vdelarenal75 (Frequent Visitor, Topic Author)

Protect from customers

Fri Sep 25, 2009 11:18 pm

Hi, I've been trying to find a way to protect my network from my own customers; I will try to explain myself. About a week ago one of my customers connected a router to the network, and instead of connecting it to the WAN port he connected it to one of the Ethernet ports, so it was assigning IP addresses. It was easy to discover, but meanwhile it affected some other customers.

The first example was easy to fix, but I had another client that had a virus that killed his network and somehow managed to mess up my whole network: it made connections drop, the network was very slow, some pages didn't open, and all of this was caused by a single computer. I was able to discover this when I restarted the router: all the clients started to log in and everything was fine until this client connected and the Internet started to fail. I went to this customer, and every time I connected his machine to the network it started to fail. It took me about 15 days to find out what was happening, and I need a way to prevent this from happening again.

I just use MikroTik for client authentication and load balancing; for the wireless part I'm using SkyPilot.

Regards,
 
Chupaka (Forum Guru, Minsk, Belarus)

Re: Protect from customers

Sat Sep 26, 2009 12:49 am

Well, I think that virus was using some kind of ARP spoofing to redirect traffic to the infected machine. It's poisoning of one client by another client, without the router's participation, so your switches should have some security functions. On the RouterOS side you may just use a static ARP table (or a read-only one, with the 'Add ARP for Leases' DHCP server option).
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
vdelarenal75 (Frequent Visitor, Topic Author)

Re: Protect from customers

Sat Sep 26, 2009 12:58 am

> Well, I think that virus was using some kind of ARP spoofing to redirect traffic to the infected machine. It's poisoning of one client by another client, without the router's participation, so your switches should have some security functions. On the RouterOS side you may just use a static ARP table (or a read-only one, with the 'Add ARP for Leases' DHCP server option).

Ok, thank you. I checked 'Add ARP for leases'; will that also protect PPPoE clients (I use both Hotspot and PPPoE)?

Regards,
 
Chupaka (Forum Guru, Minsk, Belarus)

Re: Protect from customers

Sun Sep 27, 2009 12:02 am

Do your PPPoE clients suffer from that problem?

P.S. Have you set 'ARP Mode' to read-only?
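The RouterOS side of what Chupaka describes in his two replies (static or read-only ARP on the customer-facing interface, plus the 'Add ARP for Leases' DHCP option), written out as an added example that is not from the thread; the interface name `ether2`, the DHCP server name `dhcp-customers` and the address/MAC values are placeholders for illustration.

```routeros
# Added example, not from the thread. Names and addresses are placeholders.

# 1. Put the customer-facing interface into reply-only ARP mode ('ARP Mode'
#    read-only in WinBox). The router still answers ARP requests for its own
#    address but no longer learns entries dynamically, so a forged ARP reply
#    from a customer host cannot overwrite the router's IP-to-MAC mapping.
#    (For a bridge, set the same option under /interface bridge.)
/interface ethernet set [ find name="ether2" ] arp=reply-only

# 2. Let the DHCP server create the ARP entry for every lease it hands out
#    ('Add ARP For Leases'). Without this, reply-only mode leaves DHCP
#    clients with no ARP entry on the router and they cannot reach it.
/ip dhcp-server set [ find name="dhcp-customers" ] add-arp=yes

# 3. Hosts with fixed addresses get a static entry instead (placeholder
#    address and MAC), so they keep working in reply-only mode as well.
/ip arp add address=192.0.2.50 mac-address=00:11:22:33:44:55 \
    interface=ether2 comment="customer with static IP"

# 4. Verify: on a reply-only interface no entry should carry the D
#    (dynamic) flag; entries come only from DHCP leases or static config.
/ip arp print where interface=ether2
```

The thread itself reports that enabling 'Add ARP for leases' interfered with Hotspot logins on the poster's setup, so test the combination with your own Hotspot/PPPoE configuration before rolling it out.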
 
vdelarenal75 (Frequent Visitor, Topic Author)

Re: Protect from customers

Wed Sep 30, 2009 2:49 am

Hi, thank you very much for your time. I can't find where I can set ARP to read-only; can you please tell me how to do it? I had to disable 'Add ARP for leases' in the DHCP server because it was stopping my clients from authenticating in the Hotspot. Also, can you suggest a switch that can protect my network from this?

Regards
 
kthameen (Frequent Visitor, Leuven, Belgium)

Re: Protect from customers

Wed Sep 30, 2009 3:54 am

To prevent ARP attacks on your network, try ArpON (website: http://arpon.sourceforge.net/);
otherwise you have to buy a Cisco Catalyst, at least the 4500 series, with these kinds of protections.
 
gregsowell (Member Candidate)

Re: Protect from customers

Wed Sep 30, 2009 6:40 am

What you want is a Cisco 3550 or better... so a 3550, 3560, 3750, or 6500 with Sup 32 or better. A 3550 48-port switch is $310. You want to use port security (limits MACs per port / prevents MAC table overrunning and DHCP starvation), DHCP snooping (prevents rogue DHCP / builds the DHCP snooping binding table) and dynamic ARP inspection (prevents man-in-the-middle attacks). All of this protection for $320 is pretty remarkable.
Hit my blog for video tutorials of Mikrotik and Cacti.
Just so I look as cool as everyone else ->CCNA / CCNP / CCIE W / MCNA / MCRE / MCIE / Certified Trainer / A+ / N+ / Partridge in pear tree <- *sigh* I'll never know enough...
 
kthameen (Frequent Visitor, Leuven, Belgium)

Re: Protect from customers

Wed Sep 30, 2009 1:17 pm

The Cisco 3550 cannot handle ARP floods; the CPU will hit 100% and it can restart, and while using Hotspot many features are limited.
 
gregsowell (Member Candidate)

Re: Protect from customers

Thu Dec 17, 2009 12:36 am

The 3550 won't go to 100%; it will err-disable the port (shut it down). You can then set a recovery timer on ports that are err-disabled, so the port will move back to forwarding traffic after a given interval. 3550s are the cheapest option in the Cisco line to take care of these issues.

Here's an article on configuring your equipment. It also explains the issues more in depth. http://gregsowell.com/?p=1133
 
fewi (Forum Guru)

Re: Protect from customers

Thu Dec 17, 2009 12:46 am

Cisco 2950s and 2960s also have port security and DHCP snooping.
