How does a FortiGate protect your network?
The FortiGate firewall protects your network by combining its various components to build a wall, or access control point, so that anyone who is not supposed to be on your network is prevented from reaching it in any way other than those you have approved. It also protects your network from itself, by blocking traffic that should not be allowed and by optimizing the flow of traffic so the network is protected from congestion that would otherwise impede it.
Most people have at one time or another played with a child’s toy system made up of interlocking blocks. The blocks come in different shapes and sizes so you can build structures to suit your needs. The components of the FortiGate firewall are similar. You are not forced to use all of the blocks all of the time; you mix and match them to get the results you are looking for. You can build a very basic structure whose only function is to direct traffic in and out to the correct subnets. You can build a fortress that only allows specific traffic to or from specific hosts at specific times of day, and only when pre-approved credentials have been provided. You can also require that all of the traffic be encrypted, so that even when the traffic is out on the Internet it is private from the world. Just like the interlocking blocks, what you build is up to you, but chances are that if you put them together the right way there isn’t much that can’t be built.
Here is one example of how the components could be put together to support the requirements of a network infrastructure design.
- Off the internal interface you could have separate VLANs, one for each of the Sales, Marketing and Engineering departments, so the traffic from the users on one VLAN does not intrude upon the hosts of the other VLANs and each department is isolated from the others for security reasons.
- To ease administration, each of the VLAN sub-interfaces is made a member of a zone, so security policies that apply to all hosts on all the VLANs can be applied to all of them at once.
- Using the addresses component, each of the IP address ranges could be assigned a user-friendly name so they could be referred to individually. For policies that would refer to them all as a whole, the individual ranges can be made members of an address group.
- Firewall schedules could be created to address the differing needs of each of the groups so that Sales and Marketing could be allowed access to the Internet during regular business hours and the Engineering department could be allowed access during the lunch break.
- By setting up the outgoing policies to use FortiGuard Web Filtering, employees could be prevented from visiting inappropriate sites, thus enforcing the policies of the HR department.
- A couple of virtual IP addresses with port forwarding could be configured to allow users on the Internet access to a web server on the DMZ subnet using the company’s only public IP address. This would not affect the traffic that goes to the company’s mail server hosted on a completely different computer.
- Even though the web server on the same DMZ has an FTP service to allow the Marketing and Engineering teams to upload web pages to it, placing a DENY policy on any FTP traffic from the Internet prevents malicious users from abusing the FTP service.
- By monitoring the traffic as it goes through the policies, you can verify that the policies are in working order.
- By using a combination of ALLOW and DENY policies and placing them in the correct order, you could arrange for an outside contractor to be allowed to update the web site as well.
This list of possible configurations is not exhaustive, but it does give an idea of how different components can be mixed and matched to build a configuration that meets an organization’s needs and at the same time protects it from security risks.
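As an added example, not taken from the Fortinet documentation, the FortiOS CLI fragment below sketches part of the scenario in the list: the port-forwarding virtual IP for the DMZ web server, the FTP DENY policy ordered above the web ACCEPT policy, and a schedule-bound, web-filtered outbound policy for the Sales and Marketing VLANs. The interface names (wan1, dmz), the addresses (203.0.113.10, 10.30.30.10) and the object names (internal-zone, sales-net, marketing-net, business-hours) are assumptions, and the zone, address objects and recurring schedule are assumed to have been created already.

```fortios
# Constructed example: object and interface names are assumptions, not defaults.
config firewall vip
    edit "web-server-vip"
        set extintf "wan1"
        set extip 203.0.113.10        # the company's single public address
        set mappedip "10.30.30.10"    # web server on the DMZ subnet
        set portforward enable
        set extport 80                # only HTTP is forwarded to the server
        set mappedport 80
    next
end
config firewall policy
    # Policies are matched top-down: the FTP deny must sit above the accept.
    edit 1
        set name "deny-ftp-from-internet"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "web-server-vip"
        set service "FTP"
        set schedule "always"
        set action deny
        set logtraffic all            # log hits so abuse attempts are visible
    next
    edit 2
        set name "allow-http-to-web-server"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "web-server-vip"
        set service "HTTP"
        set schedule "always"
        set action accept
    next
    edit 3
        set name "sales-marketing-web-access"
        set srcintf "internal-zone"   # zone holding the department VLAN sub-interfaces
        set dstintf "wan1"
        set srcaddr "sales-net" "marketing-net"
        set dstaddr "all"
        set service "HTTP" "HTTPS"
        set schedule "business-hours" # assumed recurring schedule, weekdays only
        set action accept
        set utm-status enable
        set webfilter-profile "default"   # FortiGuard web filtering
        set logtraffic all            # needed to verify the policy is doing its job
    next
end
```

Because the VIP forwards only port 80, FTP to the public address would already fail to match a forwarding rule; keeping the explicit, logged deny above the accept makes that intent visible in the policy table and in the traffic logs rather than relying on the implicit drop.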