Hoping for some real world use cases for the following setup, where we are protecting a hardened front end web server that sort of proxies connections into our Horizon VDI environment.
We currently have a VIP on TCP/443 that publishes the previously mentioned web server into our VDI environment (Horizon), and we're currently restricting traffic on that corresponding rule by allowing only IPs in the United States and only the user's WAN IP address given to them by their ISP, but in some cases we're allowing some /16s that would encompass some of the more widely used ISPs within our footprint.
We also use FortiAuthenticator, so every VDI user must participate with MFA, which is typically done off of the FortiToken Mobile app, and we run AV scanning/IPS/etc. on that same rule, but the management of it all is becoming too cumbersome considering we'll have some 500 virtual desktops by the end of 2022 and even more in the coming years. What are some other viable ways to restrict the traffic hitting this VIP/rule?
We have talked about just opening it up with some geo-fencing to only IPs based in the United States and then relying on the web server's hardened configuration to protect us, but we are just not sure what everyone else is doing out there or what the "acceptable standard" is for this type of setup. We are also a little confused about MAC verification, since every time you leave a local switch your MAC gets stripped away, but restricting via MAC address (along with everything else) would be great.
Any insights that you may have would be absolutely great and much appreciated...
Dave
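As an added illustration (not Dave's configuration or anything posted in the thread), here is a FortiOS CLI sketch of the objects behind the setup described above: the VIP on TCP/443, a per-user WAN address, an ISP block, a US geography object and the policy with AV/IPS attached. Every interface name, object name, IP address and profile name is an assumed placeholder, and the `#` comments are editorial. Note that multiple entries in `srcaddr` match as any-of, so placing "geo-US" alongside the per-user addresses would admit any US source; the geo object is shown only as the geo-fencing alternative the post is weighing.

```text
# Added example, not from the thread. All names and addresses are placeholders.
config firewall vip
    edit "vip-horizon-443"
        set extintf "wan1"
        set extip 203.0.113.10            # placeholder public address
        set mappedip "10.10.20.5"         # placeholder DMZ web server
        set portforward enable
        set extport 443
        set mappedport 443
    next
end
config firewall address
    edit "geo-US"
        set type geography
        set country "US"
    next
    edit "user-dave-wan"
        set subnet 198.51.100.25 255.255.255.255   # one user's ISP-assigned WAN IP
    next
    edit "isp-a-block"
        set subnet 192.0.2.0 255.255.255.0         # placeholder; replace with the ISP's /16
    next
end
config firewall addrgrp
    edit "vdi-allowed-sources"
        set member "user-dave-wan" "isp-a-block"
    next
end
config firewall policy
    edit 10
        set name "VDI-Horizon-443"
        set srcintf "wan1"
        set dstintf "dmz"
        set action accept
        set srcaddr "vdi-allowed-sources"   # use "geo-US" instead to geo-fence only
        set dstaddr "vip-horizon-443"
        set service "HTTPS"
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set logtraffic all
    next
end
```

Keeping the per-user and ISP entries in one address group means the policy itself never changes as users are added; only the group membership does, which is where the management burden in the post actually lives.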
Hello Dave
I think the Horizon VDI application must come with its security embedded, or could be integrated with special security software that is made especially for a Horizon environment.
In my experience I've never seen a VDI environment protected behind a WAF, and I think VDI security goes beyond WAF capabilities.
That said, and in addition to this, just one obvious protection that comes to my mind is to use 2FA/MFA for authentication.
Well, to be honest, the main concern here is that just opening up that 443 to essentially every bad actor in the United States to bang up against us at will from now on is almost too much to bear. I know the vSecurity box that sits in our DMZ in front of Horizon is a very hardened web server, as is this new management piece for the 10-zigs, but I've lived in a world for the past 15 years where any rule that has ANY or ALL in it is just another thing to get the Schneider Downs and Dixon Hughes of the world up in your ice hole talking about "findings" and "exceptions" from Executive Management... Oh how the skin crawls!
PS: Please forgive the cold weather fishing reference, it just flowed from my fingers into the keys
For restricting traffic hitting your VIP/rule, using geo-fencing to only allow access from IPs based in the United States is a good start. You may also want to consider implementing a WAF (Web Application Firewall) to add an extra layer of protection to your web server. Regarding your question about MAC verification, it's true that MAC addresses can be stripped away when traffic leaves a local switch. It's generally not recommended to rely solely on MAC address filtering for security purposes. Instead, you may want to consider using IP address filtering, or even better, SSL client certificates for authentication. By the way, if you're looking for private servers for your projects, have you considered checking out "is*hosting"? They offer a variety of options that could work well for your needs. Good luck with your security efforts!
This is a solid setup with strong security layers like geo-fencing, MFA with FortiAuthenticator, and AV/IPS. For managing the increasing load, you might consider implementing zero-trust network access (ZTNA) for tighter control, which could reduce reliance on IP restrictions. Regarding MAC verification, you're right—it’s stripped after the first hop, so focusing on device identity or certificates may offer better security. If you're considering scaling further or optimizing hosting, https://mainvps.net/ could be a reliable option for robust and scalable VPS solutions tailored to such setups. Great work so far!
Copyright 2024 Fortinet, Inc. All Rights Reserved.