
FEATURE REQUEST: MORE FIREWALL FEATURES AND FUNCTIONALITIES

Posted: Wed Dec 10, 2014 9:26 pm
by otgooneo
It's time to implement and develop firewall features on RouterOS such as IPS, DDoS, spam, malware, worm, and virus protections. Some people say "RouterOS is a router not firewall, router and firewall purposes are different". But I think it's not. Technology convergence happens everywhere. I will be happy to pay for additional advanced firewall security features. I don't think it's easy, but there are a few ways to accomplish this. If MT doesn't have enough resources to work on that, MT can cooperate with those kinds of vendors, like Snort. I really want these kinds of features.

Re: FEATURE REQUEST: MORE FIREWALL FEATURES AND FUNCTIONALIT

Posted: Thu Dec 11, 2014 2:45 pm
by santa
-1 :shock:

Yes, you are right, a firewall is not a router and a router is not a firewall. If I need a good application firewall, I will go and buy one. A router is not the place to do application and content filtering (etc.).

Re: FEATURE REQUEST: MORE FIREWALL FEATURES AND FUNCTIONALIT

Posted: Sun Dec 14, 2014 4:30 pm
by SystemErrorMessage
RouterOS needs more firewall features but not in the way that you mean. What you see in those dedicated firewalls and also consumer routers are basically preset rules. It's a bit like an antivirus that inspects certain rules. This can be replicated with some effort in RouterOS currently. You should be asking for more example firewall rules to prevent worms and such. It sounds to me like you don't know much about the RouterOS firewall, because there already is IP and DDOS protection but it just has to be set up.
santa wrote:
> -1 :shock:
>
> Yes, you are right, a firewall is not a router and a router is not a firewall. If I need a good application firewall, I will go and buy one. A router is not the place to do application and content filtering (etc.).

It's like you're saying that hotspot should be on a dedicated hotspot server, not on the router, and that wifi APs cannot be routers/gateways.

RouterOS is an industrial grade router, meaning that it includes a lot of functionality from firewalls to many different routing methods like BGP, and clearly has L7 firewall capability that can be used for virus protection on the software level. With a dedicated firewall, the small ones have limited throughput, and if you're a building or institution you'd be using big ones that take up like 2 rack units each, which is basically about the same throughput you would get if you use L7 on RouterOS for the similar hardware. I've seen dedicated networked AVs and firewalls and they got phased out.

What RouterOS needs is more flexibility in the firewall, such as multiple addresses using the OR attribute so that rules can be generalised for multiple networks, using address lists in targets, interface with all protocols, etc.

Re: FEATURE REQUEST: MORE FIREWALL FEATURES AND FUNCTIONALIT

Posted: Wed Dec 24, 2014 7:06 am
by otgooneo
Hi SystemErrorMessage,
Not exactly. Firewall rules can do DoS but I don't think DDoS, IPS can be done using firewall rules. Any firewall or security appliance should include a database, which needs to be updated frequently by a research team. Which means it is better to cooperate with a 3rd party security solution. On the other hand, cloud routers have excellent CPU power to use for extra features like security, so why not?

Re: FEATURE REQUEST: MORE FIREWALL FEATURES AND FUNCTIONALIT

Posted: Wed Dec 24, 2014 1:59 pm
by pribasv
I should say that a firewall is a firewall, not a UTM (Unified Threat Management) appliance. If you need AV, IPS, spam filtering,... then you don't need a firewall, you need something else that involves some online services to keep threat databases for all those services (Fortinet, Juniper, Sonicwall, etc.), or build a Linux machine with open source components and services. I think RouterOS works perfectly as what is strictly defined as a firewall. The only thing I miss in RouterOS's firewall is that DNS names or DNS regexes could be used in firewall rules.

Re: FEATURE REQUEST: MORE FIREWALL FEATURES AND FUNCTIONALIT

Posted: Sun Dec 28, 2014 3:37 pm
by SystemErrorMessage
But couldn't DDOS protection be done in the firewall? I know L7 can be used for AV if you are willing to write all those rules. For spam filtering I know you need an application server to read the mails individually and verify their source.

Would it be possible then to have these features in the firewall, even if it takes 100 manually configured rules, for example, just for each single protection element? I see many fields in detection, but the only thing I cannot do so far is to mirror hacker traffic back to the hacker with his own packets (but source and destination IP changed to the hacker's), because the RouterOS firewall doesn't let me use address lists in action.

Re: FEATURE REQUEST: MORE FIREWALL FEATURES AND FUNCTIONALIT

Posted: Sun Dec 28, 2014 4:42 pm
by BartoszP
Thinking this way we should have: print server...easy...www server with php ...easy....imap server...easy...etc. etc...

IMHO: the main rule for the future should be the KISS one.