Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us $3,400 per month for bandwidth bills alone, and since we don't believe in shoving popup ads to our registered users, we try to make the money back through forum registrations.
«58 »
  • Post
  • Reply
Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

I don't think you can be totally safe if you expose management interfaces to the web. Either manage your devices in a way where they connect out to a central location, or via VPN etc.

Adbot
ADBOT LOVES YOU

Pendent
Nov 16, 2011

The bonds of blood transcend all others.
But no blood runs stronger than that of Sanguinius

Grimey Drawer

We have explicitly permitted management IPs, which is really the standard for most networking gear in my experience. If that isn't good enough here, well I'll be probably 90% Mikrotik free by early next year.

redeyes
Sep 14, 2002
I LOVE THE WHITE STRIPES!

I'm also losing confidence in their stuff. In the past it was kind of worth it for the cost savings but things have changed.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA


redeyes posted:

I'm also losing confidence in their stuff. In the past it was kind of worth it for the cost savings but things have changed.

Basically everyone who makes internet facing networking gear is getting the poo poo hammered out of them now. Mikrotik is just the latest round of casualties. Cisco had some amazing as gently caress vulnerabilities a while back, and new ones keep getting discovered.

Pendent
Nov 16, 2011

The bonds of blood transcend all others.
But no blood runs stronger than that of Sanguinius

Grimey Drawer

Methylethylaldehyde posted:

Basically everyone who makes internet facing networking gear is getting the poo poo hammered out of them now. Mikrotik is just the latest round of casualties. Cisco had some amazing as gently caress vulnerabilities a while back, and new ones keep getting discovered.

I am not aware of any recent Cisco vulnerabilities that allowed an attacker complete access to their devices with no authentication necessary.

Having worked with both types of gear for years I trust Cisco significantly more when it comes to this stuff.

im depressed lol
Mar 12, 2013


redeyes posted:

I'm also losing confidence in their stuff. In the past it was kind of worth it for the cost savings but things have changed.

i've been following this thread hawkishly and can at least appreciate MikroTik for being one of the few router manufacturers to patch quickly, promptly, in an easy and transparent manner. i don't have any illusions about the router being bullet-proof and recognize any actor with enough motivation will ruin you regardless of defenses.

for reference my previous home router experiences were all cheapie blue/black boxes that required you to download firmware from a site and upload it to the router. and i'm sure in many years ago before https was ubiquitous, i downloaded router firmware in an absurd, insecure manner. not that doing this via https is some fool-proof, secure method either but this was before i was even aware of crap like firesheep in the late 00s.

im depressed lol
Mar 12, 2013


Pendent posted:

I am not aware of any recent Cisco vulnerabilities that allowed an attacker complete access to their devices with no authentication necessary.

Having worked with both types of gear for years I trust Cisco significantly more when it comes to this stuff.

I just listen to the Security Now! podcast as background noise, but I remembered a tidbit regarding this. Sorry for the whole wall of text, but I'm not a genius (to put it lightly) when it comes to this stuff and wouldn't want to miss anything relevant.

https://www.grc.com/sn/sn-667.htm
June 12th, 2018

quote:

Steve: So what the heck has been going on at Cisco? Throughout this year Cisco has been performing some internal code auditing for which they should be encouraged and congratulated. And I've been watching these reports, and I haven't said anything because it's like, okay, I mean, I've been a little - I've wondered why Cisco keeps finding backdoors in their own products. That's a little worrisome. But it's not the end of the world. I mean, while it's disturbing that for some reason they're finding backdoors buried in their own products, at least they have the maturity and the foresight to be looking at their own code and not just assuming it's all fine.
And this actually was triggered, I think, by an earlier discovery by an outside party of a worrisome backdoor. And we did talk about that even further back. But now an external security researcher, Aaron Blair of RIoT, I got a kick out of that, RIoT as in R-I-O-T Solutions. He was researching a vulnerability in some Cisco software, their Wide Area Application Services, WAAS. And he leveraged a vulnerability that gave him access to the underlying file system on the platform he was using, which not even a normal device admin would get. With Cisco you could log in with extra, like, root administrative privileges, but that gives you more commands. You don't get underneath the OS in order to see the actual file system.

Well, this vulnerability allowed Aaron to do just that. And what he discovered was another previously unknown hardcoded backdoor, which he responsibly reported to Cisco, and they are fixing or have fixed. There's now an update for this Wide Area Application Services software. So that's good. And it even wasn't a really bad problem. In all of these networking devices there's a service called SNMP, Simple Network Management Protocol, which is a - I think it runs over port 161, if I recall. I use it a lot. Anytime you are monitoring, like, traffic on a remote device, you're sending SNMP, typically UDP packets, querying for specific counters to be told to you.

And they have a bizarre protocol. It's like there's a unified - they're called MIBs, M-I-B, which are sort of a dictionary of dotted numerical tree. So it's like 1.3.7.4.16.2., it's like that. And at each dot is a multiway branch through this tree. And after about 20 of these dots, you finally get down to a leaf node where is a counter, which is like bytes in or bytes out or packets in or firewall firings of this packet or whatever. So it is cool because it allows - it's a standardized mechanism for allowing remote over-the-network monitoring of devices.

Now, write access is significantly more dangerous because it's possible also to configure devices over SNMP, if you have write access. For example, that tree, benign as it is, allows you to do things like add and remove filters and rules and NAT mappings and so forth. So it can be powerful. Still, nobody who's concerned about security wants somebody remotely, without authorization, to access the entire SNMP statistics tree of any of these devices where this WAAS software is. And who knows what other devices may also have this secret. So the big problem is here is like the fourth in just a few months of discovered hardcoded backdoors in the devices of a major, like the major - I mean, there's a lot of competition now, but used to be Cisco was it - Internet big iron hardware manufacturer with routers and switches and so forth.

And so, if you step back, you just sort of have to say, as I did at the top of this, what the heck has been going on at Cisco? I don't want to do the conspiracy theory thing; but of course in the post-Snowden era, where we have seen clear evidence of prior involvement by the NSA, their fingers seem to be in these things, and the idea that employees could be implanted in corporations or turned once they're there or believe that they are supporting U.S. domestic security by just putting a cute little backdoor into something. The problem is, as we know, a backdoor of this nature can be used by anybody who knows about it.

And so here's Aaron discovering this because he gets access to the file system through a vulnerability, which he then reported responsibly to Cisco. But then he also had to say, oh, and by the way, I found an undocumented backdoor in your SNMP service which you might want to look at, too. So of course it begs several questions. Why are there backdoors that it sounds like even Cisco themselves do not officially know about? How long have they been there? Why are they there? And which other ones are there that aren't known? And this clearly got onto Cisco management radar somewhere because it had to have come, apparently it came as a surprise to them, too. And so they started performing an internal code audit of their own code to figure out, okay, we can't deny the truth any longer, that somebody has been putting code in our own products. So, yikes.

Edit: VVV yeah I obviously don't know poo poo about poo poo (not sarcastic; recognition of ignorance), but it would have been interesting if this slipped under your radar due to cisco marketing.

im depressed lol fucked around with this message at Oct 3, 2018 around 20:09

Pendent
Nov 16, 2011

The bonds of blood transcend all others.
But no blood runs stronger than that of Sanguinius

Grimey Drawer

im depressed lol posted:

I just listen to the Security Now! podcast as background noise, but I remembered a tidbit regarding this. Sorry for the whole wall of text, but I'm not a genius (to put it lightly) when it comes to this stuff and wouldn't want to miss anything relevant.

https://www.grc.com/sn/sn-667.htm
June 12th, 2018

I have a lot less to say about their software offerings like WAAS aside from to say that I agree it's a lot less good that their core products. I'm referring to their mainline routing and switching gear though- stuff like Nexus series switches or ASRs. There are vulnerabilities to be sure but I haven't seen anything as egregious as this Winbox vuln from them in a long time.

EssOEss
Oct 23, 2006
128-bit approved

Pendent posted:

I am not aware of any recent Cisco vulnerabilities that allowed an attacker complete access to their devices with no authentication necessary.

Having worked with both types of gear for years I trust Cisco significantly more when it comes to this stuff.

I guess having a hardcoded root password or two does not count has no authentication, in a way.

These were not specifically routers but there is no reason to believe their router department is any different.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA


Pendent posted:

I have a lot less to say about their software offerings like WAAS aside from to say that I agree it's a lot less good that their core products. I'm referring to their mainline routing and switching gear though- stuff like Nexus series switches or ASRs. There are vulnerabilities to be sure but I haven't seen anything as egregious as this Winbox vuln from them in a long time.

Not nearly as transparently loving bad, but there is a lot of sketchy poo poo in Cisco's various product offerings, though you're right, their core routing gear doesn't seem to have anything really bad in recent memory. All the fancy enterprise grade management services that touch them though? Those seem to have a good deal more fun CVEs released.

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire


Lock down your ACLs. Hopefully there isn't an exploit that goes around the ACLs... :\

/ip service
set telnet address=192.168.1.0/24 disabled=yes
set ftp address=192.168.1.0/24 disabled=yes
set www address=192.168.1.0/24 disabled=yes
set ssh address=192.168.1.0/24
set www-ssl address=192.168.1.0/24
set api address=192.168.1.0/24 disabled=yes
set winbox address=192.168.1.0/24
set api-ssl address=192.168.1.0/24 disabled=yes

This locks out everything but my internal LAN's NAT of 192.168.1.0/24 from hitting my home Mikrotik on SSH or Winbox. Fun fact: via the GUI on Winbox it says www-ssl is disabled but from the export above it doesn't. Maybe disabled=yes is default for JUST that one specific entry.

I could add some more WAN IP blocks if I want to have access to my Mikrotik from outside/WAN/somewhere else.

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

If there's an exploit that can bypass basic ACLs then we're hosed

Pendent
Nov 16, 2011

The bonds of blood transcend all others.
But no blood runs stronger than that of Sanguinius

Grimey Drawer

EssOEss posted:

I guess having a hardcoded root password or two does not count has no authentication, in a way.

These were not specifically routers but there is no reason to believe their router department is any different.

There is actually a ton of reason to expect that the routing and switching gear is better. People have had literally decades to attack IOS/NXOS etc and it's not like they aren't huge targets. When I look around at other ISP's racks in our various colos I see a hell of a lot of Cisco gear and there's a reason for that. I would be absolutely shocked if some sort of amateur hour exploit like this Mikrotik bug was discovered with the software in an ASR.

These other products are generally things they've bought and are not used nearly as widely. Something like the denial of service bug that was recently announced is annoying. Allowing unathenticated access to routing equipment is quite another and is completely unacceptable for anyone that gives the slightest poo poo about what these devices are doing.

Thanks Ants posted:

If there's an exploit that can bypass basic ACLs then we're hosed

I feel like it's just a matter of time and I am trying to pull my migration timeline forward as a result.

PUBLIC TOILET
Jun 13, 2009



im depressed lol posted:

Is there a go-to guide on hardening the default configs of various Mikrotik devices?

I use this:

https://www.manitonetworks.com/netw...outer-hardening

Thanks Ants posted:

If there's an exploit that can bypass basic ACLs then we're hosed

If/when that happens, I'll gladly start the immediate transition to pfSense or Cisco. Until then, I've personally had no reported issues with the MikroTik routers I've configured for people. Then again, I haven't yet installed the major bugfix revision firmware. Not looking forward to testing that on my router first.

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire


Mikrotik is great for cheap gigabit switches and small WISP-style routing areas.

If you keep stuff private IPs then great. If you need to route with WAN IPs, then just pray that ACL code never gets compromised.

Also you could turn on a firewall too also mayhap to supplement the ACLs.

im depressed lol
Mar 12, 2013



thank you for this. i'm 90% sure i used a GUI-only variant of this guide on initial setup a year ago.

PUBLIC TOILET
Jun 13, 2009



im depressed lol posted:

thank you for this. i'm 90% sure i used a GUI-only variant of this guide on initial setup a year ago.

Yeah just be careful if you copy it verbatim to your own MikroTik. Some of the IP addressing/ranges may have to be modified, especially when you build the firewall rules. Been using this for years with no issue.

Just pulled the trigger on 6.42.9 (hAP AC) and shockingly no issues to report. I did however notice this change and it confused me at first:

http://www.mtin.net/blog/mikrotik-c...sion-numbering/

Didn't know the RouterBOARD firmware versioning was changed.

thebigcow
Jan 3, 2001

Bully!

Upgraded to 6.42.9 at work and nothing blew up.

Also saw the RB4011 is out. 10 Gigabit ports on two switch chips, each switch chip has a 2.5gb/s link to the CPU, and an SFP+ cage. Desktop unit has dual band radios and a million antennas. Rack unit is just fancy ears on a desktop box without antennas.

yoloer420
May 19, 2006


Yeah it looks real good. I'd buy it if RouterOS had proper support for IPv6. They still don't support PBR on V6...

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

Are there any ‘bargain’ routers that have better software than MikroTik/Ubiquiti, or is the answer just to buy Juniper?

redeyes
Sep 14, 2002
I LOVE THE WHITE STRIPES!

Thanks Ants posted:

Are there any ‘bargain’ routers that have better software than MikroTik/Ubiquiti, or is the answer just to buy Juniper?

Pfsense/Opensense might be the answer depending on how many computer parts you have laying around.

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

From experience the pfSense distros aren't fantastic routing platforms, they're fine for SMB NAT gateway requirements and have lots of plugins available, but OSPF can be flakey and they can't do route based IPsec.

redeyes
Sep 14, 2002
I LOVE THE WHITE STRIPES!

Thanks Ants posted:

From experience the pfSense distros aren't fantastic routing platforms, they're fine for SMB NAT gateway requirements and have lots of plugins available, but OSPF can be flakey and they can't do route based IPsec.

2.4.4 has some new features and I thought IPsec routes were one of them but I haven't upgraded to it yet.

PUBLIC TOILET
Jun 13, 2009



https://www.tenable.com/blog/tenabl...rotiks-routeros

Fixed in new releases but drat. I haven't utilized MikroTik on a business scale but come on, at least keep your poo poo up to date via the bugfix channel.

EssOEss
Oct 23, 2006
128-bit approved

quote:

What’s the attack vector? Attackers could use default credentials, frequently left unchanged on routers, to exploit these vulnerabilities.

Yawn.

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

Yeah being able to use correct credentials and do bad things to a system isn't really a huge exploit. Close management off to untrusted networks, use TACACS/RADIUS/whatever for your staff to auth to devices.

FunOne
Aug 20, 2000
I am a slimey vat of concentrated stupidity



Fun Shoe

I've got a UniFi question if anyone can help. I have two AC-Lites, one bought when they first came out, and another bought in the last month or so.

The one I bought in the last month seems to have better reach and range. Did they update the antennas? I can see a pretty noticeable board revision difference, but I don't see enough of their hardware to know if they've really gone through that many versions or if they just updated the number.

redeyes
Sep 14, 2002
I LOVE THE WHITE STRIPES!

FWIW I have a couple year old AC-Lite that has absolutely crap for range. I was thinking it was broken or something.

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof


FunOne posted:

I've got a UniFi question if anyone can help. I have two AC-Lites, one bought when they first came out, and another bought in the last month or so.

The one I bought in the last month seems to have better reach and range. Did they update the antennas? I can see a pretty noticeable board revision difference, but I don't see enough of their hardware to know if they've really gone through that many versions or if they just updated the number.

Yeah the new AC lite is basically a whole new AP and is actually good. The 1st gen ones are absolute trash.

edit: i meant v1 not gen 1. although the gen1 UAP are pretty bad.

GnarlyCharlie4u fucked around with this message at Oct 11, 2018 around 15:47

SamDabbers
May 26, 2003

QUITE.


Fallen Rib

I have a first gen AC Lite (the 24V passive PoE one) and the range and speed are more than adequate for my purposes, but I live in an apartment. I even have the transmit power set low and only have the 5GHz radio enabled.

FunOne
Aug 20, 2000
I am a slimey vat of concentrated stupidity



Fun Shoe

GnarlyCharlie4u posted:

Yeah the new AC lite is basically a whole new AP and is actually good. The 1st gen ones are absolute trash.

edit: i meant v1 not gen 1. although the gen1 UAP are pretty bad.

Board revision 18 vs. 33?

For the most part, the home network is perfectly fine now that I have the APs mounted on both sides of the house. Everywhere gets 5ghz, but I do notice that most of them are on the 'new' AP even if it is farther away.

I guess the correct thing to do is wait for the AC-Lite 2 or AC mega-pro or whatever it is that comes out next to consider upgrading the 'old' one.

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof


^^yeah? I don't know the board numbers offhand.

I will say this. I kinda wish I had 2 Lites instead of one pro. But I'll just get another pro and everything will be peachy. Ubiquiti does the hand off really well between. APs so I'd be comfortable with one in the foyer and another in the basement.
Right now it's in the office and I get wifi all the way down the drat street.

Anywho... Which one of you is going around patching everyone's routers?

https://www.zdnet.com/article/a-mys...krotik-routers/

GnarlyCharlie4u fucked around with this message at Oct 13, 2018 around 01:38

devmd01
Mar 7, 2006

Elektronik
Supersonik


I'm jumping on the mikrotik train for home and just ordered a RB3011UiAS-RM. Time to start reading this thread!

alyandon
Dec 9, 2001
Poster of the Month for July!

Fun Shoe

devmd01 posted:

I'm jumping on the mikrotik train for home and just ordered a RB3011UiAS-RM. Time to start reading this thread!

Prepare for some pain compared to consumer routers. Having to set up everything manually is not a lot of fun - especially figuring out how to do more obscure crap like NAT-reflection.

However, currently watching my $160 RB3011 using <10% cpu while 400 mbit/s of traffic transits ether1. Totally worth it.

redeyes
Sep 14, 2002
I LOVE THE WHITE STRIPES!

alyandon posted:

Prepare for some pain compared to consumer routers. Having to set up everything manually is not a lot of fun - especially figuring out how to do more obscure crap like NAT-reflection.

However, currently watching my $160 RB3011 using <10% cpu while 400 mbit/s of traffic transits ether1. Totally worth it.

I used DNS instead of NAT reflection to access my webserver by name. Not sure if that is good enough.
You can set these routers up really fast. Assuming you mean port forwarding? Internet guides will have that working in a few minutes.

Advice: update the firmware before setting up the rest of the stuff, then do a factory reset (using Winbox). This will make sure it comes with default IPv4 and 6 firewall rules and will make things much easier.

redeyes fucked around with this message at Oct 15, 2018 around 15:41

Adbot
ADBOT LOVES YOU

alyandon
Dec 9, 2001
Poster of the Month for July!

Fun Shoe

redeyes posted:

I used DNS instead of NAT reflection to access my webserver by name. Not sure if that is good enough.
You can set these routers up really fast. Assuming you mean port forwarding? Internet guides will have that working in a few minutes.

Most of the basic stuff like port forwarding was trivial enough to set up as I'm pretty handy with basic networking and iptables stuff.

However, transitioning from a consumer router running Tomato that did so many things in the background like mapping dhcp clients to internal queues so that it could then account usage on a per-IP instead of per-interface basis, NAT-reflection, etc to setting up that mess of stuff was rough.

I still don't have an easy answer to the per-IP accounting for non-persistent network devices other than forwarding netflow data from the router to a linux box and dissecting the information streams there.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply
«58 »