MikroTik Router OS Firewall .Firewall Best Practices Populate a Router with the Maximum RAM...


http://wirelessconnect.eu/ Copyright 2007 -2010 1

MikroTik Router OS Firewall Strategies
MikroTik Router OS Network Threats and Countermeasures
Speaker: Tom Smyth, CTO, Wireless Connect Ltd.
Location: Wroclaw, Poland
Date: 1st of March

Wireless Connect Ltd.
  Irish Company Incorporated in 2006
  Operate an ISP in the centre of Ireland
  Good Infrastructure Expertise
  Certified MikroTik Partners: Training, Certified OEM Integrators, Consultants, Distributor & Value Added Reseller

Speaker Profile
  Studied BEng. Mechanical & Electronic Engineering, DCU, Ireland
  Have been working in Industry since 2000: Server Infrastructure Engineer, Systems / Network Administrator, IS Architect, Internet Security Consultant
  1st MikroTik Certified Trainer in Ireland, June 2007

Ogma Connect
  A Collaborative Effort involved in the development and support of MikroTik Powered Appliances
  Ogma Connect's name comes from the Ancient God of Communications and eloquence, whose name was Oghma
  Oghma was credited with the invention of the written language Ogham, which is found carved in stones that mark the land of ancient tribes throughout the once vast Celtic world in northern & western Europe
  We want people to be able to connect with each other eloquently, efficiently and elegantly
  http://ogmaconnect.com/

Presentation Objectives
  IP v4 Firewall Systems Concepts
  Outline what a firewall can and cannot do
  Discuss Prevalent Network Attacks and Mitigation Strategies
  Structure the Firewall in a security-centric manner
  Create policy-based rule sets
  Protocol Specific Filtering
  Proxy, specifically Http Proxy

Sources of Security Information
  ENISA http://www.enisa.europa.eu/
  OWASP http://owasp.org
  Rits Group http://www.ritsgroup.com/
  SANS Institute http://sans.org
  CIS Centre for Internet Security http://cisecurity.org/
  NIST Computer Security http://csrc.nist.gov/
  OpenBSD http://OpenBSD.org/
  Spamhaus.org http://spamhaus.org
  nmap.org http://nmap.org
  ha.ckers.org http://ha.ckers.org/

Firewall Systems
  One or more systems combined to achieve a desired security objective
  There are multiple ways firewall systems handle traffic: Routing, NATing, Bridging, Proxying

Firewall Design Objectives
  To implement a security policy by classifying, validating, logging and ultimately reacting to traffic:
    Flowing to the system
    Flowing through the system
    Flowing from the system
  Legitimate / useful traffic for users and systems should:
    Not be Blocked
    Not be Corrupted
    Not be Slowed or Hampered Beyond Strict Tolerances
  Protect the users / systems behind it, and itself

Firewall Capabilities
  Can identify traffic according to the following:
    Entry interface
    Exit interface
    Source Address (Source Address List)
    Destination Address (Destination Address List)
    Address Types
    Protocol type (number)
    Protocol port (source and destination)
    Message type (ICMP)
    State of the Connection
    IP V4 Options
    TCP Flags
    Number of Concurrent Connections
    Packet Rate
    Packet Size
    Packet Fragmentation
    Layer 7 Packet Matching (unencrypted)

Firewall Limitations
  Firewalls generally have difficulty with the following:
    Protocol Validation / Filtration
    Deep packet inspection beyond the first 10 packets / 2.5KB of data in the stream
    Inspection of encrypted data streams such as SSH sessions, HTTPS, IPsec, TLS Protected Connections

Firewall Limitations
  Don't worry, proxies pick up where firewalls leave off...
  Proxies allow fine control over specific protocols :)
  Limitations are not a problem for inherently safe protocols
  For unsafe protocols, proxies can provide some damage limitation


Proxy

What is a Proxy
  It is a service that accepts connections from a client and in turn makes a request to another server
  2 Connections for each Accepted Request: Client to the Proxy, Proxy to the Server
  1 Connection for each Rejected Request
  HTTP Firewall (understands http):
    RFC Compliance Checking
    Blocking non-http protocols running on port 80
    Disable Certain Dangerous Requests
    Block Content

Proxy Limitation
  Can't Reverse Proxy SSL / TLS Settings :(
  However one can use Stunnel to decrypt the SSL Traffic before it hits the reverse proxy :)

Example Http Reverse Proxy
  1. Web Client Makes Https Request
  2. Stunnel Decrypts the Request & forwards to Reverse Proxy
  3. Reverse Proxy Analyses Request
  4. Proxy Accepts & Relays Request
  5. Http Server Responds to Proxy Request
  6. Proxy forwards Response to Stunnel
  7. Client receives the Webpage

What if the Proxy Says No?
  1. Proxy Sends Error Msg To Stunnel
  2. Client Receives Error Message

Http Proxy / Reverse Http Proxy
  Identical, except:
  Http Proxy serves to protect clients; Http Reverse Proxy serves to protect servers
  Http Proxy can access any Server from a few clients; Http Reverse Proxy can access few servers and is available to any client
  Http Proxy utilises External DNS Servers for Name Resolution; Http Reverse Proxy uses a local DNS for Name Resolution

Reverse Proxy Setup
  Same as a standard Proxy Setup except for the following changes:
    Proxy Listens on Port 80 (or redirect to proxy port)
    Static local DNS entries are set up on the reverse proxy
    External DNS servers point protected hostnames at the external IP of the Reverse Proxy
    Proxy is heavily firewalled, usual precautions apply
    Firewall Rules: no outbound connections allowed except for
      Http tcp port 80 to your webserver
      Network Syslog udp port 514
      NTP Server Requests udp port 123
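The egress policy listed above, written out as RouterOS firewall filter rules for the reverse-proxy box itself. This is an added example, not a slide from the deck; the interface name ether1-wan, the address-list names and all 10.0.x.x addresses are constructed placeholders.

```routeros
# Added example, not from the deck: host firewall for the reverse-proxy router.
# ether1-wan, the list names and all 10.0.x.x addresses are constructed placeholders.
/ip firewall address-list
add list=webservers address=10.0.10.10 comment="protected HTTP server (constructed)"
add list=mgmt address=10.0.20.0/24 comment="admin network (constructed)"
add list=syslog address=10.0.20.5 comment="syslog collector (constructed)"

/ip firewall filter
# input chain: what may reach the proxy box itself
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=tcp dst-port=80 in-interface=ether1-wan action=accept comment="clients reach the reverse proxy on port 80"
add chain=input protocol=tcp dst-port=22,8291 src-address-list=mgmt action=accept comment="ssh/winbox only from the admin network"
add chain=input action=drop comment="everything else aimed at the box"

# output chain: the proxy may only initiate what the slide lists
add chain=output connection-state=established,related action=accept
add chain=output protocol=tcp dst-port=80 dst-address-list=webservers action=accept comment="proxy -> protected web server"
add chain=output protocol=udp dst-port=514 dst-address-list=syslog action=accept comment="remote syslog"
add chain=output protocol=udp dst-port=123 action=accept comment="NTP"
add chain=output action=log log-prefix="proxy-egress-drop" comment="anything else leaving the box is worth a log line"
add chain=output action=drop comment="no other outbound connections"
```

A proxy box that suddenly produces proxy-egress-drop log lines is trying to talk to something it never should, which is the earliest sign you get that the proxy itself has been compromised.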

Http Firewall
  Proxy access list provides the option to filter on:
    DNS names
    Urls
    Filetypes
    Url paths designed to hack http servers
    Ports
    IP address
  You can redirect to specific pages:
    Home page of your website
    Custom Error Pages giving as much or as little information as you require

Http Firewall Building Approach
  Block Unwanted Requests for telnet, smtp, ftp ports
  Block Unwanted / Unrequired Http Methods
  Block URL Paths containing Dangerous Characters
  Prevent IP Obfuscation Requests
  Allow White-listed Servers
  Deny access to disallowed ports
  Deny Proxying access to Local Networks
  Deny Proxying access to any other system

Block / Allow Selected Http Methods
  Only allow Required Methods (Safest): HEAD, GET, POST
  Block potentially dangerous Types of HTTP Methods: TRACE, CONNECT, DELETE, PUT, OPTIONS


Example of Http firewall Rules

Path Rule Example
  http://example.com/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

Web Proxy Access Rule
  Add an access rule as follows:

Protecting sensitive files in poorly configured Servers
  Deny access to the following url paths:
    Any . files in Linux
    /etc/
    /etc/shadow
    /var/mysql/
    /var/log
    /system32
    /sysWOW
    /WinNT
    /Winnt

Proxy Limitation
  ASCII character codes (percent-encoded bytes) are not decoded by the proxy before matching, but they are by webservers, e.g.
    ros.php = %2F%72%6F%73%2E%70%68%70
    http://example.com/ros.php = http://example.com%2F%72%6F%73%2E%70%68%70 = http://example.com/72%6F%73.%70h%70
  Solution: use Regular expressions :)
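An access list implementing the building approach, the method, sensitive-path and path-rule slides above, and the regular-expression answer to percent-encoding, added here as an example on a RouterOS reverse proxy (it is not the screenshot the deck showed). The site name www.example.com and the backend address 10.0.10.10 are constructed; the PHP-probe rule assumes, which the slides do not state, that the path match sees the query string, and the encoded-character rules use RouterOS's leading-colon regular-expression form.

```routeros
# Added example, not the deck's screenshot: reverse-proxy access list for the
# slides above. www.example.com and 10.0.10.10 are constructed values.
/ip service set www disabled=yes
/ip proxy set enabled=yes port=80
/ip dns static add name=www.example.com address=10.0.10.10 comment="local name for the protected server (constructed)"

/ip proxy access
# rules are matched top-down, first match wins; a request that matches no
# rule is allowed, so the list must end with an explicit deny
add dst-port=21 action=deny comment="no ftp/telnet/smtp through the proxy"
add dst-port=23 action=deny
add dst-port=25 action=deny
add method=trace action=deny comment="methods the site does not need"
add method=connect action=deny
add method=delete action=deny
add method=put action=deny
add method=options action=deny
add path="*/.*" action=deny comment="dot files such as .htaccess or .git"
add path="*/etc/*" action=deny comment="unix system paths"
add path="*/var/log*" action=deny
add path="*/var/mysql*" action=deny
add path="*/system32*" action=deny comment="windows system paths"
add path="*/sysWOW*" action=deny
add path="*/WinNT*" action=deny
add path="*/Winnt*" action=deny
# PHP easter-egg probe from the path rule slide; assumes the query string is part of the matched path
add path="*=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000" action=deny redirect-to=www.example.com/denied.html
# a regular expression (leading ':') matches ros.php whether each character
# arrives literally or percent-encoded, which the wildcard rules above miss
add path=":(r|%72)(o|%6[fF])(s|%73)([.]|%2[eE])(p|%70)(h|%68)(p|%70)" action=deny comment="ros.php in any encoding"
# hosts written as a raw address instead of a name (IP obfuscation)
add dst-host=":^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+" action=deny comment="dotted-quad host"
add dst-host=":^0x" action=deny comment="hex host"
# the only traffic this proxy exists for: safe methods to the protected site
add dst-host=www.example.com method=get action=allow
add dst-host=www.example.com method=head action=allow
add dst-host=www.example.com method=post action=allow
# everything else: local networks, other servers, other methods
add dst-address=10.0.0.0/8 action=deny comment="no proxying into local networks"
add dst-address=172.16.0.0/12 action=deny
add dst-address=192.168.0.0/16 action=deny
add action=deny comment="deny whatever is not explicitly allowed above"
```

The hits column of /ip proxy access print shows which rules fire, which is the quickest check that a new deny rule actually matches the encoded request you sent it.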
