And what do people here think of Mikrotik in that role?
This is what I know about RouterOS (which Mikrotiks run on):
Quote:
Mikrotik Security
Mikrotik RouterOS is a routing operating system based on Linux 2.6 kernel and has all the functionalities and flexibility of FLASK (Flux Advanced Security Kernel) architecture.
Its main characteristic is implementation of SELinux forcing mandatory access control (MAC) limiting user applications only to a minimum level of privileges required for task completion. This approach significantly limits/eliminates possibilities of programs and system services compromising with methods such as Buffer Overflow, Structured Exception Handler, Local Privilege Escalation, Stack Smashing, NULL dereference, etc.
The effect of such closed architecture is elimination of ACL mechanisms where there is no concept of super-user, completely eliminating dependence on setuid/setgid mechanisms. With this concept Mikrotik has applied the highest security standards in design and implementation of RouterOS system. This can be easily checked by browsing any prominent public and up-to-date exploit databases and the fact that it is impossible to find any known exploit for this system.
Apart from system security level, MikrotikOS also conforms to very high security standards in user access security. Various protocols such as IPSec, PPTP, PPPoE, OpenVPN, SSTP, L2TP, IPIP, GRE, EOIP, SSH and system modularity segregation provide Mikrotik with the ability to comply with the highest possible security standards.
Furthermore, a system designed in this way enables easy applications on various architectures (single processor and multiprocessor, PC and PowerPC, and embedded systems). Security mechanisms on any of supported IDE, SATA, CF, SD or USB media eliminate compromising of the system even with direct physical access. This is especially emphasized if used on Mikrotik RouterBoard platform (as proposed for your project) since they all have coupled memory modules with system installation (operating and backup) which makes it practically impossible to change/modify any core system module by user side (protect the user from himself or herself).
Another valuable aspect of system security is the fact that user access parameters are stored in system memory unable to be accessed by user (loss of access parameters results in deletion of user access configuration parameters) which disables possibility of exploiting user to map vectors of attack on a system or any of its parts.
Nevertheless, user access and management have been kept simple and flexible with terminal access available through api, ftp, ssh, telnet, winbox, www and www-ssl. By the way, admin/management interface GUI is, at the same time, sleek and comprehensive.
Mikrotik IDS/IPS
Mikrotik RouterOS has a very extensive set of firewall functionalities, such as:
· Complete packet inspection
· Protocol detection at application layer
· P2P filtering
· Traffic classification/management:
    o by MAC addresses, IP addresses, IP ranges, IP address classes, etc.
    o ports or range of ports
    o IP protocol
    o Protocol options (ICMP types and codes, TCP statuses, IP options and MSS)
    o By input/output interface
· Control and marking of internal traffic
· DSCP (Differentiated Services Code Point)
· Deep inspection (packet contents)
· Control over speed and schedule of packets routing
· Packet size
· Etc.
One of the most effective combinations to use for complete IDS/IPS solution is Mikrotik with Snort (open source IDS software).
---- our online support is currently offline ----