Posted on: 3/18/2011 (118 pages)
FortiGate Multi-Threat Security Systems
Administration and Content Inspection

Topics
• System setup
• Logging and Alerts
• Firewall Policies
• Antivirus Scanning and Content Inspection
• Web Filtering
• IM and P2P Filtering
• Administration and Maintenance
• Transparent Mode

System Setup
FortiGate Multi-Threat Security Systems - Administration and Content Inspection

FortiGate Antivirus Firewall
Network-level Services
• Firewall
• Intrusion prevention and detection
• VPN
• Traffic shaping
Application-level Services
• Firewall
• Intrusion prevention and detection
• Virus protection
• Content filtering for web connections and email

Web-based Manager
• HTTP or HTTPS
• Web browser
  – Windows
  – Mac
  – Linux
• Configure and monitor a FortiGate unit
• Configuration changes effective immediately
• Download, save, and restore configurations

Command Line Interface
• Serial port
  – RS232
• Network
  – Telnet
  – SSH
• Same configuration capabilities as the web-based manager
• Advanced configuration capabilities

Factory Default Settings
The FortiGate unit is shipped with a factory default configuration that allows you to connect to and use the FortiGate web-based manager to configure the unit onto the network.
• Internal interface 192.168.1.99/24
  – HTTPS and ping access are enabled
• External interface 192.168.100.99/24
  – Ping is enabled
• Firmware upgrade using TFTP is done using the internal interface only (interrupt boot process)

Modes of Operation
• NAT/Route Mode
  – Default "out of box" configuration
  – Each interface is on a different network
  – Allows the firewall to operate as a bastion gateway
• Transparent Mode
  – Firewall operates as a bridge
  – Administration performed via a management IP address
  – Allows for most FortiGate features without altering the IP infrastructure of the network

NAT/Route Mode
Hide your internal addressing scheme behind a firewall.

Transparent Mode
The firewall acts as a bridge and requires an IP address for management and updates. The FortiGate unit is invisible to the network.

System Dashboard
• Shown after a successful GUI login
• Displays firewall status at a glance including:
  – FortiGuard Subscriptions status
  – Statistics for content archiving and IPS
  – Current system time and uptime
  – CPU and memory utilization

System Dashboard (screenshot slide)

Administrative Access
• Options for access to the firewall for the purpose of administration and maintenance
• Enabled per interface
• Administrative access options are:
  – HTTP (GUI)
  – HTTPS (GUI)
  – Telnet (CLI)
  – SSH (CLI)
  – SNMP
  – PING

Administrative Users
• Accounts responsible for firewall administration
• Have CLI / GUI access to the firewall
• User accounts can be held locally or via RADIUS
• Logins and passwords are case sensitive

Administrative Users (continued)
• Accounts can be limited by use of Access Profiles
• The default administrative account is "admin"
• The default access profile is "prof_admin". This profile has all permissions

IP Addressing
• IP addresses can be assigned in three ways:
  – Static
  – DHCP
  – PPPoE
• Dynamic DNS (DDNS) supported for major providers
• Administrative access is configured per interface

VLANs
• Highly flexible, efficient network segmentation
• Supported on models 60 and higher
• IEEE 802.1Q
• Segregate devices logically instead of physically by adding 802.1Q VLAN tags to all packets sent and received by the devices
• A single FortiGate unit can provide security services and control connections between multiple security domains
• NAT/Route and Transparent modes

Virtual Domains
• Ease of management
• Lower costs: one system with multiple firewalls
• Each virtual domain functions like a single FortiGate unit
• Exclusive firewall and routing services to multiple networks
• Traffic from each network is effectively separated from every other network
• Packets never cross virtual domain borders
• NAT/Route and Transparent modes

DHCP Server
• A DHCP server may be configured on any interface with a static IP address
• The firewall can support multiple DHCP servers on a single interface

DHCP Relay
• Allows the firewall to relay a DHCP request to a remote DHCP server

Static Routes
• Default gateway entry. Required for public network access
• Routing decision is based on destination network
• The outgoing interface and metric can be specified
• Multiple routes to the same destination can exist, but only one is preferred

Logging and Alerts

Overview
• Ability to log session transaction data and downloaded files
• Ability to log to multiple locations simultaneously
• Seamless integration with the FortiAnalyzer appliance
• Alert e-mail system

Configuration
• Choose the location and level:
  – FortiAnalyzer
  – Syslog
  – Memory
• Enable logging:
  – Protection Profile (Content, Content Archiving)
  – Event log
  – Firewall Policy or Interface (Traffic)

FortiAnalyzer
• A logging and security center point on the network
• Allows for IPSec encrypted log transfer from the firewall
• Full reporting functions
• Required for content and file archiving functions

Viewing Log Files
• View logs located on the FortiAnalyzer from the firewall's GUI

Event Logging
• Responsible for:
  – Core system events
  – VPN events
  – Administration events

Content Archiving
• The ability to log session transaction data for:
  – HTTP
  – FTP
  – NNTP
  – IM (AIM, ICQ, MSN, Yahoo!)
  – Mail (POP3, IMAP, SMTP)
• Ability to archive downloaded files and e-mails
• Requires a FortiAnalyzer appliance

Log Message Priorities
• All messages have a Priority level:
  – Emergency
  – Alert (IPS Signature)
  – Critical (IPS Anomaly)
  – Error (Category rating, network address)
  – Warning (Content filtering, system event)
  – Notice (Configuration change)
  – Information (traffic, authentication, content)
Example log message:
2006-03-22 14:23:37 log_id=0104032126 type=event subtype=admin pri=notice vd=root user=admin ui=GUI(192.168.96.1) seq=3 msg="User admin added new firewall policy 3 from GUI(192.168.96.1)"

Alert E-mail
• Generates an e-mail upon detection of a message meeting a defined severity level
• Supports multiple recipients
• Supports servers requiring SMTP authentication

Traffic Logging
• Cannot be logged to memory
• Traffic logging is enabled within:
  – Firewall policies
  – Interfaces
• Logging traffic per firewall policy is usually preferred

Firewall Policies

Description
• Allows traffic to pass through the firewall from one interface to another
• Traffic cannot pass through a firewall unless matched exactly by a firewall policy

Firewall Policies
• Are comprised of an interface pair: source and destination
• In NAT/Route mode the firewall policy dictates whether traffic will NAT or route
• There are two primary types of firewall policies:
  – Accept
  – Deny

Firewall Policy Example (screenshot slide; callouts: Interface pair, Schedule, Service, NAT/Route)

Firewall Address Objects
• Two types of addresses:
  – IP / IP Range
  – Fully Qualified Domain Name (FQDN)
• Several ways to declare an IP / IP Range:
  – 192.168.1.99
  – 192.168.1.0/255.255.255.0
  – 192.168.1.0/24
  – 192.168.1.99-192.168.1.105
  – 192.168.1.[99-105]

Firewall Address Object Groups
• Used to group multiple address objects
• Object groups are available for selection in firewall policies

Firewall Service Objects
• Allow firewall policies to use specific protocol-port combinations
• The firewall has many predefined service objects
• Custom service objects can be created
• Service groups can be created for additional flexibility

Firewall Service Objects - Custom
• Three types of custom service objects:
  – TCP/UDP
  – ICMP
  – IP

NAT
• Default NAT behavior:
  – Source IP translated to the destination interface's IP
  – Sessions differentiated by port
• Fixed Port behavior:
  – Source IP translated to the destination interface's IP
  – Source and destination port not altered
• IP Pool behavior:
  – Source IP translated to an available IP within the selected IP Pool

Virtual IP Description
• Used to allow the public limited access to an internal host
• Two primary types:
  – Static NAT
  – Load Balance
• Ability to perform port forwarding

Virtual IP - Static NAT
• Creates a bi-directional translation between an internal IP and an external IP
• The source IP of traffic originating from the internal host will be translated
• It is possible to utilize IP ranges
• Port Forwarding can be used to alter the source or destination ports

Firewall Policy Authentication Description
• Enabled within a firewall accept policy
• Users must authenticate with the firewall in order for sessions to pass
• Authentication occurs against object(s) in a user group or an Active Directory

Firewall Authentication
• User groups may contain:
  – RADIUS server
  – LDAP directory
  – Local users
• Selection of protection profile is now in the user group
• To authenticate against an Active Directory the FSAE extensions must be installed

Firewall Authentication Protocols
• The firewall allows authentication on the following protocols:
  – HTTP/HTTPS
  – FTP
  – Telnet
• Service groups can be used to force authentication of protocols not directly supported
• Default authentication timeout is 15 minutes

Antivirus Scanning and Content Inspection

Content Inspection
• Antivirus is a component of the Content Inspection System
• Content inspection is comprised of many services including:
  – Antivirus
  – Spam filtering
  – Web filtering
  – Instant Message (IM) filtering
  – Logging
  – Content archiving

Content Inspection (continued)
• Content inspection applies to the following protocols:
  – HTTP
  – FTP
  – Mail (IMAP, POP3, SMTP)
  – IM (AIM, ICQ, MSN, Yahoo!)
  – NNTP

Content Inspection Configuration
• For traffic to flow two parts are necessary:
  – A source-destination interface pair
  – A firewall policy permitting the traffic
• Content inspection requires an additional component:
  – Protection Profile
• The Protection Profile is applied to either:
  – Firewall policy
  – Authentication group

Protection Profile
• Each content inspection system has its own configuration area
• The Protection Profile is where content inspection is enabled

Protection Profiles - Defaults
• There are four preconfigured Protection Profiles:
  – Web (HTTP AV scan, Basic WF)
  – Scan (All AV scan)
  – Strict (All AV, Full WF, No Oversize, IPS)
  – Unfiltered
• A custom Protection Profile is recommended

Protection Profile Creation
• For firewalls up to the FortiGate 1000 a maximum of 32 Protection Profiles can be created
• For firewalls beyond the FortiGate 1000 a maximum of 200 Protection Profiles can be created

Antivirus
• To decrease the chance of malicious code execution by clients
• Accelerated by proprietary FortiASIC
• Capable of protecting:
  – HTTP
  – FTP
  – Mail (IMAP, POP3, SMTP)
  – IM (AIM, ICQ, MSN, Yahoo!)
  – NNTP

Antivirus Features
• The Antivirus system has many components including:
  – Real-time scanning of traffic
  – File pattern blocking
  – Fragmented e-mail blocking
  – Oversized file/e-mail blocking
  – E-mail signatures
  – Logging

Antivirus Updates
• The Antivirus has two components that require regular update:
  – Engine
  – Signatures
• The updates can be retrieved from:
  – FortiGuard Distribution Network (FDN)
  – Packages located on the support site

Antivirus Scanning - Archives
• Scanning of archives
• Scanning of "packers"
• Scanning of encoded files
• The uncompression size limit may need to be changed

Antivirus Engine
• The Antivirus system is port based
• It is possible to add additional ports to each supported protocol
• Only active in a session when a file transfer is detected

Grayware / Spyware
• The firewall supports scanning for grayware and spyware threats such as:
  – Adware
  – Browser Helper Objects (BHO)
  – Spyware
• Disabled by default
• Can be selectively enabled in the Antivirus config

File Pattern Blocking
• Configured in the File Pattern section of Antivirus
• Can be enabled in the Protection Profile for all protocols supported by Antivirus scanning
• Performed before Antivirus scanning

Client Comforting
• Can be enabled within the Protection Profile
• Passes data to the client during the scanning process
• Available for:
  – HTTP
  – FTP

Oversized Files
• Firewalls below the enterprise class can scan files up to 10% of total memory size
• Files above this threshold are termed "Oversized files"
• The oversized file threshold can be lowered to improve performance
• The firewall can be configured to pass or block oversized files

Quarantine
• Allows the firewall to quarantine files to a FortiAnalyzer for later retrieval or analysis
• Blocked HTTP and FTP files cannot be quarantined

Web Filtering

Description
• Web Filtering is a content inspection service that allows for control of HTTP data through a firewall
• Blocked content is replaced with a customizable replacement page

Web Filtering - Features
• The firewall's web filter includes the following:
  – FortiGuard - Web Filter
  – Score based content blocking
  – URL filtering
  – Content exempting
  – URL exempting
  – ActiveX, cookie, and Java applet filter
  – Web resume download blocking

URL Filtering
• Allows for the filtering of a URL using:
  – Simple
  – Regular Expression (regex)
• The following actions can be taken:
  – Block
  – Allow (Allowed, and processed by AV)
  – Exempt (Allowed, and not processed by AV)
• These rules are sensitive to ordering

Content Blocking
• Allows for blocking of web content using:
  – Wildcards
  – Regular expressions
• Ability to assign a score to individual banned patterns
• Choose a score threshold within the Protection Profile

Content Exemption
• Can be used with content blocking to only allow selected content
• Language sensitive
• Content exempted is not processed by AV

FortiGuard - Web Filter
• Managed web filtering solution with 76 categories
• Allows for selective override and local categorization
• Images can be blocked based on URL

FortiGuard - Web Filter - Override
• Manual override of ratings can be based upon:
  – Domain (www.fortinet.com)
  – Directory (www.fortinet.com/support)
  – Categories (Information Technology)
• The override can be effective for:
  – Users
  – User Groups
  – IP
  – Protection Profile

IM and P2P Filtering

IM Features
• IM protocols supported:
  – MSN Messenger
  – ICQ
  – AOL Instant Messenger (AIM)
  – Yahoo! Instant Messenger (Yahoo!)
• Features:
  – Protocol block/allow
  – User block/allow
  – Usage statistics
  – File transfer and audio blocking

IM Features - FortiAnalyzer
• IM chat summary information
• Full IM chat information
• Archiving copies of files transferred

IM Configuration
• For all IM functions the appropriate protocols must be enabled in the Protection Profile

IM/P2P Overview Screen
• Ability to view for each IM protocol:
  – Number of current users
  – Number of chat sessions / total messages
  – Number of file transfers / voice chats
• Ability to view for each P2P protocol:
  – Total number of bytes transferred
  – Average bandwidth utilization

Protocol Screen
• Allows for more detailed information for each IM protocol including:
  – Number of group chats
  – Number of private chats
  – Number of messages sent/received
  – Number of voice chats received/blocked

IM Users
• By default all IM traffic is automatically blocked
• Users that are allowed/blocked automatically are added to the temporary users list
• Users can then be permanently blocked/allowed on a per protocol basis
• Current IM users can be viewed

Extended Options - IM Protection Profile
• Block audio/voice transfer
• Block file transfers
• Block logins (per protocol)
• Enable detection for IM traffic on non-standard ports

IM Antivirus
• Features:
  – Antivirus scanning for file transfers
  – File pattern blocking
• Must be enabled within the Anti-Virus section of the Protection Profile
• If a virus is detected during an IM session a message will appear within the window stating that a virus has been blocked

P2P Features
• Ability to pass or block traffic for:
  – BitTorrent
  – eDonkey
  – Gnutella
  – KaZaa
  – Skype
  – WinNY
• Ability to limit transfer rates (KB/s) for all but Skype traffic

FortiAnalyzer

Description
• A purpose-built appliance for centralized logging and network security analysis

Features
• Hardened, IPSec capable appliance
• Certain models allow for hard disk redundancy using RAID
• Full suite of reports
• Enables quarantine of potentially malicious files

Features (continued)
• Forensic analysis and aggregation of log data
• Network vulnerability scanning
• Ability to function as a secured NAS device

Configuration
• The firewall must have the FortiAnalyzer selected as a logging destination
• The firewall must be registered on the FortiAnalyzer

Log Browser
• Ability to view specific log types for individual devices

Reporting Features
• Three types of reports:
  – Scheduled
  – On demand
  – Built in summary
• Reporting in several output formats:
  – HTML
  – PDF
  – MS Word
  – Text

Reporting Features (continued)
• Ability to use IP aliases
• Reports can have custom graphics and titles
• High degree of selection granularity

Quarantine
• The FortiAnalyzer allows all FortiGates to have a quarantine
• Automatic uploading of files can be enabled
• Automatic ticketing system
• Only one copy of a quarantined file is held on the FortiAnalyzer

FortiAnalyzer Quarantine (screenshot slide: FortiAnalyzer quarantine example)

Security Events
• Can view recent security events for:
  – Virus
  – Intrusion (IPS)
  – Suspicious

Vulnerability Scan
• Can scan hosts/subnets for security vulnerabilities
• Can be scheduled or on demand

Log Rolling and FTP Archive
• Log files can be rolled based on:
  – File size
  – Time
• Logs can be uploaded to an FTP server

Log Viewer
• Allows for real-time viewing of log messages
• Full filtering capability

Administration and Maintenance

Maintenance
• Maintenance of firewalls includes many tasks such as:
  – Configuration backup
  – IPS signature updates
  – Antivirus signature updates
  – FortiGuard Center
  – Firmware upgrades
  – FortiGuard Services registration / maintenance

Configuration Backup
• Configuration can be backed up from:
  – GUI
  – CLI
• The backup file can be sent to:
  – FortiUSB
  – Local PC via GUI (HTTP)
  – Local PC via CLI (TFTP)

Configuration Backup (continued)
• There are two types of backup:
  – Clear text (default)
  – Password protected
• Password protected backups provide:
  – Backup of IPSec certificates
  – Protection from alteration (checksum)

Configuration Restore
• A password protected backup will be invalid if:
  – The password is forgotten
  – The backup file is altered or corrupted

Registration
• Registering your firewall provides many benefits including:
  – FortiGuard Services activation and trials
  – Service and support contracts
  – Centralized device information
  – Creation of support tickets
  – Technical support forum access
  – Access to firmware updates

Fortinet Support Registration (screenshot slide; callouts: Product Information, Service agreements, Active support tickets)

FortiGuard Distribution Network
• A Fortinet maintained worldwide network for update distribution:
  – Antivirus signatures
  – IPS signatures
• There are three ways to update using FDN:
  – Scheduled
  – Push
  – Manual

FDN Push Updates
• When Push updating is configured the FDN network:
  – Sends a token to your firewall when an update is available
  – Update occurs on 9443/UDP
  – The firewall will require a virtual IP on any NAT device between it and the public network

Firmware Maintenance
• Fortinet makes firmware updates available at support.fortinet.com
• A configuration backup should be performed before any firmware maintenance
• Firmware files are platform specific

Firmware Upgrades
• Firmware can be updated in three ways:
  – FortiUSB
  – GUI
  – CLI (TFTP)
• During a firmware upgrade the configuration will be retained

Firmware Testing and Multiple Images
• Starting with the FortiGate 100A, firewalls have two partitions within NVRAM
• This allows these models to have:
  – Two independent firmware images
  – Two independent configuration files

http://www.fortinet.com/FortiGuardCenter
• Fortinet's most current malware information and security alerts
  – Advisories
  – Virus and Spyware encyclopedias
  – Latest IPS vulnerabilities
  – Global threat statistics
  – FortiGuard URL lookup
  – and more!
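The Log Message Priorities and Alert E-mail slides above describe a severity ladder and an alert rule that fires at or above a chosen level. The following Python is an added example, not code from the deck or from Fortinet: it parses the key=value log line format shown on the slide and selects the records an alert rule at a given threshold would pick up. The first sample line is the one from the slide; the other two are constructed, with placeholder log_id values.

```python
import re

# Priority levels from the Log Message Priorities slide, most severe first.
PRIORITY_ORDER = ("emergency", "alert", "critical", "error",
                  "warning", "notice", "information")

# One key=value pair. The value is either double-quoted (may contain spaces,
# as msg="..." does) or a run of non-whitespace such as GUI(192.168.96.1).
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) ")


def parse_log_line(line):
    """Split one FortiGate-style log line into a dict of its fields."""
    m = _TS.match(line)
    if not m:
        raise ValueError("missing date/time prefix: %r" % line)
    fields = {"date": m.group(1), "time": m.group(2)}
    for key, value in _KV.findall(line[m.end():]):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # strip the quotes around msg="..."
        fields[key] = value
    pri = fields.get("pri")
    if pri not in PRIORITY_ORDER:
        raise ValueError("unknown or missing pri=%r in %r" % (pri, line))
    return fields


def at_least(pri, threshold):
    """True when pri is as severe as, or more severe than, threshold."""
    return PRIORITY_ORDER.index(pri) <= PRIORITY_ORDER.index(threshold)


def select_alerts(lines, threshold="warning"):
    """Return the parsed records an alert e-mail rule set at `threshold`
    would pick up, in input order. Malformed lines raise rather than
    being silently dropped."""
    records = (parse_log_line(line) for line in lines)
    return [r for r in records if at_least(r["pri"], threshold)]


# Line 1 is the slide's example; lines 2 and 3 are constructed samples
# (placeholder log_id values) that sit on either side of the threshold.
SAMPLE_LOGS = [
    '2006-03-22 14:23:37 log_id=0104032126 type=event subtype=admin pri=notice '
    'vd=root user=admin ui=GUI(192.168.96.1) seq=3 '
    'msg="User admin added new firewall policy 3 from GUI(192.168.96.1)"',
    '2006-03-22 14:25:02 log_id=0000000001 type=event subtype=system pri=warning '
    'vd=root seq=4 msg="constructed sample: system event"',
    '2006-03-22 14:26:10 log_id=0000000002 type=event subtype=admin pri=information '
    'vd=root user=admin ui=GUI(192.168.96.1) seq=5 msg="constructed sample: login"',
]

if __name__ == "__main__":
    # A "notice" threshold also catches the configuration change on line 1.
    for rec in select_alerts(SAMPLE_LOGS, "notice"):
        print(rec["time"], rec["pri"], rec["msg"])
```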
Transparent Mode

Description
• A mode that enables the firewall to behave like a layer 2 bridge and still retain its content inspection capabilities

Positioning
• Reasons to use Transparent mode:
  – Network diagnostics
  – Not wanting to alter the IP addressing scheme
  – Wishing to "try out" the firewall
  – A drop-in solution for content inspection and filtering (including AV, IPS, web filter)

Configuration
• Enabling transparent mode can be done in a few ways:
  – GUI
  – CLI or console
  – LCD (on supported models)
• Most configuration performed in NAT/Route mode will be lost
• The GUI and CLI must now be accessed using the management IP

Configuration (continued)
• The default management IP is 10.10.10.1, accessible via the Internal or Port 1 interface of the firewall
• Administrative access is still performed on a per interface basis
• Firewall policies remain necessary for traffic to flow through the firewall

Limits of Transparent Mode
• Transparent mode cannot:
  – Perform NAT/Route of traffic
  – SSL VPN
  – PPTP/L2TP VPN
  – DHCP server

FortiGuard
• The firewall must have a valid default gateway
• FortiGuard Services require Internet access, and occur on 53/UDP by default or optionally on 8888/UDP
• Push updates will require a virtual IP on the gateway pointing to the management IP

Interfaces
• For a transparent mode firewall to pass VLAN traffic it must have:
  – VLAN interfaces with the appropriate VLAN ID
  – A firewall policy permitting the exact traffic
• VLAN interfaces must be present on any ports through which tagged packets will flow

System Health Monitoring
• Firewall health monitoring:
  – CPU utilization history
  – Memory utilization history
  – Active session table
  – FortiAnalyzer disk space

Firewall Session Table
• View current sessions on the firewall
• Filter based on:
  – Protocol
  – Source IP/Port
  – Destination IP/Port
  – Firewall Policy ID
• Allows session removal
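The Firewall Address Objects slide earlier in the deck lists five ways to declare an IP / IP Range (single host, dotted mask, CIDR, dash range and bracket range). The following Python is an added example, not code from the deck or from FortiOS: it parses those five notations into networks and answers the membership question a policy lookup asks. The bracket and dash forms are assumed to be inclusive ranges, and a host address paired with a shorter mask is rejected rather than silently widened.

```python
import ipaddress
import re

# Bracket form: 192.168.1.[99-105]; dash form: 192.168.1.99-192.168.1.105.
_BRACKET = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){2})\.\[(\d{1,3})-(\d{1,3})\]$")
_DASH = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")


def _range(first, last):
    """Inclusive IPv4 range -> minimal list of covering networks."""
    if last < first:
        raise ValueError("range end %s precedes start %s" % (last, first))
    return list(ipaddress.summarize_address_range(first, last))


def parse_address_object(text):
    """Return the IPv4 networks covered by one address-object string.
    Raises ValueError on malformed input (assumed behaviour of this
    example, so a typo cannot turn into an over-broad object)."""
    text = text.strip()
    m = _BRACKET.match(text)
    if m:  # 192.168.1.[99-105] (assumed inclusive)
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        return _range(ipaddress.IPv4Address("%s.%d" % (prefix, lo)),
                      ipaddress.IPv4Address("%s.%d" % (prefix, hi)))
    m = _DASH.match(text)
    if m:  # 192.168.1.99-192.168.1.105 (assumed inclusive)
        return _range(ipaddress.IPv4Address(m.group(1)),
                      ipaddress.IPv4Address(m.group(2)))
    # Single host (192.168.1.99), CIDR (192.168.1.0/24) and dotted-mask
    # (192.168.1.0/255.255.255.0). strict=True rejects host bits under the
    # mask instead of widening the object to the whole subnet.
    return [ipaddress.IPv4Network(text, strict=True)]


def address_count(text):
    """How many individual addresses the object covers."""
    return sum(net.num_addresses for net in parse_address_object(text))


def matches(text, ip):
    """True if ip falls inside the address object."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in parse_address_object(text))


if __name__ == "__main__":
    for obj in ("192.168.1.99", "192.168.1.0/255.255.255.0", "192.168.1.0/24",
                "192.168.1.99-192.168.1.105", "192.168.1.[99-105]"):
        print(obj, "->", [str(n) for n in parse_address_object(obj)],
              "count", address_count(obj))
```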