Fortigate 防火牆管理系統/應用

31  Download (0)

Full text

(1)

Fortigate 防火牆 管理系統 / 應 用

主講人:

臺大資工網管室 陳鴻偉

2012/05/15

(2)

何謂防火牆 ?

防火牆 :

兩個不同網路間的安全閘道

追蹤及控制網路的連線

可以對每一個網路連線選擇允許 , 拒絕 , 丟棄 , 加密 , 紀錄等動作

企業網路

“ 允許資料往 Internet”

Internet

“ 拒絕來自 Internet 的資料”

(3)

當今網路安全威脅已遠超過防火牆的防禦能力

1970 1980 1990 2000

PHYSICAL

CONNECTION-BASED CONTENT -BASED

Hardwar e Theft Intrusions Viruses Trojans Worms Banned Content Spam

SPEED, DAMAGE ($)

Major Pain Points for Organizations of all Types

Lock & KeyFirewall

IDS

Anti- virus VPN

Conten t Filter

Anti- spam

(4)

FortiGate

- A New Generation of Security Platform

Users Servers

狀態式防火牆

Granular security policies

Authentication enforcement

Quality of Service

Virutal Firewall

防毒

HTTP, FTP, SMTP, POP3, IMAP

Signatures, Heuristics, Activity

入侵偵測 / 防禦

Signature, Anomaly, Activity Inspection

垃圾郵件過濾

Static list, FortiGuard Antispam, RBL

不當網頁過濾

Static list, FortiGuard Web Filtering

資料加密

IPSec, SSLvpn

流量管理 (QoS)

Guaranteed rate, Max rate, Traffic priority

(5)

FortiNet 原生的內容安全 ASIC 加速

(6)

入侵偵測防禦 (IPS)

隔離企圖引起網路攻擊事件的使用者 保障企業網路不受異常侵擾

防 毒 (Antivirus)

阻絶企圖經由網路散佈病毒的使用者

與企業原有的 PC 端防毒系統進行交叉防護掃瞄

存取控制 (Acess Control)

可結合 WINDOS AD 認證, 忠實的以”使用者”

為索引的存取紀綠 ( 非 IP 為索引 )

管理監控與稽核 (Monitoring & Audit)

可設定各項網路服務 ( 含 IM/P2P)可用頻寬

隔離不當使用網路者

FortiNet 特色 : 一次滿足資安的五大需

中央集中控管 (Central Management)

統一的管理平台與介面 , 全面掌握網路脈動

兼具集中與分散之有效網路安全監控

(7)

完整的異質網路 VPN 解決方案

POS

Credit Card Holder

VoIP Phone

Wan1

Wan2

Corporate Data Center

Media Center

Service Provider A

FortiGate

Service Provider B ADSL

ADSL

FTTB

FTTB

IP-VPN

IP-VPN

HUB/Switch

IPSEC VPN ( Route-Based VPN) (OSPF, RIP /IPSEC VPN) SSL VPN

ADSL

IPSec/SSL VPN

HSPDA

IP-VPN/3.5 G

(8)

System Dashboard

System Information

Licensing and Entitlements

Content and Attack Statistics

Menu

Message Console

(9)

DHCP Server

A DHCP server may be configured on any interface with a static IP address

 Multiple DHCP servers on a single interface

Relay a DHCP request to a remote DHCP server

(10)

CLI

(11)

Alert E-mail

Generates an e-mail upon detection of a message meeting

 a defined severity level or

 event category type

Up to three recipients on specified mail server

Supports SMTP authentication

(12)

Firewall Session Table

View current sessions on the firewall

Filter based on:

 Protocol

 Source IP/Port

 Destination IP/Port

 Firewall Policy ID

Allows session removal

(13)

防火牆運作模式

Transparent mode

1. 介於 router 和 switch 間 , 2. 介於 ATU-R 和 Router 間

無論是 Route/NAT 或是 Transparent 模式 , 通過的封包都會被 Fortigate 進行封包檢查

(14)

NAT( Network Address Translation) 轉址運作原理

Internet

Internal IP Addresses

Public

IP Address(es)

219.22.165.

1 企業網路

192.172.1.1-192.172.1.254

• 將企業內部使用的保留位址轉換為合法位址

隱藏內部主機的真實位址 , 被免遭受攻擊

可以讓企業內部使用更多的主機

(15)

NAT ( Network Address Translation) 轉址運作原理

防火牆 Policy ( 啓動 NAT).

將內部來源 IP 轉址成 FG 外部網路介面 IP, Fortigate 會記錄 NAT 轉址表 .

將內部來源 IP 轉址成 FG 所定義 IP pool 中的 IP, Fortigate 會記錄 NAT 轉址表 .

RFC1918: Indicates Private IP Networks.

Intern et Intern

et 192.168.1.0

.5 .5

Http-Server .1

1.1.1.1 1.1.2.1

SrcIP DstIP Prot SrcPort DstPort Data

192.168.1.5 1.1.2.5 6 12345 80 Get

SrcIP DstIP Prot SrcPort DstPort Data

1.1.1.1 1.1.2.5 6 54321 80 Get

10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

NAT

(16)

Route 路由運作原理

Intern et Intern

et 1.1.3.0

.5 .5

Http-Server .1

1.1.1.1 1.1.2.1

SrcIP DstIP Prot SrcPort DstPort Data

1.1.3.5 1.1.2.5 6 12345 80 Get

SrcIP DstIP Prot SrcPort DstPort Data

1.1.3.5 1.1.2.5 6 12345 80 Get

Route

防火牆 policy ( 不啓動 NAT).

FG 只檢查路由表 , 根據路由表將封包送往所指定的位址 , 而不變 動來源 IP 或來源埠

(17)

Transparent 通透模式運作原理

防火牆 policy

沒有 NAT 或路由 ,FG 單純地檢查經過的封包

Intern et Intern

et 1.1.1.0

.5 .5

Http-Server .1

1.1.1.1 1.1.2.1

SrcIP DstIP Prot SrcPort DstPort Data

1.1.1.5 1.1.2.5 6 12345 80 Get

SrcIP DstIP Prot SrcPort DstPort Data

1.1.1.5 1.1.2.5 6 12345 80 Get

Trans

(18)

Authentication

A User object is a instance of an authentication method

A User Group object is a container for User objects

Identifies group members

Protection Profile and Type provides authorization attributes for members

FortiGate units control access to resources based on group membership

The combination of User Group and Firewall Policy defines the authorization for a particular user

Firewall Policy: VPN (SSL/IPSec/PPTP/L2TP), FWUA (firewall user authentication)

(19)

Authentication – User/Server Types

Local password file

Username and password prompt

RADIUS

Username and password prompt

LDAP / AD

Username and password prompt

FSAE / NTLM (AD)

Single Sign On based on earlier authentication event

PKI

Certificate based authentication

(20)

Authentication – Services

Firewall Policies (Firewall User Authentication)

SSL VPN

IPSec VPN

PPTP and L2TP

Admin login

FortiGuard Web Filtering Override

(21)

Firewall Policies

User Groups linked to Accept Firewall Policies

On successful authentication a temporary rule is created

If no traffic present rule remove after the ‘authtimeout’

Local, RADIUS, LDAP authentication presents user with a login page

On successful authentication the user is redirected to requested site

Windows AD (FSAE and NTLM)

Authentication based on AD Group membership

PKI user authenticated on presentation of a valid certificate

HTTPS (and HTTP with redirect to HTTPS)

(22)

SSL VPN

User Groups are linked to SSL VPN policies

Allows users access to the SSL VPN portal

Creates temporary rules based on SSL VPN firewall policies linked to the User Group

Local, RADIUS, LDAP present user with a login page

On successful authentication user is connected to SSL VPN portal

PKI allows a user to be authenticated on presentation of a valid certificate

Users directly connected to portal, no username or password is required

(23)

IPSec VPN

 Phase 1 objects authenticate remote gateways using a Peer ID, and a pre-share key or certificate

Dynamic IP remote gateways (dial up) configure a Local ID which will be sent in the clear when using aggressive mode

 Xauth is used with Dial Up remote gateways to identify the user using a username and password

Xauth links to a User Group object type firewall

(24)

PPTP and L2TP

FortiOS terminates the PPTP/L2TP connection and assigns authenticated users an address out of the configured address pool

 On successful authentication a temporary rule matching the configured address pool is

created

 Local, RADIUS and LDAP used to authenticate connecting users

(25)

Admin login

Admin account link to a profile defining the users role and VDOM membership

Local and RADIUS

If both are configured the RADIUS object is attempted first and then if no response the Local password is used

RADIUS Accounting packets sent for Admin users

PKI allows a user to be authenticated on presentation of a valid certificate

Users directly connected to the WebUI, no username or password is required

(26)

RADIUS

FortiGate acts as a network access server (NAS)

 User information passed to the RADIUS server

 User authenticated based on the RADIUS servers response

Object identifies the IP address and shared secret of up to two RADIUS servers

RADIUS object can be used for all services supporting authentication

Radius Accounting for Admin users

(27)

LDAP

FortiGate configured as LDAP client for LDAP server or Active Directory

Supports LDAP protocol functionality defined in RFC2251 for looking up and validating user

names and passwords

FortiOS v3.00 supports three LDAP Auth Types:

Simple: provides simple password authentication without search capabilities (default).

Anonymous: binds to the server as an

Anonymous user. It then performs the LDAP search and the secondary bind.

Regular: binds (logs on) to the LDAP server with a user-specified username and password. It then

performs the LDAP search and secondary bind.

(28)

Types of SSL VPN

Web Application mode

 Secured access to a portal interface

 Available via any browser supporting SSL version 2 or 3

Tunnel mode

 Virtual IP assignment (Similar to PPP)

 Uses ActiveX and Java controls

 Host security is based only on firewall policies

(29)

SSL VPN – Configuration

VPN > SSL > Config

(30)

SSL VPN – Configuration

User > User Group

(31)

Thanks

Figure

Updating...

References

Related subjects :