Why Network Segmentation Is So Important - FortiGate DMZ
- Published: 18 Apr 2020
- Had a question come in asking about the importance of network segmentation. The FortiGate is an interface-driven firewall, which lets you get very granular with your policy set. Use the policies to lock things down tight, and never let public-facing services come straight into your internal network.
Watch the video for a simple example of why it is crucial for your environment.
Buy Hardware: bit.ly/2QZVeqh
Get Consulting: bit.ly/36FinSU
My Other Projects:
Office Of The CISO: bit.ly/3HGMH1o
Packet Llama: bit.ly/3SEX3H4
###### SOCIAL LINKS ######
Twitter: bit.ly/2WXiRAv
Facebook: bit.ly/3eigz4D
Instagram: bit.ly/3cZneAz
######################
Nice video! It would be cool to see a follow-up on securing traffic within VLANs/subnets as well. PVLAN or Access-VLAN as Fortinet calls it.
Nice job and simple explanation, can’t wait to see the configuration video
Makes sense, very good.
That is Architypetecture! :)
Thank you,
You're right, in the best world the DMZ wouldn't have access to the LAN. However, in reality that server in the DMZ requires access to resources on the LAN (database, authentication server, ...). So frequently you have to open ports to the LAN. But at least it doesn't allow access to all the resources on the LAN.
That is where the middle-man DMZs come in, where you place read-only LDAP servers that have their configs pushed to them from the inside. A lot of ways to skin the cat. There are means of providing the access, though. I usually use a public-facing DMZ for the web presence, a DB and Auth DMZ for those resources, and only the DB or Auth could potentially reach in (though usually it's the other way around and internal goes in to those via read-only AD etc.).
At the end of the day, though, we are just trying to make the workload necessary to exploit a resource more than the value of the resource to the malicious actor.
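The description's rule (nothing from a public-facing interface comes straight into the internal network) and the tiered DMZ layout from the reply above (public web DMZ, a separate DB/Auth DMZ, and only the narrow flows between them) can be checked mechanically against a FortiGate's `config firewall policy` output. The script below is an added example, not code from the video, the channel, or Fortinet; the interface names (`wan1`, `dmz-web`, `dmz-db`, `internal`), the policy IDs, the address objects and the sample config itself are constructed assumptions, and the `ALLOWED_FLOWS` table is one way to write the segmentation model down so it can be audited.

```python
"""Audit a FortiOS 'config firewall policy' listing for segmentation violations.

Constructed example (not from the video or from Fortinet). Interface names,
policy IDs and address objects are assumptions. The check encodes the rule
from the video: a policy that accepts traffic from a public-facing interface
straight onto the internal interface is a finding, as is any accepted flow
that is not part of the documented DMZ tiering.
"""
import re

# Constructed FortiOS CLI output. Policy 3 is the mistake the audit should catch.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "inbound-web"
        set srcintf "wan1"
        set dstintf "dmz-web"
        set srcaddr "all"
        set dstaddr "VIP-web01"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    edit 2
        set name "web-to-db"
        set srcintf "dmz-web"
        set dstintf "dmz-db"
        set srcaddr "web01"
        set dstaddr "db01"
        set action accept
        set schedule "always"
        set service "MYSQL"
    next
    edit 3
        set name "legacy-vendor-access"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set name "web-to-lan-deny"
        set srcintf "dmz-web"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
end
"""

PUBLIC = {"wan1"}          # interfaces that face the Internet (assumed names)
INTERNAL = {"internal"}    # the LAN interface (assumed name)
# The segmentation model: which interface may be accepted into which.
# Public -> web DMZ only; web DMZ -> DB/Auth DMZ only; LAN may reach both DMZs.
ALLOWED_FLOWS = {
    "wan1": {"dmz-web"},
    "dmz-web": {"dmz-db"},
    "internal": {"dmz-web", "dmz-db"},
}


def parse_policies(text):
    """Turn 'config firewall policy' CLI text into a list of policy dicts.

    Every 'set' value is stored as a list, because FortiOS lets one line carry
    several quoted values (e.g. set srcintf "wan1" "wan2").
    """
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"edit (\d+)$", line)
        if m:
            current = {"id": int(m.group(1))}
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        else:
            m = re.match(r"set (\S+) (.+)$", line)
            if m and current is not None:
                vals = re.findall(r'"([^"]*)"', m.group(2)) or [m.group(2)]
                current[m.group(1)] = vals
    return policies


def audit(policies):
    """Return (policy_id, reason) tuples for every accept policy that breaks the model."""
    findings = []
    for p in policies:
        if p.get("action") != ["accept"]:
            continue  # deny policies cannot create exposure
        for src in p.get("srcintf", []):
            for dst in p.get("dstintf", []):
                if src in PUBLIC and dst in INTERNAL:
                    findings.append((p["id"], "public interface accepted straight into internal"))
                elif dst not in ALLOWED_FLOWS.get(src, set()):
                    findings.append((p["id"], f"flow {src}->{dst} is not in the segmentation model"))
        if "ALL" in p.get("service", []) or "all" in p.get("dstaddr", []):
            findings.append((p["id"], "accept policy with service ALL or dstaddr all"))
    return findings


if __name__ == "__main__":
    for policy_id, reason in audit(parse_policies(SAMPLE_CONFIG)):
        print(f"policy {policy_id}: {reason}")
```

Run against a real box, feed it the output of `show firewall policy` and replace the interface sets with your own names; the point of keeping `ALLOWED_FLOWS` explicit is that the tiering the reply describes (web DMZ may only talk to the DB/Auth DMZ, never to the LAN) becomes a reviewable artifact rather than something that lives only in the firewall.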
I see that Auburn Shirt! Great videos btw - thank you for all of the information #RollTide ;)
Nice video. How would you handle traffic when the 10 subnet needs to access the website? Would they have to go out to the web and back into the website from the outside? I saw your other comment about middle-man DMZs.
Great video! I do have a question. At the end of the video you said to put the web server and DB on two separate DMZs. Say the web server is compromised and the hacker is able to get the connection string the web server uses to talk to the DB; do separate DMZs help to make the bad guy's life harder in that case?
More steps and hoops to jump through. If they want it bad enough they will eventually make it through. You have to increase the time investment to make them move on.
How do you achieve this with Hyper-Converged Infrastructure?
You are going to either run an NSX / VMX configuration or trunk VLANs up to the firewall.
@FortinetGuru If I'm not using a VMware-based hypervisor?