UTM Security with Fortinet: Mastering FortiOS
By Kenneth Tam, Martín H. Hoz Salvador, Ken McAlpine, Rick Basile, Bruce Matsugu, Josh More
ELSEVIER. Copyright © 2013 Elsevier, Inc.
All rights reserved.
Chapter One: Introduction to UTM (Unified Threat Management)
INFORMATION IN THIS CHAPTER:
Basic Network Security Concepts
- Computer and Network Security Concepts and Principles
- Computer and Network Security Technology Concepts
- Network Security Technology Concepts
- Commonly used Computer and Network Security Terms
Unified Threat Management (UTM) Foundations
- The World before UTM
- The History of the Unified Threat Management (UTM) Concept
- UTM vs other Security Architectures
- UTM vs Best-of-Breed
- UTM vs Next-Generation Firewalls
- UTM vs XTM
Solving Problems with UTM
- Consistent Security Policy
- Protecting against Blended Threats
- Implementing Clean Pipes
More Efficient Security
- Higher Performance
Enhancing Operational Response Times (Meeting and Enhancing SLAs)
Getting a Better Support Experience
- Increasing Network Availability
- Easier Investment Justification
- Licensing Simplicity
- Lowering Operational Costs
Current UTM Market Landscape
UTM à la Fortinet
- Reliable Performance
- Selective Functionality
- Homegrown Technology
- In-house Security Intelligence Unit: FortiGuard Labs
- Single Licensing Cost
- Included Virtualization
Internet and Security
It's 4 PM and you realize you forgot today was your wedding anniversary. Some years ago, this would have meant problems back home with your spouse. Today, you can simply go to a site like Google or Bing and search for something to cover for you missing the occasion: look for recommendations for a good restaurant, book seats for a nice show, send flowers, or even buy a gift you can pick up on your way back home. You don't even need to be at your office: you can do it from a cybercafe, a public kiosk, or conveniently from your smartphone while on the train or bus (never while driving your car!). This wouldn't have been possible back in 1999.
Today we do many activities with computers connected to the Internet, and as new users and generations are brought online, many rely on the fact that computers and the Internet are there and will be there. We go to school, shop, do home banking, chat, and interact on social networks every day, and people think the services must be there. They take that for granted. However, the amount of effort, technology, and skill required to keep all the services on the Internet running would surprise many. The worst thing is that many of these newcomers begin their online life with little or no education on how to be a good Internet citizen (or netizen), which also means they don't know the minimum measures they need to take to turn their online experience into a safe and pleasant one.
Among all the disciplines that are used to keep the Internet up and running, Internet Security is of special relevance: the day we began trading over the Internet and money began to be represented by bits flowing on wires, it became attractive for professional attackers and criminals to be online as well. Internet Security is what helps to keep the infrastructure up and running, and it is also the discipline that can keep the Internet a safe place for us, our kids, and future generations.
Basic Network Security Concepts
Several network security books, especially the ones dedicated to firewalls, begin explaining technical concepts right in the first chapter. This book can't be an exception. I would say the material below could be too basic if you are already a computer security master and you are looking to get directly into how Fortinet does things differently with FortiGates. If this is the case, it might be a good idea to jump to Chapter 2, FortiGate Hardware Platform Overview. Otherwise, if you are relatively new to computer security or would like to review a different point of view on how to approach the computer and network security challenge, then please keep reading: the author of this chapter enjoyed writing it and tried his best to explain everything in a fun way, whenever possible :-)
But before getting deeper into security, I would like to mention some areas where you might need to get some expertise if you want to really be a network security star. If you are already seasoned, this will probably be a good reminder of areas you should keep updated on. If you are new, then this could provide a nice road map to go deeper into the field after you finish reading this book:
Programming: Know at least one third-generation programming language, one fourth-generation programming language, and one scripting language. The distinction is made because each one will help you understand different concepts and will teach you to think in different ways when you analyze problems. Some options are C, SQL, and Korn-shell scripting, but it could also be C#, Ruby or Python, and Oracle SQL. If you want to become a pen-tester, you will probably want to learn a bit of assembler as well. Please note I said "know," which is different from "master." This is important because you probably don't want to become a professional programmer, but you will need to be fluent enough in the language to understand code you read (exploit code or the source code of Web applications, for example), modify it to suit your needs, or automate tasks.
Operating System: An operating system is the program loaded on a device that is responsible for managing hardware and programs. Every device, from a cell phone to a game console, a tablet, or a personal computer, has an operating system. You need to understand how it works: memory management; I/O management in general; allocation of processor, disk, and other hardware resources; network interface management; and process management. As with programming, you probably don't need to know how to tune kernel parameters or how to tune a server for maximum performance. However, you need to understand how the operating system works, so you can identify and troubleshoot issues faster, and so you understand how to secure an environment more effectively. It might not be a must, but experience with at least one of the following operating systems is highly desirable and will always come in handy: Microsoft Windows (any version) or a Un*x flavor such as HP-UX, IBM AIX, FreeBSD, OpenBSD, or GNU/Linux.
Networking: One of the reasons organizations need security is the open nature of the Internet, designed to provide robust connectivity using a range of open protocols to solve problems by collaboration. Almost no computer works alone these days, so it's quite important to know as much as you can about networking. One example of why networking matters: in the experience of this book's authors, at least eighty percent (80%) of the issues typically faced with network security devices (especially devices with a firewall component, like the FortiGate) are related to network issues rather than product issues. Because of this, it's important to know how switching technologies work, how ARP handles the mapping between MAC addresses and IP addresses, how STP builds "paths" on a switching topology, 802.3ad and interface bonding, 802.1x and authentication, TCP and its connection states, and how static routing and dynamic routing with RIP, OSPF, and BGP work. All of those are important, and I would dare to say almost critical. And on networking you will need a bit more than just "understanding": real-world experience configuring switches, routers, and other network devices will save your neck more than once while configuring network security devices.
Yes, as you can see, being a security professional requires a lot of knowledge on the technical side, but it is rewarding in the sense that you always get to look at the bigger picture and then, by analysis, cover all the parts to ensure everything works smoothly and securely.
Computer and Network Security Concepts and Principles
Having covered all that, we will now review security concepts. We won't explain all the details about them here, since they will be better illustrated in the chapters to come, where all the concepts, technologies, and features mentioned are put to practical use. The definitions offered here are the ones that carry meaning throughout this book, and they may not necessarily match the ones commonly used by other vendors.
Computer and Network Security is a complex discipline. To become well versed in it, you need to truly understand how many things work: from programming, to hardware architectures, to networks, and even psychology. Going through the details of each field necessary to consider yourself a security professional is way beyond the scope of a single book, let alone a section within a book chapter. If you are interested in knowing more about this field, there are many references out there. In general, the Common Body of Knowledge (CBK) proposed by organizations like (ISC)2 or ISACA, and certifications like Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), or Certified Information Security Manager (CISM), have a good reputation in the industry and are considered to cover a minimum set of knowledge that puts you on the right track to becoming a security professional.
This book also assumes that you already have some experience with operating systems, computers, and networks. We won't explain basic concepts and technologies like netmasks, network segments, switches, or routers here. We will try to cover any of these concepts in the context of an explanation, when they somehow affect the result being achieved.
Admittedly, even though effort has been made to keep this book fun, the paragraphs below could be a bit boring if you have already worked with computer security for a while. Having said all the above, we will discuss here some general security concepts in an attempt to standardize the meaning of these concepts and principles in the context of this book.
Probably the first concepts we need to review are those related directly to the Computer, Network, or Information Security fields. It's very hard to say these days whether we should be talking about "Internet Security," "Data Security," "Information Security," "Computer Security," or "Network Security" when we discuss subjects around this matter. However, for the purpose of this book we will use the terms "Network Security," "Computer Security," and "Information Security" more than the others, since this book discusses a technology whose focus is to be a mechanism to protect computer networks and digital information assets.
The order in which the concepts are presented is relevant, because we try to go from the basic ones to the most complete and specific ones.
Security: Perhaps this must be the very first term we need to define. For the purposes of this book, Security will refer to a set of disciplines, processes, and mechanisms oriented to protect assets and add certainty to the behavior of such protected assets, so you can have confidence that your operations and processes will be deterministic. That is, you can predict the results by knowing the actions taken on an asset. It is commonly accepted that Security is an ongoing process, that it consists of Processes, People, and Mechanisms (Technology), and that it should be integrated into business processes. In that regard, the concept of Security is similar to the concept of Quality.
Information Security or Network Security: This is the concept of security applied to computer networks. In other words, it is the set of disciplines, processes, and mechanisms oriented to protect computer network assets, such as PCs, servers, routers, and mobile devices. This includes the intangible parts that keep these physical components operating, such as programs, operating systems, configuration tables, databases, and data. The protection should be against threats and vulnerabilities, such as unauthorized access or modification, disruption, destruction, or disclosure.
Confidentiality: A security property of information; it mandates that information should be known only by the authorized entities the information is intended for. So, if a letter or e-mail should be known only by the e-mail's author and recipient, ensuring confidentiality means nobody else should be able to read that letter.
Excerpted from UTM Security with Fortinet by Kenneth Tam, Martín H. Hoz Salvador, Ken McAlpine, Rick Basile, Bruce Matsugu, and Josh More. Copyright © 2013 by Elsevier, Inc. Excerpted by permission of ELSEVIER. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.