DYNAFA - The Dynamic Firewall Authenticator, David Reeves (EIT Hawke's Bay, New Zealand). PDF: https://mum.mikrotik.com/presentations/NZ18/presentation_5619_1526976443.pdf.
DYNAFA is a small project I have been working on. It is a firewall-based authentication system which can leverage RouterOS scheduler and script tools, as well as address lists and packet filtering. This creates a virtually impenetrable network, which can only be unlocked with the correct sequence of packets. The correct sequences are randomized and mixed together in a way which an attacker could never reproduce, even while understanding the system. They are then hard-coded into the firewall rules, and those rules can be altered over time, to leave only the smallest number of ports open to attack. This minimizes attack surface significantly (less than 0.02%), counters port scans and probes (Dynamic attack surface), counters replay attacks (Dynamic Authentication Requirements), stings attackers with booby-traps within the authentication surface topology (High risk of being blacklisted), is resource efficient (Negative filtering) and is near impossible to crack with brute force.
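The abstract names the building blocks (address lists, packet filtering, scheduler and script tools, booby-traps, negative filtering) without showing rules. The following RouterOS configuration is an added illustration written for this page of how those pieces fit together; it is not DYNAFA's own rule set, which is only in the PDF. Everything in it is an assumption for the sake of the example: the port numbers, the `192.0.2.10` management address (RFC 5737 documentation range), the `knock1`/`knock2`/`authorized`/`blacklist` list names, the rule comments used as handles, and `:rndnum`, which exists in RouterOS 7 scripting but not in RouterOS 6.

```routeros
# Added example (not DYNAFA's own rules): a three-stage knock sequence
# tracked with address lists, decoy "trap" ports that blacklist the source,
# negative filtering (drop everything not explicitly accepted), and a
# scheduler script that rotates the knock and trap ports every hour.
# Ports, list names and 192.0.2.10 are constructed; :rndnum assumes RouterOS 7.

/ip firewall address-list
add list=mgmt address=192.0.2.10 comment="out-of-band admin, never locked out"

/ip firewall filter
# 1. Keep existing sessions and the management host working whatever the script does.
add chain=input connection-state=established,related action=accept
add chain=input src-address-list=mgmt action=accept
# 2. Anyone already stung by a trap is dropped before any knock is evaluated.
add chain=input src-address-list=blacklist action=drop comment="blacklist"
# 3. Traps: decoy ports inside the same high range as the knocks. A scanner
#    sweeping the range hits a trap long before it finds the real sequence.
add chain=input protocol=tcp dst-port=50001,50002,50003 \
    action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=1d comment="trap"
# 4. The knock sequence. add-src-to-address-list does not terminate rule
#    processing, so the knock packets themselves fall through to the final
#    drop; each stage only counts if the source is already in the previous list.
add chain=input protocol=tcp dst-port=20001 \
    action=add-src-to-address-list address-list=knock1 \
    address-list-timeout=10s comment="knock 1"
add chain=input protocol=tcp dst-port=30001 src-address-list=knock1 \
    action=add-src-to-address-list address-list=knock2 \
    address-list-timeout=10s comment="knock 2"
add chain=input protocol=tcp dst-port=40001 src-address-list=knock2 \
    action=add-src-to-address-list address-list=authorized \
    address-list-timeout=1h comment="knock 3"
# 5. Only a completed sequence opens the real service (SSH here).
add chain=input protocol=tcp dst-port=22 src-address-list=authorized action=accept
# 6. Negative filtering: nothing else reaches the router itself.
add chain=input action=drop comment="default deny"

# Rotation script. Each stage draws from its own range so the three knock
# ports and the trap ports can never coincide. Save as
# /system script name=dynafa-rotate and call it from the scheduler below.
:local k1 [:rndnum from=20000 to=29999]
:local k2 [:rndnum from=30000 to=39999]
:local k3 [:rndnum from=40000 to=49999]
:local t1 [:rndnum from=50000 to=59999]
:local t2 [:rndnum from=50000 to=59999]
:local t3 [:rndnum from=50000 to=59999]
# Redraw traps until distinct so the port list never repeats a value.
:while ($t2 = $t1) do={ :set t2 [:rndnum from=50000 to=59999] }
:while ($t3 = $t1 || $t3 = $t2) do={ :set t3 [:rndnum from=50000 to=59999] }
:local traps ($t1 . "," . $t2 . "," . $t3)
/ip firewall filter set [find comment="knock 1"] dst-port=$k1
/ip firewall filter set [find comment="knock 2"] dst-port=$k2
/ip firewall filter set [find comment="knock 3"] dst-port=$k3
/ip firewall filter set [find comment="trap"] dst-port=$traps
# Anyone mid-sequence under the old ports must start over; authorized
# entries are left alone so an open admin session is not cut off.
/ip firewall address-list remove [find list=knock1]
/ip firewall address-list remove [find list=knock2]
:log info ("dynafa-rotate: knocks " . $k1 . "," . $k2 . "," . $k3 . " traps " . $traps)

/system scheduler
add name=dynafa-rotate interval=1h on-event=dynafa-rotate
```

Before trusting this on a live router, knock once from a second host (three TCP SYNs to the current knock 1, 2 and 3 ports within the 10 s window, for example with `nc -z` or `nmap -p`) and check `/ip firewall address-list print where list=authorized`; then touch one trap port and confirm the host lands in `blacklist`. The `mgmt` accept rule is the deliberate safeguard against locking yourself out when the script rewrites ports, and it is the one entry an attacker would most want to learn, so keep that address off any published documentation.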
- Category
- MikroTik
- Tags
- mikrotik, routerboard, routeros