Sunday, September 29, 2013

Automatically find unathorized devices and block it on firewall

One of the features I like most in Mikrotik RouterOS is the ability to run custom scripts that will enable you to automate some things on router side. In a workplace where “bring your own device” is practiced, being able to control the registration of these devices on your network is very important especially for mobile devices - laptops, tablets and smartphones.
It’s becoming harder to control these device especially if they are in large number. Smartphone can be just placed inside a bag or pocket while it automatically connect through your access points where wireless key is known to the user and download unnecessary files on the internet thus wasting network bandwidth while increasing network security risk.
Now, if you happen to have a Mikrotik RouterOS in your network and is facing the same dilemma then probably the script below will help you solve it or least get you started on a better solution.

01
02# Tested to work on RouterOS 5.19
03 
04:foreach i in=[/ip dhcp-server lease find dynamic=yes] do={
05   :local dynamicIP [/ip dhcp-server lease get $i address];
06   :local dynamicMAC [/ip dhcp-server lease get $i mac-address];
07   :local dynamicHOST [/ip dhcp-server lease get $i host-name];
08   :local macfound [/ip firewall filter find src-mac-address=$dynamicMAC];
09 
10    :if ($macfound != "") do={
11        :log info ($dynamicMAC. " already filtered")
12    } else= {
13        /ip firewall filter add chain=forward src-mac-address=$dynamicMAC action=drop comment=($dynamicHOST . " - " . $dynamicMAC . " Unregistered device")
14        :log info ("Added " . $dynamicMAC. " to firewall filter")
15    }
16}
Basically, the script will look for dynamic ip addresses inside the dhcp server leases table and search their mac address in the firewall filter table. If it’s not yet blocked then it will create an entry blocking the mac address to prevent it from sending traffic through your network.
To automatically execute the script periodically, you will need to add it on the scheduler, see example below:

1/system scheduler add comment="Find unauthorized devices and block" disabled=no interval=5m  name=block_unauthorized_devices on-event=block_unauthorized_devices policy=read,write,test
You should be able to see on your log what devices are being blocked as the script finds one.
Posted by at
Labels:

1 comment:

  1. UnknownOctober 22, 2013 at 12:14 AM

    Firewall is the oldest and most effective method to secure your system but with the advanced technology it has to be equipped with some tools.

    Thanks
    Silvester Norman

    Change MAC Address

    ReplyDelete

Subscribe to: Post Comments (Atom)