Hello for all ..!
So in my company we have the follwoing :
1 server
25 PC
25 IP phone
36 camera
5 Access Points
and other devices that connected to network
and absolutely Mikrotik CCR Router.

and the Question is :
Is the Mikrotik Firewall Rules is enough to protect my full network ..? or I have to add a firewall to it..?

Weakest point in every network is rarely router or firewall.
It's usually the people using that network.

If you configure that router with a proper firewall config to block ALL incoming traffic into your network except for 1 or 2 (keep it LIMITED) entry points via purely VPN (make no concessions there, don't open ports directly for SSH or Winbox !) you should be perfectly fine.

-Train employees to think and ask questions if unsure before clicking on anything. ( on web or in emails #1 issue )
-Make sure device firmware is always up to date.
-Use reasonable passwords for devices. ( add wo factor authentication for better protection )
-Always use antivirus.

++++++++++++++++++++++++++++++++++

The above has nothing to do with Mikrotik.
The one area where MT may be weak is IPS, intrustion protection, where deep packet inspection can occur.
I gather this means the ability to scan https type traffic and typically slows down performance considerably.


The IPS is placed inline, directly in the flow of network traffic between the source and destination. This is what differentiates IPS from its predecessor, the intrusion detection system (IDS). Conversely, IDS is a passive system that scans traffic and reports back on threats.
Usually sitting right behind the firewall, the solution analyzes all traffic flows that enter the network and takes automated actions when necessary.

These actions can include:
Sending an alarm to the administrator (as would be seen in an IDS)
Dropping the malicious packets
Blocking traffic from the source address
Resetting the connection
Configuring firewalls to prevent future attacks

High end Routers, provided IPS, so expect a high cost outlay and then yearly subscription costs as this now a cloud based service ( which keeps the router updated I imagine to threats several times a day ). The one exception, no subscription fees is something called firewalla... I wonder if anyone has used this device and can comment??

and the Question is :
Is the Mikrotik Firewall Rules is enough to protect my full network ..? or I have to add a firewall to it..?

If the firewall is properly configured to meet your business requirements then Yes it is ennough.

The Key Point is business requirements. Your business may have requirements that the MikroTik Firewall cannot meet so that is why it is critical that business requirement are effectly understood by the IT department [person] ...for example MikroTik Firewall is not good on layer 7 so Firewall like Fortigate or Arista is need to deal with layer 7 ...

The one exception, no subscription fees is something called firewalla... I wonder if anyone has used this device and can comment??

firewalla is just a fork of pfSense --- IMO does not compare to Fortigate/Arista/Juniper/Cisco for layer 7

How did you figure it out Mozerd?
So pfsense has layer 7 capabilities? If so how do they compare to MTs efforts with regex?
Im assuming that they are probably not all that different and if so, then pfsense DPI is also not viable???

Similar crapola then to NETGATE PFSense Plus ~ Cheaper device but they charge for cloud access.

How did you figure it out Mozerd?

I attendid a demo ... Yes they have layer 7 capabilities as long as a properly equipped machine is used [3+ Ghz and dedicated asics etc] but not many off the shelf units do not have the power or ASICS to be effective [far too slow] ... With FortiGate etc. the performance is outstanding but so is the price ...

Try Palo Alto ...

Okay they are telling me they use their own software coupled with Zeek monitoring software, say they do not use any existing platform???
Their new 10gig box supposedly comes with 8gigs of memory and quad core cpu ???

Performance & function-wise - Yes, no problem.

But if you need to protect your network from your users (that will download malliscius stuff and click on all links) then you probably need a firewall with subscription services for Botnets and dynamic blocking-services.

Okay they are telling me they use their own software coupled with Zeek monitoring software, say they do not use any existing platform???
Their new 10gig box supposedly comes with 8gigs of memory and quad core cpu ???

I will try and get a trial and personally see how it goes ….

Last email I got said they use ubuntu as the underlying operating system........ A trial report would be amazing.
I am most interested in using it in the BRIDGE MODE, which means after the main router and between the main router and network.
Using it as a main router to replace the MT is not what most are looking for.
There appears to be no option for it to simply terminate the WAN connection and then connect to the MT.

Thus the crux of the question becomes how do you put it behind the MT but between the MT and the entire network.
Trunk from MT to Firewalla and then trunk to main switch>?>>

Layer 7 firewalls are pretty useless without SSL Termination which usually requires extensive configuration.

I have used a Firewalla Gold. It can be put in bridge mode behind a normal router and still provide its usual traffic inspection and blocking.

My reasons for dissatisfaction with Firewalla have nothing much to do with its capability. Today that J3160, with expanded memory and storage, is reinstalled as just another unix-variant box within the network.

My reasons for dissatisfaction with Firewalla have nothing much to do with its capability. Today that J3160, with expanded memory and storage, is reinstalled as just another unix-variant box within the network.

@phascogale
I 4 1 do not understand your dissatisfaction .... any chance you could be a little more explicit please?

@phascogale: Firewalla, along with other 'Smart' or 'Next-Generation' firewalls, cannot perform deep packet inspection on encrypted traffic without utilizing SSL/TLS termination. They primarily rely on fundamental info such as endpoint ip addresses, stream sizes, etc. Even SNI (ESNI) is encrypted nowadays.

@mozerd: Call it historical. They released a faulty product (early version manufacturing fault) then made it difficult for people not in the US to get straightforward replacement, having no local dealers at the time. I also disliked the app-based management which required cloud connection to work, and continual irritating alerts to say it was just doing what it was supposed to do though often to no point. Despite these I would still commend them to those who want a bit more than a basic store router without a complex UI.

@Larsa: I know, thanks. I was responding @anav’s apparent query.

Larsa, how do know that firewalla doesnt use SSL/TSL in its DPI functionality??

Latest email update
Quote: " We do not man-in-the-middle encrypted protocols. (e.g. adding certificate to endpoints and terminating ssl/tls in firewalla and re-encrypt them). this behavior is not safe for our customers, and usually should be managed by IT/InfoSec.

Firewalla can see (and control/filter) SSL/TLS protocols, headers, traffic size .." unquote.

The verdict is in, and the damn flying vampire mouse is right again, this is getting very annoying.

….. this is getting very annoying.

@anav
Why is it annoying?

Larsa being right all the time? Probably because I have a big llama brain and he has a tiny mouse/bat brain.
Maybe I should stick to flatulence and biting........