SSL-VPN TUNNELS USING FORTIGATE AND FORTICLIENT (Info-Byte SSL-VPN v1.2.pdf)

Post on 27-Feb-2021




SSL-VPN TUNNELS USING FORTIGATE AND FORTICLIENT


WHAT IS?: VIRTUAL PRIVATE NETWORK (VPN)

▪ A VPN creates a tunnel that extends a private network across the public network (internet) to your corporate network
▪ Designed to safely transmit data:
  » Tamper-proof to stop messages/files from changing
  » Encrypted so unauthorized users cannot eavesdrop or read
  » Requires authentication so that only known users send/receive
▪ SSL and TLS are commonly used to encapsulate and secure online banking; they reside higher up the network stack than IP and therefore usually require more identification (bits/bandwidth) in their protocol headers, and can only be established between a computer and vendor-specific software


WHAT IS?: VIRTUAL PRIVATE NETWORK (VPN)

▪ Examples of workers in a private network:
  » Branch offices connecting to central HQ (even on the other side of the world)
  » Workers using hotspot (3/4G) on the road
  » Workers travelling on hotel internet/laptop
  » Workers on home internet/PC
  » Hackers also attempt to hijack these virtual private networks


BEST PRACTICE SECURITY

“Virtual Private Network (VPN) connections can be an effective means of providing remote access to a network; however, VPN connections can be abused by an adversary to gain access to a network without relying on malware and covert communication channels.

If a device using a VPN connection is compromised there is the security risk it could be used to compromise connected networks. Because of this, all VPN traffic should be treated as untrusted, potentially malicious and subjected to the same scrutiny as any external communications.”

- Australian Signals Directorate, April 2020


BEST PRACTICE SECURITY

▪ VPNs should be configured to have the following:
  » VPN termination points with DMZ security access rules
  » Multi-factor authentication and device/operating system restrictions for user logins
  » Enforcing a host-check for anti-virus and geo-location (Aust. IP address)
  » Effective logging and log analysis
▪ If split-tunnel (directing only corporate-destined traffic through the VPN) is to be used, you must use the configuration methods above, as a user who is compromised during a split-tunnel VPN session could create a breach tunnel into your corporate network
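As an added example (not from the deck, and not Fortinet's own reference configuration), the FortiOS CLI fragment below implements the four practices above plus a split tunnel restricted to corporate routes; the interface, address-object, IP-pool, user-group and FortiToken serial names are assumptions, and the "sslvpn-users" group and "corp-lan"/"dmz-apps" objects are assumed to exist already.

```fortios
# Added example, not the deck's own config; quoted object names are assumed.
# Geo-location: accept SSL-VPN connections from Australian IPs only
config firewall address
    edit "AU-only"
        set type geography
        set country "AU"
    next
end
config vpn ssl settings
    set source-interface "wan1"
    set source-address "AU-only"
    set default-portal "corp-tunnel"
end
# Host-check (AV), OS restriction, and split tunnel limited to corporate routes
config vpn ssl web portal
    edit "corp-tunnel"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling enable
        set split-tunneling-routing-address "corp-lan"
        set host-check av
        set os-check enable
        config os-check-list
            edit "windows-10"
                set action check-up-to-date
            next
        end
    next
end
# Multi-factor: password plus FortiToken one-time password
config user local
    edit "vpn-user1"
        set two-factor fortitoken
        set fortitoken "<FTKMOB-serial-placeholder>"
    next
end
# Terminate into the DMZ only, with all sessions logged
config firewall policy
    edit 10
        set srcintf "ssl.root"
        set dstintf "dmz"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "dmz-apps"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Because no policy exists from ssl.root to the internal LAN, a compromised split-tunnel client can only reach the DMZ services the policy names, and every session it opens is logged for analysis.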


CURRENT LANDSCAPE

▪ ID and password to the remote-controlled PC:
  » Usually installed on a domain server to access Active Directory
  » Not often updated as the server is not accessed daily, sometimes not for months
  » Hackers regularly exploit; the last major case was an admin password in clear text [1]
▪ External IP address and username/pass:
  » Workers connect to a terminal server to access their sharedrive and office apps
  » Part of a VM farm which resides on the physical business server that usually hosts other important apps
  » Hackers brute force a log-on session then perform a survey
▪ Ports are opened to the internet to allow IT equipment to work:
  » Phone and video conferencing open ports to communicate with branch systems and make/receive calls
  » Some equipment opens ports to allow for auto-updates and remote settings administration
  » Hackers test for the port then try default credentials


Fortinet Recognized as a Leader

Marks 10th time in a row that Fortinet is in the Magic Quadrant for Network Firewalls


NSS Labs 3rd-Party Certifications

▪ Most recent 2019 test results
▪ NSS Labs Recommendations (categories shown): Next-gen Firewall (NGFW), Next-gen Intrusion Prevention System (NGIPS), Data Centre IPS, Data Centre Security Gateway (DCSG), Breach Prevention System (BPS), Breach Detection System (BDS), Advanced Endpoint Protection (AEP), Web Application Firewall (WAF), Software-Defined Wide Area Network (SD-WAN)
▪ Palo Alto Networks - 4, Check Point - 3, Cisco - 2


Complexity is the Enemy

[Figure: traditional access layer built from separate products: VPN, Web Filtering, IPS, Application Control, Wi-Fi Controller, Advanced Threat Protection, Antivirus, Firewall, Management, Switching]

▪ Multiple point solutions
▪ Multiple platforms
▪ Multiple management consoles
▪ Inconsistent policy and networking
▪ Varying upgrade cycles
▪ Slow and porous threat response
▪ Resources strained to maintain
▪ Prone to configuration complexity

Traditional access layer approach = Complexity


Fortinet Security Fabric = Simplicity

[Figure: FortiGate with Management consolidated into one platform]

FortiGate consolidates:
▪ One UI to learn
▪ Single platform to manage
▪ Single place for security policies
▪ Reduced chance of config error
▪ Lower CAPEX, OPEX, Training, Personnel


FORTINET SOLUTION FORM FACTORS

Hardware Appliance
» Dedicated processor chips to process Content and Network functions separately
» Ruggedized and dual power supply options
» Australian stock for FortiCare hardware replacements

Virtual Machine
» Licensed per CPU or log capacity
» Worry less about projected growth and throughput sizing
» Deploy in your own AWS or Azure cloud to apply true cloud flexibility

Azure/AWS Marketplace
» Auto Scaling functionality and FortiGate CloudFormation template configuration provides automation based on resource demand
» Deploy native Azure/AWS scripting to automatically push malicious IP/DNS addresses or load balancing into dynamic FortiGate policies


PRODUCT MATRIX » FortiGate

Model | Concurrent SSL-VPNs | AUD RRP (H/W inc 1YR subscription)
FGT-30E | 100 | ~$1,000
FGT-50E-60E-80E | 200 | ~$1,300 - ~$2,500
FGT-100E-200E | 500 | ~$5,000 - ~$9,000
FGT-300E | 5,000 | ~$15,000
FGT-VM01 | 1,000 | ~$3,600


PRODUCT MATRIX » FortiClient

SKU | Description | AUD RRP (1YR subscription)
FCT-VPN (N/A) | Download from forticlient.com; gives SSL-VPN access with a quick install for the max client limit of your FGT | FREE
FCT-FortiClient (FC1-15-EMS01-297-01-12) | 25 devices (computer, server or mobile); unlocks the logon at start-up and auto reconnect features as well as all AV features and tech support | ~$420 (~$1.40 per device per month)
FGT-FortiClient Cloud (FC1-15-EMS01-302-01-12) | 25 devices with the features of the FCT license above but no need for a central management program on your network; Fortinet hosted EMS | ~$1,050 (~$3.50 per device per month)


PRODUCT MATRIX » FortiToken

SKU | Description | AUD RRP (1YR subscription)
FortiToken app (FTM-ELIC-5) | 5 device codes for one-time password tokens for iOS and Android mobile devices. Perpetual licenses. | ~$475 (~$95 ea)
FortiToken physical (FTK-200-5 keychain, FTK-220-5 credit card) | 5 one-time password physical tokens in keychain style or credit card style. Perpetual licenses. | ~$490 (~$98 ea)
FortiToken dongle (FTK-300-5) | 5 USB dongles for PKI certificate and client software. Perpetual license. | ~$530 (~$106 ea)


Secure Access: simplified, consolidated management for your entire infrastructure


[Figure: Improper remote access vs. Proper remote access]

Live Demonstration: VPN termination points with DMZ security access rules (demo device: FGT-MEL-FortiGate60E)

Live Demonstration: Multi-factor authentication and device/operating system restrictions for user logins (demo device: FGT-MEL-FortiGate60E, user: jzullo)

Live Demonstration: Enforcing a host-check for anti-virus and geo-location (Aust. IP address) (demo device: FGT-MEL-FortiGate60E)

Live Demonstration: Effective logging and log analysis (demo device: FGT-MEL-FortiGate60E)

Live Demonstration: Split-tunnel (demo device: FGT-MEL-FortiGate60E)

Questions?