Securing your Mikrotik Network
Andrew Thrift
Who am I ?
• Andrew Thrift, Mikrotik Certified Consultant
• Based in New Zealand
• Using Mikrotik RouterOS since around 2002
• Working in network security since 1999
• Blog with Andrew Cox @ www.mikrotik-routeros.com
Agenda
• Attack Types
• Detecting attacks
• Securing your routers
• Protecting your network
• Question Time
Types of network based attacks
• Attacks on your routers
  • Unauthorised logins
  • Brute force attacks
  • Denial Of Service
  • Customer misuse
    • Customers bypassing PPPoE server
    • Rogue DHCP Servers
• Attacks on your networks (customers)
  • Brute force attacks
  • Denial Of Service
Detecting Attacks
• Use Intrusion Detection System (IDS/IPS) software: Snort / Suricata
  • Place behind your "border" protection
  • Configure alerting
• Use Security Information & Events Management (SIEM) software: Sagan
What is an IDS/IPS ?
Intrusion Detection System
• Inspects network traffic for "known threats"
• Identifies network threats using:
  • Signatures
  • Behavioural Analysis
  • Heuristics
• Ranks risk severity "Low, Medium, High"
• Common IDS are Snort, Suricata, Bro-IDS
Intrusion Prevention System
• Same as an IDS, but is placed "Inline" and can take actions (drop/mark) based on risk.
Detecting Attacks – Intrusion Detection System
IDS/IPS – What is Suricata ?
Heard of Snort ?
Suricata is like Snort, but is better:
• Multi-threaded to scale better on Multi-Core, Multi-Processor systems
• More sane configuration
• Can use existing Snort rule bases
• Has been demonstrated doing IPS at wire speed 25 Gigabit on Tilera processors
What is a SIEM ?
Security Information & Events Management
• Inspects log entries and correlates these to "known threats"
• Identifies network threats using:
  • Signatures
  • Behavioural Analysis
  • Heuristics
• Ranks risk severity "Low, Medium, High"
• Common SIEM are Sagan, OSSIM
• Generally require custom rules for RouterOS
SIEM – Sagan
Sagan is a log analyser:
• Analyses log traffic sent to it via Syslog
• Multi-threaded, scales well on multi-core/multi-processor systems
• Has flexible "rules" that can correlate multiple different events in to a security event.
• Outputs in Snort format allowing for easy integration
Snorby
• Provides a nice Web interface to analyse Suricata / Sagan results
Intrusion Detection for the Lazy
SmoothSec (Ubuntu, Suricata, Snorby)
• Pre-Built "Appliance"
• Works out of the box
• Available from http://bailey.st/blog/smooth-sec/
• Can apt-get install sagan for SIEM functionality
What else can you do with an IPS ?
Accurately detect difficult protocols e.g.
• BitTorrent (including DHT/Trackerless torrents)
• Skype (Signalling and media)
• Youtube (Native and embedded)
• VoIP (Signalling and media)
This can be done on standard and non-standard ports. On match the IPS can change the DSCP tag. Your Mikrotik router can then identify the traffic in mangle using the DSCP tag, and you can then queue this traffic appropriately.
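The router-side half of that arrangement, as an added example that is not from the slides: the IPS is assumed to rewrite matched BitTorrent flows to DSCP 8 before they reach the router, and the DSCP value, mark names and queue limit are placeholders.

```routeros
# Added example (not from the slides). Assumption: the inline IPS sets DSCP 8 on the
# first packets of a flow it classified as BitTorrent; everything below is placeholder.
/ip firewall mangle
# Mark the whole connection once the IPS has tagged any packet of it, so later
# packets (and the reverse direction) are classified even if they carry no DSCP.
add chain=prerouting dscp=8 connection-mark=no-mark action=mark-connection new-connection-mark=bittorrent passthrough=yes comment="IPS tagged this flow as BitTorrent"
# Turn the connection mark into a packet mark that queues can match.
add chain=prerouting connection-mark=bittorrent action=mark-packet new-packet-mark=bittorrent passthrough=no

# Everything carrying the packet mark shares one capped queue, separate from
# the rest of the customer's traffic.
/queue simple
add name=bittorrent packet-marks=bittorrent max-limit=10M/10M comment="placeholder limit"
```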
Protecting your routers
Mikrotik Routers have no security configured by default. There are NO firewall policies, all services are accessible from everywhere. You need to protect yourself or it is only a matter of time before your routers are compromised.
How ?
• Disable unused services (WinBox, Telnet, SSH, WebMin)
• Implement "input" IP filters to:
  • Restrict access to router management
  • Minimise the impact of Denial of Service type attack
• Only allow management access within a dedicated Management VRF (RouterOS 6.x New Routing package)
Protecting your routers – Disabling unused services
Disabling the services you do not use is easy, and once disabled they cannot be attacked. To disable IP services, simply go to IP > Services in Winbox and disable the services you do not need.
Protecting your routers – IP Filtering
Create "input" policies, accepting the protocols you need. E.g. Winbox, SSH, BGP, OSPF, MPLS LDP, PPTP, DNS. Be specific in your policies, only allow these protocols to enter via a specific interface, or use "Address Lists" to limit these to originate from a group of your subnets. Drop everything else.
Protecting your routers – Common Services
Service              Protocol/Port
Winbox               TCP 8291
SSH                  TCP 22
Telnet               TCP 23
Webmin               TCP 80 and TCP 443
OSPF                 OSPF (Protocol 89)
BGP                  TCP 179
MPLS LDP             TCP 646 and UDP 646
Neighbor Discovery   UDP 5678
Btest                UDP 2250-2270
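The "Disabling unused services" and "IP Filtering" slides above, worked through as one RouterOS 6.x configuration (an added example, not from the slides): ether1 is assumed to be the upstream interface, 192.0.2.0/24 the management subnet, 198.51.100.0/24 the customer subnets and 203.0.113.1 the transit BGP peer, all placeholders.

```routeros
# Added example (not from the slides); interface name and subnets are placeholders.

# 1. Turn off every management service that is not used (IP > Services in Winbox),
#    and bind the ones that remain to the management subnet.
/ip service
disable telnet,ftp,www,www-ssl,api,api-ssl
set ssh address=192.0.2.0/24
set winbox address=192.0.2.0/24

# 2. Address lists referenced by the input chain.
/ip firewall address-list
add list=management address=192.0.2.0/24 comment="NOC / management subnet"
add list=bgp-peers address=203.0.113.1 comment="transit provider BGP session"
add list=customers address=198.51.100.0/24 comment="subnets allowed to use our DNS"

# 3. Input chain: accept only the services from the table above that the router
#    actually needs, each restricted by source list or interface; drop the rest.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="replies to the router's own traffic"
add chain=input connection-state=invalid action=drop
add chain=input protocol=tcp dst-port=8291 src-address-list=management action=accept comment="Winbox"
add chain=input protocol=tcp dst-port=22 src-address-list=management action=accept comment="SSH"
add chain=input protocol=ospf in-interface=!ether1 action=accept comment="OSPF, internal links only"
add chain=input protocol=tcp dst-port=179 src-address-list=bgp-peers action=accept comment="BGP"
add chain=input protocol=tcp dst-port=646 in-interface=!ether1 action=accept comment="MPLS LDP"
add chain=input protocol=udp dst-port=646 in-interface=!ether1 action=accept comment="MPLS LDP hello"
add chain=input protocol=udp dst-port=53 src-address-list=customers action=accept comment="DNS for customers"
add chain=input protocol=udp dst-port=5678 in-interface=!ether1 action=accept comment="Neighbor Discovery, never towards the Internet"
add chain=input action=drop log=yes log-prefix="input-drop" comment="Telnet, Webmin, Btest and everything else from anywhere"
```

The final drop rule logs what it discards, which is the quickest way to find a service you forgot to allow before it becomes an outage.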
Protecting your network
As well as protecting your routers from attack, you may want to protect your clients from attacks such as:
• Distributed Denial of Service (DDoS)
• Brute force
• ICMP flooding
And your network from:
• Unauthorised transit
• Customer misuse
Protecting your network – ICMP (Ping) flooding
This example shows the limiting of ICMP traffic. This works by allowing the various types of ICMP traffic at a rate of up to 5 packets a second. If ICMP traffic exceeds this, then it will be dropped.
NOTE: This policy will need tuning if you are using it in your "forward" chain. This policy can be used as-is for protecting your router in the "input" chain.
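The ICMP policy described above for the "input" chain, as an added example that is not from the slides; it assumes the RouterOS 6.x form of the limit matcher (limit=5,5:packet, meaning 5 packets per second with a burst of 5; older releases write limit=5,5).

```routeros
# Added example (not from the slides). Everything ICMP that is addressed to the
# router itself is sent through a dedicated chain that rate-limits each type.
/ip firewall filter
add chain=input protocol=icmp action=jump jump-target=icmp comment="all ICMP to the router goes through the icmp chain"

# Each accepted type gets its own 5 packets/second budget (limit=rate,burst:packet).
add chain=icmp protocol=icmp icmp-options=0:0 limit=5,5:packet action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0-1 limit=5,5:packet action=accept comment="net/host unreachable"
add chain=icmp protocol=icmp icmp-options=3:3 limit=5,5:packet action=accept comment="port unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 limit=5,5:packet action=accept comment="fragmentation needed, keeps PMTUD working"
add chain=icmp protocol=icmp icmp-options=8:0 limit=5,5:packet action=accept comment="echo request (ping)"
add chain=icmp protocol=icmp icmp-options=11:0-1 limit=5,5:packet action=accept comment="TTL exceeded (traceroute)"
# Anything that did not match above: an unlisted type, or a listed type that has
# already used up its 5 packets/second.
add chain=icmp protocol=icmp action=drop comment="other ICMP types and anything over the limit"
```

The limit counter belongs to the rule, not to the source address, so in the "forward" chain these numbers become a budget shared by every customer behind the router, which is the tuning the NOTE above refers to.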
Protecting your network – SSH bruteforce
This example shows protecting your customers from SSH brute force attacks. It works by adding the Source IP of the party originating the SSH session to an address list; if this Source party starts another SSH session within a 1 minute timeframe it escalates it up to the next level of address list. If the source party continues to create new SSH sessions, they will be escalated to the "ssh_blacklist" and will not be able to create SSH sessions for days.
These same techniques can be used for numerous other protocols.
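The staged address-list escalation described above, written out for the "forward" chain as an added example that is not from the slides; 198.51.100.0/24 (the customer subnet being protected), the "management" exemption list and the 10 day blacklist timeout are assumptions.

```routeros
# Added example (not from the slides). add-src-to-address-list does not terminate
# rule processing, so a packet falls through every stage rule it matches; the
# rules are therefore ordered from the highest stage down to the lowest.
/ip firewall filter
# Never let the NOC lock itself out while testing (assumed "management" list).
add chain=forward protocol=tcp dst-port=22 dst-address=198.51.100.0/24 src-address-list=management action=accept
# Anyone already on the blacklist gets no SSH to customers at all.
add chain=forward protocol=tcp dst-port=22 dst-address=198.51.100.0/24 src-address-list=ssh_blacklist action=drop comment="blacklisted for 10 days"
# 4th new session inside the window: escalate to the blacklist.
add chain=forward protocol=tcp dst-port=22 dst-address=198.51.100.0/24 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d
# 3rd new session inside the window: stage2 -> stage3.
add chain=forward protocol=tcp dst-port=22 dst-address=198.51.100.0/24 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m
# 2nd new session inside the window: stage1 -> stage2.
add chain=forward protocol=tcp dst-port=22 dst-address=198.51.100.0/24 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m
# Every new session (re)starts the 1 minute window at stage1.
add chain=forward protocol=tcp dst-port=22 dst-address=198.51.100.0/24 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m
# Sessions that survived the checks above are allowed through.
add chain=forward protocol=tcp dst-port=22 dst-address=198.51.100.0/24 connection-state=new action=accept
```

Check the effect with /ip firewall address-list print where list=ssh_blacklist; a legitimate customer who opens four SSH sessions in one minute will appear there too, so the stage timeouts are the knob to tune.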
What is unauthorised transit ?
Unauthorised transit is when another party uses your routers to provide transit. This is common on Internet Exchanges. Your routers will trust the 3rd party as their prefixes will have been received from the trusted IX; the 3rd party will then route traffic via your router which will route it to one of your transit providers. The 3rd party could now be getting internet bandwidth via your network, at your cost.
Detecting unauthorised transit
This can be done by increasing "visibility" in to your network.
• Use torch on egress port
• Use sflow analytics software (NTOP/Scrutinizer/SolarWinds)
• Look for Source addresses that are not within your IP ranges
Preventing unauthorised transit
This can be prevented by restricting L3 forwarding, and controlling your BGP advertisements.
Restrict Layer 3 transit (routing) of any networks that are NOT our own
• Create an address list containing your subnets
• Create 4 IP filter policies
  • Accept traffic originating from our subnets, to our subnets
  • Accept traffic originating from our subnets to the Internet
  • Accept traffic from the Internet to our subnets
  • Drop all other traffic attempting to forward
Do NOT advertise prefixes that are NOT your own to upstream BGP peers
• Create filter for your upstream peer(s)
  • Accept your subnets
  • Discard everything else
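Both halves of the slide above (the four forward rules and the upstream BGP filter) as one RouterOS 6.x configuration, added here and not from the slides; 198.51.100.0/24 and 203.0.113.0/24 are assumed to be our own subnets and "upstream1" the name of the transit BGP peer.

```routeros
# Added example (not from the slides); subnets and peer name are placeholders.
/ip firewall address-list
add list=our-subnets address=198.51.100.0/24
add list=our-subnets address=203.0.113.0/24

# The four forward policies from the slide, in order. Transit abuse is traffic
# that is neither from nor to our subnets, so it reaches the final drop.
/ip firewall filter
add chain=forward src-address-list=our-subnets dst-address-list=our-subnets action=accept comment="our subnets to our subnets"
add chain=forward src-address-list=our-subnets action=accept comment="our subnets to the Internet"
add chain=forward dst-address-list=our-subnets action=accept comment="Internet to our subnets"
add chain=forward action=drop log=yes log-prefix="transit-drop" comment="someone else's traffic trying to use us for transit"

# Only our own prefixes may be announced upstream; prefixes learned at the IX or
# from customers are discarded so nobody can route through us to our transit.
/routing filter
add chain=upstream-out prefix=198.51.100.0/24 action=accept
add chain=upstream-out prefix=203.0.113.0/24 action=accept
add chain=upstream-out action=discard comment="never re-advertise IX or customer prefixes"

/routing bgp peer
set [find name=upstream1] out-filter=upstream-out
```

The log-prefix on the drop rule doubles as the detection step from the previous slide: the logged source addresses are exactly the ones outside your IP ranges.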
BOGON Filtering
A BOGON is a Bogus IP address. BOGON lists contain ranges of IP addresses that are known to have not been allocated by the Regional Internet Registries (APNIC) for use. These are often used for malicious purposes. BOGON lists can be used on Border Routers as a first line of defence, and can reduce the effect of DoS attacks as well as incoming spam and network scans. As Regional Internet Registry allocations are constantly changing, BOGON lists should not be static.
Using Team CYMRU BOGON BGP feed
1. Request a CYMRU BGP peering session, see www.team-cymru.org
2. Configure your Mikrotik router to peer with Team CYMRU AS65332 (use a loopback)
3. Configure a routing filter to turn all routes received from CYMRU community 65332:888 in to Black Hole routes
Success
4896 BOGON Subnets will now be blocked at the Border of our networks
Route flags: D Dynamic, A Active, b BGP, B Blackhole
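Steps 2 and 3 above as RouterOS 6.x commands, an added example that is not from the slides: 64496 (our AS), 192.0.2.1 (our loopback address) and the CYMRU_PEER_IP / CYMRU_MD5_KEY placeholders are assumptions, the last two being what Team Cymru sends back after the peering request in step 1.

```routeros
# Added example (not from the slides). AS number, loopback address and the two
# CYMRU_* values are placeholders.

# Loopback used as the session source so the peering survives link changes.
/interface bridge
add name=loopback
/ip address
add address=192.0.2.1/32 interface=loopback

# Step 2: multihop eBGP session to Team Cymru's bogon route server, AS65332.
/routing bgp instance
set default as=64496 router-id=192.0.2.1
/routing bgp peer
add name=cymru-bogons remote-address=CYMRU_PEER_IP remote-as=65332 multihop=yes update-source=loopback tcp-md5-key=CYMRU_MD5_KEY in-filter=cymru-in out-filter=cymru-out

# Step 3: every route tagged with community 65332:888 is installed as a blackhole
# route; any other route from this session is discarded, and nothing is sent back.
/routing filter
add chain=cymru-in bgp-communities=65332:888 set-type=blackhole action=accept comment="bogon -> black hole"
add chain=cymru-in action=discard comment="anything untagged from the feed is not trusted"
add chain=cymru-out action=discard comment="we advertise nothing to Cymru"

# Verify: the installed bogon routes carry the B (Blackhole) flag.
/ip route print where type=blackhole
```

Because the feed is dynamic, the blackhole set tracks RIR allocations on its own, which is the reason the previous slide warns against static BOGON lists.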
Preventing Customer Misuse – PPPoE filtering
When backhauling PPPoE to a central concentrator via VPLS/EoIP, you can prevent customers from creating their own networks by using Bridge Filters.
• Use Admin-Mac to create a static MAC on the bridge on PPPoE concentrator
• Bridge Filters:
  • Allow pppoe-discovery to ALL destinations
  • Allow pppoe-session ONLY to PPPoE Server
  • DROP all other traffic
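The three bridge filter rules above, with the Admin-Mac step that makes them possible, as an added example not from the slides; the bridge names ("pppoe-bridge" on the concentrator, "access" on the access router) and the MAC 02:00:5E:00:53:01 are placeholders.

```routeros
# Added example (not from the slides); bridge names and the MAC are placeholders.

# On the PPPoE concentrator: pin the bridge MAC, otherwise it is derived from a
# port and the access routers would have nothing stable to match on.
/interface bridge
set [find name=pppoe-bridge] auto-mac=no admin-mac=02:00:5E:00:53:01

# On each access router, bridge "access" (customer ports plus the VPLS/EoIP uplink).
/interface bridge filter
# Discovery (PADI/PADO/PADR/PADS) may go anywhere, including broadcast.
add chain=forward mac-protocol=pppoe-discovery action=accept comment="pppoe-discovery to ALL destinations"
# Session frames only between a customer and the concentrator's pinned MAC.
add chain=forward mac-protocol=pppoe dst-mac-address=02:00:5E:00:53:01/FF:FF:FF:FF:FF:FF action=accept comment="pppoe-session customer -> PPPoE server"
add chain=forward mac-protocol=pppoe src-mac-address=02:00:5E:00:53:01/FF:FF:FF:FF:FF:FF action=accept comment="pppoe-session PPPoE server -> customer"
# No IP, ARP, DHCP or customer-to-customer PPPoE session across the bridge.
add chain=forward action=drop log=yes log-prefix="bridge-drop" comment="DROP all other traffic"
```

A customer's own PPPoE server can still answer discovery, but since no session frame can reach its MAC the session never comes up, and the logged drops show which port it sits on.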
Preventing Customer Misuse – Rogue DHCP Servers
When operating a DHCP based network, it is common to encounter customers who run a DHCP server on their public facing interface. These are called "Rogue" DHCP servers, and can cause outages to other customers by hijacking their DHCP request and responding with settings that differ to your own DHCP server. Luckily, this is easy to fix using Bridge Filters:
• Accept Input of DHCP requests
• Accept Output of DHCP responses
• Drop forwarding of all DHCP packets
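The three bridge filter rules above as RouterOS commands, an added example that is not from the slides; it assumes the legitimate DHCP server runs on this router's bridge interface, so requests to it arrive via the bridge "input" chain and its replies leave via "output".

```routeros
# Added example (not from the slides). DHCP uses UDP 67 (server) and 68 (client).
/interface bridge filter
# Requests from customer ports to this router's own DHCP server.
add chain=input mac-protocol=ip ip-protocol=udp dst-port=67 action=accept comment="DHCP requests to our server"
# Replies from this router's DHCP server back to customer ports.
add chain=output mac-protocol=ip ip-protocol=udp src-port=67 action=accept comment="DHCP responses from our server"
# DHCP must never be bridged port-to-port: a request that would reach another
# port is looking for a rogue server, and a reply arriving from a port is one.
add chain=forward mac-protocol=ip ip-protocol=udp dst-port=67 action=drop log=yes log-prefix="rogue-dhcp" comment="request towards another port"
add chain=forward mac-protocol=ip ip-protocol=udp src-port=67 action=drop log=yes log-prefix="rogue-dhcp" comment="reply from a port = rogue server"
```

The second forward rule is also the detection: its log entries carry the source MAC and in-port of every rogue server that tries to answer.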
Questions ?