MULTIFACTOR AUTHENTICATION WITH FORTITOKEN & FORTIAUTHENTICATOR (Info-Byte)
CONFIDENTIAL
BEST PRACTICE SECURITY
“Multi-factor authentication (MFA) is one of the most effective controls an
organisation can implement to prevent an adversary from gaining access to a
device or network and accessing sensitive information.
When implemented correctly, multi-factor authentication can make it significantly
more difficult for an adversary to steal legitimate credentials to facilitate further
malicious activities on a network. Due to its effectiveness, multi-factor authentication
is one of the Essential Eight from the Strategies to Mitigate Cyber Security
Incidents.”
- Australian Signals Directorate, April 2019
BEST PRACTICE SECURITY
▪ Access should have at least two of the following:
» Something you know: e.g. a Personal Identification
Number (PIN), a password or a challenge question
response
» Something you have: e.g. a physical token, a smartcard, a
one-time password, or a software certificate
» Something you are: e.g. a fingerprint or an iris scan
▪ If an authentication method at any time offers the user
the ability to reduce the number of factors to a single
factor, it is by definition no longer a multi-factor
authentication method. A common example of this is
when a user is offered the ability to “remember this
computer/password”.
WHAT IS?: OATH, OTP, TOTP AND HOTP GENERATORS
▪ Initiative for Open Authentication (OATH) compliance means adhering to the standards published by that
open industry initiative, which holds that authentication solutions should be developed collaboratively
among security vendors rather than kept proprietary
▪ A One-Time Password (OTP) is an automatically generated numeric or alphanumeric string
that is valid for a single transaction or login session; the authentication server validates it
by running the same algorithm (see below) in synchronisation with the OTP generator
» TOTP: Time-based One-Time Password algorithm (RFC 6238); the moving factor is the current time step
» HOTP: Keyed-hash message authentication code (HMAC)-based One-Time Password algorithm (RFC 4226);
the moving factor is an event counter
WHAT IS?: ONE-TIME PASSWORD TOKEN GENERATOR
▪ FortiToken 200 series performing TOTP generation for Multi-Factor Authentication (MFA),
sometimes known as Two-Factor Authentication (2FA)
[Diagram: the user submits Static Password + OTP. The static password is matched against a directory
(e.g. Active Directory); the OTP is matched by the validation server. The OTP token and the validation
server each run the same algorithm over the same time with the same step ("same time, same speed");
the validation server keeps its clock synchronised with a time server (NTP).]
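The HOTP and TOTP algorithms named on the previous slide, and the "same time, same speed" validation shown in the diagram above, as an added example. This is not Fortinet code and not what FortiAuthenticator runs internally: the hotp/totp functions follow RFC 4226 and RFC 6238 and are exercised against those RFCs' published test vectors (seed "12345678901234567890"); the TotpValidator class, its drift window and its replay check are this example's own assumed design for a validation server.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a server-side validator.

Added example, not Fortinet code. The validator design (drift window,
replay check) is assumed for illustration; the algorithms are the RFCs'.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Reference seed from RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# A real token's seed is a random per-device secret provisioned out of band.
RFC_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is floor(unix_time / step).

    Token and server must agree on the time (NTP) and on the step ("speed").
    """
    return hotp(secret, for_time // step, digits, digestmod)


class TotpValidator:
    """Server-side check with a small clock-drift window and one-time-use enforcement.

    window=1 accepts the previous, current and next step, i.e. about +/-30 s of drift
    between the token's oscillator and the server's NTP-synced clock. The highest
    accepted step is remembered so the same OTP cannot be replayed and an older
    step cannot be used after a newer one (assumed design, not a vendor behaviour).
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted_step = -1

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue  # already consumed (replay) or older than the last accepted step
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 Appendix D vectors: counter 0 -> 755224, counter 9 -> 520489
    print(hotp(RFC_SEED, 0), hotp(RFC_SEED, 9))
    # RFC 6238 Appendix B vectors (8 digits, SHA-1): T=59 -> 94287082
    print(totp(RFC_SEED, 59, digits=8))
    v = TotpValidator(RFC_SEED)
    t = 1_000_000
    code = totp(RFC_SEED, t)
    print(v.verify(code, now=t), v.verify(code, now=t))  # True, then False (replay)
```

The window is a trade-off: widening it tolerates more token drift but lengthens the period in which an intercepted OTP stays usable, which is why the replay check records the accepted step rather than only comparing values.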
CURRENT LANDSCAPE
▪ Google and Microsoft
Authenticators:
» Linked to staff personal
phones and personal
email address making it
hard to troubleshoot
issues
» Concerns around
harvesting of personal
data
» Limited/no logging and
reporting data to analyse
indicators of compromise
▪ LastPass password
manager:
» A good step in the
direction of credential
management but
becomes an additional
bolt-on product without
much interoperability and
management to rest of IT
» Non-perpetual high cost
subscription per user
starting at $3AUD per
month ($1800 per year
for 50 staff)
▪ Nothing:
» No password policy
means that many
businesses are leaving
the front door to their IP
wide open to attack
» Default admin
credentials, no password
strength enforcement and
staff storing passwords in
word docs on desktop
» Too many passwords to
remember has led staff to
create unsafe habits
Fortinet Recognized as a Leader
Marks 10th time in a row that Fortinet is in the Magic Quadrant for Network Firewalls
NSS Labs 3rd-Party Certifications
▪ Most recent 2019 test results
NSS Labs Recommendations:
Fortinet - 9: Next-gen Firewall (NGFW), Next-gen Intrusion Prevention System (NGIPS),
Data Centre IPS, Data Centre Security Gateway (DCSG), Breach Prevention System (BPS),
Breach Detection System (BDS), Advanced Endpoint Protection (AEP), Web Application
Firewall (WAF), Software-Defined Wide Area Network (SD-WAN)
Palo Alto Networks - 4
Check Point - 3
Cisco - 2
SINGLE SIGN-ON USER IDENTIFICATION
▪ FortiAuthenticator can identify users through a range of methods and integrate with third-party
LDAP or Active Directory systems to apply group or role data to the user and communicate with
FortiGate for use in identity-based policies. FortiAuthenticator is completely flexible and can use
these methods in combination:
» Active Directory polling
» FortiAuthenticator SSO Mobility Agent (FSSO)
» Portals and widgets
» RADIUS accounting login
▪ Strengthens enterprise security by simplifying and
centralising the management of user identity
information
▪ Certificate management for enterprise VPN
deployment
FORTINET SOLUTION FORM FACTORS
Hardware Appliance
» Dedicated processor chips to
process Content and Network
functions separately
» Ruggedized and dual power
supply options
» Australian stock for FortiCare
hardware replacements
Virtual Machine
» Licensed per CPU or log
capacity
» Worry less about projected
growth and throughput sizing
» Deploy in your own AWS or
Azure cloud to apply true cloud
flexibility
Azure/AWS Marketplace
» Auto Scaling functionality
and FortiGate CloudFormation
template configuration
provides automation based on
resource demand
» Deploy native Azure/AWS
scripting to automatically
push malicious IP/DNS
addresses or load balancing
into dynamic FortiGate policies
PRODUCT MATRIX » FortiAuthenticator
Model       Total users (Local+Remote)   User certificates   AUD RRP
FAC-200E    500                          2,500               ~$8,400
FAC-400E    2,000                        10,000              ~$18,000
FAC-1000D   10,000                       50,000              ~$38,000
FAC-2000E   20,000                       100,000             ~$50,000
FAC-3000E   40,000                       200,000             ~$70,000
PRODUCT MATRIX » FortiToken
Type                 SKU                     Description                                          AUD RRP (perpetual)
FortiToken app       FTM-ELIC-5              5 device codes for one-time password tokens for      ~$475 (~$95 ea)
                                             iOS and Android mobile devices. Perpetual licenses.
FortiToken physical  FTK-200-5 (keychain)    5 one-time password physical tokens in keychain      ~$490 (~$98 ea)
                     FTK-220-5 (credit card) style or credit card style. Perpetual licenses.
FortiToken dongle    FTK-300-5               5 USB dongles for PKI certificate and client         ~$530 (~$106 ea)
                                             software. Perpetual licenses.
Secure Access
Simplified, consolidated
management for your entire
infrastructure
Sales Scenario
“I don’t see what the problem
is, why should I buy this two-
factor stuff when I haven’t
heard staff complain?”
Cannot see the use case for MFA and SSO
▪ People usually buy an alarm after they have been robbed the first time
» Prevention is always better than cure
▪ Staff have probably already formed unsafe habits like simple passwords and storing passwords in a
notepad.txt document on the desktop
» Not being able to see air doesn’t mean it’s not there
▪ Productivity could increase with ease of
secure accessibility to CRM and database
systems
» Many staff keep their notes or communication in
the system that is easiest to access
▪ MFA doesn’t just help to protect from
external hackers; often data leaks are
performed by the enemy within
» MFA alerts notify you if someone has your
password and is attempting to log in from a new
device
Sales Scenario
“We looked at your Fortinet
solution but it seems very
expensive when we can use
free tools and update our HR
orientation guide”
Using free tools to achieve MFA or some SSO
▪ Security audits from third parties will always ask what your reporting capabilities are and request a
sample report
» Using a mix of free tools will mean a staff member will need to sit and create the reports
▪ Free tools are targeted by hackers due to their popularity
» When an exploit is found it would be like free cheeseburger day at McDonalds as opposed to free pear day at Coles
▪ Bolting on more security tools may
increase safety in that one area, but if they
don’t talk to one another you do not have a
wide view of all your risk
» Most free tools work as a single point product in
isolation from other tools
▪ Free tools can have their development
stopped/slowed due to lack of volunteers,
and popular tools are often bought out
» LogMeIn currently owns LastPass; what has that
done to its product development since?
Live Demonstration
Multi-factor authentication
with FortiClient VPN for user
logins
FGT-MEL-FortiGate60E, user: jzullo
Live Demonstration
Using FortiToken free for
Microsoft365 (or any other
OATH OTP MFA)
Microsoft 365 Admin Console and sign-in
Questions?