robertpenz
Frequent Visitor
Topic Author
Posts: 80
Joined: Mon Oct 10, 2011 8:41 am

Feature Requests for 7.x for improved network security

Sat Feb 22, 2014 6:24 pm

Hi!
I would love the following features, especially for the CRS.

- Wired MAC Authentication against Radius with dynamic VLAN assignment via Radius
- Wired 802.1x Authentication against Radius with dynamic VLAN assignment via Radius
- Wired Dual (MAC and 802.1x) Authentication against Radius

The following for all Routers/Switches:

- Protection against ARP Spoofing and the same for IPv6
- Binding ARP Table to DHCP Entries in DHCP Relay mode (as long as a lease is valid only use this MAC for the IP)

Thx in Advance.
Regards,
Robert
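
Added example, not part of the original post and not MikroTik code: a sketch of what a switch has to do with a RADIUS Access-Accept before placing a port in a dynamically assigned VLAN. It verifies the RFC 2865 Response Authenticator, then reads the RFC 2868/3580 tunnel attributes. The function names, the shared secret and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RFC 2868 attribute types and the RFC 3580 values that mean "802.1Q VLAN".
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81
VLAN, IEEE_802, ACCESS_ACCEPT = 13, 6, 2

def response_auth(ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def vlan_from_accept(packet, request_auth, secret):
    """Return the VLAN ID from a verified Access-Accept, else None."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:]
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    expected = response_auth(ident, attrs, request_auth, secret)
    if not hmac.compare_digest(packet[4:20], expected):
        return None  # forged or corrupted reply: never apply its VLAN
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            return None  # malformed TLV
        found[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    # Tunnel-Type / Tunnel-Medium-Type carry one tag byte, then a 3-byte value.
    if (int.from_bytes(found.get(TUNNEL_TYPE, b"")[1:], "big") != VLAN or
            int.from_bytes(found.get(TUNNEL_MEDIUM, b"")[1:], "big") != IEEE_802):
        return None
    pgid = found.get(TUNNEL_PGID, b"")
    if pgid and pgid[0] <= 0x1F:  # optional leading tag byte
        pgid = pgid[1:]
    if not pgid.isdigit() or not 1 <= int(pgid) <= 4094:
        return None
    return int(pgid)

def build_accept(ident, request_auth, secret, vlan):
    """Constructed sample reply, standing in for a RADIUS server."""
    vid = str(vlan).encode()
    attrs = (bytes([TUNNEL_TYPE, 6, 0]) + VLAN.to_bytes(3, "big") +
             bytes([TUNNEL_MEDIUM, 6, 0]) + IEEE_802.to_bytes(3, "big") +
             bytes([TUNNEL_PGID, 2 + len(vid)]) + vid)
    auth = response_auth(ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs
```

For 802.1X, RFC 3579 additionally requires a Message-Authenticator attribute on EAP-carrying packets, which this example does not check.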
 
jaykay2342
Member
Posts: 335
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: Feature Requests for 7.x for improved network security

Sat Feb 22, 2014 8:13 pm

> Hi!
> I would love the following features, especially for the CRS.
>
> - Wired MAC Authentication against Radius with dynamic VLAN assignment via Radius
> - Wired 802.1x Authentication against Radius with dynamic VLAN assignment via Radius
> - Wired Dual (MAC and 802.1x) Authentication against Radius
>
> The following for all Routers/Switches:
>
> - Protection against ARP Spoofing and the same for IPv6
> - Binding ARP Table to DHCP Entries in DHCP Relay mode (as long as a lease is valid only use this MAC for the IP)
>
> Thx in Advance.
> Regards,
> Robert

+1
And why not make VLAN assignment via RADIUS available for wireless too? So one SSID but different networks based on a RADIUS attribute.

9-5 Job: Security analyst at a major MSSP.
Free time volunteer: Network admin and founder at a small non-profit WISP.
Certifications: ITILv3, GCIA
 
mymicha
just joined
Posts: 10
Joined: Tue Sep 20, 2011 12:49 am

Re: Feature Requests for 7.x for improved network security

Thu Feb 27, 2014 11:24 am

+1
Radius VLAN assignment - how I would love that :)

Micha
 
Zorro
Long time Member
Posts: 676
Joined: Wed Apr 16, 2014 2:43 pm

Re: Feature Requests for 7.x for improved network security

Wed Apr 16, 2014 3:58 pm

As for ARP, it demands support for MACsec and SecureID, which implies new hardware/PHY for both kinds of interfaces, sadly.
Or a CGA-based SEND replacement for both ARP and NDP, but the industry goes for the 1st option (actually all controller vendors).
As for VLANs - even with RADIUS they are vulnerable in the default state. http://resources.infosecinstitute.com/vlan-hacking/ (not the most extensive guide/conclusion, but really short and straightforward, probably).
 
lorsungcu
Frequent Visitor
Posts: 81
Joined: Sat Jul 09, 2011 11:11 pm

Re: Feature Requests for 7.x for improved network security

Fri Apr 18, 2014 10:57 pm

Yes, VLAN from RADIUS auth would be very very nice.
 
robertpenz
Frequent Visitor
Topic Author
Posts: 80
Joined: Mon Oct 10, 2011 8:41 am

Re: Feature Requests for 7.x for improved network security

Sat Apr 19, 2014 8:26 pm

Zorro: I believe you misunderstood my feature request. If you use the DHCP server on the MikroTik, it is possible to add the MAC address of the client which got the lease to the ARP table of the router. If you now disable ARP learning, only clients with DHCP can talk over the router, and ARP spoofing gets much harder too - just what you need in an enterprise client network. What's just missing on the MikroTiks is that this also works if the MikroTik is doing DHCP relay. We've been doing this with our Extreme Networks switch for years now.

And the other ARP security feature is called Gratuitous ARP. If the router sees an ARP reply with its IP address on the network, it sends out a Gratuitous ARP, so the clients which accept Gratuitous ARP are not using the one of the attacker.
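
Added example, not part of the original post and not RouterOS code: a small model of the two checks described above, run over constructed ARP replies. An ARP reply is accepted only if it matches a still-valid DHCP lease, and a reply that claims the router's own IP from a foreign MAC is flagged as the case where the router would answer with a gratuitous ARP. All names, addresses and timestamps are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Lease:
    mac: str       # lower-case MAC the DHCP server (or relay) saw for this IP
    expires: int   # lease expiry, epoch seconds

def inspect_arp(replies, leases, gateway_ip, gateway_mac):
    """Return one verdict per (timestamp, sender_ip, sender_mac) ARP reply."""
    verdicts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip == gateway_ip:
            # Someone else answering for the router's IP: re-announce ourselves.
            verdicts.append("ok" if mac == gateway_mac
                            else "gateway-spoof: send gratuitous ARP")
            continue
        lease = leases.get(ip)
        if lease is None:
            verdicts.append("drop: no lease for IP")
        elif ts > lease.expires:
            verdicts.append("drop: lease expired")
        elif mac != lease.mac:
            verdicts.append("drop: MAC does not match lease")
        else:
            verdicts.append("ok")
    return verdicts

# Constructed sample data (documentation address range, made-up MACs).
GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "00:11:22:33:44:55"
LEASES = {
    "192.0.2.20": Lease("aa:bb:cc:00:00:20", expires=2000),
    "192.0.2.21": Lease("aa:bb:cc:00:00:21", expires=1500),
}
REPLIES = [
    (1000, "192.0.2.20", "AA:BB:CC:00:00:20"),  # matches its lease
    (1000, "192.0.2.21", "de:ad:be:ef:00:01"),  # wrong MAC for a leased IP
    (1600, "192.0.2.21", "aa:bb:cc:00:00:21"),  # right MAC, lease expired
    (1000, "192.0.2.99", "de:ad:be:ef:00:01"),  # IP never leased
    (1000, "192.0.2.1", "de:ad:be:ef:00:01"),   # claims the router's IP
    (1000, "192.0.2.1", "00:11:22:33:44:55"),   # the router itself
]

if __name__ == "__main__":
    for reply, verdict in zip(REPLIES, inspect_arp(REPLIES, LEASES, GATEWAY_IP, GATEWAY_MAC)):
        print(reply, "->", verdict)
```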
 
k5nic
just joined
Posts: 13
Joined: Wed Feb 19, 2014 6:16 pm

Re: Feature Requests for 7.x for improved network security

Mon Apr 21, 2014 12:51 am

Additional feature request for improved security would be adding TACACS support! RADIUS is old, much less secure, and seriously lacking in logging features on the administration side of routers!

If not, then I am seriously having to look at replacing a few dozen MikroTik RB's with a product that is more secure in this respect. I am up for an upgrade of my network, and can easily change to a different brand since I am replacing everything to improve performance anyway! No threat intended, however, I can assure you I have no problem changing brands of equipment.

Jay
 
robertpenz
Frequent Visitor
Topic Author
Posts: 80
Joined: Mon Oct 10, 2011 8:41 am

Re: Feature Requests for 7.x for improved network security

Mon Apr 21, 2014 12:45 pm

What has TACACS (Terminal Access Controller Access-Control System) to do with authenticating network devices? As far as I know TACACS is only used for authenticating users that want to access the router (= the admins). It has nothing to do with network security, or am I mistaken?
 
k5nic
just joined
Posts: 13
Joined: Wed Feb 19, 2014 6:16 pm

Re: Feature Requests for 7.x for improved network security

Sun May 04, 2014 9:54 pm

> What has TACACS (Terminal Access Controller Access-Control System) to do with authenticating network devices? As far as I know TACACS is only used for authenticating users that want to access the router (= the admins). It has nothing to do with network security, or am I mistaken?

My understanding based on my research is that TACACS and RADIUS do exactly the same things. TACACS just does them better and more securely. Also TACACS adds additional logging that RADIUS does not support for more auditing. RADIUS uses UDP whereas TACACS uses TCP. RADIUS does not encrypt the entire transaction whereas TACACS does.

Jay
 
robertpenz
Frequent Visitor
Topic Author
Posts: 80
Joined: Mon Oct 10, 2011 8:41 am

Re: Feature Requests for 7.x for improved network security

Sun May 04, 2014 10:48 pm

For authenticating users to log in via SSH onto the router or something like this, you're correct. But for authenticating devices for network access via 802.1x, RADIUS is the only game in town. And the encryption of data is not so important there, as EAP-TLS is mostly used (if security is a concern) for the authentication, which establishes a secure TLS connection.
 
cchance
newbie
Posts: 39
Joined: Mon Dec 01, 2014 2:42 pm

Re: Feature Requests for 7.x for improved network security

Tue Feb 10, 2015 3:17 pm

how is this not already available?!!?!?!?!?!
 
bronx
newbie
Posts: 39
Joined: Wed Feb 11, 2015 1:04 am
Location: Turin, Italy

Re: Feature Requests for 7.x for improved network security

Fri Feb 13, 2015 9:29 pm

+1 very nice
