Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
knowles13088
New Contributor

Liberal policy

Hello, all:

 

This question is against the very grain of my soul, but I have to ask.

 

In all cases (except this one), I setup very strict security rules to keep the networks I manage safe: very limited ports and services allowed, using web and DNS filters, etc.

 

I am asked to put in a Fortigate without knowing very little about the network. As best I can describe what I am being told, it should have the look and feel of two residential networks sharing one ISP. I can't make any other assumptions. I really cannot rule out things like custom apps or communications that have the look/feel of a game potentially.

 

I've started by just allowing all services in the IP4 policies, with AV, default DNS and SSL set (see attachment)

 

 

I will not have any easy access to this location should I need to adjust or correct for anything. And the location owner would be very demanding in something being addressed with all haste (this is as diplomatically as I can put that). They have absolutely no concepts of networks, much less network security.

 

Can anyone take pity on me (  ) and offer some suggestions of things to deny? Or should I just leave then to their own devices?

1 Solution
ede_pfau
Esteemed Contributor III

I was surprised that you didn't use the 'any' interface for that policy...really, seen this more than once. It degrades a firewall to a piece of wire. An expensive one, though.

 

But, this is not a technical problem. As far as I can read between the lines, it's about your responsibility and the lack of means to achieve a certain level of it.

 

My point of view is that the customer and I work together in a team. In particular, we share common beliefs and goals. One of them is that security comes at a price, and another that we will do whatever it takes to make the network secure. This might encompass stricter rules on the customer's side, banning applications etc. It's not a one-way street.

 

If that (non-technical) part is clear, we go ahead. If it is not, I refuse the job. From experience, the consultant is very often used to transfer blame from the customer to someone external. And I won't take the blame if I was not entitled to prevent it in the first place.

Not every opportunity is a good job.

 

Just my 2 cents (Euro cents :)


Ede

"Kernel panic: Aiee, killing interrupt handler!"

View solution in original post

Ede"Kernel panic: Aiee, killing interrupt handler!"
3 REPLIES 3
lobstercreed
Valued Contributor

Hey Peter,

 

Would you have any ability to log or remotely monitor the traffic from these firewalls?  When my mandate is simply to "make it work", I build at least 2 rules; one or more rules for known good/safe traffic, and catch-all rule for all other traffic like you made here.  I monitor all the traffic hitting the catch-all (log to FortiAnalyzer if at all possible) and then dig through logs when I have time to better define needed traffic.  This assumes you have a FortiAnalyzer and that you can periodically manage the config of the firewalls, which it sounds like might be an issue.

 

Beyond that I just have a *very* limited list of things that my predecessor blocked before we went to a default-deny configuration.  I could pass that along, but it's mostly obvious stuff like MS-SQL, RDP, TFTP, SMB, LPD, etc.

 

- Daniel

rwpatterson
Valued Contributor III

Refuse the job. Sounds like more trouble than it's worth unless you're getting paid a boat load of money... This is the type of install where you get calls all hours of the night for something that gets you very little in return.

 

My two cents, not knowing the big picture.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
ede_pfau
Esteemed Contributor III

I was surprised that you didn't use the 'any' interface for that policy...really, seen this more than once. It degrades a firewall to a piece of wire. An expensive one, though.

 

But, this is not a technical problem. As far as I can read between the lines, it's about your responsibility and the lack of means to achieve a certain level of it.

 

My point of view is that the customer and I work together in a team. In particular, we share common beliefs and goals. One of them is that security comes at a price, and another that we will do whatever it takes to make the network secure. This might encompass stricter rules on the customer's side, banning applications etc. It's not a one-way street.

 

If that (non-technical) part is clear, we go ahead. If it is not, I refuse the job. From experience, the consultant is very often used to transfer blame from the customer to someone external. And I won't take the blame if I was not entitled to prevent it in the first place.

Not every opportunity is a good job.

 

Just my 2 cents (Euro cents :)


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Labels
Top Kudoed Authors