
BSI Mikrotik Security Presentation

Oky Tria Saputra presents on network security using MikroTik. He discusses his background and experience working with MikroTik since 2009. He is certified in several MikroTik certifications and currently works as a network engineer. He discusses ID Networkers, the company he co-founded that provides MikroTik training and consulting. The presentation covers security threats on networks and applications as well as examples of internet crime and the effects of hacking on businesses.

Uploaded by

Amri Wibawa

Jakarta, April 28, 2016

MikroTik
Network Security By: Oky Tria Saputra

Oky Tria Saputra | [email protected] | 0857 8074 0217 | www.idn.id | Bina Sarana Informatika
Oky Tria Saputra
about me
• First got to know MikroTik in 2009
• Graduate of Pesantren Networkers
• Certified MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE, Mikrotik Certified Trainer, Mikrotik Academy Coordinator
• 2014 : System Engineer at Softbank Telecom Indonesia
• 2015 - Now : Network Engineer at ID - Networkers

Previous Job. . .
Softbank Telecom Indonesia

Four Quadrant

Most Indonesian people want to be an “Employee”


Quit from Comfort Zone, move, move, move!


ID NETWORKERS
EXPERT LEVEL TRAINERS & CONSULTANTS

In the Most Prestigious Networking Certification

OVERVIEW
We are young entrepreneurs. We are the only training partner & consultant with expert level trainers in the most prestigious networking certifications, CCIE Guru, JNCIE Guru and MTCINE Guru, of whom there are very few in Indonesia or even Asia. This is proven by the hundreds of our students who pass the certification exam every year. We are the biggest certification factory in Indonesia.

WEBSITE
www.idn.id | www.trainingmikrotik.com

Activity Now. . .

Wireless Bootcamp, Bandung | MTCRE, Batam | MTCNA, Medan
Seminar, Samarinda | Seminar, Jakarta | Seminar, Kendari

Activity Now. . .(2) to (4): Colombo, Sri Lanka

Activity Now. . .(5) to (7): Ohio, United States of America
TECHNOLOGY TREND
Which one do you want to be?
JUST WATCHER
or
PLAYER

Source: ericsson.com


SECURITY?

SECURITY GUARD
Source image: http://akarpadinews.com/


INTERNET SECURITY THREATS

Network Threats
o Information gathering
o Sniffing and eavesdropping
o Spoofing attacks
o Session hijacking and man-in-the-middle attacks
o SQL injection
o ARP Poisoning
o Password-based attacks
o Denial of service attack
o Compromised-key attack

Host Threats
o Malware attacks
o Target Footprinting
o Password attacks
o Denial of service attacks
o Arbitrary code execution
o Unauthorized access
o Privilege escalation
o Back door Attacks
o Physical security threats

Application Threats
o Data/Input validation
o Authentication and Authorization
o Configuration management
o Information disclosure
o Session management issues
o Cryptography attacks
o Parameter manipulation
o Improper error handling and exception management


INTERNET CRIME

Cybercrime Gang Tied to 20 Million Stolen Cards

Source image: freepix.com


INTERNET CRIME REPORT


The following is the crime report data from IC3; the Internet Crime Complaint Center (IC3) is a partnership among the
Federal Bureau of Investigation (FBI)

Internet Crime Complaint Overall Statistic

REPORT
• Victims are encouraged by law enforcement to file a complaint online at www.ic3.gov
• Total Complaints Received in 2014: 269,422
• Complaints Reporting a Loss: 123,684
• Total Losses Reported: $800,492,073

[Chart: yearly statistic, 2010 to 2014 (YEAR axis); callout: $800M LOSS]


HACKING EFFECTS IN BUSINESS

Source image =freepix.com


HACKING EFFECTS IN BUSINESS


Every business must provide strong security for its customers. Attackers use hacking techniques to steal, pilfer, and redistribute intellectual property of businesses and in turn to make financial gain.

According to the Symantec 2012 State of Information survey, information costs businesses worldwide $1.1 trillion annually.

• Reputation: Theft of customers' personal information may risk the business's reputation and invite lawsuits
• Business Loss: Hacking can be used to steal, pilfer, and redistribute intellectual property leading to business loss
• Revenue Loss: Botnets can be used to launch various types of DoS and other web-based attacks, which may lead to business down-time and significant loss of revenues
• Compromise Information: Attackers may steal corporate secrets and sell them to competitors, compromise critical financial information, and leak information to rivals


KNOW THE ATTACK


If you know both yourself and your enemies, you will not lose in a hundred battles.

If you do not know yourself nor your enemies, you will lose in every single battle.
(The Art of War - Sun Tzu).


WHO IS HACKER?
A hacker is a person who illegally breaks into a system or network without any authorization to destroy, steal sensitive
data, or perform malicious attacks.

Multitude of Reasons

• Intelligent individuals with excellent computer skills
• Hacking is a hobby to see how many computers or networks they can compromise
• Their intention can either be to gain knowledge or to poke around doing illegal things
• Some hack with malicious intent, such as stealing business data, credit card information, social security numbers, email passwords, etc.


HER?
The Girl with the Dragon Tattoo Movie


HIM?
MI6 Agent in a James Bond Movie


HIM?
Internet café (warnet) user


THEM ?


HACKING PHASE

1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks


GATHER INFORMATION

SOCIAL ENGINEERING ATTACK
Because there is no patch for human stupidity.

The attacker gathers as much information as possible about the target prior to launching the attack.


GOOGLE SCAM

How to bypass the two-factor google authentication systems using fake SMS


Hacking Scene !


PORT SCANNING
Port scanners can be used to detect listening ports to find information about the nature of services
running on the target machine


PORTS
• A port identifies a specific application or process on the computer / host that is running a service.
• In a host, the total number of ports is 65535, with the numbering classified as follows:
1. From 0 to 1023 (well-known ports),
2. From 1024 to 49151 (registered ports),
3. From 49152 to 65535 (unregistered / dynamic, private or ephemeral ports)

The primary defense technique in this regard is to shut down services that are not required. Appropriate filtering may also
be adopted as a defense mechanism. However, attackers can still use tools to determine the rules implemented for filtering.


SERVICE PORT

21 22 53 80


GAINING ACCESS

• OPERATING SYSTEM: Attackers search for OS vulnerabilities and exploit them to gain access to a network system
• APPLICATION LEVEL: Software applications come with large number of functionalities and features
• MISCONFIGURATION: Most administrators don't have the necessary skills to maintain or fix issues, which may lead to configuration errors
• SHRINK WRAP CODE: Some scripts have various vulnerabilities, which can lead to shrink wrap code attacks


INTRUSION DETECTION SYSTEM



• Intrusion: activities occurring on the network or host that can be detected as anomalous, incorrect or inappropriate, usually done by a hacker
• IDS (Intrusion Detection System): a system that can detect intrusion; it is like an alarm system

BACKGROUND
• The admin cannot always monitor the servers directly or always log in to check the servers for intruders.
• We need the firewall not just to block intruders, but also to log and report them to the admin immediately.
• In a wide network with many MikroTik routers, we don't know which one is under attack.
• We can report the intruders to the owner of their IP address as abuse.


HOW IDS WORKS

• Passive System
  – the sensor detects a potential security breach
  – logs the information
  – alerts on the console
• Reactive System
  – like the Passive System, plus:
  – auto-responds to intruders (resetting the connection or dropping the traffic)
  – sends the report to the admin

ATTACK PROCESS


DROP BY FIREWALL


IDS WORK FLOW IN MIKROTIK


MALICIOUS CONNECTION
Kinds of Malicious Connection
• From outside:
  – Port scanning, brute force, DDoS attack
• From inside:
  – Virus, spam, illegal tunneling (Ultrasurf), anonymous proxy, Internet Download Manager, filtered URLs.


DEMO SECTION

TOOLS
We run the simulation with the following tools:
• MikroTik (I am using an RB 751) as the IDS machine
• Attacker (my laptop), which will attack the MikroTik with different methods
• Email accounts (Gmail accounts): there is 1 email account for the SMTP relay and some mail accounts as the administrators' mail.


MIKROTIK CONFIGURATION
Router Identity
In the menu /system identity, set the router name, e.g. the customer identity.

Why must we set the router identity?
– If we have many routers, we need to know which one is being attacked.
– Because the router identity will be reported in the email as the subject.

MIKROTIK CONFIGURATION
Configure MikroTik to Send E-mail
Create a mail account for the SMTP relay; in this lab we are using Gmail.
In /tool e-mail, set the SMTP server and your Gmail username & password:
/tool e-mail
set address=74.125.141.108 user=yourgmailuser password=yourpassword port=587

Let's try to send some email to make sure it works.


MIKROTIK FIREWALL
• The firewall protects the router from unauthorized access, whether originating from the WAN (Internet) or from the LAN (local).
• It protects the network whose traffic passes through the router.
• In MikroTik, the firewall has many features, all included in the IP Firewall menu.
• The basic firewall in MikroTik is configured at IP>Firewall>Filter Rule.

MIKROTIK FIREWALL
• Firewall filter rules are organized in chains and read sequentially.
• Each chain is read by the router from top to bottom.
• In Firewall Filter Rule there are 3 default chains:
  • input – processes packets sent to the router
  • output – processes packets sent by the router
  • forward – processes packets sent through the router
• In addition to the 3 default chains, we can make our own chains as needed.
• Every user-defined chain should be subordinate to at least one of the default chains.

MIKROTIK FIREWALL
Rules can be placed in three default chains
• input (to router), e.g. Winbox
• output (from router), e.g. ping from router
• forward (through the router), e.g. WWW, E-Mail

MIKROTIK FIREWALL
• A rule has the form IF….THEN….
• IF: does the packet match our defined criteria?
• THEN: what will we do with that packet?
• In IP firewall, the IF condition is defined in the General, Advanced and Extra tabs, and the THEN action is defined in the Action tab.


MIKROTIK FIREWALL
IP>Firewall>Filter Rules>General


MIKROTIK FIREWALL
IP>Firewall>Filter Rules>Extra


MIKROTIK FIREWALL
IP>Firewall>Filter Rules>Action
• accept - accept the packet. Packet is not passed to next firewall rule.
• add-dst-to-address-list - add destination address to address list specified by address-list parameter
• add-src-to-address-list - add source address to address list specified by address-list parameter
• drop - silently drop the packet
• jump - jump to the user defined chain specified by the value of jump-target parameter
• log - add a message to the system log containing following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After packet is matched it is passed to next rule in the list, similar as passthrough
• passthrough - ignore this rule and go to next one (useful for statistics).
• reject - drop the packet and send an ICMP reject message
• return - passes control back to the chain from where the jump took place
• tarpit - captures and holds TCP connections (replies with SYN/ACK to the inbound TCP SYN packet)


IP Firewall Filter Rule (Extra) - PSD


PSD (Port Scan Detection)
Filter and identify port scanning (TCP)
low port : 0 – 1023
high port : 1024 - 65535


MIKROTIK CONFIGURATION
Configure IP Firewall to Detect Port Scans
/ip firewall filter
# Add the source of a detected port scan to the port_scaners list for 5m10s
add action=add-src-to-address-list address-list=port_scaners address-list-timeout=5m10s chain=input comment="QUICK SCANNING" psd=21,3s,3,1
# Reject ICMP packets from listed sources with an ICMP host-unreachable message
add chain=input protocol=icmp reject-with=icmp-host-unreachable src-address-list=port_scaners action=reject
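
An added example, not from the original slides: a simplified Python model of how the four values in psd=21,3s,3,1 (WeightThreshold, DelayThreshold, LowPortWeight, HighPortWeight) decide when a source is added to port_scaners. The class and function names and the sample traffic are assumptions constructed for illustration; RouterOS's internal bookkeeping may differ in detail.

```python
from dataclasses import dataclass, field

LOW_PORT_LIMIT = 1024  # the slide's "low port" range is 0-1023


@dataclass
class SourceState:
    last_seen: float
    ports: set = field(default_factory=set)
    weight: int = 0


class PortScanDetector:
    """Simplified model of psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight."""

    def __init__(self, weight_threshold=21, delay_threshold=3.0,
                 low_port_weight=3, high_port_weight=1):
        self.weight_threshold = weight_threshold
        self.delay_threshold = delay_threshold
        self.low_port_weight = low_port_weight
        self.high_port_weight = high_port_weight
        self.sources = {}

    def observe(self, ts, src, dst_port):
        """Feed one TCP connection attempt; True means src now matches the rule."""
        state = self.sources.get(src)
        # A gap longer than DelayThreshold starts a new sequence for this source.
        if state is None or ts - state.last_seen > self.delay_threshold:
            state = self.sources[src] = SourceState(last_seen=ts)
        state.last_seen = ts
        # Only a destination port not yet seen in this sequence adds weight.
        if dst_port not in state.ports:
            state.ports.add(dst_port)
            low = dst_port < LOW_PORT_LIMIT
            state.weight += self.low_port_weight if low else self.high_port_weight
        return state.weight >= self.weight_threshold


def first_detections(events, **psd_params):
    """Return {src: (timestamp, dst_port)} for the packet that first trips the rule."""
    detector = PortScanDetector(**psd_params)
    hits = {}
    for ts, src, dst_port in sorted(events):
        if detector.observe(ts, src, dst_port) and src not in hits:
            hits[src] = (ts, dst_port)
    return hits


def constructed_events():
    """Constructed sample traffic (documentation address ranges), not captured data."""
    events = []
    # Sweep of low ports, 0.25 s apart: 7 distinct ports x weight 3 = 21.
    events += [(i * 0.25, "203.0.113.10", 20 + i) for i in range(10)]
    # Sweep of high ports, 0.5 s apart: needs 21 distinct ports x weight 1.
    events += [(10 + i * 0.5, "198.51.100.20", 8000 + i) for i in range(30)]
    # Web client reusing two ports: weight stays at 6.
    events += [(30.0 + i, "192.0.2.8", (80, 443)[i % 2]) for i in range(20)]
    # Monitoring host, 8 low ports but 10 s apart: every gap resets the sequence.
    polled = (21, 22, 23, 25, 53, 80, 110, 143)
    events += [(100.0 + i * 10, "192.0.2.9", p) for i, p in enumerate(polled)]
    return events


if __name__ == "__main__":
    for src, (ts, port) in first_detections(constructed_events()).items():
        print(f"{src}: listed at t={ts}s on port {port}")
```

With the slide's values only the two sweeps are listed; raising the delay threshold to 15 s also lists the monitoring host, which is the false-positive trade-off to weigh when tuning the rule.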


MIKROTIK CONFIGURATION
Configure MikroTik to Run the Script
Scripts can be written directly in the console or stored in the script repository.
• Example of a script run directly in the console:
[admin@MikroTik] > :put (45+23+1)
• Scripts in the repository (/system script) can be run from another script, by the scheduler or by netwatch.


MIKROTIK CONFIGURATION
Find matching address-list entries
Configure in Script Repository (/system script)
:foreach a in=[/ip firewall address-list find list=port_scaners] do={
# Get the IP address
:global ip [/ip firewall address-list get $a address];
# Log it on the machine
:log warning ("Scan Attack from:" . $ip);
# Get router id, date & time
:local sysname [/system identity get name];
:local date [/system clock get date];
:local time [/system clock get time];
# Send the report
/tool e-mail send from="Router $sysname<[email protected]>" \
    to="[email protected]" start-tls=yes server=74.125.127.108 \
    port=587 user=mikrotik.ids password=t3ddyb3ar subject="Scan Attack!" \
    body="Dear Admin, \n \nWe have note that on $date at $time. There is scanning attack to $sysname from IP $ip, and has been blocked by firewall. \nSee http://whois.sc/$ip for detail IP attacker information. \n \n Thanks & Regard \nIDS Machine";
:log warning "IP intruder telah diblock dan Email report telah dikirim."
}


MIKROTIK CONFIGURATION
Configure in Script Repository (/system script)
Download script from www.trainingmikrotik.com/ids


MIKROTIK CONFIGURATION
Configure in System Scheduler
In /system scheduler, add a schedule to run the script at a fixed interval.

The interval is set to 5m because the address-list timeout is set to 5m10s; this is to ensure that each IP in the address list is sent once.
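
An added example, not from the original slides: a small Python simulation of the 5m scheduler against the 5m10s address-list timeout, counting how many report e-mails each listed IP triggers. It assumes the scheduler first runs at t=0 and that the timeout is not refreshed by later matches; the function names and sample entries are constructed for illustration.

```python
def scheduler_ticks(interval, horizon):
    """Times (seconds) at which the scheduled script runs, assumed to start at t=0."""
    return range(0, horizon + 1, interval)


def emails_sent(entries, interval=300, timeout=310, dedup=False, horizon=3600):
    """Count report e-mails per IP for constructed (ip, added_at) list entries.

    An entry is in the address list during [added_at, added_at + timeout).
    With dedup=True the script remembers entries it has already reported.
    """
    sent = {ip: 0 for ip, _ in entries}
    already_reported = set()
    for tick in scheduler_ticks(interval, horizon):
        for ip, added_at in entries:
            listed = added_at <= tick < added_at + timeout
            if not listed:
                continue
            if dedup and (ip, added_at) in already_reported:
                continue
            already_reported.add((ip, added_at))
            sent[ip] += 1
    return sent


# Constructed entries: (source IP, second at which the firewall listed it).
ENTRIES = [
    ("203.0.113.10", 12),    # listed early in a scheduler period
    ("198.51.100.20", 295),  # listed 5 s before the next run
    ("192.0.2.77", 893),     # listed 7 s before the next run
]

if __name__ == "__main__":
    print("5m interval, 5m10s timeout:", emails_sent(ENTRIES))
    print("same, with de-duplication: ", emails_sent(ENTRIES, dedup=True))
    print("5m30s interval (too long): ", emails_sent(ENTRIES, interval=330))
```

Because the interval is shorter than the timeout, no entry is missed; entries listed within the 10-second overlap before a run are seen by two runs, and an interval longer than the timeout can miss an entry entirely.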


MIKROTIK CONFIGURATION
In /system logging, add logging for mail topics; this makes it easy to get the log when troubleshooting mail sending.


ATTACKER DEMO
– Today, most attackers that attack continuously are usually machines or bots.
– In this demonstration, we will use software for testing/simulation.
– For the demo, we will use Nmap for scanning, and brute force, which involves systematically checking all possible codes, combinations, or passwords until the correct one is found.

ATTACKER DEMO
Download Nmap from https://nmap.org/, and run it:


ATTACKER DEMO
Check in your email inbox:


CONCLUSIONS
• We can turn our MikroTik box into a smart machine that informs us if it is attacked by intruders.
• We can extend this method to any malicious connection.


If you have any other questions or would like me to clarify anything else, please let me know. I am always glad to help in any way I can.

CONTACT
ADDRESS: Jakarta, Indonesia
WEBSITE: www.trainingmikrotik.com
EMAIL: [email protected]
TELEPHONE: +62 85780740217

THANK YOU FOR YOUR TIME
@okytria | www.facebook.com/okytria | id.linkedin.com/in/okytria/ | okytria

“If you cannot survive in the tired of learning, then you will be suffering by the pain of stupidity” (Imam Syafi’i)
