dalr
just joined
Topic Author
Posts: 4
Joined: Sun Dec 27, 2020 12:42 pm

Best practice for management isolation/security

Mon Nov 22, 2021 2:52 pm

Hello all,

I am currently preparing a bunch of routers that will be connected to the web, routing public IPs (BGP feeds).
In the "big vendors" world, I would have a separate VRF for the management, that would be completely isolated from the normal traffic.

Trying to replicate this, I have prepared my management interface/VRF as such:
/ip address
add address=yyy.yyy.yyy.yyy/24 interface=ether2 network=yyy.yyy.yyy.0
add address=xxx.xxx.xxx.xxx/24 interface=ether1 network=xxx.xxx.xxx.0
/ip route
add distance=1 gateway=xxx.xxx.xxx.1 routing-mark=mgmt
add distance=1 gateway=yyy.yyy.yyy.1
/ip route vrf
add interfaces=ether1 routing-mark=mgmt

Where yyy.yyy.yyy.yyy is a public IP of the router, and xxx.xxx.xxx.xxx its management IP. Doing this, however, still makes it possible to reach the mgmt IP if I have a static route manually, such as
route add xxx.xxx.xxx.0/24 yyy.yyy.yyy.yyy

Mind you, that enables me to reach xxx.xxx.xxx.xxx only, not the whole management network xxx.xxx.xxx.0/24.

As I want as little firewalling on this router as possible, I was wondering if there is a best practice to make sure that this management interface isn't reachable on the default routing table without using firewalling? I know that I can disable management services from answering on any but the defined management interface, but that still makes it possible to at least ping this management IP from public IPs.

Thanks!
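The service restriction mentioned in the post, written out as an added example (my configuration, not dalr's) in RouterOS 6 syntax to match the `/ip route vrf` form used above. The xxx addresses are the post's placeholders for the management network and ether1 is its management interface; `MGMT` is an assumed interface-list name. It limits which sources the management services answer, which is the behaviour the post describes, and it carries the same caveat the post raises: the management address itself still answers ICMP from the default routing table, because `/ip service` settings are per service and do not touch the IP stack.

```routeros
# Added example (not from the original post), RouterOS 6 syntax.
# Placeholders: xxx.xxx.xxx.0/24 = management network, ether1 = management interface.

# Management services answer only to sources inside the management network
/ip service set winbox address=xxx.xxx.xxx.0/24
/ip service set ssh address=xxx.xxx.xxx.0/24
# Everything else stays off: no plaintext or unused management protocols
/ip service disable telnet,ftp,www,www-ssl,api,api-ssl

# Layer-2 management (MAC-telnet, MAC-Winbox) and neighbor discovery
# restricted to the management interface via an interface list (assumed name MGMT)
/interface list add name=MGMT
/interface list member add list=MGMT interface=ether1
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/ip neighbor discovery-settings set discover-interface-list=MGMT
```

To check the result, `/ip service print` shows the permitted source network per service, and `/tool mac-server print` together with `/ip neighbor discovery-settings print` confirm that layer-2 access and discovery are limited to the management list.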
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Best practice for management isolation/security

Mon Nov 22, 2021 4:17 pm

Just curious what is the advantage of this VRF approach compared to
a. ipsec connection to router (then using winbox).
b. running dude (internal network normally not sure how this is handled remotely as a server).
c. cloud SSTP connection using Remote Winbox service (don't like it for business as I don't think the security provided is commensurate)
 
dalr
just joined
Topic Author
Posts: 4
Joined: Sun Dec 27, 2020 12:42 pm

Re: Best practice for management isolation/security

Mon Nov 22, 2021 4:26 pm

anav wrote:
> Just curious what is the advantage of this VRF approach compared to
> a. ipsec connection to router (then using winbox).
> b. running dude (internal network normally not sure how this is handled remotely as a server).
> c. cloud SSTP connection using Remote Winbox service (don't like it for business as I don't think the security provided is commensurate)

Thanks for the reply. We have a physical management network available where the routers will be, so no need for IPsec, SSTP or HTTPS. It's a proper dedicated connection to an isolated network.
Opening IPsec, SSTP or HTTPS to the outside world is the kind of action that I want to avoid, even if only to enable access to the management itself. The goal is to have 0 open service, 0 open port on the public IPs of the routers, apart from BGP for peers.

Furthermore, having a properly segmented management network doesn't preclude the use of the Dude itself.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Best practice for management isolation/security

Mon Nov 22, 2021 4:37 pm

I have never used VRFs, so do not know how complex they are, but if it is more secure than using a management VLAN, then it sounds like a good idea!!
Wish I could be of more help!
 
dalr
just joined
Topic Author
Posts: 4
Joined: Sun Dec 27, 2020 12:42 pm

Re: Best practice for management isolation/security

Mon Nov 22, 2021 5:29 pm

anav wrote:
> I have never used VRFs, so do not know how complex they are, but if it is more secure than using a management VLAN, then it sounds like a good idea!!
> Wish I could be of more help!

A VLAN is a network itself, on which you might have an interface with an IP, so basically another network in the routing table of your router. A VRF enables the use of multiple routing tables in the router.
