Technical Tip: SSL VPN Certificate Man in the Middle (MitM) attack mitigation for SMEs

Description

This article has been raised due to the highlighted problem and complexity of managing SSL certificates referenced in these articles:

Fortinet VPN with Default Settings Leave 200,000 Businesses Open to Hackers.
https://thehackernews.com/2020/09/fortigate-vpn-security.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29
 
Breaching The Fort.
https://securingsam.com/breaching-the-fort/

FortiGate VPN Default Config Allows MitM Attacks.
https://threatpost.com/fortigate-vpn-default-config-mitm-attacks/159586/

When access to Fortinet SSLVPN with a self-signed certificate is made, the user will receive a certificate warning alert to inform the user that the certificate is untrusted or unknown and ask the user to confirm if they would like to accept this certificate.
The common message from FortiClient (Fortinet VPN Client):

The following instructions describe how to mitigate SSL Man in the Middle (MitM) attacks when connecting to SSL VPN and are aimed especially at small-medium businesses who regularly have a work-from-home routine and now require near-enterprise grade security, but unfortunately do not have the resources and expertise to maintain enterprise-level security systems.

The common message in a browser is:

Solution

 

- Select the Server with the account.
- Enter the Unique Location, i.e. the location of the FortiGate, try to use short internal prefixes
- Select 'Apply'.

 

Ref : https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/685361/ddns

 

3) Register your domain e.g. branch.float-zone.com certificate for a verified Certificate Authority (CA)

- Purchase an SSL certificate package from a Certificate Authority (CA). 

 

•  SSL certificate packages can be purchased from any CA, such as Comodo, GoDaddy, or GlobalSign.

 

- To purchase a certificate package:

 

•  Create an account with the chosen vendor, or use the account used to purchase the domain.
• Locate the SSL Certificates page.
• Purchase a basic SSL certificate for domain validation only.
• After purchasing the certificate, the CA will direct to setup the certificate so that it can be verified.

- If the CA needs a Certificate Signing request (CSR),follow these steps, other wise go to Setup the SSL certificate.

 

Some CAs can auto-generate the CSR during the signing process, or provide tools for creating CSRs, such as GlobalSign’s SSL Certificate Signing Request Tool.
If necessary, a CSR can be quickly created from the FortiGate GUI.

 

- Log in to the FortiGate unit and browse to System -> Certificates.
- Select Generate in the toolbar.
- Enter the required information in the Generate Certificate Signing Request screen:

 

•  Ensure that the certificate has a unique name. e.g. branch.float-zone.com-cert
• Select Domain Name in the ID Type field. - branch.float-zone.com
•  Ensure that the Key Size is set to 2048 Bit.
• Set the Enrollment Method to File Based.
• Select OK to create the CSR.

 

 

The CSR will be added to the certificate list with a status of PENDING.

 

- Select the new CSR in the Local Certificates page and select Download to save the CSR to your computer.
The CSR file can be opened in any text editor and should resemble the
following:
-----BEGIN CERTIFICATE REQUEST-----MIIDDjCCAfYCAQAwgZcxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEV
………
WP2WDWfUp8zx1jYQJpgOjBmW
-----END CERTIFICATE REQUEST------

 

Setup the SSL certificate.

 

Note: The following instruction use GoDaddy as an example.

 

- Immediately after purchasing the certificate, you will be taken to your account page.
- Find the newly purchased certificate and select Manage to open the Certificate page.
- Select Setup.
- If a CSR generated by the FortiGate is used:

a. Open the CSR file in a text editor
b. Copy the file contents
c. Paste it into the text box.

- Select a signature algorithm, read and then agree to the subscriber agreement, then select Request Certificate.

 

 

- The Certificate Verification screen opens, the certificate is verified and the user is redirected to the Certificate Management screen.
- Select Download to download the signed certificate, as a Zip file, to your computer. – The server type can be set to Other.

 

4) Import the signed certificate into the FortiGate.

 

- Unzip the file downloaded from the CA.
There should be two .CRT files: a CA certificate with bundle in the file name, and a local certificate.

 

    - Log in to the FortiGate unit and browse to System - > Certificates.
    - Select Import - > Local Certificate to import the local certificate.

 

The status of the certificate will change from PENDING to OK.

 

    - Import the CA certificate by selecting Import -> CA Certificate. It will be listed in the CA Certificates section of the certificates list.

 

Configure SSL VPN using the signed certificate.

 

5) Configure your FortiGate device to use the signed certificate

 

- Log in to your FortiGate unit and browse to VPN - > SSL - > Settings.
- In the Connection Settings section, locate the Server Certificate field.
- Select the new certificate from the Server Certificate  drop-down menu.
- Select Apply to configure SSL VPN to use the new certificate.

 

Test the SSL VPN connection in a browser e.g. https://branch.float-zone.com

 

The certificate error message should not appear.

 

Note:

Fortinet VPN appliances are designed to work out-of-the-box for customers so that organizations are enabled to set up their appliance customized to their own unique deployment.

Each VPN appliance and the set up process provides multiple clear warnings in the GUI with documentation offering guidance on certificate authentication and sample certificate authentication and configuration examples.

Fortinet strongly recommends adhering to its provided installation documentation and process, paying close attention to warnings throughout that process to avoid exposing the organization to risk.