
SDN for MikroTik - Architecture Overview



PowerCloud’s software-defined network platform was built from the ground up to exist in Amazon's web services environment due to its scalability, reliability, and adherence to ISO standards. At the core of the system is a built-for-RouterOS orchestration service that has hundreds of API endpoints that all work in harmony with the single task of delivering industry-accepted software-defined networking for MikroTik devices with a focus on security and the improvement of network quality, all of course in an automated fashion.
Control Mechanisms

Upon installing the PowerCloud bootstrap package on a MikroTik device (router), the orchestration system creates an obfuscated database in AWS Aurora for the storage of all the system and runtime settings of the router. Each router has its own database. After adoption, the management plane of the system accesses this database and makes changes to it; these changes are prepared in the form of configuration updates using RouterOS command-line syntax. These updates are then downloaded by the router and executed as a script.

Communication with the Orchestration Service

The router polls the orchestration service API endpoint every 30 seconds. This process is a heartbeat that tells the orchestration service that the router is accessible over the network, and during this "check-in" the router also downloads a configuration file if changes to the router configuration are needed. This configuration file is then imported and executed immediately after the check-in is completed. During bootstrapping, the router is issued a unique authentication token, which is present in a JSON payload exchanged between the router and the orchestration service during every check-in. This traffic is SSL encrypted and uses certificates issued by Amazon.

Management Traffic

After the bootstrap process is completed and the SDN services are deployed and active on the router, a management VPN tunnel is created between the router and a VPN concentrator on the PowerCloud network. This VPN tunnel is 256-bit AES encrypted. The management VPN tunnel is used to securely transport traffic flow data, logs, and SNMP data to the nearest PowerCloud edge service.

Traffic Flow and DNS Logs

NetFlow data and DNS query logs that contain statistics about network connections to and from the router during operation are transported via the management VPN to the nearest PowerCloud edge service.
The PowerCloud edge service processes this data and streams it to Google BigQuery every 60 seconds. In Google BigQuery, various algorithms and reports are executed against the data, and through machine learning PowerCloud is able to report on usage, enforce network policies, and take action against threats.

DNS Filtering

PowerCloud anonymizes all DNS queries that it receives, and then uses its own web crawler service to crawl and classify domains accessed by users. DNS requests from users behind a PowerCloud SDN-enabled MikroTik are sent down the management VPN tunnel and resolved against PowerCloud's own DNS servers, which contain response policy zone (RPZ) configurations built from hundreds of millions of categorized domain names. After being passed through PowerCloud's RPZs, queries are handed off to Quad9 DNS servers.

IBM X-Force

PowerCloud utilises various threat intelligence services from IBM X-Force that are integrated into the control plane of the orchestration service. This enables an automated response to zero-day attacks and to access attempts against the router (and the network it protects) from internet IP addresses that are flagged as dangerous by the broader cybersecurity community. Threat vectors that are prohibited from reaching PowerCloud SDN-enabled routers include IP addresses of spambots, malware-infected hosts, command and control networks, and DNR networks.

Route Blackholing

Routers running PowerCloud SDN are automatically configured with a BGP session to the nearest PowerCloud SDN edge. All threat information gathered from sources such as IBM X-Force, URTS, and around 60 other community-maintained threat lists is tested for false positives and then installed into a "do-not-route" table on the PowerCloud network edge router. These "do-not-route" IP addresses and prefixes are then advertised to the PowerCloud SDN-enabled MikroTik over BGP and blackholed. This prevents any communication to and from identified IP-based threats.
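The false-positive test and the "do-not-route" table described above, as an added example in Python that is not PowerCloud's code: the feeds, the allowlist and the RouterOS v6 `type=blackhole` route syntax are constructed assumptions, and the page does not say how PowerCloud itself tests feeds for false positives.

```python
import ipaddress

# Constructed sample inputs (hypothetical, not real threat data): entries from a few community
# feeds, and an allowlist used to weed out false positives before anything is blackholed.
FEEDS = {
    "feed-a": ["198.51.100.7", "203.0.113.0/24", "198.51.100.7", "not-an-ip"],
    "feed-b": ["203.0.113.42", "192.0.2.0/24", "203.0.113.0/25", "10.0.0.5"],
}
ALLOWLIST = ["192.0.2.0/24", "9.9.9.9/32"]  # e.g. own prefixes and the Quad9 resolvers
# Space that must never be blackholed on a customer router, whatever a feed says.
NEVER_BLACKHOLE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8"]


def build_do_not_route(feeds, allowlist):
    """Parse and validate feed entries, drop allowlisted/reserved space, collapse overlapping prefixes."""
    protected = [ipaddress.ip_network(a) for a in list(allowlist) + NEVER_BLACKHOLE]
    keep = set()
    for entries in feeds.values():
        for raw in entries:
            try:
                net = ipaddress.ip_network(raw.strip(), strict=False)
            except ValueError:
                continue  # malformed feed line: skip it rather than fail the whole build
            # Any overlap with protected space is treated as a false positive.
            if any(p.version == net.version and (net.subnet_of(p) or p.subnet_of(net)) for p in protected):
                continue
            keep.add(net)
    # collapse_addresses() merges 203.0.113.0/25 and 203.0.113.42/32 into 203.0.113.0/24, etc.
    v4 = list(ipaddress.collapse_addresses(n for n in keep if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in keep if n.version == 6))
    return v4 + v6


def routeros_blackhole_commands(prefixes):
    """RouterOS v6 route syntax (assumed) for the do-not-route entries; on the PowerCloud
    design the edge advertises these prefixes over BGP instead of pushing static routes."""
    return [f'/ip route add dst-address={n.with_prefixlen} type=blackhole comment="pc-dnr"'
            for n in prefixes]
```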
Traffic Flow and DNS Monitoring

NetFlow streams and DNS logs are monitored in real time for unusual traffic patterns, attempts to connect to threat-identified IP addresses, and bogus DNS requests. This information enables the identification of compromised hosts on the network protected by the router and can be sent to network administrators for manual intervention on a compromised host on the LAN.

WAN Interface Monitoring

Each WAN interface on the router is automatically monitored using a Zabbix agent from the nearest PowerCloud network edge. Constant awareness of the utilization, latency, packet loss, and jitter of each WAN connection allows the orchestration service to make changes to the policy-based routing (PBR) configuration and the traffic steering of the router. Changes of this nature are deployed and committed during the heartbeat check-in.

Optimized Private Backbone

Users in South Africa can make use of PowerCloud's optimized private backbone, which is built on Juniper MX technology and boasts private peering relationships with all major cloud vendors and content providers, including Google, Microsoft, Amazon, Facebook, Akamai, Hurricane Electric, and Huawei Cloud. Private backbone access is billed on a 95th percentile calculation.
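The 30-second heartbeat check-in described under Communication with the Orchestration Service (and used again above to commit the PBR changes driven by WAN monitoring), as an added example that is not PowerCloud's code: the JSON payload layout, the per-router token store, and the SHA-256 digest the router checks before importing a script are assumptions, not details from the page.

```python
import hashlib
import hmac
import json
import time

# Constructed sample state for the orchestration side (hypothetical; not PowerCloud's schema).
# One bootstrap token per router plus an optional pending RouterOS script for it.
ROUTER_TOKENS = {"rtr-0001": "c3b1e2f4a5d6c7b8a9e0f1d2c3b4a5e6"}
PENDING_CONFIG = {
    "rtr-0001": '/ip firewall filter add chain=input protocol=tcp dst-port=23 action=drop comment="pc: drop telnet"',
}
LAST_SEEN = {}  # router_id -> time of last authenticated check-in


def router_checkin_payload(router_id, token):
    """Router side: the JSON payload sent on every 30-second check-in (constructed layout)."""
    return json.dumps({"router_id": router_id, "token": token, "ts": int(time.time())})


def orchestrator_handle_checkin(payload, now=None):
    """Orchestration side: authenticate the token, record the heartbeat, hand out any pending script."""
    msg = json.loads(payload)
    expected = ROUTER_TOKENS.get(msg.get("router_id"), "")
    # Constant-time comparison so a per-router token cannot be recovered from timing differences.
    if not expected or not hmac.compare_digest(expected, str(msg.get("token", ""))):
        return {"status": "unauthorized"}
    LAST_SEEN[msg["router_id"]] = time.time() if now is None else now
    reply = {"status": "ok", "next_checkin_s": 30}
    script = PENDING_CONFIG.pop(msg["router_id"], None)
    if script is not None:
        # Send a digest with the script so the router can check what it is about to execute.
        reply["config"] = script
        reply["config_sha256"] = hashlib.sha256(script.encode()).hexdigest()
    return reply


def router_apply(reply):
    """Router side: verify the digest before treating the text as an executable RouterOS script."""
    if reply.get("status") != "ok" or "config" not in reply:
        return []
    if hashlib.sha256(reply["config"].encode()).hexdigest() != reply.get("config_sha256"):
        raise ValueError("config digest mismatch; refusing to import")
    # On the router each line would be run via /import; here the commands are just returned.
    return [line for line in reply["config"].splitlines() if line.strip()]


def stale_routers(now, max_age_s=90):
    """Routers that missed three consecutive 30-second heartbeats, i.e. are no longer reachable."""
    return sorted(r for r in ROUTER_TOKENS if now - LAST_SEEN.get(r, 0) > max_age_s)
```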
