1 / 31

Fortigate 防火牆 管理系統 / 應用

Fortigate 防火牆 管理系統 / 應用. 主講人: 臺大資工網管室 陳鴻偉 2012/05/15. 何謂防火牆 ?. Internet. “允許資料往 Internet”. “拒絕來自 Internet 的資料”. 防火牆 : 兩個不同網路間的安全閘道 追蹤及控制網路的連線 可以對每一個網路連線選擇 允許 , 拒絕 , 丟棄 , 加密 , 紀錄 等動作. 企業網路. CONTENT-BASED. CONNECTION-BASED. Major Pain Points for Organizations of all Types. PHYSICAL.

badru
Download Presentation

Fortigate 防火牆 管理系統 / 應用

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Fortigate防火牆 管理系統/應用 • 主講人: • 臺大資工網管室 陳鴻偉 • 2012/05/15

  2. 何謂防火牆? Internet “允許資料往Internet” “拒絕來自Internet 的資料” • 防火牆 : • 兩個不同網路間的安全閘道 • 追蹤及控制網路的連線 • 可以對每一個網路連線選擇允許,拒絕,丟棄,加密,紀錄等動作 企業網路

  3. CONTENT-BASED CONNECTION-BASED Major Pain Points for Organizations of all Types PHYSICAL 當今網路安全威脅已遠超過防火牆的防禦能力 Anti-spam Spam Banned Content Content Filter Worms Anti- virus Trojans SPEED, DAMAGE ($) Viruses IDS VPN Intrusions Firewall Lock & Key Hardware Theft 1970 2000 1990 1980

  4. 狀態式防火牆 Granular security policies Authentication enforcement Quality of Service Virutal Firewall 防毒 HTTP, FTP, SMTP, POP3, IMAP Signatures, Heuristics, Activity 入侵偵測/防禦 Signature, Anomaly, Activity Inspection 垃圾郵件過濾 Static list, FortiGuard Antispam, RBL 不當網頁過濾 Static list, FortiGuard Web Filtering 資料加密 IPSec, SSLvpn 流量管理 (QoS) Guaranteed rate, Max rate, Traffic priority FortiGate - A New Generation of Security Platform Servers Users

  5. FortiNet 原生的內容安全ASIC加速

  6. FortiNet特色:一次滿足資安的五大需求 • 入侵偵測防禦(IPS) • 隔離企圖引起網路攻擊事件的使用者 • 保障企業網路不受異常侵擾 防 毒(Antivirus) 阻絶企圖經由網路散佈病毒的使用者 與企業原有的PC端防毒系統進行交叉防護掃瞄 存取控制 (Acess Control) 可結合WINDOS AD 認證, 忠實的以”使用者”為索引的存取紀綠 (非IP為索引) • 管理監控與稽核(Monitoring & Audit) • 可設定各項網路服務(含IM/P2P)可用頻寬 • 隔離不當使用網路者 • 中央集中控管(Central Management) • 統一的管理平台與介面,全面掌握網路脈動 • 兼具集中與分散之有效網路安全監控

  7. 完整的異質網路 VPN 解決方案 IPSEC VPN ( Route-Based VPN) (OSPF, RIP /IPSEC VPN) SSL VPN Service Provider A IP-VPN POS Corporate Data Center ADSL FortiGate Wan1 FTTB HUB/Switch Credit Card Holder Wan2 HSPDA ADSL Service Provider B FTTB Media Center IP-VPN IP-VPN/3.5 G ADSL VoIP Phone IPSec/SSL VPN

  8. System Dashboard System Information Message Console Licensing and Entitlements Menu Content and Attack Statistics

  9. DHCP Server • A DHCP server may be configured on any interface with a static IP address • Multiple DHCP servers on a single interface • Relay a DHCP request to a remote DHCP server

  10. CLI

  11. Alert E-mail • Generates an e-mail upon detection of a message meeting • a defined severity level or • event category type • Up to three recipients on specified mail server • Supports SMTP authentication

  12. Firewall Session Table • View current sessions on the firewall • Filter based on: • Protocol • Source IP/Port • Destination IP/Port • Firewall Policy ID • Allows session removal

  13. 防火牆運作模式 Transparent mode 1. 介於router和switch間, 或 2. 介於ATU-R和Router間 無論是Route/NAT或是Transparent 模式, 通過的封包都會被Fortigate進行封包檢查

  14. NAT( Network Address Translation) 轉址運作原理 192.172.1.1-192.172.1.254 219.22.165.1 PublicIP Address(es) InternalIP Addresses Internet 企業網路 • 將企業內部使用的保留位址轉換為合法位址 • 隱藏內部主機的真實位址,被免遭受攻擊 • 可以讓企業內部使用更多的主機

  15. NAT ( Network Address Translation) 轉址運作原理 Internet 1.1.2.1 1.1.1.1 NAT .1 .5 Http-Server .5 192.168.1.0 • 防火牆Policy (啓動NAT). • 將內部來源IP轉址成FG外部網路介面IP, Fortigate會記錄NAT 轉址表. • 將內部來源IP轉址成FG所定義IP pool中的IP, Fortigate會記錄NAT轉址表. • RFC1918: Indicates Private IP Networks. 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

  16. Route 路由運作原理 Internet 1.1.2.1 1.1.1.1 Route .1 .5 Http-Server .5 1.1.3.0 • 防火牆policy (不啓動NAT). • FG只檢查路由表,根據路由表將封包送往所指定的位址,而不變動來源IP或來源埠

  17. Transparent 通透模式運作原理 Internet 1.1.2.1 1.1.1.1 Trans .1 .5 Http-Server .5 1.1.1.0 • 防火牆policy • 沒有NAT或路由,FG單純地檢查經過的封包

  18. Authentication • A User object is a instance of an authentication method • A User Group object is a container for User objects • Identifies group members • Protection Profile and Type provides authorization attributes for members • FortiGate units control access to resources based on group membership • The combination of User Group and Firewall Policy defines the authorization for a particular user • Firewall Policy: VPN (SSL/IPSec/PPTP/L2TP), FWUA (firewall user authentication)

  19. Authentication – User/Server Types • Local password file • Username and password prompt • RADIUS • Username and password prompt • LDAP / AD • Username and password prompt • FSAE / NTLM (AD) • Single Sign On based on earlier authentication event • PKI • Certificate based authentication

  20. Authentication – Services • Firewall Policies (Firewall User Authentication) • SSL VPN • IPSec VPN • PPTP and L2TP • Admin login • FortiGuard Web Filtering Override

  21. Firewall Policies • User Groups linked to Accept Firewall Policies • On successful authentication a temporary rule is created • If no traffic present rule remove after the ‘authtimeout’ • Local, RADIUS, LDAP authentication presents user with a login page • On successful authentication the user is redirected to requested site • Windows AD (FSAE and NTLM) • Authentication based on AD Group membership • PKI user authenticated on presentation of a valid certificate • HTTPS (and HTTP with redirect to HTTPS)

  22. SSL VPN • User Groups are linked to SSL VPN policies • Allows users access to the SSL VPN portal • Creates temporary rules based on SSL VPN firewall policies linked to the User Group • Local, RADIUS, LDAP present user with a login page • On successful authentication user is connected to SSL VPN portal • PKI allows a user to be authenticated on presentation of a valid certificate • Users directly connected to portal, no username or password is required

  23. IPSec VPN • Phase 1 objects authenticate remote gateways using a Peer ID, and a pre-share key or certificate • Dynamic IP remote gateways (dial up) configure a Local ID which will be sent in the clear when using aggressive mode • Xauth is used with Dial Up remote gateways to identify the user using a username and password • Xauth links to a User Group object type firewall

  24. PPTP and L2TP • FortiOS terminates the PPTP/L2TP connection and assigns authenticated users an address out of the configured address pool • On successful authentication a temporary rule matching the configured address pool is created • Local, RADIUS and LDAP used to authenticate connecting users

  25. Admin login • Admin account link to a profile defining the users role and VDOM membership • Local and RADIUS • If both are configured the RADIUS object is attempted first and then if no response the Local password is used • RADIUS Accounting packets sent for Admin users • PKI allows a user to be authenticated on presentation of a valid certificate • Users directly connected to the WebUI, no username or password is required

  26. RADIUS • FortiGate acts as a network access server (NAS) • User information passed to the RADIUS server • User authenticated based on the RADIUS servers response • Object identifies the IP address and shared secret of up to two RADIUS servers • RADIUS object can be used for all services supporting authentication • Radius Accounting for Admin users

  27. LDAP • FortiGate configured as LDAP client for LDAP server or Active Directory • Supports LDAP protocol functionality defined in RFC2251 for looking up and validating user names and passwords • FortiOS v3.00 supports three LDAP Auth Types: • Simple: provides simple password authentication without search capabilities (default). • Anonymous: binds to the server as an Anonymous user. It then performs the LDAP search and the secondary bind. • Regular: binds (logs on) to the LDAP server with a user-specified username and password. It then performs the LDAP search and secondary bind.

  28. Types of SSL VPN • Web Application mode • Secured access to a portal interface • Available via any browser supporting SSL version 2 or 3 • Tunnel mode • Virtual IP assignment (Similar to PPP) • Uses ActiveX and Java controls • Host security is based only on firewall policies

  29. SSL VPN – Configuration • VPN > SSL > Config

  30. SSL VPN – Configuration • User > User Group

  31. Thanks

More Related