Network Security
Sven Sanders
Guest lecture 19/4: Peter Van Hemlryck, Fortinet FortiGate firewall + practical examples
  Assignment: 3 lessons learned
  - What do you consider important/relevant to remember?
  - What may be asked on the exam?
  - Hand in on one A4 sheet, immediately after the guest lecture
  - The content is part of the course material (your own summary)
Lessons learned: encryption
  - Symmetric vs asymmetric encryption: one secret key vs a public/private key pair
  - Trade-off: speed vs ease of key exchange
  - An SSL connection uses the strengths of both: asymmetric encryption to exchange the symmetric key, symmetric encryption for the data exchange
  - Certificates confirm the identity of the owner of a public key
  - Chain of trust
VPN
VPN
  - A secure connection over an insecure network, achieved by applying encryption
  - Types: site-to-site, dial-in; IPsec, SSL
IPsec
  - Build a tunnel
  - Confidentiality: encrypt the data
  - Integrity: message authentication
  - Authentication: PSK or certificate
  - Anti-replay: sequence numbering
  - Tunnel mode vs transport mode
  - ESP vs AH
IPsec: Internet Key Exchange (IKE)
  - Phase 1: secure channel using DH; authentication; set up a secure channel with symmetric encryption; aggressive or main mode
  - Phase 2: set up the tunnel for the data; DH and symmetric encryption of the data; perfect forward secrecy; lifetime
Route-based site-to-site VPN
  - Alternative: policy-based (not on Palo Alto, but possible at the other tunnel endpoint)
  [Diagram: IPsec tunnel over Tunnel.1 between the sites 192.168.10.0/24 and 10.2.0.0/24; outside interfaces Ethernet 1/3 and Ethernet 1/8 with public addresses 24.1.1.12 and 161.10.12.64; routing table entry: 10.2.0.0/24 > Tunnel.1]
VPN configuration
  - Create a tunnel interface
  - Configure the IPsec tunnel:
    - IPsec tunnel
    - IKE gateway
    - Crypto profiles
  - Add a static route
Tunnel interface (Network > Interfaces > Tunnel)
  - Tunnel identifier
  - An address is only needed if IP traffic must flow between the tunnel endpoints themselves, in particular for a routing protocol and the tunnel monitor
IKE gateway (Network > Network Profiles > IKE Gateways)
IKE gateway
  - In passive mode the firewall does not start the negotiation itself
IKE cryptographic profile (Network > Network Profiles > IKE Crypto)
  - Asymmetric key exchange
  - Symmetric bulk data encryption
  - Authentication: supports md5, sha1, sha256, sha384, sha512
IPsec tunnel (Network > IPSec Tunnel)
  - IKE gateway
  - Phase 2 crypto proposal
  - Tunnel monitoring, to confirm route validity (only if the tunnel interface has been configured with an IP address)
IPsec cryptographic profiles (Network > Network Profiles > IPSec Crypto)
  - Asymmetric key exchange: DH Group 1, 2, 5, 14 or no-pfs
  - Selecting a DH group enables PFS
IPsec tunnel (Network > IPSec Tunnel)
  - Proxy IDs: override the default proxy ID
Static route
  - Tunnel interface as the exit interface
  - The next hop is not important
Troubleshooting
  Issue                      Initiator error      Responder error
  Wrong IP / no connection   P1 - Timeout         P1 - Timeout
  No matching P1 proposal    P1 - Timeout         No suitable proposal (P1)
  Mismatched peer ID         P1 - Timeout         Peer identifier does not match
  No matching P2 proposal    No proposal chosen   No suitable proposal (P2)
  PFS group mismatch         P2 - Timeout         PFS group mismatch
  Mismatched proxy ID        P2 - Timeout         Cannot find matching phase-2 tunnel
Log messages (system log)
  peer identifier (type fqdn [bad.peer]) does not match remote Remote2.
    - "Remote2": name of the local phase 1 IKE gateway object
    - "bad.peer": the remote side's phase 1 peer configuration (the peer ID it sent)
  IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: 192.168.41.1/24 type IPv4_subnet protocol 0 port 0, received remote id: 192.168.42.1/24 type IPv4_subnet protocol 0 port 0.
    - "received local id": the local proxy ID from the other side
    - "received remote id": the remote proxy ID from the other side
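A small triage helper for the troubleshooting table and the log messages above, added here as an example (it is not from the slides or from Palo Alto): it classifies system-log lines by the error strings in the table and, for a proxy-ID mismatch, swaps the received IDs into the values the local Proxy ID settings would have to contain. The sample log lines are constructed, using the two messages on the slide plus the table's wording.

```python
import re

# (substring to look for, IKE phase, issue from the troubleshooting table);
# responder messages are specific, the initiator usually only sees a timeout.
RULES = [
    ("peer identifier", 1, "Mismatched peer ID"),
    ("no suitable proposal (p1)", 1, "No matching P1 proposal"),
    ("no suitable proposal (p2)", 2, "No matching P2 proposal"),
    ("no proposal chosen", 2, "No matching P2 proposal"),
    ("pfs group mismatch", 2, "PFS Group mismatch"),
    ("cannot find matching phase-2 tunnel", 2, "Mismatched proxy ID"),
    ("p1 - timeout", 1, "Wrong IP, P1 proposal or peer ID (check the responder)"),
    ("p2 - timeout", 2, "PFS group or proxy ID (check the responder)"),
]
PEER_ID_RE = re.compile(r"peer identifier \(type \w+ \[(?P<peer>[^\]]+)\]\) does not match remote (?P<gw>\S+)")
PROXY_ID_RE = re.compile(r"received local id: (?P<local>\S+) type \S+ protocol \d+ port \d+,"
                         r" received remote id: (?P<remote>\S+) type")

def classify(message):
    """Return a finding dict for a known IKE failure message, else None."""
    text = message.lower()
    for needle, phase, issue in RULES:
        if needle not in text:
            continue
        finding = {"phase": phase, "issue": issue}
        m = PEER_ID_RE.search(message)
        if m:  # which local IKE gateway object rejected which received peer ID
            finding.update(gateway=m.group("gw").rstrip("."), peer_id=m.group("peer"))
        m = PROXY_ID_RE.search(message)
        if m:  # the peer's local proxy ID must equal our remote proxy ID, and vice versa
            finding.update(expected_local_proxy_id=m.group("remote"), expected_remote_proxy_id=m.group("local"))
        return finding
    return None

def triage(log_lines):
    """One finding per line that matches a known failure; other lines are skipped."""
    return [f for f in map(classify, log_lines) if f]

# Constructed sample: the two messages shown on the slide, two lines using the
# table's wording, and one unrelated line that must be ignored.
SAMPLE_LOG = [
    "peer identifier (type fqdn [bad.peer]) does not match remote Remote2.",
    "IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel "
    "for received proxy ID. received local id: 192.168.41.1/24 type IPv4_subnet protocol 0 port 0, "
    "received remote id: 192.168.42.1/24 type IPv4_subnet protocol 0 port 0.",
    "IKE phase-1 negotiation failed: no suitable proposal (P1).",
    "IKE phase-2 negotiation failed: PFS group mismatch.",
    "interface ethernet1/3 link up",
]
```

Calling triage(SAMPLE_LOG) yields four findings; the proxy-ID finding tells you the local tunnel needs local proxy ID 192.168.42.1/24 and remote proxy ID 192.168.41.1/24 to match what the peer sent.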
GlobalProtect
GlobalProtect
  - Dial-in VPN solution
  - (+) Host Information Profile (HIP): access can also be restricted based on AV, OS patches, disk encryption
Components
  [Diagram: Portal, several Gateways and the GP Agent; the arrow labels survive only as fragments (client info, secure VPN, config)]
Connection setup
Determining internal vs external
  [Diagram: the client performs a reverse DNS lookup; one client reaches the internal DNS server, the other the external DNS server]
Agent installation
  - Download the client from the firewall portal
Simple topology: single GlobalProtect gateway/portal
Advanced topology
  [Diagram: one GlobalProtect Portal and several GlobalProtect Gateways, each terminating its own VPN]
Large-scale VPN
Configuration
Certificates
  - CA certificate (optional: self-signed or external CA)
  - GlobalProtect portal certificate
  - GlobalProtect gateway certificate (manually on all gateways)
  - Optional: client certificate
GlobalProtect portal (Network > GlobalProtect > Portals)
  - Interface hosting the portal
  - Profiles and certificates are created in advance
  - Pages are loaded in Device > Response Pages
GlobalProtect portal (Network > GlobalProtect > Portals)
  - CA certificate
Client configuration: general
  - If the hostname resolves to the IP address, the internal gateway is used
Connection methods
Client configuration: users
  - Default: any
Client configuration: gateways
Client configuration: agent tab
  - View the Troubleshooting tab in the agent
  - Upgrade options
  - Client VPN interfaces that take precedence over the GlobalProtect interface
GlobalProtect gateway (Network > GlobalProtect > Gateways)
GP gateway: tunnel (Network > GlobalProtect > Gateways > Client Configuration)
  - The IPsec tunnel option is the default; to make SSL the primary method, uncheck this box
  - Required for IPsec client connections
GP gateway: user
GP gateway: network settings (Network > GlobalProtect > Gateways > Client Configuration > Network Settings)
  - IP addresses distributed to clients
  - Routes installed on clients for the VPN connection; 0.0.0.0/0 forces all client traffic through the tunnel
GP gateway: network services (Network > GlobalProtect > Gateways > Client Configuration > Network Settings)
  - Available in tunnel mode
GlobalProtect agent
  - Can be left blank if using single sign-on
  - Do not include HTTP:// or HTTPS:// in the portal name!
  - Manual gateway selection