Scribd Logo
Importer

Bienvenue sur Scribd !

  • Top 10 Router OS Configuration Mistakes

    Transféré par

    innovativekalu
    116 vues43 pages
    s

    Copyright

    © © All Rights Reserved

    Formats disponibles

    PDF, TXT ou lisez en ligne sur Scribd

    Avez-vous trouvé ce document utile ?

    Ce contenu est-il inapproprié ?

    Signaler ce document
    s

    Droits d'auteur :

    © All Rights Reserved
    Téléchargez comme PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    116 vues43 pages

    Top 10 Router OS Configuration Mistakes

    Transféré par

    innovativekalu
    s

    Droits d'auteur :

    © All Rights Reserved
    Téléchargez comme PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    sur 43

    TOP10 RouterOS

    configuration mistakes

    Presenter Andis Arins


     MikroTik Consultant at

    2
    /

     MikroTik / Microsoft certified trainer


     Member of the board in Latvian Internet Association
     Review expert for EU in future networking research

    andis[at]router.lv

    www.linkedin.com/in/andisarins
    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    The same IP on multiple interfaces

    10
    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    The same IP on multiple interfaces

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    The same IP on multiple interfaces

    survival strategy: MAC telnet or


    connection from different network
    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    Lack of monitoring

    9
    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    Lack of monitoring

     What is the health of my router?


     Is it reachable from everywhere it should?
     Isnt it overloaded ?

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    Lack of monitoring

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    Lack of monitoring

    9
    IP - SNMP

    /snmp> send-trap
    for proactive
    action

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    Lack of monitoring
    The Dude
    you can monitor and
    manage your devices

    new features since


    RouterOS 6.34

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    10

    Lack of monitoring

    11
    toolsnetwatch

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    Lack of monitoring

    12
    toolsTraffic monitor

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    Lack of monitoring
    IP- Traffic Flow

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    13

    Lack of monitoring
    Also HA solutions without monitoring may fail one day
    VRRP for 99.9%+
    availability
    0.365 days or
    8.76 hours
    down in year

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    14

    DNS issues

    15

    8
    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    DNS issues

    16
    Many requests from
    spoofed IPs

    VICTIM
    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    DNS issues

    17

    10.0.0.0/24

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    Firewall inefficiency

    18

    7
    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    Firewall inefficiency

    internet

    19

    123.123.123.123
    webserver

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    NAT issues

    20

    6
    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    NAT issues

    21

    10.0.0.0/24

    123.123.123.123

    159.148.147.196
    src-ip: 10.0.0.10
    dst-ip: 159.148.147.196

    NAT
    masquarade

    src-ip: 10.0.0.10

    src-ip: 123.123.123.123
    dst-ip: 159.148.147.196

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    NAT issues

    22
    10.1.1.0/24
    10.0.0.0/24

    10.1.1.0/24

    123.123.123.0/24
    bad
    ok
    ok

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    NAT issues

    23

    192.168.0.0/24

    10.0.0.0/24
    IPSec

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    Allowed IP Spoofing

    5
    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    24

    Allowed IP Spoofing

    10.0.0.0/24

    src-ip: 13.13.13.13
    dst-ip: 159.148.147.196

    25

    123.123.123.123

    1. routing decision
    2. firewall decision

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    Allowed IP Spoofing
    Tools- Traffic Generator

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    26

    Allowed IP Spoofing
    Test your network

    https://spoofer.caida.org/

    http://ieeexplore.ieee.org/

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    27

    Allowed IP Spoofing

    28

    10.0.0.0/24

    src-ip: 13.13.13.13
    dst-ip: 159.148.147.196

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    routing
    decision

    Bridge issues

    29

    4
    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    Bridge issues

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    30

    Bridge issues

    wan

    31

    master slave

    slave

    slave

    lan
    bridge

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    Bridge issues

    32

    bridge-lan

    DHCP-Server on individual port, not on bridge itself

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    PoE issues

    33

    3
    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    PoE issues

    34
    Mikrotik PoE standart
    (4,5pin +) (7,8pin -)

    Hello from DC !!!

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    PoE issues

    35
    DC adaper

    DC power 1

    eth1
    PoE in

    data,power 2

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    Waiting for hackers

    2
    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    36

    Waiting for hackers

    Dude (if installed ) port 2211

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    37

    Waiting for hackers

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    38

    Waiting for hackers


    MAC telnet/winbox server on all interfaces

    default configuration allows MAC access only from initial bridge

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    39

    Try to Guess

    40

    1
    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    admin / no password

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    41

    admin / no password

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    42

    Thats it!

    MUM USA, Dallas 2016.04.28 Andis Arins / WISP TRACON | router.lv

    Vous aimerez peut-être aussi