Community discussions

 
User avatar
otgooneo
Trainer
Trainer
Topic Author
Posts: 570
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia
Contact:

FEATURE REQUEST: MORE FIREWALL FEATURES AND FUNCTIONALITIES

Wed Dec 10, 2014 9:26 pm

It`s time to implement and develop firewall features on RouterOS such as IPS, DDoS, spam, Malware, worm, virus protections. Some people say "RouterOS is a router not firewall, router and firewall purposes are different". But I think it`s not. Technology convergence happens in everywhere. I will be happy to pay for additional advanced firewall security features. I don`t think it`s easy, but there is a few way to accomplish this. If MT doesn`t have enough resource to work on that, MT can cooperate with those kind of vendors like Snort. Really want this kind of features.
----------------------------
Want to learn more and more...
 
santa
newbie
Posts: 43
Joined: Sun Jul 06, 2014 10:53 pm
Location: POLAND, Gdansk

Re: FEATURE REQUEST: MORE FIREWALL FEATURES AND FUNCTIONALIT

Thu Dec 11, 2014 2:45 pm

-1 :shock:

Yes, you are right, firewall is not a router and router is not a firewall. If I need good application firewall, I will go and buy one. Router is not a place to do application and content filtering (etc.).
 
SystemErrorMessage
Member
Member
Posts: 378
Joined: Sat Dec 22, 2012 9:04 pm

Re: FEATURE REQUEST: MORE FIREWALL FEATURES AND FUNCTIONALIT

Sun Dec 14, 2014 4:30 pm

routerOS needs more firewall features but not in the way that you mean. What you see in those dedicated firewalls and also consumer routers are basically preset rules. Its a bit like an antivirus that inspects certain rules, This can be replicated with some effort in routerOS currently. You should be asking for more example firewall rules to prevent worms and such. It sounds to me like you dont know much about routerOS firewall because there already is IP and DDOS protection but it just has to be set up.
-1 :shock:

Yes, you are right, firewall is not a router and router is not a firewall. If I need good application firewall, I will go and buy one. Router is not a place to do application and content filtering (etc.).
Its like you're saying that hotspot should be on a dedicated hotspot server not on the router and that wifi APs cannot be routers/gateways.

RouterOS is an industrial grade router meaning that it includes a lot of functionality from firewalls to many different routing methods like BGP and clearly has L7 firewall capability that can be used for virus protection on the software level. WIth a dedicated firewall, the small ones have limited throughput and if you're a building or institution you'd be using big ones that take up like 2 rack units each which is basically about the same throughput you would get if you use L7 on routerOS for the similar hardware. I've seen dedicated networked AVs and firewalls and they got phased out.

What routerOS needs is more flexibility in firewall such as multiple addresses using the OR attribute so that rules can be generalised for multiple networks, using address list in targets, interface with all protocols, etc.
 
User avatar
otgooneo
Trainer
Trainer
Topic Author
Posts: 570
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia
Contact:

Re: FEATURE REQUEST: MORE FIREWALL FEATURES AND FUNCTIONALIT

Wed Dec 24, 2014 7:06 am

HI SystemErrorMessage,
Not exactly. Firewall rules can do DoS but I don`t think DDoS, IPS can be done using firewall rules. Any firewall or security appliance should include database, which need to be updated frequently by research team. Which means better to cooperate with 3rd party security solution. In other hand, cloud routers have excellent CPU power to use for extra features like security, why not.
----------------------------
Want to learn more and more...
 
User avatar
pribasv
Frequent Visitor
Frequent Visitor
Posts: 67
Joined: Thu Mar 10, 2011 12:09 pm
Contact:

Re: FEATURE REQUEST: MORE FIREWALL FEATURES AND FUNCTIONALIT

Wed Dec 24, 2014 1:59 pm

I should say that a firewall is a firewall, not an UTM (Unified Thread Management) appliance. If you need AV, IPS, spam filtering,... then you don't need a firewall you need something else that involves some online services to keep threat databases for all those services (Fortinet, Juniper, Sonicwall, etc.) or build a linux machine with open source components and services. I think RouterOS works perfectly as what is strictly defined as a firewall. The only think I miss in RouterOS's firewall is that dns names o dns regexs could be used in firewall rules.
 
SystemErrorMessage
Member
Member
Posts: 378
Joined: Sat Dec 22, 2012 9:04 pm

Re: FEATURE REQUEST: MORE FIREWALL FEATURES AND FUNCTIONALIT

Sun Dec 28, 2014 3:37 pm

but couldnt DDOS protection be done in firewall? I know L7 can be used for av if you are willing to write all those rules. For spam filtering i know you need an application server to read the mails individually and verify their source.

Would it be possible than to have these features in firewall even if it takes 100 manually configured rules for example just for each single protection element? I see many fields in detection but the only thing i cannot do so far is to mirror hacker traffic back to the hacker with his own packets (but source and destination IP changed to hacker's) because routerOS firewall doesnt let me use address lists in action.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1717
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: FEATURE REQUEST: MORE FIREWALL FEATURES AND FUNCTIONALIT

Sun Dec 28, 2014 4:42 pm

Thinking this way we should have: print server...easy...www server with php ...easy....imap server...easy...etc. etc...

IMHO: the mail rule for future should be the KISS one.
Real admins use real keyboards.

Who is online

Users browsing this forum: Google [Bot] and 110 guests