Adding dynamic firewall rules to mikrotik - Suricata - Axiom Shield

Hi!

I am looking for some additional security to block attacks directly at the perimeter.

What I found, is:

  • Suricata-integration with ETPro-rules
    Looks great, but it’s hard to decide and manage which rules should be blocked, because there is no “severity” level at the rules.

  • Axiom Cyber Shield
    I found that professional add-in for MikroTik that claims to add dynamic firewall rules:
    https://axiomcyber.com/shield/
    Is anybody here using that product? What are your thoughts about it?

Thank you and best wishes
Stril

Hmm.. MT is absolutely not a “next-generation” player in the firewall area… filtering at L7 is getting more & more useless and kills the performance of these units.


My MikroTik has a firewall?
Yes! MikroTik’s firewall capabilities outperform some of the most expensive and elaborate firewall solutions from the “other guys”. It is considered next-generation, which means it can do Deep Packet Inspection (DPI) and track connections like a stateful firewall, but is also able to filter up to Layer 7. At Axiom, we utilize these tools to protect networks at the ingress to stop repeat offenders from probing or attempting to penetrate your network. We also catch a lot of stuff going out the egress, such as ransomware, Tor (DarkWeb), torrenting, and more.

Hi!

I am not really interested in L7 capabilities. What I am looking for is:

  • a good set of blacklists that are maintained
  • some DDoS rules
  • a good IDS link (separate IDS system with API link)

This is the best provider I am aware of, costs pennies and is very good.
If I wasn't using Axiom Shield (I can write it off for tax purposes) I would be using this service.
https://itexpertoncall.com/
https://itexpertoncall.com/additional_info/moabpre.html

But what is your experience with Axiom? It seems like the Axiom website did not get any updates for two years? Are you getting updates frequently?

The updates are done by scripts, the router fetches updates every 10 minutes.
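As an added illustration of the "fetch a maintained blocklist by script and turn it into address-list entries" approach discussed here (this is example code written for this thread, not Axiom's or itexpertoncall's scripts), the Python below converts a blocklist in the semicolon-commented text format Spamhaus uses for its DROP list into a RouterOS `.rsc` file that can be imported, and emits the raw-table drop rules that reference the resulting address list. The sample input is constructed from RFC 5737 documentation prefixes, and the list name `drop-spamhaus` is an assumption; malformed lines are skipped rather than aborting the whole import, because one bad line would otherwise stop `/import` and leave the router with a half-loaded list.

```python
import ipaddress

# Constructed sample in Spamhaus DROP text format ("prefix ; SBL reference").
# These are RFC 5737 documentation prefixes, not entries from the real list.
SAMPLE_DROP = """\
; Spamhaus DROP List -- constructed sample for this example
; Last-Modified: example
203.0.113.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
not-an-address ; SBL000003
"""

LIST_NAME = "drop-spamhaus"  # assumed address-list name on the router


def parse_drop(text):
    """Return validated IPv4/IPv6 networks from DROP-format text.

    Everything after ';' is a comment; blank lines and unparsable
    prefixes are skipped so a single bad line cannot poison the import.
    """
    nets = []
    for line in text.splitlines():
        body = line.split(";", 1)[0].strip()
        if not body:
            continue
        try:
            nets.append(ipaddress.ip_network(body, strict=True))
        except ValueError:
            continue
    return nets


def render_rsc(nets, list_name=LIST_NAME):
    """Render a RouterOS script that replaces the address list atomically
    enough for this purpose: remove the old entries, then add the new set.
    """
    lines = ["/ip firewall address-list",
             f"remove [find list={list_name}]"]
    for net in nets:
        lines.append(f'add list={list_name} address={net} comment="drop"')
    return "\n".join(lines) + "\n"


def firewall_rules(list_name=LIST_NAME):
    """Raw-table rules so listed sources/destinations are dropped before
    connection tracking does any work (cheap on small routers).
    """
    return "\n".join([
        "/ip firewall raw",
        f'add chain=prerouting src-address-list={list_name} action=drop '
        f'comment="blocklist inbound"',
        f'add chain=prerouting dst-address-list={list_name} action=drop '
        f'comment="blocklist outbound"',
    ]) + "\n"


def is_blocked(ip, nets):
    """Offline check: would this address match the generated list?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    networks = parse_drop(SAMPLE_DROP)
    print(render_rsc(networks))
    print(firewall_rules())
    print("203.0.113.7 blocked:", is_blocked("203.0.113.7", networks))
```

The generated `.rsc` would be served from a host you control and pulled on the router with `/tool fetch url=... dst-path=drop.rsc` followed by `/import file-name=drop.rsc`, both wrapped in a `/system scheduler` entry with `interval=10m` to match the refresh cadence mentioned above. `is_blocked` is the offline counterpart of pinging a listed address from behind the router: if it returns true for an address that still answers, the list or the rule order is wrong.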

But did you see, if the content is really “managed”?

If you provide a bit more detail on the question I can certainly make inquiries.

Hi!

Let’s take the IP: 2.59.200.1 (from Spamhaus DROP).

Can you ping the IP?

Doing some testing at the moment, so the first view is WinMTR to that IP from a non-loaded router.
If able, will load up a second router with the rules in place…

|------------------------------------------------------------------------------------------|
|                                      WinMTR statistics                                   |
|                       Host              -   %  | Sent | Recv | Best | Avrg | Wrst | Last |
|------------------------------------------------|------|------|------|------|------|------|
|                             192.168.0.1 -    0 |  105 |  105 |    0 |    0 |    6 |    0 |
|       loop0.52w.ba06.drmo.ns.aliant.net -    0 |  105 |  105 |    0 |    2 |   17 |    8 |
|         be12-83.cr01.drmo.ns.aliant.net -    0 |  105 |  105 |    1 |    2 |    5 |    1 |
|     et-5-1-0-50.cr02.drmo.ns.aliant.net -    0 |  105 |  105 |    1 |    3 |   29 |   25 |
|             ae4.cr02.stjh.nb.aliant.net -    0 |  105 |  105 |    4 |    5 |   26 |    5 |
|             ae0.bx01.toro.on.aliant.net -    0 |  105 |  105 |   21 |   23 |   47 |   23 |
|           bx3-torontoxn_be8.net.bell.ca -    0 |  105 |  105 |   22 |   23 |   41 |   23 |
|tcore4-torontoxn_hundredgige0-6-0-0.net.bell.ca -   23 |   54 |   42 |    0 |   22 |   25 |   22 |
|           bx5-torontoxn_ae1.net.bell.ca -    0 |  105 |  105 |   22 |   23 |   37 |   23 |
|                  toro-b1-link.telia.net -    0 |  105 |  105 |   22 |   22 |   26 |   23 |
|                   No response from host -  100 |   21 |    0 |    0 |    0 |    0 |    0 |
|                  ldn-bb3-link.telia.net -   13 |   70 |   61 |    0 |  100 |  104 |  100 |
|                   ldn-b1-link.telia.net -    0 |  105 |  105 |   99 |  100 |  107 |  101 |
|                   No response from host -  100 |   21 |    0 |    0 |    0 |    0 |    0 |
|                   No response from host -  100 |   21 |    0 |    0 |    0 |    0 |    0 |
|                   No response from host -  100 |   21 |    0 |    0 |    0 |    0 |    0 |
|                              2.59.200.1 -    4 |   94 |   91 |  154 |  155 |  162 |  157 |
|________________________________________________|______|______|______|______|______|______|
   WinMTR v0.92 GPL V2 by Appnor MSP - Fully Managed Hosting & Cloud Provider

pingsite.JPG