FortiGate MultiThreat Security Systems Administration and Content Inspection

About This Presentation

Title:

FortiGate MultiThreat Security Systems Administration and Content Inspection

Description:

The FortiGate unit is shipped with a factory default configuration that allows ... Bit Torrent. eDonkey. Gnutella. KaZaa. Skype. WinNY ... – PowerPoint PPT presentation

Number of Views:3480

Avg rating:3.0/5.0

Slides: 119

Provided by: trevor9

Category:

more less

Transcript and Presenter's Notes

Title: FortiGate MultiThreat Security Systems Administration and Content Inspection

1
FortiGate Multi-ThreatSecurity Systems
Administration and Content Inspection
2
Topics

System setup
Logging and Alerts
Firewall Policies
Antivirus Scanning and Content Inspection
Web Filtering
IM and P2P Filtering
Administration and Maintenance
Transparent Mode

3
System SetupFortiGate Multi-Threat Security
Systems - Administration and Content Inspection
4
FortiGate Antivirus Firewall

Network-level Services
Firewall
Intrusion prevention and detection
VPN
Traffic shaping
Application-level Services
Firewall
Intrusion prevention and detection
Virus protection
Content filtering for web connections and email

5
Web-based Manager

HTTP or HTTPS
Web browser
Windows
Mac
Linux
Configure and monitor a FortiGate unit
Configuration changes effective immediately
Download, save, and restore configurations

6
Command Line Interface

Serial port
RS232
Network
Telnet
SSH
Same configuration capabilities as the web-based
manager
Advanced configuration capabilities

7
Factory Default Settings

The FortiGate unit is shipped with a factory
default configuration that allows you to connect
to and use the FortiGate web-based manager to
configure the unit onto the network
Internal interface 192.168.1.99/24
https , ping access is enabled
External interface 192.168.100.99/24
ping is enabled
Firmware upgrade using TFTP is done using the
internal interface only (interrupt boot process)

8
Modes of Operation

NAT/Route Mode
Default out of box configuration
Each interface is on a different network
Allows the firewall to operate as a bastion
gateway
Transparent Mode
Firewall operates as a bridge
Administration performed via a management IP
address
Allows for most FortiGate features without
altering IP infrastructure of network

9
NAT/Route Mode

Hide your internal addressing scheme behind a
firewall

10
Transparent Mode

The firewall acts as a bridge and requires an IP
address for management and updates
The FortiGate unit is invisible to the network

11
System Dashboard

Shown after a successful GUI login
Displays firewall status at a glance including
FortiGuard Subscriptions status
Statistics for content archiving and IPS
Current system time and uptime
CPU and memory utilization

12
System Dashboard
13
FortiGuard Distribution Network Updates

For updating Antivirus and IPS signatures
World wide points of presence.
There are three ways to update via FDN
Scheduled
Push
Manual

14
FortiGuard Distribution Network Updates
15
Administrative Access

Options for access to the firewall for purpose of
administration and maintenance
Enabled per interface
Administrative access options are
HTTP (GUI)
HTTPS (GUI)
Telnet (CLI)
SSH (CLI)
SNMP
PING

16
Administrative Users

Accounts responsible for firewall administration
Have CLI / GUI access to the firewall
User account can be held locally or via RADIUS
Logins and passwords are case sensitive

17
Administrative Users

Accounts can be limited by use of Access Profiles
The default administrative account is admin
The default access profile is prof_admin. This
profile has all permissions

18
IP Addressing

IP addresses can be assigned in three ways
Static
DHCP
PPPoE
Dynamic DNS (DDNS) supported for major providers
Administrative access is configured per interface

19
VLANs

Highly flexible, efficient network segmentation
Supported on models 60 and higher
IEEE 802.1Q
Segregate devices logically instead of physically
by adding 802.1Q VLAN tags to all packets sent
and received by the devices
A single FortiGate unit can provide security
services and control connections between multiple
security domains
NAT/Route and Transparent modes

20
Virtual Domains

ease of management
lower costs one system with multiple firewalls
each virtual domain functions like a single
FortiGate unit
exclusive firewall and routing services to
multiple networks
traffic from each network is effectively
separated for every other network
packets never cross virtual domain borders
NAT/Route and Transparent modes

21
DHCP Server

A DHCP server may be configured on any interface
with a static IP address
The firewall can support multiple DHCP servers on
a single interface.

22
DHCP Relay

Allows the firewall to relay a DHCP request to a
remote DHCP server

23
Static Routes

Default gateway entry. Required for public
network access
Routing decision is based on destination network
The outgoing interface and metric can be
specified
Multiple routes to the same destination can
exist, but only one is preferred

24
Logging and AlertsFortiGate Multi-Threat
Security Systems - Administration and Content
Inspection
25
Overview

Ability to log session transaction data and
downloaded files
Ability to log to multiple locations
simultaneously
Seamless integration with FortiAnalyzer appliance
Alert e-mail system

26
Configuration

Choose the location and level
FortiAnalyzer
SysLog
Memory
Enable logging
Protection Profile (Content, Content Archiving)
Event log
Firewall Policy or Interface (Traffic)

27
FortiAnalyzer

A logging and security center point on the
network
Allows for IPSec encrypted log transfer from the
firewall
Full reporting functions
Required for content and file archiving functions

28
Viewing Log Files

View logs located on the FortiAnalyzer from the
firewalls GUI

29
Event Logging

Responsible for
Core system events
VPN events
Administration events

30
Content Archiving

The ability to log session transaction data for
HTTP
FTP
NNTP
IM (AIM, ICQ, MSN, Yahoo!)
Mail (POP3, IMAP, SMTP)
Ability to archive downloaded files and e-mails
Requires a FortiAnalyzer appliance

31
Log Message Priorities

All messages have a Priority level
Emergency
Alert (IPS Signature)
Critical (IPS Anomaly)
Error (Category rating, network address)
Warning (Content filtering, system event)
Notice (Configuration change)
Information (traffic, authentication, content)
2006-03-22 142337 log_id0104032126 typeevent
subtypeadmin prinotice vdroot useradmin
uiGUI(192.168.96.1) seq3 msg"User admin added
new firewall policy 3 from GUI(192.168.96.1)"

32
Alert E-mail

Generates an e-mail upon detection of a message
meeting a defined severity level
Supports multiple recipients
Supports servers requiring SMTP authentication

33
Traffic Logging

Cannot be logged to memory
Traffic logging is enabled within
Firewall policies
Interfaces
Logging traffic per firewall policy is usually
preferred

34
Firewall PoliciesFortiGate Multi-Threat
Security Systems - Administration and Content
Inspection
35
Description

Allows traffic to pass through the firewall from
one interface to another
Traffic cannot pass through a firewall unless
matched exactly by a firewall policy

36
Firewall Policies

Are comprised of an interface pair source and
destination
In NAT/Route mode the firewall policy dictates
whether traffic will NAT or route
There are two primary types of firewall policies
Accept
Deny

37
Firewall Policy Example
Interface pair
Schedule
Service
NAT/Route
38
Firewall Address Objects

Two types of addresses
IP / IP Range
Fully Qualified Domain Name (FQDN)
Several ways to declare an IP / IP Range
192.168.1.99
192.168.1.0/255.255.255.0
192.168.1.0/24
192.168.1.99-192.168.1.105
192.168.1.99-105

39
Firewall Addresses - FQDN

The firewall must have functioning DNS entries to
utilize FQDN address objects
FQDN resolution cache is dictated by the DNS
server

40
Firewall Address Object Groups

Used to group multiple address objects
Object groups are available for selection in
firewall policies

41
Firewall Service Objects

Allows firewall policies to use specific
protocol-port combinations
The firewall has many predefined service objects
Creation of custom service objects
Can create service groups for additional
flexibility

42
Firewall Service Objects - Custom

Three types of custom service objects
TCP/UDP
ICMP
IP

43
NAT

Default NAT behavior
Source IP translated to destination interfaces
IP
Sessions differentiated by port
Fixed Port behavior
Source IP translated to destination interfaces
IP
Source and destination port not altered
IP Pool behavior
Source IP translated to available IP within
selected IP Pool

44
Virtual IP Description

Used to allow the public limited access to an
internal host
Two primary types
Static NAT
Load Balance
Ability to perform port forwarding

45
Virtual IP Static NAT

Creates a bi-directional translation between an
internal IP and an external IP
The source IP of traffic originating from the
internal host will be translated
It is possible to utilize IP ranges
Port Forwarding can be used to alter the source
or destination ports

46
Virtual IP - Load Balancing

External IP address is mapped to multiple
internal IP addresses
A single IP address seen by the outside
External IP address must be static, and not
assigned to an interface
Round robin is utilized for load balancing

47
Firewall Policy Authentication Description

Enabled within a firewall accept policy
Users must authenticate with the firewall in
order for sessions to pass
Authentication occurs against object(s) in a user
group or an active directory

48
Firewall Authentication

User groups may contain
Radius server
LDAP directory
Local users
Selection of protection profile is now in the
user group
To authenticate against an Active Directory the
FSAE extensions must be installed

49
Firewall Authentication Protocols

The firewalls allows authentication on the
following protocols
HTTP/HTTPS
FTP
Telnet
Service groups can be used to force
authentication of protocols not directly
supported
Default authentication timeout is 15 minutes

50
Antivirus Scanningand Content InspectionFortiGa
te Multi-Threat Security Systems -
Administration and Content Inspection
51
Content Inspection

Antivirus is a component of the Content
Inspection System
Content inspection is comprised of many services
including
Antivirus
Spam filtering
Web filtering
Instant Message (IM) filtering
Logging
Content archiving

52
Content Inspection

Content inspection applies to the following
protocols
HTTP
FTP
Mail (IMAP, POP3, SMTP)
IM (AIM, ICQ, MSN, Yahoo!)
NNTP

53
Content Inspection Configuration

For traffic to flow two parts are necessary
A source-destination interface pair
A firewall policy permitting the traffic
Content inspection requires an additional
component
Protection Profile
The Protection Profile is applied to either
Firewall policy
Authentication group

54
Protection Profile

Each content inspection system has its own
configuration area
The Protection Profile is where content
inspection is enabled

55
Protection Profiles - Defaults

There are four preconfigured Protection Profiles
Web (HTTP AV scan, Basic WF)
Scan (All AV scan)
Strict (All AV, Full WF, No Oversize, IPS)
Unfiltered
A custom Protection Profile is recommended.

56
Protection Profile Creation

For firewalls up to the FortiGate 1000 a maximum
of 32 Protection Profiles can be created
For firewalls beyond the FortiGate 1000 a maximum
of 200 Protection Profiles can be created

57
Antivirus

To decrease the chance of malicious code
execution by clients
Accelerated by proprietary FortiASIC
Capable of protecting
HTTP
FTP
Mail (IMAP, POP3, SMTP)
IM (AIM, ICQ, MSN, Yahoo!)
NNTP

58
Antivirus Features

The Antivirus system has many components
including
Real-time scanning of traffic
File pattern blocking
Fragmented e-mail blocking
Oversized file/e-mail blocking
E-mail signatures
Logging

59
Antivirus Updates

The Antivirus has two components that require
regular update
Engine
Signatures
The updates can be retrieved from
FortiGuard Distribution Network (FDN)
Packages located on the support site

60
Antivirus Scanning - Archives

Scanning of archives
Scanning of packers
Scanning of encoded files
The uncompression size limit may need to be
changed

61
Antivirus Engine

The Antivirus system is port based
It is possible to add additional ports to each
supported protocol
Only active in a session when a file transfer is
detected

62
Grayware / Spyware

The firewall supports scanning for grayware and
spyware threats such as
Adware
Browser Helper Objects (BHO)
Spyware
Disabled by default
Can be selectively enabled in the Antivirus config

63
File Pattern Blocking

Configured in the File Pattern section of
Antivirus
Can be enabled in Protection Profile for all
protocols supported by Antivirus scanning
Performed before Antivirus scanning

64
Client Comforting

Can be enabled within the Protection Profile
Passes data to the client during scanning process
Available for
HTTP
FTP

65
Oversized Files

Firewalls below the enterprise class can scan
files up to 10 of total memory size
Files above this threshold are termed Oversized
files
The oversized file threshold can be lowered to
improve performance
The firewall can be configured to pass or block
oversized files

66
Quarantine

Allows the firewall to quarantine files to a
FortiAnalyzer for later retrieval or analysis
Blocked HTTP and FTP files cannot be quarantined

67
Web FilteringFortiGate Multi-Threat Security
Systems - Administration and Content Inspection
68
Description

Web Filtering is a content inspection service
that allows for control of HTTP data through a
firewall
Blocked content is replaced with a customizable
replacement page

69
Web Filtering - Features

The firewalls web filter includes the following
FortiGuard Web Filter
Score based content blocking
URL filtering
Content exempting
URL exempting
ActiveX, cookie, and Java applet filter
Web resume download blocking

70
URL Filtering

Allows for the filtering of a URL using
Simple
Regular Expression (regex)
The following actions can be taken
Block
Allow (Allowed, and processed by AV)
Exempt (Allowed, and not processed by AV)
These rules are sensitive to ordering

71
Content Blocking

Allows for blocking of web content using
Wildcards
Regular expressions
Ability to assign a score to individual banned
patterns
Choose a score threshold within the Protection
Profile

72
Content Exemption

Can be used with content blocking to only allow
selected content
Language sensitive
Content exempted is not processed by AV

73
FortiGuard Web Filter

Managed web filtering solution with 76 categories
Allows for selective override and local
categorization
Images can be blocked based on URL

74
FortiGuard Web Filter - Override

Manual override of ratings can be based upon
Domain (www.fortinet.com)
Directory (www.fortinet.com/support)
Categories (Information Technology)
The override can be effective for
Users
User Groups
IP
Protection Profile

75
IM and P2P FilteringFortiGate Multi-Threat
Security Systems - Administration and Content
Inspection
76
IM Features

IM protocols supported
MSN Messenger
ICQ
AOL Instant Messenger (AIM)
Yahoo! Instant Messenger (Yahoo!)
Features
Protocol block/allow
User block/allow
Usage statistics
File transfer and audio blocking

77
IM Features - FortiAnalyzer

IM chat summary information
Full IM chat information
Archiving copies of files transferred

78
IM Configuration

For all IM functions the appropriate protocols
must be enabled in the Protection Profile

79
IM/P2P Overview Screen

Ability to view for each IM protocol
Amount of current users
Amount of chat sessions / total messages
Amount of file transfers / voice chats
Ability to view for each P2P protocol
Total number of bytes transferred
Average bandwidth utilization

80
Protocol Screen

Allows for more detailed information for each IM
protocol including
Amount of group chats
Amount of private chats
Amount of messages sent/received
Amount of voice chats received/blocked

81
IM Users

By default all IM traffic is automatically
blocked
Users that are allowed/blocked automatically are
added to the temporary users list
Users can then be permanently blocked/allowed on
a per protocol basis
Current IM users can be viewed

82
Extended Options IM Protection Profile

Block audio/voice transfer
Block file transfers
Block logins (per protocol)
Enable detection for IM traffic on non-standard
ports

83
IM Antivirus

Features
Antivirus scanning for file transfers
File pattern blocking
Must be enabled within the Anti-Virus section of
the Protection Profile
If a virus is detected during an IM session a
message will appear within the window stating
that a virus has been blocked

84
P2P Features

Ability to block pass or block traffic for
Bit Torrent
eDonkey
Gnutella
KaZaa
Skype
WinNY
Ability to limit transfer rates (KB/s) for all
but Skype traffic

85
FortiAnalyzerFortiGate Multi-Threat Security
Systems - Administration and Content Inspection
86
Description

A purpose-built appliance for centralized logging
and network security analysis

87
Features

Hardened, IPSec capable appliance
Certain models allow for hard disc redundancy
using RAID
Full suite of reports
Enables quarantine of potentially malicious files

88
Features

Forensic analysis and aggregation of log data
Network vulnerability scanning
Ability to function as a secured NAS device

89
Configuration

The firewall must have the FortiAnalyzer selected
as a logging destination
The firewall must be registered on the
FortiAnalyzer

90
Log Browser

Ability to view specific log types for individual
devices

91
Reporting Features

Three types of reports
Scheduled
On demand
Built in summary
Reporting in several output formats
HTML
PDF
MS Word
Text

92
Reporting Features

Ability to use IP aliases
Reports can have custom graphics and titles
High degree of selection granularity

93
Quarantine

The FortiAnalyzer allows all FortiGates to have a
quarantine
Automatic uploading of files can be enabled
Automatic ticketing system
Only one copy of a quarantined file is held on
the FortiAnalyzer.

94
FortiAnalyzer Quarantine

FortiAnalyzer quarantine example

95
Security Events

Can view recent security events for
Virus
Intrusion (IPS)
Suspicious

96
Vulnerability Scan

Can scan hosts/subnets for security
vulnerabilities
Can be scheduled or on demand

97
Log Rolling and FTP archive

Log files can be rolled based on
File size
Time
Logs can be uploaded to an FTP server

98
Log Viewer

Allows for real-time viewing of log messages
Full filtering capability

99
Administration and MaintenanceFortiGate
Multi-Threat Security Systems - Administration
and Content Inspection
100
Maintenance

Maintenance of firewalls includes many tasks such
as
Configuration backup
IPS signature updates
Antivirus signature updates
FortiGuard Center
Firmware upgrades
FortiGuard Services registration / maintenance

101
Configuration Backup

Configuration can be backed up from
GUI
CLI
The backup file can be sent to
FortiUSB
Local PC GUI (HTTP)
Local PC CLI (TFTP)

102
Configuration Backup

There are two types of backup
Clear text (default)
Password protected
Password protected backups provide
Backup of IPSec certificates
Protection from alteration (checksum)

103
Configuration Restore

A password protected backup will be invalid
Password is forgotten
Backup file is altered or corrupted

104
Registration

Registering your firewall provides many benefits
including
FortiGuard Services activation and trials
Service and support contracts
Centralized device information
Creation of support tickets
Technical support forum access
Access to firmware updates

105
Fortinet Support Registration
Product Information
Service agreements
Active support tickets
106
FortiGuard Distribution Network

A Fortinet maintained world wide network for
update distribution
Antivirus signatures
IPS signatures
There are three ways to update using FDN
Scheduled
Push
Manual

107
FDN Push Updates

When Push updating is configured the FDN network
Sends a token to your firewall when an update is
available
Update occurs on 9443/UDP
The firewall will require a virtual IP on any NAT
device between it and the public network

108
Firmware Maintenance

Fortinet makes firmware updates available at
support.fortinet.com
A configuration backup should be performed before
any firmware maintenance
Firmware files are platform specific

109
Firmware Upgrades

Firmware can be updated in three ways
FortiUSB
GUI
CLI (TFTP)
During a firmware upgrade the configuration will
be retained

110
Firmware Testing and Multiple Images

Starting with the FortiGate 100A, firewalls have
two partitions within NVRAM.
This allows these models to have
Two independent firmware images
Two independent configuration files

111
http//www.fortinet.com/FortiGuardCenter

Fortinets most current Malware information and
security alerts
Advisories
Virus and Spyware encyclopedias
Latest IPS vulnerabilities
Global threat statistics
FortiGuard URL lookup
and more!

112
Transparent ModeFortiGate Multi-Threat Security
Systems - Administration and Content Inspection
113
Description

A mode that enables the firewall to behave like a
layer 2 bridge and still retain its content
inspection capabilities

114
Positioning

Reasons to use Transparent mode
Network diagnostics
Not wanting to alter IP addressing scheme
Wishing to try out the firewall
A drop in solution for content inspection and
filtering (including AV, IPS, web filter)

115
Configuration

Enabling transparent mode can be done in a few
ways
GUI
CLI or console
LCD (on supported models)
Most configuration performed in NAT/Route mode
will be lost
The GUI and CLI must now be accessed using the
management IP

116
Configuration

The default management IP is 10.10.10.1
accessible via the Internal or Port 1 of the
firewall
Administrative access is still performed on a per
interface basis
Firewall policies remain necessary for traffic to
flow through the firewall

117
Limits of Transparent Mode

Transparent mode cannot
Perform NAT/Route of traffic
SSL VPN
PPTP/L2TP VPN
DHCP server

118
FortiGuard

The firewall must have a valid default gateway
FortiGuard Services require Internet access, and
occur on 53/UDP by default or optionally on
8888/UDP
Push updates will require a virtual IP on the
gateway pointing to the management IP

119
Interfaces