fortigate 防火牆 管理系統 / 應用 主講人: 臺大資工網管室 陳鴻偉 2012/05/15
TRANSCRIPT
Fortigate 防火牆 管理系統 / 應用
主講人: 臺大資工網管室 陳鴻偉 2012/05/15
何謂防火牆 ?
• 防火牆 : 兩個不同網路間的安全閘道 追蹤及控制網路的連線
• 可以對每一個網路連線選擇允許 , 拒絕 ,丟棄 , 加密 , 紀錄等動作
企業網路
“ 允許資料往 Internet”
Internet
“ 拒絕來自 Internet的資料”
當今網路安全威脅已遠超過防火牆的防禦能力
1970 1980 1990 2000
PHYSICAL
CONNECTION-BASED
CONTENT-BASED
Hardware Theft
Intrusions
Viruses
Trojans
Worms
Banned Content
Spam
SPE
ED
, D
AM
AG
E (
$)
Major Pain Points for Organizations of all Types
Lock & KeyFirewall
IDS
Anti- virus
VPN
Content Filter
Anti-spam
FortiGate - A New Generation of Security Platform
Users
Servers
狀態式防火牆 Granular security policies Authentication enforcement Quality of Service Virutal Firewall
防毒 HTTP, FTP, SMTP, POP3, IMAP Signatures, Heuristics, Activity
入侵偵測 / 防禦 Signature, Anomaly, Activity
Inspection
垃圾郵件過濾 Static list, FortiGuard Antispam,
RBL 不當網頁過濾
Static list, FortiGuard Web Filtering 資料加密
IPSec, SSLvpn 流量管理 (QoS)
Guaranteed rate, Max rate, Traffic priority
FortiNet 原生的內容安全 ASIC 加速
入侵偵測防禦 (IPS) 隔離企圖引起網路攻擊事件的使用者
保障企業網路不受異常侵擾
防 毒 (Antivirus) 阻絶企圖經由網路散佈病毒的使用者與企業原有的 PC 端防毒系統進行交叉防護掃瞄
存取控制 (Acess Control) 可結合 WINDOS AD 認證 , 忠實的以”使用者”為索引的存取紀綠 ( 非 IP 為索引 )
管理監控與稽核 (Monitoring & Audit)•可設定各項網路服務 ( 含 IM/P2P) 可用頻寬•隔離不當使用網路者
FortiNet 特色 : 一次滿足資安的五大需求
中央集中控管 (Central Management)• 統一的管理平台與介面 , 全面掌握網路脈動• 兼具集中與分散之有效網路安全監控
完整的異質網路 VPN 解決方案
POS
Credit Card Holder
VoIP Phone
Wan1
Wan2
Corporate Data Center
Media Center
Service Provider A
FortiGate
Service Provider B
ADSL
ADSL
FTTB
FTTB
IP-VPN
IP-VPN
HU
B/S
witc
h
IPSEC VPN ( Route-Based VPN) (OSPF, RIP /IPSEC VPN)SSL VPN
ADSL
IPSec/SSL VPN
HSPDA
IP-VPN/3.5 G
System Dashboard
System Information
Licensing and Entitlements
Content and Attack Statistics
Menu
Message Console
DHCP Server
A DHCP server may be configured on any interface with a static IP address
Multiple DHCP servers on a single interface
Relay a DHCP request to a remote DHCP server
CLI
Alert E-mail
Generates an e-mail upon detection of a message meeting a defined severity levelor event category type
Up to three recipients on specified mail server
Supports SMTP authentication
Firewall Session Table
View current sessions on the firewall
Filter based on: Protocol Source IP/Port Destination IP/Port Firewall Policy ID
Allows session removal
防火牆運作模式
Internet
Switch
Router
ATU-R
企業內部
Transparent mode
1. 介於 router 和 switch 間 , 或2. 介於 ATU-R 和 Router 間
Fortigate firewall
Fortigate firewall
無論是 Route/NAT 或是 Transparent 模式 , 通過的封包都會被 Fortigate 進行封包檢查
NAT( Network Address Translation) 轉址運作原理
Internet
InternalIP Addresses
PublicIP Address(es)
219.22.165.1
企業網路
192.172.1.1-192.172.1.254
• 將企業內部使用的保留位址轉換為合法位址 隱藏內部主機的真實位址 , 被免遭受攻擊 可以讓企業內部使用更多的主機
NAT ( Network Address Translation) 轉址運作原理
• 防火牆 Policy ( 啓動 NAT). 將內部來源 IP 轉址成 FG 外部網路介面 IP, Fortigate 會記錄 NAT 轉址表 . 將內部來源 IP 轉址成 FG 所定義 IP pool 中的 IP, Fortigate 會記錄 NAT
轉址表 . RFC1918: Indicates Private IP Networks.
Internet
Internet
192.168.1.0.5
.5Http-Server
.1
1.1.1.1 1.1.2.1
SrcIP DstIP Prot SrcPort DstPort Data
192.168.1.5 1.1.2.5 6 12345 80 Get
SrcIP DstIP Prot SrcPort DstPort Data
1.1.1.1 1.1.2.5 6 54321 80 Get
10.0.0.0/8172.16.0.0/12192.168.0.0/16
NAT
Route 路由運作原理
Internet
Internet
1.1.3.0.5
.5Http-Server
.1
1.1.1.1 1.1.2.1
SrcIP DstIP Prot SrcPort DstPort Data
1.1.3.5 1.1.2.5 6 12345 80 Get
SrcIP DstIP Prot SrcPort DstPort Data
1.1.3.5 1.1.2.5 6 12345 80 Get
Route
• 防火牆 policy ( 不啓動 NAT). FG 只檢查路由表 , 根據路由表將封包送往所指定的位址 , 而不變
動來源 IP 或來源埠
Transparent 通透模式運作原理
• 防火牆 policy 沒有 NAT 或路由 ,FG 單純地檢查經過的封包
Internet
Internet
1.1.1.0.5
.5Http-Server
.1
1.1.1.1 1.1.2.1
SrcIP DstIP Prot SrcPort DstPort Data
1.1.1.5 1.1.2.5 6 12345 80 Get
SrcIP DstIP Prot SrcPort DstPort Data
1.1.1.5 1.1.2.5 6 12345 80 Get
Trans
Authentication
A User object is a instance of an authentication method
A User Group object is a container for User objects Identifies group members Protection Profile and Type provides authorization
attributes for members
FortiGate units control access to resources based on group membership The combination of User Group and Firewall Policy defines
the authorization for a particular user Firewall Policy: VPN (SSL/IPSec/PPTP/L2TP), FWUA (firewall
user authentication)
Authentication – User/Server Types
Local password file Username and password prompt
RADIUS Username and password prompt
LDAP / AD Username and password prompt
FSAE / NTLM (AD) Single Sign On based on earlier authentication event
PKI Certificate based authentication
Authentication – Services
Firewall Policies (Firewall User Authentication)
SSL VPN IPSec VPN PPTP and L2TP Admin login FortiGuard Web Filtering Override
Firewall Policies
User Groups linked to Accept Firewall Policies On successful authentication a temporary rule is created If no traffic present rule remove after the ‘authtimeout’
Local, RADIUS, LDAP authentication presents user with a login page On successful authentication the user is redirected to
requested site Windows AD (FSAE and NTLM)
Authentication based on AD Group membership PKI user authenticated on presentation of a valid certificate
HTTPS (and HTTP with redirect to HTTPS)
SSL VPN
User Groups are linked to SSL VPN policies Allows users access to the SSL VPN portal Creates temporary rules based on SSL VPN firewall
policies linked to the User Group
Local, RADIUS, LDAP present user with a login page On successful authentication user is connected to SSL
VPN portal
PKI allows a user to be authenticated on presentation of a valid certificate Users directly connected to portal, no username or
password is required
IPSec VPN
Phase 1 objects authenticate remote gateways using a Peer ID, and a pre-share key or certificate Dynamic IP remote gateways (dial up) configure a
Local ID which will be sent in the clear when using aggressive mode
Xauth is used with Dial Up remote gateways to identify the user using a username and password Xauth links to a User Group object type firewall
PPTP and L2TP
FortiOS terminates the PPTP/L2TP connection and assigns authenticated users an address out of the configured address pool On successful authentication a temporary rule
matching the configured address pool is created
Local, RADIUS and LDAP used to authenticate connecting users
Admin login
Admin account link to a profile defining the users role and VDOM membership
Local and RADIUS If both are configured the RADIUS object is attempted first
and then if no response the Local password is used RADIUS Accounting packets sent for Admin users
PKI allows a user to be authenticated on presentation of a valid certificate Users directly connected to the WebUI, no username or
password is required
RADIUS FortiGate acts as a network access server
(NAS) User information passed to the RADIUS server User authenticated based on the RADIUS
servers response
Object identifies the IP address and shared secret of up to two RADIUS servers
RADIUS object can be used for all services supporting authentication
Radius Accounting for Admin users
LDAP
FortiGate configured as LDAP client for LDAP server or Active Directory
Supports LDAP protocol functionality defined in RFC2251 for looking up and validating user names and passwords
FortiOS v3.00 supports three LDAP Auth Types: Simple: provides simple password authentication
without search capabilities (default). Anonymous: binds to the server as an
Anonymous user. It then performs the LDAP search and the secondary bind.
Regular: binds (logs on) to the LDAP server with a user-specified username and password. It then performs the LDAP search and secondary bind.
Types of SSL VPN
Web Application mode Secured access to a portal interface Available via any browser supporting SSL
version 2 or 3
Tunnel mode Virtual IP assignment (Similar to PPP) Uses ActiveX and Java controls Host security is based only on firewall policies
SSL VPN – Configuration
VPN > SSL > Config
SSL VPN – Configuration User > User Group
Thanks