detecting network virus using mikrotik
TRANSCRIPT
www.glcnetworks.com
Detecting network viruses using mikrotik
GLC webinar, 25 August 2016
Achmad Mardiansyah, GLC Networks, Indonesia
Agenda
● Introduction
● Computer viruses
● Monitoring the network with Mikrotik
● Demo
● Q & A
What is GLC?
● Garda Lintas Cakrawala (www.glcnetworks.com)
● An Indonesian company
● Located in Bandung
● Areas: Training, IT Consulting
● Mikrotik Certified Training Partner
● Mikrotik Certified Consultant
● Mikrotik distributor
Trainer Introduction
● Name: Achmad Mardiansyah
● Base: Bandung, Indonesia
● Linux user since '99
● Certified Trainer (MTCNA/RE/WE/UME/INE/TCE)
● Mikrotik Certified Consultant
● Work: Telco engineer, Sysadmin, PHP programmer, and Lecturer
● Personal website: http://achmad.glcnetworks.com
● More info: http://au.linkedin.com/in/achmadmardiansyah
Please introduce yourself
● Your name
● Your company/university?
● Your networking experience?
● Your Mikrotik experience?
● Your expectation from this course?
What is Mikrotik?
● Name of a company
● A brand
● A program (e.g. Mikrotik Academy)
● Headquarters: Riga, Latvia
What are Mikrotik products?
● RouterOS
    ○ The OS, specialized for networking
    ○ Website: www.mikrotik.com/download
● RouterBoard
    ○ The hardware
    ○ RouterOS installed
    ○ Website: www.routerboard.com
What can RouterOS do?
● Go to www.mikrotik.com
    ○ Download: what_is_routeros.pdf
    ○ Download: product catalog
    ○ Download: newsletter
What are Mikrotik training & certifications?
Certificate validity is 3 years
What are viruses, worms and Trojan horses?
Virus
● A self-replicating program. Viruses often require a host, and their goal is to infect other files so that the virus can live longer.
● Nothing to do with biological viruses!
Worms
● Worms are insidious because they rely less (or not at all) on human behaviour in order to spread themselves from one computer to others.
Trojan horses
● A Trojan horse is a program which pretends to be useful but performs some unwanted action.
Virus characteristic
● Very small size
● Versatile: available for many applications
● Propagation: able to infect other software and other computers
● Can cause catastrophic effects: data loss, slow processing, botnet membership
● Persistence: able to recur through replication
How a computer virus infects other software
Virus propagation
● Boot sector
● Non-resident
● Macro virus
● Via a hacked website (XSS - cross-site scripting)
Virus countermeasures on network
Virus identification
● Host based (antivirus software must be installed on the host)
    ○ Signature based
    ○ Heuristic
● Network based (analysing the traffic that flows through network devices)
    ○ Using a protocol analyser
    ○ IDS (intrusion detection system)
        ■ Signature based
        ■ Heuristics
        ■ Anomaly analytics
    ○ Devices:
        ■ Hub
        ■ Switch -> port mirroring
        ■ Router -> activate the sniffer feature
Virus countermeasures
Local host
● Install antivirus
● Use checksum software
Network devices
● Apply an IDS
● Set up firewall rules
On RouterOS...
● Limit the outgoing SYN rate for SMTP
● Drop/limit outgoing SMB/CIFS ports: 135-139, 445
● Identify source addresses that open a high number of connections -> put them in a src-address-list
● Apply limit / connection-limit
● Use tarpit / drop / reject
● Redirect the customer to a webpage
● Set up a whitelist
● Run torch
● Run the sniffer and stream the traffic to protocol analyser software
    ○ Snort
    ○ Sourcefire
    ○ Wireshark
    ○ etc.
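The RouterOS rule set below is an added worked example and is not part of the GLC slides or of any MikroTik documentation; it puts the bullet points above (SMB/CIFS blocking, SMTP SYN limiting, address-list detection, tarpit, customer redirect, whitelist, torch and the streaming sniffer) into one v6 configuration. The interface name ether2, the LAN 192.168.88.0/24, the mail relay 192.168.88.10, the notice-page server 192.168.88.250 and the analyst host 192.168.1.100 are assumptions for illustration and must be replaced with your own values; rule order matters, so the whitelist and quarantine rules come first.

```routeros
# Added example (not from the GLC slides). Assumed names/addresses:
#   ether2          = customer-facing interface
#   192.168.88.0/24 = customer LAN
#   192.168.88.10   = legitimate internal mail relay (whitelisted)
#   192.168.88.250  = local web server hosting the "your PC is infected" page
#   192.168.1.100   = analyst workstation running Wireshark / Snort

/ip firewall address-list
add list=smtp-whitelist address=192.168.88.10 comment="mail relay allowed unlimited SMTP"

/ip firewall filter
# Whitelisted relays bypass every SMTP check below.
add chain=forward protocol=tcp dst-port=25 src-address-list=smtp-whitelist \
    action=accept comment="whitelist: legitimate mail relays"

# Quarantine: hosts flagged as infected may only reach the notice page
# (dst-nat below rewrites their HTTP); everything else from them is dropped.
add chain=forward src-address-list=infected protocol=tcp dst-port=80 \
    action=accept comment="infected hosts: allow redirected HTTP only"
add chain=forward src-address-list=infected action=drop \
    comment="infected hosts: drop all other traffic"

# Worms spread over Windows file sharing; these ports never need to cross the router.
add chain=forward protocol=tcp dst-port=135-139,445 action=drop \
    comment="block SMB/CIFS worm propagation"
add chain=forward protocol=udp dst-port=135-139 action=drop \
    comment="block NetBIOS datagrams"

# Hosts already flagged as spammers get tarpitted: the SYN is answered but the
# connection is stalled, so the bot wastes its own resources instead of sending.
add chain=forward protocol=tcp dst-port=25 src-address-list=spammer \
    action=tarpit comment="tarpit flagged spammers"

# Detect spam bots: more than 20 concurrent SMTP connections from one /32
# source. add-src-to-address-list does not terminate processing.
add chain=forward protocol=tcp dst-port=25 connection-state=new \
    src-address=192.168.88.0/24 connection-limit=20,32 \
    action=add-src-to-address-list address-list=spammer \
    address-list-timeout=1d comment="detect SMTP flooders (1 day)"

# Outgoing SMTP SYN rate for everyone else: 10 new connections/s, burst 5.
add chain=forward protocol=tcp dst-port=25 connection-state=new \
    src-address=192.168.88.0/24 limit=10,5:packet action=accept \
    comment="SMTP SYN rate limit"
add chain=forward protocol=tcp dst-port=25 connection-state=new \
    src-address=192.168.88.0/24 action=drop comment="drop SMTP SYNs over the limit"

# Generic flooder detection for any protocol: a single LAN host holding more
# than 300 concurrent connections is flagged for an hour.
add chain=forward connection-state=new src-address=192.168.88.0/24 \
    connection-limit=300,32 action=add-src-to-address-list \
    address-list=infected address-list-timeout=1h \
    comment="flag hosts with >300 concurrent connections"

/ip firewall nat
# Send flagged customers' web browsing to the local notice page.
add chain=dstnat src-address-list=infected protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.250 to-ports=80 \
    comment="redirect infected customers to the notice page"

# Live view of the top talkers on the customer interface.
/tool torch interface=ether2 src-address=0.0.0.0/0 dst-address=0.0.0.0/0 port=any

# Stream a copy of the customer traffic (TZSP, UDP 37008) to the analyst host;
# Wireshark decodes TZSP directly, or feed it to Snort/Suricata.
/tool sniffer set streaming-enabled=yes streaming-server=192.168.1.100 \
    filter-interface=ether2 filter-stream=yes
/tool sniffer start
```

Check the result with `/ip firewall address-list print` (flagged hosts appear with their timeout) and `/ip firewall filter print stats` (packet counters show which rule is matching). Tune connection-limit and the SMTP rate to the size of your customer base before enabling the drop rules, or legitimate mail clients will be caught.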
Firewall limit, conn-limit, address-list, tarpit
End of slides
● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Like our Facebook page: "GLC networks"
● Stay tuned for our schedule