Seccour
newbie
Topic Author
Posts: 42
Joined: Sat Apr 02, 2005 11:10 pm

PCI-DSS/Security Risk Assessment/Gap Analysis

Wed Jan 23, 2013 2:29 am

This topic doesn't seem to come up at all. I started out in the ISP biz and moved over to information security for a company who was small enough that 'tiks still seemed to fit the bill.

However, we are starting to get hit with PCI-DSS evaluations, risk assessments and gap analyses with an array of requirements, most of which I have been able to meet easily except one: security authentication on the router. Almost every third party wants to see me doing it the 'Cisco' way, with primary remote logins being strictly unprivileged and forcing elevation to a privileged user after connection, i.e. enable.

Now I can emulate this functionality by allowing only a stripped-down user remote access, setting up a loopback bridge interface with no ports, assigning an IP address to that bridge and SSHing into itself from there, with the allowed IP address for the administrative full-access user being the router itself.

Which in and of itself isn't too terrible, other than that I prefer to work with firewall rules using winbox. Anyone else had experience with this and other PCI-DSS compliance rules and getting the 'tik to be compliant?

I would really like to see permission elevation within both winbox and ssh as a native functionality instead of the config needing to be creative.

Also, to ssh out (use the ssh client) the test policy is required. I couldn't find this documented anywhere.
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: PCI-DSS/Security Risk Assessment/Gap Analysis

Wed Jan 23, 2013 3:30 am

To answer your question, elevation of privileges, although nice, is not a PCI requirement, so I think your QSA is smoking something :). Using RADIUS for AAA should be sufficient.

Myself, I don't use MikroTik in such environments due to a number of things:

- Unstable ROS versions. PCI compliance requires that you use the latest version available, which is likely not stable.
- Logging bogs down routerboards too much
- Lack of security patches from Mikrotik
 
Seccour
newbie
Topic Author
Posts: 42
Joined: Sat Apr 02, 2005 11:10 pm

Re: PCI-DSS/Security Risk Assessment/Gap Analysis

Wed Jan 23, 2013 7:09 am

Certainly some advice to take to heart on that. The most recent request for the elevation of privvies wasn't PCI but an internal risk assessment they had built up using bits and pieces here and there. Now that you mention it, I think it has only been internal risk assessments that have had that question. All three seem to lump together in my brain. We went with 'tiks initially because, like most entry organizations, the IT budget isn't one they want to think about, let alone actually devote to getting it done right, and I already had experience with it.

As just a router and firewall, I've rarely had stability issues. I stopped using 'tiks for wireless long ago. I suppose if they really want to pass those assessments, it's their budget they will need to adjust.
 
NumLock
Frequent Visitor
Posts: 69
Joined: Mon Jun 16, 2008 3:38 am

Re: PCI-DSS/Security Risk Assessment/Gap Analysis

Thu Jan 24, 2013 4:56 pm

Why not put some firewall behind the server you need PCI-DSS compliance for?
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: PCI-DSS/Security Risk Assessment/Gap Analysis

Thu Jan 24, 2013 6:16 pm

Security settings in RouterOS differ from other vendors' offerings. A lot of know-how on best practices for securing the device can be found in these forums and also on wiki.mikrotik.com.

First of all, if a safe environment is required, one approach would be to create a secure tunnel to the device and allow connections from privileged users to the router only via tunnels.

About logging - you can create remote logging rules that log to a remote location; that has negligible additional load on the router itself. And yet again, if security is a concern, that can be done via a secure tunnel. How good are logs if they are gone with the device?

About the ssh client: http://wiki.mikrotik.com/wiki/Manual:System/SSH_client

You can see that even keyed logins from the router to another host are available. Also, you can look into the ssh tunnel feature, which will create a secure connection to the router, through which you can log in to the device via secured winbox.
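The following RouterOS CLI sketch puts together the restricted-login plus self-SSH elevation that the topic author describes and the remote-logging advice from the reply above. It is an added example, not configuration from the thread or from MikroTik; the loopback address 192.0.2.1, syslog host 203.0.113.10, management subnet, and the user and group names are all assumptions.

```routeros
# Added example: least-privilege remote login with a separate full-rights
# account usable only from the router itself, plus off-box logging.
# All addresses and names are constructed for illustration.

# 1. Loopback bridge with no ports; its /32 is the "from the router itself"
#    address that the full-rights user is restricted to.
/interface bridge add name=loopback
/ip address add address=192.0.2.1/32 interface=loopback

# 2. Day-to-day remote login group: read-only, may use winbox/ssh and the
#    ssh client (which, per the thread, needs the "test" policy).
#    Policies not listed are denied.
/user group add name=remote-ro policy=ssh,winbox,read,test
/user add name=ops group=remote-ro password="<set a strong passphrase>"

# 3. Full-rights user that can only log in from the loopback address,
#    i.e. only from a session that is already on the router.
/user add name=ops-admin group=full address=192.0.2.1/32 \
    password="<set a different strong passphrase>"

# 4. Elevation step, typed inside the restricted "ops" session:
#    /system ssh 192.0.2.1 user=ops-admin

# 5. Ship logs off-box so they survive loss of the device; the remote
#    action adds negligible load compared with local logging.
/system logging action add name=remote-syslog target=remote \
    remote=203.0.113.10 remote-port=514 src-address=192.0.2.1
/system logging add topics=info action=remote-syslog
/system logging add topics=warning action=remote-syslog
/system logging add topics=error action=remote-syslog
/system logging add topics=critical action=remote-syslog
/system logging add topics=account action=remote-syslog

# 6. Expose management services only to the management subnet (constructed)
#    and switch off the plaintext ones.
/ip service set ssh address=10.10.0.0/24
/ip service set winbox address=10.10.0.0/24
/ip service disable telnet
/ip service disable ftp
/ip service disable www
/ip service disable api
```

The "account" topic carries login successes and failures, so the remote syslog host ends up with an audit trail of both the unprivileged logins and each elevation to ops-admin.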
