I had several thoughts, and by the way you must be really bored to read my thread.
Is Normis saying by that ref to the article, that accessing my Router via the MT app with IKEv2 is not secure enough??
Can the APP with just 2 factor authentication be a replacement for VPN for users to access LAN resources??
Or in other words, can one use usermanager (assuming this is what one uses to tap into a radius server (list of approved users)) with this 2 factor authentication WITHOUT adding in the complicated mess of VPN tunnels and yet still be secure?? For example, let's say people use SSH or HTTPS or some other "NORMAL" protocol (by normal = easy to use and administer).
I don't mind ridicule and laughter in response, part of the MTUNA certification is psychology training for just this very sort of thing!!
I think you're mixing different things together. There's a physical way how to get somewhere (like a gate to the castle) and a method of gaining access (proving to guards that you should be allowed to enter). You can play with the latter as much as you want, from a simple claim that you're you (anyone can say that), through some form of identification (someone can steal it from you), to additionally waking up the king who would look through the window and confirm that it's really you (pretty reliable, if he's not shortsighted). But you still need the gate.
Yes, you are exactly right.
What I am saying is: does the gate have to be made of titanium that is 20 inches thick, or made of aluminum, as long as it's sufficient to allow people through once the king confirms identity?
Titanium is better, because from time to time, someone will try to get in by force. It's also important to not have other weaknesses. Like a simple lock that could be picked by anyone. Or a magic talking gate that tells passwords to anyone who asks (that was the famous WinBox vulnerability).
I think @anav is actually asking why one should use ssh (or https) over IPsec given that those two protocols use authentication and encryption on their own, so it's like adding a second gate before the first one, with another guard possibly asking for a different passport/password, to use @Sob's analogy. But then the topic name is wrong, as "access to router LAN" means to me something different than "access to the router itself".
Accessing other devices in the router's LAN via an SSH session to the router itself is possible but not as convenient as accessing them via a VPN tunnel; accessing them via an HTTPS session to the router itself is not possible.
Accessing the router itself using SSH over an IPsec tunnel follows the "security onion" principle, assuming that you don't use the same credentials for both layers. In an ideal world, a single layer would be sufficient; in the real world, there is no certainty but death, the rest are just probabilities. And the combined probability that an attacker can discover a vulnerability in both the IPsec and SSH implementations in RouterOS is lower than the probability that an attacker can find one in the SSH implementation alone.
But don't forget that RouterOS is just one end of the connection, the other one being the PC or phone you use to connect, which can be infected by malware too. So unless the second authentication factor completely bypasses the PC's keyboard and storage, you cannot be sure that SSH over IPsec is more secure against keyloggers et al. than either of the two alone.
Thanks Sindy, I think you are closer to the mark in what I was thinking.
Yes, one cannot assume the PC is clean, but does that really matter in the equation?
I could have a fantastic IPSEC tunnel on a dirty PC and cause just as much havoc.
BUT YES, I mean access to LAN services or drives (not really discussing here the config of the router).
If you want to access something in the LAN, you can either have a VPN to the router and then secure access to anything in the LAN, or forward ports to selected services in the LAN. If it's the latter, then security depends on the LAN device itself. And it doesn't really matter if it's something else in the LAN, or a service on the router. Either way, with VPN you have an extra level of protection.
The point of two factor authentication is to avoid a single weak spot. If you have only a password and someone steals it (because you have it written on paper next to the monitor, someone managed to sneak a keylogger into your computer, etc.), it's the only thing they need to get in. If you have another factor, e.g. some hardware token, a verification code sent as an SMS to your phone, etc., it's better, because the password alone is useless; they would also have to steal the other thing.
The difference is:
2F (for one service) is there to protect you from yourself (your mistakes). It won't help you if the device manufacturer creates a product with exploitable security holes.
Two different authentications (like VPN + SSH) protect from the other kind of mistakes. Not completely, but it's much less likely that someone like MikroTik will have exploitable security holes in both than in just one. But it won't help with your mistakes, e.g. if you use only a password for both and write them on the same piece of paper.
Got it, 2F is just getting to a secure door, one with a fixed key, the other with a changing key.
The door is separate and still has to be secure, otherwise the door will be circumvented regardless of keys.