
24 April 2017

The new FortiOS 5.6 brings new features

I have been writing recently about how to deploy the “new” FortiOS 5.4 into VMware. Although the deployment method is the same, we can already deploy the beta FortiOS 5.6 as well for testing environments. Today, the recommended firmware for production firewalls is FortiOS 5.4.4, but if we are wondering what's new in FortiOS 5.6 and would like to test it, we can already download it to play with in a laboratory.

FortiOS 5.6 Dashboard

One of the new and enhanced features is Security Fabric integration with FortiView. What the hell is this? If we have several Fortinet devices, we get much better visibility into our network traffic because we can see the physical and logical topology of our organization from a single dashboard, where we can also search for users, vulnerabilities, link usage, etc. This allows us to identify issues quickly and intuitively.

FortiView Physical Topology

Another new and powerful feature is Security Fabric Audit, which is an easy way to know whether you are doing well. This new feature helps us apply security recommendations to our Fortinet devices, such as upgrading firmware, disabling insecure protocols, moving servers to a DMZ, applying updates to Windows devices and many more. Therefore, it allows us to apply best practices for compliance and identify vulnerabilities quickly, making the network more secure over time.

Security Audit Fabric

From time to time customers ask me to apply firewall policies by application, which is a common practice in other firewalls like Palo Alto. The new FortiOS 5.6 allows us to configure firewall policies that deny or allow traffic by application, such as Skype, YouTube, etc. In addition to this new way of application control, we can also configure firewall policies by URL category. These features are in high demand by users, where application control and web filtering become part of the firewall policies and are a condition for denying or allowing network traffic.

NGFW Policy

I think Virtual Extensible LAN (VXLAN) support is good news in FortiOS 5.6, because it means we will be able to configure a Layer 2 VPN over a Layer 3 network. This feature, although it can only be configured through the CLI right now, is interesting and useful because we don't need a high-end and powerful firewall to deploy VXLAN technology; entry-level firewalls will be enough to enjoy this new Layer 2 VPN technology.

On the other hand, WAN link load balancing has been enhanced into SD-WAN, or Software Defined WAN. Although it's still a small module inside FortiOS, it allows us to balance access links by user or application, which makes bandwidth management a must-have for most organizations.

Last but not least, security subscriptions have been modified to introduce Industrial Signatures for IPS and Application Control. What's more, Application Control Signatures are downloaded free with the FortiCare support contract, and Anti-Botnet is now part of the AntiVirus license in FortiOS 5.6.

FortiOS 5.6 Security Subscriptions

Regards my friends; new firewall operating system, new features, go ahead.

17 April 2017

Alienvault: Deploying a virtual SIEM

Last week, we saw how to deploy a virtual firewall in a VMware infrastructure to test new features and learn about FortiOS 5.4. However, this method of deploying virtual machines into a VMware infrastructure is also a good way to learn how other products work, such as load balancers, routers, switches, SIEMs, etc. Therefore, this time we are going to see how to deploy the Alienvault USM Appliance, which can be useful to compare with the free Alienvault OSSIM. In addition, we'll see that the commercial edition has more security directives than the free edition, even for detecting the latest Apache Struts attacks.

The first step is to register to download the USM Appliance (On-Premises) Free Trial to deploy into our virtual infrastructure. We shouldn't confuse it with USM Anywhere (In the Cloud), which is another product where the intelligence, events and information live in the cloud, and we only have to deploy sensors throughout the organization.

Next, I deployed the OVF template called VMWARE-AlienVault_USM_All-in-One_5.3.6.ova as a new virtual machine into the VMware infrastructure. We'll realise that the USM Appliance needs a lot of resources: 8 CPUs, 16 GB of RAM and 1 TB of disk.

Alienvault USM Appliance

Once the virtual SIEM is imported into VMware, there is some basic configuration, like the management IP address and DNS, which has to be done through a wizard from the console. After that, everything is done from the web interface.

Nevertheless, Alienvault has a Quick Start Guide and a Deployment Guide to help us deploy and configure their appliances in an easy way.

Alienvault Deployment Guide

If we are going to test, for instance, the latest security directives, like the one for the recent Apache Struts vulnerability, we would have to upgrade the Threat Intelligence signatures, which is not possible from the Free Trial. If we want to keep the USM Free Trial updated, we have to download the security directives from the commercial version and import them into the USM Free Trial.

Correlation Directives

Now it's time to create threat intelligence policies. I have created a new policy for alerting by email when something goes wrong, like a traffic scan, web attacks, a malware infection, etc. What's more, we can also configure it to execute an external program when something wrong is happening.

USM Policies

It's time to attack and check whether USM is detecting the malicious activity or we are bypassing the security protections. This can be done by watching security events and alarms.

Apache Struts Alarms

Regards my friends and remember, play and test with your toys to know how they work.

10 April 2017

FortiGate: Deploying a virtual firewall

From time to time we have to test our IT infrastructure against attacks to know whether we are protected enough. A good way to play with firewalls is a virtual infrastructure where we can deploy our own laboratory. This is not only useful for testing our configuration in a laboratory without changing the production environment, but also for testing new features and learning without taking any risks. This time, we are going to see how to deploy a new virtual firewall and how to protect a web application.

The first step is to download a virtual firewall to deploy into our virtual infrastructure. For instance, I have downloaded the latest firmware version of FortiGate VM64 for VMware infrastructure. Next, I decompressed the small file of approximately 35 MB, called, and imported it as a new virtual machine into the VMware infrastructure. It is important to download the right virtual machine for our infrastructure, VMware in this case, and not another version like FortiGate VMX, which is for integration with VMware NSX and protection of virtual machines.

FortiGate Virtual Machine

Once the virtual firewall is imported into VMware, we have to configure some basic things, like the management IP address and the timezone, from the virtual console (the IP address and netmask below are placeholders for your own values):

# config system interface
# edit port1
# set ip <management-ip> <netmask>
# set allowaccess ping http https
# next
# end

# config system global
# set timezone 28
# end

Nevertheless, firewall manufacturers usually have installation guides to help us deploy their firewalls in an easy way.

FortiGate Install Guide

If we are going to test, for instance, the latest IPS signatures, like the one for the recent Apache Struts vulnerability, maybe we'll have to upgrade the IPS engine and IPS definitions. This time, I downloaded the attack definitions for FortiGate VM00 manually. They can be downloaded from the Fortinet Partner Portal; if you need them, ask your reseller.

Apache Struts IPS signature

Now it's time to create new firewall policies. I have created a new policy to protect a web application, which is running Apache Struts over tcp/8080, and I have applied an IPS profile with custom Proxy Options where I have added tcp/8080 to the HTTP protocol.

Firewall Policy
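The policy described above, written out in FortiOS 5.4 CLI as an added example (this is not the post's own configuration): a service object for tcp/8080, a Proxy Options profile that adds port 8080 to HTTP inspection, an IPS sensor that blocks and logs high and critical severity signatures, and the firewall policy that ties them together. The interfaces port1/port2, the address object struts-server with the constructed documentation address 192.0.2.10, and all object names are assumptions.

```fortios
config firewall address
    edit "struts-server"
        set subnet 192.0.2.10 255.255.255.255
    next
end

config firewall service custom
    edit "HTTP-8080"
        set tcp-portrange 8080
    next
end

config firewall profile-protocol-options
    edit "struts-proxy-options"
        config http
            set ports 80 8080
            set status enable
        end
    next
end

config ips sensor
    edit "struts-ips"
        config entries
            edit 1
                set severity high critical
                set status enable
                set action block
                set log enable
            next
        end
    next
end

config firewall policy
    edit 1
        set name "protect-struts-app"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "struts-server"
        set action accept
        set schedule "always"
        set service "HTTP-8080"
        set utm-status enable
        set profile-protocol-options "struts-proxy-options"
        set ips-sensor "struts-ips"
        set logtraffic all
    next
end
```

With logtraffic set to all and log enabled on the IPS entry, both the allowed sessions and any blocked Struts attempts show up in the Intrusion Protection logs used in the next step.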

It's time to attack and check whether the firewall is blocking the malicious activity or we are bypassing the security protections. This can be done by watching the firewall logs:

Intrusion Protection Logs

Regards my friends and remember, play and test with your toys before going to production.

3 April 2017

Cyber rights from the new GDPR

Once, I read that big companies like Google, Facebook or Amazon were hiring more lawyers than IT engineers because they store lots of personal information and they have to know how they can move this personal information from one country to another without facing fines. Lawyers have to know the personal data protection laws of all countries and, therefore, international law, to avoid fines against these big companies and also to know the best place to build new data centers (CPDs) for moving personal data.
Today, most Spanish people know about the LOPD, which is a Spanish law mandatory for all companies that handle, manipulate and store personal information. However, the new Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data is going to change the paradigm of personal data protection when it applies in May 2018. From then on, all companies and public authorities in the European Union should follow the same rules, which are stricter and more decisive than our LOPD but better and more useful for all citizens.

An important change is the new role of the Data Protection Officer, or DPO, who will inform and advise the controller about its obligations, monitor compliance, provide advice regarding the data protection impact assessment and monitor its performance, cooperate with the supervisory authority, and act as the contact point for the supervisory authority on issues relating to processing. Therefore, the DPO should be someone with specialized knowledge of law, data protection and information security. This new role will be mandatory for all public authorities and for companies with large-scale processing of personal data.

Another thing to mention is incident management and incident response, where the controller has to notify the supervisory authority when there has been a personal data breach. This notification should be done within 72 hours after becoming aware of the data breach, and if the data breach could adversely affect someone's privacy, the incident management process must also notify the affected people. Therefore, this is a good way for citizens to know whether our personal information has been compromised, which is useful to take measures and, why not, stop trusting some companies. This is a challenge for companies as well if they don't want to be punished and want to keep their reputation.

The new role of the DPO and the incident management process are only some of the changes in the new regulation, because we'll also have to take into account Privacy Impact Assessments (PIA) to know the risk and impact of personal data breaches, as if it were a Business Impact Analysis but for personal information. As a result, a Risk Management Process will be useful for companies and public authorities. Finally, the International Association of Privacy Professionals has released a Privacy Impact Assessment (APIA) System to help us carry out PIAs.

Regards my friends and remember, there are standards like ISO 27000 and ISO 31000 which help us comply with this new regulation.