SlideShare une entreprise Scribd logo

MikroTik Firewall : Securing your Router with Port Knocking

Akbar Azwir, MM, PMP, PMI-SP, PSM I, CISSP
Akbar Azwir, MM, PMP, PMI-SP, PSM I, CISSP

This presentation was presented at MUM Indonesia at Bali in 2008. Discussed about how to put extra layer of security into your MikroTik Router using Port Knocking mechanism.

Technologie
1  sur  28
Télécharger pour lire hors ligne
Mikrotik Firewall Securing Your Router With Port Knocking
Introduction  Name : Akbar  Mikrotik User Since : Mid 2005  IT Manager @ Agung Sedayu Group  Trainer For Ufoakses Mikrotik Training  www.forummikrotik.com  akbar@forummikrotik.com Forum Mikrotik Indonesia www.forummikrotik.com 2
What is Port Knocking ?  Port Knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports  Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s) Forum Mikrotik Indonesia www.forummikrotik.com 3
Port Knocking Process Connection Attempt to Router with Winbox or Telnet or SSH Connection Attempt Rejected / Drop Knock : Connection Attempt to Pre Defined Port Firewall Rules Dynamically Modified to Allow Access From That Host Connection Attempt to Router with Winbox or Telnet or SSH Connection Granted Host Router with Firewall Forum Mikrotik Indonesia www.forummikrotik.com 4
Why Port Knocking ?  The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan, because unless the attacker sends the correct knock sequence, the protected ports will appear closed. Forum Mikrotik Indonesia www.forummikrotik.com 5
When to Use Port Knocking ?  When you need to do remote configuration or monitoring from remote area  When you try to decrease brute force attack Forum Mikrotik Indonesia www.forummikrotik.com 6
How to Apply Port Knocking in Mikrotik ? Forum Mikrotik Indonesia www.forummikrotik.com 7  Using :  Firewall Filter  Address List  Knock Application Please download the application from : www.zeroflux.org
The Basic of Firewall Filter Forum Mikrotik Indonesia www.forummikrotik.com 8
The Basic of Firewall Filter  Firewall Filter is used for packet filtering  Firewall Filter consist of IF-THEN rules IF <conditions> THEN <action>  Firewall Filter is done in sequential top to bottom  Firewall Filter are organized in chains Forum Mikrotik Indonesia www.forummikrotik.com 9
The Basic of Firewall Filter  Input : Processes packets addressed to the router itself  Output : Processes packets sent by the router itself  Forward : processes traffic sent through the router Forum Mikrotik Indonesia www.forummikrotik.com 10
Chain Input Forum Mikrotik Indonesia www.forummikrotik.com 11
Chain Output Forum Mikrotik Indonesia www.forummikrotik.com 12
Chain Forward Forum Mikrotik Indonesia www.forummikrotik.com 13
Firewall Filter Action  Accept – accept the packet. No action is taken, I.e the packet is passed thourgh and no more rules applied to it  Add-dst-to-address-list – adds destination address of an IP packet to the address list specified by address-list parameter  Add-src-to-address-list – adds source address of an IP packet to the address list specified by address-list parameter  Drop – silently drop the packet (without sending the ICMP reject messege)  Jump – jump to the chain specified by the value of the jump-target-parameter  Log – each match with this action will add a messege to the system log  Passthrogh – ignores this rule and goes on the next one  Reject – reject the packet and send an ICMP reject messege  Return – passes control back to the chain where the jump took place  Tarpit – captures and hold incoming TCP connections (replies with SYN/ACK to the inbound TCP SYN packet Forum Mikrotik Indonesia www.forummikrotik.com 14
IP Address List  You can also define group of IP address using “IP address List”  IP address List can be used in Firewall Rules to apply certain action  You can use mangle or firewall filter rule to dynamicly add IP address to IP address List certain time limit Forum Mikrotik Indonesia www.forummikrotik.com 15
Let’s Start Implementing Port Knocking in Mikrotik Router OS… Forum Mikrotik Indonesia www.forummikrotik.com 16
Case Studies 192.168.33.254 LAN 10.1.1.254 192.168.33.0/24 Internet Mikrotik Router Forum Mikrotik Indonesia www.forummikrotik.com 17 Remote Area (Home, Café, etc)
Case Studies  We only allowed access to router only from several IP from LAN :  192.168.33.10 Until 192.168.33.20  Different IP from LAN have to knock first before gain access to router  Remote area from Internet have to knock first before gain access to router Forum Mikrotik Indonesia www.forummikrotik.com 18
Case Studies  We will only allowed access to router from address list named “Safe Haven”  Other have to knock first to :  Protocol TCP, Port 1337  Protocol UDP, Port 17954 Forum Mikrotik Indonesia www.forummikrotik.com 19
Adding Allowed LAN Address to Address List add address=192.168.33.10-192.168.33.20 comment="" disabled=no list= "Save Haven" Forum Mikrotik Indonesia www.forummikrotik.com 20
Knock Rules 1 add action=add-src-to-address-list address-list=knock-knock address-list-timeout= 15s chain=input comment="Knock 1" disabled=no dst-port=1337 Forum Mikrotik Indonesia www.forummikrotik.com 21 protocol=tcp
Knock Rules 2 add action=add-src-to-address-list address-list="Save Haven“ address-list-timeout= 3h chain=input comment="Knock 2 - OK" disabled=no dst-port=17954 protocol=udp src-address-list=knock-knock Forum Mikrotik Indonesia www.forummikrotik.com 22
Only Allowing “Save Haven” to Connect to the router add action=accept chain=input comment="Only Allow Access from Save Haven" disabled=no src-address-list="Save Haven" Forum Mikrotik Indonesia www.forummikrotik.com 23
Drop Everything Else add action=drop chain=input comment="Drop Everything Else" disabled=no Forum Mikrotik Indonesia www.forummikrotik.com 24
Configuration Here’s the configuration for port knocking. Just make sure you don’t change the sequence or this will not worked Forum Mikrotik Indonesia www.forummikrotik.com 25
Knock Attempt  Hosts have to Knock the correct ports  Hosts IP Address that have knocked the correct ports will be put in dynamically to “Save Haven” Address List  Hosts can access router Forum Mikrotik Indonesia www.forummikrotik.com 26
Forum Mikrotik Indonesia www.forummikrotik.com 27 Closing  Port Knocking is useful for securing the router  Port Knocking is also useful to decrease a brute force attack  Port Knocking has it’s weakness also:  It' s possible to spy out the knocking sequence by sniffing the network  It' s necessary to have a special knocking-client  Port Knocking is only one method to secure the router, best to combine this with other methods.
Thank You Your Question Will be Appreciated Forum Mikrotik Indonesia www.forummikrotik.com 28

Recommandé

Mikrotik Hotspot User Manager
Mikrotik Hotspot User ManagerMikrotik Hotspot User Manager
Mikrotik Hotspot User ManagerKHNOG
 
Using mikrotik with radius
Using mikrotik with radiusUsing mikrotik with radius
Using mikrotik with radiusAchmad Mardiansyah
 
HOTSPOT on MikroTik Router
HOTSPOT on MikroTik RouterHOTSPOT on MikroTik Router
HOTSPOT on MikroTik RouterKHNOG
 
MikroTik Security
MikroTik SecurityMikroTik Security
MikroTik SecurityRofiq Fauzi
 
Mikro tik advanced training
Mikro tik advanced trainingMikro tik advanced training
Mikro tik advanced trainingJignesh H. Bhalsod
 
Mikrotik Hotspot With Queue Tree BW Management
Mikrotik Hotspot With Queue Tree BW ManagementMikrotik Hotspot With Queue Tree BW Management
Mikrotik Hotspot With Queue Tree BW Managementgopartheredbuff
 
VLANs in the Linux Kernel
VLANs in the Linux KernelVLANs in the Linux Kernel
VLANs in the Linux KernelKernel TLV
 
MikroTik & RouterOS
MikroTik & RouterOSMikroTik & RouterOS
MikroTik & RouterOSFaelix Ltd
 

Recommandé

Mikrotik Hotspot User Manager
Mikrotik Hotspot User ManagerMikrotik Hotspot User Manager
Mikrotik Hotspot User ManagerKHNOG
 
Using mikrotik with radius
Using mikrotik with radiusUsing mikrotik with radius
Using mikrotik with radiusAchmad Mardiansyah
 
HOTSPOT on MikroTik Router
HOTSPOT on MikroTik RouterHOTSPOT on MikroTik Router
HOTSPOT on MikroTik RouterKHNOG
 
MikroTik Security
MikroTik SecurityMikroTik Security
MikroTik SecurityRofiq Fauzi
 
Mikro tik advanced training
Mikro tik advanced trainingMikro tik advanced training
Mikro tik advanced trainingJignesh H. Bhalsod
 
Mikrotik Hotspot With Queue Tree BW Management
Mikrotik Hotspot With Queue Tree BW ManagementMikrotik Hotspot With Queue Tree BW Management
Mikrotik Hotspot With Queue Tree BW Managementgopartheredbuff
 
VLANs in the Linux Kernel
VLANs in the Linux KernelVLANs in the Linux Kernel
VLANs in the Linux KernelKernel TLV
 
MikroTik & RouterOS
MikroTik & RouterOSMikroTik & RouterOS
MikroTik & RouterOSFaelix Ltd
 
VLAN on mikrotik
VLAN on mikrotikVLAN on mikrotik
VLAN on mikrotikAchmad Mardiansyah
 
Mikrotik router os qos best practice
Mikrotik router os qos best practiceMikrotik router os qos best practice
Mikrotik router os qos best practiceBassel Kablawi
 
Mikrotik fasttrack
Mikrotik fasttrackMikrotik fasttrack
Mikrotik fasttrackAchmad Mardiansyah
 
Konfigurasi VLAN di SwitchOS MikroTik
Konfigurasi VLAN di SwitchOS MikroTikKonfigurasi VLAN di SwitchOS MikroTik
Konfigurasi VLAN di SwitchOS MikroTikAdhie Lesmana
 
Mikrotik load balansing
Mikrotik load balansingMikrotik load balansing
Mikrotik load balansingКирилл Кекер
 
Mikrotik firewall filter
Mikrotik firewall filterMikrotik firewall filter
Mikrotik firewall filterAchmad Mardiansyah
 
Mikrotik Hotspot
Mikrotik HotspotMikrotik Hotspot
Mikrotik HotspotGLC Networks
 
Cisco ASA Firewalls
Cisco ASA FirewallsCisco ASA Firewalls
Cisco ASA FirewallsBryley Systems Inc.
 
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)NetProtocol Xpert
 
Tunnel vs VPN on Mikrotik
Tunnel vs VPN on MikrotikTunnel vs VPN on Mikrotik
Tunnel vs VPN on MikrotikGLC Networks
 
Tutorial radius client mikrotik
Tutorial radius client mikrotikTutorial radius client mikrotik
Tutorial radius client mikrotikAdi Utami
 
BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1GLC Networks
 
(Mikrotik)MTCNA presentation Material-IDN
(Mikrotik)MTCNA presentation Material-IDN(Mikrotik)MTCNA presentation Material-IDN
(Mikrotik)MTCNA presentation Material-IDNAndry Ansah
 
Chapter 16 : inter-vlan routing
Chapter 16 : inter-vlan routingChapter 16 : inter-vlan routing
Chapter 16 : inter-vlan routingteknetir
 
Mikrotik Bridge Deep Dive
Mikrotik Bridge Deep DiveMikrotik Bridge Deep Dive
Mikrotik Bridge Deep DiveGLC Networks
 
MTCNA - MikroTik Certified Network Associate - v2
MTCNA - MikroTik Certified Network Associate - v2MTCNA - MikroTik Certified Network Associate - v2
MTCNA - MikroTik Certified Network Associate - v2Yaser Rahmati
 
Basic command to configure mikrotik
Basic command to configure mikrotikBasic command to configure mikrotik
Basic command to configure mikrotikTola LENG
 
Fools your enemy with MikroTik
Fools your enemy with MikroTikFools your enemy with MikroTik
Fools your enemy with MikroTikDidiet Kusumadihardja
 
Soal Linux Actual - ITNSA LKS SMK Tingkat Provinsi NTB 2021
Soal Linux Actual - ITNSA LKS SMK Tingkat Provinsi NTB 2021Soal Linux Actual - ITNSA LKS SMK Tingkat Provinsi NTB 2021
Soal Linux Actual - ITNSA LKS SMK Tingkat Provinsi NTB 2021I Putu Hariyadi
 
BGP on mikrotik
BGP on mikrotikBGP on mikrotik
BGP on mikrotikAchmad Mardiansyah
 
Ukk tkj p1 proxy mikrotik2014 2015
Ukk tkj p1 proxy mikrotik2014 2015Ukk tkj p1 proxy mikrotik2014 2015
Ukk tkj p1 proxy mikrotik2014 2015Riza Hafizhuddin
 
SETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEX
SETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEXSETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEX
SETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEXKadek Kamastika
 

Contenu connexe

Tendances

Mikrotik router os qos best practice
Mikrotik router os qos best practiceMikrotik router os qos best practice
Mikrotik router os qos best practiceBassel Kablawi
 
Konfigurasi VLAN di SwitchOS MikroTik
Konfigurasi VLAN di SwitchOS MikroTikKonfigurasi VLAN di SwitchOS MikroTik
Konfigurasi VLAN di SwitchOS MikroTikAdhie Lesmana
 
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)NetProtocol Xpert
 
Tunnel vs VPN on Mikrotik
Tunnel vs VPN on MikrotikTunnel vs VPN on Mikrotik
Tunnel vs VPN on MikrotikGLC Networks
 
Tutorial radius client mikrotik
Tutorial radius client mikrotikTutorial radius client mikrotik
Tutorial radius client mikrotikAdi Utami
 
BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1GLC Networks
 
(Mikrotik)MTCNA presentation Material-IDN
(Mikrotik)MTCNA presentation Material-IDN(Mikrotik)MTCNA presentation Material-IDN
(Mikrotik)MTCNA presentation Material-IDNAndry Ansah
 
Chapter 16 : inter-vlan routing
Chapter 16 : inter-vlan routingChapter 16 : inter-vlan routing
Chapter 16 : inter-vlan routingteknetir
 
Mikrotik Bridge Deep Dive
Mikrotik Bridge Deep DiveMikrotik Bridge Deep Dive
Mikrotik Bridge Deep DiveGLC Networks
 
MTCNA - MikroTik Certified Network Associate - v2
MTCNA - MikroTik Certified Network Associate - v2MTCNA - MikroTik Certified Network Associate - v2
MTCNA - MikroTik Certified Network Associate - v2Yaser Rahmati
 
Basic command to configure mikrotik
Basic command to configure mikrotikBasic command to configure mikrotik
Basic command to configure mikrotikTola LENG
 
Soal Linux Actual - ITNSA LKS SMK Tingkat Provinsi NTB 2021
Soal Linux Actual - ITNSA LKS SMK Tingkat Provinsi NTB 2021Soal Linux Actual - ITNSA LKS SMK Tingkat Provinsi NTB 2021
Soal Linux Actual - ITNSA LKS SMK Tingkat Provinsi NTB 2021I Putu Hariyadi
 

Tendances (20)

VLAN on mikrotik
VLAN on mikrotikVLAN on mikrotik
VLAN on mikrotik
 
Mikrotik router os qos best practice
Mikrotik router os qos best practiceMikrotik router os qos best practice
Mikrotik router os qos best practice
 
Mikrotik fasttrack
Mikrotik fasttrackMikrotik fasttrack
Mikrotik fasttrack
 
Konfigurasi VLAN di SwitchOS MikroTik
Konfigurasi VLAN di SwitchOS MikroTikKonfigurasi VLAN di SwitchOS MikroTik
Konfigurasi VLAN di SwitchOS MikroTik
 
Mikrotik load balansing
Mikrotik load balansingMikrotik load balansing
Mikrotik load balansing
 
Mikrotik firewall filter
Mikrotik firewall filterMikrotik firewall filter
Mikrotik firewall filter
 
Mikrotik Hotspot
Mikrotik HotspotMikrotik Hotspot
Mikrotik Hotspot
 
Cisco ASA Firewalls
Cisco ASA FirewallsCisco ASA Firewalls
Cisco ASA Firewalls
 
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)
 
Tunnel vs VPN on Mikrotik
Tunnel vs VPN on MikrotikTunnel vs VPN on Mikrotik
Tunnel vs VPN on Mikrotik
 
Tutorial radius client mikrotik
Tutorial radius client mikrotikTutorial radius client mikrotik
Tutorial radius client mikrotik
 
BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1
 
(Mikrotik)MTCNA presentation Material-IDN
(Mikrotik)MTCNA presentation Material-IDN(Mikrotik)MTCNA presentation Material-IDN
(Mikrotik)MTCNA presentation Material-IDN
 
Chapter 16 : inter-vlan routing
Chapter 16 : inter-vlan routingChapter 16 : inter-vlan routing
Chapter 16 : inter-vlan routing
 
Mikrotik Bridge Deep Dive
Mikrotik Bridge Deep DiveMikrotik Bridge Deep Dive
Mikrotik Bridge Deep Dive
 
MTCNA - MikroTik Certified Network Associate - v2
MTCNA - MikroTik Certified Network Associate - v2MTCNA - MikroTik Certified Network Associate - v2
MTCNA - MikroTik Certified Network Associate - v2
 
Basic command to configure mikrotik
Basic command to configure mikrotikBasic command to configure mikrotik
Basic command to configure mikrotik
 
Fools your enemy with MikroTik
Fools your enemy with MikroTikFools your enemy with MikroTik
Fools your enemy with MikroTik
 
Soal Linux Actual - ITNSA LKS SMK Tingkat Provinsi NTB 2021
Soal Linux Actual - ITNSA LKS SMK Tingkat Provinsi NTB 2021Soal Linux Actual - ITNSA LKS SMK Tingkat Provinsi NTB 2021
Soal Linux Actual - ITNSA LKS SMK Tingkat Provinsi NTB 2021
 
BGP on mikrotik
BGP on mikrotikBGP on mikrotik
BGP on mikrotik
 

Similaire à MikroTik Firewall : Securing your Router with Port Knocking

Ukk tkj p1 proxy mikrotik2014 2015
Ukk tkj p1 proxy mikrotik2014 2015Ukk tkj p1 proxy mikrotik2014 2015
Ukk tkj p1 proxy mikrotik2014 2015Riza Hafizhuddin
 
SETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEX
SETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEXSETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEX
SETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEXKadek Kamastika
 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu Alessandro De Suoodh
 
Chapter_Five[1].ppt
Chapter_Five[1].pptChapter_Five[1].ppt
Chapter_Five[1].pptBachaSirata
 
Modul 3 Firewalll.ppt
Modul 3 Firewalll.pptModul 3 Firewalll.ppt
Modul 3 Firewalll.pptcemporku
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewallsphanleson
 
CCNA Security 09- ios firewall fundamentals
CCNA Security 09- ios firewall fundamentalsCCNA Security 09- ios firewall fundamentals
CCNA Security 09- ios firewall fundamentalsAhmed Habib
 
Router security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summaryRouter security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summarymoonmanik
 
Firewall arch by Tareq Hanaysha
Firewall arch by Tareq HanayshaFirewall arch by Tareq Hanaysha
Firewall arch by Tareq HanayshaHanaysha
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsPriyanka Aash
 
Configure Mikrotik Khmer.pdf
Configure Mikrotik Khmer.pdfConfigure Mikrotik Khmer.pdf
Configure Mikrotik Khmer.pdfBT Digital
 
Cisco discovery drs ent module 8 - v.4 in english.
Cisco discovery drs ent module 8 - v.4 in english.Cisco discovery drs ent module 8 - v.4 in english.
Cisco discovery drs ent module 8 - v.4 in english.igede tirtanata
 
Floodlight with Firewall and Network Virtualization
Floodlight with Firewall and Network VirtualizationFloodlight with Firewall and Network Virtualization
Floodlight with Firewall and Network VirtualizationAnkita Mandekar
 
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdf
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdfNote I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdf
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdfezonesolutions
 

Similaire à MikroTik Firewall : Securing your Router with Port Knocking (20)

Ukk tkj p1 proxy mikrotik2014 2015
Ukk tkj p1 proxy mikrotik2014 2015Ukk tkj p1 proxy mikrotik2014 2015
Ukk tkj p1 proxy mikrotik2014 2015
 
SETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEX
SETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEXSETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEX
SETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEX
 
Tutorial mikrotik step by step
Tutorial mikrotik step by stepTutorial mikrotik step by step
Tutorial mikrotik step by step
 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu
 
Chapter_Five[1].ppt
Chapter_Five[1].pptChapter_Five[1].ppt
Chapter_Five[1].ppt
 
Modul 3 Firewalll.ppt
Modul 3 Firewalll.pptModul 3 Firewalll.ppt
Modul 3 Firewalll.ppt
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
 
100197
100197100197
100197
 
Firewall Facts
Firewall FactsFirewall Facts
Firewall Facts
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewalls
 
CCNA Security 09- ios firewall fundamentals
CCNA Security 09- ios firewall fundamentalsCCNA Security 09- ios firewall fundamentals
CCNA Security 09- ios firewall fundamentals
 
Router security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summaryRouter security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summary
 
Firewall arch by Tareq Hanaysha
Firewall arch by Tareq HanayshaFirewall arch by Tareq Hanaysha
Firewall arch by Tareq Hanaysha
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS Firewalls
 
Configure Mikrotik Khmer.pdf
Configure Mikrotik Khmer.pdfConfigure Mikrotik Khmer.pdf
Configure Mikrotik Khmer.pdf
 
Cisco discovery drs ent module 8 - v.4 in english.
Cisco discovery drs ent module 8 - v.4 in english.Cisco discovery drs ent module 8 - v.4 in english.
Cisco discovery drs ent module 8 - v.4 in english.
 
Floodlight with Firewall and Network Virtualization
Floodlight with Firewall and Network VirtualizationFloodlight with Firewall and Network Virtualization
Floodlight with Firewall and Network Virtualization
 
Set review 1
Set review 1Set review 1
Set review 1
 
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdf
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdfNote I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdf
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdf
 
Firewalls (6)
Firewalls (6)Firewalls (6)
Firewalls (6)
 

Plus de Akbar Azwir, MM, PMP, PMI-SP, PSM I, CISSP

Plus de Akbar Azwir, MM, PMP, PMI-SP, PSM I, CISSP (7)

Multi-criteria Decision Making dengan Advance Hierarchy Process
Multi-criteria Decision Making dengan Advance Hierarchy Process Multi-criteria Decision Making dengan Advance Hierarchy Process
Multi-criteria Decision Making dengan Advance Hierarchy Process
 
Open Zoom Conference - Let's talk about PMP Certification
Open Zoom Conference - Let's talk about PMP CertificationOpen Zoom Conference - Let's talk about PMP Certification
Open Zoom Conference - Let's talk about PMP Certification
 
Risks in Project
Risks in ProjectRisks in Project
Risks in Project
 
Blockchain presentation for prudential
Blockchain presentation for prudentialBlockchain presentation for prudential
Blockchain presentation for prudential
 
Mikrotik RouterOS Security Audit Checklist by Akbar Azwir
Mikrotik RouterOS Security Audit Checklist by Akbar AzwirMikrotik RouterOS Security Audit Checklist by Akbar Azwir
Mikrotik RouterOS Security Audit Checklist by Akbar Azwir
 
Introduction to MikroTik RouterOS API
Introduction to MikroTik RouterOS APIIntroduction to MikroTik RouterOS API
Introduction to MikroTik RouterOS API
 
Abac and the evolution of access control
Abac and the evolution of access controlAbac and the evolution of access control
Abac and the evolution of access control
 

Dernier

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 

Dernier (20)

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

MikroTik Firewall : Securing your Router with Port Knocking

  • 1. Mikrotik Firewall Securing Your Router With Port Knocking
  • 2. Introduction  Name : Akbar  Mikrotik User Since : Mid 2005  IT Manager @ Agung Sedayu Group  Trainer For Ufoakses Mikrotik Training  www.forummikrotik.com  akbar@forummikrotik.com Forum Mikrotik Indonesia www.forummikrotik.com 2
  • 3. What is Port Knocking ?  Port Knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports  Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s) Forum Mikrotik Indonesia www.forummikrotik.com 3
  • 4. Port Knocking Process Connection Attempt to Router with Winbox or Telnet or SSH Connection Attempt Rejected / Drop Knock : Connection Attempt to Pre Defined Port Firewall Rules Dynamically Modified to Allow Access From That Host Connection Attempt to Router with Winbox or Telnet or SSH Connection Granted Host Router with Firewall Forum Mikrotik Indonesia www.forummikrotik.com 4
  • 5. Why Port Knocking ?  The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan, because unless the attacker sends the correct knock sequence, the protected ports will appear closed. Forum Mikrotik Indonesia www.forummikrotik.com 5
  • 6. When to Use Port Knocking ?  When you need to do remote configuration or monitoring from remote area  When you try to decrease brute force attack Forum Mikrotik Indonesia www.forummikrotik.com 6
  • 7. How to Apply Port Knocking in Mikrotik ? Forum Mikrotik Indonesia www.forummikrotik.com 7  Using :  Firewall Filter  Address List  Knock Application Please download the application from : www.zeroflux.org
  • 8. The Basic of Firewall Filter Forum Mikrotik Indonesia www.forummikrotik.com 8
  • 9. The Basic of Firewall Filter  Firewall Filter is used for packet filtering  Firewall Filter consist of IF-THEN rules IF <conditions> THEN <action>  Firewall Filter is done in sequential top to bottom  Firewall Filter are organized in chains Forum Mikrotik Indonesia www.forummikrotik.com 9
  • 10. The Basic of Firewall Filter  Input : Processes packets addressed to the router itself  Output : Processes packets sent by the router itself  Forward : processes traffic sent through the router Forum Mikrotik Indonesia www.forummikrotik.com 10
  • 11. Chain Input Forum Mikrotik Indonesia www.forummikrotik.com 11
  • 12. Chain Output Forum Mikrotik Indonesia www.forummikrotik.com 12
  • 13. Chain Forward Forum Mikrotik Indonesia www.forummikrotik.com 13
  • 14. Firewall Filter Action  Accept – accept the packet. No action is taken, I.e the packet is passed thourgh and no more rules applied to it  Add-dst-to-address-list – adds destination address of an IP packet to the address list specified by address-list parameter  Add-src-to-address-list – adds source address of an IP packet to the address list specified by address-list parameter  Drop – silently drop the packet (without sending the ICMP reject messege)  Jump – jump to the chain specified by the value of the jump-target-parameter  Log – each match with this action will add a messege to the system log  Passthrogh – ignores this rule and goes on the next one  Reject – reject the packet and send an ICMP reject messege  Return – passes control back to the chain where the jump took place  Tarpit – captures and hold incoming TCP connections (replies with SYN/ACK to the inbound TCP SYN packet Forum Mikrotik Indonesia www.forummikrotik.com 14
  • 15. IP Address List  You can also define group of IP address using “IP address List”  IP address List can be used in Firewall Rules to apply certain action  You can use mangle or firewall filter rule to dynamicly add IP address to IP address List certain time limit Forum Mikrotik Indonesia www.forummikrotik.com 15
  • 16. Let’s Start Implementing Port Knocking in Mikrotik Router OS… Forum Mikrotik Indonesia www.forummikrotik.com 16
  • 17. Case Studies 192.168.33.254 LAN 10.1.1.254 192.168.33.0/24 Internet Mikrotik Router Forum Mikrotik Indonesia www.forummikrotik.com 17 Remote Area (Home, Café, etc)
  • 18. Case Studies  We only allowed access to router only from several IP from LAN :  192.168.33.10 Until 192.168.33.20  Different IP from LAN have to knock first before gain access to router  Remote area from Internet have to knock first before gain access to router Forum Mikrotik Indonesia www.forummikrotik.com 18
  • 19. Case Studies  We will only allowed access to router from address list named “Safe Haven”  Other have to knock first to :  Protocol TCP, Port 1337  Protocol UDP, Port 17954 Forum Mikrotik Indonesia www.forummikrotik.com 19
  • 20. Adding Allowed LAN Address to Address List add address=192.168.33.10-192.168.33.20 comment="" disabled=no list= "Save Haven" Forum Mikrotik Indonesia www.forummikrotik.com 20
  • 21. Knock Rules 1 add action=add-src-to-address-list address-list=knock-knock address-list-timeout= 15s chain=input comment="Knock 1" disabled=no dst-port=1337 Forum Mikrotik Indonesia www.forummikrotik.com 21 protocol=tcp
  • 22. Knock Rules 2 add action=add-src-to-address-list address-list="Save Haven“ address-list-timeout= 3h chain=input comment="Knock 2 - OK" disabled=no dst-port=17954 protocol=udp src-address-list=knock-knock Forum Mikrotik Indonesia www.forummikrotik.com 22
  • 23. Only Allowing “Save Haven” to Connect to the router add action=accept chain=input comment="Only Allow Access from Save Haven" disabled=no src-address-list="Save Haven" Forum Mikrotik Indonesia www.forummikrotik.com 23
  • 24. Drop Everything Else add action=drop chain=input comment="Drop Everything Else" disabled=no Forum Mikrotik Indonesia www.forummikrotik.com 24
  • 25. Configuration Here’s the configuration for port knocking. Just make sure you don’t change the sequence or this will not worked Forum Mikrotik Indonesia www.forummikrotik.com 25
  • 26. Knock Attempt  Hosts have to Knock the correct ports  Hosts IP Address that have knocked the correct ports will be put in dynamically to “Save Haven” Address List  Hosts can access router Forum Mikrotik Indonesia www.forummikrotik.com 26
  • 27. Forum Mikrotik Indonesia www.forummikrotik.com 27 Closing  Port Knocking is useful for securing the router  Port Knocking is also useful to decrease a brute force attack  Port Knocking has it’s weakness also:  It' s possible to spy out the knocking sequence by sniffing the network  It' s necessary to have a special knocking-client  Port Knocking is only one method to secure the router, best to combine this with other methods.
  • 28. Thank You Your Question Will be Appreciated Forum Mikrotik Indonesia www.forummikrotik.com 28