BAN-PT bandwidth standard

The 2007 institutional accreditation for higher education (Akreditasi Institusi Perguruan Tinggi) of BAN-PT (Badan Akreditasi Nasional Perguruan Tinggi) applies the following scoring standard for bandwidth (Book VI, page 22):

The institution has internet capacity with an adequate bandwidth-per-student ratio

  1. >0.75 Kbps/student = very good (score 4)
  2. 0.5 – 0.75 Kbps/student = good (score 3)
  3. 0.25 – 0.49 Kbps/student = adequate (score 2)

hardening MikroTik and setting up a DMZ

1. log in from the MikroTik terminal console as user admin with a blank password, then change the password:
> /password
and enter the new password twice.

2. from now on, if you get lost, just press ? for help.
3. to build a DMZ router we need three NICs; let's check they are there:
> /interface
interface> print
Flags: X - disabled, D - dynamic, R - running
 #    NAME     TYPE    RX-RATE  TX-RATE  MTU
 0  R ether1   ether   0        0        1500
 1  R ether2   ether   0        0        1500
 2  R ether3   ether   0        0        1500

ok, they're all there.

4. if you want to disable ether1 (index 0 in the list above), here's what to do:
interface> set 0 disabled=yes
or
interface> disable 0
to enable:
interface> set 0 disabled=no
or
interface> enable 0
5. now let's give them their IP addresses:
>/ip address
ip address>add address=192.168.100.1/24 interface=ether3
that’s for the dmz
ip address>add address=172.16.10.1/24 interface=ether2
that’s for the LAN
ip address>add address=202.x.x.x/28 interface=ether1
that’s for the public

6. add the default route via the ISP gateway:
>/ip route
ip route> add gateway=202.x.x.x

7. test the connection (don't forget to plug in the cable):
>/ping 202.x.x.x

8. now let's harden the router.
>/ip service print
let's leave only ssh available:
>/ip service disable 0
do the same for every other index except the one that print shows as ssh (3 here; check the print output rather than trusting the number, since the order can differ between versions). if you intend to use winbox from the LAN, as the firewall rules further down allow, leave winbox enabled as well; otherwise that rule is pointless.

9. more hardening
create a user that can only log in from the console: its allowed address is 127.0.0.1/32, so it cannot be used over the network. this is useful if we lose the admin password. replace typepassword with a real password:
>/user add name=gregor password=typepassword group=full address=127.0.0.1/32

10. more hardening with the firewall
> /ip firewall filter
ip firewall filter>add chain=input connection-state=established action=accept comment="accept established connection packets" disabled=no
ip firewall filter>add chain=input connection-state=related action=accept comment="accept related connection packets" disabled=no
ip firewall filter>add chain=input connection-state=invalid action=drop comment="drop invalid packets" disabled=no

those three rules accept packets that belong to connections the router already knows about (established or related) and drop packets that match no known connection state, before any of the rules below are evaluated; only new connections go on to the remaining checks.

ip firewall filter>add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and drop port scan connections" disabled=no
that's for protection against port scans. psd=21,3s,3,1 means a source is treated as a scanner once the ports it touched within 3 seconds add up to a weight of 21, counting 3 for each low port (below 1024) and 1 for each high port. note that it sits after the established/related accepts, so it only ever sees new connections.

ip firewall filter>add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no
ip firewall filter>add chain=input action=jump jump-target=services comment="jump to chain services" disabled=no

create separate chains for ICMP and for the services the router itself provides. a packet that the target chain neither accepts nor drops returns to input right after the jump, so anything not explicitly allowed in those chains falls through to the rules below.

ip firewall filter>add chain=input dst-address-type=broadcast action=accept comment="Allow Broadcast Traffic" disabled=no

that's for broadcast

ip firewall filter>add chain=input action=drop comment="drop everything else" disabled=no

read the comment please :) this must stay the last rule in input; add appends, so any input rule you add later has to be moved above it or it will never be reached.

ip firewall filter>add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="0:0 and limit for 5pac/s" disabled=no
ip firewall filter>add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="3:3 and limit for 5pac/s" disabled=no
ip firewall filter>add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="3:4 and limit for 5pac/s" disabled=no
ip firewall filter>add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="8:0 and limit for 5pac/s" disabled=no
ip firewall filter>add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="11:0 and limit for 5pac/s" disabled=no
ip firewall filter>add chain=ICMP protocol=icmp action=drop comment="Drop everything else" disabled=no

those lines handle ICMP: only echo reply (type 0), port unreachable (3:3), fragmentation needed (3:4, required for path MTU discovery), echo request (8) and time exceeded (11, what traceroute relies on) are accepted, each rate-limited to 5 packets per second with a burst of 5; every other ICMP type is dropped.

ip firewall filter>add chain=services protocol=tcp dst-address=172.16.10.1 dst-port=8291 action=accept comment="allow winbox from LAN" disabled=no
ip firewall filter>add chain=services protocol=tcp dst-address=172.16.10.1 dst-port=22 action=accept comment="allow ssh from LAN" disabled=no
ip firewall filter>add chain=services protocol=udp dst-address=192.168.100.1 dst-port=53 action=accept comment="allow DNS from DMZ" disabled=no
ip firewall filter>add chain=services protocol=tcp dst-address=192.168.100.1 dst-port=53 action=accept comment="allow DNS (TCP) from DMZ" disabled=no

please read the comments :) two caveats. first, ordinary DNS queries travel over udp/53, and tcp/53 is only used for large answers and zone transfers; with only a tcp rule the DMZ hosts' lookups would return from this chain unmatched and hit the final drop, which is why the udp rule is there. second, these rules match on the router's own address, not on where the packet came from, so a DMZ host can also reach 172.16.10.1 on 22 or 8291; add in-interface=ether2 to the LAN rules (and in-interface=ether3 to the DNS rules) if you want them to mean exactly what their comments say.

11. now set the DNS to the server provided by your ISP, and allow the router to answer queries from other hosts (without allow-remote-requests=yes it resolves only for itself and the DMZ machines get no answers):
>/ip dns
ip dns> set primary-dns=202.x.x.x allow-remote-requests=yes

now you can point every machine in your DMZ at 192.168.100.1 as its DNS server.
you can also add static entries so they find each other by their public names without leaving the DMZ,
e.g. www.example.com is publicly known as 202.x.x.x while its actual IP in the DMZ is 192.168.100.5:

>/ip dns static
ip dns static> add name=www.example.com address=192.168.100.5

12. let's set up the port forwarding now
> /ip firewall nat
ip firewall nat>add chain=dstnat protocol=tcp dst-address=202.x.x.x dst-port=80 action=dst-nat to-addresses=192.168.100.5 to-ports=80 disabled=no
ip firewall nat>add chain=srcnat src-address=192.168.100.5 action=src-nat to-addresses=202.x.x.x disabled=no
dst-port is only valid together with a protocol, so the dst-nat rule has to say protocol=tcp. the second rule makes the web server's own outgoing connections appear to come from its public address instead of the router's.

13. on your LAN side, the LAN router should use 172.16.10.1 as its default gateway, and this router should masquerade everything that arrives from it and leaves through ether1. keep in mind that nothing above filters the forward chain, so as it stands DMZ hosts can still open connections into the LAN; a DMZ is only a DMZ once that is blocked.
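The whole procedure as one RouterOS script, as an added example that is not from the original post. It assumes RouterOS v6-style syntax (connection-state lists, limit=...:packet, /ip dns set servers=), uses RFC 5737 documentation addresses in place of the post's elided 202.x.x.x (router public IP 203.0.113.2/28, ISP gateway and resolver 203.0.113.1), and assumes www.example.com is published on the router's own public IP. The user name gregor, the placeholder password and the forward-chain rules are assumptions, not settings from the post.

```routeros
# Added example: DMZ router with hardened input chain. Addresses are assumed
# (RFC 5737 space) and stand in for the post's 202.x.x.x placeholders.
/ip address
add address=203.0.113.2/28 interface=ether1 comment="public (assumed)"
add address=172.16.10.1/24 interface=ether2 comment="LAN"
add address=192.168.100.1/24 interface=ether3 comment="DMZ"

/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 comment="default via ISP (assumed)"
# add routes here for any LAN subnets that sit behind the LAN router

# management: keep ssh and winbox only, and bind them to the LAN range so the
# service itself refuses the public side even if a firewall rule is mis-ordered
/ip service
disable [ find name!="ssh" && name!="winbox" ]
set ssh address=172.16.10.0/24
set winbox address=172.16.10.0/24

# console-only backup admin (assumed name and password; change both)
/user
add name=gregor password="CHANGE-ME" group=full address=127.0.0.1/32

/ip firewall filter
# --- input: traffic addressed to the router itself ---
add chain=input connection-state=established,related action=accept comment="accept established/related"
add chain=input connection-state=invalid action=drop comment="drop invalid"
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="drop port scanners"
add chain=input protocol=icmp action=jump jump-target=ICMP comment="ICMP policy"
add chain=input action=jump jump-target=services comment="router services"
add chain=input dst-address-type=broadcast action=accept comment="allow broadcast"
add chain=input action=drop comment="drop everything else (keep last)"

# --- ICMP: only what ping, traceroute and PMTU discovery need, rate limited ---
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5:packet action=accept comment="echo reply"
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5:packet action=accept comment="port unreachable"
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5:packet action=accept comment="fragmentation needed (PMTUD)"
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5:packet action=accept comment="echo request"
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5:packet action=accept comment="time exceeded"
add chain=ICMP protocol=icmp action=drop comment="drop other ICMP"

# --- services: match on ingress interface, not only on destination address ---
add chain=services protocol=tcp in-interface=ether2 dst-port=22 action=accept comment="ssh from LAN"
add chain=services protocol=tcp in-interface=ether2 dst-port=8291 action=accept comment="winbox from LAN"
add chain=services protocol=udp in-interface=ether3 dst-port=53 action=accept comment="DNS from DMZ (UDP)"
add chain=services protocol=tcp in-interface=ether3 dst-port=53 action=accept comment="DNS from DMZ (TCP)"
# anything else returns to input and meets the final drop

# --- forward (assumed addition): the DMZ must not be able to initiate into the LAN ---
add chain=forward connection-state=established,related action=accept comment="accept established/related"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
add chain=forward in-interface=ether3 out-interface=ether2 action=drop comment="DMZ may not initiate to LAN"
add chain=forward in-interface=ether1 out-interface=ether2 action=drop comment="Internet may not initiate to LAN"

/ip firewall nat
# publish the DMZ web server on the router's public IP
add chain=dstnat in-interface=ether1 protocol=tcp dst-address=203.0.113.2 dst-port=80 action=dst-nat to-addresses=192.168.100.5 to-ports=80 comment="www -> DMZ"
add chain=srcnat src-address=192.168.100.5 out-interface=ether1 action=src-nat to-addresses=203.0.113.2 comment="www outbound"
# everything else leaving the public side (LAN behind the LAN router, other DMZ hosts)
add chain=srcnat out-interface=ether1 action=masquerade comment="masquerade the rest"

/ip dns
# the router resolves for the DMZ; allow-remote-requests is required for that, and the
# input chain above is what keeps it from becoming an open resolver on ether1
set servers=203.0.113.1 allow-remote-requests=yes
/ip dns static
add name=www.example.com address=192.168.100.5
```

On versions older than v6 write limit=5,5 instead of limit=5,5:packet and set primary-dns= instead of servers=. After importing, check with /ip firewall filter print stats that the "drop everything else" counter grows when you probe ether1 from outside, that nslookup from a DMZ host against 192.168.100.1 answers, and that ssh from a DMZ host to 172.16.10.1 is now refused.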