ssl-vpn tunnels using fortigate and forticlient info-byte ssl-vpn v1.2.pdf
TRANSCRIPT
CONFIDENTIAL
SSL-VPN TUNNELS USING FORTIGATE AND FORTICLIENT
WHAT IS?: VIRTUAL PRIVATE NETWORK (VPN)
▪ A VPN creates a tunnel that extends a private network across the public network (the internet) to your corporate network
▪ Designed to safely transmit data:
» Tamper-proof, to stop messages/files from being changed in transit
» Encrypted, so unauthorized users cannot eavesdrop or read
» Requires authentication, so that only known users send/receive
▪ SSL and TLS are the protocols commonly used to encapsulate and secure online banking; they sit higher on the network stack than IP, so they usually carry more identification (bits/bandwidth) in their protocol headers, and an SSL-VPN tunnel can only be established between a computer and vendor-specific client software
WHAT IS?: VIRTUAL PRIVATE NETWORK (VPN)
▪ Examples of workers in a private network:
» Branch offices connecting to central HQ (even on the other side of the world)
» Workers using a hotspot (3/4G) on the road
» Workers travelling, on hotel internet with a laptop
» Workers on home internet/PC
» Hackers also attempt to hijack these virtual private networks
BEST PRACTICE SECURITY
“Virtual Private Network (VPN) connections can be an effective means of providing remote access to a network; however, VPN connections can be abused by an adversary to gain access to a network without relying on malware and covert communication channels.
If a device using a VPN connection is compromised there is the security risk it could be used to compromise connected networks. Because of this, all VPN traffic should be treated as untrusted, potentially malicious and subjected to the same scrutiny as any external communications.”
- Australian Signals Directorate, April 2020
BEST PRACTICE SECURITY
▪ VPNs should be configured to have the following:
» VPN termination points with DMZ security access rules
» Multi-factor authentication and device/operating system restrictions for user logins
» Enforcing a host-check for anti-virus and geo-location (Aust. IP address)
» Effective logging and log analysis
▪ If split-tunnel (directing only corporate-destined traffic through the VPN) is to be used, you must use the configuration methods above, as a user who is compromised during a split-tunnel VPN session could create a breach tunnel into your corporate network
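The five controls above, written out as one FortiGate configuration. This is an added example in hypothetical FortiOS 6.x CLI syntax, not configuration from the deck or from Fortinet; it assumes the address objects "corp_lan" and "dmz_servers", the default pool "SSLVPN_TUNNEL_ADDR1", interfaces wan1 and dmz, and an already-imported FortiToken for the demo user jzullo.

```text
# Hypothetical FortiOS 6.x CLI; assumes corp_lan, dmz_servers, SSLVPN_TUNNEL_ADDR1, wan1 and dmz exist
config firewall address
    edit "Australia"
        set type geography
        set country "AU"
    next
end
config user local
    edit "jzullo"
        set type password
        set passwd "<strong-password>"
        set two-factor fortitoken
        set fortitoken "<serial-of-assigned-FortiToken>"
    next
end
config vpn ssl web portal
    edit "corp-tunnel"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling enable
        set split-tunneling-routing-address "corp_lan"
        set host-check av
    next
end
# geo-location: the SSL-VPN listener accepts only Australian source IPs
config vpn ssl settings
    set source-interface "wan1"
    set source-address "Australia"
    config authentication-rule
        edit 1
            set users "jzullo"
            set portal "corp-tunnel"
        next
    end
end
# DMZ access rule for tunnel users, fully logged for later log analysis
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "dmz"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "dmz_servers"
        set users "jzullo"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

With split-tunneling enabled, only traffic for "corp_lan" enters the tunnel, which is why the host-check, MFA and geo restriction are applied in the same configuration.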
CURRENT LANDSCAPE
▪ ID and password to the remote-controlled PC:
» Usually installed on the domain server to access Active Directory
» Not often updated, as the server is not accessed daily, sometimes not for months
» Hackers regularly exploit this; the last major case was an admin password in clear text [1]
▪ External IP address and username/password:
» Workers connect to a terminal server to access their share drive and office apps
» Part of a VM farm which resides on the physical business server that usually hosts other important apps
» Hackers brute-force a log-on session, then perform a survey
▪ Ports are opened to the internet to allow IT equipment to work:
» Phone and video conferencing open ports to communicate with branch systems and make/receive calls
» Some equipment opens ports to allow for auto-updates and remote settings administration
» Hackers test for the port, then try default credentials
Fortinet Recognized as a Leader
Marks 10th time in a row that Fortinet is in the Magic Quadrant for Network Firewalls
NSS Labs 3rd-Party Certifications
▪ Most recent 2019 test results
[Chart: NSS Labs Recommendations] Fortinet - 9: Next-gen Firewall (NGFW), Next-gen Intrusion Prevention System (NGIPS), Data Centre IPS, Data Centre Security Gateway (DCSG), Breach Prevention System (BPS), Breach Detection System (BDS), Advanced Endpoint Protection (AEP), Web Application Firewall (WAF), Software-Defined Wide Area Network (SD-WAN); Palo Alto Networks - 4; Check Point - 3; Cisco - 2
Traditional access layer approach = Complexity
[Diagram: separate point solutions for VPN, Web Filtering, IPS, Application Control, Wi-Fi Controller, Advanced Threat Protection, Antivirus, Firewall, Management, Switching]
Complexity is the Enemy
▪ Multiple point solutions
▪ Multiple platforms
▪ Multiple management consoles
▪ Inconsistent policy and networking
▪ Varying upgrade cycles
▪ Slow and porous threat response
▪ Resources strained to maintain
▪ Prone to configuration complexity
Fortinet Security Fabric = Simplicity
[Diagram: FortiGate with a single Management layer]
FortiGate consolidates
▪ One UI to learn
▪ Single platform to manage
▪ Single place for security policies
▪ Reduced chance of config error
▪ Lower CAPEX, OPEX, Training, Personnel
FORTINET SOLUTION FORM FACTORS
Hardware Appliance
» Dedicated processor chips to process Content and Network functions separately
» Ruggedized and dual power supply options
» Australian stock for FortiCare hardware replacements
Virtual Machine
» Licensed per CPU or log capacity
» Worry less about projected growth and throughput sizing
» Deploy in your own AWS or Azure cloud to apply true cloud flexibility
Azure/AWS Marketplace
» Auto Scaling functionality and FortiGate CloudFormation template configuration provide automation based on resource demand
» Deploy native Azure/AWS scripting to automatically push malicious IP/DNS addresses or load balancing into dynamic FortiGate policies
PRODUCT MATRIX » FortiGate
Model              Concurrent SSL-VPNs   AUD RRP (H/W inc 1YR subscription)
FGT-30E            100                   ~$1,000
FGT-50E-60E-80E    200                   ~$1,300 - ~$2,500
FGT-100E-200E      500                   ~$5,000 - ~$9,000
FGT-300E           5,000                 ~$15,000
FGT-VM01           1,000                 ~$3,600
PRODUCT MATRIX » FortiClient
Product (SKU) - Description - AUD RRP (1YR subscription)
FCT-VPN (N/A) - Download from forticlient.com; gives SSL-VPN access with a quick install, up to the max client limit of your FGT - FREE
FCT-FortiClient (FC1-15-EMS01-297-01-12) - 25 devices (computer, server or mobile); unlocks the logon-at-start-up and auto-reconnect features as well as all AV features and tech support - ~$420 (~$1.40 per device per month)
FGT-FortiClient Cloud (FC1-15-EMS01-302-01-12) - 25 devices with the features of the FCT license above but no need for a central management program on your network; Fortinet-hosted EMS - ~$1,050 (~$3.50 per device per month)
PRODUCT MATRIX » FortiToken
Product (SKU) - Description - AUD RRP (1YR subscription)
FortiToken app (FTM-ELIC-5) - 5 device codes for one-time password tokens for iOS and Android mobile devices. Perpetual licenses. - ~$475 (~$95 ea)
FortiToken physical (FTK-200-5 keychain, FTK-220-5 credit card) - 5 one-time password physical tokens in keychain style or credit card style. Perpetual licenses. - ~$490 (~$98 ea)
FortiToken dongle (FTK-300-5) - 5 USB dongles for PKI certificate and client software. Perpetual license. - ~$530 (~$106 ea)
Secure Access
Simplified, consolidated management for your entire infrastructure
Improper remote access vs. proper remote access
Live Demonstration: VPN termination points with DMZ security access rules
FGT-MEL-FortiGate60E
Live Demonstration: Multi-factor authentication and device/operating system restrictions for user logins
FGT-MEL-FortiGate60E, user: jzullo
Live Demonstration: Enforcing a host-check for anti-virus and geo-location (Aust. IP address)
FGT-MEL-FortiGate60E
Live Demonstration: Effective logging and log analysis
FGT-MEL-FortiGate60E
Live Demonstration: Split-tunnel
FGT-MEL-FortiGate60E
Questions?