
FortiGate Firewall Management System / Applications

Presenter: 陳鴻偉 (Hong-Wei Chen), Network Administration Office, Dept. of Computer Science and Information Engineering, National Taiwan University
2012/05/15
What is a firewall?

• A firewall is the security gateway between two different networks
• It tracks and controls network connections
• For each network connection it can choose to allow, deny, drop, encrypt, log, and so on
[Figure: enterprise network <-> firewall <-> Internet; "allow data toward the Internet", "deny data coming from the Internet"]
Today's network security threats have far outgrown what a plain firewall can defend against.

[Figure: "Major Pain Points for Organizations of all Types", a 1970-2000 timeline of threat layers and their countermeasures, with speed and damage ($) rising over time]
• Physical: hardware theft; countered by lock and key
• Connection-based: intrusions; countered by firewall, VPN, IDS
• Content-based: viruses, worms, trojans, banned content, spam; countered by antivirus, content filter, anti-spam
FortiGate - A New Generation of Security Platform

• Stateful firewall
 - Granular security policies
 - Authentication enforcement
 - Quality of Service
 - Virtual firewall
• Antivirus
 - HTTP, FTP, SMTP, POP3, IMAP
 - Signatures, heuristics, activity
• Intrusion detection/prevention
 - Signature, anomaly, activity inspection
• Antispam
 - Static list, FortiGuard Antispam, RBL
• Web filtering
 - Static list, FortiGuard Web Filtering
• Data encryption
 - IPSec, SSL VPN
• Traffic management (QoS)
 - Guaranteed rate, max rate, traffic priority
[Figure: FortiGate between Servers and Users]
Fortinet's native content-security ASIC acceleration
Fortinet features: five security needs met at once

Intrusion prevention (IPS)
• Isolates users who attempt to launch network attacks
• Keeps the enterprise network free of anomalous disturbance

Antivirus
• Blocks users who attempt to spread viruses across the network
• Cross-checks with the enterprise's existing PC-side antivirus scanning

Access control
• Can be combined with Windows AD authentication; access records are indexed faithfully by "user" (not by IP)

Monitoring & Audit
• The bandwidth available to each network service (including IM/P2P) can be set
• Isolates users who misuse the network

Central management
• A unified management platform and interface gives a complete view of the network
• Effective security monitoring that is both centralized and distributed
Complete VPN solution for heterogeneous networks
• IPSec VPN (route-based VPN: OSPF, RIP over IPSec VPN)
• SSL VPN
[Figure: Corporate Data Center FortiGate with Wan1/Wan2 to Service Provider A and Service Provider B; POS sites over IP-VPN, ADSL and FTTB; Media Center over IP-VPN/3.5G; credit card holder and VoIP phone over ADSL and HSDPA; all links terminated as IPSec/SSL VPN]
System Dashboard
• System Information
• Message Console
• Licensing and Entitlements
• Content and Attack Statistics

DHCP Server
• A DHCP server may be configured on any interface with a static IP address
• Multiple DHCP servers on a single interface
• Relay a DHCP request to a remote DHCP server
[Screenshot: DHCP server configuration in the CLI]
Alert E-mail
• Generates an e-mail upon detection of a message meeting a defined severity level or event category type
• Up to three recipients on the specified mail server
• Supports SMTP authentication

Firewall Session Table
• View current sessions on the firewall
• Filter based on: protocol, source IP/port, destination IP/port, firewall policy ID
• Allows session removal

Firewall operating modes
Transparent mode: the FortiGate sits
 1. between the router and the switch, or
 2. between the ATU-R (ADSL modem) and the router
[Figure: Internet - ATU-R - FortiGate firewall - Router - FortiGate firewall - Switch]
Whether in Route/NAT mode or in Transparent mode, every packet passing through is inspected by the FortiGate.

NAT (Network Address Translation): how address translation works
[Figure: enterprise network with internal IP addresses 192.172.1.1-192.172.1.254 (the figure's own example range) behind the public IP address 219.22.165.1, facing the Internet]

• Translates the reserved addresses used inside the enterprise into legitimate (public) addresses
 - Hides the real addresses of internal hosts so they are not directly exposed to attack
 - Lets the enterprise run more internal hosts than it has public addresses

NAT (Network Address Translation): how address translation works
[Figure: internal network 192.168.1.0/24, host .5, FortiGate in NAT mode with external interface 1.1.1.1, Internet, gateway 1.1.2.1, Http-Server 1.1.2.5]

Packet before NAT (inside):
 SrcIP        DstIP    Prot SrcPort DstPort Data
 192.168.1.5  1.1.2.5  6    12345   80      Get

Packet after NAT (outside):
 SrcIP        DstIP    Prot SrcPort DstPort Data
 1.1.1.1      1.1.2.5  6    54321   80      Get

• Firewall policy with NAT enabled:
 - The internal source IP is translated to the IP of the FortiGate's external interface; the FortiGate records the translation in its NAT table
 - Alternatively, the internal source IP is translated to an IP from an IP pool defined on the FortiGate; the translation is likewise recorded
 - RFC 1918 defines the private IP networks:
   10.0.0.0/8
   172.16.0.0/12
   192.168.0.0/16
Route: how routing works
[Figure: internal network 1.1.3.0/24, host .5, FortiGate in Route mode (1.1.1.1), Internet, gateway 1.1.2.1, Http-Server 1.1.2.5]

Packet before the FortiGate:
 SrcIP    DstIP    Prot SrcPort DstPort Data
 1.1.3.5  1.1.2.5  6    12345   80      Get

Packet after the FortiGate (unchanged):
 SrcIP    DstIP    Prot SrcPort DstPort Data
 1.1.3.5  1.1.2.5  6    12345   80      Get

• Firewall policy with NAT disabled:
 - The FortiGate only consults its routing table and forwards the packet to the next hop given there, without changing the source IP or source port
Transparent mode: how it works
[Figure: internal network 1.1.1.0/24, host .5, FortiGate in Transparent mode between 1.1.1.1 and 1.1.2.1, Http-Server 1.1.2.5]

Packet before the FortiGate:
 SrcIP    DstIP    Prot SrcPort DstPort Data
 1.1.1.5  1.1.2.5  6    12345   80      Get

Packet after the FortiGate (unchanged):
 SrcIP    DstIP    Prot SrcPort DstPort Data
 1.1.1.5  1.1.2.5  6    12345   80      Get

• Firewall policy:
 - No NAT and no routing: the FortiGate acts as a layer-2 bridge and simply inspects the packets that pass through it
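The three mode slides above and the earlier Firewall Session Table slide describe one mechanism from two sides: the policy decides whether the 5-tuple is rewritten, and the session table remembers the result. The following model, added here as an example and not code from the slides or from Fortinet, runs the slides' own HTTP request (192.168.1.5 -> 1.1.2.5:80, external interface 1.1.1.1, translated port 54321) through NAT, Route and Transparent handling, maps the server's reply back through the recorded translation, and offers the session-table filter and removal the slide lists. Policy IDs, the IP pool address, the RFC 1918 helper and all class and function names are assumptions made for the example.

```python
"""Added example (not from the slides or Fortinet): a stateful firewall
model covering NAT / Route / Transparent forwarding and a session table
that can be filtered and pruned.  All names and IDs are assumptions."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# RFC 1918 private ranges, as listed on the NAT slide
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True when ip falls inside one of the RFC 1918 ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int        # 6 = TCP, as in the slides' packet tables
    src_port: int
    dst_port: int
    data: str = ""


@dataclass
class Session:
    sid: int
    policy_id: int
    mode: str
    orig: Packet      # 5-tuple as received on the ingress interface
    xlate: Packet     # 5-tuple as forwarded (equal to orig unless NAT)


class Firewall:
    FIELDS = ("proto", "src_ip", "src_port", "dst_ip", "dst_port", "policy_id")

    def __init__(self, ext_ip: str, ip_pool: Optional[list[str]] = None):
        self.ext_ip = ext_ip          # FortiGate external interface address
        self.ip_pool = ip_pool or []  # optional NAT IP pool (assumed)
        self.sessions: dict[int, Session] = {}
        self._next_sid = 1
        self._next_port = 54321       # first translated source port

    def forward(self, pkt: Packet, policy_id: int, mode: str,
                use_pool: bool = False) -> Packet:
        """Apply the policy's mode to pkt, record the session and return
        the packet as it leaves the firewall."""
        if mode == "nat":
            # NAT enabled: source becomes the external interface IP (or an
            # IP-pool address) plus a fresh source port; the translation is
            # kept in the session so replies can be mapped back.
            new_src = self.ip_pool[0] if use_pool and self.ip_pool else self.ext_ip
            out = replace(pkt, src_ip=new_src, src_port=self._next_port)
            self._next_port += 1
        elif mode in ("route", "transparent"):
            # Route: forwarded per routing table, source IP/port untouched.
            # Transparent: bridged at layer 2, packet likewise untouched.
            out = pkt
        else:
            raise ValueError(f"unknown mode {mode!r}")
        sid, self._next_sid = self._next_sid, self._next_sid + 1
        self.sessions[sid] = Session(sid, policy_id, mode, pkt, out)
        return out

    def reverse(self, reply: Packet) -> Optional[Packet]:
        """Map a reply from the server back to the internal host via the
        recorded translation; None when no session matches."""
        for s in self.sessions.values():
            x = s.xlate
            if (reply.src_ip, reply.src_port, reply.dst_ip, reply.dst_port,
                    reply.proto) == (x.dst_ip, x.dst_port, x.src_ip,
                                     x.src_port, x.proto):
                return replace(reply, dst_ip=s.orig.src_ip,
                               dst_port=s.orig.src_port)
        return None

    def filter(self, **criteria) -> list[Session]:
        """Session-table view: match on the ingress 5-tuple fields and/or
        policy_id, exactly the filters the slide lists."""
        unknown = set(criteria) - set(self.FIELDS)
        if unknown:
            raise ValueError(f"unsupported filter keys: {sorted(unknown)}")
        hits = []
        for s in self.sessions.values():
            fields = {"proto": s.orig.proto, "src_ip": s.orig.src_ip,
                      "src_port": s.orig.src_port, "dst_ip": s.orig.dst_ip,
                      "dst_port": s.orig.dst_port, "policy_id": s.policy_id}
            if all(fields[k] == v for k, v in criteria.items()):
                hits.append(s)
        return hits

    def remove(self, sid: int) -> bool:
        """Remove one session from the table (the GUI's session removal)."""
        return self.sessions.pop(sid, None) is not None


if __name__ == "__main__":
    fw = Firewall(ext_ip="1.1.1.1")
    get = Packet("192.168.1.5", "1.1.2.5", 6, 12345, 80, "Get")
    print(fw.forward(get, policy_id=1, mode="nat"))
    print(fw.filter(policy_id=1))
```

Note what the model makes visible that the tables alone do not: only the NAT-mode session differs between `orig` and `xlate`, and it is that stored difference, not the packet itself, that lets the reply to 1.1.1.1:54321 reach 192.168.1.5:12345. Removing a session therefore also breaks the return path for that connection, which is exactly why session removal is useful when cutting off a host.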
Authentication
• A User object is an instance of an authentication method
• A User Group object is a container for User objects
 - Identifies group members
 - Protection Profile and Type provide the authorization attributes for members
• FortiGate units control access to resources based on group membership
 - The combination of User Group and Firewall Policy defines the authorization for a particular user
 - Firewall Policy types: VPN (SSL/IPSec/PPTP/L2TP), FWUA (firewall user authentication)
Authentication - User/Server Types
• Local password file: username and password prompt
• RADIUS: username and password prompt
• LDAP / AD: username and password prompt
• FSAE / NTLM (AD): single sign-on based on an earlier authentication event
• PKI: certificate-based authentication
Authentication - Services
• Firewall Policies (Firewall User Authentication)
• SSL VPN
• IPSec VPN
• PPTP and L2TP
• Admin login
• FortiGuard Web Filtering override
Firewall Policies
• User Groups are linked to Accept firewall policies
 - On successful authentication a temporary rule is created
 - If no traffic matches it, the rule is removed once the 'authtimeout' expires
• Local, RADIUS and LDAP authentication present the user with a login page
 - On successful authentication the user is redirected to the requested site
• Windows AD (FSAE and NTLM): authentication is based on AD group membership
• PKI: the user is authenticated on presentation of a valid certificate
 - HTTPS (and HTTP with redirect to HTTPS)
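The temporary-rule behaviour above is easiest to understand as a small state machine: a login installs a rule keyed by the client's source IP, matching traffic refreshes it, and an idle period longer than 'authtimeout' removes it so the next connection is sent back to the login page. The model below is an added example, not code from the slides or from FortiOS; the users, group names, the 300-second timeout, and the in-memory `backend` dictionary standing in for the Local/RADIUS/LDAP server are all assumptions made for it.

```python
"""Added example (not from the slides or Fortinet): firewall user
authentication (FWUA) on identity-based Accept policies with a temporary
rule per source IP that expires after 'authtimeout' seconds of no traffic.
Users, groups, the timeout value and the backend are assumptions."""
import hmac
from dataclasses import dataclass


@dataclass
class AuthRule:
    src_ip: str
    user: str
    groups: frozenset
    last_seen: float   # time of the last packet accepted under this rule


class FwuaEngine:
    def __init__(self, authtimeout: float, policies: dict, backend: dict):
        # policies: policy_id -> set of User Group names the policy accepts
        # backend:  username  -> (password, [group, ...])  (stand-in for
        #           the Local / RADIUS / LDAP server; plaintext only here)
        self.authtimeout = authtimeout
        self.policies = policies
        self.backend = backend
        self.rules: dict[str, AuthRule] = {}

    def expire(self, now: float) -> list[str]:
        """Remove rules idle for longer than authtimeout; return their IPs."""
        stale = [ip for ip, r in self.rules.items()
                 if now - r.last_seen > self.authtimeout]
        for ip in stale:
            del self.rules[ip]
        return stale

    def login(self, src_ip: str, user: str, password: str, now: float) -> bool:
        """The login page: on success create the temporary rule."""
        entry = self.backend.get(user)
        # constant-time compare; a real backend verifies a hash or asks
        # RADIUS/LDAP, but the rule creation afterwards is the same
        if entry is None or not hmac.compare_digest(entry[0], password):
            return False
        self.rules[src_ip] = AuthRule(src_ip, user, frozenset(entry[1]), now)
        return True

    def check(self, src_ip: str, policy_id: int, now: float) -> str:
        """Decision for a new connection from src_ip hitting policy_id:
        'login'  -> no temporary rule, redirect the client to the login page
        'accept' -> rule exists and the user is in a group the policy allows
        'deny'   -> authenticated, but not authorized for this policy"""
        self.expire(now)
        rule = self.rules.get(src_ip)
        if rule is None:
            return "login"
        if rule.groups & self.policies.get(policy_id, set()):
            rule.last_seen = now   # matching traffic keeps the rule alive
            return "accept"
        return "deny"


if __name__ == "__main__":
    eng = FwuaEngine(300, {10: {"staff"}}, {"alice": ("s3cret", ["staff"])})
    print(eng.check("10.0.0.5", 10, now=0))             # login
    eng.login("10.0.0.5", "alice", "s3cret", now=0)
    print(eng.check("10.0.0.5", 10, now=100))           # accept
    print(eng.check("10.0.0.5", 10, now=700))           # login again
```

Two details worth noticing. The rule is keyed by source IP, which is why everything behind a shared NAT address inherits one user's authentication; and an idle rule is only dropped when `expire` runs, so a very long `authtimeout` keeps a departed user's identity attached to whoever next receives that address.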
SSL VPN
• User Groups are linked to SSL VPN policies
 - Allows users access to the SSL VPN portal
 - Creates temporary rules based on the SSL VPN firewall policies linked to the User Group
• Local, RADIUS and LDAP present the user with a login page
 - On successful authentication the user is connected to the SSL VPN portal
• PKI allows a user to be authenticated on presentation of a valid certificate
 - Users are connected directly to the portal; no username or password is required
IPSec VPN
• Phase 1 objects authenticate remote gateways using a Peer ID and a pre-shared key or certificate
 - Remote gateways with dynamic IPs (dial-up) configure a Local ID, which is sent in the clear when aggressive mode is used
• XAuth is used with dial-up remote gateways to identify the user with a username and password
 - XAuth links to a User Group object of type Firewall
PPTP and L2TP
• FortiOS terminates the PPTP/L2TP connection and assigns authenticated users an address out of the configured address pool
• On successful authentication a temporary rule matching the configured address pool is created
• Local, RADIUS and LDAP are used to authenticate connecting users
Admin login
• An Admin account links to a profile defining the user's role and VDOM membership
• Local and RADIUS
 - If both are configured, the RADIUS object is tried first; if there is no response, the local password is used
 - RADIUS Accounting packets are sent for Admin users
• PKI allows a user to be authenticated on presentation of a valid certificate
 - Users are connected directly to the WebUI; no username or password is required
RADIUS
• FortiGate acts as a network access server (NAS)
 - User information is passed to the RADIUS server
 - The user is authenticated based on the RADIUS server's response
• The RADIUS object identifies the IP address and shared secret of up to two RADIUS servers
• A RADIUS object can be used for all services supporting authentication
• RADIUS Accounting for Admin users
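The slide says the FortiGate passes user information to the RADIUS server and acts on the reply; the shared secret it mentions is what protects both directions of that exchange. The following is an added example, not code from the slides or from Fortinet, of the RFC 2865 exchange at the packet level: the NAS side builds an Access-Request with User-Name, a PAP User-Password hidden under the shared secret (RFC 2865 section 5.2) and NAS-IP-Address, a minimal server side reveals the password and answers Access-Accept or Access-Reject, and the NAS checks the Response Authenticator before trusting the answer (RFC 2865 section 3). The shared secret, user, addresses and identifier are constructed test values.

```python
"""Added example (not from the slides or Fortinet): RADIUS Access-Request /
Access-Accept exchange per RFC 2865 with the NAS in the FortiGate's role.
All secrets, users and addresses are constructed test values."""
import hashlib
import hmac
import os
import struct
from ipaddress import ip_address

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + prev), prev being the Request Authenticator for the first
    block and the previous ciphertext block afterwards."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        blk = bytes(p ^ q for p, q in zip(padded[i:i + 16], pad))
        out, prev = out + blk, blk
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide (what the RADIUS server does)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        blk = hidden[i:i + 16]
        out, prev = out + bytes(p ^ q for p, q in zip(blk, pad)), blk
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """One TLV attribute: Type, Length (incl. header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(ident: int, secret: bytes, username: str,
                         password: str, nas_ip: str, authenticator=None):
    """NAS side: returns (packet, request authenticator)."""
    auth = authenticator or os.urandom(16)   # fresh random per request
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, pap_hide(password.encode(), secret, auth))
             + attr(NAS_IP_ADDRESS, ip_address(nas_ip).packed))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + auth + attrs, auth


def response_authenticator(code, ident, length, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + req_auth + attrs + secret).digest()


def server_reply(request: bytes, secret: bytes, users: dict) -> bytes:
    """Minimal server side: reveal the password, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    user = attrs[USER_NAME].decode()
    pw = pap_reveal(attrs[USER_PASSWORD], secret, req_auth)
    ok = user in users and hmac.compare_digest(users[user].encode(), pw)
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return (struct.pack("!BBH", rcode, ident, 20)
            + response_authenticator(rcode, ident, 20, req_auth, b"", secret))


def verify_reply(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: trust the reply only if its authenticator checks out."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, length, req_auth,
                                      reply[20:length], secret)
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req, ra = build_access_request(7, secret, "alice", "s3cret!", "192.0.2.1")
    rep = server_reply(req, secret, {"alice": "s3cret!"})
    print("accept" if rep[0] == ACCESS_ACCEPT and verify_reply(rep, ra, secret) else "reject")
```

The design point for a firewall administrator is that the Response Authenticator is the only thing stopping anyone on the path to the RADIUS server from replying Access-Accept to a forged request, and it is an MD5 keyed only by the shared secret: a short or guessable secret undermines admin logins, VPN logins and firewall user authentication at once, which is why the secret configured in the RADIUS object deserves the same care as a password.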


LDAP
• FortiGate is configured as an LDAP client of an LDAP server or Active Directory
• Supports the LDAP protocol functionality defined in RFC 2251 for looking up and validating user names and passwords
• FortiOS v3.00 supports three LDAP auth types:
 - Simple: simple password authentication; the FortiGate binds as the user directly, with no search capability (default)
 - Anonymous: binds to the server as an anonymous user, performs the LDAP search for the user's entry, then does the secondary bind as that user with the supplied password
 - Regular: binds (logs on) to the LDAP server with a user-specified username and password, performs the LDAP search, then does the secondary bind as the user found
Types of SSL VPN
• Web Application mode
 - Secured access to a portal interface
 - Available via any browser supporting SSL version 2 or 3
• Tunnel mode
 - Virtual IP assignment (similar to PPP)
 - Uses ActiveX and Java controls
 - Host security is based only on firewall policies
SSL VPN - Configuration
• VPN > SSL > Config

SSL VPN - Configuration
• User > User Group

Thanks
