Tag: VPN

Authenticating SSL VPN users using LDAP

· Leave a comment ·

This example illustrates how to configure a FortiGate to use LDAP authentication to authenticate remote SSL VPN users. With a properly configured LDAP server, user and authentication data can be maintained independently of the FortiGate, accessed only when a remote user attempts to connect through the SSL VPN tunnel.

  1. Downloading and installing FSSO agent in the LDAP server
  2. Registering the LDAP server on the FortiGate
  3. Configuring Single Sign-On on the FortiGate
  4. Importing LDAP users
  5. Creating the SSL VPN user group
  6. Creating the SSL address range
  7. Configuring the SSL VPN tunnel
  8. Creating security policies
  9. Results

capture1

  1. Downloading and installing FSSO agent in the LDAP server

The current Forti OS version which we are using in our firewall is 5.2.5 build 701 (shown below)

Forti OS version.JPG

Download and install FSSO client on your Domain Controller, find a download link here:

https://support.fortinet.com/Download/FirmwareImages.aspx

fsso

Accept the license and follow the Wizard. Enter the Windows AD administrator password.

ca-step1

Click Next, select the Advanced Access method

ca-step2

In the Collector Agent IP address field, enter the IP address of the Windows AD server.

ca-step3

Select the domain you wish to monitor.

ca-step4

Next, select the users you do not wish to monitor.

ca-step5

Under Working Mode, select DC Agent mode.

ca-step6

Reboot the Domain Controller.

ca-step7

Upon reboot, the collector agent will start up.

You can choose to Require authenticated connection from FortiGate and set a Password.

ca-step8

2. Registering the LDAP server on the FortiGate

Go to User & Device > Authentication > LDAP Servers to configure the LDAP server.

ldap

3.  Configuring Single Sign-On on the FortiGate

Go to User & Device > Authentication > Single Sign-On and create a new SSO server.

Under Groups tab, select the user groups to be monitored. In this example, “FortiOS Writers” group is used.

sso_fgt

4.  Importing LDAP users

Go to User & Device > User > User Definition, and create a new user, selecting Remote LDAP User.

Choose your LDAP Server from the dropdown list.

You will be presented with a list of user accounts, filtered by the LDAP Filter to include only common user classes.

fsso-1

5.  Creating the SSL VPN user group

Go to User & Device > User > User Groups to create a new FSSO user group.

user-group

6.  Creating the SSL address range

Go to Policy & Objects > Objects > Addresses, and create a new address.

Set the Type to IP Range, and in the Subnet/IP Range field, enter the range of addresses you want to assign to SSL VPN clients. Select Any as the Interface.

Then create another Address for each Subnet or IP Range within your internal network to which remote users will connect.

capture-2

7.  Configuring the SSL VPN tunnel

Go to VPN > SSL > Portals and create the full-access portal or edit the full-access portal

capture-3

Source IP pools > select from the drop down menu > SSL address range created above (point#6)

Go to VPN > SSL > Settings.

Under Connection Settings set Listen on Port to 443.

ssl-settings1

Under Authentication/Portal Mapping, select Create New.

capture-4

Assign the LDAP group user group to the full-access portal

8.  Creating security policies

Go to Policy & Objects > Policy >  IPv4 and create an ssl.root – wan1 policy.

policyconfig1

9.  Results

Click on  VPN client > Select SSl-VPN > click on New VPN > Give Connection Name

Type the IP Address of Remote Gateway ( WAN IP Address)

Click customize the port( default port# 443)

Click on Do not Warn Invalid Server Certificate

Click > Apply and close

capture-5

Open the Forticlient >

capture-6

Type your LDAP credentials and click on Connect.

That’s it.

Happy Browsing!!

Check this video for detailed information about installation,

 source: FortiGate

SECURITY+ Acronyms

· 2 Comments ·
Acronym

Stands for
3DES Triple Data Encryption Standard
AAA Authentication, Authorization and Accounting
ACL Access Control List
AES Advanced Encryption Standard
AES 256 Advanced Encryption Standards, 256-bit
AH Authentication Header
ARP Address Resolution Protocol
AUP Acceptable Use Policy
BCP Business Continuity Planning
BIOS Basic Input/Output System
BOTS Network Robots
CA Certificate Authority
CCTV Closed-Circuit Television
CERT Computer Emergency Response Team
CHAP Challenge Handshake Authentication Protocol
CIRT Computer Incident Response Team
CRL Certification Revocation List
DAC Discretionary Access Control
DDOS Distributed Denial of Service
DEP Data Execution Prevention
DES Data Encryption Standard
DHCP Dynamic Host Configuration Protocol
DLL Dynamic Link Library
DLP Data Loss Prevention
DMZ Demilitarized Zone
DNS Domain Name Service
DOS Denial Of Service
DRP Disaster Recovery Plan
DSA Digital Signature Algorithm
EAP Extensible Authentication Protocol
ECC Elliptic Curve Cryptography
EFS Encrypted File System
EMI Electromagnetic Interference
ESP Encapsulated Security Payload
FTP File Transfer Protocol
GPU Graphic Processing Unit
GRE Generic Routing Encapsulation
HDD Hard Disk Drive
HIDS Host-Based Intrusion Detection System
HIPS Host-Based Intrusion Prevention System
HMAC Hashed Message Authentication Code
HSM Hardware Security Module
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol over SSL
HVAC Heating, Ventilation, Air Conditioning
IaaS Infrastructure as a Service
ICMP Internet Control Message Protocol
ID Identification
IKE Internet Key Exchange
IM Internet Messaging
IMAP4 Internet Message Access Protocol v4
IP Internet Protocol
IPSEC Internet Protocol Security
IRC Internet Relay Chat
ISP Internet Service Provider
KDC Key Distribution Center
L2TP Layer 2 Tunneling Protocol
LANMAN Local Area Network Manager
LDAP Lightweight Directory Access Protocol
LEAP Lightweight Extensible Authentication Protocol
MAC Mandatory Access Control / Media Access Control
MAC Message Authentication Code
MBR Master Boot Record
MDS Message Digest 5
MSCHAP Microsoft Challenge Handshake Authentication Protocol
MTU Maximum Transmission Unit
NAC Network Access Control
NAT Network Address Translation
NIDS Network-Based Intrusion Detection System
NIPS Network-Based Intrusion Prevention System
NOS Network Operating System
NTFS New Technology File System
NTLM New Technology LANMAN
NTP Network Time Protocol
OS Operating System
OVAL Open Vulnerability Assessment Language
PAP Password Authentication Protocol
PAT Port Address Translation
PEAP Protected Extensible Authentication Protocol
PGP Pretty Good Privacy
PKI Public Key Infrastructure
PPP Point-to-Point Protocol
PPTP Point-to-Point Tunneling Protocol
PSK Pre-Shared Key
RA Recovery Agent
RADIUS Remote Authentication Dial-in User Server
RAID Redundant Array of Inexpensive Disks
RAS Remote Access Server
RBAC Role Based Access Control
RSA Rivest, Shamir & Adleman
RTP Real-Time Transport Protocol
S/MIME Secure/Multipurpose Internet Mail Extension
SaaS Software as a Service
SCAP Security Content Automation Protocol
SCSi Small Computer System Interface
SDLC Software Development Life Cycle
SDLM Software Development Life Cycle Methodology
SHA Secure Hashing Algorithm
SHTTP Secure Hypertext Transfer Protocol
SIM Subscriber Identity Module
SLA Service Level Agreement
SLE Single Loss Expectancy
SMS Short Message Service
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SSH Secure Shell
SSL Secure Sockets Layer
SSO Single Sign-On
TACACS Terminal Access Controller Access Control System
TCP/IP Transmission Control Protocol/Internet Protocol
TLS Transport Layer Security
TPM Trusted Platform Module
UAT User Acceptance Testing
UPS Uninterrupted Power Supply
URL Universal Resource Locator
USB Universal Serial Bus
UTP Unshielded Twisted Pair
VLAN Virtual Local Area Network
VoIP Voice Over IP
VPN Virtual Private Network
VTC Video Teleconferencing
WAF Web Application Firewall
WAP Wireless Access Point
WEP Wired Equivalent Privacy
WIDS Wireless Intrusion detection System
WIPS Wireless Intrusion Prevention System
WPA Wireless Protected Access
XSRF Cross-Site request Forgery
XSS Cross-Site Scripting

Firewall

· 4 Comments ·

A firewall is defined as a system which is designed to prevent unauthorized access to or from a private network. Claimed to be implemented in both hardware and software, or a combination of both, firewalls are frequently used in order to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets.

Types of firewall techniques:

Packet filter: Each packet entering or leaving the network is checked and based on user-defined rules it is either accepted or rejected. It is said to be fairly effective and transparent to users, but is difficult to configure and is susceptible to IP spoofing.
Application gateway: Security mechanisms are applied to specific applications, such as FTP and Telnet servers. Although this is very effective, performance degradation can be imposed.
Circuit-level gateway: Security mechanisms are applied when a TCP or UDP connection is established. Upon establishing the connection, packets can flow between the hosts without further checking.
Proxy server: All messages are intercepted while entering and leaving the network, while the true network addresses are kept effectively hidden by the proxy server

Principle of a Firewall:

A set of predefined rules constitute a firewall system wherein the system is allowed to:

Authorise the connection (allow)
Block the connection (deny)
Reject the connection request without informing the issuer (drop)

Firewall Management Best Practices:

  • Don’t assume that the firewall is the answer to all your network security needs.
  • Deny all the traffic and allow what is needed and the other way, allowing all and blocking the known vulnerable ports.
  • Limit the number of applications running (Antivirus, VPN, Authentication software’s) in your host based firewalls to maximize the CPU cycles and network throughput.
  • Run the firewall services from unique ID rather than running from generic root/admin id.
  • Follow good password practices

                   – Change the default admin or root passwords before connecting the firewall to the internet

                   – Use long and complex pass phrase difficult to crack and easy to remember

                   – Change the passwords once in 6 months and whenever suspected to be compromised

  • Use features like stateful inspection, proxies and application level inspections if available in the firewalls.
  • Physical Access to the firewall should be controlled.
  • Keep the configurations simple, eliminate unneeded and redundant rules.
  • Audit the firewall rule base regularly.
  • Perform regular security tests on your firewalls for new exploits, changes in rules and with firewall disabled to determine how vulnerable you will be in cased of firewall failures.
  • Enable firewall logging and alerting.
  • Use secure remote syslog server that makes log modification and manipulation difficult for an attacker.
  • Consider outsourcing firewall management to a managed service provider to leverage on their expertise, trend analysis and intelligence.
  • Have strong Change Management process to control changes to firewalls.
  • Try to have personal firewalls/intrusion prevention software’s, as the network firewalls can be easily circumvented when connected through devices like USB modems, ADSL links etc.
  • Backup the firewalls rule base regularly and keep the backups offsite