For any port scan we pay particular attention to the open ports that are found, and the services that are running on those ports. The relevant portions of the port scan output are shown in the following sections. If you want to learn more about using Nmap check out the Network Scanning With Nmap write-up that will get you going. This will our starting point, shown below: nmap -A -T4 -Pn -v 192.168.88.181 Next we'll do an Nmap scan of the stock router from the WAN side to get a baseline of open ports and services. Once your network interfaces have been secured and the rest of this guide is complete also take a look at segment your networks with VLANs. In our case interfaces 1, 2, and 3 are in use, and we're not using interfaces 4 and 5: /interface set 4,5 disabled=yes Then shut off all the interfaces that aren't live so they can't be used to access the device. Show Interfacesįirst list all the interfaces, making note of the numbers associated with each interface (refer to the table above for the interfaces in this exercise): /interface print Disable Unused Interfaces To plug into the router they'd have to disconnect a live connection and draw attention. The first step we'll take is disabling any physical network interfaces that aren't in use, denying an intruder access to the device if they somehow got into the wiring closet or server room. The network devices must only allow management connections for administrative access from hosts residing in the management network. The Management network isn't strictly necessary in organizations without applicable compliance requirements but it's a best practice.įor organizations that do have compliance standards in place, having a separate management network statisfies Infrastructure Router STIG Finding V-5611: It could very easily be an RB-751 in a home office, or an RB-951 or hAP in a branch office. This is a typical branch office configuration with Inside, Outside, and Management network "zones". Almost all of the configuration changes below are included in requirements for PCI-DSS and HIPAA compliance, and the best-practice steps are also included in CIS security benchmarks and DISA STIGs. Some very basic configuration changes can be made immediately to reduce attack surface while also implementing best practices, and more advanced changes allow routers to pass compliance scans and formal audits. Mikrotik routers straight out of the box require security hardening like any Arista, Cisco, Juniper, or Ubiquiti router. MikroTik Security Guide and Networking with MikroTik: MTCNA Study Guide by Tyler Hart are both available in paperback and Kindle! Preface You can now get MikroTik training direct from Manito Networks.
0 kommentar(er)
