Enterprise FW 01 Introduction To Network Security Architecture


Enterprise Firewall

Introduction to Network Security Architecture

FortiOS 7.2
© Copyright Fortinet Inc. All rights reserved.
Last Modified: January 23, 2024
Objectives
• Describe the enterprise firewall solution
• Explain the network security reference architecture and the Fortinet products it
comprises
• Describe the roles of firewalls and their placement in the network
• Understand FortiOS workspace mode



Enterprise Firewall Solution Overview
Evolution of the Enterprise Network
• Networks are no longer flat and one-dimensional
• Enterprises must protect against a range of constantly evolving threats

Segmentation: protecting only the perimeter is not enough
Protection: zero-day attacks, advanced persistent threats (APT), polymorphic malware, insider threats, and much more



Evolution of the Enterprise Network (Contd)
• The enterprise perimeter has been stretched so far that it’s no longer recognizable
• You must apply the zero-trust model

Hybrid Workforce
• Working from home
• Mobile workforce
• Partners accessing your network services
• Public and private clouds
• Internet of things (IoT)
• Bring your own device (BYOD)

Zero-trust model: the attack can come from anywhere, using any method, and affect anything



Fortinet Enterprise Firewall Vision

1 PROTECT
• Manage threats across Campus and DC
• Prevent business disruptions

2 CONVERGE
• Implement Universal ZTNA
• Enable work from anywhere

3 HYPERSCALE
• Build Hyperscale Security
• Meet escalating business needs



Fortinet Enterprise Firewall Solution Overview

[Diagram: Security-Driven Networking. Networking side labels: VPN, WLAN, Switch, Routing, LAN Edge, Secure SD-WAN & 5G, Proxy, SWG. Security side labels: Device, ZTNA, User, Content, Application, Network Firewall, Location. Delivered as Devices (A, B, C) and Software (1, 2, 3).]



Network Security Reference Architecture
Network Segmentation Key Requirements
• Edge threat protection
  • Full inspection to prevent security threats
• Network segmentation
  • Lateral threat movement contained with internal segmentation
• Scalability and performance
  • Scale up and down with growing businesses

[Diagram: Data Center Deployment. Labels: Internet, MPLS, Network Firewall (two instances), Malicious traffic, Clean traffic, Web segment, App segment, Database segment.]



Network Segmentation Architecture

[Diagram: network segments Finance, Engineering, Guest Wireless, Corp. Wireless, VPN, Sales.]



Today’s Border Security
• The problem:
  • Protect business from outside attacks
  • Protect users from external threats
  • Keep users productive
• The solution:
  • Apply all security at the internet edge
  • Flat network provides no internal security
  • Visibility into the network severely limited
  • Risk of compromise is very high

[Diagram: two NGFWs at the Outside/Inside boundary; flat internal network with segments Finance, Engineering, Guest Wireless, Corp. Wireless, VPN, Sales.]



Use Case—Reducing Attack Surface
• The problem:
  • The flat internal network
  • Lack of internal visibility
  • Weak internal security
• The solution:
  • Add more enforcement points
  • Create containment zones
  • Perform deep SSL inspection
  • Inspect applications
  • Check for zero-day malware
  • Protect critical assets

[Diagram: two NGFWs at the Outside/Inside boundary; ISFWs creating containment zones Zone 1-A, Zone 1-B, Zone 2-A, Zone 2-B around segments Finance, Engineering, Guest Wireless, Corp. Wireless, VPN, Sales.]



Use Case—Trusted Application Integrity
• The problem:
  • Secure business-critical applications
  • Protection for multiple applications
  • Users in multiple locations
• The solution:
  • Secure applications with solutions that share security intelligence
  • Use security that works with mobility and cloud usage
  • Inspect SSL to make sure only trusted transactions take place
  • Establish trust with sources inside and outside the network

[Diagram: two NGFWs at the Outside/Inside boundary; ISFWs in front of segments Finance, Engineering, Guest Wireless, Corp. Wireless, VPN, Sales.]



Use Case—Achieving Compliance
• The problem:
  • Enforcing regulated access
  • Standard network boundaries
  • Critical compliance policies
• The solution:
  • Multiple enforcement point locations
  • Endpoint coverage for specific needs
  • Network coverage for IoT
  • Visibility for audits
  • Keep critical systems running

[Diagram: two NGFWs at the Outside/Inside boundary; ISFWs in front of segments Finance, Engineering, Guest Wireless, Corp. Wireless, VPN, Sales.]



Use Case—Tiered Cloud Access
• The problem:
  • Unexpected cloud costs
  • Shadow IT
  • Lack of cloud data visibility
• The solution:
  • Combine cloud usage statistics with local enforcement
  • Regulate access to cloud resources from authorized users
  • Maintain audit trails of cloud-hosted data
  • Prevent data exfiltration

[Diagram: two NGFWs at the Outside/Inside boundary; ISFWs in front of segments Finance, Engineering, Guest Wireless, Corp. Wireless, VPN, Sales.]



Roles of Firewalls and Their Placement in the Network
Firewall Roles in the Enterprise Firewall Solution

Firewall Role | Purpose | Deployment Layer | Target Throughput | Typical Features Deployed
Distributed Enterprise Firewall (DEFW) | Branch office with VPN to HQ | Access/Edge (All-in-one) | Up to 1 Gbps | Firewall, App Control, Web Filter, IPS, antivirus & VPN
Next-Generation Firewall (NGFW) | Separate private network from public networks | Edge or Core | 1 – 40 Gbps | Firewall, App Control, IPS, antivirus & VPN
Data Center Firewall (DCFW) | Inbound protection from internal and external threats | Distribution | 10 Gbps – 1 Tbps | Firewall, App Control & IPS
Internal Segmentation Firewall (ISFW) | Breach containment and segment isolation | Access | 1 Gbps – 100 Gbps | Firewall, App Control, Web Filter & IPS



Next-Generation Firewall (NGFW)
• Access to the internet
• Application access to local DC and cloud with ZTNA
• Protects network from external threats
• Minimizes and contains breach by implementing dynamic segmentation

[Diagram labels: ACCESS, APPLICATION, PROTECTS, MINIMIZES.]



Internal Segmentation Firewall (ISFW)
• Reduced attack surface
• Trusted application access
• Regulatory compliance



Data Center Firewall (DCFW)
• Prevent business operation disruptions
• Meet growing business IT and security requirements
• Present a strong security posture
• Remain environmentally responsible to help customers achieve sustainability goals

[Diagram: Data Center firewall between Internet, Campus, and Servers, running IPS, AMP, AV, and Web inspection. Labels: EDGE PROTECTION, SCALABILITY, SIMPLICITY, SUSTAINABILITY.]



FortiOS Workspace Mode
Workspace Mode
• Start workspace mode:
  • execute config-transaction start
  • Configuration changes are made in a local CLI process that is not viewable by other processes
• Abort configuration changes:
  • execute config-transaction abort
  • If changes are aborted, no changes are made to the current configuration
• Commit configuration changes:
  • execute config-transaction commit
  • After committing, the changes are available for all other processes and the kernel

[Diagram: Start workspace transaction -> Make FortiOS configuration changes -> Revert/edit FortiOS configuration changes -> Commit/abort workspace transaction.]



Diagnosing Workspace Mode

# diagnose sys config-transaction status
The CLI is running config transaction (id=1)
(Callout: the transaction ID)

# diagnose sys config-transaction show txn-info
txn_id=1, expire=12 seconds, user='admin', userfrom='ssh(10.1.10.1)',
clicmd_fpath='/dev/cmdb/txn/4_Ede9G.conf
(Callouts: the administrator who owns the transaction; changes are aborted if they are not committed before the transaction expires)

config transaction id=1 will expire in 10 seconds
config transaction id=1 has expired

# diagnose sys config-transaction show txn-cli-commands
config system global
set hostname "NewHostname"
end
(Callout: changes pending to be committed)
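The Workspace Mode and Diagnosing Workspace Mode slides above describe three outcomes for a transaction: commit, abort, and expiry before commit. The following Python model is an added illustration (not FortiOS or Fortinet code; the ConfigStore class, its simulated clock arguments, and the OldHostname/NewHostname values are assumptions) showing that other processes keep seeing the committed configuration until commit, and that abort or expiry leaves it untouched.

```python
# Model of FortiOS workspace mode semantics (added illustration, not Fortinet code):
# changes stay private until commit; abort or expiry before commit drops them.
import copy


class ConfigStore:
    def __init__(self, running):
        self.running = running  # configuration every other process sees
        self.txn = None         # the private, uncommitted transaction

    def start(self, user, now, expire_seconds=10):  # execute config-transaction start
        if self.txn is not None:
            raise RuntimeError("a config transaction is already running")
        self.txn = {"user": user, "expires_at": now + expire_seconds,
                    "config": copy.deepcopy(self.running)}

    def _active(self, now):  # an expired transaction is aborted automatically
        if self.txn is not None and now >= self.txn["expires_at"]:
            self.txn = None
        return self.txn is not None

    def set(self, section, key, value, now):
        if not self._active(now):
            raise RuntimeError("no running config transaction")
        self.txn["config"].setdefault(section, {})[key] = value

    def view(self, section, key):  # what other processes and the kernel see
        return self.running.get(section, {}).get(key)

    def abort(self):  # execute config-transaction abort
        self.txn = None

    def commit(self, now):  # execute config-transaction commit; False if expired
        if not self._active(now):
            return False
        self.running, self.txn = self.txn["config"], None
        return True


def run_scenario(action, expire_seconds=10):
    """Return (hostname others see mid-transaction, hostname they see after action)."""
    store = ConfigStore({"system global": {"hostname": "OldHostname"}})
    store.start("admin", now=0, expire_seconds=expire_seconds)
    store.set("system global", "hostname", "NewHostname", now=1)
    during = store.view("system global", "hostname")
    if action == "abort":
        store.abort()
    else:  # "expire": the admin only tries to commit after the timer has run out
        store.commit(now=2 if action == "commit" else 2 + expire_seconds)
    return during, store.view("system global", "hostname")
```

Only the "commit" scenario changes what other processes see; in every case the private change is invisible while the transaction is open.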



Review
✓ Describe the enterprise firewall solution
✓ Explain the network security reference architecture and the Fortinet products it comprises
✓ Describe the roles of firewalls and their placement in the network
✓ Understand FortiOS workspace mode



Lab 1—Introduction to Network Security Architecture
• Integrate ISFW port3 to a software switch
• Migrate all port3 settings to the new interface
• Merge NGFW port1 and port2 to SD-WAN
• Enable SD-WAN
• Update firewall objects to point to SD-WAN instead
