killersoft
Member Candidate
Topic Author
Posts: 235
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

IDS / IPS Package

Sat Sep 12, 2020 4:20 am

Hi.

Would it be plausible to 'integrate' an IDS / IPS "package" into RouterOS 7?
I know it would be both CPU- and storage-wise expensive. That said, I propose it as a package, aimed at x86 / CHR (virtualized) & up-scaled MikroTik hardware.
I know you can of course stream IP traffic & mirror (L2) off to a 'SEPARATE' box (Snort etc.) to look at traffic, and you can even feed data back to RouterOS to close down bad flows/IPs etc.

Having recently played with pfSense, the ease of adding Snort and Suricata into one piece of hardware OR a virtualized instance makes security much more streamlined.
For me, being able to add it to a Captive Portal/Hotspot for a large client base is my take on this point of view, but there are plenty of other areas of application for an "integrated IDS/IPS".

Thoughts?
 
mozerd
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: IDS / IPS Package

Sat Sep 12, 2020 5:21 am

MikroTik ROS is currently not able to do DPI [deep packet inspection] and I do not know if DPI is planned for v7; plus, to do DPI properly would require a powerful CHIP [ASIC] ... currently, looking at the Tik hardware platform, I do not see anything that can possibly do it .... it would require a new class of hardware.

Ubiquiti UDM-PRO can do DPI plus a lot more and at $380 would be very hard to beat ... check out the data sheet for the UDM Pro and look at the Superior Performance section ...somewhat amazing for the money.

Can Tik compete???
 
killersoft
Member Candidate
Topic Author
Posts: 235
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: IDS / IPS Package

Sat Sep 12, 2020 7:04 am

Actually, MikroTik does DPI (https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7). And no, it cannot break SSL etc., nor do I care what's inside normal day-to-day end-user traffic as long as the end machine is not breaking or SNIFFING around my NETWORK, and if it IS, then I want to detect those LAN/WAN-side scans and unusual traffic flows to/from that machine and have that traffic both LOGGED and automatically have the end host machine/device blocked.

Since I don't own/control the END-user devices attached to, say, my hotspots, I care about my NETWORK SECURITY posture.
Using signature-based detection / heuristic / Machine Learning systems it's possible to detect such abnormal network traffic discrepancies.
Having a built-in IDS / IPS integrated with RouterOS would make this easy, rather than using an alternate product or bolting on another VM to receive mirrored traffic, process it, and feed back into the front-end router to blackhole the traffic or IP.
If I can do all of that with pfSense (with the Snort OR Suricata package) in VMware ESXi in a test environment, then it's not a stretch to think that it could also be done in RouterOS 7.

I prefer RouterOS over pfSense, and given I manage over 80 MT devices & VMs in a campus environment, I see the benefits of adding such a package.

https://suricata-ids.org/
https://www.snort.org/faq/what-is-snort
https://en.wikipedia.org/wiki/Intrusion ... on_systems
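The feedback loop killersoft describes above (an external Suricata/Snort sensor sees the mirrored traffic, and the front-end router blackholes the offending host) sketched as an added example; this is not code from the thread, from MikroTik or from the Suricata project. It reads Suricata EVE JSON alerts and emits RouterOS address-list commands; the sample alerts, the `ids_block` list name, the severity threshold and the `NEVER_BLOCK` protected-host list are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample Suricata EVE JSON lines (not real captures). Signature ids
# are in the local-rule range and all addresses are RFC 5737 documentation ranges.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"198.51.100.23","dest_ip":"192.0.2.10","dest_port":1433,"proto":"TCP","alert":{"signature_id":1000001,"signature":"LOCAL SCAN inbound port sweep","severity":1}}
{"event_type":"flow","src_ip":"192.0.2.44","dest_ip":"203.0.113.9","proto":"TCP"}
{"event_type":"alert","src_ip":"192.0.2.44","dest_ip":"192.0.2.1","dest_port":22,"proto":"TCP","alert":{"signature_id":1000002,"signature":"LOCAL SCAN lateral ssh probe","severity":2}}
{"event_type":"alert","src_ip":"203.0.113.9","dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"signature_id":1000003,"signature":"LOCAL INFO low-priority noise","severity":3}}
{"event_type":"alert","src_ip":"192.0.2.1","dest_ip":"192.0.2.10","dest_port":53,"proto":"UDP","alert":{"signature_id":1000004,"signature":"LOCAL SCAN from gateway","severity":1}}
"""

# Hosts that must never be blackholed even if a noisy rule fires on them
# (the router itself, resolvers, monitoring). Assumed value for this example.
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.1/32")]

def select_offenders(eve_text, max_severity=2):
    """Return {src_ip: signature} for alert events at or above the threshold
    (Suricata severity: 1 = high, 3 = low), skipping other event types and
    protected hosts. The first matching signature per source is kept."""
    offenders = {}
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        alert = ev["alert"]
        if alert.get("severity", 3) > max_severity:
            continue
        src = ipaddress.ip_address(ev["src_ip"])
        if any(src in net for net in NEVER_BLOCK):
            continue
        offenders.setdefault(str(src), alert["signature"])
    return offenders

def routeros_commands(offenders, list_name="ids_block", timeout="1d"):
    """Render RouterOS CLI lines adding each offender to a timed address list.
    One filter rule (src-address-list=ids_block action=drop) then enforces it;
    the timeout makes the block expire instead of accumulating forever."""
    return [
        f"/ip firewall address-list add list={list_name} address={ip} "
        f"timeout={timeout} comment=\"{sig}\""
        for ip, sig in sorted(offenders.items())
    ]

if __name__ == "__main__":
    print("\n".join(routeros_commands(select_offenders(SAMPLE_EVE))))
```

The generated lines are meant to be pushed to the router over SSH or the API; the address list is the only thing that changes, so the drop rule itself stays static and auditable.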
 
mozerd
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: IDS / IPS Package

Mon Sep 14, 2020 3:02 pm

I agree that RouterOS is far superior to pfSense, especially because of Winbox ... ROS L7 is very limited in its capability and very CPU-intensive, and most capable techs would not consider that an effective IDS/IPS mechanism ....

IDS/IPS requires proper decryption because in the current world 90%+ of websites use SSL and those packet headers are encrypted, so if an attack is going through SSL/TLS encryption, ROS L7 can't detect it.
 
Guscht
Member Candidate
Posts: 236
Joined: Thu Jul 01, 2010 5:32 pm

Re: IDS / IPS Package

Thu Feb 16, 2023 10:26 pm

AFAIK you can use a transparent IDS/IPS. E.g. put a SonicWall in as a "transparent" Layer-2 bridge in front of the MikroTik.
Like: WAN <-> SonicWall <-> MikroTik <-> LAN

https://www.sonicwall.com/support/knowl ... 277832289/
I have never tested this, but the design would be nice. And the IDS/IPS runs on hardware which is designed for exactly this purpose. I see no MT device which could do a real IDS/IPS.