Securing the LAN - FortiGate solution
October 2006
Nathalie Rivat, nrivat fortinet.com

Agenda
• LAN security challenge
• Deployment scenarios
• FortiGate-224B hardware
• FortiGate-224B features
Threats Inside the Perimeter
• The challenge:
  • Malicious traffic propagates faster on LANs
  • Allow access while maintaining the security of the network for:
    • Outside users and non-managed assets
      • Visitors in lobbies, conference rooms
      • Contractors and partners
    • Corporate users and servers
      • Meeting rooms
      • Mobile assets re-entering the network after connecting to outside networks
[Diagram: visitors, mobile users, contractor workstations, corporate servers, corporate users]
Traditional solutions to secure LANs
• Upgrade switches to traditional NAC for 802.1X services
  • Authentication only
• Consider internal firewalling
  • Inspect inter-switch traffic only
• Deploy inline IPS
  • Identify attacks on uplinks only
  • And mirror traffic to identify threats where IPS is missing
• Add third-party software on hosts to check their security state
• Complex to manage and maintain
• Very expensive
• Still ineffective
  • No intra-switch security
  • No virus detection
[Diagram: Internet, firewall, inline IPS on uplinks, AV, 802.1X switches with port monitoring, each marked $$$$$$; corporate servers, contractors, visitors, mobile users]
Fortinet integrated solution for LAN security
• Provide the same level of security for LAN traffic as is available on the WAN
  • Complete content security
  • Cover the LAN up to the ports where assets are connected
  • Cover all types of threats
• Efficiency
• Simplicity
  • Single device
  • No software on host side
• Cost effectiveness
[Diagram: a single device providing 802.1X, FW, AV and IPS in front of corporate servers, contractors, visitors and mobile users]
FortiGate benefits
• Do not accept compromises on LAN security anymore
  • LAN security was considered too hard to achieve
  • Fortinet now allows you to enforce the most secure approach
    • Deny LAN traffic unless it is specifically authorized and clean of threats
• The only system that allows:
  • Complete perimeter coverage
    • Up to the host port
  • Complete protection
    • Multi-threat protection up to layer 7
  • Meet regulatory requirements

Introducing FortiGate-224B
• Unified range of FortiGate products
  • LAN-dedicated security features added to the FortiGate range*
  • Additional switching hardware available with FortiGate-224B
• Simplified and unified security management
  • Leverage existing product knowledge
  • Reduce operational cost

Agenda
• LAN security challenge
• Deployment scenarios
• FortiGate-224B hardware
• FortiGate-224B features
Deployment scenarios – Open jacks
• Unknown users send traffic to the Internet; FortiGate replies with a portal web page (firewall session authentication)
• Users provide guest access credentials
• FortiGate separates guest and employee traffic, allows Internet access for guests and provides appropriate privileges for contractors and internal users
• FortiGate identifies threats close to the unmanaged hosts and blocks malicious traffic
• FortiGate prevents threats from propagating between open-jack zones
• FortiGate authenticates users when they access the network (802.1X) and provides appropriate access to the network depending on user category
• FortiGate separates visitor, contractor and employee traffic and provides appropriate network access
• FortiGate identifies threats and blocks malicious traffic up to host ports
• FortiGate quarantines infected hosts
[Diagram: Internet, LAN backbone, authentication server; open jacks in meeting rooms, conference rooms and lobbies]
Deployment scenarios – Inside LAN security
• Authenticate users when they access the network (802.1X)
• Separate visitor, contractor and employee traffic and provide appropriate network access depending on user category
• Control host bandwidth usage for egress and ingress traffic
• Identify threats and block malicious traffic up to host ports
• Quarantine infected hosts
[Diagram: Internet, corporate LAN, authentication server; corporate users, contractors, corporate servers]

Deployment scenarios – All in one device for SMB
• Small and medium business
• Combine layer-2 switching hardware with a FortiGate system
  • Layer-2 connectivity for hosts
  • Internet access control
[Diagram: Internet, users, servers]

Agenda
• LAN security challenge
• Deployment scenarios
• FortiGate-224B hardware
• FortiGate-224B features
FortiGate-224B Hardware
• Hardware specifications
  • 24 x 10/100 switch ports
  • 2 x 10/100/1000 switch ports
  • 2 x 10/100 WAN ports
• Performance
  • 4.4 Gbps layer-2 switch performance
  • 150 Mbps firewall throughput
[Diagram: front panel with 2x 10/100 WAN ports and a layer-2 switch with 24x 10/100 switch ports and 2x 10/100/1000 switch ports]
Agenda
• LAN security challenge
• Deployment scenarios
• FortiGate-224B hardware
• FortiGate-224B features
  • Access layer port control
  • Layer-2, Layer-3 switching
  • Quality of Service
  • Complete multi-threat protection

FortiGate Features
• Access Layer Port Control
  • 802.1X authentication
  • Port-based quarantine
• Layer 2/3 Switching
  • Port-based layer-2 forwarding at wire speed
  • 802.1Q VLAN
  • Spanning Tree: STP, RSTP, PVST+
  • 802.3ad Link Aggregation*
  • Layer-3 switching (provided by FortiOS)
  • IGMP snooping
  • Port monitoring
• Quality of Service
  • 802.1P and DSCP support
  • Per-port ingress and egress rate limitation
• Complete multi-threat protection (provided by FortiOS 3.0)
  • Antivirus
  • Intrusion Detection and Prevention
  • Antispyware
  • Antispam
  • Web Content Filtering
  • Firewall
  • IPSec and SSL VPNs

Agenda
• LAN security challenge
• Deployment scenarios
• FortiGate-224B hardware
• FortiGate-224B features
  • Access layer port control
  • Layer-2, Layer-3 switching
  • Quality of Service
  • Complete multi-threat protection
Access control – 802.1X authentication
• Enable 802.1X on a per-port basis
• Support user name / password, certificates
• Define a RADIUS server to check credentials
  • Support RADIUS redundancy
• Optionally use RADIUS to retrieve the user's VLAN ID
  • Port VLAN membership is dynamically reconfigured
[Screenshot: ports move from the unauthorized default state to the authorized state after a successful authentication]
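The port behaviour described on this slide, modelled as an added example (this is not FortiGate code or configuration): a port starts in the unauthorized state, credentials are tried against a list of RADIUS servers in order so that a backup answers when the primary is unreachable, and an Access-Accept moves the port to the authorized state and onto the VLAN the server returns. The VLAN attributes follow RFC 3580 (Tunnel-Type 13, Tunnel-Medium-Type 6, Tunnel-Private-Group-ID); the `RadiusServer` class is an in-memory stand-in with constructed users, not a RADIUS client.

```python
"""Per-port 802.1X authorization flow with RADIUS redundancy and dynamic VLAN.

Added example, not FortiGate code. RadiusServer is an in-memory stand-in
with constructed users; the VLAN attributes follow RFC 3580.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNAUTHORIZED = "unauthorized"
AUTHORIZED = "authorized"


@dataclass
class RadiusServer:
    name: str
    reachable: bool
    users: Dict[str, Tuple[str, Optional[int]]]  # user -> (password, vlan or None)

    def access_request(self, user: str, password: str) -> Optional[dict]:
        """Access-Accept attributes, {} for Access-Reject, None on timeout."""
        if not self.reachable:
            return None
        entry = self.users.get(user)
        if entry is None or entry[0] != password:
            return {}
        reply = {"Code": "Access-Accept"}
        if entry[1] is not None:  # RFC 3580: VLAN assignment via tunnel attributes
            reply.update({"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                          "Tunnel-Private-Group-ID": str(entry[1])})
        return reply


@dataclass
class SwitchPort:
    name: str
    default_vlan: int
    dot1x_enabled: bool = True
    state: str = UNAUTHORIZED
    vlan: int = 0

    def __post_init__(self):
        self.vlan = self.default_vlan
        if not self.dot1x_enabled:
            self.state = AUTHORIZED  # 802.1X off on this port: it simply forwards


def vlan_from_reply(reply: dict) -> Optional[int]:
    """VLAN id from the RFC 3580 tunnel attributes, None if absent or malformed."""
    if reply.get("Tunnel-Type") != 13 or reply.get("Tunnel-Medium-Type") != 6:
        return None
    try:
        return int(reply["Tunnel-Private-Group-ID"])
    except (KeyError, ValueError):
        return None


def authenticate(port: SwitchPort, servers: List[RadiusServer],
                 user: str, password: str) -> str:
    """Check the supplicant's credentials, update the port, return its new state."""
    if not port.dot1x_enabled:
        return port.state
    for server in servers:
        reply = server.access_request(user, password)
        if reply is None:
            continue  # unreachable: fall through to the redundant server
        if reply.get("Code") == "Access-Accept":
            port.state = AUTHORIZED
            vlan = vlan_from_reply(reply)
            port.vlan = vlan if vlan is not None else port.default_vlan
        else:
            port.state = UNAUTHORIZED
            port.vlan = port.default_vlan
        return port.state
    # Every server timed out: fail closed, the port stays unauthorized.
    port.state = UNAUTHORIZED
    port.vlan = port.default_vlan
    return port.state
```

The fail-closed branch matters: when no RADIUS server answers, the port must remain unauthorized on its default VLAN rather than falling open, and a reject must also reset a previously learned VLAN.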
Access Control – Quarantine
• Once users have been authenticated, FortiGate provides controlled access to the network in two modes:
  • Strict mode
    • Clients are initially untrusted
    • Clients cannot access the network before they meet a set of host security criteria
  • Dynamic mode
    • Clients are initially trusted
    • Clients can access the network until they violate the security policy (threats are detected)

Access control – Strict mode
• Clients are initially untrusted
• Prevent access to the network until clients meet a set of conditions
• Define the conditions that the client has to meet in the "client profile"
  • Antivirus state and version
  • Personal firewall state and version
  • Operating system type and version

Access control – Strict mode
• Define on which port this client profile should apply
  • Enable Strict Access on a per-port basis
  • Every port can receive its own client profile, or a profile can apply to multiple ports
• Define the action to take when a host did not pass the security check:
  • Block all traffic
  • Keep client in quarantine
  • Allow traffic but apply a protection profile
  • Ignore host check result and allow traffic
[Screenshot: if "dynamic profile" is selected as an action, this defines which protection profile to use]
Access control – Host check
• The user is required to launch a web browser to initially access the FortiGate web portal
• The host check is automatically executed through ActiveX
  • No need for third-party software on the client side
• The user then submits the result to the FortiGate
[Screenshot: FortiGate intercepts the client web session and replies with the host check portal web page]

Access control – Strict mode
• When FortiGate receives the host check result, it enforces the security by executing the action that the administrator has defined in the strict policy
• A host in quarantine does not need to renew its IP address
  • Port-based VLAN
[Screenshot: firewall check failed, port is quarantined]

Access control – Strict mode
• The administrator is then notified of the host check failure and can take further appropriate decisions
Access control – Dynamic mode
• Clients are initially trusted
• If a security violation occurs, the client is quarantined from the network at large
  • FortiGate detects threats and dynamically moves the port into the quarantine VLAN
• Threats are detected based on Antivirus or IPS scanning
  • This requires the AV/IPS engines to receive traffic
  • Firewall rules must be defined with a protection profile that enables AV and/or IPS services

Access control – Dynamic mode
• Define a dynamic policy that controls:
  • Which event will quarantine hosts
  • Which resources can be reached by quarantined hosts
  • If users can self-remediate
• Assign this policy to a set of ports
[Screenshot: define which security events trigger port quarantine; define web sites that users can access once quarantined; allow users to automatically recover by running a successful host check]

Access control – Dynamic mode
• In addition to the dynamic policy settings, turn on AV/IPS scanning by defining firewall rules and protection profiles
• Scenario 1
  • Inspect traffic between the host VLAN and the WAN interface
[Screenshot: inspect traffic between a VLAN and a WAN port; scan for malicious traffic]

Access control – Dynamic mode
• Scenario 2
  • Inspect traffic between the host VLAN and another VLAN
[Screenshot: inspect traffic between two VLANs; scan for malicious traffic]

Access control – Dynamic mode
• Scenario 3
  • Inspect traffic from the host port to another port inside the same VLAN
[Screenshot: inspect traffic inside a VLAN; scan for malicious traffic]

Access control – Dynamic mode
• Quarantined ports are reassigned to the Quarantine VLAN
  • Hosts do not need to renew their IP address (port-based VLAN)
• Traffic is restricted to resources that have been defined on the web portal
• Once a device is quarantined, it is possible for the user to "self-remediate", allowing the host to participate in the network again
[Screenshot: FortiGate intercepts traffic and replies with the quarantine portal web page; run the host security check for self-remediation]
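The strict-mode and dynamic-mode flows from the preceding slides (client profile, failure action, event-triggered quarantine, restricted resources, self-remediation), combined into one controller as an added example; this is not FortiGate code, and the host-check report keys, action names, event names and the quarantine VLAN id are assumptions chosen for illustration. A strict port starts quarantined and is released only by a passing host check; a dynamic port starts trusted, is moved to the quarantine VLAN by an AV/IPS event listed in its policy, and recovers only through a passing host check when self-remediation is enabled.

```python
"""Port-based quarantine controller for strict and dynamic modes.

Added example, not FortiGate code. Report keys, action names, event names
and QUARANTINE_VLAN are assumptions. The host keeps its IP address across
a quarantine move because the VLAN change is port-based.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BLOCK = "block_all_traffic"                  # strict-mode failure actions
QUARANTINE = "keep_in_quarantine"
ALLOW_WITH_PROFILE = "allow_with_protection_profile"
IGNORE = "ignore_host_check"
QUARANTINE_VLAN = 999                        # assumed quarantine VLAN id


def _ver(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


@dataclass
class ClientProfile:
    min_av_version: str
    require_firewall: bool
    allowed_os: Dict[str, str]               # OS name -> minimum version

    def check(self, report: dict) -> List[str]:
        """Failed criteria for a submitted host-check report ([] = compliant)."""
        failures = []
        if not report.get("av_enabled"):
            failures.append("antivirus disabled")
        elif _ver(report.get("av_version", "0")) < _ver(self.min_av_version):
            failures.append("antivirus out of date")
        if self.require_firewall and not report.get("firewall_enabled"):
            failures.append("personal firewall disabled")
        os_name, os_ver = report.get("os", ("", "0"))
        if os_name not in self.allowed_os or _ver(os_ver) < _ver(self.allowed_os[os_name]):
            failures.append("unsupported operating system")
        return failures


@dataclass
class DynamicPolicy:
    quarantine_events: Set[str]              # e.g. {"virus", "ips"}
    allowed_resources: List[str]             # reachable while quarantined
    self_remediate: bool


@dataclass
class Port:
    name: str
    vlan: int
    mode: str                                # "strict" or "dynamic"
    profile: ClientProfile
    fail_action: str = QUARANTINE
    policy: Optional[DynamicPolicy] = None
    quarantined: bool = field(init=False, default=False)
    blocked: bool = field(init=False, default=False)
    home_vlan: int = field(init=False, default=0)

    def __post_init__(self):
        self.home_vlan = self.vlan
        if self.mode == "strict":            # untrusted until the check passes
            self._quarantine()

    def _quarantine(self):
        self.quarantined, self.vlan = True, QUARANTINE_VLAN

    def _release(self):
        self.quarantined, self.blocked, self.vlan = False, False, self.home_vlan

    def host_check_result(self, report: dict) -> str:
        """Handle a host-check submission from the web portal; return the decision."""
        failures = self.profile.check(report)
        if self.mode == "dynamic":
            if not self.quarantined:
                return "allowed"             # trusted until an event fires
            if not self.policy.self_remediate:
                return "quarantined: self-remediation disabled"
            if failures:
                return "quarantined: " + ", ".join(failures)
            self._release()
            return "remediated"
        if not failures:
            self._release()
            return "allowed"
        if self.fail_action in (BLOCK, QUARANTINE):
            self._quarantine()
            self.blocked = self.fail_action == BLOCK
        else:                                # ALLOW_WITH_PROFILE or IGNORE
            self._release()
        return self.fail_action

    def security_event(self, event: str) -> bool:
        """AV/IPS detection on this port; True if it triggered quarantine."""
        if self.mode == "dynamic" and event in self.policy.quarantine_events:
            self._quarantine()
            return True
        return False

    def can_reach(self, resource: str) -> bool:
        """Quarantined hosts only reach the portal-defined resources."""
        if self.blocked:
            return False
        if not self.quarantined:
            return True
        return resource in (self.policy.allowed_resources if self.policy else [])
```

Note the asymmetry the slides describe: in strict mode a failed check is decisive, while in dynamic mode the check is only consulted after an event has already quarantined the port, so "block all traffic" and "allow with protection profile" are meaningful only in strict mode.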
Agenda
• LAN security challenge
• Deployment scenarios
• FortiGate-224B hardware
• FortiGate-224B features
  • Access layer port control
  • Layer-2, Layer-3 switching
  • Quality of Service
  • Complete multi-threat protection

Switching features
• Port-based L2 forwarding
  • Wire speed
• 802.1Q VLANs
• Link Aggregation*
  • 802.3ad

Switching features – VLAN settings
[Screenshot: define VLAN ID; assign ports to this VLAN; define trunk or access ports]

Switching features – Spanning Tree
• Spanning Tree support
  • STP, RSTP, PVST+
  • Per-port activation

Switching features – IGMP snooping
[Screenshot: turn on IGMP snooping; enable IGMP snooping on a per-VLAN basis]

Switching features – InterVLAN routing
[Screenshot: define a virtual interface on FortiGate that will belong to this VLAN; assign an IP address to this virtual interface; FortiGate is then able to route between its virtual interfaces]

Switching features – SPAN
• Enable port monitoring for ingress and egress traffic independently
Agenda
• LAN security challenge
• Deployment scenarios
• FortiGate-224B hardware
• FortiGate-224B features
  • Access layer port control
  • Layer-2, Layer-3 switching
  • Quality of Service
  • Complete multi-threat protection

QoS – 802.1P class of service
• QoS settings make it possible to prioritize network traffic by type
• Frames on VLAN trunks carry an 802.1P Class of Service (CoS) value
• Prioritize traffic based on 802.1P tagging
[Screenshot: enable prioritization based on 802.1P tagging; for each 802.1P CoS value, select queue-1 through queue-4]

QoS – DSCP class of service
• FortiGate also supports the use of Layer-3 Differentiated Services Code Point (DSCP) values to prioritize traffic
[Screenshot: enable prioritization based on DSCP tagging; for each DSCP value, select queue-1 through queue-4]
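Queue selection from the two markings the QoS slides describe, as an added example rather than the product's own logic: the 3-bit Priority Code Point is read from the 802.1Q tag, the 6-bit DSCP from the IPv4 TOS byte, and per-value tables map each marking onto queue 1 through 4. The default CoS table (0-1 to queue 1, 2-3 to queue 2, 4-5 to queue 3, 6-7 to queue 4) and the "DSCP is consulted before CoS" ordering are assumptions, not FortiGate defaults; `build_frame` constructs sample frames, it does not read captured traffic.

```python
"""Output-queue selection from 802.1p CoS and DSCP markings.

Added example, not FortiGate code. The default CoS table and the
DSCP-before-CoS ordering are assumptions; sample frames are constructed.
"""
import struct
from typing import Dict, Optional

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def parse_frame(frame: bytes) -> dict:
    """Return {'vlan', 'pcp', 'dscp'} for an Ethernet frame (None when absent)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    info = {"vlan": None, "pcp": None, "dscp": None}
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        info["pcp"] = tci >> 13            # Priority Code Point = 802.1p CoS
        info["vlan"] = tci & 0x0FFF        # 12-bit VLAN id
        offset = 18
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        tos = frame[offset + 1]            # second byte of the IPv4 header
        info["dscp"] = tos >> 2            # DSCP is the top 6 bits of TOS
    return info


def default_cos_map() -> Dict[int, int]:
    """Assumed mapping of the eight CoS values onto queues 1..4."""
    return {cos: 1 + cos // 2 for cos in range(8)}


def queue_for(frame: bytes, cos_map: Dict[int, int], dscp_map: Dict[int, int],
              dscp_first: bool = True, default_queue: int = 1) -> int:
    """Pick the output queue; unmapped or unmarked frames use default_queue."""
    info = parse_frame(frame)
    order = [(dscp_map, info["dscp"]), (cos_map, info["pcp"])]
    if not dscp_first:
        order.reverse()
    for table, value in order:
        if value is not None and value in table:
            return table[value]
    return default_queue


def build_frame(vlan: Optional[int] = None, pcp: int = 0,
                dscp: Optional[int] = None) -> bytes:
    """Constructed sample frame: optional 802.1Q tag, then IPv4 (with DSCP) or ARP."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("0200c0ffee01")
    if dscp is not None:
        # Minimal 20-byte IPv4 header: version/IHL, TOS, length, id, flags,
        # TTL, protocol (UDP), checksum, source, destination (constructed).
        ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17,
                                0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        ethertype, payload = ETHERTYPE_IPV4, ip_header
    else:
        ethertype, payload = ETHERTYPE_ARP, bytes(28)
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)
        return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload
    return dst + src + struct.pack("!H", ethertype) + payload
```

Both markings are set by the sender, so a queue table is a trust decision: on ports facing visitors or contractors, the map should collapse unknown or high values into a low queue rather than honouring them.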
QoS – Rate limiting
• Control rate limiting on a per-port basis
• Define the amount of bandwidth allowed for incoming and outgoing traffic
[Screenshot: select the type of traffic to be rate limited:]
  • Broadcast (B)
  • B + Multicast (M)
  • B + M + Flooded Unicast (FU)
  • B + M + FU + Unicast
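The per-port, per-direction limit with the four cumulative traffic-type selections from this slide, modelled as an added example (not FortiGate code): a token bucket per direction enforces the configured rate, and only frames whose class falls inside the selected scope are subject to it. The token-bucket shaping and the burst size are assumptions; the scope definitions follow the slide. Destination MACs are classified from their bits, with a unicast address counting as "flooded" when the MAC table has no entry for it.

```python
"""Per-port ingress/egress rate limiting scoped to B, B+M, B+M+FU or B+M+FU+U.

Added example, not FortiGate code. Token-bucket shaping and burst size are
assumptions; the cumulative scopes follow the slide.
"""
from collections import defaultdict
from typing import Dict, Set

BROADCAST, MULTICAST = "broadcast", "multicast"
FLOODED_UNICAST, UNICAST = "flooded_unicast", "unicast"

LIMIT_SCOPES: Dict[str, Set[str]] = {
    "B": {BROADCAST},
    "B+M": {BROADCAST, MULTICAST},
    "B+M+FU": {BROADCAST, MULTICAST, FLOODED_UNICAST},
    "B+M+FU+U": {BROADCAST, MULTICAST, FLOODED_UNICAST, UNICAST},
}


def classify(dst_mac: bytes, known_macs: Set[bytes]) -> str:
    """Traffic class of a frame from its destination MAC and the MAC table."""
    if dst_mac == b"\xff" * 6:
        return BROADCAST
    if dst_mac[0] & 0x01:                 # I/G bit set: group address
        return MULTICAST
    return UNICAST if dst_mac in known_macs else FLOODED_UNICAST


class TokenBucket:
    """Bytes-per-second bucket; a frame is admitted only if tokens cover its size."""

    def __init__(self, rate_kbps: int, burst_bytes: int):
        self.rate = rate_kbps * 1000 / 8.0  # bytes per second
        self.capacity = float(burst_bytes)
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def admit(self, size: int, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class PortRateLimiter:
    """One limiter per switch port with independent ingress and egress rates."""

    def __init__(self, scope: str, ingress_kbps: int, egress_kbps: int,
                 burst_bytes: int = 1518):
        self.scope = LIMIT_SCOPES[scope]
        self.buckets = {"ingress": TokenBucket(ingress_kbps, burst_bytes),
                        "egress": TokenBucket(egress_kbps, burst_bytes)}
        self.dropped = defaultdict(int)   # per-class drop counters

    def forward(self, direction: str, dst_mac: bytes, size: int,
                now: float, known_macs: Set[bytes]) -> bool:
        """True if the frame is forwarded, False if the rate limit drops it."""
        cls = classify(dst_mac, known_macs)
        if cls not in self.scope:
            return True                   # out of scope: never rate limited
        if self.buckets[direction].admit(size, now):
            return True
        self.dropped[cls] += 1
        return False
```

The "B" and "B+M" scopes are the ones that contain a broadcast or multicast storm from a single open-jack port without touching the host's ordinary unicast traffic; the per-class drop counters are what an operator would watch to tell a storm from a legitimately busy host.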
Agenda
• LAN security challenge
• Deployment scenarios
• FortiGate-224B hardware
• FortiGate-224B features
  • Access layer port control
  • Layer-2, Layer-3 switching
  • Quality of Service
  • Complete multi-threat protection

Multi-threat protection
• Complete multi-threat protection
  • Firewall/VPN
  • Antivirus
  • Antispyware
  • Intrusion Prevention
  • Web Content Filtering
  • Antispam
• Based on FortiOS 3.0

Inspection perimeter
• Traffic is inspected:
  • Between VLANs
  • Inside VLANs
  • When it is sent to WAN ports
[Diagram: layer-2 switch with VLAN 10, VLAN 20 and VLAN 30; inter-VLAN traffic inspection, intra-VLAN traffic inspection with secure port, WAN traffic inspection at the WAN port]