
Feature Request: Application Level Firewall

Posted: Thu May 26, 2016 7:18 pm
by MTusewk
I would like to request the addition of a functionality to detect and block applications through the firewall just like a lot of major players are offering it in their products, for example:

- Palo Alto Firewall's App-ID
- Fortinet's Application Control

I know some of this functionality is available under Firewall > L7 Protocols. I would like this to be improved to provide the capabilities these vendors are offering out there. For example, they can even detect applications' encrypted traffic and block it. As an example, blocking encrypted BitTorrent protocol traffic, which we cannot do with MikroTik. With their offerings it is possible to ALLOW and BLOCK traffic at application level. I want this functionality to be added to MikroTik.

Re: Feature Request: Application Level Firewall

Posted: Thu May 26, 2016 7:59 pm
by pe1chl
As a generic solution, it would be nice if there was a "snort" package that can be installed (given enough headroom in CPU power, memory etc) on the router. It should at least be configurable for detection and possible generation of address list, but it would of course be even nicer when it could be configured in the forwarding path.

Re: Feature Request: Application Level Firewall

Posted: Thu May 26, 2016 8:47 pm
by ZeroByte
I think a Mikrotik API plugin for snort would be a nice feature, so that if a snort box decides to blacklist some address, it can send it to Mikrotik routers using API calls for adding them to an address-list.

Ideally, the ability to place BGP -> address-list will be available in ROSv7, which will make a system-wide blacklist almost trivial to deploy.

But I think OP wants a deep packet inspection firewall so that he can pop up browser messages like "your requested website violates policy" or watches for users with Skype installed, etc....

Honestly, I'd rather use a dedicated box for such things because value-add features like this are rarely as good as purpose-built solutions. (Just look at the p2p match in iptables / ROS firewall.... it doesn't help at all for those who want to limit p2p, and that's not Mikrotik's fault... it's just a full-time job keeping up with that sector)

Re: Feature Request: Application Level Firewall

Posted: Thu May 26, 2016 10:28 pm
by pe1chl
> I think a Mikrotik API plugin for snort would be a nice feature, so that if a snort box decides to blacklist some address, it can send it to Mikrotik routers using API calls for adding them to an address-list.

It looks like someone has written a workaround for that, see the wiki under IDS.
However, I have a CCR-1009 of which most cores are sitting idle, it would be a cool idea to run snort on there.
Unfortunately there is no VM support (MetaROUTER) on that box, or I could try running a Linux VM.
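Added example of the snort-to-address-list bridge ZeroByte describes (this is not the wiki workaround mentioned above, nor code from anyone in this thread): it parses constructed snort "fast" alert lines, decides which remote addresses deserve an entry (only high-priority alerts, never a host on our own side), and builds the RouterOS API sentence that adds a timed entry to an address list. The word encoding follows the RouterOS API protocol (length-prefixed words, terminated by an empty word). The list name `snort-block`, the `1d` timeout, the comment format, the protected network and the sample alert lines are all assumptions constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Added example, not the wiki workaround nor code from the thread.
# Constructed snort alerts in the "fast" output layout; addresses are documentation ranges.
SAMPLE_ALERTS = [
    "05/26-19:18:00.123456  [**] [1:2000001:1] CONSTRUCTED SSH brute force [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 203.0.113.5:44321 -> 192.0.2.10:22",
    "05/26-19:18:01.000001  [**] [1:2000002:1] CONSTRUCTED port scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 3] "
    "{TCP} 198.51.100.7:50000 -> 192.0.2.10:80",
    "05/26-19:18:02.000002  [**] [1:2000003:1] CONSTRUCTED outbound noise [**] "
    "[Priority: 2] {UDP} 192.0.2.10:53 -> 198.51.100.9:53",
]

PROTECTED_NET = ip_network("192.0.2.0/24")  # assumption: the network behind the router
NEVER_BLOCK = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

FAST_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)


def parse_alert(line):
    """Fields of one fast-format alert line, or None if it does not parse."""
    m = FAST_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"])
    return alert


def wants_block(alert, protected_net=PROTECTED_NET, max_priority=2):
    """Only remote sources of sufficiently severe alerts get listed; never a host
    on our own side, which would turn an outbound or spoofed alert into self-DoS."""
    src = ip_address(alert["src"])
    if alert["prio"] > max_priority:  # snort priority 1 is the most severe
        return False
    if any(src in net for net in NEVER_BLOCK + [protected_net]):
        return False
    return True


# --- RouterOS API protocol: length-prefixed words, empty word ends a sentence ---

def encode_length(n):
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    return b"\xf0" + n.to_bytes(4, "big")


def encode_sentence(words):
    out = b""
    for w in words:
        raw = w.encode()
        out += encode_length(len(raw)) + raw
    return out + b"\x00"


def address_list_sentence(alert, list_name="snort-block", timeout="1d"):
    """API words that add a timed entry to an address list (names are assumptions).
    A rule such as
        /ip firewall filter add chain=forward src-address-list=snort-block action=drop
    is what actually enforces the list."""
    comment = f"snort {alert['gid']}:{alert['sid']} {alert['msg']}"
    return [
        "/ip/firewall/address-list/add",
        f"=list={list_name}",
        f"=address={alert['src']}",
        f"=timeout={timeout}",
        f"=comment={comment}",
    ]


def sentences_for(lines, protected_net=PROTECTED_NET):
    """Parse alert lines and return the API sentences (word lists) worth sending."""
    out = []
    for line in lines:
        alert = parse_alert(line)
        if alert and wants_block(alert, protected_net):
            out.append(address_list_sentence(alert))
    return out


if __name__ == "__main__":
    for words in sentences_for(SAMPLE_ALERTS):
        print(words)
        print(encode_sentence(words).hex())
```

Delivery is left out on purpose: the sentence would go over a TLS connection to the router's api-ssl service after logging in as an account in a group whose policy is limited to api, read and write, so a compromised sensor can at most edit address lists. The timeout keeps a false positive from becoming a permanent block.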

Re: Feature Request: Application Level Firewall

Posted: Fri May 27, 2016 12:01 am
by vortex
I want IDS on the router, not on a separate box.

Re: Feature Request: Application Level Firewall

Posted: Sat May 28, 2016 4:47 pm
by MTusewk
> I think a Mikrotik API plugin for snort would be a nice feature, so that if a snort box decides to blacklist some address, it can send it to Mikrotik routers using API calls for adding them to an address-list.
>
> Ideally, the ability to place BGP -> address-list will be available in ROSv7, which will make a system-wide blacklist almost trivial to deploy.
>
> But I think OP wants a deep packet inspection firewall so that he can pop up browser messages like "your requested website violates policy" or watches for users with Skype installed, etc....
>
> Honestly, I'd rather use a dedicated box for such things because value-add features like this are rarely as good as purpose-built solutions. (Just look at the p2p match in iptables / ROS firewall.... it doesn't help at all for those who want to limit p2p, and that's not Mikrotik's fault... it's just a full-time job keeping up with that sector)

What I requested is an "Application Level Firewall" where traffic of different applications can be detected and then blocked as per the defined rules. It is fine if MikroTik cannot release signatures for all the different applications out there or keep updating them; what we need is for this functionality to be available in MikroTik, and let the community develop the signatures for whatever applications they want to detect and block. The MikroTik community will happily do it.

The examples I gave of Palo Alto and Fortinet are firewalls with the application level detection built-in. It is not a dedicated device for just "application filtering".

Re: Feature Request: Application Level Firewall

Posted: Sat May 28, 2016 5:59 pm
by pe1chl
> What I requested is an "Application Level Firewall" where traffic of different applications can be detected and then blocked as per the defined rules. It is fine if MikroTik cannot release signatures for all the different applications out there or keep updating them; what we need is for this functionality to be available in MikroTik, and let the community develop the signatures for whatever applications they want to detect and block. The MikroTik community will happily do it.

But snort can do that I think.... that is why it would be nice to have a snort package that can run on the router.
Of course, snort is traditionally focussed on "network intrusion" rather than application detection, but it is basically the same task.

Re: Feature Request: Application Level Firewall

Posted: Sun May 29, 2016 6:37 pm
by ZeroByte
> What I requested is an "Application Level Firewall" where traffic of different applications can be detected and then blocked as per the defined rules. It is fine if MikroTik cannot release signatures for all the different applications out there or keep updating them; what we need is for this functionality to be available in MikroTik, and let the community develop the signatures for whatever applications they want to detect and block. The MikroTik community will happily do it.

I have to disagree. Poorly-maintained definitions can be worse than nothing at all. If users think they're covered when they aren't... And there are some sharp cookies in the ROS community but it's not nearly large enough to say with reasonable assurance that the community has all bases covered. There are many community-supplied recipes/howtos/etc for ROS that make me cringe. For example, there's a firewall recipe that includes blocking bogons, but the bogon list is YEARS out of date, and I still see people posting their firewall configs here which are copy/paste replicas of these rules.

An un-maintained signature database for this would be like your doctor working from the leading medical journals from 1997 or something.

If you argue that an app-level firewall be implemented as a module which can be activated/removed then I would say this is the way to go. I personally wouldn't use it because I see no signs that Mikrotik has the resources to dedicate to maintaining such a service on the level it needs. ROS is quite a wonderful system but it still requires much improvement in its core functionality. Bells and whistles would be too much distraction from this IMO.

Granted, I'm talking about security vs something that just dictates policy like "no Skype allowed" which you actually can do with L7 filters. (This is their original intent, not web site filtering) and you could even use recipes from the Linux/netfilters community since it's the same thing.

Re: Feature Request: Application Level Firewall

Posted: Tue May 31, 2016 10:22 pm
by mpreissner
I agree that being able to run Snort or another IDS/IPS function on the router would make for a simplified deployment, but you also have to remember that it would necessitate stronger hardware to maintain a given throughput.

Personally, I run pfSense as an inline transparent firewall that sits between my MT router and my ISP. I leave the heavy duty firewalling to the pfSense, and run Snort inline so it functions as an IPS, and simply use the MT router for simple routing tasks within my internal network. The CCR's are great platforms, until you load them down with too many firewall rules, and then throughput starts to seriously suffer.

Re: Feature Request: Application Level Firewall

Posted: Fri Jun 03, 2016 5:02 pm
by MTusewk
> What I requested is an "Application Level Firewall" where traffic of different applications can be detected and then blocked as per the defined rules. It is fine if MikroTik cannot release signatures for all the different applications out there or keep updating them; what we need is for this functionality to be available in MikroTik, and let the community develop the signatures for whatever applications they want to detect and block. The MikroTik community will happily do it.
>
> I have to disagree. Poorly-maintained definitions can be worse than nothing at all. If users think they're covered when they aren't... And there are some sharp cookies in the ROS community but it's not nearly large enough to say with reasonable assurance that the community has all bases covered. There are many community-supplied recipes/howtos/etc for ROS that make me cringe. For example, there's a firewall recipe that includes blocking bogons, but the bogon list is YEARS out of date, and I still see people posting their firewall configs here which are copy/paste replicas of these rules.
>
> An un-maintained signature database for this would be like your doctor working from the leading medical journals from 1997 or something.
>
> If you argue that an app-level firewall be implemented as a module which can be activated/removed then I would say this is the way to go. I personally wouldn't use it because I see no signs that Mikrotik has the resources to dedicate to maintaining such a service on the level it needs. ROS is quite a wonderful system but it still requires much improvement in its core functionality. Bells and whistles would be too much distraction from this IMO.
>
> Granted, I'm talking about security vs something that just dictates policy like "no Skype allowed" which you actually can do with L7 filters. (This is their original intent, not web site filtering) and you could even use recipes from the Linux/netfilters community since it's the same thing.

This functionality would need to be added at some point in time to stay relevant on the market. The routers/firewalls from almost all the major players out there have had this app-level filtering functionality available in their products for quite some time.

I agree you can block some of the stuff with ROS, but that's not what we are talking about here in the first place when I am requesting an app-level filtering functionality as a feature to be added into ROS. Let me know how you would block encrypted BitTorrent traffic with the current feature set of ROS? Or how would you allow port 443 traffic but only for HTTPS and not let OpenVPN or SSTP traffic pass through it?

Re: Feature Request: Application Level Firewall

Posted: Fri Jun 03, 2016 5:48 pm
by ZeroByte
> This functionality would need to be added at some point in time to stay relevant on the market. The routers/firewalls from almost all the major players out there have had this app-level filtering functionality available in their products for quite some time.
>
> I agree you can block some of the stuff with ROS, but that's not what we are talking about here in the first place when I am requesting an app-level filtering functionality as a feature to be added into ROS. Let me know how you would block encrypted BitTorrent traffic with the current feature set of ROS? Or how would you allow port 443 traffic but only for HTTPS and not let OpenVPN or SSTP traffic pass through it?

I know what you're saying, and I know the difference between port filtering and application filtering.
You're right - ROS can't easily or effectively inspect protocols, especially encrypted ones.

I prefer purpose-built appliances for such things, I guess. Cheap SOHO gear that does this sort of thing has always left a bad taste in my mouth. Whenever we had a customer with weird VoIP problems, for instance, you could bet they were using a SonicWall, and you could also bet that the guy at the controls of the SonicWall didn't know what the heck he was doing and that the configuration was going to be a tangled, horrible configuration that would've made Rube Goldberg proud.

Re: Feature Request: Application Level Firewall

Posted: Thu Jun 09, 2016 4:50 pm
by mrz
You already can define your own signatures to filter application layer (layer 7):
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7
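As an added example (not code from the wiki page linked above or from anyone in this thread), the following Python script emulates what the RouterOS L7 matcher does with a user-defined signature: it joins the first packets of a connection, truncates at 2 KB and applies the regex case-insensitively. It runs two constructed signatures, a plain BitTorrent handshake and a TLS ClientHello (the rule names `bt-plain` and `tls-clienthello` are assumptions), over constructed payloads, and shows why the questions about encrypted BitTorrent and port 443 raised earlier in the thread stand: an MSE-obfuscated BitTorrent stream has no fixed bytes for a regex to find, and SSTP is carried in TLS, so a ClientHello signature accepts it exactly as it accepts HTTPS. OpenVPN over TCP does start differently, which is the one case a signature can separate.

```python
import re

# Added example, not code from the MikroTik wiki or from this thread.
# The RouterOS configuration it emulates (constructed; rule names are assumptions):
#
#   /ip firewall layer7-protocol
#   add name=bt-plain regexp="^\x13bittorrent protocol"
#   add name=tls-clienthello regexp="^\x16\x03[\x00-\x03]..\x01"
#   /ip firewall filter
#   add chain=forward layer7-protocol=bt-plain action=drop
#
# The L7 matcher only looks at the first 10 packets or the first 2 KB of a
# connection and matches case-insensitively; the emulation does the same.

MAX_PACKETS = 10
MAX_BYTES = 2048

L7_PROTOCOLS = {
    "bt-plain": rb"^\x13bittorrent protocol",
    "tls-clienthello": rb"^\x16\x03[\x00-\x03]..\x01",
}


def l7_match(name, packets):
    """True if L7 signature `name` matches a connection given as a list of
    payloads (bytes), collected the way the RouterOS matcher collects them."""
    data = b"".join(packets[:MAX_PACKETS])[:MAX_BYTES]
    return re.search(L7_PROTOCOLS[name], data, re.IGNORECASE | re.DOTALL) is not None


def classify(packets):
    """Names of all signatures that match this connection."""
    return [name for name in L7_PROTOCOLS if l7_match(name, packets)]


# --- constructed sample payloads -------------------------------------------

def plain_bt_handshake():
    # Plain BitTorrent handshake: pstrlen 19, "BitTorrent protocol", reserved
    # bytes, then a made-up info_hash and peer_id.
    return b"\x13BitTorrent protocol" + b"\x00" * 8 + b"H" * 20 + b"-PY0001-" + b"p" * 12


def obfuscated_bt_handshake():
    # Stand-in for an MSE/PE-encrypted BitTorrent stream: the real one opens with
    # a Diffie-Hellman public key and random padding, so there are no fixed bytes.
    return bytes((i * 131 + 17) % 256 for i in range(120))


def tls_client_hello():
    # Minimal TLS record (type 0x16) carrying a ClientHello (handshake type 0x01).
    # HTTPS and SSTP both begin this way, so the signature cannot tell them apart.
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def openvpn_tcp_reset():
    # Shape of the first OpenVPN-over-TCP packet: 2-byte length, opcode byte 0x38
    # (P_CONTROL_HARD_RESET_CLIENT_V2, key id 0), session id, empty ack array and
    # packet id. There is no TLS record header, so tls-clienthello does not fire.
    payload = b"\x38" + b"\x22" * 8 + b"\x00" + b"\x00\x00\x00\x00"
    return len(payload).to_bytes(2, "big") + payload


if __name__ == "__main__":
    samples = {
        "plain bittorrent": [plain_bt_handshake()],
        "split handshake": [b"\x13Bit", b"Torrent protocol" + b"\x00" * 8],
        "encrypted bittorrent": [obfuscated_bt_handshake()],
        "https or sstp": [tls_client_hello()],
        "openvpn tcp": [openvpn_tcp_reset()],
    }
    for label, pkts in samples.items():
        print(f"{label:22s} -> {classify(pkts) or 'no match'}")
```

The "split handshake" case is why the matcher collects packets instead of testing each one: the signature only fires once enough of the connection has been seen, which also means an L7 rule has to sit where it sees the connection from its first packet.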

Re: Feature Request: Application Level Firewall

Posted: Fri Jun 17, 2016 10:43 am
by bjohns
Enterprise Next Generation Firewalls (NGFW) can't do a lot about encryption either - even 'man-in-the-middle' decryption is now problematic with modern browsers and clients. They're resorting to extra-firewall intelligence - cloud based threat analysis and mitigation, DNS monitoring, traffic patterns, etc.

Therefore if I were to ask for a new security feature for RouterOS it would be some kind of cloud based database of known threats/malicious traffic that can be referenced by the routers firewall.