- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate as a 'nanny'?
Has anyone had experience with using a Fortigate in a home environment to prevent users from getting to those websites used by scammers to take nefarious control of PC?
I'm aware of a situation where an elderly user keeps falling for the 'I'm from Microsoft and need to solve a problem on your PC' callers.
Would Web and DNS filtering prevent this user from getting to those sites?
Thank you in advance.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you can adapt the enterprise security features for a home environment, much like you would if you were deploying a FortiGate in a school environment.
At home I have my kids' devices on their own VLAN so I can use more restrictive policies. I use DNS filtering and Web filtering to block things like Adult/Mature Content, Security Risk, and Unrated content (scammers often use pop-up sites to avoid blacklists) and also enforce features like browser Safe Search. I also block access to botnet URLs (WAN interface setting) and botnet IPs (DNS filter).
However, this isn't going to offer 100% protection against "MS" Tech Support phone scammers who direct victims to legitimate sites and legitimate remote control software. For protection against this you'd need to go one step further and use Application Control in the Internet Access policy to block most of the 82 pre-defined Remote Access applications. You can also block things like Tor and Tor2Web here too.
Note that some of the Application Filters require Deep SSL Inspection which involves exporting/importing your FortiGate's CA cert into each device's trusted CA list (covered in several Cookbooks). This is optional but if you want "maximum" protection you should consider Deep SSL inspection.
Hope this helps,
Russ
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank, Russ!
That all makes sense, and the additional steps you mentioned goes even further than I had been thinking through.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A combination of url category and app-control would be what I would suggest. In my home parents has one profile and kids on another wit TOD policies. So at 21:00 internet is off until 07:00 and on friday to sun we open the window till 23:00. Also I have static reservation for parents components (Winlaptop, Android, MacBook,etc...)
We also have a explicit proxy off the firewall that requires authentication and wants to goto sites NOT allowed in my URL filter
Ken
PCNSE
NSE
StrongSwan