SlideShare ist ein Scribd-Unternehmen logo

MikroTik Firewall : Securing your Router with Port Knocking

Akbar Azwir, MM, PMP, PMI-SP, PSM I, CISSP
Akbar Azwir, MM, PMP, PMI-SP, PSM I, CISSP

This presentation was presented at MUM Indonesia at Bali in 2008. Discussed about how to put extra layer of security into your MikroTik Router using Port Knocking mechanism.

Technologie
1 von 28
Downloaden Sie, um offline zu lesen
Mikrotik Firewall Securing Your Router With Port Knocking
Introduction  Name : Akbar  Mikrotik User Since : Mid 2005  IT Manager @ Agung Sedayu Group  Trainer For Ufoakses Mikrotik Training  www.forummikrotik.com  akbar@forummikrotik.com Forum Mikrotik Indonesia www.forummikrotik.com 2
What is Port Knocking ?  Port Knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports  Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s) Forum Mikrotik Indonesia www.forummikrotik.com 3
Port Knocking Process Connection Attempt to Router with Winbox or Telnet or SSH Connection Attempt Rejected / Drop Knock : Connection Attempt to Pre Defined Port Firewall Rules Dynamically Modified to Allow Access From That Host Connection Attempt to Router with Winbox or Telnet or SSH Connection Granted Host Router with Firewall Forum Mikrotik Indonesia www.forummikrotik.com 4
Why Port Knocking ?  The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan, because unless the attacker sends the correct knock sequence, the protected ports will appear closed. Forum Mikrotik Indonesia www.forummikrotik.com 5
When to Use Port Knocking ?  When you need to do remote configuration or monitoring from remote area  When you try to decrease brute force attack Forum Mikrotik Indonesia www.forummikrotik.com 6
How to Apply Port Knocking in Mikrotik ? Forum Mikrotik Indonesia www.forummikrotik.com 7  Using :  Firewall Filter  Address List  Knock Application Please download the application from : www.zeroflux.org
The Basic of Firewall Filter Forum Mikrotik Indonesia www.forummikrotik.com 8
The Basic of Firewall Filter  Firewall Filter is used for packet filtering  Firewall Filter consist of IF-THEN rules IF <conditions> THEN <action>  Firewall Filter is done in sequential top to bottom  Firewall Filter are organized in chains Forum Mikrotik Indonesia www.forummikrotik.com 9
The Basic of Firewall Filter  Input : Processes packets addressed to the router itself  Output : Processes packets sent by the router itself  Forward : processes traffic sent through the router Forum Mikrotik Indonesia www.forummikrotik.com 10
Chain Input Forum Mikrotik Indonesia www.forummikrotik.com 11
Chain Output Forum Mikrotik Indonesia www.forummikrotik.com 12
Chain Forward Forum Mikrotik Indonesia www.forummikrotik.com 13
Firewall Filter Action  Accept – accept the packet. No action is taken, I.e the packet is passed thourgh and no more rules applied to it  Add-dst-to-address-list – adds destination address of an IP packet to the address list specified by address-list parameter  Add-src-to-address-list – adds source address of an IP packet to the address list specified by address-list parameter  Drop – silently drop the packet (without sending the ICMP reject messege)  Jump – jump to the chain specified by the value of the jump-target-parameter  Log – each match with this action will add a messege to the system log  Passthrogh – ignores this rule and goes on the next one  Reject – reject the packet and send an ICMP reject messege  Return – passes control back to the chain where the jump took place  Tarpit – captures and hold incoming TCP connections (replies with SYN/ACK to the inbound TCP SYN packet Forum Mikrotik Indonesia www.forummikrotik.com 14
IP Address List  You can also define group of IP address using “IP address List”  IP address List can be used in Firewall Rules to apply certain action  You can use mangle or firewall filter rule to dynamicly add IP address to IP address List certain time limit Forum Mikrotik Indonesia www.forummikrotik.com 15
Let’s Start Implementing Port Knocking in Mikrotik Router OS… Forum Mikrotik Indonesia www.forummikrotik.com 16
Case Studies 192.168.33.254 LAN 10.1.1.254 192.168.33.0/24 Internet Mikrotik Router Forum Mikrotik Indonesia www.forummikrotik.com 17 Remote Area (Home, Café, etc)
Case Studies  We only allowed access to router only from several IP from LAN :  192.168.33.10 Until 192.168.33.20  Different IP from LAN have to knock first before gain access to router  Remote area from Internet have to knock first before gain access to router Forum Mikrotik Indonesia www.forummikrotik.com 18
Case Studies  We will only allowed access to router from address list named “Safe Haven”  Other have to knock first to :  Protocol TCP, Port 1337  Protocol UDP, Port 17954 Forum Mikrotik Indonesia www.forummikrotik.com 19
Adding Allowed LAN Address to Address List add address=192.168.33.10-192.168.33.20 comment="" disabled=no list= "Save Haven" Forum Mikrotik Indonesia www.forummikrotik.com 20
Knock Rules 1 add action=add-src-to-address-list address-list=knock-knock address-list-timeout= 15s chain=input comment="Knock 1" disabled=no dst-port=1337 Forum Mikrotik Indonesia www.forummikrotik.com 21 protocol=tcp
Knock Rules 2 add action=add-src-to-address-list address-list="Save Haven“ address-list-timeout= 3h chain=input comment="Knock 2 - OK" disabled=no dst-port=17954 protocol=udp src-address-list=knock-knock Forum Mikrotik Indonesia www.forummikrotik.com 22
Only Allowing “Save Haven” to Connect to the router add action=accept chain=input comment="Only Allow Access from Save Haven" disabled=no src-address-list="Save Haven" Forum Mikrotik Indonesia www.forummikrotik.com 23
Drop Everything Else add action=drop chain=input comment="Drop Everything Else" disabled=no Forum Mikrotik Indonesia www.forummikrotik.com 24
Configuration Here’s the configuration for port knocking. Just make sure you don’t change the sequence or this will not worked Forum Mikrotik Indonesia www.forummikrotik.com 25
Knock Attempt  Hosts have to Knock the correct ports  Hosts IP Address that have knocked the correct ports will be put in dynamically to “Save Haven” Address List  Hosts can access router Forum Mikrotik Indonesia www.forummikrotik.com 26
Forum Mikrotik Indonesia www.forummikrotik.com 27 Closing  Port Knocking is useful for securing the router  Port Knocking is also useful to decrease a brute force attack  Port Knocking has it’s weakness also:  It' s possible to spy out the knocking sequence by sniffing the network  It' s necessary to have a special knocking-client  Port Knocking is only one method to secure the router, best to combine this with other methods.
Thank You Your Question Will be Appreciated Forum Mikrotik Indonesia www.forummikrotik.com 28

Empfohlen

Mikro tik advanced training
Mikro tik advanced trainingMikro tik advanced training
Mikro tik advanced trainingJignesh H. Bhalsod
 
MikroTik & RouterOS
MikroTik & RouterOSMikroTik & RouterOS
MikroTik & RouterOSFaelix Ltd
 
Fools your enemy with MikroTik
Fools your enemy with MikroTikFools your enemy with MikroTik
Fools your enemy with MikroTikDidiet Kusumadihardja
 
Using mikrotik with radius
Using mikrotik with radiusUsing mikrotik with radius
Using mikrotik with radiusAchmad Mardiansyah
 
Mikrotik Hotspot User Manager
Mikrotik Hotspot User ManagerMikrotik Hotspot User Manager
Mikrotik Hotspot User ManagerKHNOG
 
MikroTik Security
MikroTik SecurityMikroTik Security
MikroTik SecurityRofiq Fauzi
 
MikroTik MTCNA
MikroTik MTCNAMikroTik MTCNA
MikroTik MTCNAAli Layth
 
Mikrotik load balansing
Mikrotik load balansingMikrotik load balansing
Mikrotik load balansingКирилл Кекер
 

Empfohlen

Mikro tik advanced training
Mikro tik advanced trainingMikro tik advanced training
Mikro tik advanced trainingJignesh H. Bhalsod
 
MikroTik & RouterOS
MikroTik & RouterOSMikroTik & RouterOS
MikroTik & RouterOSFaelix Ltd
 
Fools your enemy with MikroTik
Fools your enemy with MikroTikFools your enemy with MikroTik
Fools your enemy with MikroTikDidiet Kusumadihardja
 
Using mikrotik with radius
Using mikrotik with radiusUsing mikrotik with radius
Using mikrotik with radiusAchmad Mardiansyah
 
Mikrotik Hotspot User Manager
Mikrotik Hotspot User ManagerMikrotik Hotspot User Manager
Mikrotik Hotspot User ManagerKHNOG
 
MikroTik Security
MikroTik SecurityMikroTik Security
MikroTik SecurityRofiq Fauzi
 
MikroTik MTCNA
MikroTik MTCNAMikroTik MTCNA
MikroTik MTCNAAli Layth
 
Mikrotik load balansing
Mikrotik load balansingMikrotik load balansing
Mikrotik load balansingКирилл Кекер
 
Mikrotik Tutorial
Mikrotik TutorialMikrotik Tutorial
Mikrotik TutorialMd Sohrab Hossain Sourav
 
Mikrotik advanced
Mikrotik advancedMikrotik advanced
Mikrotik advancedguest8423a64e
 
BGP on mikrotik
BGP on mikrotikBGP on mikrotik
BGP on mikrotikAchmad Mardiansyah
 
Cisco ospf
Cisco ospf Cisco ospf
Cisco ospf sarasanandam
 
VLAN on mikrotik
VLAN on mikrotikVLAN on mikrotik
VLAN on mikrotikAchmad Mardiansyah
 
PPPoE With Mikrotik and Radius
PPPoE With Mikrotik and RadiusPPPoE With Mikrotik and Radius
PPPoE With Mikrotik and RadiusDashamir Hoxha
 
Ccna (200 125)
Ccna (200 125)Ccna (200 125)
Ccna (200 125)shajeeha khalid
 
Mikrotik Hotspot
Mikrotik HotspotMikrotik Hotspot
Mikrotik HotspotGLC Networks
 
CCNA 1 Routing and Switching v5.0 Chapter 9
CCNA 1 Routing and Switching v5.0 Chapter 9CCNA 1 Routing and Switching v5.0 Chapter 9
CCNA 1 Routing and Switching v5.0 Chapter 9Nil Menon
 
CCNA Routing Protocols
CCNA Routing ProtocolsCCNA Routing Protocols
CCNA Routing ProtocolsDsunte Wilson
 
BGP Services IP Transit vs IP Peering
BGP Services IP Transit vs IP PeeringBGP Services IP Transit vs IP Peering
BGP Services IP Transit vs IP PeeringGLC Networks
 
HOTSPOT on MikroTik Router
HOTSPOT on MikroTik RouterHOTSPOT on MikroTik Router
HOTSPOT on MikroTik RouterKHNOG
 
Fortigate Training
Fortigate TrainingFortigate Training
Fortigate TrainingNCS Computech Ltd.
 
Basic command to configure mikrotik
Basic command to configure mikrotikBasic command to configure mikrotik
Basic command to configure mikrotikTola LENG
 
Mikrotik Load Balancing with PCC
Mikrotik Load Balancing with PCCMikrotik Load Balancing with PCC
Mikrotik Load Balancing with PCCGLC Networks
 
CCNA Course Training Presentation
CCNA Course Training PresentationCCNA Course Training Presentation
CCNA Course Training PresentationRohit Singh
 
MTCNA - MikroTik Certified Network Associate - v2
MTCNA - MikroTik Certified Network Associate - v2MTCNA - MikroTik Certified Network Associate - v2
MTCNA - MikroTik Certified Network Associate - v2Yaser Rahmati
 
Iperf Tutorial
Iperf Tutorial Iperf Tutorial
Iperf Tutorial Febrian ‎
 
2+ipt+configuring cisco-cme
2+ipt+configuring cisco-cme2+ipt+configuring cisco-cme
2+ipt+configuring cisco-cmeYves Jean Louis
 
Ccna command
Ccna commandCcna command
Ccna commandSiddhartha Rajbhatt
 
Ukk tkj p1 proxy mikrotik2014 2015
Ukk tkj p1 proxy mikrotik2014 2015Ukk tkj p1 proxy mikrotik2014 2015
Ukk tkj p1 proxy mikrotik2014 2015Riza Hafizhuddin
 
SETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEX
SETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEXSETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEX
SETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEXKadek Kamastika
 

Weitere ähnliche Inhalte

Was ist angesagt?

PPPoE With Mikrotik and Radius
PPPoE With Mikrotik and RadiusPPPoE With Mikrotik and Radius
PPPoE With Mikrotik and RadiusDashamir Hoxha
 
CCNA 1 Routing and Switching v5.0 Chapter 9
CCNA 1 Routing and Switching v5.0 Chapter 9CCNA 1 Routing and Switching v5.0 Chapter 9
CCNA 1 Routing and Switching v5.0 Chapter 9Nil Menon
 
CCNA Routing Protocols
CCNA Routing ProtocolsCCNA Routing Protocols
CCNA Routing ProtocolsDsunte Wilson
 
BGP Services IP Transit vs IP Peering
BGP Services IP Transit vs IP PeeringBGP Services IP Transit vs IP Peering
BGP Services IP Transit vs IP PeeringGLC Networks
 
HOTSPOT on MikroTik Router
HOTSPOT on MikroTik RouterHOTSPOT on MikroTik Router
HOTSPOT on MikroTik RouterKHNOG
 
Basic command to configure mikrotik
Basic command to configure mikrotikBasic command to configure mikrotik
Basic command to configure mikrotikTola LENG
 
Mikrotik Load Balancing with PCC
Mikrotik Load Balancing with PCCMikrotik Load Balancing with PCC
Mikrotik Load Balancing with PCCGLC Networks
 
CCNA Course Training Presentation
CCNA Course Training PresentationCCNA Course Training Presentation
CCNA Course Training PresentationRohit Singh
 
MTCNA - MikroTik Certified Network Associate - v2
MTCNA - MikroTik Certified Network Associate - v2MTCNA - MikroTik Certified Network Associate - v2
MTCNA - MikroTik Certified Network Associate - v2Yaser Rahmati
 
2+ipt+configuring cisco-cme
2+ipt+configuring cisco-cme2+ipt+configuring cisco-cme
2+ipt+configuring cisco-cmeYves Jean Louis
 

Was ist angesagt? (20)

Mikrotik Tutorial
Mikrotik TutorialMikrotik Tutorial
Mikrotik Tutorial
 
Mikrotik advanced
Mikrotik advancedMikrotik advanced
Mikrotik advanced
 
BGP on mikrotik
BGP on mikrotikBGP on mikrotik
BGP on mikrotik
 
Cisco ospf
Cisco ospf Cisco ospf
Cisco ospf
 
VLAN on mikrotik
VLAN on mikrotikVLAN on mikrotik
VLAN on mikrotik
 
PPPoE With Mikrotik and Radius
PPPoE With Mikrotik and RadiusPPPoE With Mikrotik and Radius
PPPoE With Mikrotik and Radius
 
Ccna (200 125)
Ccna (200 125)Ccna (200 125)
Ccna (200 125)
 
Mikrotik Hotspot
Mikrotik HotspotMikrotik Hotspot
Mikrotik Hotspot
 
CCNA 1 Routing and Switching v5.0 Chapter 9
CCNA 1 Routing and Switching v5.0 Chapter 9CCNA 1 Routing and Switching v5.0 Chapter 9
CCNA 1 Routing and Switching v5.0 Chapter 9
 
CCNA Routing Protocols
CCNA Routing ProtocolsCCNA Routing Protocols
CCNA Routing Protocols
 
BGP Services IP Transit vs IP Peering
BGP Services IP Transit vs IP PeeringBGP Services IP Transit vs IP Peering
BGP Services IP Transit vs IP Peering
 
HOTSPOT on MikroTik Router
HOTSPOT on MikroTik RouterHOTSPOT on MikroTik Router
HOTSPOT on MikroTik Router
 
Fortigate Training
Fortigate TrainingFortigate Training
Fortigate Training
 
Basic command to configure mikrotik
Basic command to configure mikrotikBasic command to configure mikrotik
Basic command to configure mikrotik
 
Mikrotik Load Balancing with PCC
Mikrotik Load Balancing with PCCMikrotik Load Balancing with PCC
Mikrotik Load Balancing with PCC
 
CCNA Course Training Presentation
CCNA Course Training PresentationCCNA Course Training Presentation
CCNA Course Training Presentation
 
MTCNA - MikroTik Certified Network Associate - v2
MTCNA - MikroTik Certified Network Associate - v2MTCNA - MikroTik Certified Network Associate - v2
MTCNA - MikroTik Certified Network Associate - v2
 
Iperf Tutorial
Iperf Tutorial Iperf Tutorial
Iperf Tutorial
 
2+ipt+configuring cisco-cme
2+ipt+configuring cisco-cme2+ipt+configuring cisco-cme
2+ipt+configuring cisco-cme
 
Ccna command
Ccna commandCcna command
Ccna command
 

Ähnlich wie MikroTik Firewall : Securing your Router with Port Knocking

Ukk tkj p1 proxy mikrotik2014 2015
Ukk tkj p1 proxy mikrotik2014 2015Ukk tkj p1 proxy mikrotik2014 2015
Ukk tkj p1 proxy mikrotik2014 2015Riza Hafizhuddin
 
SETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEX
SETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEXSETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEX
SETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEXKadek Kamastika
 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu Alessandro De Suoodh
 
Chapter_Five[1].ppt
Chapter_Five[1].pptChapter_Five[1].ppt
Chapter_Five[1].pptBachaSirata
 
Modul 3 Firewalll.ppt
Modul 3 Firewalll.pptModul 3 Firewalll.ppt
Modul 3 Firewalll.pptcemporku
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewallsphanleson
 
CCNA Security 09- ios firewall fundamentals
CCNA Security 09- ios firewall fundamentalsCCNA Security 09- ios firewall fundamentals
CCNA Security 09- ios firewall fundamentalsAhmed Habib
 
Router security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summaryRouter security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summarymoonmanik
 
Firewall arch by Tareq Hanaysha
Firewall arch by Tareq HanayshaFirewall arch by Tareq Hanaysha
Firewall arch by Tareq HanayshaHanaysha
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsPriyanka Aash
 
Configure Mikrotik Khmer.pdf
Configure Mikrotik Khmer.pdfConfigure Mikrotik Khmer.pdf
Configure Mikrotik Khmer.pdfBT Digital
 
Cisco discovery drs ent module 8 - v.4 in english.
Cisco discovery drs ent module 8 - v.4 in english.Cisco discovery drs ent module 8 - v.4 in english.
Cisco discovery drs ent module 8 - v.4 in english.igede tirtanata
 
Floodlight with Firewall and Network Virtualization
Floodlight with Firewall and Network VirtualizationFloodlight with Firewall and Network Virtualization
Floodlight with Firewall and Network VirtualizationAnkita Mandekar
 
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdf
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdfNote I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdf
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdfezonesolutions
 

Ähnlich wie MikroTik Firewall : Securing your Router with Port Knocking (20)

Ukk tkj p1 proxy mikrotik2014 2015
Ukk tkj p1 proxy mikrotik2014 2015Ukk tkj p1 proxy mikrotik2014 2015
Ukk tkj p1 proxy mikrotik2014 2015
 
SETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEX
SETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEXSETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEX
SETING DAN KONFIGURASI ROUTERBOARD MIKROTIK RB 750 METODE TEX
 
Tutorial mikrotik step by step
Tutorial mikrotik step by stepTutorial mikrotik step by step
Tutorial mikrotik step by step
 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu
 
Chapter_Five[1].ppt
Chapter_Five[1].pptChapter_Five[1].ppt
Chapter_Five[1].ppt
 
Modul 3 Firewalll.ppt
Modul 3 Firewalll.pptModul 3 Firewalll.ppt
Modul 3 Firewalll.ppt
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
 
100197
100197100197
100197
 
Firewall Facts
Firewall FactsFirewall Facts
Firewall Facts
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewalls
 
CCNA Security 09- ios firewall fundamentals
CCNA Security 09- ios firewall fundamentalsCCNA Security 09- ios firewall fundamentals
CCNA Security 09- ios firewall fundamentals
 
Router security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summaryRouter security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summary
 
Firewall arch by Tareq Hanaysha
Firewall arch by Tareq HanayshaFirewall arch by Tareq Hanaysha
Firewall arch by Tareq Hanaysha
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS Firewalls
 
Configure Mikrotik Khmer.pdf
Configure Mikrotik Khmer.pdfConfigure Mikrotik Khmer.pdf
Configure Mikrotik Khmer.pdf
 
Cisco discovery drs ent module 8 - v.4 in english.
Cisco discovery drs ent module 8 - v.4 in english.Cisco discovery drs ent module 8 - v.4 in english.
Cisco discovery drs ent module 8 - v.4 in english.
 
Floodlight with Firewall and Network Virtualization
Floodlight with Firewall and Network VirtualizationFloodlight with Firewall and Network Virtualization
Floodlight with Firewall and Network Virtualization
 
Set review 1
Set review 1Set review 1
Set review 1
 
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdf
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdfNote I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdf
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdf
 
Firewalls (6)
Firewalls (6)Firewalls (6)
Firewalls (6)
 

Mehr von Akbar Azwir, MM, PMP, PMI-SP, PSM I, CISSP

Mehr von Akbar Azwir, MM, PMP, PMI-SP, PSM I, CISSP (7)

Multi-criteria Decision Making dengan Advance Hierarchy Process
Multi-criteria Decision Making dengan Advance Hierarchy Process Multi-criteria Decision Making dengan Advance Hierarchy Process
Multi-criteria Decision Making dengan Advance Hierarchy Process
 
Open Zoom Conference - Let's talk about PMP Certification
Open Zoom Conference - Let's talk about PMP CertificationOpen Zoom Conference - Let's talk about PMP Certification
Open Zoom Conference - Let's talk about PMP Certification
 
Risks in Project
Risks in ProjectRisks in Project
Risks in Project
 
Blockchain presentation for prudential
Blockchain presentation for prudentialBlockchain presentation for prudential
Blockchain presentation for prudential
 
Mikrotik RouterOS Security Audit Checklist by Akbar Azwir
Mikrotik RouterOS Security Audit Checklist by Akbar AzwirMikrotik RouterOS Security Audit Checklist by Akbar Azwir
Mikrotik RouterOS Security Audit Checklist by Akbar Azwir
 
Introduction to MikroTik RouterOS API
Introduction to MikroTik RouterOS APIIntroduction to MikroTik RouterOS API
Introduction to MikroTik RouterOS API
 
Abac and the evolution of access control
Abac and the evolution of access controlAbac and the evolution of access control
Abac and the evolution of access control
 

Kürzlich hochgeladen

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 

Kürzlich hochgeladen (20)

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

MikroTik Firewall : Securing your Router with Port Knocking

  • 1. Mikrotik Firewall Securing Your Router With Port Knocking
  • 2. Introduction  Name : Akbar  Mikrotik User Since : Mid 2005  IT Manager @ Agung Sedayu Group  Trainer For Ufoakses Mikrotik Training  www.forummikrotik.com  akbar@forummikrotik.com Forum Mikrotik Indonesia www.forummikrotik.com 2
  • 3. What is Port Knocking ?  Port Knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports  Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s) Forum Mikrotik Indonesia www.forummikrotik.com 3
  • 4. Port Knocking Process Connection Attempt to Router with Winbox or Telnet or SSH Connection Attempt Rejected / Drop Knock : Connection Attempt to Pre Defined Port Firewall Rules Dynamically Modified to Allow Access From That Host Connection Attempt to Router with Winbox or Telnet or SSH Connection Granted Host Router with Firewall Forum Mikrotik Indonesia www.forummikrotik.com 4
  • 5. Why Port Knocking ?  The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan, because unless the attacker sends the correct knock sequence, the protected ports will appear closed. Forum Mikrotik Indonesia www.forummikrotik.com 5
  • 6. When to Use Port Knocking ?  When you need to do remote configuration or monitoring from remote area  When you try to decrease brute force attack Forum Mikrotik Indonesia www.forummikrotik.com 6
  • 7. How to Apply Port Knocking in Mikrotik ? Forum Mikrotik Indonesia www.forummikrotik.com 7  Using :  Firewall Filter  Address List  Knock Application Please download the application from : www.zeroflux.org
  • 8. The Basic of Firewall Filter Forum Mikrotik Indonesia www.forummikrotik.com 8
  • 9. The Basic of Firewall Filter  Firewall Filter is used for packet filtering  Firewall Filter consist of IF-THEN rules IF <conditions> THEN <action>  Firewall Filter is done in sequential top to bottom  Firewall Filter are organized in chains Forum Mikrotik Indonesia www.forummikrotik.com 9
  • 10. The Basic of Firewall Filter  Input : Processes packets addressed to the router itself  Output : Processes packets sent by the router itself  Forward : processes traffic sent through the router Forum Mikrotik Indonesia www.forummikrotik.com 10
  • 11. Chain Input Forum Mikrotik Indonesia www.forummikrotik.com 11
  • 12. Chain Output Forum Mikrotik Indonesia www.forummikrotik.com 12
  • 13. Chain Forward Forum Mikrotik Indonesia www.forummikrotik.com 13
  • 14. Firewall Filter Action  Accept – accept the packet. No action is taken, I.e the packet is passed thourgh and no more rules applied to it  Add-dst-to-address-list – adds destination address of an IP packet to the address list specified by address-list parameter  Add-src-to-address-list – adds source address of an IP packet to the address list specified by address-list parameter  Drop – silently drop the packet (without sending the ICMP reject messege)  Jump – jump to the chain specified by the value of the jump-target-parameter  Log – each match with this action will add a messege to the system log  Passthrogh – ignores this rule and goes on the next one  Reject – reject the packet and send an ICMP reject messege  Return – passes control back to the chain where the jump took place  Tarpit – captures and hold incoming TCP connections (replies with SYN/ACK to the inbound TCP SYN packet Forum Mikrotik Indonesia www.forummikrotik.com 14
  • 15. IP Address List  You can also define group of IP address using “IP address List”  IP address List can be used in Firewall Rules to apply certain action  You can use mangle or firewall filter rule to dynamicly add IP address to IP address List certain time limit Forum Mikrotik Indonesia www.forummikrotik.com 15
  • 16. Let’s Start Implementing Port Knocking in Mikrotik Router OS… Forum Mikrotik Indonesia www.forummikrotik.com 16
  • 17. Case Studies 192.168.33.254 LAN 10.1.1.254 192.168.33.0/24 Internet Mikrotik Router Forum Mikrotik Indonesia www.forummikrotik.com 17 Remote Area (Home, Café, etc)
  • 18. Case Studies  We only allowed access to router only from several IP from LAN :  192.168.33.10 Until 192.168.33.20  Different IP from LAN have to knock first before gain access to router  Remote area from Internet have to knock first before gain access to router Forum Mikrotik Indonesia www.forummikrotik.com 18
  • 19. Case Studies  We will only allowed access to router from address list named “Safe Haven”  Other have to knock first to :  Protocol TCP, Port 1337  Protocol UDP, Port 17954 Forum Mikrotik Indonesia www.forummikrotik.com 19
  • 20. Adding Allowed LAN Address to Address List add address=192.168.33.10-192.168.33.20 comment="" disabled=no list= "Save Haven" Forum Mikrotik Indonesia www.forummikrotik.com 20
  • 21. Knock Rules 1 add action=add-src-to-address-list address-list=knock-knock address-list-timeout= 15s chain=input comment="Knock 1" disabled=no dst-port=1337 Forum Mikrotik Indonesia www.forummikrotik.com 21 protocol=tcp
  • 22. Knock Rules 2 add action=add-src-to-address-list address-list="Save Haven“ address-list-timeout= 3h chain=input comment="Knock 2 - OK" disabled=no dst-port=17954 protocol=udp src-address-list=knock-knock Forum Mikrotik Indonesia www.forummikrotik.com 22
  • 23. Only Allowing “Save Haven” to Connect to the router add action=accept chain=input comment="Only Allow Access from Save Haven" disabled=no src-address-list="Save Haven" Forum Mikrotik Indonesia www.forummikrotik.com 23
  • 24. Drop Everything Else add action=drop chain=input comment="Drop Everything Else" disabled=no Forum Mikrotik Indonesia www.forummikrotik.com 24
  • 25. Configuration Here’s the configuration for port knocking. Just make sure you don’t change the sequence or this will not worked Forum Mikrotik Indonesia www.forummikrotik.com 25
  • 26. Knock Attempt  Hosts have to Knock the correct ports  Hosts IP Address that have knocked the correct ports will be put in dynamically to “Save Haven” Address List  Hosts can access router Forum Mikrotik Indonesia www.forummikrotik.com 26
  • 27. Forum Mikrotik Indonesia www.forummikrotik.com 27 Closing  Port Knocking is useful for securing the router  Port Knocking is also useful to decrease a brute force attack  Port Knocking has it’s weakness also:  It' s possible to spy out the knocking sequence by sniffing the network  It' s necessary to have a special knocking-client  Port Knocking is only one method to secure the router, best to combine this with other methods.
  • 28. Thank You Your Question Will be Appreciated Forum Mikrotik Indonesia www.forummikrotik.com 28