Arcee
Member Candidate
Topic Author
Posts: 272
Joined: Fri Jun 27, 2014 2:33 pm

SwOS at Network Perimeter?

Sun May 12, 2019 1:59 am

Today I learned the difference between CSS, CRS and CCR: the Cloud Smart Switch (CSS) series is the only device of the three that cannot use RouterOS.

Being so used to RouterOS, I took my new CSS326-24G-2S+ out of the box and tried to mac-telnet and even winbox into it, only to find out that you can only manage the box over HTTP (correct me if I'm wrong).

I would like to use this device at the edge of my network. That is, this will be the only fabric between my core router and the upstream provider equipment (i.e. public facing interface).

That being said, what are your thoughts on placing this device at the public edge of a network? Is this safe?

I have already tested the "Allow from" feature and confirmed that the switch is not accessible from a port that has this option unchecked.

Any comments on best practice would be very helpful.
 
Arcee
Member Candidate
Topic Author
Posts: 272
Joined: Fri Jun 27, 2014 2:33 pm

Re: SwOS at Network Perimeter?

Sun May 12, 2019 3:49 pm

Bump...
Last edited by Arcee on Mon May 13, 2019 3:48 pm, edited 1 time in total.
 
Tobei
newbie
Posts: 25
Joined: Sun Sep 11, 2016 3:25 pm

Re: SwOS at Network Perimeter?

Mon May 13, 2019 4:34 pm

Hi,
you should never expose the management GUI/CLI or whatever on the external interfaces of your network. If you configure your switch in such a way that the management GUI is not accessible, then you will be fine. But keep in mind that you should think about using a specific VLAN only for your management stuff, so that the other traffic is separated from your management GUI/CLI.

There is no difference whether you use SwOS or RouterOS; both are embedded operating systems and both don't have DoS protection for their authentication mechanisms. If you need a login possibility from outside, use a normal Linux/Unix/Windows box and jump from there to your MikroTik devices. I usually use a Linux box with additional SSH DoS protection mechanisms like Fail2Ban or SSHGuard, and of course install OS updates fast and regularly.


Regards Tobias
