[secops] Initial problem statement

Mon Feb 20 13:52:29 PST 2023

Is Wireguard only available on RouterOS 7+?  I don't see it as a command
option on 6.x devices.

-Doug-

On Mon, Feb 20, 2023 at 12:02 PM Bart Kus <me at bartk.us> wrote:

> Wireguard is also a recent popular option.  Someone also suggested
> ZeroTier.  SO many choices.
>
> --Bart
>
> On 2/20/2023 11:33 AM, Doug Kingston wrote:
>
> There claims to be an OpenVPN client for Android available from the
> Play Store.
>
> https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en_US&gl=US
>
> I have not tried this but can check it out to confirm viability and
> process.
>
> There also appears to be iOS support.
>
> -Doug-
>
> On Mon, Feb 20, 2023 at 9:52 AM Bart Kus <me at bartk.us> wrote:
>
>> For lack of any other guidance, this sounds good to me.  I'm definitely
>> not a security professional though, so it could be awful.  No idea how
>> it'll work with phones in the field yet.
>>
>> I think we should tag both the public + mgmt networks, since an untagged
>> network can always have tags inserted by users and gain access to the mgmt
>> VLAN?
>>
>> I propose we use 10.44.0.0/16 for the mgmt space, with a VLAN number of
>> 1044.  Each site can take a /24 from that /16.
>>
>> For sectors that carry public untagged, that must also for some reason
>> carry mgmt, maybe they can macsec?  I dunno if we can do that on RouterOS.
>>
>> Also no idea how the VRF and any route leaking are gonna work.  They've
>> been problematic on VyOS, and always tricky on RouterOS, but maybe that's
>> just me holding them wrong.
>>
>> This may also be a good time to flip the cell sites to mostly bridge
>> modems?  Our R1 CPUs aren't very strong though, so that may be a blocker.
>>
>> I'm about to install a switch at SnoDEM that should definitely not be on
>> the Internet, so I guess the mgmt VLAN will start there.
>>
>> --Bart
>>
>> On 2/15/2023 11:33 PM, Doug Kingston wrote:
>>
>> I am guessing that we will want some form of overlay admin network
>> potentially using VLANS and VPN access of some form?
>> I have been working recently to get OpenVPN up and running with various
>> client platforms to Mikrotik routers with some success.
>>
>> -Doug-
>>
>> On Sun, Feb 12, 2023 at 4:03 PM Bart Kus <me at bartk.us> wrote:
>>
>>> Hello,
>>>
>>> I'd like to kick off discussion about HamWAN security with a relatively
>>> high level problem statement.
>>>
>>> We need to limit access to our control infrastructure (routers,
>>> switches, modems, hypervisors, iLOs, etc) while still allowing easy
>>> reliable access for amateur administrators to control that
>>> infrastructure.  We also need to support the case of a person on a tower
>>> with a cell phone being able to easily login it to a modem to get
>>> real-time signal readings for dish alignment.
>>>
>>> The current network is mostly a single flat OSPF routing domain.  We
>>> have a couple peering points, and some IPsec tunnels.  Our routers are
>>> mostly RouterOS flavor, which supports a pretty wide set of
>>> capabilities.  We may want to look at switching the edge routers to VyOS
>>> though.
>>>
>>> What general high level design would be useful in keeping access easy,
>>> while moving the control points out of public reach?
>>>
>>> --Bart
>>>
>>> _______________________________________________
>>> SecOps mailing list
>>> SecOps at hamwan.org
>>> http://mail01.fmt.hamwan.net/mailman/listinfo/secops
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail01.fmt.hamwan.net/pipermail/secops/attachments/20230220/fa21a759/attachment.html>