Securing the LAN - FortiGate solution - PowerPoint PPT Presentation


1
Securing the LAN - FortiGate solution
  • October 2006
  • Nathalie Rivat
  • nrivat fortinet.com

2
Agenda
  • LAN security challenge
  • Deployment scenarios
  • FortiGate-224B hardware
  • FortiGate-224B features

3
Threats Inside the Perimeter
  • The challenge
  • Malicious traffic propagates faster on LANs
  • Allow access while maintaining the security of
    the network for
  • Outside users and non-managed assets
  • Visitors in lobbies, conference rooms
  • Contractors and partners
  • Corporate users and servers
  • Meeting rooms
  • Mobile assets re-entering the network after
    connecting to outside networks

(Diagram labels: VISITORS, MOBILE USERS, CONTRACTOR WORKSTATIONS, CORPORATE SERVERS, CORPORATE USERS)
4
Traditional solutions to secure LANs
  • Upgrade switches to traditional NAC for 802.1X
    services
  • Authentication only
  • Consider internal firewalling
  • Inspect inter-switch traffic only
  • Deploy inline IPS
  • Identify attacks on uplinks only
  • And mirror traffic to identify threats where IPS
    is missing
  • Add third-party software on hosts to check their
    security posture
  • Complex to manage and maintain
  • Very expensive
  • Still ineffective
  • No intra-switch security
  • No virus detection





(Diagram labels: FW, CORPORATE SERVERS, CONTRACTORS, VISITORS, MOBILE USERS)
5
Fortinet integrated solution for LAN security
  • Provide the same level of security for LAN
    traffic
  • As is available on the WAN
  • Complete content security
  • Cover the LAN up to the ports where assets are
    connected
  • Cover all types of threats
  • Efficiency
  • Simplicity
  • Single device
  • No software on host side
  • Cost effectiveness

(Diagram labels: 802.1X FW AV IPS, CORPORATE SERVERS, CONTRACTORS, VISITORS, MOBILE USERS)
6
FortiGate benefits
  • Do not accept compromises on LAN security anymore
  • LAN security was considered too hard to achieve
  • Fortinet now allows you to enforce the most
    secure approach
  • Deny LAN traffic, unless it is specifically
    authorized and clean of threats
  • The only system that allows
  • Complete perimeter coverage
  • Up to the host port
  • Complete protection
  • Multi-threat protection up to layer-7
  • Meet regulatory requirements

7
FortiGate benefits
  • Control at the edge who is allowed to access the
    network
  • Network admission control
  • Provide network access to authenticated users
  • Validate the security level of the asset
  • Control network resources that users can reach
  • Validate traffic through firewall inspection
  • Enforce security policy at the network access
    layer before malicious traffic has an opportunity
    to spread through the network
  • Secure traffic inside and between VLANs
  • Detect and block malicious traffic at the port
    level
  • Quarantine infected assets
  • Reduced complexity and cost by combining many
    network functions into a single solution
  • Enhanced network security through the combination
    of FortiOS security with layer 2 switching
    hardware
  • Lowered operational overhead and expense through
    automated responses and self-remediation options
8
Introducing FortiGate-224B
  • Unified range of FortiGate products
  • LAN-dedicated security features added to the
    FortiGate range
  • Additional switching hardware available with
    FortiGate-224B
  • Simplified and unified security management
  • Leverage existing product knowledge
  • Reduce operational cost

9
Agenda
  • LAN security challenge
  • Deployment scenarios
  • FortiGate-224B hardware
  • FortiGate-224B features

10
Deployment scenarios Open jacks
(Diagram labels: AUTHENTICATION SERVER, LAN BACKBONE, MEETING ROOMS, CONFERENCE ROOMS, LOBBIES)
  • Unknown users send traffic to the Internet,
    FortiGate replies with a portal web page (fw
    session auth)
  • Users provide guest access credentials
  • FortiGate separates guest and employee traffic
    and allows Internet access for guests and provides
    appropriate privileges for contractors and
    internal users
  • FortiGate identifies threats close to the
    unmanaged hosts and blocks malicious traffic
  • FortiGate prevents threats from propagating
    between open jack zones
  • FortiGate authenticates users when they access
    the network (802.1X) and provides appropriate
    access to the network depending on user category
  • FortiGate separates visitor, contractor and
    employee traffic and provides appropriate network
    access
  • FortiGate identifies threats and blocks malicious
    traffic up to host ports
  • FortiGate quarantines infected hosts

11
Deployment scenarios Inside LAN security
(Diagram labels: CORPORATE LAN, AUTHENTICATION SERVER, CORPORATE USERS, CONTRACTORS, CORPORATE SERVERS)
  • Authenticate users when they access the network
    (802.1X)
  • Separate visitor, contractor and employee
    traffic and provide appropriate network access
    depending on user category
  • Control host bandwidth usage for egress and
    ingress traffic
  • Identify threats and block malicious traffic up
    to host ports
  • Quarantine infected hosts

12
Deployment scenarios All in one device for SMB
(Diagram labels: USERS, SERVERS)
  • Small and medium business
  • Combine layer-2 switching hardware with a
    FortiGate system
  • Layer-2 connectivity for hosts
  • Internet access control

13
Agenda
  • LAN security challenge
  • Deployment scenarios
  • FortiGate-224B hardware
  • FortiGate-224B features

14
FortiGate-224B Hardware
  • Hardware specifications
  • 24 x 10/100 switch ports
  • 2 x 10/100/1000 switch ports
  • 2 x 10/100 wan ports
  • Performance
  • 4.4 Gbps layer 2 switch performance
  • 150 Mbps firewall throughput

(Diagram labels: 2x 10/100 WAN PORTS, LAYER-2 SWITCH, 24x 10/100 SWITCH PORTS, 2x 10/100/1000 SWITCH PORTS)
15
Agenda
  • LAN security challenge
  • Deployment scenarios
  • FortiGate-224B hardware
  • FortiGate-224B features
  • Access layer port control
  • Layer-2, Layer-3 switching
  • Quality of Service
  • Complete multi-threat protection

16
FortiGate Features
  • Access Layer Port Control
  • 802.1X authentication
  • Port-based quarantine
  • Layer 2/3 Switching
  • Port-based layer 2 forwarding at wire-speed
  • 802.1Q VLAN
  • Spanning Tree
  • STP, RSTP, PVST
  • 802.3ad Link Aggregation
  • Layer 3 switching
  • Provided by FortiOS
  • IGMP snooping
  • Port monitoring
  • Quality of service
  • 802.1P and DSCP support
  • Per-port ingress and egress rate limiting
  • Complete multi-threat protection
  • Provided by FortiOS 3.0
  • Antivirus
  • Intrusion Detection and Prevention
  • Antispyware
  • Antispam
  • Web Content Filtering
  • Firewall
  • IPSec and SSL VPNs

17
Agenda
  • LAN security challenge
  • Deployment scenarios
  • FortiGate-224B hardware
  • FortiGate-224B features
  • Access layer port control
  • Layer-2, Layer-3 switching
  • Quality of Service
  • Complete multi-threat protection

18
Access control 802.1X authentication
  • Enable 802.1X on a per-port basis
  • Support user name / password, certificates
  • Define a Radius server to check credentials
  • Support Radius redundancy
  • Optionally use Radius to retrieve the user's VLAN ID
  • Port VLAN membership is dynamically reconfigured

PORTS WILL MOVE FROM THE UNAUTHORIZED DEFAULT STATE TO THE AUTHORIZED STATE AFTER A SUCCESSFUL AUTHENTICATION
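The slide describes the 802.1X port moving from the unauthorized default state to the authorized state after a successful authentication, with the RADIUS server optionally returning the user's VLAN ID. The Python below is an added model written for this page, not FortiGate or FortiOS code: it builds a constructed RADIUS Access-Accept, verifies the Response Authenticator against the shared secret before trusting it, extracts the VLAN from the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes, and decides the port state. The shared secret, Request Authenticator, packet identifiers, VLAN 30 and default VLAN 10 are all constructed sample values.

```python
import hashlib
import struct

# RADIUS codes and attribute numbers (RFC 2865 / RFC 2868).
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def parse_attributes(data):
    """Split the attribute section into (type, value) pairs, rejecting malformed TLVs."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def strip_tag(value):
    """Tagged attribute (RFC 2868): a leading octet in 0x00..0x1F is the tag, not data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def verify_response(packet, request_authenticator, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return expected == packet[4:20]


def vlan_from_accept(attrs):
    """Return the VLAN ID only when Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and a Group-ID agree."""
    by_tag = {}
    for atype, value in attrs:
        if atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID):
            tag, body = strip_tag(value)
            by_tag.setdefault(tag, {})[atype] = body
    for fields in by_tag.values():
        ttype = fields.get(ATTR_TUNNEL_TYPE)
        medium = fields.get(ATTR_TUNNEL_MEDIUM_TYPE)
        group = fields.get(ATTR_TUNNEL_PRIVATE_GROUP_ID)
        if ttype is None or medium is None or group is None:
            continue
        if int.from_bytes(ttype, "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(medium, "big") != TUNNEL_MEDIUM_IEEE802:
            continue
        try:
            vid = int(group.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            continue
        if 1 <= vid <= 4094:
            return vid
    return None


def decide_port(packet, request_authenticator, secret, default_vlan):
    """Port stays unauthorized unless a verified Access-Accept arrives; VLAN comes from RADIUS or the default."""
    if not verify_response(packet, request_authenticator, secret):
        return {"state": "unauthorized", "vlan": None, "reason": "authenticator mismatch"}
    code = packet[0]
    if code != ACCESS_ACCEPT:
        reason = "access rejected" if code == ACCESS_REJECT else "unexpected code"
        return {"state": "unauthorized", "vlan": None, "reason": reason}
    vid = vlan_from_accept(parse_attributes(packet[20:]))
    return {"state": "authorized", "vlan": default_vlan if vid is None else vid, "reason": "ok"}


def build_response(code, ident, attrs, request_authenticator, secret):
    """Constructed sample: assemble and sign a RADIUS response the way a server would."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + auth + body


SECRET = b"example-shared-secret"   # constructed
REQ_AUTH = bytes(range(16))         # constructed Request Authenticator from the Access-Request
VLAN30_ATTRS = [
    (ATTR_TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
    (ATTR_TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
    (ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"30"),
]
ACCEPT_VLAN30 = build_response(ACCESS_ACCEPT, 7, VLAN30_ATTRS, REQ_AUTH, SECRET)
ACCEPT_NO_VLAN = build_response(ACCESS_ACCEPT, 8, [], REQ_AUTH, SECRET)
REJECT = build_response(ACCESS_REJECT, 9, [], REQ_AUTH, SECRET)

if __name__ == "__main__":
    for name, pkt in (("accept+vlan", ACCEPT_VLAN30), ("accept", ACCEPT_NO_VLAN), ("reject", REJECT)):
        print(name, decide_port(pkt, REQ_AUTH, SECRET, default_vlan=10))
```

Two points the model makes explicit: the authenticator is checked before the code byte is even read, so an Access-Accept that was not produced with the shared secret leaves the port unauthorized; and the VLAN is taken only from a complete, consistent Tunnel triple, so a malformed or partial attribute set falls back to the port's default VLAN rather than to an arbitrary one.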
19
Access Control Quarantine
  • Once users have been authenticated, FortiGate
    provides controlled access to the network in two
    modes
  • Strict mode
  • Clients are initially untrusted
  • Clients cannot access the network before they
    meet a set of security host criteria
  • Dynamic mode
  • Clients are initially trusted
  • Clients can access the network until they violate
    the security policy (threats are detected)

20
Access control Strict mode
  • Clients are initially untrusted
  • Prevent access to the network until clients meet
    a set of conditions
  • Define the conditions that the client has to
    meet in the "client profile"
  • Antivirus state and version
  • Personal firewall state and version
  • Operating system type and version

21
Access control Strict mode
  • Define on which port this client profile should
    apply
  • Enable Strict Access on a per-port basis
  • Every port can receive its own client profile or
    a profile can apply to multiple ports
  • Define the action to take when a host does not
    pass the security check
  • BLOCK ALL TRAFFIC
  • KEEP CLIENT IN QUARANTINE
  • ALLOW TRAFFIC BUT APPLY A PROTECTION PROFILE
  • IGNORE HOST CHECK RESULT AND ALLOW TRAFFIC

IF DYNAMIC PROFILE IS SELECTED AS AN ACTION, THIS
DEFINES WHICH PROTECTION PROFILE TO USE
22
Access control Host check
  • The user is required to launch a web browser to
    initially access the FortiGate web portal
  • The host check is automatically executed through
    ActiveX
  • No need for third party software on the client
    side
  • The user then submits the result to the FortiGate

FORTIGATE INTERCEPTS THE CLIENT WEB SESSION AND
REPLIES WITH THE HOST CHECK PORTAL WEB PAGE
23
Access control Strict mode
  • When FortiGate receives the host check result, it
    enforces the security by executing the action
    that the administrator has defined in the strict
    policy
  • A host in quarantine does not need to renew its
    IP address (port-based VLAN)

FW CHECK FAILED
PORT IS QUARANTINED
24
Access control Strict mode
  • The administrator is then notified of the host
    check failure and can take further action
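Slides 20 to 24 describe strict mode as a client profile (antivirus, personal firewall and operating system conditions), a per-port action for hosts that fail the check, and a notification to the administrator. The Python below is an added example for this page, not FortiOS code or its configuration model: the `ClientProfile` field names, the result-dictionary keys, the sample profile and the submitted host-check results are all constructed for illustration. It shows the one detail that is easy to get wrong in such a check, comparing version strings numerically rather than lexically, and maps the outcome to the four actions listed on slide 21.

```python
from dataclasses import dataclass, field
from typing import Optional

# The four per-port actions listed on the slide for a host that fails the check.
BLOCK = "BLOCK ALL TRAFFIC"
QUARANTINE = "KEEP CLIENT IN QUARANTINE"
DYNAMIC_PROFILE = "ALLOW TRAFFIC BUT APPLY A PROTECTION PROFILE"
IGNORE = "IGNORE HOST CHECK RESULT AND ALLOW TRAFFIC"


def parse_version(text):
    """'4.12.1' -> (4, 12, 1) so that 4.10 compares above 4.9 (a string compare would get this wrong)."""
    parts = []
    for piece in str(text).split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass
class ClientProfile:
    """Hypothetical representation of the slide's client profile (field names are this example's)."""
    name: str
    antivirus_min_version: Optional[str] = None      # None: only require that AV is enabled
    firewall_min_version: Optional[str] = None       # None: only require that the firewall is enabled
    allowed_os: dict = field(default_factory=dict)   # {"Windows": "5.1"}: OS type -> minimum version
    on_failure: str = QUARANTINE
    protection_profile: Optional[str] = None         # only used with DYNAMIC_PROFILE


def evaluate_host_check(profile, result):
    """Compare a submitted host-check result with the profile; return (passed, list of failed conditions)."""
    failures = []
    for label, enabled_key, version_key, minimum in (
        ("antivirus", "antivirus_enabled", "antivirus_version", profile.antivirus_min_version),
        ("personal firewall", "firewall_enabled", "firewall_version", profile.firewall_min_version),
    ):
        if not result.get(enabled_key):
            failures.append(f"{label} disabled or missing")
        elif minimum and parse_version(result.get(version_key, "0")) < parse_version(minimum):
            failures.append(f"{label} version too old")
    if profile.allowed_os:
        os_type = result.get("os_type")
        if os_type not in profile.allowed_os:
            failures.append("operating system not allowed")
        elif parse_version(result.get("os_version", "0")) < parse_version(profile.allowed_os[os_type]):
            failures.append("operating system version too old")
    return not failures, failures


def port_decision(profile, result):
    """Map the outcome to the action configured on the port; `failures` is what the administrator is told."""
    passed, failures = evaluate_host_check(profile, result)
    decision = {"allow": True, "quarantine": False, "protection_profile": None, "failures": failures}
    if passed or profile.on_failure == IGNORE:
        return decision
    if profile.on_failure == BLOCK:
        decision.update(allow=False)
    elif profile.on_failure == QUARANTINE:
        decision.update(allow=False, quarantine=True)
    elif profile.on_failure == DYNAMIC_PROFILE:
        decision.update(protection_profile=profile.protection_profile)
    return decision


# Constructed sample profile and host-check submissions.
LOBBY_PROFILE = ClientProfile(name="lobby", antivirus_min_version="5.0", firewall_min_version="2.0",
                              allowed_os={"Windows": "5.1"}, on_failure=QUARANTINE)
COMPLIANT = {"antivirus_enabled": True, "antivirus_version": "5.2.1",
             "firewall_enabled": True, "firewall_version": "2.0",
             "os_type": "Windows", "os_version": "5.1"}
STALE_AV = dict(COMPLIANT, antivirus_version="4.9.9")
NO_FIREWALL = dict(COMPLIANT, firewall_enabled=False)

if __name__ == "__main__":
    for label, submission in (("compliant", COMPLIANT), ("stale AV", STALE_AV), ("no firewall", NO_FIREWALL)):
        print(label, port_decision(LOBBY_PROFILE, submission))
```

The failure list is returned with every decision, including the IGNORE case, so the administrator notification on slide 24 has something concrete to report even when the port is opened anyway.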

25
Access control Dynamic mode
  • Clients are initially trusted
  • If a security violation occurs, the client is
    quarantined from the network at large
  • FortiGate detects threats and dynamically moves
    the port into the quarantine VLAN
  • Threats are detected based on Antivirus or IPS
    scanning
  • This requires the AV/IPS engines to receive
    traffic
  • Firewall rules must be defined with a protection
    profile that enables AV and/or IPS services

26
Access control Dynamic mode
DEFINE WHICH SECURITY EVENTS TRIGGER PORT
QUARANTINE
  • Define a dynamic policy that controls
  • Which event will quarantine hosts
  • Which resources can be reached by quarantined
    hosts
  • If users can self-remediate
  • Assign this policy to a set of ports

DEFINE WEB SITES THAT USERS CAN ACCESS ONCE
QUARANTINED
ALLOW USERS TO AUTOMATICALLY RECOVER BY RUNNING A
SUCCESSFUL HOST CHECK
27
Access control Dynamic mode
  • In addition to the dynamic policy settings, turn
    on AV/IPS scanning by defining firewall rules and
    protection profiles
  • Scenario 1
  • Inspect traffic between the host vlan and the wan
    interface

INSPECT TRAFFIC BETWEEN A VLAN AND A WAN PORT
SCAN FOR MALICIOUS TRAFFIC
28
Access control Dynamic mode
  • Scenario 2
  • Inspect traffic between the host vlan and another
    vlan

INSPECT TRAFFIC BETWEEN 2 VLANS
SCAN FOR MALICIOUS TRAFFIC
29
Access control Dynamic mode
  • Scenario 3
  • Inspect traffic from the host port to another
    port inside the same vlan

INSPECT TRAFFIC INSIDE A VLAN
SCAN FOR MALICIOUS TRAFFIC
30
Access control Dynamic mode
  • Quarantined ports are reassigned to the
    Quarantine VLAN
  • Hosts do not need to renew their IP address
    (port-based VLAN)
  • Traffic is restricted to resources that have
    been defined on the web portal
  • Once a device is quarantined, the user can
    self-remediate, allowing the device to rejoin the
    network

FORTIGATE INTERCEPTS TRAFFIC AND REPLIES WITH THE
QUARANTINE PORTAL WEB PAGE
RUN THE HOST SECURITY CHECK FOR SELF-REMEDIATION
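Slides 25 to 30 describe dynamic mode: clients start trusted, an AV or IPS verdict on the port's traffic moves the port into the quarantine VLAN (the host keeps its IP address because the VLAN is port-based), quarantined hosts reach only the resources published on the portal, and a successful host check can release the port again. The Python below is an added state-machine model written for this page, not FortiOS code: the quarantine VLAN ID 999, the home VLAN 10, the engine names, the resource hostnames and the three engine verdicts are constructed sample values.

```python
QUARANTINE_VLAN = 999   # constructed ID for the quarantine VLAN


class DynamicPolicy:
    """The three settings on the dynamic policy slide: triggers, reachable resources, self-remediation."""

    def __init__(self, trigger_events, allowed_resources, self_remediation):
        self.trigger_events = set(trigger_events)
        self.allowed_resources = set(allowed_resources)
        self.self_remediation = self_remediation


class SwitchPort:
    """A port-based VLAN member; quarantine moves the port, so the host keeps its IP address."""

    def __init__(self, name, home_vlan, policy):
        self.name = name
        self.home_vlan = home_vlan
        self.vlan = home_vlan
        self.policy = policy
        self.quarantined = False
        self.log = []

    def security_event(self, engine, detail):
        """An AV/IPS verdict for traffic seen on this port; quarantine only if the policy lists that engine."""
        if engine in self.policy.trigger_events and not self.quarantined:
            self.quarantined = True
            self.vlan = QUARANTINE_VLAN
            self.log.append(f"{self.name}: moved to VLAN {QUARANTINE_VLAN} after {engine} event ({detail})")
            return True
        self.log.append(f"{self.name}: {engine} event ({detail}) logged, port unchanged")
        return False

    def permits(self, destination):
        """Quarantined hosts reach only the resources published on the quarantine portal."""
        return not self.quarantined or destination in self.policy.allowed_resources

    def host_check(self, passed):
        """Self-remediation: a successful host check returns the port to its home VLAN."""
        if not self.quarantined:
            return "not quarantined"
        if not self.policy.self_remediation:
            return "administrator release required"
        if not passed:
            return "still quarantined"
        self.quarantined = False
        self.vlan = self.home_vlan
        self.log.append(f"{self.name}: released to VLAN {self.home_vlan} after successful host check")
        return "released"


def run_scenario():
    """Constructed scenario: three ports under one policy, three engine verdicts, then remediation."""
    policy = DynamicPolicy(
        trigger_events={"antivirus", "ips"},
        allowed_resources={"remediation.example.internal", "av-updates.example.internal"},
        self_remediation=True,
    )
    ports = {name: SwitchPort(name, home_vlan=10, policy=policy) for name in ("port1", "port2", "port3")}
    # Constructed engine verdicts (port, engine, detail); the web filter hit is not a trigger in this policy.
    verdicts = [
        ("port1", "antivirus", "EICAR-Test-File"),
        ("port2", "ips", "constructed-signature-001"),
        ("port3", "webfilter", "blocked category"),
    ]
    for port, engine, detail in verdicts:
        ports[port].security_event(engine, detail)
    p1 = ports["port1"]
    return {
        "port1_vlan": p1.vlan,
        "port2_vlan": ports["port2"].vlan,
        "port3_vlan": ports["port3"].vlan,
        "port1_reaches_fileserver": p1.permits("fileserver.example.internal"),
        "port1_reaches_remediation": p1.permits("remediation.example.internal"),
        "failed_check": p1.host_check(passed=False),
        "passed_check": p1.host_check(passed=True),
        "port1_vlan_after": p1.vlan,
        "port3_check": ports["port3"].host_check(passed=True),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The per-port log captures both transitions, which is what an operator needs when reconciling a quarantine event with the AV/IPS log that triggered it; a port whose policy disables self-remediation stays in the quarantine VLAN until an administrator releases it.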
31
Agenda
  • LAN security challenge
  • Deployment scenarios
  • FortiGate-224B hardware
  • FortiGate-224B features
  • Access layer port control
  • Layer-2, Layer-3 switching
  • Quality of Service
  • Complete multi-threat protection

32
Switching features
  • Port-based L2 forwarding
  • Wire-speed
  • 802.1Q VLANs
  • Link Aggregation
  • 802.3ad

33
Switching features VLAN settings
ASSIGN PORTS TO THIS VLAN
DEFINE VLAN ID
DEFINE TRUNK OR ACCESS PORTS
34
Switching features Spanning Tree
  • Spanning Tree support
  • STP, RSTP, PVST
  • Per-port activation

35
Switching features Spanning Tree
36
Switching features IGMP snooping
TURN ON IGMP SNOOPING
ENABLE IGMP SNOOPING ON A PER-VLAN BASIS
37
Switching features InterVLAN routing
DEFINE A VIRTUAL INTERFACE ON FORTIGATE THAT WILL
BELONG TO THIS VLAN
ASSIGN AN IP ADDRESS ON THIS VIRTUAL INTERFACE
FORTIGATE IS THEN ABLE TO ROUTE BETWEEN ITS
VIRTUAL INTERFACES
38
Switching features SPAN
  • Enable port monitoring for ingress and egress
    traffic independently

39
Agenda
  • LAN security challenge
  • Deployment scenarios
  • FortiGate-224B hardware
  • FortiGate-224B features
  • Access layer port control
  • Layer-2, Layer-3 switching
  • Quality of Service
  • Complete multi-threat protection

40
QOS 802.1P class of services
  • QoS settings make it possible to prioritize
    network traffic by type
  • Frames on VLAN trunks carry an 802.1P Class of
    Service (COS) value
  • Prioritize traffic based on 802.1P tagging

ENABLE PRIORITIZATION BASED ON 802.1P TAGGING
FOR EACH 802.1P COS VALUE, SELECT QUEUE-1 THROUGH
QUEUE-4
41
QOS DSCP class of services
  • FortiGate also supports the use of Layer-3
    Differentiated Services Code Point (DSCP) values
    to prioritize traffic

ENABLE PRIORITIZATION BASED ON DSCP TAGGING
FOR EACH DSCP VALUE, SELECT QUEUE-1 THROUGH
QUEUE-4
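Slides 40 and 41 describe prioritization from the 802.1P Class of Service carried in the 802.1Q tag and, alternatively, from the Layer-3 DSCP value, with each value mapped to one of four queues. The Python below is an added example for this page, not FortiOS code: it parses the two markings out of a raw frame (TPID 0x8100, 3-bit PCP, 12-bit VLAN ID, DSCP in the upper six bits of the IPv4 TOS byte) and selects a queue. The CoS-to-queue and DSCP-to-queue tables, the MAC addresses and the two sample frames are constructed; the slide only says that an administrator picks a queue per value.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed queue maps standing in for the per-value "select queue 1-4" settings on the slide.
COS_TO_QUEUE = {0: 1, 1: 1, 2: 2, 3: 2, 4: 3, 5: 3, 6: 4, 7: 4}
DSCP_EF = 46
DSCP_AF4 = {34, 36, 38}
DSCP_AF_OTHER = {10, 12, 14, 18, 20, 22, 26, 28, 30}


def dscp_to_queue(dscp):
    """Constructed DSCP policy: EF -> queue 4, AF4x -> 3, other AF classes -> 2, everything else -> 1."""
    if dscp == DSCP_EF:
        return 4
    if dscp in DSCP_AF4:
        return 3
    if dscp in DSCP_AF_OTHER:
        return 2
    return 1


def parse_frame(frame):
    """Pull VLAN ID, 802.1p PCP and DEI from the 802.1Q tag, and DSCP from an IPv4 payload if present."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"vlan": None, "pcp": None, "dei": None, "ethertype": None, "dscp": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13          # 3-bit priority code point (802.1p CoS)
        info["dei"] = (tci >> 12) & 1    # drop eligible indicator
        info["vlan"] = tci & 0x0FFF      # 12-bit VLAN ID
        offset = 18
    info["ethertype"] = ethertype
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        info["dscp"] = frame[offset + 1] >> 2   # upper 6 bits of the TOS byte
    return info


def select_queue(frame, trust="802.1p"):
    """Choose the egress queue from the trusted marking; untagged/unmarked frames get the default queue 1."""
    info = parse_frame(frame)
    if trust == "802.1p" and info["pcp"] is not None:
        return COS_TO_QUEUE[info["pcp"]]
    if trust == "dscp" and info["dscp"] is not None:
        return dscp_to_queue(info["dscp"])
    return 1


def build_frame(dscp, vlan=None, pcp=0):
    """Constructed sample frame: locally administered MACs, optional 802.1Q tag, minimal IPv4/UDP header."""
    dst = bytes.fromhex("0200000000aa")
    src = bytes.fromhex("0200000000bb")
    ip = bytearray(20)
    ip[0] = 0x45                       # IPv4, IHL = 5
    ip[1] = (dscp << 2) & 0xFF         # DSCP in the upper 6 bits, ECN 0
    struct.pack_into("!H", ip, 2, 20)  # total length
    ip[8], ip[9] = 64, 17              # TTL, protocol UDP
    if vlan is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + bytes(ip)
    tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + bytes(ip)


VOIP_FRAME = build_frame(dscp=46, vlan=30, pcp=5)   # constructed: tagged, CoS 5, DSCP EF
UNTAGGED_FRAME = build_frame(dscp=46)               # constructed: no 802.1Q tag, DSCP EF

if __name__ == "__main__":
    print(parse_frame(VOIP_FRAME))
    print("802.1p queue:", select_queue(VOIP_FRAME, "802.1p"), "DSCP queue:", select_queue(VOIP_FRAME, "dscp"))
```

The same frame lands in a different queue depending on which marking the port trusts, which is why the two slides present 802.1P and DSCP as separate settings: a host on an access port sends untagged frames and carries no CoS at all, so only its DSCP value can be honoured there.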
42
QOS Rate limiting
  • Control rate limiting on a per-port basis
  • Define the amount of bandwidth allowed for
    incoming and outgoing traffic
  • SELECT THE TYPE OF TRAFFIC TO BE RATE LIMITED
  • BROADCAST (B)
  • B MULTICAST (M)
  • B M FLOODED UNICAST (FU)
  • B M FU UNICAST
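Slide 42 configures per-port rate limiting over a cumulative traffic scope: broadcast only, broadcast plus multicast, plus flooded unicast, plus all unicast. The Python below is an added example for this page, not FortiOS code: it classifies frames by destination MAC (broadcast address, I/G bit for multicast, unknown destination for flooded unicast) and applies a token bucket only to the classes inside the selected scope. The 1 Mbit/s rate, the 4096-bit burst, the MAC addresses and the burst of 20 broadcast frames are constructed; the slide does not give the device's own algorithm or units.

```python
BROADCAST_MAC = b"\xff" * 6

# The slide's cumulative scopes: B, B+M, B+M+FU, B+M+FU+U.
SCOPES = {
    "B": {"B"},
    "BM": {"B", "M"},
    "BMFU": {"B", "M", "FU"},
    "BMFUU": {"B", "M", "FU", "U"},
}


def classify(dst_mac, known_macs):
    """Broadcast, multicast (I/G bit set), flooded unicast (destination unknown to the switch), or unicast."""
    if dst_mac == BROADCAST_MAC:
        return "B"
    if dst_mac[0] & 0x01:
        return "M"
    return "U" if dst_mac in known_macs else "FU"


class PortRateLimiter:
    """Per-port token bucket counted in bits; frames of classes outside `scope` are not limited."""

    def __init__(self, scope, rate_bps, burst_bits):
        self.classes = SCOPES[scope]
        self.rate_bps = rate_bps
        self.capacity = burst_bits
        self.tokens = float(burst_bits)
        self.last_seen = 0.0

    def admit(self, dst_mac, frame_len, now, known_macs):
        """Return (forwarded, traffic_class) for one frame arriving at time `now` (seconds)."""
        cls = classify(dst_mac, known_macs)
        if cls not in self.classes:
            return True, cls
        elapsed = max(0.0, now - self.last_seen)
        self.last_seen = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate_bps)
        bits = frame_len * 8
        if self.tokens >= bits:
            self.tokens -= bits
            return True, cls
        return False, cls


def simulate_storm():
    """Constructed burst: 20 broadcast frames at once on a port limited to 1 Mbit/s with a 4096-bit burst."""
    known_macs = {bytes.fromhex("0200000000aa")}          # constructed MAC learned on another port
    limiter = PortRateLimiter("BM", rate_bps=1_000_000, burst_bits=4096)
    admitted = dropped = 0
    for _ in range(20):
        ok, _cls = limiter.admit(BROADCAST_MAC, 64, now=0.0, known_macs=known_macs)
        admitted += ok
        dropped += not ok
    # Known unicast is outside the B+M scope, so it is forwarded regardless of the bucket state.
    unicast_admitted = sum(limiter.admit(bytes.fromhex("0200000000aa"), 1500, 0.0, known_macs)[0] for _ in range(5))
    # Unknown destination: flooded unicast, also outside the B+M scope in this configuration.
    flooded_ok, flooded_cls = limiter.admit(bytes.fromhex("0200000000cc"), 1500, 0.0, known_macs)
    # 10 ms later the bucket has refilled (10,000 bits earned, capped at the 4096-bit burst).
    refilled_ok, _cls = limiter.admit(BROADCAST_MAC, 64, now=0.010, known_macs=known_macs)
    return {
        "broadcast_admitted": admitted,
        "broadcast_dropped": dropped,
        "unicast_admitted": unicast_admitted,
        "flooded_class": flooded_cls,
        "flooded_admitted": flooded_ok,
        "broadcast_after_refill": refilled_ok,
    }


if __name__ == "__main__":
    print(simulate_storm())
```

Choosing the scope is the security decision on this slide: limiting only broadcast and multicast contains a broadcast storm or a misbehaving discovery protocol without touching the host's normal unicast traffic, while the widest scope caps everything the port can send.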

43
Agenda
  • LAN security challenge
  • Deployment scenarios
  • FortiGate-224B hardware
  • FortiGate-224B features
  • Access layer port control
  • Layer-2, Layer-3 switching
  • Quality of Service
  • Complete multi-threat protection

44
Multi-threat protection
  • Complete multi-threat protection
  • Firewall/VPN
  • Antivirus
  • Antispyware
  • Intrusion Prevention
  • Web Content Filtering
  • Antispam
  • Based on FortiOS 3.0

45
Inspection perimeter
  • Traffic is inspected
  • Between VLANs
  • Inside VLANs
  • When it is sent to WAN ports

(Diagram labels: INTER-VLAN TRAFFIC INSPECTION, WAN PORT, INTRA-VLAN TRAFFIC INSPECTION WITH SECURE PORT, WAN TRAFFIC INSPECTION, VLAN 10, VLAN 20, VLAN 30, LAYER-2 SWITCH)
46
Questions?