[secops] Initial problem statement

Mon Feb 20 22:18:33 PST 2023

I use wireguard at home on my pfsense, and linked to an AWS instance giving
me full access to my aws resources. I did read that wireguard is possible,
although someone mentioned not default.

I have previously used openvpn, and have found wireguard's setup,
configuration and client setups to be much easier. So once I switched to
wireguard I was sold over openvpn.

I don't have access to any Devices with RouterOS to research/test/verify.

On Mon, Feb 20, 2023 at 1:53 PM Doug Kingston <dpk at randomnotes.org> wrote:

> Is Wireguard only available on RouterOS 7+?  I don't see it as a command
> option on 6.x devices.
>
> -Doug-
>
> On Mon, Feb 20, 2023 at 12:02 PM Bart Kus <me at bartk.us> wrote:
>
>> Wireguard is also a recent popular option.  Someone also suggested
>> ZeroTier.  SO many choices.
>>
>> --Bart
>>
>> On 2/20/2023 11:33 AM, Doug Kingston wrote:
>>
>> There claims to be an OpenVPN client for Android available from the
>> Play Store.
>>
>> https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en_US&gl=US
>>
>> I have not tried this but can check it out to confirm viability and
>> process.
>>
>> There also appears to be iOS support.
>>
>> -Doug-
>>
>> On Mon, Feb 20, 2023 at 9:52 AM Bart Kus <me at bartk.us> wrote:
>>
>>> For lack of any other guidance, this sounds good to me.  I'm definitely
>>> not a security professional though, so it could be awful.  No idea how
>>> it'll work with phones in the field yet.
>>>
>>> I think we should tag both the public + mgmt networks, since an untagged
>>> network can always have tags inserted by users and gain access to the mgmt
>>> VLAN?
>>>
>>> I propose we use 10.44.0.0/16 for the mgmt space, with a VLAN number of
>>> 1044.  Each site can take a /24 from that /16.
>>>
>>> For sectors that carry public untagged, that must also for some reason
>>> carry mgmt, maybe they can macsec?  I dunno if we can do that on RouterOS.
>>>
>>> Also no idea how the VRF and any route leaking are gonna work.  They've
>>> been problematic on VyOS, and always tricky on RouterOS, but maybe that's
>>> just me holding them wrong.
>>>
>>> This may also be a good time to flip the cell sites to mostly bridge
>>> modems?  Our R1 CPUs aren't very strong though, so that may be a blocker.
>>>
>>> I'm about to install a switch at SnoDEM that should definitely not be on
>>> the Internet, so I guess the mgmt VLAN will start there.
>>>
>>> --Bart
>>>
>>> On 2/15/2023 11:33 PM, Doug Kingston wrote:
>>>
>>> I am guessing that we will want some form of overlay admin network
>>> potentially using VLANS and VPN access of some form?
>>> I have been working recently to get OpenVPN up and running with various
>>> client platforms to Mikrotik routers with some success.
>>>
>>> -Doug-
>>>
>>> On Sun, Feb 12, 2023 at 4:03 PM Bart Kus <me at bartk.us> wrote:
>>>
>>>> Hello,
>>>>
>>>> I'd like to kick off discussion about HamWAN security with a relatively
>>>> high level problem statement.
>>>>
>>>> We need to limit access to our control infrastructure (routers,
>>>> switches, modems, hypervisors, iLOs, etc) while still allowing easy
>>>> reliable access for amateur administrators to control that
>>>> infrastructure.  We also need to support the case of a person on a
>>>> tower
>>>> with a cell phone being able to easily login it to a modem to get
>>>> real-time signal readings for dish alignment.
>>>>
>>>> The current network is mostly a single flat OSPF routing domain.  We
>>>> have a couple peering points, and some IPsec tunnels.  Our routers are
>>>> mostly RouterOS flavor, which supports a pretty wide set of
>>>> capabilities.  We may want to look at switching the edge routers to
>>>> VyOS
>>>> though.
>>>>
>>>> What general high level design would be useful in keeping access easy,
>>>> while moving the control points out of public reach?
>>>>
>>>> --Bart
>>>>
>>>> _______________________________________________
>>>> SecOps mailing list
>>>> SecOps at hamwan.org
>>>> http://mail01.fmt.hamwan.net/mailman/listinfo/secops
>>>>
>>>
>>>
>> _______________________________________________
> SecOps mailing list
> SecOps at hamwan.org
> http://mail01.fmt.hamwan.net/mailman/listinfo/secops
>

-- 
Thanks,
Jamie Owens
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail01.fmt.hamwan.net/pipermail/secops/attachments/20230220/1f6585f0/attachment.html>