Fortinet Recommended Security Best Practices


Fortinet Recommended Security Best Practices, V1.2, February 2018

Table of Contents

1. What is the Security Fabric?
2. What is the Security Rating Feature?
3. Why would I use this Feature?
   3.1 Security Rating Model
   3.2 Security Rating Feature Common Use Cases
4. Recommended Security Best Practices
5. Appendix A: Security Rating Model

Version history

April 2017: V1.0 Initial security checks available with FortiOS 5.6.0.
February 2018: V1.2 Renamed Security Fabric Audit to Security Rating. Added a new security category - SH09 Access Control and Authentication. Security checks available with FortiOS 6.0.0.

1 What is the Security Fabric?

The Security Fabric provides an intelligent architecture that interconnects discrete security solutions into an integrated whole to detect, monitor, block, and remediate attacks across the entire enterprise surface area.

2 What is the Security Rating Feature?

The Security Fabric gives a 360 degree continuous view of assets, networks and data movement within the organization. With dynamic business changes and increasing demand from on-net/off-net devices, IoT and other applications, organizations need a method to continuously monitor the effectiveness of their Security Fabric configuration.

The Security Rating feature provides a method to continually take a pulse of the current security posture, compare against industry peers, and assess the effectiveness in managing security risks to critical networks and enterprise assets.

3 Why would I use this Feature?

As the complex enterprise network shifts to meet evolving business needs, configurations and policies need to be dynamically changed and enforced. As a result, security measures and countermeasures need to be provisioned and tuned rapidly, which adds to the ongoing pressure on network and security teams. Inevitably, errors and misconfigurations are introduced, which fail to provide the trust and assurance that critical assets are being protected.

Based on Security Best Practices and Standards, the capabilities of the Security Fabric can be further leveraged through the Security Rating feature. This feature provides a mechanism to continually assess the Security Fabric, validate that configurations are working effectively, and provide awareness of risks and vulnerabilities which may impact daily business operations.

The diagram below shows the security rating reporting process flow. The Security Rating checks are performed on the Security Fabric enabled network and provide scoring and recommendations to operations teams. The Score Card can be used to gauge adherence to various internal and external organizational policy, standards and regulation requirements, and ranking against industry peers through the FortiGuard Security Rating Service.

Key features

- Provides up to date risk and vulnerability data in the context of what is important to the business.
- Network and security teams can coordinate and prioritize fixes in a timely manner.
- As Security Fabric features and security audit checks are updated to match evolving vulnerability exploits and attacks, Security and Network teams can identify opportunities to improve systems configurations and automate processes. This results in improved network and security operations.
- Helps to keep pace with evolving compliance and regulatory standards.
- Provides a ranking against industry peers through the FortiGuard Security Rating Service.

[Diagram: Security Rating reporting process flow. Labels recovered from the figure: Industry Standards & Practices; Security Fabric; Security Configuration Check (repeat as required); FortiGuard Security Rating Service; Scorecard and industry ranking; IT/Security Teams; Risk and Vulnerability Assessment; Security Best Practices; OT Business Continuity Requirements; Enterprise Security Compliance Requirements; External Regulatory Compliance; Security Policy Requirements.]

3.1 Security Rating Model

The Security Rating Model depicted in Appendix A illustrates how industry-standard based Security Checks can guide customers towards achieving their target security posture. Using this integrated security controls framework, customers can tailor security checks to suit their unique security, risk and compliance goals.

Value to the Business

- Keeps customers on track with respect to their Security Roadmap and Target Security Maturity level.
- Provides Measurable and Meaningful feedback in the form of actionable Configuration Recommendations, and Key Performance/Risk Indicators.
- Helps build Senior Management Confidence by demonstrating effective business asset protection.

Value to Additional Critical Processes

This structured approach for configuration monitoring and tuning brings value to additional critical processes.

- Supports quicker Incident Response and Remediation decisions in data breach situations.
- The status of 3rd party asset compliance can be monitored to ensure they are adhering to Enterprise Security Policies.
- Risk management teams can pro-actively monitor the status of security controls against compliance and regulatory standards.
- Brings value to Operations Teams (OT), through early awareness of potentially non-compliant assets, unstable system configuration states, and data flow anomalies.

3.2 Security Rating Feature Common Use Cases

The Security Rating Feature helps deal with complex demands common across many customers.

Use Case #1: Security Configuration Self-Assessment

Goal: NOC/SOC teams need an ongoing technical view and risk impact of configuration issues and vulnerabilities that could lead to breaches and service disruption.

How this is achieved:
1. From a single pane, the entire Security Fabric configuration can be assessed.
2. Identifies configuration weaknesses in the Security Fabric and guides best practice recommendations.

Use Case #2: Security Assurance - CISO Dashboard

Goal: The CISO needs to answer the tough questions Senior Management and the Board are asking. The CISO needs an overall sense of how well critical business assets are protected.

How this is achieved:
1. Highlights the effectiveness of security investments.
2. Provides an indicator of security posture against industry peers.

Use Case #3: Audit and Compliance

Goal: Provide the Auditor with irrefutable evidence that the network is designed and operating according to required standards, and can allow them to confidently attest that business data is protected.

How this is achieved:
1. Integrated Security and Compliance Framework, based on industry-wide accepted standards.
2. Bridges the gap between technical configurations and audit control requirements.
3. Customizable security checks against specific security and regulatory standards.
4. Generate audit-ready reports for senior management and IT auditors.

4 Recommended Security Best Practices

These practices and standards are intended to be a trusted source to guide customers to design, implement and continually maintain a target Security Fabric security posture suited for their organization. The Security Fabric is fundamentally built on security best practices. By running these security checks, security teams will be able to identify critical vulnerabilities and configuration weaknesses in their Security Fabric setup, and implement best practice recommendations.

The following security category checks are currently available as of the release of FortiOS 6.0.0. Additional security checks and associated recommendations will be added with future FortiOS releases.

FIRMWARE AND SUBSCRIPTIONS (FS)

Maintaining the latest software, firmware and updates on systems ensures the network is operating effectively and maintains the organization's target security posture. Performing regular system configuration checks and updates allows optimal performance of the network and security devices' intended functions.

Each check below is listed by its FSBP ID (Fortinet Security Best Practices), followed by the Security Control, the Testing Procedures and the Guidance.

FS01: Compatible Firmware
Security Control: Ensure that the latest compatible software and firmware is installed on all members of the Security Fabric.
Testing Procedures:
- From the Security Fabric root, verify that all firewalls in the Security Fabric are running a version of firmware that is compatible with the Security Fabric root.
- From the Security Fabric root, verify that all access layer devices (Wireless & Switch) are running a version of firmware that is recommended for the firewall that they are managed by.
Guidance:
- For any firewalls in the Security Fabric which are not running a version of firmware compatible with the Security Fabric root, upgrade them to a version of firmware that is compatible with the Security Fabric root.
- For any access layer devices in the Security Fabric which are not running the recommended version of firmware, upgrade them to the recommended version of firmware.
- Use the published Security Fabric document to validate compatible firmware versions.

FS02: Vendor Support
Security Control: Ensure a current support contract with the vendor is in place to obtain the latest security notifications, updates and configuration management best practices.
Testing Procedures:
- From the Security Fabric root, verify that every firewall in the Security Fabric has a valid support contract and is registered with the vendor.
- From the Security Fabric root, verify that every firewall in the Security Fabric has a valid subscription to receive anti-malware and threat security check updates.
Guidance: If any firewalls in the Security Fabric don't have a valid support/subscription contract or aren't registered with the vendor, then contact the vendor support center to renew/update the support and subscription contracts.

NETWORK DESIGN AND POLICIES (ND)

Design a business and risk driven network security architecture to ensure that only authorized business users and traffic are permitted to access network resources. Configuration design should take into account enterprise security and compliance requirements, as well as industry accepted standards for enterprise security.

ND01: Unauthorized access layer devices
Security Control: All access layer devices such as wireless access points and network switches should be identified and validated. Unauthorized devices should be immediately disabled.
Testing Procedures: From the Security Fabric root, verify that every access layer device detected behind a firewall in the Security Fabric is authorized to communicate with the firewall, or explicitly disabled from doing so.
Guidance: Review the unauthorized access layer devices to determine if they should join the Security Fabric, and if so, authorize them from the Security Fabric root. For any unauthorized access layer devices which should not be part of the Security Fabric, explicitly disable them so that no communication takes place. Continue to log and monitor for unauthorized communication to the Security Fabric. Periodically review the logs for persistent traffic from unauthorized devices.

ND02: Secure Wireless Connections
Security Control: Wireless networks should not permit insecure protocols such as WEP or other less secure algorithms.
Testing Procedures: Future Release Implementation.
Guidance: Unsecured wireless communications are more susceptible to attacks than physical networks. An attacker need only be in the vicinity of a location with wireless access, and can use a variety of readily available and low cost tools to eavesdrop on wireless communications to extract sensitive system authentication or other critical corporate information.

ND03: Review unused policies
Security Control: All firewall policies should be reviewed every 3 months to verify the business purpose. Unused policies should be disabled and logged.
Testing Procedures: From the Security Fabric root, verify that every firewall in the Security Fabric has no configured policies which have not forwarded/blocked any traffic in the last 90 days.
Guidance: Review the policies to determine if they serve a valid business purpose. If not, remove and log the policies from the firewall. Each policy and log entry should include a business and technical owner. Review all policies on a quarterly basis, or monthly if frequent policy changes are required.

ND04: Segregation of Traffic
Security Control: Separate servers from end user devices.
Testing Procedures: From the Security Fabric root, verify that every firewall in the Security Fabric has no servers detected in a segment that also contains end user devices.
Guidance: End user devices should be separated from internal servers by placing them in a different segment from the server. Firewall interfaces should be labeled with a Security Profile and business purpose description. Publicly accessible servers should be placed behind an interface which is classified as "DMZ" to limit the inbound traffic to only those authorized servers.

ND05: VLAN Change Management
Security Control: VLAN changes should be updated to all firewalls in the Fabric.
Testing Procedures: From the Security Fabric root, identify any interfaces on a Security Fabric firewall that are directly connected to 3rd party switches.
Guidance: Any changes to internal VLAN configurations on 3rd party switches must be manually updated on any applicable firewalls in the Security Fabric. Updates can be automated by replacing the 3rd party switch with a FortiSwitch and attaching it to a suitable firewall through a dedicated switch management port. All VLAN and port assignments on that switch can be performed from within the Fabric and then updated to all firewall members.

ND06: Third Party Router & NAT Devices
Security Control: Third party router or NAT devices should be detected in the network.
Testing Procedures: From the Security Fabric root, identify third party router or NAT devices that are detected on any "LAN" or "DMZ" segments for every firewall in the Security Fabric.
Guidance: For any 3rd party router or NAT devices that are detected, ensure they are compatible with the Security Fabric in order to provide greater visibility and control of user and device traffic.

ND07: Device Discovery
Security Control: Ensure that all systems are detected and logged on internal networks, including DMZ.
Testing Procedures: From the Security Fabric root, verify that for every firewall in the Security Fabric, any network interfaces classified as "LAN" or "DMZ" have device identification enabled, so that network topology and device movement can be monitored and reported.
Guidance: For any "LAN" or "DMZ" segments which do not identify and log connected systems, update the configuration by enabling device detection on each interface of each member of the Security Fabric.

ND08: Interface Classification
Security Control: All network interfaces should be assigned a defined and configured classification based on the security risk profile of the segments and systems being protected.
Testing Procedures: From the Security Fabric root, verify that for every firewall in the Security Fabric, all network interfaces are classified as either "WAN", "LAN", or "DMZ".
Guidance: All interfaces should be defined according to the security profile desired for the protection of the systems placed behind them, and labeled according to the business function those systems serve. For each interface on each firewall in the Fabric, assign the appropriate security profile ("WAN", "LAN" or "DMZ") and label its business function using the Alias description.

ND09: Detect Botnet Connections
Security Control: Ensure all networks including wired and wireless access points are configured to detect Botnet activity, including any similar suspicious traffic entering and leaving the network.
Testing Procedures: From the Security Fabric root, verify that for every firewall in the Security Fabric, all network interfaces classified as "WAN" are configured to detect outgoing botnet connections.
Guidance: Enable the botnet detection and blocking of those Command and Control connections on the "WAN" interface to protect the endpoint and segment from being further compromised. Enable logging and monitoring on those interfaces, and review WAN traffic logs on a regular basis to look for suspicious patterns and external IP addresses.

ND10: Explicit Interface Policies
Security Control: Security policies should permit only authorized, least privilege and least required traffic to/from authorized systems.
Testing Procedures: From the Security Fabric root, verify that for every firewall in the Security Fabric, all configured firewall policies do not permit traffic to and from multiple interfaces.
Guidance: Firewall policies should be as explicit as possible when defining how traffic can flow through the firewall. Any policies that are configured with multiple source or destination interfaces should be broken up into individual policies which match specific traffic to and from single interfaces only.

ND11: Secure Remote Access
Security Control: All remote access, including site-to-site and personal VPN, should require at a minimum 2-Factor authentication.
Testing Procedures: Future Release Implementation.
Guidance: Remote connections initiated over untrusted networks are susceptible to eavesdropping, session hijacking and other credential stealing attacks. Along with strong encryption for sessions, VPN remote users and devices should use authentication means, such as tokens or digital certificates, in addition to username and password.

ND12: Double-NAT
Security Control: Identify if the Security Fabric is performing Network Address Translation multiple times on any traffic pathway.
Testing Procedures: Future Release Implementation.
Guidance: In the use case where an Internal Segmentation Firewall (ISFW) is deployed, both the ISFW and the Perimeter Firewall should consistently enforce security policies. Ensure the function, performance and security requirements of all business applications are met. Security policies depend on the data access and security classification requirements.

FABRIC SECURITY HARDENING (SH)

Vendor default configurations should be removed, including all default accounts, passwords and management settings. All unnecessary and insecure services and protocols should be disabled. Only business justified services and protocols should be permitted, logged and reviewed on a regular basis.

SH01: Unsecure Management Protocols
Security Control: All unsecure and non-business justified firewall management protocols should be removed.
Testing Procedures: From the Security Fabric root, verify that for every firewall in the Security Fabric, an administrator can connect and manage the firewall through encrypted protocols only.
Guidance: Disable any unsecure protocols such as TELNET or HTTP that are allowed for firewall management purposes. Limit the number of Management Interfaces on each firewall. Enable only secure encrypted management protocols such as HTTPS or SSH.

SH02: Change the Admin Account
Security Control: The default super admin and admin administrator accounts are well known administrator names. If this account is available it could be easier for attackers to access the FortiGate unit because they know they can log in with this name and only have to determine the password. You can improve security by changing this name to a more difficult one for an attacker to guess. Consider also only using the super admin account for adding or changing administrators. The less this account is used, the less likely that it could be compromised. You could also store the account name and password for this account in a secure location in case for some reason the account name or password is forgotten.
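Several of the ND and SH testing procedures above (SH01 encrypted-only management, ND07 device identification on LAN/DMZ interfaces, ND08 interface classification and alias, ND10 single-interface policies) can be evaluated offline against an exported FortiGate configuration. The following is an added example and not Fortinet's code or part of this document: it parses a small configuration excerpt constructed here in FortiOS CLI syntax (the `allowaccess`, `role`, `alias`, `device-identification`, `srcintf` and `dstintf` settings) and returns the findings for each control. The sample interfaces and policies are invented for illustration, and the parser assumes the flat `config`/`edit`/`set`/`next`/`end` shape shown; it does not handle nested sub-tables.

```python
"""Static checks over a constructed FortiOS-style configuration excerpt.

Added example, not Fortinet's code. Implements four testing procedures:
  SH01  management allowed over encrypted protocols only (no http/telnet)
  ND07  device identification enabled on LAN/DMZ interfaces
  ND08  every interface classified (wan/lan/dmz) and labelled with an alias
  ND10  no policy spans multiple source or destination interfaces
"""
import shlex

# Constructed sample in FortiOS CLI syntax; not a real device's configuration.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "port2"
        set role lan
        set alias "Office-LAN"
        set device-identification enable
        set allowaccess ping https ssh http telnet
    next
    edit "port3"
        set role dmz
        set alias "Public-Web"
    next
    edit "port4"
        set alias "Spare"
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
    next
    edit 2
        set srcintf "port2" "port3"
        set dstintf "port1"
    next
end
"""

CLEARTEXT_ADMIN = {"http", "telnet"}   # SH01: must not appear in allowaccess
VALID_ROLES = {"wan", "lan", "dmz"}    # ND08: required interface classification


def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} for flat config/edit/set blocks."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # strips the quotes around names/values
        if not tokens:
            continue
        if tokens[0] == "config":
            table = " ".join(tokens[1:])
            tables.setdefault(table, {})
        elif tokens[0] == "edit":
            entry = tokens[1]
            tables[table][entry] = {}
        elif tokens[0] == "set":
            tables[table][entry][tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            entry = None
        elif tokens[0] == "end":
            table = None
    return tables


def check_sh01(interfaces):
    """Interfaces whose allowaccess list includes a cleartext management protocol."""
    found = {n: sorted(CLEARTEXT_ADMIN & set(a.get("allowaccess", [])))
             for n, a in interfaces.items()}
    return [(n, bad) for n, bad in found.items() if bad]


def check_nd07(interfaces):
    """LAN/DMZ interfaces that do not have device identification enabled."""
    return [n for n, a in interfaces.items()
            if a.get("role", ["undefined"])[0] in ("lan", "dmz")
            and a.get("device-identification", ["disable"])[0] != "enable"]


def check_nd08(interfaces):
    """Interfaces with no WAN/LAN/DMZ role or no business-function alias."""
    return [n for n, a in interfaces.items()
            if a.get("role", ["undefined"])[0] not in VALID_ROLES
            or not a.get("alias")]


def check_nd10(policies):
    """Policies that list more than one source or destination interface."""
    return [pid for pid, a in policies.items()
            if len(a.get("srcintf", [])) > 1 or len(a.get("dstintf", [])) > 1]


def run_checks(config_text=SAMPLE_CONFIG):
    """Map each control ID to its findings; an empty list means the check passes."""
    cfg = parse_fortios(config_text)
    interfaces = cfg.get("system interface", {})
    policies = cfg.get("firewall policy", {})
    return {"SH01": check_sh01(interfaces), "ND07": check_nd07(interfaces),
            "ND08": check_nd08(interfaces), "ND10": check_nd10(policies)}


if __name__ == "__main__":
    for control, findings in run_checks().items():
        print(f"{control}: {'PASS' if not findings else 'FAIL'} {findings}")
```

On the constructed sample, port2 fails SH01 (http and telnet in its allowaccess list), port3 fails ND07 (a DMZ interface without device identification), port1 and port4 fail ND08 (no alias, and no role respectively), and policy 2 fails ND10 because it lists two source interfaces. Running the same functions over a real `show full-configuration` export gives an auditable record per control that complements the Security Rating view from the Fabric root.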
