Hoping for some real world use cases for the following setup where we are protecting a hardened front end web server that sort of proxies connections into our Horizon VDI environment.
We currently have a VIP on TCP.443 that publishes the previously mentioned web server into our VDI environment (Horizon), and we're currently restricting traffic on that corresponding rule by allowing only IPs in the United States and only the user's WAN IP address given to them by their ISP, but in some cases we're allowing some /16s that would encompass some of the more widely used ISPs within our footprint.
We also use FortiAuthenticator so every VDI user must participate with MFA, which is typically done off of the FortiToken Mobile App, and we run AV Scanning/IPS/etc. on that same rule, but the management of it all is becoming too cumbersome considering we'll have some 500 virtual desktops by the end of 2022 and even more in the coming years. What are some other viable ways to restrict the traffic hitting this VIP/Rule?
We have talked about just opening with some GEO-Fencing to only IPs based in the United States and then relying on the web server's hardened configuration to protect us, but are just not sure what everyone else is doing out there or what the "acceptable standard" is for this type of setup. We are also a little confused about MAC verification, since every time you leave a local switch your MAC gets stripped away, but restricting via MAC address (along with everything else) would be great.
Any insights that you may have would be absolutely great and much appreciated.
Well, to be honest, the main concern here is that just opening up that 443 to essentially every bad actor in the United States to bang up against us at will from now on is almost too much to bear. I know the vSecurity box that sits in our DMZ in front of Horizon is a very hardened web server, as is this new management piece for the 10-zigs, but I've lived in a world for the past 15 years where any rule that has ANY or ALL in it is just another thing to get the Schneider Downs and Dixon Hughes of the world up in your ice hole talking about "findings" and "exceptions" from Executive Management... Oh how the skin crawls!
PS: Please forgive the cold weather fishing reference, it just flowed from my fingers into the keys.
For restricting traffic hitting your VIP/Rule, using GEO-Fencing to only allow access from IPs based in the United States is a good start. You may also want to consider implementing a WAF (Web Application Firewall) to add an extra layer of protection to your web server. Regarding your question about MAC verification, it's true that MAC addresses are stripped away when traffic leaves a local switch. It's generally not recommended to rely solely on MAC address filtering for security purposes. Instead, you may want to consider using IP address filtering, or even better, SSL client certificates for authentication. Good luck with your security efforts!
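As an added illustration (not code from this thread, Fortinet or VMware), the script below quantifies how much address space the current source allowlist of per-user WAN /32s plus ISP /16s actually admits, so the trade-off against a country-wide geo-fence can be argued with numbers rather than gut feeling. The allowlist entries are constructed placeholders (RFC 5737 documentation addresses and arbitrary /16s), not any real user's or ISP's ranges.

```python
"""Quantify how broad a firewall source-IP allowlist really is.

Constructed example for the VIP/rule discussed above: each remote user's
WAN /32 is allowed, plus a few ISP /16s. Collapsing overlaps and counting
covered addresses shows how much of the exposure the /16s account for
compared with the per-user entries.
"""
import ipaddress
from typing import Iterable

# Constructed sample allowlist (placeholder values, not real users or ISPs).
PER_USER = ["203.0.113.7", "203.0.113.99", "198.51.100.23"]
ISP_BLOCKS = ["198.51.0.0/16", "192.0.0.0/16"]


def collapse(entries: Iterable[str]) -> list:
    """Parse CIDR/host strings and merge overlapping or adjacent networks."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return list(ipaddress.collapse_addresses(nets))


def covered_addresses(entries: Iterable[str]) -> int:
    """Total distinct IPv4 addresses the allowlist admits."""
    return sum(n.num_addresses for n in collapse(entries))


def allowed(src: str, entries: Iterable[str]) -> bool:
    """Would a connection from `src` pass the rule's source-address match?"""
    ip = ipaddress.ip_address(src)
    return any(ip in n for n in collapse(entries))


def exposure_report(per_user: Iterable[str], isp_blocks: Iterable[str]) -> dict:
    """Compare the two halves of the allowlist so the trade-off is explicit."""
    users = covered_addresses(per_user)
    blocks = covered_addresses(isp_blocks)
    total = covered_addresses(list(per_user) + list(isp_blocks))
    return {
        "per_user_addresses": users,
        "isp_block_addresses": blocks,
        # smaller than users + blocks when a user's /32 already sits in a /16
        "total_addresses": total,
        "share_from_isp_blocks": blocks / total,
    }


if __name__ == "__main__":
    for key, value in exposure_report(PER_USER, ISP_BLOCKS).items():
        print(f"{key}: {value}")
```

With the constructed data, the three per-user entries admit 3 addresses while the two /16s admit 131072, so the per-user maintenance effort buys almost none of the actual restriction.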