Will separate hardware firewall make the router safer?

I plan to expose a MikroTik (2011 series) running a small network to a public static IP address. Since security issues surface on any device from time to time (until they are fixed), will it make sense to put a separate firewall (e.g. ZyXEL) in front of the MikroTik?

Maybe firewall on the MikroTik can still remain active, but the point is to increase the effort needed for exploitation and also to relieve the MikroTik from many attacks randomly coming to the public static IP address.

Make sure you run a recent/latest-stable RouterOS release and have a GOOD config & good security principles (no default usernames, strong password, filter/restrict management IPs and restrict/deny remote management, etc., etc.).
(Most dangers are actually coming from inside your network: compromised systems, etc., after installing some software, clicking some mail links, etc., etc.)
(Also badly configured NAT rules to expose services might be a door-opener.)

Then a MikroTik device with firewall function is solid! (unless there exists some yet-unknown security vulnerability)
I’ve been running this for years; I have thousands of daily “tries” of remote IPs trying the obvious tricks, but that is nothing to be worried about.

MikroTik is NO real “UTM” firewall (Unified Threat Management), so no fancy features like application detection.
But very, very flexible in terms of scripting (e.g. make your own filter lists to deny malware/Tor-node networks, etc.).

It is good practice to have two firewalls from different manufacturers…
But I don’t think it is necessary for a lot of small businesses and households,
especially if the network doesn’t provide any services to the Internet like web, mail, etc…

I find it is more important to invest time and money to
keep the router up to date
and regularly check the firewall and co. for security breaches.

Thank you for additional insights.

Feel free to post your config here before you go live for advice.

/export hide-sensitive file=anynameyouwish

Thank you for the offer and also for that cool @MikroTik export statement.

Especially important is the statement: Feel free to post your config here before you go live for advice.
Certain devices have no default protection, and depending on the OS they are running they could be compromised very quickly!
So before you hook this thing to the Internet, check & double-check everything, RouterOS release, etc.

You don’t want to become a valued Mēris botnet contributor I guess :wink:

http://forum.mikrotik.com/t/meris-botnet-information/151776/1

What jvanhambelgium obviously meant was latest “Long-term” (not “Stable”) :laughing:

Also specifically make a mental distinction between exposing RouterOS vs hosts / services behind it, that is a huge difference.

This is a good reminder that Long-term releases may be preferred over Stable ones.


Also specifically make a mental distinction between exposing RouterOS vs hosts / services behind it, that is a huge difference.

I plan to expose:
0. no RouterOS management access
1. a few necessary ports from machines/VMs behind the router (e.g. a web server or a few Synology ports)
2. a few services located in the firewall’s DMZ (or, without a firewall, in the router’s DMZ)
3. a VPN gateway (maybe also preferably provided by the firewall instead of the router?)
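The earlier advice in this thread (restrict management IPs, deny remote management, keep your own deny lists) and the "exposing RouterOS vs. hosts behind it" distinction map directly onto RouterOS firewall chains: the input chain is traffic addressed to the router itself, the forward chain is traffic passing through it. The following is an added example written for this thread, not any poster's config or a MikroTik default; it assumes an interface list WAN containing ether1, a LAN bridge, an admin network 203.0.113.0/24, a DMZ web server at 192.168.10.10 and a WireGuard endpoint on udp/13231 (all constructed values).

```routeros
# Added example, not a poster's config. Assumed: ether1 is the WAN port, "bridge" is the LAN,
# admin network 203.0.113.0/24, DMZ web server 192.168.10.10, WireGuard listening on udp/13231.

# Interface lists so rules do not depend on a specific port name
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge

# Address lists: who may manage the router, and a self-maintained deny list
/ip firewall address-list
add list=mgmt-allowed address=203.0.113.0/24 comment="admin network (assumed value)"
add list=blocked address=198.51.100.0/24 comment="example entry for your own deny list"

# Management services: disable what is not needed, bind the rest to the admin network
/ip service
disable telnet,ftp,www,api,api-ssl
set ssh address=203.0.113.0/24
set winbox address=203.0.113.0/24

# Layer-2 management and neighbor discovery stay on the LAN side only
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN

# input chain = traffic TO RouterOS itself (item 0 of the plan: no management from the Internet)
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="fast path"
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=WAN src-address-list=blocked action=drop
add chain=input in-interface-list=WAN protocol=udp dst-port=13231 action=accept comment="VPN endpoint (assumed WireGuard port)"
add chain=input in-interface-list=WAN protocol=icmp action=accept
add chain=input in-interface-list=WAN src-address-list=mgmt-allowed protocol=tcp dst-port=22,8291 action=accept
add chain=input in-interface-list=WAN action=drop comment="everything else aimed at the router"

# forward chain = traffic THROUGH RouterOS to hosts behind it (items 1 and 2 of the plan)
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=WAN src-address-list=blocked action=drop
add chain=forward in-interface-list=WAN connection-nat-state=dstnat action=accept comment="only explicitly published services"
add chain=forward in-interface-list=WAN action=drop

# Publish exactly one service: HTTPS to the DMZ web server; nothing else is reachable from WAN
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.10.10 to-ports=443
add chain=srcnat out-interface-list=WAN action=masquerade
```

Rules are evaluated top-down, so the final `action=drop` in each chain is what makes the "deny by default" posture real; every published service is then a deliberate dst-nat rule plus the single `connection-nat-state=dstnat` accept, rather than an open forward chain. After applying something like this, `/export hide-sensitive file=...` as suggested above gives you a config you can post for review without leaking secrets.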