
feature request - https for webui

Posted: Fri Jul 24, 2020 2:34 pm
by hansdampf
Dear MikroTik team,

I recently bought a MikroTik CRS317-1G-16S+RM and I am very happy with the device. Because Router OS was a little overwhelming I switched to SwOS, which is great. The only thing I am missing is https for the webui. Is there a possibility that you port this feature from Router OS to Switch OS? As far as I understood, Router OS has this feature.

Thanks in advance

hansdampf :-)

Re: feature request - https for webui

Posted: Fri Jul 24, 2020 9:11 pm
by mkx
Not trying to downplay your request, but: what is your use case where plain http isn't good enough?

Re: feature request - https for webui

Posted: Fri Jul 24, 2020 9:23 pm
by Paternot
Not trying to downplay your request, but: what is your use case where plain http isn't good enough?
It is quite reasonable to want this feature. I don't need it - my switches (and the networks) are all under my physical control. But you can't always have this. If the switch he manages is behind a single third-party router, he already needs HTTPS.

Or a CRS and VPN - but this is RoS only, and we are talking SwOS.

Re: feature request - https for webui

Posted: Fri Jul 24, 2020 10:32 pm
by hansdampf
Not trying to downplay your request, but: what is your use case where plain http isn't good enough?
Dear mkx,

thank you for your question. I am not requesting this because http isn't good enough. Besides the fact that most browsers complain about plain authentication via http, it is because of security considerations. If a computer in my network were to get compromised, I want as few attack vectors as possible. All my web applications are served via https. Logins to servers are all secured via ssh. LDAP login is also secured via ldaps, and so on... So it would be great to have this feature.

Thanks for supporting my request.

Re: feature request - https for webui

Posted: Tue Aug 04, 2020 4:39 pm
by killersoft
Why not SSH to the unit (better than web based config)?
You could go back to RouterOS(The switch menu is there, if you need pure wire-speed config ) and use Winbox or SSH for secure logging in.
RouterOS supports HTTPS too.
https://wiki.mikrotik.com/wiki/Manual:W ... ling_HTTPS

Re: feature request - https for webui

Posted: Tue Aug 04, 2020 7:31 pm
by Paternot
Why not SSH to the unit (better than web based config)?
Because not all units can run RoS. The CRS can - the CSS no. I have two CSS326, and they can't run RoS. There is a version that can - the CRS326.

Re: feature request - https for webui

Posted: Wed Sep 15, 2021 7:16 pm
by jjoelc
Not trying to downplay your request, but: what is your use case where plain http isn't good enough?
The same use case where telnet isn't good enough.

Quite simply, having any kind of credentials, or any kind of config info being passed around the network unencrypted is a non-starter. I'm a big fan of Mikrotik routers, and use them quite regularly when appropriate. But the lack of any secure method of configuration is literally the reason I have never looked at the switches outside of a lab setting. Auditors would tear me a new one for allowing that on the network, and rightfully so. I can't even install these at car dealerships (and if any of you have done work for car dealers, you know what a low bar that is!)

No matter what features or what price point (and Mikrotik is good-to-great in both those categories, generally) no https or SSH means no sale. Sorry.

(That said, I *have* been very impressed with the progress made in the switching since Mikrotik released their first few dedicated switches. Those first few were pretty rough around the edges, software- and feature-wise. So great work on that part. I just don't understand how a secure channel for any kind of configuration isn't the default these days, much less not even an option.)

Re: feature request - https for webui

Posted: Wed Sep 15, 2021 7:39 pm
by rextended
The switch already supports SSH and HTTPS on RouterOS; simply use the already included RouterOS instead of SwOS...

Re: feature request - https for webui

Posted: Thu Sep 16, 2021 8:05 am
by k6ccc
As has been already stated in this thread - RouterOS can NOT be used on CSS devices.

Re: feature request - https for webui

Posted: Thu Sep 16, 2021 5:56 pm
by rextended
@Paternot is not the OP, and the OP does not have a CSS but a CRS317-1G-16S+RM

Re: feature request - https for webui

Posted: Thu Sep 16, 2021 6:03 pm
by k6ccc
No he is not the OP, but the thread is still valid. SwitchOS does not support any form of secure connectivity - AND IT SHOULD!

Re: feature request - https for webui

Posted: Tue Sep 21, 2021 12:19 pm
by lawe
I would also like to have this feature in SwOS. That should be common standard nowadays.

Re: feature request - https for webui

Posted: Tue Oct 26, 2021 3:18 am
by invsblduck
Definitely shocking to login via HTTP basic auth. Just unboxed my CSS610 and can't believe it. If it were opensource, the community would have already added basic TLS support to the web server because otherwise the software can't really be taken seriously, IMO. Which is crazy because the overall product seems like such a feat of advanced programming and electrical engineering. But hey, the price is right. :mrgreen:

( Are the CPU and RAM in the CSS610 too limited to accommodate TLS termination, or similar? )

Re: feature request - https for webui

Posted: Thu Oct 28, 2021 5:58 pm
by rextended
You're just fooled by cryptography. Look for Zuchongzhi 2.1 and Jiuzhang 2.0: nothing is secure now, devices 10 million times faster than traditional "supercomputers" can decrypt anything in some minutes or seconds, or less...

Re: feature request - https for webui

Posted: Thu Oct 28, 2021 7:19 pm
by invsblduck
You're just fooled by cryptography

By this logic, you don't believe in putting locks on doors or windows because there are big enough tools in the world to defeat these common protections. So, I wonder: Does rextended lock his doors when he leaves home? Don't be a hypocrite, now...tell the truth. :lol:

I'm well acquainted with the long history and nature of cryptanalysis, as well as the fallacy of putting a "huge padlock on a small and rickety fence." I'm not dealing with savvy targeted attackers -- especially not state-level ones with access to resources like those of your imagination -- so I'd want TLS like any reasonable person who locks their doors at night. Security in layers is good. :) Thanks.

Re: feature request - https for webui

Posted: Thu Oct 28, 2021 7:31 pm
by mkx
For starters I wouldn't expose a simple managed switch (like CSS) to the internet at large. If one cannot trust their LAN, then most (if not all) managed switches support a "management VLAN". It's up to the router/firewall to filter access to the management VLAN at large. And if paranoid enough, the management workstation is not hosted outside the management VLAN ... and communications between the management VLAN and the rest of the universe (LANs included) are severely limited (if not outright blocked).

So if one is really paranoid, encryption is not even needed. :wink:

Re: feature request - https for webui

Posted: Thu Oct 28, 2021 8:08 pm
by rextended
By this logic, you don't believe in putting locks on doors or windows because there are big enough tools in the world to defeat these common protections. So, I wonder: Does rextended lock his doors when he leaves home? Don't be a hypocrite, now...tell the truth. :lol:

I'm well acquainted with the long history and nature of cryptanalysis, as well as the fallacy of putting a "huge padlock on a small and rickety fence." I'm not dealing with savvy targeted attackers -- especially not state-level ones with access to resources like those of your imagination -- so I'd want TLS like any reasonable person who locks their doors at night. Security in layers is good. :) Thanks.
I have learned how to open "standard" doors or padlocks from some videos on YouTube...
I have chosen not to buy any "secure" lock because... the nicer the box, the more interest goes in...
I simply do not leave anything of reasonable value inside the house when I go away...

A "simple switch" where you can't put in any password or username is completely useless...
There is no effort in entering a "useless" switch...

Speaking of the "digital world", I prefer to hide the keyhole rather than have a big padlock, and I never treat a TLS connection as a secure one, even if it reasonably is.

Re: feature request - https for webui

Posted: Thu Oct 28, 2021 9:32 pm
by invsblduck
I understand both points above -- they are logical. And it's not worth debating every possibility of every topology in every environment (e.g., lab vs. prod) against the comfort levels of every different person.

However, I do think it's worth pointing out that when systems are deployed professionally in the industry, there is no defensible case to be made ever that sending secrets in plain text is acceptable. You just won't see it. The world mostly stopped using telnet and rlogin a long time ago, even in switched networks that use microsegmentation to unicast ethernet frames, because it's just common protection against common/unsophisticated thieves. Just like locks on windows. Even if the cipher is flawed, even if the secret is stored in memory in plain text somewhere by a running process, even if the system architecture is flawed, etc. (i.e., any stupid old avenue that presents a risk in overall protection of the secret), you will never hear an expert approve transmission of secrets in plain text in the 21st century, even within a mgmt VLAN. That is just not really up for discussion at this point in the game.

(I don't know that any U.S. enterprise is running an ecommerce platform on a CSS610 in production, but the world is a pretty crazy place...so, what do I know. :-))

Nothing is really secure, but that doesn't mean we stop manufacturing cars with door locks just because glass windows defeat the purpose of security -- it's a common feature & expectation in this day and age, and it would be a red flag for any manufacturer to say, "Nah, we don't believe in that...it's pointless and everything is futile." (Hence my original question about hardware or cost/benefit in this product line, trying to understand the actual reason from the company.. Not sure if you guys are employees or owners.)

Re: feature request - https for webui

Posted: Mon Mar 06, 2023 10:09 am
by Paradox
The switch already supports SSH and HTTPS on RouterOS; simply use the already included RouterOS instead of SwOS...
Funny advice... IMHO SwOS is much simpler and setup is faster for some use cases.

Re: feature request - https for webui

Posted: Mon Mar 06, 2023 10:31 am
by Paradox
I don't need it - my switches (and the networks) are all under my physical control.
As long as there is no intruder in your network.
Yes, I'm also doing stuff like this, but it's not good security practice anymore: look for Zero Trust.

Re: feature request - https for webui

Posted: Mon Mar 06, 2023 6:26 pm
by rextended
User is referring to http.
And who would be this intruder between the computer, and the router connected directly with a network cable?

Malware on your computer also renders https useless.

Your comments to this resurrected thread add nothing new.

Re: feature request - https for webui

Posted: Mon Mar 06, 2023 7:09 pm
by Amm0
Maybe this has changed. I recall SwOS doesn't even have a default gateway either. So that limits both the scope of an attack, AND its usefulness, e.g. it's only manageable locally (or via some NAT). E.g. I recall not being able to use it from different subnets – so the HTTP can't get very far.

Now if they support a default gateway nowadays, then HTTP allows anyone who can use Wireshark in an organization to obtain the password. If you're a one-man shop this isn't a big deal, but in any medium/large organization there is likely policy/RFPs/etc requiring HTTPS.
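
A monitoring check for the point Amm0 makes (and the one BrianHiggins's PCI audit later tests): if the management web UI uses HTTP Basic authentication over plain HTTP, the credentials are visible to any passive observer on the path. The script below is an added example for this thread, not SwOS code or a MikroTik tool. It runs a detection over a few constructed HTTP request headers (the kind a passive sensor on a management VLAN would log), flags every request carrying Basic credentials in the clear, and reports only the username and the password length so the finding itself does not copy the secret into a log. Host names, addresses and the `admin:hunter2` credential are all made up for the example.

```python
"""Flag cleartext HTTP Basic-auth logins in captured request headers (added example)."""
import base64
import binascii

# Constructed sample requests, as a passive sensor on the management VLAN might
# record them: (client_ip, dst_port, raw request headers). Not real captures.
SAMPLE_REQUESTS = [
    ("10.0.0.5", 80,
     "GET /index.html HTTP/1.1\r\nHost: switch.example\r\n"
     "Authorization: Basic " + base64.b64encode(b"admin:hunter2").decode() + "\r\n\r\n"),
    ("10.0.0.9", 80,
     "GET / HTTP/1.1\r\nHost: switch.example\r\n\r\n"),
    ("10.0.0.7", 80,
     "GET /api HTTP/1.1\r\nHost: switch.example\r\n"
     "Authorization: Basic not*base64\r\n\r\n"),
]


def parse_headers(raw):
    """Split a raw HTTP request into (request_line, {header_name_lower: value})."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def find_cleartext_basic_auth(requests):
    """Return one finding per request that carries HTTP Basic credentials.

    Headers that are readable at all were sent without TLS, so every Basic
    token seen here is a cleartext login. The finding records the client,
    the host, the username and the password length, never the password.
    """
    findings = []
    for client, port, raw in requests:
        request_line, headers = parse_headers(raw)
        auth = headers.get("authorization")
        if not auth:
            continue
        scheme, _, token = auth.partition(" ")
        if scheme.lower() != "basic":
            continue  # other schemes are out of scope for this check
        finding = {"client": client, "port": port,
                   "host": headers.get("host", "?"), "request": request_line}
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
            user, _, password = decoded.partition(":")
            finding.update(user=user, password_len=len(password))
        except (binascii.Error, ValueError):
            # Malformed token: still worth a ticket, the client tried to log in over HTTP
            finding.update(user=None, password_len=None, note="undecodable Basic token")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_cleartext_basic_auth(SAMPLE_REQUESTS):
        print("cleartext Basic auth from {client} to {host}: user={user!r} pw_len={password_len}".format(**f))
```

The same check applied to real sensor output would need a capture parser in front of it; the logic of "readable Authorization header, Basic scheme, decode, redact" is unchanged.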

Re: feature request - https for webui

Posted: Tue Mar 07, 2023 9:08 am
by Paradox
And who would be this intruder between the computer, and the router connected directly with a network cable?
Apparently it's called a network, because I always have direct connections between computer and switch :roll: :-P

Re: feature request - https for webui

Posted: Tue Mar 07, 2023 10:09 am
by rextended
And who would be this intruder between the computer, and the router connected directly with a network cable?
Apparently it's called a network, because I always have direct connections between computer and switch :roll: :-P
:?:

Is it difficult to understand the concept of "directly connected"? Or should it be supplemented with dozens of useless examples and frills?
No need to climb mirrors.

(P.S.: By router I mean RouterBOARD, a generic hardware produced by MikroTik regardless of the specific model name.)

Re: feature request - https for webui

Posted: Thu Mar 09, 2023 8:35 am
by invsblduck
Seeing how you use the networking term "router" (which connects separate networks) to mean RouterBOARD: Yes, examples would be in order to convey basic concepts and communicate effectively, yet you aren't interested in being reasoned with and you've won your game of killing the thread.

Re: feature request - https for webui

Posted: Sun May 07, 2023 11:28 pm
by barkas
It's probably useless to argue this. If you can't see it yourself, I can't make you.

Obviously any use of login credentials regardless of the network topology it is used in must always be encrypted.

Re: feature request - https for webui

Posted: Mon May 08, 2023 10:57 pm
by BrianHiggins
FYI, I very recently participated in a PCI compliance audit for someone, and in order for their business to continue to process customer credit cards, all web managed network devices on their LAN, like switches, are required to restrict web management to HTTPS only (and any use of telnet to manage a device is strictly prohibited). Plain text logins are now considered a compliance failure no matter what protocol they use, even over your own LAN.

Re: feature request - https for webui

Posted: Mon May 08, 2023 11:10 pm
by k6ccc
FYI, I very recently participated in a PCI compliance audit for someone, and in order for their business to continue to process customer credit cards, all web managed network devices on their LAN, like switches, are required to restrict web management to HTTPS only (and any use of telnet to manage a device is strictly prohibited). Plain text logins are now considered a compliance failure no matter what protocol they use, even over your own LAN.
Good point!
I have been required to go through the PCI training (even though my job has nothing to do it) for several years. Non-encrypted webFig for RouterOS would also be affected. At least with RouterOS, we have a choice.

Listen up Mikrotik! We need HTTPS for SwitchOS...

Re: feature request - https for webui

Posted: Fri Jun 02, 2023 8:36 pm
by t04s
Landed here because I too was surprised SwOS doesn't have HTTPS support. Using a CRS-328.

Also surprising to read some of the views that hand-wave away the security implications. I wouldn't expect anyone serious about security to take such a position, and as a vendor of networking equipment I would imagine security to be one of the top priorities.

As has been stated, security in depth generally is the best approach to infosec. Most organisations are likely to expect authentication and data confidentiality on their networks. And sure, one can have expectations and assumptions of what is or should be secure, but breaches happen which is why we generally layer defenses, and reduce attack surface. This is ripe for MITM attacks or to encourage bad practice like not validating/checking the connection similar to those that regularly click through TLS warnings for self-signed certs.

For any org that needs to meet PCI compliance, has data protection requirements, has a respectable security policy, or does any kind of pen testing/threat modelling - this sort of thing isn't going to cut it and this one is a low bar to hit.

Recommendations to just use ROS instead are also unhelpful. That's not the point of the OP - it's specifically about HTTPS support in SwOS. Customers are entitled to have their own reasons for using it and there should be a reasonable expectation to be able to use it securely. But still it's a good point, because the fact ROS supports HTTPS is an implicit acknowledgement by Mikrotik that it's a requirement to have sufficient security guarantees, or else it wouldn't be included there either.

Thanks,
t04s

Re: feature request - https for webui

Posted: Mon Jun 05, 2023 8:36 pm
by tdw
SwOS does not have much functionality. To support HTTPS it would need crypto, time, a filesystem, a mechanism to upload certificates, etc. I expect that a 'RouterOS lite' which has enough functionality would be easier than trying to retrofit SwOS.

And make sure you keep any downloaded configuration files secure - the password is an easily read hex representation of the ASCII string.

Re: feature request - https for webui

Posted: Sun Mar 17, 2024 12:48 pm
by chiel1212
+1 for https support in swos

I manage a decent amount of swos devices. Not enough that I need to start looking for something that can be centrally managed (TR-069).

routeros has too many features for us.

Re: feature request - https for webui

Posted: Mon Mar 18, 2024 10:23 pm
by marekm
HTTPS is not easy to implement on the small microcontroller that's probably inside the SwOS devices (except those capable of SwOS/RouterOS dual-boot). But why the password isn't hashed I really don't understand. UNIX V7, released in 1979, already had the crypt() function based on DES. While it's not considered very strong anymore, it's still better than nothing, good enough against most script-kiddies. If it was possible on "big computers" of 45 years ago, it should also be possible to implement on a small microcontroller today.
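
An added example illustrating two points in this thread: tdw's warning that the password in a downloaded SwOS configuration is "an easily read hex representation of the ASCII string", and marekm's point that a one-way hash, even an old one like crypt(), would be better. This is example code written for the thread, not SwOS code and not a description of SwOS's real file format beyond what tdw states; the `pbkdf2_sha256$...` storage string is a constructed format. It uses PBKDF2 from Python's standard library as the modern stand-in for marekm's crypt() (the `crypt` module is deprecated), and includes a small checker a practitioner could run over exported config values to spot ones that are merely hex-encoded.

```python
"""Reversible hex encoding versus a salted one-way password hash (added example)."""
import binascii
import hashlib
import hmac
import os
import string


def hex_encode(password):
    """Reversible encoding of the kind tdw describes: anyone who can read the
    exported file can undo it, so it offers no protection at all."""
    return binascii.hexlify(password.encode()).decode()


def hex_decode(encoded):
    return binascii.unhexlify(encoded).decode()


def recoverable_from_hex(value):
    """Checker for exported config values: return the plaintext if `value` is
    hex that decodes to printable ASCII (i.e. a reversibly stored secret),
    otherwise None. Random salt or digest bytes almost never pass this test."""
    try:
        decoded = binascii.unhexlify(value).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded and all(c in string.printable for c in decoded) else None


def hash_password(password, salt=None, iterations=600_000):
    """Salted, iterated one-way hash. Storage format (constructed for this
    example): pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    if salt is None:
        salt = os.urandom(16)  # fresh salt per password: equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    pw = "s3cret!"  # constructed sample password
    print("hex-encoded:", hex_encode(pw), "-> recoverable:", recoverable_from_hex(hex_encode(pw)))
    stored = hash_password(pw)
    print("hashed:     ", stored)
    print("verify correct:", verify_password(pw, stored), "wrong:", verify_password("s3cret?", stored))
```

The hash string is as easy to copy out of a backup file as the hex string is, but it only lets a verifier confirm a guess; recovering the password means trying candidates one at a time against the salt and the iteration count, which is the property marekm is asking for.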