
UTM security with Fortinet : Mastering FortiOS PDF

485 Pages·2013·15.565 MB·English

Preview UTM security with Fortinet : Mastering FortiOS

UTM Security with Fortinet®
Mastering FortiOS

Kenneth Tam
Martín H. Hoz Salvador
Ken McAlpine
Rick Basile
Bruce Matsugu
Josh More

AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Syngress is an Imprint of Elsevier

Acquiring Editor: Steve Elliot
Project Manager: Mohanambal Natarajan
Designer: Joanne Blank

Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA

Copyright © 2013 Elsevier, Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices, may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data
Application submitted

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

ISBN: 978-1-59749-747-3

Printed in the United States of America
13 14 15 16 17 10 9 8 7 6 5 4 3 2 1

For information on all Syngress publications visit our website at www.syngress.com

The statements made herein are not statements made by Fortinet and cannot be construed as a warranty, guarantee, or commitment on behalf of Fortinet. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all representations, warranties, or guarantees whatsoever, whether express or implied. Nothing herein shall be considered a waiver by Fortinet of any rights and Fortinet reserves all rights.

Dedications

Kenneth Tam would like to dedicate his work on this book to his wife Lorna for her patience and support throughout this project. Along with his kids Jessica, Brandon, Ethan, and Sophia for the everyday inspiration that gets him through those stressful days and time away on business trips throughout his career.
Martin would like to dedicate his work on this book to his mother Micaela and grandma Guadalupe for the values, education and life example received from both, to his wife Diana for the understanding and support especially while working at nights and weekends on this project, to his daughter Isabella for the inspiration, and to his brothers in arms (the Fortinet Latin American team) for making work a pleasure that he enjoys every day. In-memoriam: Wolfgang Gonzalez.

Bruce would like to dedicate his work on this book to M, R and Y, and to the early inhabitants of the Fortiverse.

Rick would like to dedicate his contributions on this book to his wife Lizette for all the sacrifices she has made over the years supporting his career and to his children who he hopes will learn from his successes and his failures.

Contents

Dedications
Acknowledgements
About the Author
Foreword
Preface

SECTION I GENERAL INTRODUCTIONS

CHAPTER 1 Introduction to UTM (Unified Threat Management)
  Introduction
  Internet and Security
  Basic Network Security Concepts
  Unified Threat Management (UTM) Foundations
  The World before UTM
  The History of the Unified Threat Management (UTM) Concept
  UTM vs Other Security Architectures
  Solving Problems with UTM
  Better Security
  More Efficient Security
  Enhancing Operational Response Times (Meeting and Enhancing SLAs)
  Getting a better Support Experience
  Cost Effectiveness
  Current UTM Market Landscape
  UTM a-lá Fortinet
  Other Vendors
  Evolution and Future of UTM

CHAPTER 2 FortiGate Hardware Overview
  FortiGate Hardware Overview
  The Fortinet Way
  Evolution of FortiGate
  Current FortiGate Solutions
  Virtualized Appliances
  FortiGate Custom Hardware Accelerations Overview
  Features of the Last Four Generations of Content Processor (CP) ASIC Functionalities
  Features of the Network Processor (NP) ASIC Functionalities
  FortiGate Hardware Accelerations Behaviors
  The ‘Black Art’ of FortiGate Sizing
  Sizing Data Gathering
  Assessing the Recommended FortiGate Solution
  Centralized Management Platform Overview
  Fortinet Product Portfolio
  FortiGuard
  FortiCarrier
  FortiBridge
  FortiAP
  FortiToken
  FortiAuthenticator
  FortiMail
  FortiWeb
  FortiScan
  FortiDB
  FortiBalancer
  FortiClient
  References

CHAPTER 3 FortiOS Introduction
  FortiOS Architecture
  Multiple Image Support
  Firmware Image Versions
  FortiOS Operational Modes
  Packet Flow Handling
  WebUI Management Interface
  CLI Management Interface
  System Options
  Recommended Configuration Options
  Dealing with Administrative Operations
  Enabling VDOMS

SECTION II UTM TECHNOLOGIES EXPLAINED

CHAPTER 4 Connectivity and Networking Technologies
  Operating Modes
  Layer 2 (Transparent)
  Layer 3 (NAT/Route)
  Connectivity
  Dynamically Addressed Interfaces
  VLAN Interfaces
  802.3AD
  Redundant Interfaces
  Wireless
  Modems
  IPv6 Interfaces
  Routing
  Static Routing
  Policy-Based Routing
  Dynamic Routing
  Servicing users
  DHCP
  DNS Server
  Virtual Domains (VDOM)
  High Availability

CHAPTER 5 Base Network Security
  Firewall
  Interface-Based Rules
  Building Blocks of a Rule
  Multicast Rules
  IPv6 Rules
  Local-In Firewall Rules
  Miscellaneous Firewall Settings
  Identity-Based Authentication
  VPN
  Traffic Shaping
  SSL Inspection
  Two-Factor User Authentication
  Load-Balancing Capabilities

CHAPTER 6 Application Security
  FortiGuard
  Introduction to FortiGuard
  FortiGuard Licensing
  Configuring FortiGuard on the FortiGate
  Doing UTM Analysis: Concepts
  Troubleshooting the FortiGuard Distribution Network (FDN) Connectivity
