6. Fortinet Getting Started v6.0. Web Filtering and Application Control

Greetings! Welcome to the sixth lesson of the course Fortinet Getting Started. In the last lesson we mastered the basics of working with NAT on FortiGate and released our test user onto the Internet. Now it is time to take care of that user's safety out there. In this tutorial we will cover the following security profiles: Web Filtering, Application Control, and HTTPS Inspection.

In order to get started with security profiles, we need to understand one more thing: inspection modes.

The default is Flow Based mode. It checks files as they pass through FortiGate without buffering. Once a packet arrives, it is processed and passed on without waiting for the entire file or web page to arrive. It requires fewer resources and provides better performance than Proxy mode, but not all security functionality is available in it. For example, Data Leak Prevention (DLP) can only be used in Proxy mode.

Proxy mode works differently. It creates two TCP connections: one between the client and FortiGate, the second between FortiGate and the server. This allows it to buffer traffic, i.e. receive a complete file or web page. Scanning files for various threats starts only after the entire file has been buffered. This makes additional features available that Flow Based mode does not offer. As you can see, this mode is in a sense the opposite of Flow Based: safety plays the major role here, and performance fades into the background.

We often get asked which one is better, but there is no general recipe. Everything is always individual and depends on your needs and tasks. I will try to show the differences between security profiles in Flow and Proxy modes later in the course. This will help you compare features and decide which is best for you.

Let's go directly to the security profiles and first look at Web Filtering. It helps to control or keep track of which web sites users visit. I don't think the need for such a profile requires much explanation these days, so let's look instead at how it works.

After a TCP connection is established, the user requests the content of a specific web site using a GET request.

If the web server responds positively, it sends the website information in response. This is where the web filter comes into play. It checks the content of the given response. During the check, FortiGate sends a real-time query to the FortiGuard Distribution Network (FDN) to determine the category of the given website. After determining the category of a particular website, the web filter, depending on the settings, performs a specific action.
Three actions are available in Flow mode:

  • Allow - allow access to the website
  • Block - block access to the website
  • Monitor - allow access to the website and log it

Two more actions are added in Proxy mode:

  • Warning - warn the user that they are about to visit a particular resource and let them choose whether to continue or leave the website
  • Authenticate - prompt for user credentials; this lets you grant certain groups access to otherwise restricted categories of websites.

On the FortiGuard Labs site you can see all the categories and subcategories of the web filter, as well as find out which category a particular website belongs to. In general it is a rather useful site for users of Fortinet solutions; I advise you to get to know it better in your free time.

Very little can be said about Application Control. As the name implies, it allows you to control the operation of applications. It does this with the help of patterns of various applications, the so-called signatures. Based on these signatures, it can identify a specific application and apply a specific action to it:

  • Allow - allow
  • Monitor - allow and log this
  • Block - prohibit
  • Quarantine - write an event to the log and block the IP address for a certain time

You can also view the existing signatures on the FortiGuard Labs website.
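To make the action rules from the Web Filtering and Application Control sections above concrete, here is an added Python model of the decision logic (example code written for this page, not FortiGate's implementation). The category names, application signature names and the quarantine duration are constructed sample values; the mode check enforces the lesson's rule that Warning and Authenticate exist only in Proxy mode, and the quarantine action logs the event and blocks the source IP until a release time.

```python
from dataclasses import dataclass, field
from enum import Enum

class Mode(Enum):
    FLOW = "flow"
    PROXY = "proxy"

# Web Filtering actions per inspection mode as the lesson lists them:
# Warning and Authenticate are only available in Proxy mode.
WEBFILTER_ACTIONS = {
    Mode.FLOW: {"allow", "block", "monitor"},
    Mode.PROXY: {"allow", "block", "monitor", "warning", "authenticate"},
}

@dataclass
class WebFilter:
    mode: Mode
    category_actions: dict  # FortiGuard category name -> action (constructed)
    default_action: str = "allow"
    log: list = field(default_factory=list)

    def __post_init__(self):
        # Refuse a profile that uses actions the chosen mode cannot perform.
        bad = set(self.category_actions.values()) - WEBFILTER_ACTIONS[self.mode]
        if bad:
            raise ValueError(f"{sorted(bad)} unavailable in {self.mode.value} mode")

    def decide(self, host, category):
        # Action for a site once FDN has returned its category.
        action = self.category_actions.get(category, self.default_action)
        if action == "monitor":  # Monitor: allow and write a log entry
            self.log.append((host, category))
        return action

@dataclass
class AppControl:
    signature_actions: dict  # application signature -> action (constructed)
    quarantine_seconds: int = 300
    quarantined: dict = field(default_factory=dict)  # src_ip -> release time
    log: list = field(default_factory=list)

    def decide(self, src_ip, app, now):
        # Action for traffic that matched an application signature.
        if self.quarantined.get(src_ip, 0) > now:
            return "block"  # source IP still quarantined, whatever the application
        action = self.signature_actions.get(app, "allow")
        if action == "monitor":
            self.log.append((src_ip, app, "monitor"))
        elif action == "quarantine":  # log the event and block the IP for a while
            self.log.append((src_ip, app, "quarantine"))
            self.quarantined[src_ip] = now + self.quarantine_seconds
        return action
```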

Now let's look at the HTTPS inspection mechanism. According to statistics for the end of 2018, the share of HTTPS traffic exceeded 70%. That is, without HTTPS inspection we can analyze only about 30% of the traffic flowing through the network. First, let's look at how HTTPS works, in rough approximation.

The client initiates a TLS request to the web server and receives a TLS response, along with a digital certificate that must be trusted by this user. This is the necessary minimum we need to know about how HTTPS works; in reality the scheme is much more complicated. After a successful TLS handshake, encrypted data transfer begins. And this is good: no one can access the data you exchange with the web server.

However, for security teams this is a real headache, because they cannot see this traffic and check its contents with an antivirus, an intrusion prevention system, DLP, or anything else. It also degrades the identification of applications and web resources used within the network, which is exactly the topic of this lesson. HTTPS inspection is designed to solve this problem. Its essence is very simple: the device performing HTTPS inspection effectively stages a man-in-the-middle. It looks something like this: FortiGate intercepts the user's request, establishes an HTTPS connection with the user, and on its own opens an HTTPS session with the resource the user is accessing. The certificate the user's computer then sees is issued by FortiGate, and it must be trusted for the browser to allow the connection.
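As an added illustration of the certificate trust point above (not part of the original lesson): a small Python check that tells whether the certificate a client receives was re-issued by the expected inspection CA, so an administrator can confirm that inspected traffic really carries the corporate CA and not some unknown issuer. The inspection CA common name and both sample certificates are constructed placeholders in the shape `ssl.SSLSocket.getpeercert()` returns, and the live helper assumes a PEM bundle that contains the inspection CA.

```python
import socket
import ssl

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
# A leaf certificate as re-issued by a hypothetical FortiGate inspection CA:
INSPECTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "FortiGate CA (placeholder)"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
# The same site reached without inspection, signed by a (constructed) public CA:
DIRECT_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Public CA Ltd"),),
               (("commonName", "Public CA Ltd TLS Issuer"),)),
    "subjectAltName": (("DNS", "www.example.com"),),
}

def rdn_to_dict(name):
    # getpeercert() encodes a name as a tuple of RDNs, each a tuple of (attr, value)
    return {attr: value for rdn in name for attr, value in rdn}

def classify(cert, hostname, inspection_ca_cn):
    """'inspected' when the leaf was re-signed by the expected inspection CA,
    'direct' when it was not, 'mismatch' when the certificate is not for hostname."""
    sans = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    if hostname not in sans:
        return "mismatch"
    issuer = rdn_to_dict(cert["issuer"])
    return "inspected" if issuer.get("commonName") == inspection_ca_cn else "direct"

def classify_live(host, inspection_ca_cn, cafile=None, port=443):
    """Connect and classify the certificate actually presented. The context
    must trust the inspection CA (cafile), otherwise the handshake fails, which
    is the same trust requirement the lesson describes for the browser."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return classify(tls.getpeercert(), host, inspection_ca_cn)
```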

In fact, HTTPS inspection is rather complicated and has many limitations, but we will not consider them within this course. I will only add that implementing HTTPS inspection is not a matter of minutes; it usually takes about a month. You need to collect information about the necessary exceptions, make the appropriate settings, gather feedback from users, and adjust the settings.

The above theory, as well as the practical part, are presented in this video lesson:

In the next lesson, we will look at other security profiles: antivirus and intrusion prevention. In order not to miss it, stay tuned for updates on the following channels:

Source: habr.com
