Our client has a very strict environment and wants read-only access to our devices. So far, so good (that's easy).
But he also checks hourly whether the router config has changed. Now he worries that, within the hour, we can:
modify configuration,
hack their network,
revert configuration back so they won’t notice.
Is there a way to say there was a change in the configuration even if it was reverted back? I know logs would help, but the client says that seeing cleared logs wouldn’t help a lot, and in my opinion he is right here too.
Anything like a last system modification time? Anything like that?
RouterOS does not keep logs of full commands edited by a particular user.
/log print and /system history reflect the most important parts of the configuration.
You can get something like this from history, and logs will give similar output:
/system history> print detail
Flags: U - undoable, R - redoable, F - floating-undo
U action="nat rule moved" by="sergejs" policy=write
time=jun/13/2011 11:47:54
But what if I make the firewall changes, and later reset the lines in history? Is there any sign of changes? A version hash with date? mtime / ctime of a file?
EDIT: of course, I’m going with the firewall back to the original so config is same as previously.
> But what if I make the firewall changes, and later reset the lines in history? Is there any sign of changes? A version hash with date? mtime / ctime of a file?
You will see a notification that the firewall rules were changed at least two times,
I'm delivering a service to the client and need a VPN to my site. But the client is unable to separate the Mikrotik router into a VLAN network (as he has a dumb router). As the client has very sensitive data inside his network, everything from behind the Mikrotik's NAT (read: my service) shall not be able to reach the client's network. The client's service and my service share only internet access.
So we made a gentlemen's agreement: I'll set up the MT so it doesn't route traffic into the client's network, only to the internet and to my VPN concentrator (which is btw an RB1100), but the client needs to know if there are really no tries to disable this firewall.
So what he needs to know is if there was ANY change in configuration, even if logs were deleted and configuration reverted back. He needs some immutable information which is steady, say, until the router is reset.
I would think about an immutable configuration change counter or an md5 sum including date.
In line with what Feklar said I think you’re approaching this completely wrong. The issue is that your client does not trust you. That is a social problem, and there isn’t a technical solution for it.
Particularly since the proper solution is obvious: the client purchases equipment so that the trust boundary is entirely under his control.
Remove the changing parts of that config file (the second line or so has the export time written out); all the rest of the config should remain static, but just in case check that also;
Use MD5SUM or something else over that file;
Compare it with the old MD5SUM of that system config file from the last time.
If the MD5SUM is the same, then the configuration has not been changed.
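The steps above, worked as a small POSIX shell check (an added example, not code from the thread). It assumes the /export output has already been pulled to a local file over the read-only account, and that the only lines that vary between two exports of an unchanged config are the leading "#" header lines.

```shell
#!/bin/sh
# Added example, not from the thread: hash-and-compare check over a RouterOS
# "/export" dump, as in the steps above. Assumption: the only lines that vary
# between two exports of an unchanged config are the leading "# ..." header
# lines (export time, software id), so those are dropped before hashing.

# normalize_export FILE: print the export without "#" header/comment lines
normalize_export() {
    grep -v '^#' "$1"
}

# config_digest FILE: MD5 of the normalized export (hex digest only)
config_digest() {
    normalize_export "$1" | md5sum | cut -d' ' -f1
}

# check_config BASELINE_DIGEST FILE: returns 0 if unchanged, 1 if it differs
check_config() {
    current=$(config_digest "$2")
    [ "$current" = "$1" ] && { echo "unchanged $current"; return 0; }
    echo "CHANGED baseline=$1 current=$current"
    return 1
}

# Constructed sample exports (not real router output). A and B are the same
# config exported an hour apart; C has the client-LAN drop rule disabled.
WORK=$(mktemp -d)
cat > "$WORK/a.rsc" <<'EOF'
# jun/13/2011 11:47:54 by RouterOS 5.0
# software id = XXXX-XXXX
/ip firewall filter
add chain=forward action=drop dst-address=192.168.0.0/16 comment="client LAN"
EOF
cat > "$WORK/b.rsc" <<'EOF'
# jun/13/2011 12:47:54 by RouterOS 5.0
# software id = XXXX-XXXX
/ip firewall filter
add chain=forward action=drop dst-address=192.168.0.0/16 comment="client LAN"
EOF
cat > "$WORK/c.rsc" <<'EOF'
# jun/13/2011 13:47:54 by RouterOS 5.0
# software id = XXXX-XXXX
/ip firewall filter
add chain=forward action=drop dst-address=192.168.0.0/16 comment="client LAN" disabled=yes
EOF

BASELINE=$(config_digest "$WORK/a.rsc")   # stored at the first check
check_config "$BASELINE" "$WORK/b.rsc"    # header differs only: unchanged
check_config "$BASELINE" "$WORK/c.rsc" || echo "alert: config was modified"
```

This only sees what is in the export at check time, so a change reverted between two hourly runs is exactly the gap the thread is about; remote syslog, as suggested further down, is the usual complement.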
That's a very close look. The client has 90 locations, with half of the routers from the ISP. I need a service made and separated. I need to sell him an option, and I'm done with 45 locations where he is able to separate my routers.
And although your perspective is technical, you missed the solution I’m trying to get right and I’m also almost done:
the client has RO access to my routers, so he is fully aware of changes via a Nagios check,
my service is fully separated from his infrastructure,
the missing part is that he checks hourly for a change. I need
Syslog, like always, is the way to go, so thanks Feklar. I haven't proposed this yet to the client; I must have been blind when fighting the issue.
I think you need to educate the client about security theatre (look at http://ww.schneier.com or google it). I don't know how much they have spent on other types of security, but if they are not ready to buy another 45 firewalls. And this is trying to solve just one 'movie plot'.
I guess that you are in direct contact with the customer - so as a customer, I would trust you more, or not trust you less, than somebody I can contact only over the internet, phone or so. In short, I would be more afraid of attacks over HTTP initiated by my employees (shortly browsing) than by an ISP with a certain non-zero level of professional pride and responsibility.
Thank you very much for this, but this is off topic - the client is perfectly aware of the security, as we discussed it already... but because business is moving fast we really need additional services, and the price here is high. Delivering and configuring 45 firewalls throughout the whole country costs a lot, and if we can achieve the goal faster / cheaper we'll go for it.