FortiGate-224B Hardware

Oct 26, 2013



Securing the LAN - FortiGate solution

October 2006

Nathalie Rivat
nrivat fortinet.com

Agenda

- LAN security challenge
- Deployment scenarios
- FortiGate-224B hardware
- FortiGate-224B features
  - Access layer port control
  - Layer-2, Layer-3 switching
  - Quality of Service
  - Complete multi-threat protection

Threats Inside the Perimeter

The challenge:
- Malicious traffic propagates faster on LANs
- Allow access while maintaining the security of the network for:
  - Outside users and non-managed assets
    - Visitors in lobbies, conference rooms
    - Contractors and partners
  - Corporate users and servers
    - Meeting rooms
    - Mobile assets re-entering the network after connecting to outside networks

[Diagram: mobile users, visitors, contractor workstations, corporate servers and corporate users sharing the LAN]

Traditional solutions to secure LANs

- Upgrade switches to traditional NAC for 802.1X services
  - Authentication only
- Consider internal firewalling
  - Inspect inter-switch traffic only
- Deploy inline IPS
  - Identify attacks on uplinks only
  - And mirror traffic to identify threats where IPS is missing
- Add third-party software on hosts to check their security implementation

- Complex to manage and maintain
- Very expensive
- Still ineffective
  - No intra-switch security
  - No virus detection

[Diagram: separate IPS and AV devices deployed across the LAN]

Fortinet integrated solution for LAN security

- Provide the same level of security for LAN traffic as is available on the WAN
  - Complete content security
  - Cover the LAN up to the ports where assets are connected
  - Cover all types of threats
- Efficiency
- Simplicity
  - Single device
  - No software on host side
- Cost effectiveness

[Diagram: 802.1X, FW, AV and IPS functions combined in one device]

FortiGate benefits

- Do not accept compromises on LAN security anymore
  - LAN security was considered too hard to achieve
  - Fortinet now allows you to enforce the most secure approach
    - Deny LAN traffic, unless it is specifically authorized and clean of threats
- The only system that allows:
  - Complete perimeter coverage
    - Up to the host port
  - Complete protection
    - Multi-threat protection up to layer-7
  - Meet regulatory requirements

FortiGate benefits

Control at the edge who is allowed to access the network
- Network admission control:
  - Provide network access to authenticated users
  - Validate the security level of the asset
  - Control network resources that users can reach
  - Validate traffic through firewall inspection

Enforce security policy at the network access layer before malicious traffic has an opportunity to spread through the network
- Secure traffic inside and between VLANs
- Detect & block malicious traffic at the port level
- Quarantine infected assets

Reduced complexity and cost by combining many network functions into a single solution
- Enhanced network security through the combination of FortiOS security with layer 2 switching hardware
- Lowered operational overhead and expense through automated responses and self-remediation options

Introducing FortiGate-224B

- Unified range of FortiGate products
  - LAN dedicated security features added to the FortiGate range*
  - Additional switching hardware available with FortiGate-224B
- Simplified and unified security management
  - Leverage existing product knowledge
  - Reduce operational cost


Deployment scenarios

Open jacks
- Unknown users send traffic to the Internet; FortiGate replies with a portal web page (firewall session authentication)
- Users provide guest access credentials
- FortiGate separates guest and employee traffic, allows Internet access for guests and provides appropriate privileges for contractors and internal users
- FortiGate identifies threats close to the unmanaged hosts and blocks malicious
- FortiGate prevents threats from propagating between open jack zones

- FortiGate authenticates users when they access the network (802.1X) and provides appropriate access to the network depending on user category
- FortiGate separates visitor, contractor and employee traffic and provides appropriate network access
- FortiGate identifies threats and blocks malicious traffic up to host ports
- FortiGate quarantines infected hosts

Deployment scenarios

Inside LAN security
- Authenticate users when they access the network (802.1X)
- Separate visitor, contractor and employee traffic and provide appropriate network access depending on user category
- Control host bandwidth usage for egress and ingress traffic
- Identify threats and block malicious traffic up to host ports
- Quarantine infected hosts

[Diagram: corporate LAN, authentication server, Internet]

Deployment scenarios

All in one device for SMB
- Small and medium business
- Combine layer-2 switching hardware with a FortiGate system
  - Layer-2 connectivity for hosts
  - Internet access control

[Diagram: SMB LAN with Internet uplink]

FortiGate-224B Hardware

Hardware specifications
- 24 x 10/100 switch ports
- 2 x 10/100/1000 switch ports
- 2 x 10/100 WAN ports

Performance
- 4.4 Gbps layer 2 switch performance
- 150 Mbps firewall throughput

[Diagram: front panel with 24x 10/100 switch ports, 2x 10/100/1000 switch ports and 2x 10/100 WAN ports on the layer-2 switch]

FortiGate Features

- Access Layer Port Control
  - 802.1X authentication
  - Port-based quarantine
- Layer 2/3 Switching
  - Port-based layer 2 forwarding at wire-speed
  - 802.1Q VLAN
  - Spanning Tree
    - STP, RSTP, PVST+
  - 802.3ad Link Aggregation*
  - Layer 3 switching
    - Provided by FortiOS
  - IGMP snooping
  - Port monitoring
- Quality of Service
  - 802.1P and DSCP support
  - Per port ingress and egress rate limitation
- Complete multi-threat protection
  - Provided by FortiOS 3.0
  - Antivirus
  - Intrusion Detection and Prevention
  - Antispyware
  - Antispam
  - Web Content Filtering
  - Firewall
  - IPSec and SSL VPNs

Access control

802.1X authentication
- Enable 802.1X on a per-port basis
- Support user name / password, certificates
- Define a RADIUS server to check credentials
- Support RADIUS redundancy
- Optionally use RADIUS to retrieve the user's VLAN ID
  - Port VLAN membership is dynamically reconfigured

[Screenshot callout: ports move from the unauthorized default state to the authorized state after a successful authentication]

Access Control

Quarantine
- Once users have been authenticated, FortiGate provides controlled access to the network in two modes:
  - Strict mode
    - Clients are initially untrusted
    - Clients cannot access the network before they meet a set of host security criteria
  - Dynamic mode
    - Clients are initially trusted
    - Clients can access the network until they violate the security policy (threats are detected)

Access control

Strict mode
- Clients are initially untrusted
- Prevent access to the network until clients meet a set of conditions
- Define the conditions that the client has to meet in the "client profile":
  - Antivirus state and version
  - Personal firewall state and version
  - Operating system type and version

Access control

Strict mode
- Define on which ports this client profile should apply
  - Enable Strict Access on a per-port basis
  - Every port can receive its own client profile, or a profile can apply to multiple ports
- Define the action to take when a host does not pass the security check:
  - Block all traffic
  - Keep client in quarantine
  - Allow traffic but apply a protection profile
  - Ignore host check result and allow traffic

[Screenshot callout: if Dynamic profile is selected as an action, this defines which protection profile to use]

Access control

Host check
- The user is required to launch a web browser to initially access the FortiGate web portal
- The host check is automatically executed through ActiveX
  - No need for third-party software on the client side
- The user then submits the result to the FortiGate

[Screenshot callout: FortiGate intercepts the client web session and replies with the host check portal web page]

Access control

Strict mode
- When FortiGate receives the host check result, it enforces the security by executing the action that the administrator has defined in the strict policy
- A host in quarantine does not need to renew its IP address
  - Port-based VLAN

[Diagram: firewall check failed, port is quarantined]

Access control

Strict mode
- The administrator is then notified of the host check failure and can take further action as appropriate

Access control

Dynamic mode
- Clients are initially trusted
- If a security violation occurs, the client is quarantined from the network at large
  - FortiGate detects threats and dynamically moves the port into the quarantine VLAN
- Threats are detected based on Antivirus or IPS scanning
  - This requires the AV/IPS engines to receive traffic
  - Firewall rules must be defined with a protection profile that enables AV and/or IPS services

Access control

Dynamic mode
- Define a dynamic policy that controls:
  - Which event will quarantine hosts
  - Which resources can be reached by quarantined hosts
  - If users can self-remediate
- Assign this policy to a set of ports

[Screenshot callouts: define which security events trigger port quarantine; define web sites that users can access once quarantined; allow users to automatically recover by running a successful host check]

Access control

Dynamic mode
- In addition to the dynamic policy settings, turn on AV/IPS scanning by defining firewall rules and protection profiles
- Scenario 1: inspect traffic between the host VLAN and the WAN interface
  [Diagram: scan for malicious traffic; inspect traffic between a VLAN and a WAN port]
- Scenario 2: inspect traffic between the host VLAN and another VLAN
  [Diagram: scan for malicious traffic; inspect traffic between two VLANs]
- Scenario 3: inspect traffic from the host port to another port inside the same VLAN
  [Diagram: scan for malicious traffic; inspect traffic inside a VLAN]

Access control

Dynamic mode
- Quarantined ports are reassigned to the Quarantine VLAN
  - Hosts do not need to renew their IP address (port-based VLAN)
- Traffic is restricted to resources that have been defined on the web portal
- Once a device is quarantined, it is possible for the user to "self remediate", allowing them to participate in the network again

[Screenshot callouts: FortiGate intercepts traffic and replies with the quarantine portal web page; run the host security check for self-remediation]
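A constructed model of the port access-control flow these slides describe (802.1X authorization with a RADIUS-supplied VLAN, the strict-mode host check with its four fail actions, dynamic-mode quarantine on an AV/IPS event, and self-remediation), added here as an example; it is not FortiOS code, and the quarantine VLAN id, state names, version thresholds and the shape of the host-check result are assumptions.

```python
from dataclasses import dataclass
QUARANTINE_VLAN = 999   # assumed id of the quarantine VLAN (not given in the slides)
# Strict-mode fail actions from the slides; "protect" allows traffic under a protection profile
FAIL_STATE = {"block": "BLOCKED", "quarantine": "QUARANTINED",
              "protect": "AUTHORIZED", "ignore": "AUTHORIZED"}

@dataclass
class ClientProfile:            # strict-mode "client profile"
    min_av: int                 # minimum antivirus version
    min_fw: int                 # minimum personal firewall version
    allowed_os: frozenset       # accepted operating system types
    fail_action: str            # key of FAIL_STATE

@dataclass
class Port:
    mode: str                   # "strict" (untrusted first) or "dynamic" (trusted first)
    profile: ClientProfile
    self_remediate: bool = True # dynamic policy: may the user recover via a host check?
    state: str = "UNAUTHORIZED" # 802.1X default state
    user_vlan: int = 0          # VLAN returned by RADIUS at authentication time

    def vlan(self) -> int:
        # Port-based VLAN: quarantine re-homes the port; the host keeps its IP address.
        return QUARANTINE_VLAN if self.state == "QUARANTINED" else self.user_vlan

def host_check_ok(p: ClientProfile, r: dict) -> bool:
    return (r["av_on"] and r["av_ver"] >= p.min_av and r["fw_on"]
            and r["fw_ver"] >= p.min_fw and r["os"] in p.allowed_os)

def authenticate(port: Port, radius_ok: bool, radius_vlan: int) -> str:
    if radius_ok:               # 802.1X success: RADIUS may also return the VLAN id
        port.user_vlan = radius_vlan
        port.state = "HOST_CHECK" if port.mode == "strict" else "AUTHORIZED"
    return port.state

def submit_host_check(port: Port, result: dict) -> str:  # portal result: gate or self-remediation
    if port.state not in ("HOST_CHECK", "QUARANTINED") or (
            port.state == "QUARANTINED" and not port.self_remediate):
        return port.state       # nothing pending, or self-remediation not allowed
    if host_check_ok(port.profile, result):
        port.state = "AUTHORIZED"
    else:                       # dynamic mode has no action list: stay quarantined
        act = port.profile.fail_action if port.mode == "strict" else "quarantine"
        port.state = FAIL_STATE[act]
    return port.state

def security_event(port: Port, engine: str) -> str:  # dynamic mode: AV/IPS hit quarantines the port
    if port.mode == "dynamic" and port.state == "AUTHORIZED" and engine in ("av", "ips"):
        port.state = "QUARANTINED"
    return port.state
```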

Switching features

- Port-based L2 forwarding
  - Wirespeed
- 802.1Q VLANs
- Link Aggregation*
  - 802.3ad

Switching features

VLAN settings

[Screenshot callouts: define trunk or access ports; define VLAN ID; assign ports to this VLAN]

Switching features

Spanning Tree
- Spanning Tree support
  - STP, RSTP, PVST+
- Per-port activation

Switching features

IGMP snooping

[Screenshot callouts: turn on IGMP snooping; enable IGMP snooping on a per-VLAN basis]

Switching features

InterVLAN routing

[Screenshot callouts: define a virtual interface on FortiGate that will belong to this VLAN; assign an IP address to this virtual interface; FortiGate is then able to route between its virtual interfaces]

Switching features

SPAN
- Enable port monitoring for ingress and egress traffic independently

QoS

802.1P class of service
- QoS settings prioritize network traffic by type
- VLAN trunk frames carry an 802.1P Class of Service (CoS) value
- Prioritize traffic based on 802.1P tagging

[Screenshot callouts: enable prioritization based on 802.1P tagging; for each 802.1P CoS value, select queue-1 through queue-4]

QoS

DSCP class of service
- FortiGate also supports the use of Layer-3 Differentiated Services Code Point (DSCP) values to prioritize traffic

[Screenshot callouts: enable prioritization based on DSCP tagging; for each DSCP value, select queue-1 through queue-4]

QoS

Rate limiting
- Control rate limiting on a per-port basis
- Define the amount of bandwidth allowed for incoming and outgoing traffic
- Select the type of traffic to be rate limited:
  - Broadcast (B)
  - B + Multicast (M)
  - B + M + Flooded Unicast (FU)
  - B + M + FU + Unicast
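A constructed model of the QoS and rate-limiting decisions in these slides, added as an example rather than Fortinet's code: it parses a sample 802.1Q/IPv4 frame, maps its 802.1P CoS or DSCP value to queue 1 through 4, and decides whether the frame's traffic class falls under the selected per-port rate-limit type. The CoS/DSCP-to-queue tables, the precedence of 802.1P over DSCP, and the sample MAC addresses are assumptions.

```python
import struct

BROADCAST = b"\xff" * 6
# Assumed admin configuration: CoS value (0-7) and DSCP value -> queue 1..4
COS_TO_QUEUE = {0: 1, 1: 1, 2: 2, 3: 2, 4: 3, 5: 3, 6: 4, 7: 4}
DSCP_TO_QUEUE = {0: 1, 10: 2, 26: 3, 46: 4}          # BE, AF11, AF31, EF; others -> 1
# The rate-limit types in the slides are cumulative: B, B+M, B+M+FU, B+M+FU+U
RATE_LIMIT_TYPES = {"B": 1, "B+M": 2, "B+M+FU": 3, "B+M+FU+U": 4}
FRAME_CLASS_RANK = {"broadcast": 1, "multicast": 2, "flooded_unicast": 3, "unicast": 4}

def build_frame(dst: bytes, vid=None, pcp=0, dscp=0) -> bytes:
    """Constructed sample frame: Ethernet [+ 802.1Q tag] + minimal IPv4 header."""
    src = bytes.fromhex("001122334455")                # constructed source MAC
    ip = bytes([0x45, dscp << 2]) + b"\x00" * 18       # version/IHL, TOS, rest zeroed
    if vid is None:
        return dst + src + b"\x08\x00" + ip
    tci = (pcp << 13) | vid                            # PCP(3) DEI(1) VID(12)
    return dst + src + b"\x81\x00" + struct.pack("!H", tci) + b"\x08\x00" + ip

def parse_frame(frame: bytes) -> dict:
    """Extract dst MAC, 802.1P PCP (trunk frames only) and IPv4 DSCP (if present)."""
    dst, ethertype, pcp, off = frame[:6], struct.unpack("!H", frame[12:14])[0], None, 14
    if ethertype == 0x8100:
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp, ethertype, off = tci >> 13, struct.unpack("!H", frame[16:18])[0], 18
    dscp = frame[off + 1] >> 2 if ethertype == 0x0800 else None   # TOS byte >> 2
    return {"dst": dst, "pcp": pcp, "dscp": dscp}

def classify(dst: bytes, mac_table: set) -> str:
    """Broadcast, multicast, flooded unicast (unknown dst) or known unicast."""
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 1:
        return "multicast"
    return "unicast" if dst in mac_table else "flooded_unicast"

def select_queue(info: dict, use_cos: bool, use_dscp: bool) -> int:
    """Queue choice; 802.1P is assumed to take precedence over DSCP when both apply."""
    if use_cos and info["pcp"] is not None:
        return COS_TO_QUEUE[info["pcp"]]
    if use_dscp and info["dscp"] is not None:
        return DSCP_TO_QUEUE.get(info["dscp"], 1)
    return 1

def is_rate_limited(frame_class: str, port_type: str) -> bool:
    """True if the port's rate-limit type covers this class of traffic."""
    return FRAME_CLASS_RANK[frame_class] <= RATE_LIMIT_TYPES[port_type]
```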

Multi-threat protection

Complete multi-threat protection
- Firewall/VPN
- Antivirus
- Antispyware
- Intrusion Prevention
- Web Content Filtering
- Antispam
- Based on FortiOS 3.0

Inspection perimeter

Traffic is inspected:
- Between VLANs
- Inside VLANs
- When it is sent to WAN ports

[Diagram: layer-2 switch with VLAN 10, VLAN 20 and VLAN 30; intra-VLAN traffic inspection with secure port, inter-VLAN traffic inspection, and WAN traffic inspection on the WAN port]



Questions?