
Why this presentation?

What this presentation is not.

What this presentation is.


3
Who is in the audience ?

4
What is security?

5
Security is the consequence of the following situation:

When an unauthorized person:

- does not have the key
- cannot find/copy the key
- if the key gets found, it cannot be used
6
Conclusion:

Security is the applied logic (algorithm, way of doing etc.) which leads to that consequence.

7
Defining the goal:

To have a system which, even if compromised (revealed password), will remain secure from a functional authentication perspective.

Is that even possible?


8
Discussion topics:

General communication principles

RouterOS security mechanisms

Applying authentication logic on different layers

Putting it all together


9
General principles

The OSI model is the basis of all inter-system communication.

Understanding the OSI model is the first step in understanding where to apply security concepts.

10
General principles - OSI

11
General principles - OSI

12
General principles - OSI

These layers are geared towards security, we can actually make use of them:

- Application level authentication security
- TCP/IP security
- MAC authentication security
- Physical security
13
The setup

[Network diagram: host 192.168.88.250/24, router 192.168.88.1/24, interfaces ether1 and ether2]

14
RouterOS security mechanisms

Physical security

MAC authentication security

TCP/IP security

Application level security


15
Physical security

1. Using secure enclosures/racks

2. Using centralized logging

3. Disabling unused interfaces

4. Protecting from factory reset


16
Physical security

2. Using centralized logging

Centralized logging is possible for free using The Dude:
https://wiki.mikrotik.com/wiki/Manual:The_Dude_v6/Syslog

17
Physical security

2. Using centralized logging

18
Physical security

2. Using centralized logging

19
Physical security

2. Using centralized logging

20
Physical security

3. Disabling unused interfaces

21
Physical security

4. Protection from hardware reset

22
MAC authentication security

1. Disabling unwanted local login

2. Allowing only specific devices to access the physical ports

23
MAC authentication security

1. Disabling unwanted local login

24
MAC authentication security

1. Disabling unwanted local login

25
MAC authentication security

1. Disabling unwanted local login

26
MAC authentication security

2. Allowing only trusted devices

27
MAC authentication security

2. Allowing only trusted devices

28
TCP/IP Security

Practices found on the Internet usually employ techniques such as:

- IP ACL trust relationship (firewall)
- filtering invalid packet sources
- some form of port knocking technique
29
TCP/IP Security

IP ACL trust relationship (firewall)

- the most common layer 3 method
- easy to configure
- useful when used with static IPs
- easy to bypass using spoofing
- what to do when in another city?
30
TCP/IP Security

Filtering invalid packet sources


- also common in modern firewalls
- a skilled attacker will not send invalid packets and will not get blacklisted

31
TCP/IP Security

Some form of port knocking

- employs a set of ports which are “knocked” which then enables the login to the device
- the ports used can also be sniffed or discovered by specialized tools
32
Application layer security

1. Disabling unwanted services

2. Using built-in ACL mechanism and changing default ports

P.S. We’ll get back to TCP/IP soon


33
Application layer security

1. Disabling services (IP -> Services)

34
Application layer security

2. ACL and default port change

35
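The MAC authentication slides (disabling unwanted local login) and the application layer slides (disabling services, built-in ACL and default port change) map onto a handful of RouterOS commands. The following is an added example, not configuration from the presentation; it assumes RouterOS 6.41 or newer (interface lists), a management subnet of 192.168.88.0/24 as in the lab setup, and arbitrary non-default ports chosen for this example.

```routeros
# Added example, not from the slides. Assumes RouterOS 6.41+,
# management hosts in 192.168.88.0/24, and arbitrary example ports.

# MAC authentication security: no MAC-telnet, MAC-Winbox or neighbor
# discovery on any interface, so a device plugged into a port cannot
# log in by MAC address alone.
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/ip neighbor discovery-settings set discover-interface-list=none

# Application layer security, step 1: disable services that are not used
# (IP -> Services). Only ssh and winbox stay enabled here.
/ip service disable telnet,ftp,www,api,api-ssl,www-ssl

# Application layer security, step 2: built-in ACL (address=) plus a
# non-default port on the services that remain.
/ip service set ssh address=192.168.88.0/24 port=2222
/ip service set winbox address=192.168.88.0/24 port=58291

# Check the result: every disabled service shows an X, the two remaining
# ones show the restricted address and the new port.
/ip service print
```

A service restricted with address= still answers on the wire to other sources (the TCP handshake is refused at the service, not the firewall), so the firewall rules in the later slides remain the primary control.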
Reiterating the goal:

To have a system which, even if compromised (revealed password), will remain secure from a functional authentication perspective.

Is that even possible?


36
What is the problem with these
setups?

37
Are there any improvements we
can make?

38
The most important security layer

39
How can this 8th layer actually come into play?

40
Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video.

The word steganography combines the Greek words steganos (στεγανός), meaning "covered, concealed, or protected", and graphein (γράφειν) meaning "writing".
source: Wikipedia
41
My birthday is: 01 February 1983

Let’s change the date format: 01.02.1983

Let’s turn it into a numerical code:

01021983
42
To express the same idea in a different format we could say: “At 01 hours and 02 minutes you should ping the equipment 47 times in order to access it and then 111 times.”

01021983

IP header 20B, ICMP header 8B

47 - 20 - 8 = 19, 111 - 20 - 8 = 83
43
01021983
Let’s read the true logic decoded:
- protocol 1
- 2nd packet relevant
- length 19, encrypted length 83

44
Protocol 1: ICMP, echo request (ping)

2nd packet relevant: the MikroTik router will only process the odd packets

length 19, encrypted length 83: the MikroTik router will respond in a receptive manner if two sets of data are involved: unencrypted 19 bytes, the second sent over encryption 83 bytes
45
So for a highly secured device the algorithm is as follows:

- drop icmp echo request of size 19 (true size: 19 + 20 + 8 = 47) and add source to trusted1
- allow encrypted connections from trusted1
- drop icmp echo request of size 83 over encryption (true size: 83 + 20 + 8 = 111) and add source to trusted2
- allow to port 8291 encrypted from trusted2
- allow discovery over encryption (optional)
- drop everything else
46
Setting up the authentication system:

1. Set up a PPTP server (you can use any type of more advanced tunneling server: SSTP with SSL, L2TP over IPsec etc.)

2. Set up a PPTP user and password

3. Set up the firewall


47
PPTP server

48
PPTP user and password

49
Firewall rules

50
Firewall rules applied

51
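The firewall slides are screenshots, so here is the algorithm from slide 46 and the three setup steps from slide 47 written out as a RouterOS configuration. This is an added example, not the presenter's own export; it assumes a PPTP address pool of 10.10.10.0/24 (hypothetical), a placeholder password, and that packet-size matches the whole IP packet (20 IP + 8 ICMP + data), which is why the knocks are 47 and 111 bytes.

```routeros
# Added example, not from the slides. Assumes a PPTP pool 10.10.10.0/24
# (hypothetical) and a placeholder secret; replace both before use.

# Step 1/2: PPTP server with MPPE required, one user for the tunnel.
/ppp profile set default use-encryption=required local-address=10.10.10.1 \
    remote-address=10.10.10.0/24
/interface pptp-server server set enabled=yes default-profile=default
/ppp secret add name=admin-vpn password=CHANGE_ME service=pptp

# Step 3: firewall. Rule order matters: knock 1 -> tunnel -> knock 2 -> 8291.
/ip firewall filter
add chain=input connection-state=established,related action=accept
# Knock 1: echo request with 19 data bytes = 47-byte IP packet.
# add-src-to-address-list passes the packet on, so the next rule drops it
# (the router never answers the knock).
add chain=input protocol=icmp icmp-options=8:0 packet-size=47 \
    action=add-src-to-address-list address-list=trusted1 \
    address-list-timeout=5m comment="knock 1: 19 bytes -> trusted1"
add chain=input protocol=icmp icmp-options=8:0 packet-size=47 action=drop
# Encrypted connections only from trusted1: PPTP control (TCP 1723) + GRE.
add chain=input protocol=tcp dst-port=1723 src-address-list=trusted1 \
    action=accept comment="PPTP from trusted1"
add chain=input protocol=gre src-address-list=trusted1 action=accept
# Knock 2 arrives inside the tunnel: 83 data bytes = 111-byte IP packet.
add chain=input protocol=icmp icmp-options=8:0 packet-size=111 \
    src-address=10.10.10.0/24 action=add-src-to-address-list \
    address-list=trusted2 address-list-timeout=5m \
    comment="knock 2 (encrypted): 83 bytes -> trusted2"
add chain=input protocol=icmp icmp-options=8:0 packet-size=111 \
    src-address=10.10.10.0/24 action=drop
# Winbox (8291) only from tunnel addresses that completed knock 2.
add chain=input protocol=tcp dst-port=8291 src-address=10.10.10.0/24 \
    src-address-list=trusted2 action=accept comment="Winbox over tunnel"
# Optional on the slide: neighbor discovery (MNDP, UDP 5678) over the tunnel.
add chain=input protocol=udp dst-port=5678 src-address=10.10.10.0/24 \
    action=accept
# Drop everything else, including Winbox from the LAN and plain ping.
add chain=input action=drop comment="drop everything else"
```

From a Linux host the two knocks are `ping -c 1 -s 19 <router>` before connecting the tunnel and `ping -c 1 -s 83 <tunnel-address>` after it is up; a leaked admin password alone never reaches port 8291 because the address lists, not the password, gate the path to it.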
Working demo
[Demo diagram: hosts 192.168.88.3 and 192.168.88.2, 192.168.88.250/24, router 192.168.88.1/24, interfaces ether1 and ether2]

52
Final conclusions

A subtle but important difference in logic makes the difference in security.

By making use of this technique, a system which has a compromised admin password will remain inaccessible to attackers.

Questions?

53
