Routing Decisions

Network connectivity from remote sites to HQ_LAN will rely on an IPSec gateway-to-gateway tunnel. You should use an Interface-based IPSec VPN for this as they provide a robust way to scale VPN configuration, access control, and routing capabilities. See Chapter 5 for more information on Interface vs. Policy-based IPSec VPN.

An interface-based IPSec VPN can make routing decisions for both static and dynamic protocols. Generally speaking, unless static routes are unmanageable in your environment (usually due to sheer number of routes), the administrative simplicity of static routing is preferable.

Whether static or dynamic routes are used, you should review the maximum values of your model of FortiGate. As smaller devices support fewer routes, the number of potential remote devices and networks will identify the devices you require. This type of an assessment is part of the sizing requirements covered in Chapter 3. Consider the following:

Access Controls

Tuning the firewall rules requires an understanding of both the network communication and the organization’s security policy. In an enterprise environment, it is common to tune firewalls at layers 3 and 4, but complexity could arise at other layers. A common problem involves the use of application controls, as many network administrators are not application experts. If you are in this situation, it may help to apply the access control discovery process to application control. Typically, you can leave open access but enable logging so applications can be discovered. This is best done by using FortiOS to define rules up to layer 4, so everything can be locked down to the application layer and then tightened as the discovery process allows. Leveraging the FortiAnalyzer to provide historical logging and data mining capabilities, application reports can be generated to help identify which applications are and are not required.

In our example environment, distributed retail processing involves credit card information being transmitted over the network. It is critical to control traffic into and from these cardholder data environments. Firewall rules affecting this traffic require explicit definition of the allowed source, destination, and service. All unspecified traffic would be blocked. Isolating the cardholder data onto its own network segment can help reduce the PCI scope, but is not technically required. For example, if all POS systems are connected to a dedicated subnet and do not mix with other systems, they can be isolated onto their own VLAN or physical connection.

Since FortiOS can define firewall rules based on the direction of VLAN communication, it can be used to manage critical compliance requirements. Since, in this example, there is a need for POS credit card information and data network communication to occur between remote FortiGates and corporate headquarters, the POS traffic must be segregated from other traffic via dedicated IPSec VPN tunnels. When used with interface-based IPSec tunnels, the routing decisions and access controls can be easily configured and controlled based on the direction of flow between tunnel interfaces.

In addition to our example, other types of network segmentation are seen in enterprise and retail environments. These vary from multiple network paths to the use of non-conventional devices with built-in IP stacks. The network communication flows, however, some network access and security protection will be required. Figure 11.2 shows various network devices that can be segmented onto dedicated physical, logical (VLAN or wireless), or VDOMs for further access controls and UTM security protection.

Examples of segmentation access control includes:

The examples provided are not complete, as technology evolves, segmentation access controls will also continue to evolve.

Authentication

Authentication can be considered as another layer defense. In the example environment, remote VPN user authentication would provide an excellent additional protection. This way, if an employee were to leave the company, their login credentials could be easily removed from the supported authentication servers (local database, TACACS+, RADIUS, LDAP, and FortiToken) used for the remote VPN authentication. Without a VPN authentication infrastructure, maintaining users’ VPN access could be unmanageably complex.

Implementation of remote IPSec VPN users’ authentication can be accomplished with the XAuth (Extended Authentication) feature covered in Chapter 5. For remote users using the SSL VPN, the authentication mechanism is built into the web browser or the standalone tunnel application.

For the retail distributed environment that must conform to PCI-DSS, two-factor authentication is required for remote VPN users to access the data network. Two-factor authentication is possible with IPSec VPN using XAuth and the FortiToken solution.

Additionally, PCI requires that administrators follow specific password requirements to access the FortiGate. These include a minimum password length of at least seven characters, passwords that contain both numeric and alphabetic characters, and a password change enforced every 90 days (http://docs.fortinet.com/fgt/handbook/40mr3/fortigate-compliance-40-mr3.pdf).

Splash screen and web page redirects are optional and can be applied during authentication. A splash screen could consist of a list of terms and conditions with acceptance as shown in Figure 11.3. If an end-user does not accept the disclaimer then they will be denied access to the network.

When the wireless feature is used with the FortiGate, a captive portal can be enabled for each SSID, which can provide both terms and conditions and enforce authentication. Figure 11.4 displays an example of a captive portal session.

Web page redirects can be configured so users’ browsers default to the company website instead of the locally defined home page. Web page redirects can be configured without authentication, after accepting disclaimer, or after authentication.

Applying UTM Security Profiles

Consider the differences between the UTM profiles defined in the remote site policy definitions for Remote_LAN to HQ_VPN vs. Remote_LAN to Internet. There is no web filtering profile defined on the rule “to HQ_VPN”. The reason there is no need for a web filtering profile on the “to HQ_VPN” rule is, when Remote_LAN accesses only a handful of company web servers, there is no need to perform this function. Having the web filtering profile on the Remote_LAN to Internet policy makes more sense since there are many web site accesses that need to be controlled and monitored.

Also, consider Anti-virus profiles. Anti-virus inspection is supported for web, email, ftp, nntp, and some IM protocols. Therefore, there is no reason to inspect traffic that does not include these protocols. Additionally, if the Anti-virus services are used in the policy, there are times when virus inspection is not necessary, such as the Remote_LAN to HQ_VPN route.

As noted in the Network Topology infrastructure and communication requirements, Remote_LAN communicates to intranet web servers but only via HTTP/S GETs and POSTs. Now, when the intranet site is used as a file repository, using an Anti-virus profile would be wise. Furthermore, with this same policy, email traffic is expected, but since the company is using a dedicated solution (FortiMail) for Anti-spam/Anti-virus of their email, additional inspection on the FortiGate would be redundant. In scenarios where a third-party Anti-spam solution is used at headquarters, it may make sense to enable Anti-virus inspection and Anti-spam on email protocols to provide a second layer of email security which leverages different Anti-virus and Anti-spam databases.