Fortigate worthy changeover to leaving Microsoft Forefront T...

Transcription

1 Sysmagazine geek daily blog Home (/) Categories (/categories/) Companies (/companies/) Contact us (/contact/) Fortigate worthy changeover to leaving Microsoft Forefront TMG MUK (/companies/muk/) Network technologies (/categories/network_technologies/) 9 months, 2 weeks ago For all for a long time already not a secret that the Microsoft company declared termination of the further development of product Forefront TMG ( Thus, the product became inaccessible to acquisition since December, 1st, 2012, its main support will be stopped after April, 14th, 2015, and the expanded support ends on April, 14th, Remained in the help Forefront Unified Access Gateway (UAG) for the publication of web resources such as: MS Exchange, SharePoint, Lync etc., does not provide the safety features given earlier by means of TMG that is represented in the small comparative table of functions: And time came talk about necessary safety features, we mark short out, with what of them TMG was capable to make happy us, users: The internetwork shield; Web proxy; Reverse proxy for the publication of internal resources; Web and an -filtration; Protection against a harmful/spying software; 1 von :26

2 System of preventing of irruptions (IPS); SSL-traffic inspection; Loading equalization; Remote access of users and functional VPN, as a client - server (client-to-site), and between platforms (siteto-site). Thus, before users TMG sooner or later (proceeding from the insonified finite dates of a support) the question on a choice and the subsequent migration on analogous products of indirect vendors appears. So, some of the companies (Sophos, Citrix, Cyberoam, WatchGuards, Kemp, etc.) already began the operating periods (I think, such tautology would be pertinent) on the active advancing of programm and-or apparatus solutions and give full-function alternative smoothly and inevitably leaving notorious TMG. It proves to be true presence in a network of advertizing flyers, actions and other marketing materials in a type ²TMG Replacement Guide, ² {Vendorname} VS. TMG Comparsion etc. The Fortinet company went by same means, as remaining vendory and for today also offers the ² Microsoft TMG Replacement on the basis of a leader of a ruler of own products of network safety FortiGate. As itself TMG (Threat Management Gateway) it was positioned as the solution of unitized control by threats that and to search to it for changeover logically just from among UTM. Therefore, glancing in Kvadrat Gartnera: ( ²magicheski the Fortinet in leadership among UTM-decisions is visible here, and this leadership is already enough long-time almost 6 last years. So, we get down to detailed reviewing of provided functions offered ²alternativnym the solution capable, by words vendora, to render equivalent changeover to our subject. Actually, a Fortinet sentence is migration on FortiGate the following list of functions: Here, first of all, it would be desirable to tell that for the large factories in the presence of a difficult network infrastructure, it is recommended to divide the tasks and to use separate uzkonapravlennye solutions. The Fortinet, in particular, can offer implementation such partite and purposeful, but, at the same time floppy and easily scalable approach by means of rulers of the equipment of Fortinet: FortiWeb Web Application Firewall, the solution for protection of web resources and applications (including implementation Reverse Proxy with the protected publication of web resources); FortiMail, complex antispam-decision for mail protection; FortiBalancer, FortiADC, Coyote Point Equalizer all rulers balansirovshchikov loading and control units of delivery of applications. For support of the full series of measures on the network safety, all is better for adding it and switching-on in an 2 von :26

3 infrastructure most FortiGate, however, the small and average factories can manage only services of this solution in apparatus, or the virtual modification. So, what provides FortiGate in a section analogous with TMG functions? In turn them we will consider through a prism of changeover TMG, and at the same time and in a general way we familiarize with abilities FortiGate. the Internetwork shield The internetwork shield the beginning of the beginnings of a filtering of undesirable connections from the outside, from the Internet in a corporate network. At the same time, it is necessary to keep account, control and demarcation of access of users from within networks to exterior resources. Therefore, besides a package filtering, translation of addresses and ports, a support of deep inspection of packets with check on a fitting to the existing joint (Stateful/Deep Packet Inspection), FortiGate it first of all a platform of complex protection of a network, under control of a uniform operating system FortiOS with a totality of intrinsic functions of safety, such as: an antivirus, antispam, control of applications, system of preventing of irruption, a web filtering, preventing of leak of the data and other. At all wide dial-up of functionality, the standard policy for web access of users from an internal network in the Internet, created in web interface FortiGate, will look so: the Web proxy One of the oldest and most used functions TMG for provision of access of users to the Internet without additional authentification. 3 von :26

4 In FortiGate there is a function ²Explicit web proxy for transmission through a proxy of sessions on HTTP (HTTPS) and FTP, plus a support of an auto-configuration by means of a PAC-file. Also, thanking completely integrated in FortiGate functions Single Sign-On (SSO), possibility to interact with the domain control unit (an Active Directory, Novell edirectory) is accessible and to control access autentifitsirovannyh users, applying to certain groups of the domain the necessary rights and possibilities. In addition to it, functions of virus protection, irruption preventing can be included in such security policies, a web filtering and control of applications. Web proxy switching-on is carried out on demanded (th) interface () ( ²port1 in the upper picture) and creation of an allowing policy (in a picture from below): 4 von :26

5 5 von :26

6 Implementation Single Sign-On can be carried out in several ways: 1. Using the special program-agent on the domain control unit ( DC Agent ) DC Agent a programm component in the form of separate service of tracking loggings in of the users, installed on the domain control unit. It interacts with FortiGate not directly, and through a collecting channel-agent (Collector Agent). Collector Agent it is installed on any server or, besides, on the domain control unit. The agent gains the information on loggings in of users and exchanges it with FortiGate. The amount of the installed agents can be more than one for fail safety. 2. Inquiry Collector Agent а Such method also provides setting of an additional software in the form of Collector Agent, but on the control unit of the domain it is not necessary to install service DC Agent. Collector Agent it is possible to install in any place of a network (it is desirable on any of Windows-servers) and then it can interrogate the domain control unit about events of authentification of users (²logonah ). Inquiry mechanisms are carried out by means of Windows NetAPI or Security event log. 6 von :26

7 3. Inquiry directly with FortGate Since FortiOS versions 5, the inquiry mechanism logonov from the domain control unit has been completely built in in FortGate. Thus, for inquiry it is used only Security event log, and the method of usage is positioned as for small network infrastructures, there where there is no possibility to install Collector Agent on network ambit. However, thus, it is not necessary to forget that FortGate if relieves you of superfluous efforts with software setting that takes loading on storage in storage of structure of the domain and inquiry logonov users on itself. 4. NTLM-autentifikatsija Authentification usage on NTLM, demands for an exchange with FortGate installed Collector Agent on network ambit. At request of the URL-address in the browser of the user, FortGate requests its blast-furnace registration data (login/password), gains them through the browser, checks at Collector Agent a fitting of the user to groups of the domain and gives access to resources according to the group security policy. 7 von :26

8 5. Terminal servers Users who gain access to corporate resources through terminal servers of Microsoft or Citrix, have one general address or a pool instead of own IP address. For application to such users of security policies by means of SSO, the Fortinet have a next programm component Terminal Server Agent (TS Agent), installed on the most terminal server. It selects the given range of ports for each user and exchanges this information with Collector Agent which, in turn knows about a fitting of the user to the blast-furnace groups, and to what groups to give what dial-up of resources and what to apply knows a policy FortiGate. The agent so looks: 8 von :26

9 In completion of the description of implementation SSO it would be desirable to mark also that the vendor is aimed to functionality development even in the most low models UTM. In acknowledging to it, in 2012 the output of cardinally worked overtime version of OS FortiOS 5 from among which developments there was also support Terminal Server Agent, and more correct operation SSO as a whole, with its above described abundance of variations of application and an auxiliary software has been announced. Though check, though muster, and taking the last versions of a software: Collector Agent, DC Agent, TS Agent in a combination with FortiGate on version FortiOS and above all will work like clock-work. And if it will be interesting to comprehend tajnosti SSO and we will be entrained in details about it ²pesat ischo since this subject deserves separate paper. Passing to a part of application of security policies, we look, as it will look on FortiGate at successfully tuned programm components SSO: 9 von :26

10 The applied rule for access of specific group or the user looks so: More differentiated politicians with assemblage of different blast-furnace groups give more possibilities for control of access of users to network resources. 10 von :26

11 Publication OWA/SharePoint The main aspects of a question of the publication of web resources Outlook Web Access or SharePoint is the following: Translation of an exterior IP address; the Exchange of certificates with users from the outside. To begin with we need to import the certificate, it becomes so: From the necessary menu simply select the certificate and push APPRX. Further, for adjustment reverse-proxy it is necessary to adjust loading equalization. We create for this purpose the virtual server: 11 von :26

12 For the virtual server it is necessary to define the real server: Final stage, we create a security policy where we allow the traffic from the outside: 12 von :26

13 The entering interface (Incoming Interface) in that case will be exterior, the start address (Source Address) will be ²all, and the assignment address (Destination Address) just created virtual server. In the capacity of service, we pass HTTPS since the exchange of the traffic will happen only on HTTPS, and bolshego and it is not necessary to us. As well as in a normal proxy, there is a possibility to expand a safety feature, including in a policy profiles: Virus protection; Systems of preventing of irruption (IPS); Control of applications (here we can restrict or trace that except the necessary application others are not used); URL-filtrations. SSL-traffic Inspection One more important function at migration with TMG this inspection of the SSL-traffic. Turnes on as simplis as well as remaining safety features preadjusted by a profile in the politician. 13 von :26

14 As the exchange of certificates is pellucid for the ultimate user in a network, it is possible to use standard built in from vendora and if the internal server will have own self-signed certificate it is possible to include simply ²Allow invalid SSL Certificates, after all they will be perceived as incorrect since do not figure in the list entrusted Certificate Authority (CA). In a section of the publication of web resources on FortiGate, inspection adjustment refers to only to published application and will not touch the remaining traffic, however SSL-inspection function can be used and for more detailed control of the SSL-traffic of ultimate users in corporate security policies. Control of applications To involve function of control of applications it is necessary to create ²sensor applications. It is the same a profile, only in a profile :) We look: 14 von :26

15 In our case, it is possible and it is necessary to select specific application, switching sensor control type on ²Specify Applications and a search method to find the necessary application: System of preventing of irruptions For switching-on in a security policy the sensor control for IPS is again necessary: it that through the web interface it is impossible to create the filter on application, but it it is possible to make the only thing of the CLI-console, executing such commands or copying them as a script: 15 von :26

16 config ips sensor edit "OWA-Publishing" config entries edit 2 end next end next set application IIS MS_Exchange set location server After creation in CLI the filter, in it it is possible to apply any signatures only for IIS and Exchange. One more ²nejavnaja function this writing of the IPS-signature for access blocking at trying to inject the wrong password. For creation that for OWA 2012 it will look as follows: config ips custom edit "MS.OWA.Login. Error" set comment" set signature "F-SBID (- attack_id 3608; - name \" MS.OWA.Login. Error \"; - pr otocol tcp; - service http; - flow from_server, reversed; - pattern \" <div class = 2 2 signinerror role= 22 alert 22 > \"; - context body; - no_case; - pattern! \" < 2F div> \"; - context body; - no_case; - within_abs 20; - rate 3,180;)" next end Here parameter ² - rate 3,180; symbolizes an amount of false errors of password entry (3) and a time of lock of the user on its IP address in seconds (180). Protection against a harmful/spying software The antivirus profile looks so: 16 von :26

17 As we see, besides HTTP there are still other types of the traffic (SMTP, POP3, IMAP, MAPI, FTP). We have enough for the publication only HTTP (S). So, we collect this all together. We create a policy for ours reverse-proxy with the publication, from the outside in a corporate network, to be exact on servers of web applications, plus is included all tuned profiles and sensor controls, including SSL-inspection: 17 von :26

18 Publication Lync Now, when we in details considered the problem publications OWA/SharePoint with the full possible feature set of safety, it is necessary to mark that publication Lync as web applications happens on FortiGate practically under the same circuit (translation of addresses, an exchange of certificates, protection by functions UTM) and on the same protocols, except for necessity appearance to control as well traffic SIP: 18 von :26

19 To consider and such aspect, besides the presented possibilities, in FortiGate support SIP ALG (Application Level Gateway) an application layer gateway which provides detailed inspection and traffic SIP filtering is built in. As well as many functions FortiGate, SIP ALG deserved at the vendor of a separate manual therefore its detailed reviewing also deserves separate paper in the future. Remote access of users and a VPN-network The virtual private networks VPN and the protected scrambled access with their help of remote users to corporate resources of a network or tunnels between the spaced apart platforms of the factories, are very widely used already a time considerable quantity, and TMG here is not unique and unique, providing us the given functional. FortiGate too not panacea but to search for the solution for VPN on the side knowing, as here all of us can already make ²iz boxes it, forgive, moveton. And we made a reservation still in the beginning that the solution our full-function, we will not trick therefore and we will continue with migration of all functions TMG. So, what it is had? We have support L2TP/IPSec and IPsec VPN for so-called ²site-to-site connections and SSL-VPN for remote access from any point that quite approaches for ²client-to-site. 19 von :26

20 For IPsec some variations, a-lja static or ²Dialup -connections (having the static address on one side and dynamic from tunnel remote end), Dynamic DNS are accessible. Tunnels are under construction both between FortiGate ами, and between the PC and FortiGate by means of additional software FortiClient. There is an assemblage of authentifications (local groups of users, identifiers of a local and remote node, certificates X.509, the registration data of groups of an Active Directory). SSL it is presented by two regimes web portal and tunnel. Web portals are intended for sweeping access to corporate resources from a web browser that is especially actual for thin clients and mobile devices. In such regime, FortiGate serves as protected HTTP/HTTPS the gateway, and autentifitsiruet users, giving to them then access to a web portal where resources HTTP/HTTPS, telnet, FTP, SMB/CIFS, VNC, RDP, SSH and other are accessible. The tunnel regime offers access to any application to a corporate network, but is for this purpose installed FortiClient or its separate part FortiClient SSL VPN application. FortiClient supports many OS: Windows, Mac OS X, Apple ios and Android. One more of types of additional authorization for VPN is two-factor authentication by means of the apparatus oscillator of one-time passwords FortiToken or softvarnogo FortiTokenMobile for mobile devices. In general, the VPN-FUNCTIONAL is besides wide enough and in all beauty is presented on a couple of hundreds pages, but, at the same time, having a little trained (the direct arm) it is possible to be controlled easily with numerous tunnels and web portals. At last, we mark also a support of VPN-tunnels with indirect (third-party) vendors, among which connection possibility to cloudy service Windows Azure from Microsoft which too uses 20 von :26

21 IPSec VPN. At last, summing up all aforesaid, with confidence we say that the Fortinet in the name of the leader rulers of UTM-devices FortiGate can provide with its purchasing very wide dial-up of functionality for creation of system of complex network safety of the factories of any sizes, leaving thus a gap for growth of their quantity. It is impossible to avoid possibility more uzkoprofilno to reinforce protection by means of separate rulers of the equipment of Fortinet, such as: FortiWeb, FortiMail, FortiBalancer, FortiToken and FortiClient, mentioned by us in the capacity of passage from Microsoft TMG, and also remaining grocery rulers: FortiWifi and FortiAP for creation of the protected wireless communication, centralized control FortiManager, the centralized collection and the papework analysis FortiAnalyzer, protection against DDoS-attacks FortiDDoS, protection of databases FortiDB, web cachings FortiCache, the caching DNS-server FortiDNS, the separate solution for authentification of users FortiAuthenticator, operations ²v rupture at falling out of network devices FortiBridge, switching FortiSwitch and it yet the list end The scalability question is necessary for considering depending on demanded functions, before used in TMG. And if to you attracted FortiGate alone or together with other iron from Fortinet that small enterprises (approximately to 100 users) should pay attention to model FortiGate-90D and more low, and to larger organizations on FortiGate-100D and above since a support of some functions (as well as the price) varies depending on model. In end, from itself it would be desirable to underline that about, whether dostoen FortiGate to become for you not only full-function, but also imperceptible and problemless passage from Microsoft TMG to solve, naturally, to you. As on me it is quite implemented. Anzeige Reiseangebote San Francisco Top 2.5* Hotel inkl. Flug. Jetzt günstig buchen! Fehler: Netzwerk- Zeitüberschreitun ab 1013 ab 949 travelscout24.de Günstige Flüge bei Opodo.de! Flug von Berlin nach San Francisco! opodo.de Der Server unter ads.travelaudience.com braucht zu lange, um eine Antwort zu sende Die Website könnte vorübergehend nicht erreichbar sein, versuchen Sie es bitte sp nochmals. Wenn Sie auch keine andere Website aufrufen können, überprüfen Sie bitte die 21 von :26

22 0 Comments sysmagazine! Login Sort by Best Share Favorite Start the discussion ALSO ON SYSMAGAZINE WHAT'S THIS? Notch refused exhaustion Minecraft for Oculus Rift IT daily blog, news, magazine, technologies 1 comment 6 months ago AvatarIT Offshoring this is good that they are trying to make site like facebook. hope they would be able to make it as popular as fb but it wouldn't be that easy to fight with FB.thanks for sharing It are time to pay: non-standard methods of a monetization of a software and numeral content 1 comment 6 months ago AvatarExchange Paypal to Skrill Regardless of what WorldPay forecasts, users will keep relying on credit and debit cards for these kind of transactions between two e-wallet providers Diamond Dash or as it are not necessary to protect the online of application 1 comment 6 months ago AvatarRafhael Henrique B. Araujo what do i need to have all that gold? :O Operation with USB devices in the program on the C in MacOS X IT daily blog, news, magazine, 1 comment 7 technologies months ago Avatarrj HiI'm new to Mac Apps...is that possible to list or access files which is stored on the usb drive using IOKit? any help would be appreciated!thanks 22 von :26