Suggestion: Simple security hardening method
Posted: Wed Sep 12, 2018 2:26 pm
Hi, I have been thinking about hardening options and would like to share my idea with you:
The default IP address of all RouterOS devices is 192.168.88.1, so if the options in /ip service were set to address 192.168.88.0/24, all users would change this to their own network, but not leave it at 0.0.0.0/0.
From my point of view, 0.0.0.0/0 is a big problem.
Of course, nothing prevents the user from changing this to 0.0.0.0/0, but that would be at the user's risk.
With this, new vulnerabilities could be contained or minimized.
This is a simple action that any user or administrator can do, but MikroTik could add this as the default setting.
Are there problems? Yes!
If the user changes the network address to 192.168.0.1 or any other that is not 192.168.88.X, access at Layer 3 will be closed and the router will only be accessible at Layer 2 with mac-telnet, WinBox with MAC...
Another option would be to set the address to the RFC1918 networks, so any access from private networks would be granted.
What do you think about this?
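
Added example (not part of the original post, and not MikroTik code): a Python check of the idea above that reads the `/ip service` section of a configuration export and reports, for each enabled service, whether its `address=` list is unrestricted, reaches outside RFC1918, or stays within private networks. The export text is a constructed sample, the function names are hypothetical, and a service with no `address=` value is assumed to be unrestricted.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the style of a RouterOS "/ip service" export.
SAMPLE_EXPORT = """\
/ip service
set telnet disabled=yes
set ftp address=0.0.0.0/0
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24,203.0.113.10
set api-ssl address=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
set winbox
/ip address
add address=192.168.88.1/24 interface=bridge
"""

def classify(address_field):
    """Return 'any', 'public' or 'private' for an address= value."""
    entries = [e for e in address_field.split(",") if e]
    if not entries:
        return "any"                      # assumption: empty list = no restriction
    verdict = "private"
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen == 0:
            return "any"                  # 0.0.0.0/0 or ::/0
        if not (net.version == 4 and any(net.subnet_of(r) for r in RFC1918)):
            verdict = "public"            # at least one prefix outside RFC1918
    return verdict

def audit(export_text):
    """Map each enabled service in the /ip service section to a verdict."""
    results, in_section = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = line == "/ip service"
        elif in_section and line.startswith("set "):
            name, *pairs = line[4:].split()
            opts = dict(p.split("=", 1) for p in pairs if "=" in p)
            if opts.get("disabled") != "yes":
                results[name] = classify(opts.get("address", ""))
    return results

if __name__ == "__main__":
    for service, verdict in audit(SAMPLE_EXPORT).items():
        print(f"{service:8} {verdict}")
```

Services reported as `any` or `public` are the ones the proposed default would tighten; the sketch does not handle export lines continued with a trailing backslash.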