tikker
newbie
Topic Author
Posts: 49
Joined: Tue Nov 19, 2019 11:40 pm

Trusted Device in Untrusted Environment

Mon Jan 24, 2022 12:52 am

Suppose I have a network socket in a room where access to it is pretty open. Connected to that socket is a CAP which provides various wireless networks, like "company" and "guests".

Of course the CAP is a trusted device, as it also provides the "company" wifi. It shall also be configured from the trusted LAN.

But I don't want an untrusted person (guest) to unplug the CAP, attach a laptop and receive a trusted DHCP offer.

Is there a config option to restrict the physical connection on that port to the CAP? And all other devices simply get no connection at all?

I don't even have a keyword for this scenario to search for...
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Trusted Device in Untrusted Environment

Mon Jan 24, 2022 1:01 am

It depends on how good you want it. A simple "good enough against beginners" way would be to check MAC address of connected device, and block all traffic if it's not the right one. Real solution is https://help.mikrotik.com/docs/display/ROS/Dot1X, but it's not exactly simple.
 
tikker
newbie
Topic Author
Posts: 49
Joined: Tue Nov 19, 2019 11:40 pm

Re: Trusted Device in Untrusted Environment

Mon Jan 24, 2022 1:15 am

It depends on how good you want it. A simple "good enough against beginners" way would be to check MAC address of connected device, and block all traffic if it's not the right one.
By means of a firewall rule on in-interface and src-mac?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Trusted Device in Untrusted Environment

Mon Jan 24, 2022 1:55 am

Yes. Also the DHCP server can have only a static reservation for the right MAC address and no other addresses, but that would probably require having the interface separate from the others (at least I don't think there's a way for DHCP to work with a specific bridge port). Or if it needs to be part of the bridge, then bridge filters should work too.
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: Trusted Device in Untrusted Environment

Mon Jan 24, 2022 2:03 am

A simple "good enough against beginners" way would be to check MAC address

Let's be clear: MAC address checking is approximately as secure as "My Name Is…" name tag checking at a party. All someone has to do to get into the party is watch who enters the party and write one of the names that passes the security check on another tag, purchased for pennies at the party supply store.

My name is Bill Gates. Really! It says so right here on this bit of sticky-backed paper.

Real solution is Dot1X

Yes.

it's not exactly simple.

Proper security rarely is.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Trusted Device in Untrusted Environment

Mon Jan 24, 2022 2:09 am

I did write "good enough against beginners". Maybe "beginner" should be clarified further as someone who knows how to plug in an ethernet cable on the first try, but not much more. :)
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: Trusted Device in Untrusted Environment

Mon Jan 24, 2022 2:16 am

I did write "good enough against beginners".

Yes, and I quoted it, so I got that point in your answer. What I wanted to get across here is that your threshold for "beginner" probably stops at about seven years old for some attackers. If I had a WAP in the OP's situation, I wouldn't consider MAC address checking any solution at all.

I don't think we should even talk about MAC address matching any more, except to deprecate it. I think we've got too many old hands here who remember the days when changing a MAC address required blowing a new EPROM and soldering it in place on the NIC in place of the old one. That stopped being the major impediment to changing a host's MAC address decades ago. Today, the MAC address setting's right there in the OS's network configuration GUI!

Mind, I'm not saying remembering how it used to be is the problem. It's designing our security as if those obsolete facts still obtained.

You don't even have to sniff the port to break MAC address matching as a security method. You look at the label on the WAP, find it's a MikroTik device, go to an Ethernet OUI tool, faff about for a bit to work out that MikroTik registers their MAC prefixes under "Routerboard.com", find the 14 MAC prefixes registered to Routerboard.com, and write a loop to try all 235 million possible MAC addresses. At a million packets per second (easy for a computer) you'll find the right MAC in under 5 minutes.

If you're really clever, you try them in reverse order, gambling that recent hardware will have one of the later MAC address prefixes, likely breaking it in under a minute.
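The two approaches discussed in this thread (Sob's MAC pinning with a bridge filter plus a static-only DHCP lease, and the 802.1X port authentication that tangent and the linked Dot1X page call the real fix) as one added RouterOS configuration, written for this thread and not taken from any poster or from MikroTik's docs. It assumes the exposed wall socket is ether5 on bridge "bridge1", a constructed CAP MAC of D4:CA:6D:11:22:33, a DHCP server named dhcp-caps dedicated to that port, and a RADIUS server at 192.0.2.10; parameter names follow RouterOS 6.45+/7 and should be checked against the linked documentation before use.

```routeros
# Added example for this thread (not any poster's config). Constructed values:
#   exposed socket = ether5 (port of bridge1), CAP MAC = D4:CA:6D:11:22:33,
#   DHCP server for that port only = dhcp-caps, RADIUS server = 192.0.2.10.

### Option 1: MAC pinning (the "good enough against beginners" approach) ###
# Layer-2 filter on the bridge port: drop every frame entering via ether5 whose
# source MAC is not the CAP, both towards the router itself (input chain,
# e.g. CAPsMAN and DHCP) and towards the other bridge ports (forward chain).
/interface bridge filter
add chain=input   in-interface=ether5 \
    src-mac-address=!D4:CA:6D:11:22:33/FF:FF:FF:FF:FF:FF action=drop \
    comment="ether5: only the CAP may talk to the router"
add chain=forward in-interface=ether5 \
    src-mac-address=!D4:CA:6D:11:22:33/FF:FF:FF:FF:FF:FF action=drop \
    comment="ether5: only the CAP may reach other ports"

# Fixed lease for the CAP and nothing else. As noted in the thread,
# address-pool=static-only applies to the whole DHCP server, so this only
# makes sense when the CAP port has its own server/subnet (assumed here).
/ip dhcp-server lease
add server=dhcp-caps address=10.10.5.2 mac-address=D4:CA:6D:11:22:33 \
    comment="CAP on ether5 (static reservation only)"
/ip dhcp-server
set dhcp-caps address-pool=static-only

# Limitation (tangent's point): a laptop set to the CAP's MAC passes both
# checks. Treat Option 1 as a speed bump, not as an access control.

### Option 2: 802.1X authenticator on the port (the "real solution") ###
# The port stays closed until the attached device authenticates via RADIUS;
# an unplugged CAP replaced by a laptop gets no link-layer access at all.
/radius
add service=dot1x address=192.0.2.10 secret=CHANGE_ME_RADIUS_SECRET
/interface dot1x server
add interface=ether5 auth-types=dot1x \
    comment="Require 802.1X before ether5 carries any traffic"

# Supplicant side on the CAP (RouterOS dot1x client), assumed to use EAP-PEAP
# with a per-device account; EAP-TLS with a device certificate is stronger.
/interface dot1x client
add interface=ether1 eap-methods=eap-peap identity=cap-room12 \
    password=CHANGE_ME_CAP_PASSWORD
```

Verify the 802.1X setup from the RADIUS server's log (a successful Access-Accept for identity cap-room12) and by confirming that a non-authenticating device on ether5 receives no DHCP offer.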
