Hot!Internet Access using FSSO

Author
fmuianga
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/02/08 09:51:12
  • Status: offline
2018/02/13 04:24:48 (permalink) 5.6
0

Internet Access using FSSO

Good afternoon,
My firewall is giving access to the Internet to machines that receive the IP that the user with permission used, even though it is a local account it goes to the internet because the IP is recognized in the firewall as the IP of a user with Internet access. I tried to diagnose debug authd fsso clear-logons to clear the cache but the problem prevails.
 
Let me list the configurations that i did:
1. I installed de FSSO software in domain controller to sync the AD users groups;
2. I created users groups in firewall maped to AD users groups;
3. I created policy IPv4 with the folow information:
Name: Full_Access_Users
Incoming Interface: Internal (port1)
Outgoing Interface: sd-wan
Source: all & DSI(users group)
Destination: all
Schedule: always
Service: ALL
 
The policy is the second counting from top to bottom.
The machine that is not in domain but have the IP thats is recognized by firewall as IP of user with internet access is going to internet for this policy and in fortiview apear the user and that IP going to internet.
 
I want to block internet access for local users and for users that arent authenticated in my AD.
 
#1

3 Replies Related Threads

    xsilver_FTNT
    Expert Member
    • Total Posts : 319
    • Scores: 61
    • Reward points: 0
    • Joined: 2015/02/02 03:22:58
    • Status: offline
    Re: Internet Access using FSSO 2018/02/13 07:52:37 (permalink)
    0
    Hi,
    so if I summarize your issue, then some users are stealing IP addresses of already authenticated users known through FSSO, and so those impersonate and pass the firewall as someone else misusing the access privileges of original FSSO user.
     
    That is not a fault of FSSO but flaw of the technology itself.
    If you do allow the misuse or have misconfigured DNS, this can happen.
    Keep in mind that FSSO is at the end source IP pre-authorization.
     
    I see two possible scenarios:
    ---
     
    A) original user is logged off and new user was simply provided with IP of the previous user.
    In this case new user get unintentionally access according to old user's access privileges, simply because logoff was not detected, or workstation check failed or was not run fast enough.
    Solutions:
    - retention on DHCP, to keep recently released IPs a bit longer inside and do not provide them back to newcomers so easily
    - shorten workstation checks
    - use WMI logoff detection on standalone Collector Agent (by default is turned on)
     
    B) new user stole IP of previous FSSO user to gain access
    Just a few mitigation hints .. 
    - shorten the workstation checks and so user should not pass verification of his existence in AD
    - secure DHCP so it's not going to assign IPs to everyone
    - split ranges of assigned IPs from DHCP to guests/others and AD computers so then simple source IP in policy will eliminate those out of AD
    - make DHCP semi-static, assign static (always the same) IP per MAC to known workstations and reject others
     
    If you wont a stronger authentication then switch to port based identity .. 802.1x !
     
    King regards,
    Tomas
     

    Kind Regards,
    Tomas
    #2
    fmuianga
    New Member
    • Total Posts : 8
    • Scores: 0
    • Reward points: 0
    • Joined: 2018/02/08 09:51:12
    • Status: offline
    Re: Internet Access using FSSO 2018/02/13 09:46:08 (permalink)
    0
    Thank you for analyzing and for sparing me some aspects
     
    Regards,
    Frederico Muianga
    #3
    fmuianga
    New Member
    • Total Posts : 8
    • Scores: 0
    • Reward points: 0
    • Joined: 2018/02/08 09:51:12
    • Status: offline
    Re: Internet Access using FSSO 2018/02/14 05:15:04 (permalink)
    0
    Hello Tomas, there is one aspect that I think I have not presented that concerns logout or is one of my concerns beyond that above is that local non-AD accounts should not have access to the internet, when i authenticate with a AD account with internet access and then log off to log in with the local Administrator account i reach internet access with this local account. When I log in with an AD account and log out to enter another AD account there it does replace the user on IP because the two are from AD. What might be causing this problem?
     

    That is, with the two AD accounts it is possible to detect the logoff event, now when you log off with an AD account to sign in with a local account it is as if the AD user had not logged in. I want the firewall to detect the logon of the AD user, however much it is to enter with a local account, it should detect the logoff and not give the internet access to a local account.
     
    Thank you very much for your help, your problem analysis was important.
     
    Regards
    FMuianga
    #4
    Jump to:
    © 2018 APG vNext Commercial Version 5.5