
How to deploy FortiGate based on ZStack Cloud platform

2025-01-18 update. Source: SLTechnology News&Howtos (Servers section)


Shulou (Shulou.com), 06/01 report

This article describes how to deploy FortiGate on the ZStack cloud platform, walking through the design and the configuration steps so that readers facing the same task have a simple, workable method to follow.

Preface

As cloud computing technology has matured, it has been widely recognized and adopted, and many organizations have built or are about to build cloud platforms. At the same time, the information-service-centric model has taken hold, new applications are appearing in large numbers, and organizations have begun to migrate traditional applications to the cloud.

Cloud computing brings revolutionary changes to traditional IT infrastructure, applications, data and IT operations and management. It also raises problems and challenges for upgrading security measures, designing and implementing security applications, and running security operations, and in doing so drives innovation in what security services contain, how they are implemented and how they are delivered.

The cloud model stores data centrally on cloud servers and adds a virtualization layer on top of traditional IT, giving it resource pooling, on-demand allocation, flexible deployment and high reliability. But it also makes the virtual network harder to protect: east-west traffic between virtual machines on the same network segment, and traffic between different networks of the same tenant, may never pass through the physical firewall at the perimeter, so it cannot be inspected or audited there.

To adapt to the virtualized environment, and to monitor and control traffic between virtual machines as well as traffic crossing security-domain boundaries, security devices have changed in product form and deployment mode while keeping their architecture and functions.

In product form, the change is mainly from hardware to software. In deployment mode, the virtual network is designed so that the virtual security devices sit at a sensible logical position, while ensuring that security measures and policies follow a virtual host when it is live-migrated.

On the ZStack cloud platform, we can deploy security devices in the form of virtual machines very quickly. This paper takes FortiGate as an example.

1 introduction to ZStack

ZStack is the next generation of open source cloud computing IaaS (Infrastructure as a Service) software. It is mainly oriented to the intelligent data center of the future, through flexible and comprehensive APIs to manage data center resources, including computing, storage and network. Users can use ZStack to quickly build their own intelligent cloud data center, and they can also build flexible cloud application scenarios on top of a stable ZStack.

ZStack functional architecture

ZStack product advantages:

ZStack is a next-generation IaaS cloud platform built around the "4S" standard: Simple, Strong (robust), Scalable (elastic) and Smart (intelligent).

1) Simple

Simple installation and deployment; a single-node POC can be installed in 30 minutes, with a full UI.

2) Strong (robust)

Stable and efficient system architecture, supporting highly concurrent API requests and strict HA requirements.

3) Scalable (elastic)

Scales to tens of thousands of physical machines; virtual machines support both horizontal and vertical scaling.

4) Smart (intelligent)

Automated operations and maintenance, one-click upgrade in 5 minutes, real-time global monitoring.

2 introduction to FortiGate

FortiGate is Fortinet's UTM solution and defends against attacks at both the network layer and the content layer. It detects and blocks multi-layer attacks such as viruses, worms, intrusions and malicious web content in real time without degrading network performance. Its security architecture covers anti-virus, anti-spam, firewall, VPN, intrusion detection and prevention, and traffic optimization.

FortiGate product advantages:

With the ever-changing network environment, usage patterns and threats, enterprises are facing a variety of challenges. The FortiGate next-generation firewall module can help enterprises solve these challenges. It provides rich features, proven security, and easy to use. Administrators can also gain critical real-time visibility into the state of the network and threats, enabling them to act quickly and effectively.

Security Gateway for the Future

The FortiGate extensible architecture allows enterprises to easily activate security modules without the need for complex licensing and hardware modules.

Industry-proven security

Compared with competing products, FortiGate holds more industry certifications, which attest to the functional quality of the product and the protection it provides to customers.

Simple and easy to use

Intuitive single-pane management ensures consistent policy creation and enforcement, helping administrators minimize deployment and configuration challenges.

Comprehensive visibility

FortiGate provides better traffic visibility and more consistent, fine-grained control of users, devices, applications, and sensitive data.

Extensive network support

FortiGate supports a variety of network design requirements and is interoperable with other network devices.

Implement policies based on identity

FortiGate supports local and remote authentication services such as LDAP, RADIUS and TACACS+ to identify users and apply the appropriate access policies and security profiles.

Advanced intrusion protection

Fortinet's next-generation IPS technology can protect the network at the application layer and help protect against advanced attacks that can circumvent security technologies.

3 deploy FortiGate

3.1 Architecture introduction

Security protection is essential in any network. The traditional approach is to deploy a series of physical security devices at the network exit: a physical firewall, IPS, anti-virus gateway and so on. The cloud network also has a virtual firewall, but the one built into the cloud platform has limited functions: it only does layer-4 packet filtering and lacks intrusion detection, intrusion prevention, virus protection and similar features. Can the products of a professional security vendor be combined with the cloud platform? Yes, by using the vendor's virtual appliances. Fortinet's products are all available as virtual machines; this article covers the deployment of the FortiGate firewall.

FortiGate is deployed as a CVM (cloud virtual machine). The CVM has two network cards, one on the public network and one on the private (VPC) network. The public network side connects to the physical network devices; the VPC side connects to the business virtual machines and acts as their gateway.

OSPF is enabled on FortiGate, and the virtual machine network segment is advertised to the physical switch neighbours, which propagate it to the whole network so that the whole network can reach the business virtual machines. Traffic to the business virtual machines is first inspected by FortiGate and then forwarded to them.

3.2 preparation of cloud platform environment

For more information on the deployment steps of ZStack cloud platform, please see the official document: https://www.zstack.io/help/product_manuals/user_guide/3.html#c3

Create a CVM

Select "Cloud Resource Pool" -> click "CVM" -> click the "Create CVM" button to open the CVM creation page

To create a CVM:

1) Choose the creation method: single virtual machine

2) Set the CVM name to FortiGate

3) Select the compute specification

4) Select the FortiGate image template

5) Select the layer 3 network. When configuring the network, reserve an IP for FortiGate in the VPC, because the cloud platform does not allow a virtual machine to be created with the gateway IP. For example, if the gateway is 10.20.0.1, reserve 10.20.0.254 for FortiGate, specify 10.20.0.254 when creating the FortiGate virtual machine, and then log in to FortiGate and change the interface IP to 10.20.0.1 (the address the business virtual machines will use as their gateway).

6) Check the configuration and click "OK" to start creation.

4 configure FortiGate

4.1 basic configuration

Open the FortiGate virtual machine console and log in to the FortiGate CLI. The default user name is admin and the default password is empty (newer FortiOS releases prompt you to set a password at first login; set one in any case before exposing the management interface).

Configure the port IPs (FortiOS CLI, commands in lower case as documented):

    config system interface
        edit port1
            set mode dhcp
            set allowaccess ping https ssh snmp http
        next
        edit port2
            set ip 10.20.0.1 255.255.255.0
            set allowaccess ping https ssh snmp http
        next
    end

port1 is the public-network side and port2 the VPC side (10.20.0.1 is the gateway address reserved in 3.2). Note that this enables unencrypted HTTP and SNMP management on the public-facing port1; in production restrict allowaccess on port1 to https and ssh (or ping only) and manage the device from the inside.

4.2 Log in to the web management side

In a browser, open the address that port1 obtained by DHCP (172.32.1.240 in this environment) to reach the login page; use https where possible.

Enter the default user name admin. The password is empty. Click to log in.

4.3 configure Port Policy

Select Policy & Objects -> IPv4 Policy in the left navigation bar (called Firewall Policy in newer FortiOS releases).

Click "New", configure the traffic policy from outside (port1) to inside (port2), and click OK.

Click "New" again, configure the traffic policy from inside (port2) to outside (port1), and click OK. For the connectivity test that follows, both policies accept all services; the inbound one is tightened in 4.6.

4.4 configure a dynamic routing protocol

Select Network -> OSPF in the left navigation bar.

Configure the appropriate area and advertise the 10.20.0.0/24 network of the business virtual machines.

Configure the physical switch correspondingly so that it forms an OSPF neighbour relationship with FortiGate (over port1) and exchanges routing information.

4.5 Connectivity Test

Create a virtual machine in the VPC with its gateway set to the port2 IP of FortiGate (10.20.0.1).

Ping the virtual machine from a host outside the cloud platform: the virtual machine replies, which shows that the route advertised by OSPF and both firewall policies are working.

4.6 modify policy

Modify the inbound policy so that only TCP packets are allowed.

Testing ping again, ICMP no longer gets through, confirming that traffic to the business virtual machine is being filtered by FortiGate.
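The following is an added example, not configuration from the original article, that writes out sections 4.1 to 4.6 as one FortiOS CLI configuration as a practitioner would apply it on the FortiGate virtual machine: both interfaces (including the port2 change to the gateway address reserved in 3.2), the OSPF announcement of the business segment, and the two firewall policies with the inbound one already restricted to TCP as in 4.6. The article gives only port1 = DHCP and port2 = 10.20.0.1/24; the static 172.32.1.240/24 on port1 (the address the article observed from DHCP), the router-id, area 0.0.0.0, the policy names and the interface aliases are assumptions, and allowaccess on port1 is narrowed to https and ssh rather than the article's http and snmp.

```text
# Added example, not from the original article. Assumptions: port1 is made
# static at the address DHCP handed out (172.32.1.240/24), OSPF area 0.0.0.0,
# router-id = port1 address, policy and alias names are illustrative.
config system interface
    edit "port1"
        set mode static
        set ip 172.32.1.240 255.255.255.0
        # public-facing: encrypted management only (article also enables http/snmp)
        set allowaccess ping https ssh
        set alias "outside"
    next
    edit "port2"
        set mode static
        # the VPC gateway address reserved in section 3.2
        set ip 10.20.0.1 255.255.255.0
        set allowaccess ping https ssh
        set alias "inside"
    next
end

config router ospf
    set router-id 172.32.1.240
    # no adjacencies towards tenant VMs: port2 is passive
    set passive-interface "port2"
    config area
        edit 0.0.0.0
        next
    end
    config network
        # advertise the business VM segment so the whole network can reach it
        edit 1
            set prefix 10.20.0.0 255.255.255.0
            set area 0.0.0.0
        next
        # the transit segment towards the physical switch
        edit 2
            set prefix 172.32.1.0 255.255.255.0
            set area 0.0.0.0
        next
    end
    config ospf-interface
        edit "port1-ospf"
            set interface "port1"
        next
    end
end

config firewall policy
    # inbound: section 4.6, TCP only, so ICMP ping now fails
    edit 1
        set name "outside-to-vpc"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL_TCP"
        set logtraffic all
    next
    # outbound: routed, not NATed, because OSPF advertises 10.20.0.0/24
    edit 2
        set name "vpc-to-outside"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

After applying this, `get router info ospf neighbor` on FortiGate should show the physical switch in Full state, and the 4.5 ping from outside should fail while a TCP connection (for example to port 22 or 80 on the business VM) still succeeds, which is the behaviour the article observes in 4.6.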

5 introduction to other features of FortiGate

5.1 single page full policy configuration

FortiGate puts all policy-related settings on a single configuration page, which is convenient, avoids repeatedly switching between pages, and follows a logical order.

First come the connectivity settings: the inbound and outbound interfaces, then the schedule during which the policy is active, the services involved and the action to take. For example: 09:00-18:00, the FTP service, allowed.

Once connectivity is settled, the next step is security protection, such as intrusion prevention, anti-virus and web protection. On FortiGate this is simple: click the toggle for the function you need and select a security profile. For example, to enable application control and IPS, switch the grey OFF toggle to the red ON and choose the corresponding profile from the drop-down list; if none suits, create a new one directly on the same page. Then there are the additional features such as rate limiting and bandwidth guarantee (traffic shaping) and logging. At this point a complete policy has been configured.
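As an added example (not from the article or from Fortinet's own documentation), here is the CLI equivalent of the single-page policy just described: a recurring schedule for 09:00-18:00 on weekdays, the FTP service, accept, with IPS, anti-virus and application control enabled and a bandwidth-guarantee shaper and logging attached. The interface names port1/port2 follow section 4; the policy name, the schedule name and the use of the built-in profile names ("default", "certificate-inspection", "guarantee-100kbps") are assumptions, since those profiles can be renamed or absent depending on the FortiOS release.

```text
# Added example, not from the original article. Assumes the built-in profile
# names of a default FortiOS install; adjust to the names present on the unit.
config firewall schedule recurring
    edit "office-hours"
        set day monday tuesday wednesday thursday friday
        set start 09:00
        set end 18:00
    next
end

config firewall policy
    edit 3
        set name "ftp-office-hours"
        # connectivity part of the page: interfaces, schedule, service, action
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "office-hours"
        set service "FTP"
        # security part of the page: the ON toggles and their profiles
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set av-profile "default"
        set application-list "default"
        # additional features: bandwidth guarantee and logging
        set traffic-shaper "guarantee-100kbps"
        set logtraffic all
    next
end
```

Because policies are matched top-down, place this entry above the broad "outside-to-vpc" rule from section 4 (use `move 3 before 1` in `config firewall policy`) or the FTP traffic will never reach it.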

5.2 Policy Statistics hit

As network equipment stays in service longer, large numbers of policy rules accumulate on all kinds of devices. A major challenge for network administrators is maintaining these policies and rules so that the business stays protected. As requirements change, administrators add and modify policies on the firewall again and again, and over time many useless policies build up, which degrade firewall performance and make administration harder.

A next-generation firewall therefore needs to track the use of these policies in real time, to guide administrators and help them delete useless and redundant policies. In the graphical management interface of FortiGate, the hit count of each policy is displayed clearly, making it easy for the administrator to decide whether a rule is still needed or can be deleted.

5.3 Application layer security

A traditional stateful inspection firewall allows, rejects or forwards traffic according to policies defined on the IP five-tuple, by examining packet headers and tracking connection state at the network layer (L3) and transport layer (L4). As networks and applications have developed, its weaknesses have become more and more obvious, and it can no longer guarantee network security. The main weaknesses are:

It knows only IP addresses and ports and does not recognize applications. TCP port 80, for example, may carry HTTP, an IM client such as QQ, or a P2P download tool such as Xunlei; any application can be tunnelled over TCP port 80, and the firewall cannot tell the difference.

It inspects only the packet header and cannot scan the packet payload, so it cannot determine whether the access is safe or carries a threat (network intrusion, viruses, objectionable content, spam, data leakage and so on).

In addition to the traditional firewall functions, FortiGate can detect and filter a wide range of security threats and abuses from the network layer up to the application layer. This kind of product is currently called an NGFW (Next Generation Firewall) or UTM (Unified Threat Management) device.

More advanced features of FortiGate are as follows:

5.4 Application layer Gateway

Multimedia protocols such as H.323, SIP, RTSP, MMS and MGCP, and special applications such as FTP and Oracle, open data ports dynamically as the session proceeds. FortiGate provides ALGs for more than 20 network applications; it recognizes these protocols and opens and closes the data ports dynamically under session control. In NAT mode the ALG also rewrites the addresses and ports embedded in the packet payload so that the applications keep working.

5.5 VPN: IPsec and SSL

With the increasing variety of cyber threats, protecting corporate networks, businesses and partners, and the security of communications between companies and mobile employees has become more important than ever. The destruction of data, the leakage of information, and the infection of networks and systems cost companies and governments a lot of money every year.

Fortinet VPN technology lets enterprises use the IPsec and SSL VPN protocols to establish secure, private communication between multiple networks and hosts. Once the traffic is decrypted, the full set of threat inspections, including antivirus, intrusion prevention, application control, email filtering and web filtering, can be applied to all content passing through the VPN tunnel.

IPsec VPN tunnels operate at layer 3 of the OSI model. For remote access, FortiGate establishes an encrypted connection between the remote node and the internal network. SSL VPN is easier to set up because it works at the application layer of the OSI model, independently of the underlying network architecture; since SSL/TLS is built into every web browser for HTTPS, no additional endpoint configuration is required.

Fortinet's IPSec and SSL VPN technologies on the FortiGate platform are closely integrated with other security functions, such as firewall, antivirus, web filtering and intrusion prevention, which can provide more comprehensive protection than individual VPN security devices.

6 Summary

On the ZStack cloud platform, FortiGate can be deployed quickly to protect CVMs. Configuring FortiGate is no different from the physical environment, and deployment is faster. Beyond firewalling, FortiGate gives the CVMs mature protection features such as IPS, antivirus and web protection. Compared with the cloud platform's built-in layer-4 packet filtering, FortiGate protection is more comprehensive and reliable, making the business systems more secure.
