Feature Requests for 7.x for improved network security

Posted: Sat Feb 22, 2014 6:24 pm
by robertpenz
Hi!
I would love the following features, especially for the CRS.

- Wired MAC Authentication against Radius with dynamic VLAN assignment via Radius
- Wired 802.1x Authentication against Radius with dynamic VLAN assignment via Radius
- Wired Dual (MAC and 802.1x) Authentication against Radius

The following for all routers/switches:

- Protection against ARP spoofing and the same for IPv6
- Binding ARP table to DHCP entries in DHCP relay mode (as long as a lease is valid, only use this MAC for the IP)

Thx in Advance.
Regards,
Robert

Re: Feature Requests for 7.x for improved network security

Posted: Sat Feb 22, 2014 8:13 pm
by jaykay2342
> Hi!
> I would love the following features, especially for the CRS.
>
> - Wired MAC Authentication against Radius with dynamic VLAN assignment via Radius
> - Wired 802.1x Authentication against Radius with dynamic VLAN assignment via Radius
> - Wired Dual (MAC and 802.1x) Authentication against Radius
>
> The following for all routers/switches:
>
> - Protection against ARP spoofing and the same for IPv6
> - Binding ARP table to DHCP entries in DHCP relay mode (as long as a lease is valid, only use this MAC for the IP)
>
> Thx in Advance.
> Regards,
> Robert

+1
And why not make VLAN assignment via RADIUS available for wireless too? So one SSID but different networks based on a RADIUS attribute.

Re: Feature Requests for 7.x for improved network security

Posted: Thu Feb 27, 2014 11:24 am
by mymicha
+1
Radius VLAN assignment - how I would love that :)

Micha

Re: Feature Requests for 7.x for improved network security

Posted: Wed Apr 16, 2014 3:58 pm
by Zorro
As for ARP, it demands support for MACsec and SecureID, which implies new hardware/PHY for both kinds of interfaces, sadly.
Or a CGA-based SEND replacement for both ARP and NDP, but the industry goes for the 1st option (actually all controller vendors).
As for VLANs - even with RADIUS they are vulnerable in the default state. http://resources.infosecinstitute.com/vlan-hacking/ (not the most extensive guide/conclusion, but really short and straightforward, probably).

Re: Feature Requests for 7.x for improved network security

Posted: Fri Apr 18, 2014 10:57 pm
by lorsungcu
Yes, VLAN from RADIUS auth would be very very nice.

Re: Feature Requests for 7.x for improved network security

Posted: Sat Apr 19, 2014 8:26 pm
by robertpenz
Zorro: I believe you misunderstood my feature request. If you use the DHCP server on the Mikrotik, it is possible to add the MAC address of the client which got the lease to the ARP table of the router. If you now disable ARP learning, only clients with DHCP can talk over the router, and ARP spoofing gets much harder too - just what you need in an enterprise client network. What's just missing on the Mikrotiks is that this also works if the Mikrotik is doing DHCP relay. We've been doing this with our Extreme Networks switch for years now.

And the other ARP security feature is called Gratuitous ARP. If the router sees an ARP reply with its IP address on the network, it sends out a Gratuitous ARP, so the clients which accept Gratuitous ARP are not using the one of the attacker.
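
The two checks described in the post above, as an added example that is not part of the original post and is not RouterOS or Extreme code: an ARP table populated only from DHCP leases, plus the gratuitous-ARP reaction when another host claims the router's IP. The class and function names, addresses and lease times are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    expires: int  # epoch seconds


class LeaseBoundArp:
    """ARP bindings come only from DHCP leases; dynamic ARP learning is off."""

    def __init__(self, gateway_ip, gateway_mac):
        self.gateway = (gateway_ip, gateway_mac.lower())
        self.leases = {}  # ip -> Lease

    def add_lease(self, ip, mac, expires):
        self.leases[ip] = Lease(ip, mac.lower(), expires)

    def check_arp_reply(self, sender_ip, sender_mac, now):
        """Classify one observed ARP reply as (verdict, action)."""
        mac = sender_mac.lower()
        gw_ip, gw_mac = self.gateway
        if sender_ip == gw_ip:
            if mac == gw_mac:
                return ("ok", None)
            # Another host claims the router's IP: re-announce the real binding.
            return ("gateway-spoof", f"send gratuitous ARP {gw_ip} is-at {gw_mac}")
        lease = self.leases.get(sender_ip)
        if lease is None or lease.expires <= now:
            return ("no-valid-lease", "drop")
        if lease.mac != mac:
            return ("mac-mismatch", "drop")
        return ("ok", None)


def demo():
    """Run constructed ARP observations against a constructed lease table."""
    table = LeaseBoundArp("192.0.2.1", "02:00:00:00:00:01")
    table.add_lease("192.0.2.10", "02:00:00:00:00:10", expires=2000)
    table.add_lease("192.0.2.11", "02:00:00:00:00:11", expires=900)
    observed = [
        ("192.0.2.10", "02:00:00:00:00:10"),  # matches a valid lease
        ("192.0.2.10", "02:00:00:00:00:66"),  # leased IP, different MAC
        ("192.0.2.11", "02:00:00:00:00:11"),  # lease already expired
        ("192.0.2.50", "02:00:00:00:00:50"),  # static address, never leased
        ("192.0.2.1", "02:00:00:00:00:66"),   # claims the router's IP
    ]
    return [table.check_arp_reply(ip, mac, now=1000)[0] for ip, mac in observed]


if __name__ == "__main__":
    print(demo())
```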

Re: Feature Requests for 7.x for improved network security

Posted: Mon Apr 21, 2014 12:51 am
by k5nic
Additional feature request for improved security would be adding TACACS support! RADIUS is old, much less secure, and seriously lacking in logging features on the administration side of routers!

If not, then I am seriously having to look at replacing a few dozen MikroTik RB's with a product that is more secure in this respect. I am up for an upgrade of my network, and can easily change to a different brand since I am replacing everything to improve performance anyway! No threat intended, however, I can assure you I have no problem changing brands of equipment.

Jay

Re: Feature Requests for 7.x for improved network security

Posted: Mon Apr 21, 2014 12:45 pm
by robertpenz
What has TACACS (Terminal Access Controller Access-Control System) to do with authenticating network devices? As far as I know TACACS is only used for authenticating users that want to access the router (= the admins) .. it has nothing to do with network security, or am I mistaken?

Re: Feature Requests for 7.x for improved network security

Posted: Sun May 04, 2014 9:54 pm
by k5nic
> What has TACACS (Terminal Access Controller Access-Control System) to do with authenticating network devices? As far as I know TACACS is only used for authenticating users that want to access the router (= the admins) .. it has nothing to do with network security, or am I mistaken?

My understanding based on my research is that TACACS and RADIUS do exactly the same things. TACACS just does them better and more securely. Also TACACS adds additional logging that RADIUS does not support for more auditing. RADIUS uses UDP whereas TACACS uses TCP. RADIUS does not encrypt the entire transaction whereas TACACS does.

Jay

Re: Feature Requests for 7.x for improved network security

Posted: Sun May 04, 2014 10:48 pm
by robertpenz
For authenticating users to log in via SSH onto the router or something like this, you're correct. But for authenticating devices for network access via 802.1x, RADIUS is the only game in town. And the encryption of data is not so important there, as EAP-TLS is mostly used (if security is a concern) for the authentication, which establishes a secure TLS connection.

Re: Feature Requests for 7.x for improved network security

Posted: Tue Feb 10, 2015 3:17 pm
by cchance
how is this not already available?!!?!?!?!?!

Re: Feature Requests for 7.x for improved network security

Posted: Fri Feb 13, 2015 9:29 pm
by bronx
+1 very nice