Fine-tuning & best practices : Hardening security
 
Hardening security
This section lists tips to further enhance security.
Topology
To protect your servers, install the FortiADC appliance or appliances between the servers and a general purpose firewall such as a FortiGate. FortiADC complements, and does not replace, general purpose firewalls.
Make sure web traffic cannot bypass the FortiADC appliance in a complex network environment.
Disable all network interfaces that should not receive any traffic.
For example, if administrative access is typically through port1, the Internet is connected to port2, and servers are connected to port3, you would disable (“bring down”) port4. This would prevent an attacker with physical access from connecting a cable to port4 and thereby gaining access if the configuration inadvertently allows it.
Administrator access
As soon as possible during initial FortiADC setup, give the default administrator, admin, a password. This super-administrator account has the highest level of permissions possible, and access to it should be limited to as few people as possible.
Change all administrator passwords regularly. Set a policy — such as every 60 days — and follow it. (Mark the Change Password check box to reveal the password dialog.)
Instead of allowing administrative access to the FortiADC appliance from any source, restrict it to trusted internal hosts. See “Trusted hosts”. On the computers that you have designated for management, apply strict patch and security policies. Always password-encrypt any FortiADC configuration backup that you download to those computers, so that an attacker who compromises one of them learns as little as possible from the backup.
Do not use the default administrator access profile for all new administrators. Create one or more access profiles with limited permissions tailored to the responsibilities of the new administrator accounts. See “Restricting permissions”.
By default, an administrator login that is idle for more than 30 minutes times out. You can change this to a longer period in Timeout, but Fortinet does not recommend it. Left unattended, a web UI or CLI session could allow anyone with physical access to your computer to change FortiADC settings. Small idle timeouts mitigate this risk.
Administrator passwords should be at least 8 characters long and include both numbers and letters.
Figure 17: Strengthening the idle timeout (System > Admin > Settings)
Restrict administrative access to a single network interface (usually port1), and allow only the management access protocols needed.
Figure 18: Restricting accepted administrative protocols in the Edit Interface dialog (System > Network > Interface)
Use only the most secure protocols. Disable PING, except during troubleshooting. Disable HTTP, SNMP, and TELNET unless the network interface only connects to a trusted, private administrative network. See “Configuring the physical network interfaces”.
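The checks above (unused interfaces brought down, a single management interface, no PING/HTTP/SNMP/TELNET on management interfaces, a short idle timeout, trusted hosts on every administrator, and an 8-character alphanumeric password minimum) are easy to forget on a device that many people administer. The following Python script is an added example, not code from the FortiADC documentation or from Fortinet: it audits a configuration backup against those rules. It assumes a FortiOS-style `config / edit / set / next / end` text layout and assumed key names (`allowaccess`, `admintimeout`, `trusthost1`, `status`, `ip`) chosen for illustration; the sample configuration embedded in it is constructed, and the "unused interface" rule is a heuristic (status up with no IP address and no management access).

```python
import re
from typing import Dict, List

# Constructed sample configuration in a FortiOS-style layout. The key names
# below are assumptions for illustration, not taken from FortiADC documentation.
SAMPLE_CONFIG = """\
config system global
    set admintimeout 480
end
config system interface
    edit "port1"
        set ip 10.0.10.1 255.255.255.0
        set allowaccess https ssh ping
        set status up
    next
    edit "port2"
        set ip 203.0.113.1 255.255.255.0
        set allowaccess http https telnet
        set status up
    next
    edit "port3"
        set ip 10.0.30.1 255.255.255.0
        set status up
    next
    edit "port4"
        set status up
    next
end
config system admin
    edit "admin"
        set trusthost1 10.0.10.0 255.255.255.0
    next
    edit "ops"
    next
end
"""

# Protocols the page says to disable on anything but a trusted private network.
INSECURE_PROTOCOLS = {"http", "telnet", "snmp", "ping"}
MAX_IDLE_MINUTES = 30  # the default idle timeout the page recommends keeping

def parse_config(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Parse the config text into {section: {entry: {key: value}}}.
    Settings that sit directly under 'config' (no 'edit') use entry name ''."""
    sections: Dict[str, Dict[str, Dict[str, str]]] = {}
    section = None
    entry = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            sections.setdefault(section, {})
            entry = ""
        elif line.startswith("edit ") and section is not None:
            entry = line[len("edit "):].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and section is not None:
            key, _, value = line[len("set "):].partition(" ")
            sections[section].setdefault(entry, {})[key] = value
        elif line == "next":
            entry = ""
        elif line == "end":
            section, entry = None, ""
    return sections

def audit(config: Dict[str, Dict[str, Dict[str, str]]]) -> List[str]:
    """Return one finding per violation of the hardening rules on this page."""
    findings: List[str] = []
    timeout = int(config.get("system global", {}).get("", {})
                  .get("admintimeout", MAX_IDLE_MINUTES))
    if timeout > MAX_IDLE_MINUTES:
        findings.append(f"admintimeout {timeout} min exceeds {MAX_IDLE_MINUTES} min")
    mgmt_ifaces: List[str] = []
    for name, attrs in config.get("system interface", {}).items():
        protocols = set(attrs.get("allowaccess", "").split())
        if protocols:
            mgmt_ifaces.append(name)
        for proto in sorted(protocols & INSECURE_PROTOCOLS):
            findings.append(f"{name}: insecure management protocol {proto} enabled")
        # Heuristic: an interface that is up but carries no address and no
        # management access is probably unused and should be brought down.
        if not protocols and "ip" not in attrs and attrs.get("status", "up") == "up":
            findings.append(f"{name}: unused interface is up; bring it down")
    if len(mgmt_ifaces) > 1:
        findings.append("management access enabled on multiple interfaces: "
                        + ", ".join(mgmt_ifaces))
    for name, attrs in config.get("system admin", {}).items():
        if not any(re.fullmatch(r"trusthost\d+", key) for key in attrs):
            findings.append(f"admin {name}: no trusted hosts configured")
    return findings

def password_meets_policy(password: str) -> bool:
    """At least 8 characters containing both letters and digits, as the page requires."""
    return (len(password) >= 8
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))

if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run against a real backup, the parser only needs the `config`/`edit`/`set` lines to follow the same layout; the thresholds and protocol set at the top are the policy knobs. Because the unused-interface rule is a heuristic, treat its findings as a review list rather than an automatic action.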
Immediately revoke certificates that have been compromised. If possible, automate the distribution of certificate revocation lists (see “Revoking certificates”).