Level 2 · Intermediate

MTCSE

MikroTik Certified Security Engineer

In-depth security course — attack prevention per OSI layer, firewall RAW table, IPsec tunnels. Build layered defense systems for network infrastructure.

3 days 100% instructor-led Level 2 Requires: MTCNA

Who is this course for?

Enterprise network security engineer

Design layered defense systems — RAW table, IPsec, port knocking, PKI for enterprise network infrastructure.

NOC/SOC engineer

Detect and prevent attacks per OSI layer — DDoS mitigation, intrusion detection, security monitoring.

ISP infrastructure engineer

Protect carrier infrastructure — DDoS mitigation via RAW table, IPsec for interconnection, security hardening for core routers.

Learning Outcomes

01 Plan and implement appropriate security measures suitable for the network

02 Detect and prevent common network attacks

03 Configure advanced firewall including RAW table and bridge filter

04 Deploy PKI and certificates on RouterOS

05 Secure remote connections with IPsec and SSTP

06 Harden RouterOS: port knocking, secure connections, SSH tunneling

Curriculum

01

Introduction

Lab

Attacks, mechanisms, and security deployment

+

Attacks, mechanisms, and services
The most common threats
RouterOS security deployment

02

Firewall

Lab

Advanced firewall: packet flow, RAW table, bridge filter

+

Packet flow diagram
Firewall chains
Stateful firewall
RAW table
SYN flood mitigation using RAW table
RouterOS default configuration
Best practices for management access
Detecting attacks on critical infrastructure services
Bridge filter
Advanced options in firewall filter
ICMP filtering

03

OSI Layer Attacks

Lab

Layer-by-layer attack vectors and prevention

+

MNDP attacks and prevention
DHCP rogue servers, starvation attacks, and prevention
TCP SYN attacks and prevention
UDP attacks and prevention
ICMP Smurf attacks and prevention
FTP, Telnet, and SSH brute-force attacks and prevention
Port scan detection and prevention

04

Cryptography

Lab

Encryption methods, PKI, certificates

+

Introduction to cryptography and terminology
Encryption methods and algorithms
Symmetric and asymmetric cryptography
Public Key Infrastructure (PKI)
Certificates: self-signed and free valid certificates
Using certificates in RouterOS

05

Securing the Router

Lab

Port knocking, secure connections, SSH tunneling

+

Port knocking
Secure connections: HTTPS, SSH, WinBox
Default ports for services
Tunneling through SSH

06

Secure Tunnels

Lab

IPsec, L2TP+IPsec, SSTP with certificates

+

Introduction to IPsec
IPsec architecture and components
L2TP + IPsec configuration
SSTP with certificates

A Training Day at TNA

09:00

Theory — attack analysis per OSI layer, attack vectors Theory

10:00

Lab — attack detection and prevention exercise Lab

10:30

Break (coffee, tea, water) Break

10:45

Theory — firewall RAW table, cryptography, IPsec Theory

11:45

Lab — IPsec tunnel configuration, PKI/certificates Lab

12:30

Lunch (included in course) Break

13:30

Theory — next module Theory

14:30

Lab — comprehensive security hardening exercise Lab

15:00

Break Break

15:15

Theory + lab — final module of the day Theory

16:45

Day recap, open Q&A Theory

17:00

End Break

* Illustrative schedule for a typical day. Actual timing may adjust based on class progress.

Prerequisites

Required knowledge

Valid MTCNA certificate. Understanding of TCP/IP, basic firewall, and the OSI model.

Valid MTCNA certificate

What to bring

- Laptop with Ethernet (RJ45) port and WiFi
- WinBox installed (download from mikrotik.com/download)
- USB-to-Ethernet adapter if laptop lacks RJ45 port

Language

Instruction in Vietnamese. Materials and exam in English. Trainer provides bilingual Vietnamese-English support for technical terminology.

Included in the course

✓ MikroTik RouterBOARD equipment per student throughout the course
✓ Official MikroTik training materials (English)
✓ Lunch and continuous refreshments (coffee, tea, water, snacks)
✓ 1 MikroTik certification exam voucher + 1 free retake
✓ Post-course technical support via community group

Exam & Certification

MTCSE Certification Exam

Format: 25 single/multiple-choice questions
Duration: 60 minutes
Method: Online via MikroTik website, supervised in-class
Allowed resources: Notes, printouts, WinBox/config interface, official MikroTik docs, wiki, IP calculator
Timing: Immediately after course completion
Retake: 1 free retake within training period

Certification

-International MikroTik certification, globally recognized
-Validity: 3 years from exam date
-Renewal: Retake exam to extend by 3 years

Trainer score: 98%

Tier 2 Benefits

-MikroTik Consultants Directory listing (visible on Google)
-Eligible to become a MikroTik Authorized Dealer
-Eligible for Train-the-Trainer program
-MikroTik Latvia refers customers to nearest consultant

Next Steps

-Combine with other Level 2 certifications to broaden expertise

Trainer

Nikita Tarikin

MikroTik Trainer Candidate

MTCNA 100% MTCSE 98% MTCRE 94% MTCUME 94% MTCWE 92% MTCIPv6E 92% MTCTCE 86%

Average: 94% — 7 certifications

Verify at mikrotik.com

Trainer scored 98% on the MTCSE exam — second highest score across 7 certifications. Experience implementing security hardening for enterprises and ISPs in Vietnam.

10,400+ community members on Facebook

Certification Path

Combine MTCSE with MTCTCE (traffic control) or MTCRE (routing) to build comprehensive secure infrastructure

LEVEL 1 · BASIC

LEVEL 2 · ADVANCED

LEVEL 3 · EXTENDED

MTCNA — Network Associate

⬥ Required prerequisite for Level 2 courses

RouterOSFirewallWirelessQoS

MTCRE — Routing Engineer

MTCSE — Security Engineer

FirewallCryptographyIPsec

MTCTCE — Traffic Control Engineer

MTCWE — Wireless Engineer

802.11NstremeWDS

MTCEWE — Enterprise Wireless Engineer

CAPsMANRFSite Survey

MTCSWE — Switching Engineer

MTCUME — User Management Engineer

HotSpotRADIUSPPPoE

MTCIPv6E — IPv6 Engineer

IPv6Dual-stackNDP

MTCINE — InterNetworking Engineer

3 days Extended

ISP-grade certification

MikroTik Certified Trainer

MikroTik Certified Trainer

⬥ MTCNA + any Level 2 certification

★ MTCNA Basic

MTCNA — Network Associate

MikroTik Certified Network Associate · 4 days

RouterOSFirewallWirelessQoSVPN

ROUTING

MTCRE — Routing Engineer

3 days · Requires: MTCNA

OSPFVPNVLANStatic Routing

MTCINE Extended

MTCINE — InterNetworking Engineer

3 days · Requires: MTCNA + MTCRE

SECURITY

MTCSE — Security Engineer

3 days · Requires: MTCNA

FirewallCryptographyIPsecOSI Attacks

TRAFFIC CONTROL

MTCTCE — Traffic Control Engineer

3 days · Requires: MTCNA

HTBQoSManglePacket Flow

WIRELESS

MTCWE — Wireless Engineer

3 days · Requires: MTCNA

802.11NstremeWDSWiFi Security

MTCEWE — Enterprise Wireless Engineer

3 days · Requires: MTCNA

CAPsMANRFSite SurveyEnterprise WiFi

SWITCHING

MTCSWE — Switching Engineer

3 days · Requires: MTCNA

VLANSTPSwOSL2 Security

USER MANAGEMENT

MTCUME — User Management Engineer

3 days · Requires: MTCNA

HotSpotRADIUSPPPoEIPsec

IPV6

MTCIPv6E — IPv6 Engineer

3 days · Requires: MTCNA

IPv6Dual-stackNDPDHCPv6

Trainer

MikroTik Certified Trainer

MikroTik Certified Trainer

⬥ MTCNA + any Level 2 certification

Frequently Asked Questions

How is the RAW table different from regular firewall filter? +

The RAW table processes packets before connection tracking — significantly more efficient for DDoS mitigation as it drops packets early without consuming connection tracking resources. Regular firewall filter processes after connection tracking. MTCSE teaches when to use RAW table vs filter table for each scenario.

How is MTCSE different from the security section in MTCNA? +

MTCNA only introduces basic firewall filter and best practices. MTCSE dives deep into RAW table, IPsec (site-to-site + remote access), PKI/certificates, port knocking, attack analysis per OSI layer, and cryptography. This is the course that builds a complete defense system.

Is IPsec complex? What preparation is needed? +

IPsec has many components (SA, SP, proposals, peers) but the course breaks them down step by step. Preparation: solid VPN concepts from MTCNA, basic understanding of public/private key cryptography. Trainer guides from simple IKEv2 to complex PKI certificates.

Is MTCNA a mandatory prerequisite? +

Yes. A valid MTCNA certificate (not expired, within 3 years) is a mandatory requirement set by MikroTik. No exceptions.

Which certification should I take after MTCSE? +

MTCTCE (traffic control) to combine security with packet flow optimization, MTCRE (routing) to secure routing infrastructure, or MTCUME (user management) to build secure authentication systems. All three leverage advanced firewall knowledge from MTCSE.

What security changes are there in RouterOS v7? +

RouterOS v7 has significant changes: new IPsec configuration, updated firewall structure, and new security features. The course covers both v6 and v7 — the trainer analyzes differences in detail.

Contact us for schedule and pricing

Telegram @tarikin

Zalo +84 342 208 001

Email hello@tarikin.vn

Community: 10,400+ network engineers on Facebook

Next Courses

MTCTCE Intermediate

MTCTCE — Traffic Control Engineer

Bandwidth and traffic management — HTB queues, burst, mangle, packet marking. Optimize network performance.

3 days Req: MTCNA 86%

MTCRE Intermediate

MTCRE — Routing Engineer

Advanced routing — OSPF, MPLS, VPN, routing filters. Design and deploy complex routing infrastructure.

3 days Req: MTCNA 94%

MTCUME Intermediate

MTCUME — User Management Engineer

User management — Hotspot, User Manager, RADIUS, PPP profiles. Build authentication and access management systems.

3 days Req: MTCNA 94%

Suggested Reading

· OSI model and common attack vectors per layer
· Public Key Infrastructure (PKI) basics
· IPsec protocol fundamentals
· RouterOS firewall chain processing order