Transparent firewall

Posted: Wed Mar 22, 2017 12:24 pm
by KDmitrii
Hello Gentlemen!
Tell me please, can RouterOS work in transparent firewall mode? Such as Cisco ASA.

The scheme is as follows: ISP --> Mikrotik SW --> multiple servers.
The task is to defend my servers against DDoS or other intrusion from the outside.

Re: Transparent firewall

Posted: Wed Mar 22, 2017 2:05 pm
by okazdal
Hello,
You can have MikroTik work as a layer 3 stateful firewall. And I must add it is a very good stateful firewall. I have many customers who replaced their Cisco ASA with a CCR MikroTik router.

DDoS and intrusion prevention depend on the kind of attack. You have very good tools to fight against DDoS attacks. But when you think about it, if a DDoS attack arrived at your firewall, that means it was successful.

MikroTik does not work like an application layer firewall like Palo Alto.

Osman Kazdal

Re: Transparent firewall

Posted: Wed Mar 22, 2017 5:23 pm
by KDmitrii
Thank you very much Osman Kazdal!
Can you tell me more about the settings of your equipment? How did you solve the problem with DDoS? Can you show me the rule or instruction?
I have heard about Palo Alto, but unfortunately have not dealt with them.

Best Regards
Dmitrii

Re: Transparent firewall

Posted: Wed Mar 22, 2017 6:34 pm
by R1CH
A typical DDoS involves bandwidth exhaustion; you cannot defend against it without upstream filtering. By the time your firewall is inspecting the packets, your uplink is already saturated and useless.

Re: Transparent firewall

Posted: Wed Mar 22, 2017 8:06 pm
by soulflyhigh
R1CH wrote: "A typical DDoS involves bandwidth exhaustion; you cannot defend against it without upstream filtering. By the time your firewall is inspecting the packets, your uplink is already saturated and useless."

Yes, the attacker simply saturates your internet connection with gigabits/sec of "junk traffic" BEFORE your firewall can do anything really useful.
Ask your ISP if they can offer you some kind of DDoS protection as a paid service.

Regards,
M.

Re: Transparent firewall

Posted: Thu Mar 23, 2017 11:04 am
by okazdal
Hi again,
I would suggest you watch MUM presentations by Tom Smyth and Wardner Maia. Their presentations are a great start to give you pointers and ideas about what you should do against DDoS.
Below are the links to their presentations. I think you can also find videos.
https://mum.mikrotik.com//presentations/US12/tom.pdf
https://mum.mikrotik.com//presentations ... 752556.pdf

Osman Kazdal