BASELINE SECURITY MEASURES ONE MUST CONFIGURE
When it comes to securing your network, your FortiGate firewall is your first line of defense. But without proper baseline configurations, even the most advanced firewall can leave your organization vulnerable. Here are some critical security measures you should implement to ensure your FortiGate is locked down:
1. Disable Administrative Access on WAN Ports
- Turn off administrative access (HTTP, HTTPS, SSH) on the firewall's external-facing interfaces.
- Allow the device to be accessed through the dedicated/configured management port
- Configure trusted IPs for management
2. Change Default Ports
Everyone (including hackers) knows the default ports of every protocol, so avoid using them. Changing the default HTTPS port (TCP 443) to a non-standard port is the better choice security-wise.
3. Enable Strong Authentication
- Admins should apply multi-factor authentication (MFA) for administrative accounts.
- Use strong passwords and do not use default credentials like "admin."
4. Apply the Principle of Least Privilege
- Not everyone in an organization may require elevated levels of access to perform their duties. Restrict administrative rights to only those who actually need them.
- Define role-based access controls (RBAC), and remember to revoke access when roles change.
5. Keep Firmware Updated
It is important that you update your FortiGate firmware on a regular basis since it is an effective way to fix vulnerabilities and ensure that you have new security features.
6. Enable Logging and Monitoring
Configure logging to a central SIEM or syslog server. Set up real-time alerts for certain activities that seem suspicious or for access attempts that are not authorized.
7. Harden Security Profiles
Turn on and configure security profiles such as antivirus, intrusion prevention system (IPS), web filtering, and application control to inspect traffic and block what is unwanted. Update signatures regularly so that new threats are covered.
8. Allow Only Necessary Services in Firewall Policies
Set up firewall policies to allow only the services and traffic that business operations actually need, and block everything else by default. Apply session logging and monitoring as well, so you can see where traffic is flowing and notice when unusual traffic appears.
9. Implement Network Segmentation
Introduce VLANs and zones in your network to contain potential breaches and limit the resulting lateral movement.
10. Regularly Review and Audit Configurations
Carry out periodic internal security audits to verify that configurations adhere to best practices. FortiAnalyzer or similar products are also essential for carrying out a deeper analysis and providing comprehensive reporting.
By implementing these baseline security measures, you can significantly reduce the risk of unauthorized access, data breaches, and other cyber threats. Remember, a firewall is only as strong as its configuration!
Thanks for this.
Can I use other firewalls like Proxy? I mean for small scale business like mine?
Will appreciate your swift response.
You can achieve these baseline security measures on any firewall…
However, Firewall and Proxy are two different things.
Maybe you should give more context
I know of a friend using proxy firewall as a protection?