lmomesso

A Fortune 500 warehouse club operator faced challenges in enhancing their security design and best practices within their AWS infrastructure. They turned to Fortinet Cloud Consulting Services for strategic development of a comprehensive security design tailored to their needs.

Expertise in Selecting the Right Cloud Architecture

The Fortinet Cloud Consulting Services team initiated a detailed consultation process and built an architecture that incorporates the FortiGate Next Generation Firewall into a central network Security Virtual Private Cloud (VPC) for deep packet inspection. The designed architecture emphasized scalability, reliability, cybersecurity, and robustness. Fortinet architects thoroughly analyzed the existing environment and requirements to develop solution options.

A notable aspect of this collaboration was the comprehensive evaluation of diverse architectural designs. The Fortinet consultants outlined multiple options, highlighting their unique benefits and potential challenges. This in-depth analysis enabled the customer to make informed decisions, ensuring their infrastructure not only satisfied current needs but was also adaptable for future advancements, facilitating a smooth migration. The recommendations for the customer in subsequent phases are three-fold:

  1. Leverage AWS services in operations.
  2. Perform ongoing security posture assessments to validate that the compute, network, and storage in AWS follow best practices. Should alerts be flagged as deviations, initiate actions to investigate and, if necessary, remediate.
  3. For externally facing web servers, investigate protection of web applications through purpose-built Web Application Firewalls (WAF) that can detect and prevent web application attacks.

Centralized Firewall Policy Management and Full Visibility of Network Traffic

A pivotal aspect of the Fortinet solution was the integration of FortiGate-VMs with the Gateway Load Balancer (GWLB) in combination with Transit Gateway (TGW), which was instrumental in achieving granular inspection of all the flows in the customer environment, both north-south and east-west. The customer had public-facing workloads fronted by an AWS Application Load Balancer, private workloads without an elastic IP that still needed to access the Internet, inter-VPC flows, and traffic between their on-premises data center and AWS. All these flows are now inspected by FortiGate for compliance with business policies. This setup not only enhanced the security posture but also improved network visibility, offering a scalable and resilient architecture that could adapt to the evolving demands of the digital landscape.

Further enhancing the security solution, Fortinet Cloud Consulting Services also facilitated the deployment of centralized firewall policy management through FortiManager. This integration allowed for streamlined and consistent policy administration across the customer's entire network landscape, significantly simplifying the management of security policies.

Additionally, with the integration of FortiAnalyzer, the customer gained full visibility into network traffic. This tool provided comprehensive logging, analysis, and reporting capabilities, enabling the customer to monitor, understand, and respond to network activities effectively. These additions were crucial in achieving a holistic security stance, offering the customer an unparalleled level of control and insight into their network security.

The figure below shows the architectural implementation.

Figure: BJs-Architecture.PNG (architectural implementation)

Security Hub provides threat intelligence for FortiGate

AWS Security Hub functions as a cloud security posture management solution, consolidating security alerts (known as findings) into a uniform structure. This helps customers enrich, explore, and resolve these alerts more efficiently. Fortinet Cloud Consulting developed a Lambda script named 'aws-lambda-securityhub'. The Lambda function retrieves the count of high severity findings, tags the affected EC2 instance according to predefined thresholds, and thereby enables FortiGate to filter traffic based on these tags. To enable this integration, the customer needs to enable the following AWS services:

  • GuardDuty,
  • Inspector,
  • Security Hub,
  • CloudWatch.
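The tagging flow described above, written out as an added illustration that is not Fortinet's 'aws-lambda-securityhub' code: the handler pages through active, unresolved HIGH and CRITICAL Security Hub findings, counts them per EC2 instance, and writes a risk tag that tag-based dynamic address objects on FortiGate can then match. The tag key `SecurityHubRisk`, the thresholds, the two fake AWS clients and the sample findings are assumptions constructed so the example runs offline; `lambda_handler` creates real boto3 clients only when none are injected.

```python
"""Added example, not Fortinet's 'aws-lambda-securityhub' code: count HIGH and
CRITICAL Security Hub findings per EC2 instance and tag each instance with a
risk label. Tag key, thresholds and the fake AWS clients are assumptions."""
from collections import Counter

TAG_KEY = "SecurityHubRisk"                          # assumed tag key
THRESHOLDS = [(5, "quarantine"), (1, "restricted")]  # assumed: count >= n -> label
SEVERITIES = ("CRITICAL", "HIGH")


def risk_level(count):
    """Map a finding count to a label, checking the highest threshold first."""
    for minimum, label in THRESHOLDS:
        if count >= minimum:
            return label
    return "clean"


def instance_ids_from_finding(finding):
    """EC2 instance ids named in a finding's Resources (the ARN ends in /i-...)."""
    return [res["Id"].rsplit("/", 1)[1] for res in finding.get("Resources", [])
            if res.get("Type") == "AwsEc2Instance" and "/" in res.get("Id", "")]


def count_high_findings(securityhub):
    """Page through ACTIVE, unresolved HIGH/CRITICAL findings; count per instance."""
    filters = {
        "SeverityLabel": [{"Value": s, "Comparison": "EQUALS"} for s in SEVERITIES],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "WorkflowStatus": [{"Value": s, "Comparison": "EQUALS"} for s in ("NEW", "NOTIFIED")],
    }
    counts = Counter()
    for page in securityhub.get_paginator("get_findings").paginate(Filters=filters):
        for finding in page["Findings"]:
            # Re-check severity client-side so a loosened filter cannot inflate counts.
            if finding.get("Severity", {}).get("Label") in SEVERITIES:
                for iid in instance_ids_from_finding(finding):
                    counts[iid] += 1
    return counts


def list_instance_ids(ec2):
    """All instances in the region, so instances with no findings are tagged 'clean'."""
    return [inst["InstanceId"]
            for page in ec2.get_paginator("describe_instances").paginate()
            for reservation in page["Reservations"]
            for inst in reservation["Instances"]]


def tag_instances(ec2, counts, instance_ids):
    """Write the risk tag on each instance; return {instance_id: label}."""
    applied = {}
    for iid in instance_ids:
        applied[iid] = risk_level(counts.get(iid, 0))
        ec2.create_tags(Resources=[iid], Tags=[{"Key": TAG_KEY, "Value": applied[iid]}])
    return applied


def lambda_handler(event, context, securityhub=None, ec2=None):
    """Lambda entry point; boto3 clients are created only when none are injected."""
    if securityhub is None or ec2 is None:
        import boto3  # assumed present in the Lambda runtime
        securityhub = securityhub or boto3.client("securityhub")
        ec2 = ec2 or boto3.client("ec2")
    return tag_instances(ec2, count_high_findings(securityhub), list_instance_ids(ec2))


# ---- constructed offline stand-ins for the two AWS clients ----
class _Paginator:
    def __init__(self, pages):
        self._pages = pages
    def paginate(self, **kwargs):
        return iter(self._pages)


class FakeSecurityHub:
    def __init__(self, findings):
        self._findings = findings
    def get_paginator(self, name):
        # Two pages, to exercise the pagination loop.
        return _Paginator([{"Findings": self._findings[:2]}, {"Findings": self._findings[2:]}])


class FakeEc2:
    def __init__(self, instance_ids):
        self._ids = instance_ids
        self.tags = {}  # what create_tags wrote, for inspection
    def get_paginator(self, name):
        return _Paginator([{"Reservations": [{"Instances": [{"InstanceId": i} for i in self._ids]}]}])
    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.tags[r] = {t["Key"]: t["Value"] for t in Tags}


def _finding(instance_id, severity):
    """Constructed ASFF-shaped finding carrying only the fields this example reads."""
    return {"Severity": {"Label": severity}, "Resources": [{"Type": "AwsEc2Instance",
            "Id": f"arn:aws:ec2:us-east-1:123456789012:instance/{instance_id}"}]}


def run_demo():
    """Constructed scenario: 6 HIGH on i-0aaa, 1 CRITICAL on i-0bbb, 1 MEDIUM on i-0ccc."""
    findings = [_finding("i-0aaa", "HIGH") for _ in range(6)]
    findings += [_finding("i-0bbb", "CRITICAL"), _finding("i-0ccc", "MEDIUM")]
    ec2 = FakeEc2(["i-0aaa", "i-0bbb", "i-0ccc"])
    return lambda_handler({}, None, securityhub=FakeSecurityHub(findings), ec2=ec2)
```

Instances that currently have no findings are still tagged, with the `clean` label, so an instance whose findings were resolved is released on the next run rather than staying quarantined; the Lambda's execution role needs only `securityhub:GetFindings`, `ec2:DescribeInstances` and `ec2:CreateTags`.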

The figure below shows the architectural diagram of the integration.

Figure: Security-Hub-Integration.PNG (Security Hub integration)

Leverage AWS services in Operations

Fortinet Consulting Services assisted the customer in leveraging AWS services, enhancing their operational efficiency and security measures. The following AWS services were covered for posture management, compliance, and risk mitigation:

  • AWS Config enables us to monitor and record AWS resource configurations continuously, ensuring compliance and facilitating audits.
  • IAM Access Analyzer helps identify and mitigate unintended external access to our resources, enhancing our security posture.
  • IAM Access Advisor provides detailed access information, allowing us to enforce a least privilege strategy effectively.
  • S3 Access Analyzer assesses data accessibility in our S3 buckets, ensuring data security.
  • Network Access Analyzer identifies unintended network access within our VPC, safeguarding our network paths.
  • AWS CloudTrail offers a comprehensive event history of account activities, aiding in detailed audits and tracking.
  • CloudWatch monitors our workload performance, alerting us to any issues that require attention.
  • VPC Flow Logs capture IP traffic data, providing insights into network traffic within our VPC.
  • Amazon GuardDuty continuously monitors for malicious activities, offering alerts on potential security threats.
  • Amazon Inspector automates vulnerability management, keeping our EC2 and container workloads secure from known vulnerabilities.
  • AWS Security Hub centralizes security alerts, giving us a comprehensive view of our security status.

Furthermore, the Fortinet Cloud Consulting Services team took a hands-on approach to ensure a smooth transition. They built all necessary deployment scripts, which streamlined the migration process and minimized potential disruptions. Recognizing the importance of ongoing knowledge and self-sufficiency, Fortinet’s experts provided comprehensive training on all components of the solution. This educational effort ensured that the customer's engineering staff were not just passive recipients of a new system but active participants in its operation and future development.