Mikrotik RouterOS Security Audit Checklist Ver 0.91

April 11, 2017 | Author: Hendra Maulana | Category: N/A



Mikrotik RouterOS Security Audit Checklist

Columns: Questions | Findings (Yes / No) | ISO 27001 Control | Standard/Best Practice

Router Policy

Question: Is a router security policy in place?
ISO 27001 Control: A.5.1.1, A.9.1.2
Standard/Best Practice: The router security policy will address the requirements from the business, regulations, etc. It will consist of policy topics such as access control, backup, etc.

Administrator Authentication

Question: Is there a documented procedure for creation of users?
ISO 27001 Control: A.12.1.1, A.9.2.1, A.9.2.2
Standard/Best Practice: A documented procedure for creation of administrators on the router should exist. The procedure should address:
 - Approval from the department head
 - Recording the authorization level given to the new administrator and its duration

Question: Does each router administrator have a unique account for himself/herself?
ISO 27001 Control: A.9.2.1, A.9.2.2
Standard/Best Practice: Each router administrator should have a unique account in order to maintain accountability.

Question: According to policy, how often do admin passwords have to be changed?
ISO 27001 Control: A.9.4.3
Standard/Best Practice: Admin passwords need to be changed periodically, typically once every 4-6 months depending on the functionality of the router.

Question: Do the admin passwords meet the complexity required by the policy?
ISO 27001 Control: A.9.3.1
Standard/Best Practice: All passwords defined on the router should meet the following criteria:
 - Minimum 8 characters in length
 - Alphanumeric along with special characters (@#$%)
 - Should not include the organization's name

Question: Are all user accounts assigned the lowest privilege level that allows them to perform their duties? (Principle of Least Privilege)
ISO 27001 Control: A.9.2.3
Standard/Best Practice: All user accounts should be assigned the lowest privilege level that allows them to perform their duties. If multiple administrators exist on the router, each administrator should be given an individual username and password and assigned the lowest privilege level.

Question: Is a Message of the Day (MOTD) banner defined?
ISO 27001 Control: A.9.4.2
Standard/Best Practice: Login banners should be used as a preventive measure against unauthorized access to the routers. Use the following command to enable a MOTD banner: /system note set note=[MOTD]

Router Access Management

Question: Are unused services such as webfig, ssh, telnet, DNS allow remote requests, etc. disabled?
ISO 27001 Control: A.9.4.4
Standard/Best Practice: Unused services need to be disabled to prevent unauthorized access and possible exploitation.

Question: Is Mikrotik Network Discovery Protocol disabled on the router?
ISO 27001 Control: A.12.6.1, A.9.4.4, A.13.1.3
Standard/Best Practice: Mikrotik Network Discovery Protocol enables neighbor routers (connected routers) to learn information about the neighbor. It should be disabled if not used, and on interfaces facing external networks.

Question: Which version of SNMP is used to manage the router?
ISO 27001 Control: A.13.1.1
Standard/Best Practice: Ideally SNMP version 3 should be used on the router, since it introduces authentication in the form of a username and password and offers encryption as well. SNMP is disabled by default in MikroTik; however, if enabled, there will be one default community called "public".

Question: Is the SNMP process restricted to a certain range of IP addresses only?
ISO 27001 Control: A.13.1.1
Standard/Best Practice: If SNMP v1 or v2c is used, ACLs should be configured to limit the addresses that can send SNMP commands to the device. SNMP v1 or v2c uses the community string as the only form of authentication, and it is sent in clear text across the network.

Question: Are default community strings such as 'public' changed?
ISO 27001 Control: A.9.2.4
Standard/Best Practice: Default community strings such as 'public' should be changed immediately, before bringing the router onto the network.

Question: How often is the SNMP community string changed?
ISO 27001 Control: A.9.3.1
Standard/Best Practice: If SNMP v1 or v2c is being used, the SNMP community strings should be treated like root passwords, by changing them often and introducing complexity in them.

Configuration Management

Question: How often are the router configurations backed up?
ISO 27001 Control: A.12.3.1
Standard/Best Practice: Router configurations should be backed up periodically, depending on their importance and the frequency of changes made to the configuration.

Question: Is there any technical control to prevent unauthorized access to configuration backups?
ISO 27001 Control: A.8.2.1, A.12.3.1
Standard/Best Practice: If a file server is used to store configuration files, access to the files should be restricted to authorized personnel only.

Question: Is there a documented procedure for backup of router configurations?
ISO 27001 Control: A.12.3.1, A.12.1.1
Standard/Best Practice: The backup procedure, including backup periods and the backup storage location, needs to be documented.

Question: Is there any procedure for system reset or recovery from backup?
ISO 27001 Control: A.12.1.1
Standard/Best Practice: A clear procedure for system reset or recovery from backup needs to be documented to prevent unnecessary downtime.

Question: Are all router configuration changes and updates documented in a manner suitable for review according to a change management procedure?
ISO 27001 Control: A.12.1.2
Standard/Best Practice: Any router configuration changes and updates need to follow the change management procedure, to prevent unnecessary downtime and to maintain the integrity of the configuration.

Question: Is there a periodic router capacity review for performance assurance?
ISO 27001 Control: A.12.1.3
Standard/Best Practice: The router capacity needs to be reviewed periodically to confirm that it is still sufficient for operational requirements.

Question: Is the network engineer aware of the latest vulnerabilities that could affect the router and aware of recent updates?
ISO 27001 Control: A.6.1.4, A.12.6.1
Standard/Best Practice: The network engineer should receive periodic RouterOS updates.

Business Continuity

Question: Is there router redundancy in cold standby or hot standby?
ISO 27001 Control: A.17.1.1, A.17.1.2
Standard/Best Practice: Depending on your organization's requirements, time-critical and strategic routers need to have redundancy.

Question: Are disaster recovery procedures for the router/network documented, and are they tested?
ISO 27001 Control: A.17.1.2, A.17.1.3
Standard/Best Practice: Any disaster recovery plan needs to be documented properly and tested periodically.

Question: Is the configuration backup saved to an off-site/DR site?
ISO 27001 Control: A.12.3.1, A.17.1.1
Standard/Best Practice: A copy of the router configuration needs to be saved to an off-site/DR site for disaster recovery purposes.

Log Management and Incident Handling

Question: Is login and logout tracking/command logging for the router administrators enabled?
ISO 27001 Control: A.12.4.1, A.12.4.3
Standard/Best Practice: A detailed log of every command typed on the router, as well as when an administrator logged in or out, can be recorded for audit purposes.

Question: Is the NTP server service used to synchronize the clocks of all the routers?
ISO 27001 Control: A.12.4.4
Standard/Best Practice: The NTP service helps to synchronize clocks between networking devices, thereby maintaining a consistent time, which is essential for diagnostics, security alerts and log data.

Question: Are all attempts to any port, protocol, or service that is denied logged?
ISO 27001 Control: A.12.4.1, A.16.1.2
Standard/Best Practice: All security events need to be logged.

Question: Is logging to a syslog server enabled on the router?
ISO 27001 Control: A.12.4.2, A.16.1.2
Standard/Best Practice: Critical and important logs should be sent to and stored on an external syslog server.

Question: How often are the router logs (covering administrator access/access control) reviewed?
ISO 27001 Control: A.12.4.1
Standard/Best Practice: Logs need to be reviewed regularly.

Question: Are reports and analyses carried out based on the log messages?
ISO 27001 Control: A.16.1.6
Standard/Best Practice: Reports and analysis should be based on the log messages.

Question: Is there any documentation for the course of action to be followed if an incident is noticed?
ISO 27001 Control: A.16.1.1
Standard/Best Practice: The course of action for any incident should be planned and documented properly.
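As an added auditing aid that is not part of the original checklist, the script below parses a constructed RouterOS-style /export dump and flags the Router Access Management items (unused services, Mikrotik Network Discovery Protocol, SNMP default community and unrestricted source addresses) and two Log Management items (remote syslog action, NTP client). The export format, section names and sample values are assumptions modelled on RouterOS 6 output and must be checked against the real router's own export before relying on the results.

```python
import re

# Constructed sample modelled on RouterOS 6.4x "/export" output; not a real router's config.
SAMPLE_EXPORT = """\
/ip service
set telnet disabled=no
set ftp disabled=yes
set www disabled=no
/ip neighbor discovery-settings
set discover-interface-list=all
/snmp
set enabled=yes
/snmp community
set [ find default=yes ] addresses=::/0 name=public
/system logging action
add name=remote remote=10.0.0.20 target=remote
"""

def parse_export(text):
    """Map each '/section' to a list of key=value dicts; 'set telnet ...' stores name='telnet'."""
    cfg, section = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            section = line.strip()
            cfg.setdefault(section, [])
        elif section and line[:4] in ("set ", "add "):
            body = re.sub(r"\[.*?\]", "", line[4:]).split()   # drop "[ find ... ]" selectors
            item = {k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', " ".join(body))}
            if body and "=" not in body[0]:
                item["name"] = body[0]
            cfg[section].append(item)
    return cfg

def audit(cfg):
    """Apply the checklist's Router Access Management and Log Management items; returns findings."""
    findings, items = [], lambda s: cfg.get(s, [])
    findings += [f"service {s['name']} enabled" for s in items("/ip service")
                 if s.get("name") in ("telnet", "ftp", "www", "api") and s.get("disabled") != "yes"]
    if any(d.get("discover-interface-list") == "all" for d in items("/ip neighbor discovery-settings")):
        findings.append("MNDP discovery enabled on all interfaces")
    if any(s.get("enabled") == "yes" for s in items("/snmp")):   # v1/v2c community checks
        findings += [f"SNMP community {c.get('name')}: default name or unrestricted source addresses"
                     for c in items("/snmp community")
                     if c.get("name") == "public" or c.get("addresses") in (None, "::/0", "0.0.0.0/0")]
    if not any(a.get("target") == "remote" for a in items("/system logging action")):
        findings.append("no remote syslog logging action")
    if not any(n.get("enabled") == "yes" for n in items("/system ntp client")):
        findings.append("NTP client not enabled")
    return findings
```

Run it against the output of /export copied from the router under review; each finding maps back to one checklist question above.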

This work is a derivative work from a document ISO27k Cisco Router Security Audit Checklist copyright © 2007, ISO27k Forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers' forum (www.ISO27001security.com), and (c) if shared, any derivative works are shared under the same terms as this. Note: this is NOT security advice. Do not rely on this checklist. Refer to the Mikrotik RouterOS documentation and take advice from competent network security professionals.
