I was invited to present at the first ever MikroTik MUM in the UK. My chosen topic was, naturally, about securing networks.
I decided to divide the talk into two halves, covering our experience using RouterOS devices and subsequently explaining how we are using them to filter abusive traffic at the network edge.
Due to problems with fire alarms earlier in the day, I had to keep very rigidly to time. I anticipated needing a short while at the end for questions, but at the end of my 25 minutes of speaking I found there were none. But I hadn't even made it back to my seat before people started asking for more details… and that set the tone for the rest of the conference.
MikroTik at the Provider Edge
With a couple of MikroTik devices costing under £1000 for the pair, it's very affordable to use RouterOS at the provider edge. But is it a good idea?
Our hosting network has deliberately been architected to be compartmentalised and flat, with as little "cleverness" going on at layer-2 as possible. This means we work around some of the features missing from RouterOS 6 such as lack of recursive next-hop calculations in IPv6, and can make use of their devices in the default-free zone.
Firewalling with zero filter rules
I explain our decision to block traffic without using any "filter" rules:
- We want to use an address-list, which gives an O(1) lookup per packet, rather than a chain of filter rules that are matched sequentially and so cost O(n) per packet as the list of blocked hosts grows.
- If we are to block on multiple password failures then we need to mitigate the increased support cost of complaints from customers that "the server is down" (it isn't, you just blocked yourself).
- NAT at the provider edge could overload the routers with connection tracking information.
- We operate as an autonomous system in the DFZ, and so the best paths in and out of our network are only obvious to our network edge.
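The talk does not spell out the exact rule set, so the following is an added illustration rather than our production configuration: one way to get address-list blocking on RouterOS 6 with nothing in the "filter" table is to match the list from the raw table, which runs before connection tracking. The list name "blocked", the 1d timeout and the example address are assumptions made for this snippet.

```routeros
# Added illustration, not the configuration from the talk.
# Assumes: list name "blocked", a 1-day timeout, RouterOS 6.36 or later (raw table).

# Entries carry a timeout, so a customer who locks themselves out through
# repeated password failures is released automatically instead of staying
# blocked until they open a support ticket.
/ip firewall address-list
add list=blocked address=192.0.2.10 timeout=1d comment="example entry, TEST-NET-1 address"

# One rule in the raw table (not the filter table) drops every packet whose
# source is on the list. Raw runs before connection tracking, so the router
# keeps no state for blocked sources, and list membership is a single lookup
# whose cost does not grow with the number of entries.
/ip firewall raw
add chain=prerouting src-address-list=blocked action=drop comment="drop listed sources"

# Inspect the list; entries with a timeout show the time remaining.
/ip firewall address-list print where list=blocked
```

Adding to the list from a login-failure detector (whatever feeds it) is then a matter of appending address-list entries; the drop rule never changes, and the filter table stays empty.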
Watch and Read
You can skim through the slides from the talk, or watch the video:
I was very grateful to be able to present at this, the first MUM in the UK. Thank you to everybody who attended, and the team involved in making this event happen. See you all next time!