Webinar - MikroTik RouterOS Statefull Firewall Howto

Transcription

1 Webinar - MikroTik RouterOS Statefull Firewall Howto

2 About Me Steve Discher MikroTik Certified Trainer and Consultant, teach MikroTik Certification classes, LearnMikroTik.com Author of RouterOS by Example, the MTCNA Textbook

3 RouterOS by Example 300+ pages and almost 100 examples Follows the MikroTik Certified Network Associate (MTCNA) Course Syllabus to teach all of the vital functions of RouterOS Available from LearnMikroTik.com/book

4 Intro to the MikroTik Product Line Two broad categories of products: Integrated Solutions RouterBoards

5 Integrated Solutions RouterBOARD, case, power supply and POE in the case of outdoor products RB750 Series SXT

6 RouterBOARD s Bare circuit board, optional integrate radio module RB411 RB711series

7 Features Features are controlled by the license level Feature set is standard across the entire product line with minor exceptions for concurrent number of tunnels and the ability to operate in multipoint AP mode In summary, a device designed to be a client device will not operate in wireless AP mode but will still perform all complex routing functions

8 Feature Set Wireless capability, a/b/g/n, station, AP, wds, mesh, bridging, routing Full suite of routing protocols including BGP, OSPF, MPLS, VPLS Stateful firewalls

9 Three Hottest New Products from MikroTik

10 RB1100AHx2 Best performance 1U rackmount Gigabit Ethernet router Dual core CPU, it can reach up to a million packets per second It has thirteen individual gigabit Ethernet ports, two 5-port switch groups, and includes Ethernet bypass capability 2 GB of SODIMM RAM are included, one microsd card slot The RB1100AH comes preinstalled in a 1U aluminum rackmount case, assembled and ready to deploy

11 RB751U-2HnD 5 Ethernet ports Integrated dual chain n wireless External MMCX antenna connector

12 RB750UP 5 port Ethernet router Includes USB 2.0 port Ports 2-5 are POE ports (500 ma each)!

13 Mini HowTo Stateful Firewalls

14 Stateful Firewalls Stateful Firewall - A firewall that is able to track the state and attributes of connections passing through it or to it. Stateless Firewall - Also known as a packet filter, makes go/no-go decisions about packets based on source/destination with no previous knowledge about preceding packets.

15 Stateless Firewalls 1. Vulnerable to spoofing attacks 2. Don t play well with certain protocols such as FTP 3. Brute force firewalls with little granularity and few advanced options

16 Stateful Firewalls 1. Invention generally credited to Checkpoint in the mid 1990 s 2. Can store a significant amount of information about packets passing through or to the firewall 3. High level of granularity and highly efficient.

17 Elements of the Foundation for Firewalls 1. Connections 2. Chains 3. Packet matchers 4. Create a simple stateful firewall in RouterOS

18 Connections Four elements of an IP packet: Source Address/Source Port/Destination Address/Destination Port

19 Connections Source Address The IP of the computer trying to access the internet Destination Address The IP of the host the computer is trying to access

20 Connections Source Port The IP of the computer trying to access the internet Destination Port The port from which the packet was sent, determined by the host sending the packet

21 Connections These four pieces of information define each unique connection seen by the stateful firewall

22 Connection States In addition to these four pieces of information, connections pass thru one of four states: 1. New 2. Established 3. Related 4. Invalid

23 Connection States 1. New - First time this connection combination of port, src address, dst address, dst port has been seen, 2. Established - Known connection combination 3. Related - Part of a know connection combination 4. Invalid - Not part of a known connection combination, not new

24 Connection States

25 Summarize Connections Connections Combination - four pieces of information in an IP packet, source address, source port, destination address and destination port Connection states - new, established, related and invalid

26 Chains In RouterOS, firewalls are constructed using chains Chains are the locations where packets are seen by the firewall Three default chains are Input, Forward and Output

27 Chains Input - Packets going TO the firewall (protects router) Forward - Packets going THROUGH the router (protects clients) Output - Packets generated by the router itself, or FROM the router (less often used)

28 Summarize Chains Three default chains: 1. Input - Protects the router 2. Forward - Protects the clients 3. Output - From the router, less commonly used in simple firewalls

29 Packet Matchers Firewall rules operate on an IF - THEN principal RouterOS uses packet matchers to identify packets (IF) Action tab to perform some action on the packets that match (THEN)

30 Firewall Rules - Where?

31 Packet Matchers Chain Optional, more or less restrictive{ Matches all traffic FROM /24 network

32 Action to perform{ Action Tab

33 Summarize Packet Matchers General Tab - Specify one or many criteria Action Tab - Perform some action if the packet matches

34 Create a Simple Stateful Firewall in RouterOS Input Chain 1. Drop invalid connections. 2. Allow the router to be managed from our LAN IP subnet only. 3. Allow connections back to our router IF we initiate the connection. 4. Drop all other packets to the router.

35 Input Chain - 1 Drop invalid connections to the router.

36 Input Chain - 2 Allow everything from our subnet.

37 Input Chain - 3 Special Rule - Allow any inbound traffic IF we initiated it (the established part of the connection.)

38 Input Chain - 4 Drop everything else from anywhere.

39 Create a Simple Stateful Firewall in RouterOS Forward Chain 1. Drop invalid connections. 2. Allow new connections if originated from our LAN subnet. 3. Allow related connections. 4. Allow established connections. 5. Drop everything else.

40 Forward Chain - 1

41 Forward Chain - 2

42 Forward Chain - 3

43 Forward Chain - 4

44 Forward Chain - 5

45 Summarize Firewall Rules Allow what is desired on the input chain. Drop everything else on input chain. Allow desired connection states on forward chain. Drop everything else on forward chain.

46 Common Errors 1. Rule order is important, accept must be before drop or you could lose connection. 2. Work in safe mode but don t forget to save occasionally by exiting safe mode and then re-enter. 3. Start of simple, then build on the foundation provided herein.

47 Common Errors 4. If you use this example verbatim, don t forget to use YOUR IP subnet in the rules. 5. Use comments in your rules. 6. Make your rules more extensible by using address lists. 7. Make your firewall more intelligent by using intelligent actions.

48 Questions Get the Book! LearnMikroTik.com/book Class Schedules LearnMikroTik.com, next MTCNA class January Houston, Texas, then advanced training February in Dallas

49 Thank You!