Protect VPN gateway
Hello,
On FortiGate we have configured VPN for our users (tunnel mode, web mode) and everything is working.
But we have doubts regarding the security level of this VPN gateway.
Is it possible to install/add something more (like some proxy) between the VPN gateway and the clients, to be more secure?
thank you
Huh? What do you mean? Are firewall policies not enough for your use-case? Are you doing full tunnel or split tunnel?
hello,
yes,
Theoretically everybody on the Internet can try to access our SSL VPN web page (and try some attacks). Is it possible to limit it only to authorized devices (company devices)?
For tunnel mode we are not using split tunnel.
Thanks,
Are you using MFA? There are also some device posture checks built into FortiGate to ensure the device meets criteria for your organization. What version of FortiOS are you running? You can also look at FortiNAC to control device posture before providing VPN access.
Do you mean the SSL VPN web page itself? If so, then front the SSL VPN page with a WAF.
Hey tedew,
it's a bit tricky to protect a VPN gateway from the Internet; the whole point is that your VPN users can access the gateway from anywhere, essentially.
That being said, you can do a few things to protect the gateway:
- put a Web Application Firewall in front, as suggested by Adam
- create local-in policies on FortiGate to block certain source addresses/IP blocks (like IP ranges associated with specific geographic locations)
- in the SSLVPN settings, limit access to specific source IPs:
-> this would only be an option if you know the IPs your users will connect with, or at least a broader range your users will utilize
Hello,
Thanks for the suggestions.
I heard that some organizations put some kind of proxy (server or appliance + YubiKey, I don't know exactly) in front of the VPN. So my understanding was that the user first authenticates with the proxy and then with the VPN. It looks like a layered model of authentication. Did you hear about something like this?
I will read about FortiNAC.
Thanks,
Yes, but why? What are you trying to solve? Why not just do YubiKey MFA with the FortiClient VPN?
You could create a loopback IP address and have the VPN listening on this interface. Now you can create a FW policy from WAN -> loopback interface and apply protection on this policy.
Graham
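The FortiOS CLI below is an added example, not configuration posted by anyone in the thread, showing the three gateway-hardening ideas raised above together: a local-in policy that drops SSL VPN traffic from a geographic address object, a source-address restriction in the SSL VPN settings, and Graham's loopback approach with a WAN-to-loopback firewall policy carrying an IPS sensor. Interface name wan1, the SSL VPN port 10443, the loopback address 10.255.255.1, the country code "XX", the address/service object names and the sensor name are all assumptions chosen for illustration; the built-in "protect_http_server" IPS sensor and "certificate-inspection" SSL profile are FortiOS defaults, but check that they exist on your firmware before referencing them.

```text
# --- Assumptions: wan1 = Internet-facing interface, SSL VPN on TCP 10443 ---
# Custom service so local-in and firewall policies match the real SSL VPN port
# (the built-in HTTPS service only covers 443).
config firewall service custom
    edit "SSLVPN-10443"
        set tcp-portrange 10443
    next
end

# --- Option 1: local-in policy blocking sources by geography ---
# Geography address objects use the ISO country code; "XX" is a placeholder.
config firewall address
    edit "geo-block-example"
        set type geography
        set country "XX"
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "geo-block-example"
        set dstaddr "all"
        set service "SSLVPN-10443"
        set action deny
        set schedule "always"
        set status enable
    next
end
# Caveat: local-in policies are evaluated top-down; keep this deny above any
# broader accept, and remember it never reaches the IPS engine.

# --- Option 2: restrict SSL VPN to known source ranges ---
# Only viable when users connect from predictable addresses (office egress,
# partner ranges); 203.0.113.0/24 is documentation space used as a placeholder.
config firewall address
    edit "sslvpn-allowed-sources"
        set subnet 203.0.113.0 255.255.255.0
    next
end
config vpn ssl settings
    set port 10443
    set source-interface "wan1"
    set source-address "sslvpn-allowed-sources"
    set source-address-negate disable
end

# --- Option 3: terminate SSL VPN on a loopback and inspect the path to it ---
config system interface
    edit "sslvpn-lo"
        set vdom "root"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
    next
end
config firewall address
    edit "sslvpn-lo-addr"
        set subnet 10.255.255.1 255.255.255.255
    next
end
# Point the SSL VPN listener at the loopback instead of (or in addition to) wan1.
config vpn ssl settings
    set source-interface "sslvpn-lo"
end
# Traffic from WAN to the loopback now traverses a regular policy, so a UTM
# profile can be applied; without this policy the loopback is unreachable.
config firewall policy
    edit 0
        set name "WAN-to-SSLVPN-loopback"
        set srcintf "wan1"
        set dstintf "sslvpn-lo"
        set srcaddr "all"
        set dstaddr "sslvpn-lo-addr"
        set action accept
        set schedule "always"
        set service "SSLVPN-10443"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "protect_http_server"
        set logtraffic all
    next
end
# Publish 10.255.255.1 to the Internet with a VIP or route on wan1 as your
# topology requires; that step depends on the edge design and is omitted here.
```

Options 1 and 3 combine well: the local-in deny discards obviously unwanted sources before they consume an IPS inspection slot, and the loopback policy logs and inspects what remains. None of this replaces MFA on the VPN itself, which is the control the other replies in the thread point to.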