In this post, I would like to draw attention to one of the key features of the FortiManager 6.4 release, which has considerably improved the workflow for IPS administrators in organizations that are consolidating functions: eliminating the need for a dedicated standalone intrusion prevention system (IPS) by turning on the IPS capability in their existing FortiGate network firewall.
Restricted IPS Admin Profile
The restricted IPS admin profile feature helps customers who are transitioning from dedicated IPS solutions to Fortinet products. It provides replacement functions for IPS administration.
Let's look at the problem this feature is trying to solve for our customers and build our case from there.
Traditionally, most enterprises deployed dedicated IPS systems that were managed by the security teams. The security teams responsible for the security policy and posture wielded control over the IPS console: they created new policies, added or modified signatures based on their threat assessment, turned on signatures to protect against new threats, and turned off signatures for obsolete systems to preserve precious inspection capacity.
With the NGFW evolution, most NGFW vendors started implementing strong IPS capabilities in their platforms. The majority suffered from poor results, because resource- and compute-intensive tasks like IPS can slow down the network firewall considerably.
Challenges facing the security teams:
- Reduce Cost and Complexity
The evolution of network infrastructure resulted in an explosion of tools and products that enterprises use to deliver security across their hybrid infrastructure. With the advent of cloud computing, enterprises started the process of "consolidation of functions" or "consolidation of products" to maximize their investment and stay competitive on their on-premise security infrastructure. One of the major drivers of the consolidation wave across enterprises big and small is to reduce the cost spent on point functions and to eliminate complexity by consolidating multiple security and networking functions into a single appliance.
Consolidation of IPS into NGFW:
The most visible and most effective consolidation trend, and the one that has had the most significant impact on the network landscape, is the consolidation of the dedicated IPS function into the NGFW. NGFWs have been able to absorb the IPS capability and reduce complexity by eliminating the need to install a dedicated IPS, since the same function, with similar security effectiveness, can now be implemented in the network firewall, which is an essential networking appliance and has now become the converged platform for networking and security capabilities in the enterprise.
The rise of the consolidation trend has resulted in a significant issue for the security team:
- How to minimize operational friction between network and security operations teams
Traditionally in the enterprise, the network team's role is to keep the network up and manage all the appliances in it, while the security team is responsible for managing security devices and security policies. With the consolidation drive, security policies now need to be managed on networking devices that have been under the control of the network team, which is often reluctant to share that control for fear of network disruption. The result is friction between the two teams over when to push IPS policy and how frequently to push IPS updates to the NGFW.
Fortinet FortiGate delivers a comprehensive network security platform that provides unparalleled IPS inspection without impacting the network. This is enabled by FortiGate's unique architecture, which uses specialized processor units (SPUs) to distribute network and security operations to dedicated SPUs, resulting in superior performance.
FortiManager has been at the forefront of Fortinet's solution to reducing complexity by delivering a single pane of glass to manage the entire Fortinet Security Fabric. By creating a restricted IPS admin profile, the networking team enables the security team to work independently without impacting the networking capabilities or functions, thereby minimizing operational friction between the two teams.
How does this feature work?
To learn how to create a Restricted IPS Admin Profile, follow the instructions below or click the link below to see it in action in a video.
How to Video Link: https://www.youtube.com/watch?v=NUAA0w9GeZ8
To set up a Restricted IPS Admin Profile:
- Go to System Settings. In the tree menu, select Profile. Click Create New to create an admin profile with its type set to Restricted Admin.
- Select the admin profile and click Edit from the toolbar. Alternatively, double-click the admin profile to edit it.
  The Edit Profile pane is displayed.
  Toggle Allow to Install ON or OFF to enable or disable the "Install" permission for the restricted admin. Click OK.
  By default, Allow to Install is ON. When it is OFF, the IPS admin can only make IPS configuration changes and has no permission to push those changes down to FortiGate.
- In the tree menu, select Administrators. Click Create New from the toolbar to create an administrator.
- Select the administrator and click Edit from the toolbar. Alternatively, double-click the administrator to edit it.
  The Edit Administrator pane opens.
- In the Edit Administrator window, select the profiles for permissions and click OK.
- Log in with your IPS admin credentials. Go to Intrusion Prevention > Profiles and Custom Signatures.
  The IPS admin is able to create, edit, or delete IPS profiles and custom signatures.
- Select a profile, right-click, and select either Install or Where Used.