MikroTik Certified Switching Engineer (MTCSWE)
9 Security Features Explained

Key Concepts of Security Features

Security features in networking are essential to protect data, devices, and users from unauthorized access and malicious activities. Key concepts include:

Firewall

A firewall is a security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and untrusted external networks, such as the internet.

Example: A MikroTik router can be configured with a firewall to block all incoming traffic except for specific services like SSH and HTTPS. This ensures that only authorized traffic can access the internal network.

Access Control Lists (ACLs)

Access Control Lists (ACLs) are sets of rules that control network traffic and reduce network attacks by denying or allowing traffic based on source and destination addresses. ACLs can be applied to interfaces, VLANs, and other network elements.

Example: On a MikroTik switch, an ACL can be configured to allow traffic only from specific IP ranges and deny all other traffic. This helps in securing the network by limiting access to authorized users.

Port Security

Port Security is a feature that restricts the number of MAC addresses allowed on a switch port, preventing unauthorized devices from connecting. It also lets you configure the action taken on a security violation, such as shutting down the port or raising a MAC address violation alert.

Example: A MikroTik switch port can be configured with port security to allow only two MAC addresses. If a third device attempts to connect, the port will be shut down, preventing unauthorized access.
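The two-MAC limit and the two violation actions described above, modeled as an added example (not code from the course or from MikroTik). The class `SecurePort`, the port name `ether5` and the MAC addresses are constructed for illustration; the model assumes a shut-down port stays down until it is re-enabled.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Toy model of one access port with a MAC limit (not RouterOS/SwOS code)."""
    name: str
    max_macs: int = 2
    violation: str = "shutdown"          # "shutdown" or "alert"
    learned: set = field(default_factory=set)
    enabled: bool = True
    alerts: list = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame with this source MAC is forwarded."""
        mac = src_mac.lower()
        if not self.enabled:
            return False                  # port is shut down: nothing passes
        if mac in self.learned:
            return True
        if len(self.learned) < self.max_macs:
            self.learned.add(mac)         # still room: learn and forward
            return True
        self.alerts.append((self.name, mac))
        if self.violation == "shutdown":
            self.enabled = False          # down until re-enabled (model assumption)
        return False

def port_security_demo(violation: str):
    """Constructed frames: two known hosts, a third MAC, then host 1 again."""
    port = SecurePort("ether5", max_macs=2, violation=violation)
    frames = ["AA:AA:AA:00:00:01", "aa:aa:aa:00:00:02",
              "cc:cc:cc:00:00:03", "aa:aa:aa:00:00:01"]
    return [port.receive(m) for m in frames], port.enabled, port.alerts
```

With `shutdown`, the last frame from an already-learned host is also dropped, which is the availability cost of that action; with `alert`, only the third MAC is refused.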

802.1X Authentication

802.1X is a network access control standard that provides authentication for devices connecting to a network. It uses an authentication server, such as a RADIUS server, to verify the identity of devices before granting network access.

Example: In a corporate network, MikroTik switches can be configured to use 802.1X authentication. When a user connects to the network, they must authenticate using their credentials, ensuring that only authorized users can access the network.

VLAN Security

VLAN Security involves techniques to secure Virtual LANs by isolating traffic and controlling access. This includes configuring VLANs to prevent unauthorized access and using VLAN Trunking Protocol (VTP) pruning to limit the spread of VLAN information.

Example: A MikroTik switch can be configured with multiple VLANs, each assigned to different departments. Access to these VLANs can be restricted using ACLs, ensuring that only authorized users can access specific VLANs.

DHCP Snooping

DHCP Snooping is a security feature that filters and monitors DHCP traffic to prevent unauthorized DHCP servers from operating on the network. It builds a DHCP snooping binding database that contains information about the devices and their IP addresses.

Example: On a MikroTik switch, DHCP snooping can be enabled to monitor DHCP traffic. If an unauthorized DHCP server is detected, it can be blocked, preventing it from assigning IP addresses to devices on the network.

ARP Inspection

ARP Inspection is a security feature that validates ARP packets in a network to prevent ARP spoofing attacks. It uses the DHCP snooping binding database to verify the authenticity of ARP requests and responses.

Example: A MikroTik switch can be configured with ARP inspection to monitor ARP traffic. If an ARP packet is detected that does not match the DHCP snooping binding database, it can be dropped, preventing ARP spoofing attacks.

IP Source Guard

IP Source Guard is a security feature that filters IP traffic based on the DHCP snooping binding database to prevent IP address spoofing. It ensures that only authorized devices can use specific IP addresses on the network.

Example: On a MikroTik switch, IP Source Guard can be configured to filter IP traffic. If a device attempts to use an IP address that is not in the DHCP snooping binding database, the traffic can be blocked, preventing IP address spoofing.
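DHCP Snooping, ARP Inspection and IP Source Guard all depend on the same binding database, so the following added example (not code from the course or from MikroTik) models all three in one toy switch. The class `SnoopingSwitch`, the port names, VLAN 10 and all addresses are constructed for illustration.

```python
SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # DHCP message types only a server sends
class SnoopingSwitch:
    """Toy model of one switch; names are illustrative, not a MikroTik API."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # client MAC -> (port, vlan) seen in its REQUEST
        self.bindings = {}   # (vlan, ip) -> (mac, port): the binding database
        self.drops = []      # (reason, port) for every refused frame

    def _drop(self, reason, port):
        self.drops.append((reason, port))
        return False

    def dhcp(self, port, vlan, msg, client_mac, your_ip=None):
        """DHCP snooping: return True if the DHCP message is forwarded."""
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return self._drop("rogue-dhcp-server", port)
            if msg == "ACK" and client_mac in self.pending:
                cport, cvlan = self.pending.pop(client_mac)
                self.bindings[(cvlan, your_ip)] = (client_mac, cport)
            return True
        if msg == "REQUEST":
            self.pending[client_mac] = (port, vlan)
        return True

    def _bound(self, port, vlan, mac, ip):
        return port in self.trusted or self.bindings.get((vlan, ip)) == (mac, port)

    def arp(self, port, vlan, sender_mac, sender_ip):
        """ARP inspection: the ARP payload's sender MAC/IP must match a binding."""
        return self._bound(port, vlan, sender_mac, sender_ip) or self._drop("arp-spoof", port)

    def ip(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: a data packet's source MAC/IP must match a binding."""
        return self._bound(port, vlan, src_mac, src_ip) or self._drop("ip-spoof", port)

def snooping_demo():
    """Constructed traffic: DHCP server behind 'uplink', hosts on ether2 and ether3."""
    sw = SnoopingSwitch(trusted_ports={"uplink"})
    a, b = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"
    return [
        sw.dhcp("ether2", 10, "REQUEST", a),              # client asks for a lease
        sw.dhcp("ether3", 10, "OFFER", a, "192.0.2.99"),  # server reply on access port
        sw.dhcp("uplink", 10, "ACK", a, "192.0.2.10"),    # real lease creates binding
        sw.arp("ether2", 10, a, "192.0.2.10"),            # matches the binding
        sw.arp("ether3", 10, b, "192.0.2.1"),             # no binding for this pair
        sw.ip("ether3", 10, b, "192.0.2.10"),             # address bound to another host
    ], sw.drops
```

A host with a static address never sends a DHCP REQUEST, so it has no binding; in this model its ARP and IP traffic is dropped unless its port is trusted or a binding is added by hand.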

SSL/TLS

SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), are protocols that provide secure communication over a computer network. They are often used for encrypting data between devices, such as web browsers and servers.

Example: A MikroTik router can be configured to use SSL/TLS for secure communication with remote management tools. This ensures that all data transmitted between the router and the management tool is encrypted and secure.