[secops] Initial problem statement
Doug Kingston
dpk at randomnotes.org
Mon Feb 20 22:33:16 PST 2023
Don't get me wrong, I have also heard good things about Wireguard as well,
but I believe we need something on the RouterOS end that is standard.
I don't see it in RouterOS 6.x. Perhaps we could put RouterOS 7 devices on
the periphery of our net, but it can really complicate managing isolated
devices.
-Doug-
On Mon, Feb 20, 2023 at 10:18 PM Jamie Owens <jlowens76 at gmail.com> wrote:
> I use wireguard at home on my pfsense, and linked to an AWS instance
> giving me full access to my aws resources. I did read that wireguard is
> possible, although someone mentioned it is not the default.
>
> I have previously used openvpn, and have found wireguard's setup,
> configuration and client setups to be much easier. So once I switched to
> wireguard I was sold over openvpn.
>
> I don't have access to any devices with RouterOS to research/test/verify.
>
>
>
> On Mon, Feb 20, 2023 at 1:53 PM Doug Kingston <dpk at randomnotes.org> wrote:
>
>> Is Wireguard only available on RouterOS 7+? I don't see it as a command
>> option on 6.x devices.
>>
>> -Doug-
>>
>> On Mon, Feb 20, 2023 at 12:02 PM Bart Kus <me at bartk.us> wrote:
>>
>>> Wireguard is also a recent popular option. Someone also suggested
>>> ZeroTier. SO many choices.
>>>
>>> --Bart
>>>
>>> On 2/20/2023 11:33 AM, Doug Kingston wrote:
>>>
>>> There appears to be an OpenVPN client for Android available from the
>>> Play Store.
>>>
>>> https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en_US&gl=US
>>>
>>> I have not tried this but can check it out to confirm viability and
>>> process.
>>>
>>> There also appears to be iOS support.
>>>
>>> -Doug-
>>>
>>> On Mon, Feb 20, 2023 at 9:52 AM Bart Kus <me at bartk.us> wrote:
>>>
>>>> For lack of any other guidance, this sounds good to me. I'm definitely
>>>> not a security professional though, so it could be awful. No idea how
>>>> it'll work with phones in the field yet.
>>>>
>>>> I think we should tag both the public + mgmt networks, since an
>>>> untagged network can always have tags inserted by users and gain access to
>>>> the mgmt VLAN?
>>>>
>>>> I propose we use 10.44.0.0/16 for the mgmt space, with a VLAN number
>>>> of 1044. Each site can take a /24 from that /16.
>>>>
>>>> For sectors that carry public untagged, that must also for some reason
>>>> carry mgmt, maybe they can MACsec? I dunno if we can do that on RouterOS.
>>>>
>>>> Also no idea how the VRF and any route leaking are gonna work. They've
>>>> been problematic on VyOS, and always tricky on RouterOS, but maybe that's
>>>> just me holding them wrong.
>>>>
>>>> This may also be a good time to flip the cell sites to mostly bridge
>>>> modems? Our R1 CPUs aren't very strong though, so that may be a blocker.
>>>>
>>>> I'm about to install a switch at SnoDEM that should definitely not be
>>>> on the Internet, so I guess the mgmt VLAN will start there.
>>>>
>>>> --Bart
>>>>
>>>> On 2/15/2023 11:33 PM, Doug Kingston wrote:
>>>>
>>>> I am guessing that we will want some form of overlay admin network,
>>>> potentially using VLANs and VPN access of some form?
>>>> I have been working recently to get OpenVPN up and running with various
>>>> client platforms to Mikrotik routers with some success.
>>>>
>>>> -Doug-
>>>>
>>>> On Sun, Feb 12, 2023 at 4:03 PM Bart Kus <me at bartk.us> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I'd like to kick off discussion about HamWAN security with a
>>>>> relatively high level problem statement.
>>>>>
>>>>> We need to limit access to our control infrastructure (routers,
>>>>> switches, modems, hypervisors, iLOs, etc) while still allowing easy,
>>>>> reliable access for amateur administrators to control that
>>>>> infrastructure. We also need to support the case of a person on a
>>>>> tower with a cell phone being able to easily log in to a modem to get
>>>>> real-time signal readings for dish alignment.
>>>>>
>>>>> The current network is mostly a single flat OSPF routing domain. We
>>>>> have a couple peering points, and some IPsec tunnels. Our routers are
>>>>> mostly RouterOS flavor, which supports a pretty wide set of
>>>>> capabilities. We may want to look at switching the edge routers to
>>>>> VyOS though.
>>>>>
>>>>> What general high level design would be useful in keeping access easy,
>>>>> while moving the control points out of public reach?
>>>>>
>>>>> --Bart
>>>>>
>>>>> _______________________________________________
>>>>> SecOps mailing list
>>>>> SecOps at hamwan.org
>>>>> http://mail01.fmt.hamwan.net/mailman/listinfo/secops
>>>>>
>>>>
>>>>
>>
>
>
> --
> Thanks,
> Jamie Owens
>
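Bart's proposal above (tag both the public and mgmt networks, mgmt VLAN 1044 carved from 10.44.0.0/16 with one /24 per site, management reachable only from that space) expressed as a RouterOS bridge VLAN filtering configuration. This is an added illustration, not a configuration from the list or from HamWAN; the interface roles (ether2 public access port, ether3 trunk), the public VLAN id 44, and the site number (site 1, so 10.44.1.0/24) are assumptions.

```routeros
# Added example (not HamWAN's config). Assumes: ether2 faces untagged public users,
# ether3 is the tagged trunk to other site gear, this is site 1 -> mgmt is 10.44.1.0/24.
# Bridge VLAN filtering needs the 6.41+ bridge implementation; filtering is switched
# on last so a half-built VLAN table cannot lock you out mid-configuration.
/interface bridge
add name=bridge1 vlan-filtering=no comment="enable vlan-filtering only after VLAN table is complete"

/interface bridge port
# Public port: only untagged (or priority-tagged) frames are admitted, so a user who
# inserts an 802.1Q tag of 1044 has the frame dropped at ingress instead of reaching mgmt.
add bridge=bridge1 interface=ether2 pvid=44 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Trunk: tagged frames only; both public (44) and mgmt (1044) ride it tagged.
add bridge=bridge1 interface=ether3 frame-types=admit-only-vlan-tagged ingress-filtering=yes

/interface bridge vlan
add bridge=bridge1 vlan-ids=44 tagged=ether3 untagged=ether2 comment="public (tagged on trunk)"
add bridge=bridge1 vlan-ids=1044 tagged=bridge1,ether3 comment="mgmt; bridge1 itself is a member so the router has an L3 presence"

# Router's own management address lives on a VLAN interface over the bridge.
/interface vlan
add name=mgmt interface=bridge1 vlan-id=1044
/ip address
add address=10.44.1.1/24 interface=mgmt

# Bind management services to the mgmt /16 and turn off the plaintext ones.
/ip service
set ssh address=10.44.0.0/16
set winbox address=10.44.0.0/16
set www-ssl address=10.44.0.0/16 disabled=no
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes

# Belt and braces: accept management into the router only from the mgmt VLAN.
# Place these after any existing "accept established,related" input rule.
/ip firewall filter
add chain=input in-interface=mgmt action=accept comment="admin access via mgmt VLAN"
add chain=input protocol=tcp dst-port=22,8291,443 action=drop comment="no management from the public side"

/interface bridge
set bridge1 vlan-filtering=yes
```

Repeat the `/interface bridge port` and `/interface bridge vlan` stanzas per site, changing only the third octet of the mgmt address; the sectors Bart mentions that must carry public untagged and mgmt on one link are exactly the ports where `admit-only-untagged-and-priority-tagged` cannot be used and a separate control (such as the MACsec he raises) would be needed.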