Firewall SIEM IPS IDS and MIKROTIK

Posted: Sun Jun 21, 2020 10:47 pm
by uberkie
For many networks, the firewall is the 1st and last line of defence and RouterOS does a pretty good job, but there is something missing.
To set up a firewall rule you need at least a source or destination IP/port/interface and some action like drop, return, etc.
If you have that info then it's plain and simple, but what if you have nothing?

There are a lot of solutions/software that claim they can do it all and normally come with a huge price tag.

So today I'll share how to set up an all-in-one solution, and it's completely open-source.
I won't go into the actual config; there is more than enough documentation online. But I will tell you what to use and how the layout should be.

Image

From the above image, we have a 4011 acting as a transparent firewall. All the ports are in the bridge and the firewall is enabled on the bridge.
Then on the we used a CCR as an edge router and NetFlow is enabled and streaming to the server. A direct cable to the server is preferred; this will also act as the management port.
Let's say it will be eth0 on the server.

Then the switch is a CRS series and this is important because you are able to mirror ports. The mirrored port does not have to be part of the bridge.
So all the traffic is entering sfp1, then we will mirror sfp1 to sfp3, which is connected to the server on eth1. On the server, eth1 will be the monitored port. Be warned, this will send both tx and rx data to the server.

The server itself: the bigger the better, but an i5 3 GHz with 8-16 GB RAM should do the trick (test before you go and buy new equipment), and the more hard disk space you have the better.
With full caps and logs, you could do an avg of 500 GB a day. But with proper setup it gets to about 10-20 GB a day.

The software:
We use OSSEC for connecting the server to the MikroTik. OSSEC is an advanced version of fail2ban with a lot more features. OSSEC will also be issuing the commands to the MikroTik.
For the packet inspection, we can use both Suricata and Zeek or Snort, or you can use only one. Zeek combined with Suricata or Snort gives you a much more detailed look into the traffic.
This software will be using the mirrored port on the CRS. The CRS will be streaming live traffic to the server and Suricata/Snort/Zeek will analyze it.

Then we use the ELK stack for visuals: Elasticsearch, Kibana, Logstash/Filebeat.

The reason for this kind of setup is that the server does not interrupt the traffic flow but manipulates it through the transparent firewall, so in the event the server fails you would still be up and running.
Always make static entries on your firewall first; in case of failure by the server you would still be protected.
You should be able to scale this setup to whatever your demands are with clustering and keep the options open for different layouts.

I hope some will find this useful.

PS: To connect OSSEC to a MikroTik you should use the agentless setup. This will connect with SSH and should work with any piece of hardware that supports SSH.
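
An added example, not part of the original post: one way the Suricata-to-MikroTik step in this layout could turn alerts from the mirrored port into RouterOS address-list entries. The list name `ids_block`, the LAN range `192.168.88.0/24`, the sample events and a pre-existing static drop rule matching that list on the transparent firewall are all assumptions; delivery over SSH (for example by OSSEC) is not shown.

```python
import ipaddress
import json

# Constructed Suricata EVE JSON lines (eve.json format); addresses and sids are made up.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"203.0.113.45","dest_ip":"192.168.88.10","alert":{"signature_id":9000001,"severity":1}}
{"event_type":"alert","src_ip":"192.168.88.23","dest_ip":"198.51.100.7","alert":{"signature_id":9000002,"severity":2}}
{"event_type":"flow","src_ip":"198.51.100.9","dest_ip":"192.168.88.10"}
{"event_type":"alert","src_ip":"198.51.100.77","dest_ip":"192.168.88.10","alert":{"signature_id":9000003,"severity":3}}
{"event_type":"alert","src_ip":"203.0.113.45","dest_ip":"192.168.88.11","alert":{"signature_id":9000001,"severity":1}}
{"event_type":"alert","src_ip":"not-an-ip","alert":{"signature_id":9000004,"severity":1}}
truncated line, not JSON
"""

def blocklist_commands(eve_text, list_name="ids_block", max_severity=2,
                       timeout="1d", never_block=("192.168.88.0/24",)):
    """Return RouterOS address-list commands for external alert sources."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    seen, cmds = set(), []
    for line in eve_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial writes happen while Suricata is logging
        if not isinstance(ev, dict) or ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert") or {}
        try:
            # Strict parsing: only a validated address and integers reach the router CLI.
            ip = ipaddress.ip_address(str(ev.get("src_ip")))
            sev = int(alert.get("severity"))
            sid = int(alert.get("signature_id"))
        except (ValueError, TypeError, AttributeError):
            continue
        if sev > max_severity:  # Suricata severity 1 is the highest
            continue
        # The mirror carries tx and rx, so internal hosts also appear as src_ip.
        if ip in seen or any(ip in net for net in protected):
            continue
        seen.add(ip)
        menu = "/ip" if ip.version == 4 else "/ipv6"
        cmds.append(f'{menu} firewall address-list add list={list_name} '
                    f'address={ip} timeout={timeout} comment="suricata sid {sid}"')
    return cmds

if __name__ == "__main__":
    print("\n".join(blocklist_commands(SAMPLE_EVE)))
```

Entries expire after `timeout`, so the static rules on the firewall remain the baseline if the server stops sending updates.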