FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi (Staff)
Article Id 360090
Description: This article describes best practices and recommendations for FortiNAC hardening.
Scope: FortiNAC-F v7.4.0 and greater.
Solution

FortiNAC is a Network Access Control (NAC) server that is available both as a hardware appliance and as a virtual machine (VM). Its main function is to detect who and what is connecting to the network and then enforce control based on the selected criteria.

As with all servers, it can be vulnerable to exposed services, new vulnerabilities, poor administration, and a lack of continuous monitoring of its operation.

The following points provide recommendations and insights to improve the security posture of FortiNAC.

  1. Disable services that are not in use.

FortiNAC can enforce control in multiple ways, and several different solutions or designs can be used to reach the same goal.

Administrators should therefore first identify which ports, protocols, and services the chosen design needs, and which ones should be disabled.

Services can be enabled or disabled for port1 and port2 through the CLI:

naclab1 # show system interface
config system interface
    edit port1
        set ip 10.10.10.6/24
        set allowaccess http https-adminui nac-agent nac-ipc netflow ping radius radius-acct radius-local radius-local-radsec snmp ssh
    next
    edit port2
        set ip 10.20.20.2/24
        set allowaccess dhcp dns http https nac-agent ping
    next
end

In the above example, a large number of services are enabled.

Some of them are important and required for management purposes and network discovery. Others, however, might not be required.

Example: The user registers endpoints with the Persistent Agent and enforces control through the CLI. There is no RADIUS configuration in the network infrastructure.

In this case, the NAC agent service (TCP port 4568) is required, but there is no need to leave any of the RADIUS-related services enabled:

  • radius
  • radius-acct
  • radius-local
  • radius-local-radsec

Any service left available (in the listening state) might have vulnerabilities that can be exploited. In this step, it is imperative to identify the services FortiNAC needs to do its duty and then disable everything else. This results in a reduced attack surface.

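To make this step repeatable, here is an added Python example (not Fortinet code) that parses 'show system interface' output in the format shown above and reports, per port, the allowaccess services that are enabled but not on the deployment's allowlist, then builds the CLI that keeps only the required ones. The sample configuration and the allowlist are constructed for the article's scenario (Persistent Agent registration, no RADIUS) and are assumptions; it also assumes, as in the FortiOS-style CLI, that set allowaccess replaces the existing list.

```python
# Added example (not Fortinet code): audit FortiNAC 'show system interface' output
# against a per-port allowlist and build the CLI that keeps only required services.
import re

# Constructed sample in the CLI format shown in the article.
SAMPLE_CONFIG = """\
config system interface
    edit port1
        set ip 10.10.10.6/24
        set allowaccess http https-adminui nac-agent nac-ipc netflow ping radius radius-acct radius-local radius-local-radsec snmp ssh
    next
    edit port2
        set ip 10.20.20.2/24
        set allowaccess dhcp dns http https nac-agent ping
    next
end
"""

# Assumed allowlist for the article's scenario: Persistent Agent, SSH/SNMP
# management and discovery, and no RADIUS anywhere in the network.
REQUIRED = {
    "port1": {"https-adminui", "nac-agent", "nac-ipc", "ping", "snmp", "ssh"},
    "port2": {"dhcp", "dns", "http", "https", "nac-agent", "ping"},
}

def parse_allowaccess(config_text):
    """Return {port: set(services)} from a 'config system interface' block."""
    ports, current = {}, None
    for line in (raw.strip() for raw in config_text.splitlines()):
        if m := re.fullmatch(r"edit\s+(\S+)", line):
            current = m.group(1)
            ports[current] = set()
        elif current and (m := re.fullmatch(r"set allowaccess\s+(.+)", line)):
            ports[current] = set(m.group(1).split())
        elif line == "next":
            current = None
    return ports

def audit(config_text, required):
    """Return {port: sorted services to disable}; a port with no allowlist is reported in full."""
    return {port: sorted(enabled - required.get(port, set()))
            for port, enabled in parse_allowaccess(config_text).items()}

def remediation_cli(config_text, required):
    """CLI that re-sets allowaccess on each over-exposed port to its allowlist only."""
    body = []
    for port, extra in audit(config_text, required).items():
        if extra:
            keep = " ".join(sorted(required[port]))
            body += [f"    edit {port}", f"        set allowaccess {keep}", "    next"]
    return "\n".join(["config system interface", *body, "end"])
```

For the sample above, audit() lists http, netflow and the four RADIUS services as removable on port1 and nothing on port2.
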
Firewall policies should also be in place to deny unused services through the management port.

Firewall logs provide detailed information about traffic towards FortiNAC-specific services. These can be analyzed and used to detect malicious activity.

In FortiNAC it is possible to check port statistics and information about transmission errors. Although not a direct indication of exploit attempts, the network team should review these in case the relevant interface counters show errors.

diagnose hardware deviceinfo nic port1

Name: port1
Driver: hv_netvsc
Version: N/A
Bus: b3dXXX-ZZZZ-YYYYYYY
Hwaddr: 00:15:5d:XX:XX:XX
State: up
Link: up
Mtu: 1500
Speed: 10000full
Rx packets: 5864
Rx bytes: 966861
Rx dropped: 0
Rx compressed: 0
Rx errors: 0
  Rx Length err: 0
  Rx Buf overflow: 0
  Rx Crc err: 0
  Rx Frame err: 0
  Rx Fifo overrun: 0
  Rx Missed packets: 0
Tx packets: 6568
Tx bytes: 12865145
Tx dropped: 0
Tx compressed: 0
Tx errors: 0
  Tx Aborted err: 0
  Tx Carrier err: 0
  Tx Fifo overrun: 0
  Tx Heartbeat err: 0
  Tx Window err: 0
Multicasts: 619
Collisions: 0

Check the following documentation for more details on services and ports.

  2. Update FortiNAC software to the latest versions.

The latest versions of FortiNAC also include the latest security patches for NACOS and its applications. Before upgrading, it is important to check the release notes and review the "Known Issues" section in case an engineering report (ID) might impact the environment.

Other important release-note sections are: Upgrade Path, Compatibility, Upgrade Considerations, Pre-Upgrade Procedures, and hardware support for appliance versions.

Many companies restrict the communication needed to download OS updates and auto-definition updates. In an environment where a FortiNAC Manager is available, proxy settings can be configured so that the Manager directs this web traffic to a proxy server in order to download OS updates and auto-definition updates.

Administrators should frequently check for advisories concerning FortiNAC and other Fortinet products. These advisories are published by the Fortinet Product Security Incident Response Team (PSIRT) and contain the solution for patching the vulnerabilities.

  3. Backups and VM snapshots.

Having a backup plan is crucial when dealing with severe cases where FortiNAC services cannot be fixed or restored properly.

  • Backups should be securely stored in a remote location. Ideally, use two different locations in order to ensure availability in case one of them is compromised or down (for example, a remote site plus a cloud location).
  • Use a secure method such as SSH for remote backup management.
  • Keep VM snapshots to easily restore services in case of issues caused by upgrades or configuration changes.
  • Keep a document with the specific steps and procedures for restoring FortiNAC when the system is corrupted and unresponsive, which might require the administrator to factory reset the server.
  • The recovery procedure should be tested during a maintenance window and the steps documented on each change. This ensures the proper steps are included when a real incident occurs.
  • Using the Backup scheduler, define a backup plan for how often backups should be executed and when to purge local backups.
  • Use hashing algorithms to validate backup file integrity.
  • Secure backups through encryption and use firewall policies to limit access to only the responsible users who need that type of access.
  • Manually uploaded files or images should also be backed up manually through a TFTP or SSH server. These could be custom-created web pages stored in /bsc/Registration/registration/site that are used to redirect hosts when they fail custom scans.

Check this official guide for more details on backup and restore.

  4. Log Monitoring Servers

  • Configure external logging in order to capture system events or be alerted to specific events that could be an indication of compromise.
  • External logging also frees FortiNAC resources to focus on control functions instead of internal logging.
  • FortiSIEM, FortiAnalyzer or any other syslog server can be integrated with FortiNAC for log monitoring.

FortiAnalyzer Device Integration

Troubleshooting Tip: Syslog messages not being sent to syslog server

  • It is suggested to use a centralized logging solution which can correlate logs from multiple sources and alert or act based on any supported device. See the FortiSIEM integration guide.
  • Frequently check the Audit logs for changes applied by administrators, and the Event logs to identify other performance or system issues.
  • Create alerts in FortiNAC for important functions that are not working.

An example could be creating an alert for when the automatic backup feature is not working. This draws the administrator's attention to check and fix the remote backup failure.

Related event names:

  • Database Backup Failure
  • Systems Backup Failure

  5. TLS Certificates for secure communication

Where possible, use TLS certificates for secure communication between clients and servers.

This can be applied in multiple services such as:

It is important to use the latest and most secure algorithms when issuing the root Certificate Authorities that will issue the client and server certificates.

Example: The RADIUS service will fail when the certificates are issued using weak algorithms such as md5 or sha1.

Error: tls: (TLS) Failed reading certificate file "radius/raddb/certs/certificatetest.pem": error:XXX:SSL routines:SSL_CTX_use_certificate:ca md too weak
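As an added example (not Fortinet code), the Python script below reads the signature algorithm of a PEM or DER certificate with a minimal DER walk and flags the md5/sha1 algorithms named above, so a weak certificate is rejected before it is uploaded to FortiNAC. The OID tables are standard X.509 values (RFC 3279, RFC 4055, RFC 5758); the script assumes a single certificate per file and does not validate anything else in the certificate.

```python
# Added example (not Fortinet code): report the signature algorithm of a PEM or
# DER X.509 certificate before uploading it to FortiNAC, so md5/sha1-signed
# certificates are caught ahead of the 'ca md too weak' RADIUS failure above.
import base64

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758). WEAK holds the
# md5/sha1 signatures the article says make the RADIUS service fail.
WEAK = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
        "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
        "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
STRONG = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
          "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
          "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
          "1.2.840.10045.4.3.3": "ecdsa-with-SHA384"}

def _tlv(data, pos):
    """Decode the DER tag/length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length bytes
        n, length = length & 0x7F, 0
        for b in data[pos:pos + n]:
            length = (length << 8) | b
        pos += n
    return tag, pos, pos + length

def _oid(raw):
    """Decode DER OID content bytes to dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)    # base-128, high bit set on continuation bytes
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):
    """Return (oid, name, is_weak) for a PEM or DER encoded X.509 certificate (bytes)."""
    if cert.lstrip().startswith(b"-----"):  # PEM: drop armour lines, decode base64 body
        body = b"".join(line.strip() for line in cert.splitlines()
                        if line.strip() and not line.startswith(b"-----"))
        cert = base64.b64decode(body)
    tag, start, _ = _tlv(cert, 0)            # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _tlv(cert, start)        # skip tbsCertificate entirely
    _, alg_start, _ = _tlv(cert, tbs_end)    # signatureAlgorithm ::= AlgorithmIdentifier
    tag, oid_start, oid_end = _tlv(cert, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _oid(cert[oid_start:oid_end])
    return oid, WEAK.get(oid) or STRONG.get(oid, "unknown"), oid in WEAK
```

Feed it the PEM bytes of the certificate destined for radius/raddb/certs and refuse the upload when the third element of the result is True.
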
The following SSL/TLS versions are considered vulnerable and should not be used:

  • SSL v2
  • SSL v3
  • TLS 1.0
  • TLS 1.1

This article explains the usage and core concepts of certificates: Technical Tip: SSL/TLS and the use of Digital Certificates

The following external guides from Microsoft and DigiCert provide requirements and best practices for certificates.

  6. Performance Issues due to lack of administration.

If FortiNAC is left unchecked and not properly monitored, the result can be performance issues or, worse, the system becoming unresponsive, leading to a self-inflicted denial of service.

Examples are SSH/SNMP/REST API failures against network devices or service connectors, which consume FortiNAC CPU time and memory. This results in delays for specific features such as polling or VLAN changes.

In large deployments, network administrators in branch offices might remove devices or make changes to the network without informing the FortiNAC administrators. FortiNAC will keep polling and requesting information from those Network Inventory devices as long as they remain in the database.

The following article provides the steps to identify and resolve such performance issues:

  7. Restrictions on Administrative Users.

When provisioning administrator accounts, it is recommended to apply the principle of least privilege.

By using administrative profiles, it is possible to limit each account to performing only the tasks that its job role requires and nothing more.

The same concept should be applied to all types of accounts.

Additional recommendations include:

  8. Auditing/Checking the FortiNAC configuration.

The following documentation provides a list of configuration steps that administrators can leverage to audit the FortiNAC settings and features.

Relevant documentation: