MikroTik RouterOS on a dedicated intermediary. Now, this is another problem that we've seen again with MikroTik and the way that they implemented Winbox. Now, a lot of people like MikroTik, I know because I get so many messages about them, and I think they like them because they're inexpensive and, admittedly true, they do have a lot of features. The downside, and why I'm so careful about any firewall choice I make, whether it be a commercial one or an open source one such as pfSense, is you have to keep an eye on security patches, security updates. Good news is they did patch this rather quick. That's the good news. The bad news is that it happened at all. I know someone's gonna point out that there have been flaws in their products and things like that, but that's also why I wanted to talk about this as a learning lesson in the way you configure things.

So the good news is, if you have one of these MikroTiks and you don't have the Winbox 8192 port exposed on the WAN side, this is much less of a risk. If you did, stop watching this video and go patch your MikroTik. This is a very serious flaw in the system because it allows people to probe things behind the firewall, basically negating the firewall itself.

So the kind of problem we have with firewalls in general is remote administration. So how should you be remotely administering them? Ideally, and one of the methods we do is, we have access to machines on the inside of those firewalls. That's one method. So we can get to the machines inside through some of the remote access tools that we have. And then from there, we only allow administration from a management LAN side. And I've talked about this before. This is one of the reasons we segment our networks, so only a management LAN can get to the firewall and not the actual main computers that are running on there, because that poses a security risk. And especially, I mean, convenience is wonderful, being able to administer things through the LAN side.
But the downside of that, once you start exposing the LAN side, if there's any minor problems, they become much bigger problems because the greater internet has the accessibility to our router. So let's break this one down a little bit. I'm gonna do a separate video on securing routers. But there's a couple of articles I'll leave here, "Making It Rain with MikroTik". And this is also an interesting side note to this: Zerodium, due to the number of MikroTiks out there, is offering quite a big bug bounty, up to $100,000, for exploits in MikroTik. So we're probably gonna see even more of these come out because people are really starting to poke away at it.

And this is the breakdown of the design flaw, which I did find very interesting. This person has an entire proof of concept of how it works. They did a video on it and everything else. And they use an NVR behind there. Now, I like that they did it. I'm not gonna go into every in-depth detail of what they did, but to give you the idea, they set up a laptop. This is on the outside of the firewall. Here's the MikroTik firewall. Now, the piece of information that they need to have is access to information on the inside of the network. I have to know some IP addresses. But that's not a far reach, because the way the flaw works over port 8291 here is you can start probing inside the network and start looking for things. And many people leave things at a default config or a common network setting, either a 10 network or a 192.1 network. And what happens is, as they start probing this, and there is no authentication, well, there's a way to bypass it. There is authentication, but it allows the packets to come into 192 using The Dude, a tool that MikroTik has to scan devices within subnets. So essentially, it's kind of like a better version of Nmap put together by MikroTik. I've heard good things. I never use the software, but by using the functionality of it, they were able to start mapping inside the network.
Like I said, they're negating all the reasons for the firewall. And it didn't take long before this person put this all together, put it all on GitHub, proved it. Yes, you can just go through there. You can do a connection. You can proxy said connection right through here and boom, you're in. So it was, it's a really interesting read-through on the process. I like that they documented it really well, so they can walk you through each step that they did and how they found it and how they exploited it.

But it's also a reminder of, hey, will you test this firewall? And sometimes I say, I don't really have a use case. The firewall has to be a compelling reason for me to use it and a track record of security, or me thinking it's secure. This is something really important when you're choosing firewalls: one is companies that are very security minded. I have in the past complained about this, so MikroTik, I don't feel as though they're as security minded as they could be. And the weird way that they do this Winbox, which is a unique feature to them, to be able to run some external software and give lots of functionality, comes at this trade-off of complexity, and complexity is harder to secure.

But make sure when you're doing this you have a good methodology by which to manage things. Use common things such as SSH; it's a great way to manage your firewalls, where you can get into them via SSH and then even tunnel forward a port so you can get to a web interface that's common on many firewalls. There's always better ways to do it. You don't necessarily want to just open up a port like this. And there's other firewalls that I've seen over the time that have this weird complicated software. I don't know if WatchGuard does any more, but I know this is similar in a way to the old WatchGuard systems, or these weird software that you had to run to push configurations to it. I think it's been a while since I've had that as a less.
WatchGuard, I've seen, had some interface software, but there's almost things. You need to be very conscious of security on these firewalls, and you have to make sure that you understand what you're doing when you deploy one, that you're not opening any ports to the public, and doing it at the absolute minimum.

All right, thanks. Thanks for watching. If you liked this video, give it a thumbs up. If you want to subscribe to this channel to see more content, hit that subscribe button and the bell icon, and maybe YouTube will send you a notice when we post. If you want to hire us for a project that you've seen or discussed in this video, head over to lawrencesystems.com, where we offer both business IT services and consulting services and are excited to help you with whatever project you want to throw at us. Also, if you want to carry on the discussion further, head over to forums.lawrencesystems.com, where we can keep the conversation going. And if you want to help the channel out in other ways, we offer affiliate links below which offer discounts for you and a small cut for us that does help fund this channel. And once again, thanks again for watching this video, and see you next time.
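The practical check behind the advice above (management services such as Winbox reachable only from a management LAN, never from the WAN) can be automated against a RouterOS `/export`. The script below is an added example written for this page, not code from the video or from MikroTik. It uses the real RouterOS export syntax for the `/ip service` section (`set <service> address=... disabled=yes port=...`) and the documented default ports, and it treats a service that is absent from the export as sitting at its defaults, since `/export` prints only non-default values. The sample export and the management network `192.168.88.0/24` are constructed for the example; the audit parses the section, flags enabled services with no source-address restriction or with sources outside the management LAN, and prints the `/ip service set ... address=` command that restricts each one.

```python
"""Audit a RouterOS '/ip service' export for management services that are
reachable from outside the management LAN (e.g. Winbox on TCP 8291).

Added example for this page; sample export below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# RouterOS management services and their documented default TCP ports.
# By default every one of these is enabled with no address restriction.
DEFAULT_PORTS: Dict[str, int] = {
    "api": 8728, "api-ssl": 8729, "ftp": 21, "ssh": 22,
    "telnet": 23, "winbox": 8291, "www": 80, "www-ssl": 443,
}

# Constructed '/export' fragment. Note that 'winbox' and 'www-ssl' do not
# appear: /export only lists changed values, so both are at their defaults.
SAMPLE_EXPORT = """\
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24,10.0.0.0/8
set ssh address=192.168.88.0/24 port=2222
set api disabled=yes
set api-ssl disabled=yes
/ip firewall filter
add chain=input action=drop in-interface=ether1
"""


@dataclass
class Service:
    name: str
    port: int
    disabled: bool = False
    addresses: List[str] = field(default_factory=list)  # empty = any source


def parse_ip_service(export: str) -> Dict[str, Service]:
    """Start from RouterOS defaults, then overlay the '/ip service' section."""
    services = {n: Service(n, p) for n, p in DEFAULT_PORTS.items()}
    in_section = False
    for raw in export.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                # a new section header
            in_section = (line == "/ip service")
            continue
        if not in_section or not line.startswith("set "):
            continue
        tokens = line.split()
        name = tokens[1]
        opts = dict(t.split("=", 1) for t in tokens[2:] if "=" in t)
        svc = services.setdefault(name, Service(name, 0))
        svc.disabled = opts.get("disabled", "no") == "yes"
        svc.addresses = [a for a in opts.get("address", "").split(",") if a]
        svc.port = int(opts.get("port", svc.port))
    return services


def find_exposed(services: Dict[str, Service],
                 management_nets: Tuple[str, ...] = ("192.168.88.0/24",)
                 ) -> List[Tuple[str, int, str]]:
    """Return (service, port, reason) for enabled services whose allowed
    sources are unrestricted or include networks outside the management LAN."""
    findings = []
    for svc in services.values():
        if svc.disabled:
            continue
        if not svc.addresses:
            findings.append((svc.name, svc.port,
                             "no address restriction: reachable from any interface, WAN included"))
            continue
        outside = [a for a in svc.addresses if a not in management_nets]
        if outside:
            findings.append((svc.name, svc.port,
                             f"allowed from non-management networks {','.join(outside)}"))
    return findings


def remediation(service: str, management_net: str = "192.168.88.0/24") -> str:
    """RouterOS command restricting a service to the management network."""
    return f"/ip service set {service} address={management_net}"


if __name__ == "__main__":
    audited = parse_ip_service(SAMPLE_EXPORT)
    for name, port, reason in find_exposed(audited):
        print(f"FINDING {name} (tcp/{port}): {reason}")
        print(f"  fix: {remediation(name)}")
```

The same parse-then-compare approach extends to the `/ip firewall filter` input chain (dropping management ports arriving on the WAN interface), which is the second layer that should exist even when `/ip service` is restricted; the example keeps to the service table so the defaults-are-implicit pitfall stays visible.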