Askey307
newbie
Topic Author
Posts: 49
Joined: Fri Sep 29, 2017 10:20 am
Location: South Africa

Mikrotik State of the Art Security and Firewalling

Wed Mar 07, 2018 9:22 am

Good Morning.

I would like your help and input setting up a state of the art firewall system (attached you will find a Cisco Packet Tracer drawing concept example). I would like to use Mikrotiks for this due to the price of Cisco and Juniper. I am still new to Cyber Security (2 years), thus all types of input on do's and don'ts will be appreciated. The

So the following will be used:
* VoIP Phones, PBX and ATA's.
* File Share, Active Directory and Domain Control Server.
* 1500+ PC's via LAN only.
* 500+ VoIP phones.
* CCTV cameras with DVR's, LAN only.
* 2 Fiber line each 1000mbps business priority. (Fail over will need to be done as the one line will act as a redundant line).
* Internal WiFi with for example UNIFI AC-SHD's. (Optional due to easy hacking of WiFi, thus might not be used)
* Antivirus, Malware and Threat Detection Software needed.
* For Routers CCR1072-1G-8S+
* Switches CRS317-1G-16S+RM/CRS328-24P-4S+RM


The sketch attached is a rough example of the network. Your input will be appreciated to extend it and make it better.
The plan is to use 1x1072 for VoIP with another as a failover if the first fails, and 1x1072 per 200 users.
The network must not be breached from the outside.
Logs must be written for any errors, threats, breaches etc.
Only necessary ports must be blocked.
Aim is to use IPv6.

I've done CCNA, CCNP Routing and Switching as well as other vendor certificates like MTCNA and MTCRE for example. So I would appreciate criticism with solutions for how you would do it, from a strong firewall script to logging examples.

If more information is required I would gladly provide.
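The post above asks for the second fibre line to act as a redundant line. As an added example that is not part of this thread and not MikroTik's own configuration, here is how that WAN failover is usually expressed on a central RouterOS v6 router with two default routes and check-gateway. The interface names (ether1, ether2), the next-hop addresses (203.0.113.1 and 198.51.100.1, both documentation prefixes) and the WAN list are constructed assumptions for the example.

```routeros
# Added example, not from the thread: dual-fibre failover on a central RouterOS router.
# Assumptions (constructed for the example): ether1 faces fibre line A with next hop
# 203.0.113.1, ether2 faces fibre line B with next hop 198.51.100.1.
/interface list
add name=WAN comment="internet-facing ports (skip if the list already exists)"
/interface list member
add list=WAN interface=ether1
add list=WAN interface=ether2

# Two default routes. The lower distance is used while its gateway answers pings;
# check-gateway=ping marks the route unreachable once the next hop stops replying,
# and the distance-2 route becomes active without operator action.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping \
    comment="fibre A (primary)"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping \
    comment="fibre B (standby)"

# Source NAT keyed on the interface list, so traffic leaves correctly on whichever
# line is active without a rule change at failover time.
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade \
    comment="NAT on the active WAN"

# Record route state changes so a line flap is visible in the log history.
/system logging
add topics=route action=memory
```

Two caveats a practitioner would want: check-gateway only tests the ISP's next hop, so a fault further upstream (line up, no internet) is not detected; pinging a distant target via netwatch or a recursive route is the usual refinement. And existing NAT sessions do not survive a switch of source address, so VoIP calls in progress will re-register rather than fail over transparently.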
 
Askey307
newbie
Topic Author
Posts: 49
Joined: Fri Sep 29, 2017 10:20 am
Location: South Africa

Re: Mikrotik State of the Art Security and Firewalling

Wed Mar 07, 2018 9:23 am

Here is the picture of above mentioned post.
 
i4jordan
Frequent Visitor
Posts: 75
Joined: Mon Sep 02, 2013 1:42 am

Re: Mikrotik State of the Art Security and Firewalling

Wed Mar 07, 2018 10:06 am

Where are you located? I am experienced in large ‘MikroTik’ networks. And might help you with this.

Which brand of switches are you going to use?
 
Askey307
newbie
Topic Author
Posts: 49
Joined: Fri Sep 29, 2017 10:20 am
Location: South Africa

Re: Mikrotik State of the Art Security and Firewalling

Wed Mar 07, 2018 10:45 am

Where are you located? I am experienced in large ‘MikroTik’ networks. And might help you with this.

Which brand of switches are you going to use?

I'm in South Africa. So far they want me to come up with a solid new age Proposal with Cloud Computing, Top Cyber security etc. They will get Ethical Hackers afterwards to test for vulnerabilities so I want to impress them. So far Mikrotik is a real favourite of mine so I want to go full blown Mikrotik but if stronger switches are needed I'll go Ubiquiti Edgeswitches.
 
pe1chl
Forum Guru
Posts: 5919
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik State of the Art Security and Firewalling

Wed Mar 07, 2018 11:56 am

I would spend more money on switches and when required spend less on the router.
Get switches from a reputable switch manufacturer like HP Procurve (now Aruba networks) or Cisco.
L3 switches with PoE from those manufacturers have come down in price and offer functionality that
is currently way beyond reach for MikroTik.
A CCR1072 seems way overdimensioned for this task. A CCR1009 or 1016 would easily handle it as well.
 
Askey307
newbie
Topic Author
Posts: 49
Joined: Fri Sep 29, 2017 10:20 am
Location: South Africa

Re: Mikrotik State of the Art Security and Firewalling

Wed Mar 07, 2018 4:13 pm

I would spend more money on switches and when required spend less on the router.
Get switches from a reputable switch manufacturer like HP Procurve (now Aruba networks) or Cisco.
L3 switches with PoE from those manufacturers have come down in price and offer functionality that
is currently way beyond reach for MikroTik.
A CCR1072 seems way overdimensioned for this task. A CCR1009 or 1016 would easily handle it as well.

Good to know. Been working with Cisco for quite a while. So would you suggest two ISP routers, one main big router with WAN failover, and from there only layer 3 switches?
 
pe1chl
Forum Guru
Posts: 5919
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik State of the Art Security and Firewalling

Wed Mar 07, 2018 4:36 pm

It depends on what your requirements are and what your switches can do (e.g. ACL on L3 routing) but that is what
we normally do, yes. Use the switch capabilities for fiber failover, to keep VLANs for public/guest facilities separate
from the L3 routing of the LAN, and use a data and voice VLAN that are L3 routes and with the proper QoS.
The central router(s) then only have to do the internet routing and firewalling.
The class of router depends on the amount of traffic there, and also if you do BGP towards the internet or simply
get a subnet from the ISP and a default gateway. If the latter, a CCR1072 would be way overkill in such cases,
I think (unless you have very long access lists that cannot be fasttracked).
 
Askey307
newbie
Topic Author
Posts: 49
Joined: Fri Sep 29, 2017 10:20 am
Location: South Africa

Re: Mikrotik State of the Art Security and Firewalling

Thu Mar 08, 2018 8:32 am

It depends on what your requirements are and what your switches can do (e.g. ACL on L3 routing) but that is what
we normally do, yes. Use the switch capabilities for fiber failover, to keep VLANs for public/guest facilities separate
from the L3 routing of the LAN, and use a data and voice VLAN that are L3 routes and with the proper QoS.
The central router(s) then only have to do the internet routing and firewalling.
The class of router depends on the amount of traffic there, and also if you do BGP towards the internet or simply
get a subnet from the ISP and a default gateway. If the latter, a CCR1072 would be way overkill in such cases,
I think (unless you have very long access lists that cannot be fasttracked).

Thank you for the valuable input. This network scenario will carry a lot of traffic: extensive data transfers, VoIP (200+ concurrent calls, PBX will be accounted for), tons of architectural and electronic robotics blueprints, CCTV footage etc. Each PC must have 100mbps download minimum, tons of conference calls, no packet loss is allowed due to sensitive data transfers, all files will be encrypted with 256 AES etc. All in all the network will carry 5000+ users simultaneously and the number will rise often. Biggest concern is that the network must be secure; failovers must be in place for when one unit fails so the next kicks in almost immediately. Requirements are 2 failovers for every 1 working router (overkill I know); an off-site server room will also be used for backup files etc. in case of a disaster. What worries me is my inadequate knowledge to secure an entire network to prevent hackers without cutting outside access to the internet. We've considered cloud routing, but it's too new and we're not too clued up on it yet.
 
pe1chl
Forum Guru
Posts: 5919
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik State of the Art Security and Firewalling

Thu Mar 08, 2018 11:21 am

Well that is a bit larger than what I have experience with. We have a network with some 200 users and 100 VoIP telephones
distributed over 3 locations, and the users are employees of a company who are not intentionally hacking the system, and if
they would, they would not have to be prevented from doing that using technical means. (HR would take care of that)
Of course security is still important and we separate the local network in many VLANs to isolate devices (computers,
VoIP telephones, WiFi users (company, guests), video surveillance, building automation/IoT, etc.). In that regard the situation
is similar. But we do not have EVERYTHING redundant, so I don't have experience with that.
(e.g. we have dual independent internet connections but there is only a single router and core switch, however there are
redundant links to the workplace switches using spanning tree)
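pe1chl's two posts describe the same design: VLANs isolating device classes from each other, the central router doing only internet routing and firewalling, and fasttrack in front of any long rule list. The original poster also asked for a firewall script with logging and wants IPv6. As an added example that is not part of this thread and not MikroTik's default firewall (though it follows the same established/invalid/new ordering), here is a central-router filter for that layout. The VLAN interface names (vlan10-data, vlan20-voice, vlan30-cctv, vlan40-guest), the management subnet 10.0.10.0/24, the PBX address 10.0.20.10, the server subnet 10.0.50.0/24 and the syslog collector 10.0.0.5 are all constructed assumptions; replace them with your own.

```routeros
# Added example, not from the thread: central-router firewall for an L3-isolated VLAN LAN.
# All addresses, VLAN names and the syslog host are constructed assumptions.
/interface list
add name=LAN
add name=WAN
/interface list member
add list=LAN interface=vlan10-data
add list=LAN interface=vlan20-voice
add list=LAN interface=vlan30-cctv
add list=LAN interface=vlan40-guest
add list=WAN interface=ether1

/ip firewall address-list
add list=mgmt address=10.0.10.0/24 comment="admin workstations only"

# input chain protects the router itself. First match wins, so order matters.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept
add chain=input in-interface-list=LAN src-address-list=mgmt protocol=tcp \
    dst-port=22,8291 action=accept comment="ssh/winbox from mgmt subnet only"
add chain=input in-interface-list=LAN protocol=udp dst-port=53 action=accept \
    comment="DNS for LAN clients"
add chain=input action=drop log=yes log-prefix="INPUT-DROP" \
    comment="everything else to the router, logged"

# forward chain. Fasttrack goes first so established flows skip the rules below;
# the voice VLAN is excluded because fasttracked packets also bypass queues,
# which would defeat QoS on the phones.
add chain=forward connection-state=established,related \
    in-interface=!vlan20-voice out-interface=!vlan20-voice action=fasttrack-connection
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=WAN connection-state=new \
    connection-nat-state=!dstnat action=drop log=yes log-prefix="WAN-NEW-DROP" \
    comment="no unsolicited inbound from the internet"
# Which VLANs may reach the internet; CCTV and phones deliberately get none.
add chain=forward in-interface=vlan10-data out-interface-list=WAN action=accept
add chain=forward in-interface=vlan40-guest out-interface-list=WAN action=accept
# Named inter-VLAN paths: phones to the PBX, workstations to the file/AD servers.
add chain=forward in-interface=vlan20-voice dst-address=10.0.20.10 action=accept
add chain=forward in-interface=vlan10-data dst-address=10.0.50.0/24 action=accept
# Default deny between VLANs and for anything else, both logged.
add chain=forward in-interface-list=LAN out-interface-list=LAN action=drop \
    log=yes log-prefix="INTERVLAN-DROP"
add chain=forward action=drop log=yes log-prefix="FWD-DROP"

# IPv6 has its own filter table. Hosts with global addresses are reachable from
# the internet until this exists; ICMPv6 must stay open for neighbour discovery.
/ipv6 firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmpv6 action=accept comment="ND, RA, PMTUD"
add chain=input action=drop log=yes log-prefix="INPUT6-DROP"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward protocol=icmpv6 action=accept
add chain=forward in-interface-list=WAN connection-state=new action=drop \
    log=yes log-prefix="WAN6-NEW-DROP"
add chain=forward in-interface=vlan10-data out-interface-list=WAN action=accept
add chain=forward in-interface=vlan40-guest out-interface-list=WAN action=accept
add chain=forward action=drop log=yes log-prefix="FWD6-DROP"

# Ship the log=yes hits plus error/critical events to a remote syslog collector,
# so a compromised or rebooted router cannot erase its own trail.
/system logging action
set remote remote=10.0.0.5 remote-port=514
/system logging
add topics=firewall action=remote
add topics=error action=remote
add topics=critical action=remote
```

The policy is whitelist-shaped on purpose: every inter-VLAN path that is allowed is a named rule, and the catch-all drops are logged with a prefix, so the syslog collector can alert on INTERVLAN-DROP or WAN-NEW-DROP volume. If the L3 switches carry the inter-VLAN routing instead, as pe1chl suggests, the same allow list moves into their ACLs and the router keeps only the WAN-facing rules.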
 
Askey307
newbie
Topic Author
Posts: 49
Joined: Fri Sep 29, 2017 10:20 am
Location: South Africa

Re: Mikrotik State of the Art Security and Firewalling

Thu Mar 08, 2018 1:00 pm

Well that is a bit larger than what I have experience with. We have a network with some 200 users and 100 VoIP telephones
distributed over 3 locations, and the users are employees of a company who are not intentionally hacking the system, and if
they would, they would not have to be prevented from doing that using technical means. (HR would take care of that)
Of course security is still important and we separate the local network in many VLANs to isolate devices (computers,
VoIP telephones, WiFi users (company, guests), video surveillance, building automation/IoT, etc.). In that regard the situation
is similar. But we do not have EVERYTHING redundant, so I don't have experience with that.
(e.g. we have dual independent internet connections but there is only a single router and core switch, however there are
redundant links to the workplace switches using spanning tree)

Yeah, this network is a 24 month thing so we haven't started yet, till I have done all my homework. The biggest vulnerability still comes down to humans: one tiny mistake and the entire system is compromised. Social engineering will always be a problem, as well as MiTMA's. Biggest concern is file security and network security, and DDoS prevention is a big must.
