In the last part of this chapter, you will learn how to secure access to the MikroTik switch. There are several things you can do to harden your MikroTik switch so that unauthorized users cannot access it. The hardening steps are as follows:
- Use a username other than admin with a new password, then delete the default admin user.
- Allow only certain IPs to log in to the switch. Those IPs should belong to the administrators. This can be done from here:
- Disable insecure services that a hacker may use to access your switch, such as Telnet and FTP.
- Update RouterOS to the latest version. MikroTik periodically releases newer versions that fix bugs and add new features, so it is highly recommended to upgrade your RouterOS to the latest stable version.
- Upgrade the RouterBOARD firmware to the latest version as follows:
- On RouterOS you can use MAC-Telnet, MAC-Winbox and MAC-Ping. That means you use Layer 2 addressing for Telnet, Winbox and ping. If you don't need them, you can disable them as follows:
- Neighbor discovery is another way a hacker can discover neighboring switches on the network. You can disable that option if you want.
- It is best to completely disable unused switch ports so that nobody can gain unauthorized access to your network just by plugging a UTP cable into one of the available ports.
- It is good practice to disable Bandwidth-test, because some hackers use this tool to launch a Denial of Service (DoS) attack. When BW-Test is running, the switch CPU reaches 100%, so the switch cannot forward frames correctly and ends up sending frames to all ports, which a hacker can take advantage of to capture network frames.
- Set the correct clock on the switch. You can use an NTP client. It is very important that the clock is correct, especially when you want to check the logs in case of a problem.
- Disable packages that your switch will not be using, such as Hotspot, IPv6, MPLS, PPP, Routing and Wireless. None of those packages is needed for switching.
- Use the Layer 2 firewall that is available on the switch when you want to filter Layer 2 traffic. This is a very important feature of MikroTik switches, so why not take advantage of it.
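
One way to check the fixed-value steps of this checklist against a switch's `/export` output, as an added example that is not part of the original chapter. The function names and the sample export are constructed, the menu paths and values in `CHECKS` are assumptions to confirm against your RouterOS version, and because a default export lists only non-default settings, a missing line is reported as not hardened.

```python
import shlex
# Constructed sample of `/export` output (not taken from a real device).
SAMPLE_EXPORT = """\
/ip neighbor discovery-settings
set discover-interface-list=none
/ip service
set telnet disabled=yes
set winbox address=192.0.2.0/24
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
"""

# (menu path, item or None, key, hardened value), one row per checklist step.
CHECKS = [
    ("/ip service", "telnet", "disabled", "yes"),
    ("/ip service", "ftp", "disabled", "yes"),
    ("/tool mac-server", None, "allowed-interface-list", "none"),
    ("/tool mac-server mac-winbox", None, "allowed-interface-list", "none"),
    ("/tool mac-server ping", None, "enabled", "no"),
    ("/ip neighbor discovery-settings", None, "discover-interface-list", "none"),
    ("/tool bandwidth-server", None, "enabled", "no"),
    ("/system ntp client", None, "enabled", "yes"),
]

def parse_export(text):
    """Return {(path, item): {key: value}} for every `set` line."""
    settings, path = {}, None
    for line in text.replace("\\\n", "").splitlines():  # join wrapped lines
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("set ") and path:
            words = shlex.split(line[4:])
            item = words[0] if words and "=" not in words[0] else None
            pairs = dict(w.split("=", 1) for w in words if "=" in w)
            settings.setdefault((path, item), {}).update(pairs)
    return settings

def audit(text):
    """Return the hardened settings that the export does not contain."""
    found = parse_export(text)
    return [" ".join(filter(None, (path, item, f"{key}={want}")))
            for path, item, key, want in CHECKS
            if found.get((path, item), {}).get(key) != want]

print("\n".join(audit(SAMPLE_EXPORT)))
```

The user account, the administrator IP allow-list and the unused ports are site-specific, so they are left to manual review.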
That is everything I wanted to show you on Layer 2 Security. See you in the upcoming chapter.