Security Profiles Flashcards
Secure Method Versions
TLS 1.2 is recommended for broad compatibility
TLS 1.3 is for improved security and faster connection times.
SSL 2.0/3.0 and TLS 1.0/1.1 are all deprecated and should not be used.
Command to change supported SSL versions
config system global
set admin-https-ssl-versions <version>   (e.g. tlsv1 tlsv1-3)
Command to display all TLS commands
show full | grep -f tls
Security in TCP Packet Analysis
TCP Header - Transport layer; contains the essential fields for data transmission, such as dst port, src port, window size, etc. Controls the connection, flow, and integrity of the data.
TLS Header - Carried as the TCP payload; opens in the security layer.
HTTP Header - Encrypted information inside the TLS record; opens in the application layer.
TCP to TLS Handshakes
The TCP three-way handshake (SYN, SYN-ACK, ACK) is completed before the TLS handshake begins.
Once the TCP connection is established between client and server, the TLS handshake follows this sequence and creates the security layer:
Client Hello -> Server
Server Hello -> Client
Server Certificate -> Client
Server Hello Done -> Client
Client Key Exchange -> Server
Change Cipher Spec -> Server
Finished -> Server
Finished -> Client
Cipher suite TLS 1.2:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Protocol _ Key Exchange Algorithm _ Authentication Algorithm _ WITH _ Encryption Algorithm _ Hash Algorithm
TLS with HTTP/3
Protocol Layering evolution
Faster Connection setup
Certificate VS Full Inspection
Certificate limitations:
Does not do traffic decryption, encrypted payload inspection, or SSL proxying; extracts the URL from the certificate only if SNI is not present; and has limited protection from HTTPS-based attacks.
SNI Check Feature
Server Name Indication enables a server to offer multiple certificates on a single IP address, allowing various secure websites or services to share the address without needing a common certificate. Useful in cloud computing environments.
Within TLS Handshake:
Client Hello includes the SNI and is sent to the server
Server receives it and replies with Server Hello, which may initially include empty info in the SNI response
Server sends the authentication details required by the SNI request
Server sends Server Hello Done
SAN in secure Connections
Subject Alternative Name
An extension of SSL/TLS
During SSL/TLS Handshake
Single certificate, multiple domains
SAN cuts complexity
Supports wildcards
Protocol Port Mapping
Standard Service on Alternative Port
Deep Inspection
Enabled with Outbound policy
Security Profiles > SSL/SSH Inspection > Create New
Increases system resource usage
Blocking Unsupported TLS versions
In outbound policy:
config https
set unsupported-ssl-version block
set min-allowed-ssl-version tls-1.2
end
Security Profile: Web Filter
Domains and URLs
Flow and Proxy Based
Internet Policies
Limit access to specific website URLs
FortiGuard Dependency - Queries FDS for rating lookups on demand
conf webfilter profile
Security Profile: Application Control
Layer 7 OSI
Flow-Based
Internet Policies
Traffic Shaping Policy
Limit access to non-URL software (applications) rather than URLs
FortiGuard Dependency - diagnose autoupdate versions (Application Definitions)
conf application list
Policy & object: ISDB
Layer 3 and 4 OSI
No Inspection
Internet Policies
SD WAN rules
FortiGuard Dependencies - diagnose autoupdate versions (Internet-service Standard Database)
conf firewall internet-service-name
Ethical Attack Simulation
Comprehensive Security Auditing Software
Open-source
hping3 network tool examples
Ping using TCP SYN packets:
hping3 -S -p 80 -c 5 www.example.com
Run a traceroute using UDP packets (-2 selects UDP mode; the original "-l" is not an hping3 option):
hping3 --traceroute -V -2 -p 33434 www.example.com
Perform firewall testing (checking for open ports):
hping3 -S -p 22 -c 1 www.example.com
Protect Server and Client Targets
IPS Profile
Type: Filter
Action: Block
Target: Server and Client
All severity levels, protocols, and operating systems are blocked
Risk of False Positives
Know your network protocols and workflows
Handling False Positives
A normal event is identified as malicious
Type: Signature
Action: Monitor
PHP Code Injection in HTTP
Type: Filter
Action: Monitor
Detect before Blocking
Certificate-inspection mode
FortiGuard Encyclopedia
Simulate an attack and then use its signature to add a Block entry
PHP Code Injection in HTTPS
Sufficient for HTTPS? Not unless you enable Protecting SSL Server
Normal traffic logs only; no IPS logs until you enable it.
FGT self-signed certificate
DNS Exfiltration
Steal Information
UDP
FGT has a signature to detect and prevent it. SSL/SSH inspection must be enabled in full-inspection mode (multiple clients connecting to multiple servers).
DNS over TLS
UTM Profiles
UTMs are deployed in NGFW
ISFW and DCFW may serve as NGFW
DEFW does not need NGFW under its native function
UTM profiles are based on operational needs.