Title: Securing the LAN - FortiGate solution
Slide 1: Securing the LAN - FortiGate solution
- October 2006
- Nathalie Rivat
- nrivat@fortinet.com
Slide 2: Agenda
- LAN security challenge
- Deployment scenarios
- FortiGate-224B hardware
- FortiGate-224B features
Slide 3: Threats inside the perimeter
- The challenge
  - Malicious traffic propagates faster on LANs than across the perimeter
  - Allow access while maintaining the security of the network for:
    - Outside users and non-managed assets: visitors in lobbies and conference rooms, contractors and partners
    - Corporate users and servers
    - Meeting rooms
    - Mobile assets re-entering the network after connecting to outside networks
[Diagram: visitors, mobile users, contractor workstations, corporate servers and corporate users attached to the same LAN]
Slide 4: Traditional solutions to secure LANs
- Upgrade switches to traditional NAC for 802.1X services
  - Authentication only
- Consider internal firewalling
  - Inspects inter-switch traffic only
- Deploy inline IPS
  - Identifies attacks on uplinks only
  - Mirror traffic to identify threats where no IPS is present
- Add third-party software on hosts to check their security posture
  - Complex to manage and maintain
- Very expensive
- Still ineffective
  - No intra-switch security
  - No virus detection
[Diagram: firewall between the corporate servers and the LAN; contractors, visitors and mobile users share the access switch]
Slide 5: Fortinet integrated solution for LAN security
- Provide the same level of security for LAN traffic as is available on the WAN
  - Complete content security
- Cover the LAN up to the ports where assets are connected
  - Cover all types of threats
- Efficiency
- Simplicity
  - Single device
  - No software on the host side
- Cost effectiveness
[Diagram: 802.1X, firewall, antivirus and IPS enforced at the switch ports of corporate servers, contractors, visitors and mobile users]
Slide 6: FortiGate benefits
- Do not accept compromises on LAN security anymore
  - LAN security was considered too hard to achieve
  - Fortinet now lets you enforce the most secure approach: deny LAN traffic unless it is specifically authorized and clean of threats
- The only system that allows
  - Complete perimeter coverage, up to the host port
  - Complete protection: multi-threat protection up to layer 7
  - Meeting regulatory requirements
Slide 7: FortiGate benefits
- Control at the edge who is allowed to access the network (network admission control)
  - Provide network access to authenticated users
  - Validate the security level of the asset
  - Control the network resources that users can reach
  - Validate traffic through firewall inspection
- Enforce the security policy at the network access layer, before malicious traffic has an opportunity to spread through the network
  - Secure traffic inside and between VLANs
  - Detect and block malicious traffic at the port level
  - Quarantine infected assets
- Reduced complexity and cost by combining many network functions into a single solution
  - Enhanced network security through the combination of FortiOS security with layer-2 switching hardware
  - Lowered operational overhead and expense through automated responses and self-remediation options
Slide 8: Introducing FortiGate-224B
- Unified range of FortiGate products
  - LAN-dedicated security features added to the FortiGate range
  - Additional switching hardware available with the FortiGate-224B
- Simplified and unified security management
  - Leverage existing product knowledge
  - Reduce operational cost
Slide 9: Agenda
- LAN security challenge
- Deployment scenarios
- FortiGate-224B hardware
- FortiGate-224B features
Slide 10: Deployment scenarios - Open jacks
[Diagram: open jacks in lobbies, meeting rooms and conference rooms, connected over the LAN backbone to an authentication server]
- Portal authentication (firewall session authentication)
  - Unknown users send traffic to the Internet; FortiGate replies with a portal web page
  - Users provide guest access credentials
  - FortiGate separates guest and employee traffic, allows Internet access for guests and grants appropriate privileges to contractors and internal users
  - FortiGate identifies threats close to the unmanaged hosts and blocks malicious traffic
  - FortiGate prevents threats from propagating between open jack zones
- Port authentication (802.1X)
  - FortiGate authenticates users when they access the network and grants network access according to the user category
  - FortiGate separates visitor, contractor and employee traffic and provides appropriate network access
  - FortiGate identifies threats and blocks malicious traffic up to the host ports
  - FortiGate quarantines infected hosts
Slide 11: Deployment scenarios - Inside LAN security
[Diagram: corporate LAN with corporate users, contractors, corporate servers and an authentication server]
- Authenticate users when they access the network (802.1X)
- Separate visitor, contractor and employee traffic and provide appropriate network access depending on the user category
- Control host bandwidth usage for egress and ingress traffic
- Identify threats and block malicious traffic up to the host ports
- Quarantine infected hosts
Slide 12: Deployment scenarios - All-in-one device for SMB
[Diagram: users and servers attached directly to the FortiGate-224B]
- Small and medium business
- Combine layer-2 switching hardware with a FortiGate system
  - Layer-2 connectivity for hosts
  - Internet access control
Slide 13: Agenda
- LAN security challenge
- Deployment scenarios
- FortiGate-224B hardware
- FortiGate-224B features
Slide 14: FortiGate-224B hardware
- Hardware specifications
  - 24 x 10/100 switch ports
  - 2 x 10/100/1000 switch ports
  - 2 x 10/100 WAN ports
- Performance
  - 4.4 Gbps layer-2 switching
  - 150 Mbps firewall throughput
  - Note the gap between the two figures: plain port-to-port layer-2 forwarding runs at switch speed, while any traffic diverted through the FortiOS firewall/AV/IPS path (inter-VLAN, intra-VLAN secure ports, WAN) is bounded by the 150 Mbps figure
[Diagram: 2 x 10/100 WAN ports; layer-2 switch with 24 x 10/100 and 2 x 10/100/1000 switch ports]
Slide 15: Agenda
- LAN security challenge
- Deployment scenarios
- FortiGate-224B hardware
- FortiGate-224B features
  - Access layer port control
  - Layer-2, layer-3 switching
  - Quality of service
  - Complete multi-threat protection
Slide 16: FortiGate features
- Access layer port control
  - 802.1X authentication
  - Port-based quarantine
- Layer 2/3 switching
  - Port-based layer-2 forwarding at wire speed
  - 802.1Q VLANs
  - Spanning Tree: STP, RSTP, PVST
  - 802.3ad link aggregation
  - Layer-3 switching, provided by FortiOS
  - IGMP snooping
  - Port monitoring
- Quality of service
  - 802.1p and DSCP support
  - Per-port ingress and egress rate limiting
- Complete multi-threat protection, provided by FortiOS 3.0
  - Antivirus
  - Intrusion detection and prevention
  - Antispyware
  - Antispam
  - Web content filtering
  - Firewall
  - IPsec and SSL VPNs
Slide 17: Agenda
- LAN security challenge
- Deployment scenarios
- FortiGate-224B hardware
- FortiGate-224B features
  - Access layer port control
  - Layer-2, layer-3 switching
  - Quality of service
  - Complete multi-threat protection
Slide 18: Access control - 802.1X authentication
- Enable 802.1X on a per-port basis
- Supports user name / password and certificates
- Define a RADIUS server to check credentials
- Supports RADIUS redundancy
- Optionally use RADIUS to retrieve the user's VLAN ID
  - Port VLAN membership is dynamically reconfigured
- Screenshot callout: ports move from the default unauthorized state to the authorized state after a successful authentication
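How the switch side of the last two bullets consumes a RADIUS reply, as an added Python example (not Fortinet code and not part of the original deck): it builds a constructed Access-Accept carrying the RFC 3580 attribute triplet (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN ID), verifies the Response Authenticator against the shared secret and the outstanding Request Authenticator, and only then extracts the VLAN the port is moved into. The shared secret, packet identifier and Request Authenticator are placeholders. The authenticator check is the security-relevant step: RADIUS runs over plain UDP, so without it anyone who can spoof the server's address toward the switch could move a port into a VLAN of their choosing.

```python
"""RADIUS reply handling for dynamic VLAN assignment (added illustration, not Fortinet code).

Packet layout follows RFC 2865; the VLAN attributes follow RFC 2868 / RFC 3580.
The shared secret, identifier and Request Authenticator below are placeholders.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def build_response(code, ident, request_auth, secret, attrs):
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def build_access_accept(ident, request_auth, secret, vlan_id):
    """Access-Accept with the RFC 3580 triplet; the leading tag octet is 0 (untagged)."""
    attrs = [
        (ATTR_TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (ATTR_TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
        (ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode("ascii")),
    ]
    return build_response(ACCESS_ACCEPT, ident, request_auth, secret, attrs)


def parse_attributes(payload):
    """Split the attribute area into (type, value) pairs, refusing inconsistent lengths."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((t, payload[i + 2:i + length]))
        i += length
    return attrs


def verify_response(packet, request_auth, secret):
    """Switch side: a reply whose authenticator does not match the shared secret and the
    outstanding Request Authenticator is discarded (it was not sent by our RADIUS server)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def vlan_from_reply(packet, request_auth, secret):
    """Return the VLAN ID the port should be moved into, or None to leave the port in its
    default state. Raises on a forged or malformed reply."""
    if not verify_response(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: reply not from the RADIUS server")
    if packet[0] != ACCESS_ACCEPT:
        return None                                   # Access-Reject: port stays unauthorized
    found = {}
    for t, v in parse_attributes(packet[20:]):
        if t in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            found[t] = int.from_bytes(v[1:], "big")   # one tag octet, then a 3-octet integer
        elif t == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            found[t] = v[1:] if v and v[0] <= 0x1F else v   # tag octet present only if <= 0x1F
    # Honor the VLAN only when all three attributes agree that this is an 802 VLAN
    if (found.get(ATTR_TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or found.get(ATTR_TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802
            or ATTR_TUNNEL_PRIVATE_GROUP_ID not in found):
        return None
    try:
        vlan = int(found[ATTR_TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
    except ValueError:
        return None
    return vlan if 1 <= vlan <= 4094 else None


# Constructed sample exchange
SECRET = b"placeholder-shared-secret"   # placeholder, never reuse in a real deployment
REQUEST_AUTH = bytes(range(16))         # a real Access-Request carries 16 random octets
ACCEPT = build_access_accept(0x2A, REQUEST_AUTH, SECRET, vlan_id=100)

if __name__ == "__main__":
    print("move port to VLAN", vlan_from_reply(ACCEPT, REQUEST_AUTH, SECRET))
    try:
        vlan_from_reply(ACCEPT[:-1] + b"1", REQUEST_AUTH, SECRET)  # on-path edit of the VLAN digits
    except ValueError as err:
        print("rejected:", err)
```

The reply is accepted only if the MD5 over the packet and the secret matches, and the port is moved only if all three tunnel attributes are present and consistent; a reply that names a VLAN but omits Tunnel-Medium-Type, or a rejected authentication, leaves the port in its default state.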
Slide 19: Access control - Quarantine
- Once users have been authenticated, FortiGate provides controlled access to the network in two modes
  - Strict mode
    - Clients are initially untrusted
    - Clients cannot access the network before they meet a set of host security criteria
  - Dynamic mode
    - Clients are initially trusted
    - Clients can access the network until they violate the security policy (threats are detected)
Slide 20: Access control - Strict mode
- Clients are initially untrusted
- Access to the network is prevented until clients meet a set of conditions
- Define the conditions the client has to satisfy in the "client profile"
  - Antivirus state and version
  - Personal firewall state and version
  - Operating system type and version
Slide 21: Access control - Strict mode
- Define on which ports this client profile applies
  - Enable strict access on a per-port basis
  - Every port can receive its own client profile, or one profile can apply to multiple ports
- Define the action to take when a host does not pass the security check
  - Block all traffic
  - Keep client in quarantine
  - Allow traffic but apply a protection profile
  - Ignore host check result and allow traffic
- Screenshot callout: if "dynamic profile" is selected as the action, this setting defines which protection profile to use
Slide 22: Access control - Host check
- The user is required to launch a web browser to initially access the FortiGate web portal
- The host check is automatically executed through ActiveX
  - No need for third-party software on the client side (ActiveX does, however, tie the check to Internet Explorer on Windows clients)
- The user then submits the result to the FortiGate
  - Because the result is produced and submitted by the client itself, the host check raises the bar for unmanaged machines but is not a tamper-proof attestation of their state
- Screenshot callout: FortiGate intercepts the client web session and replies with the host check portal web page
Slide 23: Access control - Strict mode
- When FortiGate receives the host check result, it enforces the policy by executing the action the administrator defined in the strict policy
- A host in quarantine does not need to renew its IP address
  - Port-based VLAN: the port is moved, the host's addressing is unchanged
- Screenshot callout: FW check failed, port is quarantined
Slide 24: Access control - Strict mode
- The administrator is then notified of the host check failure and can take further appropriate decisions
Slide 25: Access control - Dynamic mode
- Clients are initially trusted
- If a security violation occurs, the client is quarantined from the network at large
  - FortiGate detects threats and dynamically moves the port into the quarantine VLAN
- Threats are detected by antivirus or IPS scanning
  - This requires the AV/IPS engines to receive the traffic
  - Firewall rules must be defined with a protection profile that enables the AV and/or IPS services
Slide 26: Access control - Dynamic mode
- Define a dynamic policy that controls
  - Which events quarantine hosts
  - Which resources quarantined hosts can reach
  - Whether users can self-remediate
- Assign this policy to a set of ports
- Screenshot callouts: define which security events trigger port quarantine; define the web sites that users can access once quarantined; allow users to recover automatically by running a successful host check
Slide 27: Access control - Dynamic mode
- In addition to the dynamic policy settings, turn on AV/IPS scanning by defining firewall rules and protection profiles
- Scenario 1: inspect traffic between the host VLAN and the WAN interface
- Screenshot callout: inspect traffic between a VLAN and a WAN port; scan for malicious traffic
Slide 28: Access control - Dynamic mode
- Scenario 2: inspect traffic between the host VLAN and another VLAN
- Screenshot callout: inspect traffic between two VLANs; scan for malicious traffic
Slide 29: Access control - Dynamic mode
- Scenario 3: inspect traffic from the host port to another port inside the same VLAN
- Screenshot callout: inspect traffic inside a VLAN; scan for malicious traffic
Slide 30: Access control - Dynamic mode
- Quarantined ports are reassigned to the quarantine VLAN
  - Hosts do not need to renew their IP address (port-based VLAN)
- Traffic is restricted to the resources defined on the web portal
- Once a device is quarantined, the user can self-remediate and participate in the network again
- Screenshot callouts: FortiGate intercepts traffic and replies with the quarantine portal web page; run the host security check for self-remediation
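The admission logic of slides 19 to 30 as one added Python model (not FortiOS code and not part of the deck): a per-port state machine covering 802.1X success, the strict-mode host check with its four failure actions, the dynamic-mode move to the quarantine VLAN on an AV/IPS event, the resource restriction that applies while quarantined, and self-remediation by re-running the host check. The client-profile fields, the version format, the event names, the quarantine VLAN number and the sample host-check results are assumptions constructed for the example.

```python
"""Port admission state machine for the strict and dynamic modes (added illustration,
not FortiOS code). Client-profile fields, version format, event names and the
quarantine VLAN number are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Action(Enum):
    """Strict-mode actions when a host fails the check."""
    BLOCK = "block all traffic"
    QUARANTINE = "keep client in quarantine"
    DYNAMIC_PROFILE = "allow traffic but apply a protection profile"
    IGNORE = "ignore host check result and allow traffic"


class State(Enum):
    UNAUTHORIZED = "unauthorized"        # 802.1X default state of every port
    HOST_CHECK = "awaiting host check"   # strict mode: authenticated but still untrusted
    AUTHORIZED = "authorized"
    QUARANTINED = "quarantined"
    BLOCKED = "blocked"


def _ver(text: str):
    """'7.1.2' -> (7, 1, 2): compare versions numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


@dataclass
class ClientProfile:
    av_min_version: str
    firewall_required: bool
    os_allowed: Set[str]


def evaluate_host_check(profile: ClientProfile, result: Dict) -> List[str]:
    """Compare a submitted host-check result with the profile; an empty list is a pass."""
    violations = []
    if not result.get("av_enabled"):
        violations.append("antivirus disabled")
    elif _ver(result.get("av_version", "0")) < _ver(profile.av_min_version):
        violations.append("antivirus older than " + profile.av_min_version)
    if profile.firewall_required and not result.get("firewall_enabled"):
        violations.append("personal firewall disabled")
    if result.get("os") not in profile.os_allowed:
        violations.append("operating system not allowed: %r" % result.get("os"))
    return violations


@dataclass
class Port:
    name: str
    mode: str                                      # "strict" or "dynamic"
    profile: Optional[ClientProfile] = None
    fail_action: Action = Action.QUARANTINE        # strict mode only
    quarantine_events: Set[str] = field(default_factory=set)    # dynamic mode only
    allowed_in_quarantine: Set[str] = field(default_factory=set)
    self_remediate: bool = True
    quarantine_vlan: int = 999                     # assumed quarantine VLAN ID
    state: State = State.UNAUTHORIZED
    vlan: int = 0
    user_vlan: int = 0
    protection_profile: Optional[str] = None

    def on_8021x_success(self, user_vlan: int):
        """Successful authentication: the port gets the user's VLAN (e.g. from RADIUS)."""
        self.user_vlan = self.vlan = user_vlan
        # strict: initially untrusted; dynamic: initially trusted
        self.state = State.HOST_CHECK if self.mode == "strict" else State.AUTHORIZED

    def on_host_check(self, result: Dict) -> List[str]:
        """Strict-mode admission, and self-remediation out of quarantine in either mode."""
        if self.state == State.UNAUTHORIZED:
            return ["port not authenticated"]
        if self.state == State.QUARANTINED and not self.self_remediate:
            return ["self-remediation disabled: administrator must release the port"]
        violations = evaluate_host_check(self.profile, result) if self.profile else []
        if not violations:
            self.state, self.vlan, self.protection_profile = State.AUTHORIZED, self.user_vlan, None
        elif self.fail_action == Action.BLOCK:
            self.state = State.BLOCKED
        elif self.fail_action == Action.QUARANTINE:
            self.state, self.vlan = State.QUARANTINED, self.quarantine_vlan  # host keeps its IP
        elif self.fail_action == Action.DYNAMIC_PROFILE:
            self.state, self.protection_profile = State.AUTHORIZED, "restricted"
        else:                                       # Action.IGNORE
            self.state = State.AUTHORIZED
        return violations

    def on_threat_event(self, event: str) -> bool:
        """Dynamic mode: an AV/IPS detection listed in the policy moves the port to quarantine."""
        if self.mode == "dynamic" and self.state == State.AUTHORIZED and event in self.quarantine_events:
            self.state, self.vlan = State.QUARANTINED, self.quarantine_vlan
            return True
        return False

    def forwards(self, destination: str) -> bool:
        """Whether traffic from this port may reach destination (a name or address)."""
        if self.state == State.AUTHORIZED:
            return True
        if self.state == State.QUARANTINED:
            return destination in self.allowed_in_quarantine   # portal-defined resources only
        return False


# Constructed sample inputs
PROFILE = ClientProfile(av_min_version="7.0", firewall_required=True, os_allowed={"Windows XP SP2"})
GOOD_HOST = {"av_enabled": True, "av_version": "7.1", "firewall_enabled": True, "os": "Windows XP SP2"}
STALE_AV_HOST = {"av_enabled": True, "av_version": "6.5", "firewall_enabled": True, "os": "Windows XP SP2"}
```

A strict port created with `Port("port3", "strict", profile=PROFILE, allowed_in_quarantine={"remediation.example"})` forwards nothing after `on_8021x_success(100)` until a passing `on_host_check`; a stale-antivirus result moves it to VLAN 999 where only the remediation host is reachable, and a later clean result returns it to VLAN 100. A dynamic port is forwarding immediately and is moved to quarantine by `on_threat_event("virus")` only if that event is in its policy; with `self_remediate=False` a clean re-check does not release it.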
Slide 31: Agenda
- LAN security challenge
- Deployment scenarios
- FortiGate-224B hardware
- FortiGate-224B features
  - Access layer port control
  - Layer-2, layer-3 switching
  - Quality of service
  - Complete multi-threat protection
Slide 32: Switching features
- Port-based layer-2 forwarding
  - Wire speed
- 802.1Q VLANs
- Link aggregation
  - 802.3ad
Slide 33: Switching features - VLAN settings
- Screenshot callouts: define the VLAN ID; assign ports to this VLAN; define trunk or access ports
Slide 34: Switching features - Spanning Tree
- Spanning Tree support
  - STP, RSTP, PVST
  - Per-port activation
Slide 35: Switching features - Spanning Tree
Slide 36: Switching features - IGMP snooping
- Screenshot callouts: turn on IGMP snooping; enable IGMP snooping on a per-VLAN basis
Slide 37: Switching features - Inter-VLAN routing
- Define a virtual interface on the FortiGate that belongs to this VLAN
- Assign an IP address to this virtual interface
- FortiGate is then able to route between its virtual interfaces
Slide 38: Switching features - SPAN
- Enable port monitoring for ingress and egress traffic independently
Slide 39: Agenda
- LAN security challenge
- Deployment scenarios
- FortiGate-224B hardware
- FortiGate-224B features
  - Access layer port control
  - Layer-2, layer-3 switching
  - Quality of service
  - Complete multi-threat protection
Slide 40: QoS - 802.1p class of service
- QoS settings prioritize network traffic by type
- VLAN trunk frames carry an 802.1p class of service (CoS) value
- Prioritize traffic based on 802.1p tagging
- Screenshot callouts: enable prioritization based on 802.1p tagging; for each 802.1p CoS value, select queue-1 through queue-4
Slide 41: QoS - DSCP class of service
- FortiGate also supports the use of layer-3 Differentiated Services Code Point (DSCP) values to prioritize traffic
- Screenshot callouts: enable prioritization based on DSCP tagging; for each DSCP value, select queue-1 through queue-4
Slide 42: QoS - Rate limiting
- Control rate limiting on a per-port basis
- Define the amount of bandwidth allowed for incoming and outgoing traffic
- Select the type of traffic to be rate limited (each option adds to the previous one)
  - Broadcast (B)
  - Broadcast and multicast (B, M)
  - Broadcast, multicast and flooded unicast (B, M, FU)
  - Broadcast, multicast, flooded unicast and unicast (B, M, FU, U)
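Added Python example for slides 40 to 42 (not FortiGate code and not part of the deck): it parses the 802.1p priority and VLAN ID out of an 802.1Q tag and the DSCP out of an IPv4 header, maps them to queue 1 to 4, and buckets frames into the broadcast / multicast / flooded-unicast / unicast classes that the rate limiter works on. The queue maps, the MAC table and the sample frames are constructed. The `trust_marking` flag illustrates a caveat the slides do not spell out: markings set by hosts on untrusted ports (open jacks) should not be honored, otherwise a guest can mark all of its traffic highest priority.

```python
"""Frame classification for the QoS queues and the rate-limit traffic classes (added
illustration, not FortiGate code). Queue maps, MAC table and sample frames are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional, Set

ETH_P_8021Q = 0x8100
ETH_P_IPV4 = 0x0800
ETH_P_EXPERIMENTAL = 0x88B5      # local experimental ethertype, used for the non-IP sample
BROADCAST = b"\xff" * 6

# Assumed maps: the deck only says each CoS / DSCP value is assigned to queue 1..4
COS_TO_QUEUE = {0: 1, 1: 1, 2: 2, 3: 2, 4: 3, 5: 3, 6: 4, 7: 4}
DSCP_TO_QUEUE = {46: 4, 34: 3, 26: 2, 18: 2, 10: 2}   # EF, AF41, AF31, AF21, AF11; others queue 1


@dataclass
class Classification:
    traffic_class: str        # broadcast / multicast / flooded-unicast / unicast
    vid: Optional[int]        # 802.1Q VLAN ID, None on untagged frames
    pcp: Optional[int]        # 802.1p priority, None on untagged frames
    dscp: Optional[int]       # IPv4 DSCP, None on non-IP frames
    queue: int                # 1 (lowest) .. 4 (highest)


def make_frame(dst, src, payload=b"", vid=None, pcp=0, dscp=None):
    """Build a constructed frame: optional 802.1Q tag, optional minimal IPv4 header."""
    if dscp is None:
        ethertype, l3 = ETH_P_EXPERIMENTAL, payload
    else:   # version/IHL, DS octet (DSCP in the top 6 bits), total length, 16 zero octets
        ethertype = ETH_P_IPV4
        l3 = struct.pack("!BBH", 0x45, dscp << 2, 20 + len(payload)) + bytes(16) + payload
    tag = struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | vid) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + l3


def parse_frame(frame):
    """Return (dst MAC, vid, pcp, dscp); raises on a runt frame or a truncated 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst = frame[:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vid, pcp, dscp = 14, None, None, None
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp, vid = tci >> 13, tci & 0x0FFF            # TCI = PCP(3) | DEI(1) | VID(12)
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype == ETH_P_IPV4 and len(frame) >= off + 20:
        dscp = frame[off + 1] >> 2                    # DS octet: DSCP(6) | ECN(2)
    return dst, vid, pcp, dscp


def limiter_class(dst: bytes, mac_table: Set[bytes]) -> str:
    """Bucket used by the per-port rate limiter (B, M, FU, U)."""
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:
        return "multicast"                            # group bit set
    return "unicast" if dst in mac_table else "flooded-unicast"   # unknown unicast floods the VLAN


def select_queue(pcp, dscp, trust_marking: bool) -> int:
    """Queue choice. Markings from hosts on untrusted ports (open jacks) are not honored:
    otherwise a guest marks everything EF / CoS 7 and starves the corporate queues."""
    if not trust_marking:
        return 1
    if dscp is not None:
        return DSCP_TO_QUEUE.get(dscp, 1)
    if pcp is not None:
        return COS_TO_QUEUE.get(pcp, 1)
    return 1


def classify(frame, mac_table, trust_marking=False) -> Classification:
    dst, vid, pcp, dscp = parse_frame(frame)
    return Classification(limiter_class(dst, mac_table), vid, pcp, dscp,
                          select_queue(pcp, dscp, trust_marking))


# Constructed samples: a known server MAC, a host MAC, and three frames from the host port
SERVER = bytes.fromhex("001122334455")
HOST = bytes.fromhex("00aabbccddee")
MAC_TABLE = {SERVER}
VOIP = make_frame(SERVER, HOST, vid=10, pcp=5, dscp=46)           # tagged, EF-marked IPv4
UNKNOWN = make_frame(bytes.fromhex("009999999999"), HOST, vid=10)  # unknown unicast, non-IP
BCAST = make_frame(BROADCAST, HOST, vid=10, pcp=7)                 # broadcast marked CoS 7
```

`classify(VOIP, MAC_TABLE, trust_marking=True)` lands the EF-marked frame in queue 4, while the same frame from an untrusted port is demoted to queue 1; the frame to an unknown destination is classed as flooded unicast, which is what the third rate-limit option catches before it reaches every port in the VLAN.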
Slide 43: Agenda
- LAN security challenge
- Deployment scenarios
- FortiGate-224B hardware
- FortiGate-224B features
  - Access layer port control
  - Layer-2, layer-3 switching
  - Quality of service
  - Complete multi-threat protection
Slide 44: Multi-threat protection
- Complete multi-threat protection
- Firewall/VPN
- Antivirus
- Antispyware
- Intrusion Prevention
- Web Content Filtering
- Antispam
- Based on FortiOS 3.0
Slide 45: Inspection perimeter
- Traffic is inspected
  - Between VLANs
  - Inside VLANs
  - When it is sent to WAN ports
[Diagram: layer-2 switch carrying VLAN 10, VLAN 20 and VLAN 30; inter-VLAN traffic inspection, intra-VLAN traffic inspection with a secure port, and WAN traffic inspection on the WAN port]
Slide 46: Questions?