FortiGate Firewall Management System / Applications
Speaker:
NTU CSIE Network Management Office, 陳鴻偉
2012/05/15
What is a firewall?
• Firewall:
A security gateway between two different networks
Tracks and controls network connections
• Can allow, deny, drop, encrypt, log, etc. each individual network connection
Figure: enterprise network connected to the Internet through the firewall, labelled "Allow data towards the Internet" and "Deny data coming from the Internet"
Today's network security threats go far beyond what a firewall alone can defend against
Figure: a 1970-2000 timeline of threats moving from physical (hardware theft) through connection-based (intrusions) to content-based (viruses, trojans, worms, banned content, spam), with speed and damage ($) rising, and the point product that answered each: lock & key, firewall, IDS, anti-virus, VPN, content filter, anti-spam. Major pain points for organizations of all types.
FortiGate - A New Generation of Security Platform
Figure: the FortiGate placed between users and servers
Stateful firewall
Granular security policies
Authentication enforcement
Quality of Service
Virtual Firewall
Antivirus
HTTP, FTP, SMTP, POP3, IMAP
Signatures, Heuristics, Activity
Intrusion detection / prevention
Signature, Anomaly, Activity Inspection
Anti-spam
Static list, FortiGuard Antispam, RBL
Web content filtering
Static list, FortiGuard Web Filtering
Data encryption
IPSec, SSL VPN
Traffic shaping (QoS)
Guaranteed rate, Max rate, Traffic priority
Fortinet's native ASIC acceleration for content security
Fortinet features: meeting the five major security needs at once
Intrusion prevention (IPS)
Isolates users attempting to launch network attacks, protecting the enterprise network from abnormal intrusions
Antivirus
Blocks users attempting to spread viruses across the network
Provides cross-checking scans alongside the enterprise's existing PC-side antivirus
Access Control
Can integrate Windows AD authentication so that access records are faithfully indexed by "user" (not by IP)
Monitoring & Audit
• Configurable bandwidth limits for each network service (including IM/P2P)
• Isolates users who misuse the network
Central Management
• A unified management platform and interface gives a complete view of network activity
• Effective network security monitoring that is both centralized and distributed
A complete VPN solution for heterogeneous networks
Figure: branch sites (POS terminals, credit card holders, VoIP phones) connect over ADSL, FTTB, IP-VPN and HSDPA/3.5G links, through Service Provider A and Service Provider B on Wan1/Wan2, to the FortiGate at the corporate data center and media center; the links carry IPSec VPN (route-based VPN, OSPF/RIP over IPSec), SSL VPN, and IPSec/SSL VPN over IP-VPN/3.5G, with a hub/switch behind the FortiGate
System Dashboard
System Information
Licensing and Entitlements
Content and Attack Statistics
Menu
Message Console
DHCP Server
A DHCP server may be configured on any interface with a static IP address
Multiple DHCP servers on a single interface
Relay a DHCP request to a remote DHCP server (via CLI)
Alert E-mail
Generates an e-mail upon detection of a message meeting a defined severity level or event category type
Up to three recipients on a specified mail server
Supports SMTP authentication
Firewall Session Table
View current sessions on the firewall
Filter based on: Protocol, Source IP/Port, Destination IP/Port, Firewall Policy ID
Allows session removal
Firewall operating modes
Transparent mode
1. Between a router and a switch, or 2. between the ATU-R and the router
Whether in Route/NAT or Transparent mode, every packet passing through is inspected by the FortiGate
How NAT (Network Address Translation) works
Figure: the Internet with public IP address(es) 219.22.165.1 on one side and the enterprise network with internal IP addresses 192.172.1.1-192.172.1.254 on the other
• Translates the reserved addresses used inside the enterprise into legal (public) addresses
Hides the real addresses of internal hosts, so they avoid direct attack
Lets the enterprise run more hosts internally
How NAT (Network Address Translation) works
• Firewall Policy (NAT enabled):
Translates the internal source IP to the IP of the FortiGate's external interface; the FortiGate records the translation in its NAT table.
Or translates the internal source IP to an IP from the defined IP pool; the FortiGate likewise records the NAT table.
RFC1918 indicates the private IP networks: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
Figure: internal network 192.168.1.0 (host .5, FortiGate interface .1), FortiGate external address 1.1.1.1, the Internet, and the HTTP server 1.1.2.5 (gateway 1.1.2.1)
Packet on the internal side, before NAT:
SrcIP        DstIP    Prot  SrcPort  DstPort  Data
192.168.1.5  1.1.2.5  6     12345    80       Get
Packet on the external side, after NAT:
SrcIP    DstIP    Prot  SrcPort  DstPort  Data
1.1.1.1  1.1.2.5  6     54321    80       Get
How Route mode works
Figure: internal network 1.1.3.0 (host .5, FortiGate interface .1), FortiGate external address 1.1.1.1, the Internet, and the HTTP server 1.1.2.5 (gateway 1.1.2.1)
Packet on the internal side:
SrcIP    DstIP    Prot  SrcPort  DstPort  Data
1.1.3.5  1.1.2.5  6     12345    80       Get
Packet on the external side (unchanged):
SrcIP    DstIP    Prot  SrcPort  DstPort  Data
1.1.3.5  1.1.2.5  6     12345    80       Get
• Firewall policy (NAT not enabled): the FortiGate only consults its routing table and forwards the packet to the address the table specifies, without changing the source IP or source port
How Transparent mode works
• Firewall policy: no NAT and no routing; the FortiGate simply inspects the packets passing through it
Figure: host .5 on network 1.1.1.0, the FortiGate in transparent mode, the addresses 1.1.1.1 and 1.1.2.1 across the Internet, and the HTTP server 1.1.2.5
Packet on the internal side:
SrcIP    DstIP    Prot  SrcPort  DstPort  Data
1.1.1.5  1.1.2.5  6     12345    80       Get
Packet on the external side (unchanged):
SrcIP    DstIP    Prot  SrcPort  DstPort  Data
1.1.1.5  1.1.2.5  6     12345    80       Get
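The three forwarding modes above, modelled in Python as an added example that is not part of the slides: the same packet from the slide diagrams goes through a NAT policy (with or without an IP pool), a Route policy and Transparent mode, and the recorded NAT table is used to map the server's reply back to the internal host. The class, its mode names and the port allocation are assumptions made for this illustration; the addresses and the translated port 54321 are the slide's values.

```python
import ipaddress
from dataclasses import dataclass, replace

# RFC1918 private ranges, as listed on the NAT slide.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:  # the header fields shown in the slide's packet tables
    src_ip: str
    dst_ip: str
    proto: int      # 6 = TCP
    src_port: int
    dst_port: int
    data: str

def is_private(ip: str) -> bool:
    """True if ip is a reserved RFC1918 address that needs NAT to reach the Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

class FortiGateModel:  # toy model of one FortiGate with a single outbound policy (assumption)
    def __init__(self, external_ip: str, mode: str, ip_pool=None):
        self.mode = mode            # "nat", "route" or "transparent"
        self.external_ip = external_ip
        self.ip_pool = ip_pool      # optional list of pool IPs used instead of external_ip
        self.nat_table = {}         # (nat_ip, nat_port) -> (orig_ip, orig_port)
        self.next_port = 54321      # first translated source port (the slide's value)

    def forward(self, pkt: Packet) -> Packet:
        """Outbound packet: the source changes only when the policy enables NAT."""
        if self.mode != "nat":
            # Route mode consults the routing table, Transparent mode only
            # inspects; neither touches the source IP or source port.
            return pkt
        nat_ip = self.ip_pool[0] if self.ip_pool else self.external_ip
        nat_port, self.next_port = self.next_port, self.next_port + 1
        self.nat_table[(nat_ip, nat_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=nat_ip, src_port=nat_port)

    def reply(self, pkt: Packet) -> Packet:
        """Inbound reply: the recorded NAT table maps it back to the real host."""
        orig = self.nat_table.get((pkt.dst_ip, pkt.dst_port))
        if self.mode == "nat" and orig:
            return replace(pkt, dst_ip=orig[0], dst_port=orig[1])
        return pkt

# Constructed from the NAT slide's diagram: internal host 192.168.1.5 -> HTTP server.
SAMPLE = Packet("192.168.1.5", "1.1.2.5", 6, 12345, 80, "Get")
```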
Authentication
A User object is an instance of an authentication method
A User Group object is a container for User objects
Identifies group members
Protection Profile and Type provide authorization attributes for members
FortiGate units control access to resources based on group membership
The combination of User Group and Firewall Policy defines the authorization for a particular user
Firewall Policy: VPN (SSL/IPSec/PPTP/L2TP), FWUA (firewall user authentication)
Authentication – User/Server Types
Local password file
Username and password prompt
RADIUS
Username and password prompt
LDAP / AD
Username and password prompt
FSAE / NTLM (AD)
Single Sign On based on earlier authentication event
PKI
Certificate based authentication
Authentication – Services
Firewall Policies (Firewall User Authentication)
SSL VPN
IPSec VPN
PPTP and L2TP
Admin login
FortiGuard Web Filtering Override
Firewall Policies
User Groups linked to Accept Firewall Policies
On successful authentication a temporary rule is created
If no traffic is present the rule is removed after the 'authtimeout'
Local, RADIUS, LDAP authentication presents user with a login page
On successful authentication the user is redirected to requested site
Windows AD (FSAE and NTLM)
Authentication based on AD Group membership
PKI user authenticated on presentation of a valid certificate
HTTPS (and HTTP with redirect to HTTPS)
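The firewall user authentication flow just described, and the "User Group plus Firewall Policy defines the authorization" rule from the Authentication slide, modelled in Python as an added example that is not part of the slides: a login against a local password file creates a temporary rule for the source IP only if the user belongs to a group linked to the policy, matching traffic refreshes the rule, and the rule disappears once it has been idle longer than authtimeout. The class, the user names, passwords, policy id and the 300 second timeout are constructed for this illustration.

```python
import hmac

class FwuaModel:  # toy model of firewall user authentication (assumption, not FortiOS code)
    def __init__(self, local_users, policies, authtimeout=300):
        # local_users: username -> (password, set of user groups); the "Local password file" type
        # policies:    accept policy id -> set of user groups linked to it
        self.local_users = local_users
        self.policies = policies
        self.authtimeout = authtimeout  # idle seconds before a temporary rule is removed
        self.temp_rules = {}            # (src_ip, policy_id) -> time of last matching traffic

    def login(self, src_ip, user, password, policy_id, now):
        """Login page submission: verify the credentials, then create the temporary
        rule only if the user is in a group linked to this policy."""
        entry = self.local_users.get(user)
        if entry is None or not hmac.compare_digest(entry[0], password):
            return False
        if not (entry[1] & self.policies.get(policy_id, set())):
            return False    # authenticated, but not authorized for this policy
        self.temp_rules[(src_ip, policy_id)] = now
        return True

    def permit(self, src_ip, policy_id, now):
        """A packet matching the policy is allowed only while a live temporary
        rule exists for its source; each allowed packet refreshes the idle timer."""
        self.expire(now)
        key = (src_ip, policy_id)
        if key not in self.temp_rules:
            return False    # no rule: this source would be sent to the login page
        self.temp_rules[key] = now
        return True

    def expire(self, now):
        """Remove temporary rules that have seen no traffic for authtimeout seconds."""
        for key, last in list(self.temp_rules.items()):
            if now - last > self.authtimeout:
                del self.temp_rules[key]
```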
SSL VPN
User Groups are linked to SSL VPN policies
Allows users access to the SSL VPN portal
Creates temporary rules based on SSL VPN firewall policies linked to the User Group
Local, RADIUS, LDAP present user with a login page
On successful authentication user is connected to SSL VPN portal
PKI allows a user to be authenticated on presentation of a valid certificate
Users directly connected to portal, no username or password is required
IPSec VPN
Phase 1 objects authenticate remote gateways using a Peer ID and a pre-shared key or certificate
Dynamic IP remote gateways (dial-up) configure a Local ID, which is sent in the clear when aggressive mode is used
Xauth is used with dial-up remote gateways to identify the user by username and password
Xauth links to a User Group object of type firewall
PPTP and L2TP
FortiOS terminates the PPTP/L2TP connection and assigns authenticated users an address out of the configured address pool
On successful authentication a temporary rule matching the configured address pool is created
Local, RADIUS and LDAP used to authenticate connecting users
Admin login
Admin accounts link to a profile defining the user's role and VDOM membership
Local and RADIUS
If both are configured the RADIUS object is attempted first and then if no response the Local password is used
RADIUS Accounting packets sent for Admin users
PKI allows a user to be authenticated on presentation of a valid certificate
Users directly connected to the WebUI, no username or password is required
RADIUS
FortiGate acts as a network access server (NAS)
User information is passed to the RADIUS server
User authenticated based on the RADIUS servers response
Object identifies the IP address and shared secret of up to two RADIUS servers
RADIUS object can be used for all services supporting authentication
RADIUS Accounting for Admin users
LDAP
FortiGate configured as LDAP client for LDAP server or Active Directory
Supports LDAP protocol functionality defined in RFC2251 for looking up and validating usernames and passwords
FortiOS v3.00 supports three LDAP Auth Types:
Simple: provides simple password authentication without search capabilities (default).
Anonymous: binds to the server as an anonymous user, then performs the LDAP search and the secondary bind.
Regular: binds (logs on) to the LDAP server with a user-specified username and password, then performs the LDAP search and the secondary bind.
Types of SSL VPN
Web Application mode: secured access to a portal interface
Available via any browser supporting SSL version 2 or 3
Tunnel mode: virtual IP assignment (similar to PPP)
Uses ActiveX and Java controls
Host security is based only on firewall policies