One of the jobs of a firewall is controlling access at the system-administrator level. Within the FortiGate lineup, you can control which interfaces allow http, https, ssh, snmp, icmp or telnet. These are all management-type services or protocols.
To allow just ssh and ping on the interface named wan1, deploy the following configuration:
config system interface
    edit "wan1"
        set vdom "root"
        set dhcp-relay-type ipsec
        set ip 12.212.22.77 255.255.255.0
        set allowaccess ping ssh        <---- here
        set ident-accept enable
        set type physical
        set alias "WAN public uplink"
    next
end
You can selectively set which services you allow per interface. On my DMZ interface I have the following (https, ssh and snmp):
config system interface
    edit "dmz"
        set vdom "root"
        set dhcp-relay-type ipsec
        set ip 192.168.11.1 255.255.255.192
        set allowaccess ping https ssh snmp
        set ident-accept enable
        set type physical
        set alias "DMZ main"
    next
end
Now let's look at some useful tricks within the administrator settings. You can define time-based schedules for when a particular "admin" can actually log in.
First you create a firewall recurring schedule, then you apply it to the individual administrator account.
config firewall schedule recurring
    edit "always"
        set day sunday monday tuesday wednesday thursday friday saturday
    next
    edit "WORKWEEK"
        set day monday tuesday wednesday thursday friday
        set end 17:00
        set start 09:00
    next
    edit "MAINT-WINDOW1"
        set day tuesday thursday
        set end 03:00
        set start 01:00
    next
end
Alternatively, you can create one-time schedules in a similar fashion. These are great for single use or for restricting a contractor's access.
config firewall schedule onetime
    edit "MYBLOGken"
        set end 18:00 2014/12/26
        set start 17:00 2014/12/26
    next
end
The schedule above is then applied in the administrator configuration:
config system admin
    edit kfelix
        set schedule MYBLOGken
        set vdom root
        set accprofile super_admin
    next
end
So now the user "kfelix" is bound by the schedule, whether it's one-time or recurring. This is great for tech-support access or for a contractor who has a window for conducting his/her work.
I use the one-time schedule a lot so I can configure and forget. I know that after the time window has expired, the user will not have any further access. Just be very careful about the access you give the user and how you deploy schedules: you don't want a super_admin account to have the ability to reconfigure his/her own schedule.
If the user tries to log in outside the scheduled time window, he/she will be rejected:
Next, let's look at admin profiles. These can create confusion, but they increase the granularity you can offer for administrator access.
Admin profiles are great for assigning read-only access, or for allowing limited read/write functions within the profile that you assign to the admin. You can only ASSIGN one profile per user account, but you can define numerous account profiles, known as "accprofiles".
Here's a sample of the options in a profile configuration as shown in the WebGUI:
You control the items above and then apply the profile to the users you choose. The profile below is what I allow my security ops team to use, to look at system statistics alone.
You can set administrator profiles to be global or per-VDOM:
config system accprofile
    edit "tvdom1"
        set scope vdom        <--- HERE
        set sysgrp read
        set netgrp read
        set loggrp read
        set wifi read
    next
end
Okay, for the grand finale: an ipv4 or ipv6 trusthost can be applied to each specific user account. This allows you to grant remote users access based on their source IP address.
Look at the following examples for the users:
config system admin
    edit "user1"
        set trusthost1 10.10.80.12 255.255.255.255
        set accprofile "myadmingroup1"
        set vdom "root"
        set password blahblahblah
    next
    edit "user21"
        set trusthost1 10.10.80.12 255.255.255.255
        set trusthost2 10.10.90.0 255.255.255.0
        set accprofile "myadmingroup1"
        set vdom "root"
        set password blahblahblah
    next
    edit "socuser1"
        set trusthost1 10.10.80.12 255.255.255.255
        set trusthost2 10.10.90.0 255.255.255.128
        set trusthost3 73.26.220.1 255.255.255.255
        set trusthost4 10.10.0.0 255.255.255.248
        set accprofile "mysocusers"
        set vdom "root"
        set password blahblahblah
    next
    edit "socuser"
        set accprofile "limited"
        set vdom "root"
        set password blahblahblah
    next
end
All of the above users except "socuser" will be matched on the L3 source address. If you don't match a trusthost address or range, your login will not succeed. In all cases the profile named in set accprofile <name> will be applied for each user.
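As an added example (not part of the original post, and not Fortinet's code), here is a small Python audit that parses FortiOS-style config text and checks the three controls discussed above: unencrypted management protocols in allowaccess, admins with no trusthost, and super_admin accounts with no login schedule. The sample config is constructed for this example and modelled on the post's snippets; the parser assumes only config/edit/set/next/end lines, as in those snippets.

```python
# Constructed sample in FortiOS CLI syntax, modelled on this post's snippets (not a real device).
SAMPLE = """
config system interface
    edit "wan1"
        set allowaccess ping ssh http telnet
    next
end
config system admin
    edit "kfelix"
        set schedule "MYBLOGken"
        set accprofile "super_admin"
        set trusthost1 10.10.80.12 255.255.255.255
    next
    edit "contractor"
        set accprofile "super_admin"
    next
end
"""

def parse_fortios(text):
    """Turn config/edit/set/next/end blocks into {table: {entry: {key: [values]}}}."""
    stack = [{}]                                   # stack[-1] is the block being filled
    for raw in filter(str.strip, text.splitlines()):
        parts = [p.strip('"') for p in raw.split()]
        verb, args = parts[0], parts[1:]
        if verb in ("config", "edit"):             # open a nested block
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif verb == "set":                        # attribute with one or more values
            stack[-1][args[0]] = args[1:]
        elif verb in ("next", "end"):              # close the current block
            stack.pop()
    return stack[0]

def cleartext_interfaces(tree):
    """[(interface, protocol)] for every unencrypted management protocol in allowaccess."""
    return [(name, proto)
            for name, attrs in tree.get("system interface", {}).items()
            for proto in attrs.get("allowaccess", []) if proto in ("http", "telnet")]

def audit_admins(tree):
    """Per admin: no trusthost at all, or super_admin with no login schedule."""
    findings = {}
    for name, attrs in tree.get("system admin", {}).items():
        issues = []
        if not any(k.startswith(("trusthost", "ip6-trusthost")) for k in attrs):
            issues.append("no trusthost: login accepted from any source address")
        if attrs.get("accprofile") == ["super_admin"] and "schedule" not in attrs:
            issues.append("super_admin with no login schedule")
        findings[name] = issues
    return findings
```

On a real unit, feed it the output of show system interface and show system admin; an empty issue list means the admin has both a trusthost and, for super_admin, a schedule.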
Hands down, the Fortinet security appliance offers flexibility in its access controls. No other security firewall product allows controls to this degree.
Key points to take away:
- by applying administrator account profiles, you can control advanced read/write access to various system objects (firewall policies, logs, system information, IPS, etc.)
- schedules can be crafted but must be applied at the CLI level for users (by default no schedule is applied, or the general anytime/always schedule is applied)
- trusthosts or ip6-trusthosts (ipv4/ipv6) can really help control access at the network layer (based on source)
With time-based schedules, make sure you use NTP and ensure that your firewall is NTP-synchronized. You can use the get system status and diag sys ntp commands to validate the time and whether NTP time-sync is enabled.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( * * )=
o
/ \