miroxlav
just joined
Topic Author
Posts: 12
Joined: Thu Sep 11, 2014 10:58 am
Location: Slovakia

Will separate hardware firewall make the router safer?

Thu Sep 16, 2021 10:45 am

I plan to expose MikroTik (2011 series) running a small network to a public static IP address. Since security issues from time to time surface on any device (until they are fixed), will it make a sense to put a separate firewall (e.g. ZyXEL) in front of the MikroTik?

Maybe firewall on the MikroTik can still remain active, but the point is to increase the effort needed for exploitation and also to relieve the MikroTik from many attacks randomly coming to the public static IP address.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Will separate hardware firewall make the router safer?  [SOLVED]

Thu Sep 16, 2021 10:59 am

Make sure you run a recent/latest-stable RouterOS release and have a GOOD config & good security principles (no default usernames, strong password, filter/restrict management IPs and restrict/deny remote management, etc.).
(Most dangers are actually coming from inside your network: compromised systems etc. after installing some software, clicking some mail links, etc.)
(Also, badly configured NAT rules to expose services might be a door-opener.)

Then a MikroTik device with firewall function is solid! (unless there exists some yet-unknown security vulnerability)
I've been running this for years. I have thousands of daily "tries" from remote IPs trying the obvious tricks, but that is nothing to be worried about.

MikroTik is NO real "UTM" firewall (Unified Threat Management), so no fancy features like application detection.
But it is very, very flexible in terms of scripting (e.g. make your own filter lists to deny malware/Tor nodes/networks, etc.)
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Will separate firewall make MikroTik safer?

Thu Sep 16, 2021 11:17 am

It is a good practice to have two firewalls from different manufacturers...
But I don't think it is necessary for a lot of small businesses and households,
especially if the network doesn't provide any services to the internet like web, mail, etc.

I find it is more important to invest time and money and
keep the router up to date
and regularly check firewall and co. for security breaches.
 
miroxlav
just joined
Topic Author
Posts: 12
Joined: Thu Sep 11, 2014 10:58 am
Location: Slovakia

Re: Will separate firewall make MikroTik safer?

Thu Sep 16, 2021 12:19 pm

> It is a good practice to have two firewalls from different manufacturers...
> But I don't think it is necessary for a lot of small businesses and households, especially if the network doesn't provide any services to the internet like web, mail, etc.
>
> I find it is more important to invest time and money and keep the router up to date and regularly check firewall and co. for security breaches.

Thank you for additional insights.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Will separate hardware firewall make the router safer?

Thu Sep 16, 2021 12:27 pm

Feel free to post your config here before you go live for advice.

/export hide-sensitive file=anynameyouwish
 
miroxlav
just joined
Topic Author
Posts: 12
Joined: Thu Sep 11, 2014 10:58 am
Location: Slovakia

Re: Will separate hardware firewall make the router safer?

Thu Sep 16, 2021 1:00 pm

> Feel free to post your config here before you go live for advice.
>
> /export hide-sensitive file=anynameyouwish

Thank you for the offer and also for that cool@MikroTik export statement.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Will separate hardware firewall make the router safer?

Thu Sep 16, 2021 1:10 pm

Especially important is the statement: "Feel free to post your config here before you go live for advice."
Certain devices have no default protection, and depending on the OS they are running they could be compromised very quickly!
So before you hook this thing to the Internet, check & double-check everything, RouterOS release, etc.

You don't want to become a valued Mēris botnet contributor I guess ;-)

viewtopic.php?f=21&t=178417
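
The pre-go-live check suggested in this thread, sketched as an added example that is not part of any post: it reads the text produced by `/export` and flags management services left open to any source address and dst-nat rules that are broader than a single forwarded port. The sample export is constructed, and `parse_export` and `audit` are hypothetical helper names.

```python
import shlex

# Constructed sample in the layout of a RouterOS /export; not taken from the thread.
SAMPLE_EXPORT = """\
# constructed example export
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh port=2222
set api disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 \\
    protocol=tcp to-addresses=192.168.88.10 to-ports=443
add action=dst-nat chain=dstnat protocol=tcp to-addresses=192.168.88.20
"""

def parse_export(text):
    """Yield (menu, verb, positional args, key=value properties) per command."""
    menu = None
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        verb, *rest = shlex.split(line)
        props = dict(t.split("=", 1) for t in rest if "=" in t)
        yield menu, verb, [t for t in rest if "=" not in t], props

def audit(text):
    """Return findings for open management services and loose dst-nat rules."""
    findings = []
    for menu, verb, names, props in parse_export(text):
        if menu == "/ip service" and verb == "set" and names:
            # Assumption: a listed service without disabled=yes is treated as enabled.
            if props.get("disabled") != "yes" and "address" not in props:
                findings.append(f"service {names[0]}: enabled, no address= restriction")
        elif menu == "/ip firewall nat" and props.get("action") == "dst-nat":
            target = props.get("to-addresses", "?")
            if "dst-port" not in props:
                findings.append(f"dst-nat to {target}: no dst-port, matches every port")
            elif not {"in-interface", "in-interface-list", "dst-address"} & props.keys():
                findings.append(f"dst-nat to {target}: not tied to a WAN interface or address")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

Services that do not appear in the export are not evaluated by this check, so confirm their state on the device as well.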
 
Joni
Member Candidate
Posts: 156
Joined: Fri Mar 20, 2015 2:46 pm

Re: Will separate hardware firewall make the router safer?

Thu Sep 16, 2021 2:24 pm

> Make sure you run a recent/latest-stable RouterOS release

What jvanhambelgium obviously meant was latest "Long-term" (not "Stable") :lol:

Also specifically make a mental distinction between exposing RouterOS vs hosts / services behind it, that is a huge difference.
 
miroxlav
just joined
Topic Author
Posts: 12
Joined: Thu Sep 11, 2014 10:58 am
Location: Slovakia

Re: Will separate hardware firewall make the router safer?

Thu Sep 16, 2021 6:19 pm

> > Make sure you run a recent/latest-stable RouterOS release
>
> What jvanhambelgium obviously meant was latest "Long-term" (not "Stable") :lol:

This is a good reminder that Long-term releases may be preferred over Stable ones.

> Also specifically make a mental distinction between exposing RouterOS vs hosts / services behind it, that is a huge difference.

I plan to expose:
0. no RouterOS management access
1. a few necessary ports from machines/VMs behind the router (e.g. a web server or a few Synology ports)
2. a few services located in firewall's DMZ (or without firewall, in router's DMZ)
3. a VPN gateway (maybe also preferably provided by firewall instead of a router?)
