Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Deployment best practices checklist

This checklist is an example of a deception deployment profiling and sizing. This example is based on a company with one headquarters (HQ) site and two remote sites, one of which is a manufacturing site.

Deception Items

Customer Requirements

Deployment

FortiDeceptor appliance HW/VM

VM

The VM support VMware or KVM.

HQ site installation

Yes

Deploy on the company ESXi where you have access to most of the network VLANs.

Number of remote sites

2

If the primary and remote locations are connected by FortiGate firewall, configure the VXLAN tunnel between firewalls to publish decoys over the L2 tunnel from the HQ to the remote sites. For details on setting up the VXLAN, see https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType= kc&externalId=FD47325&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=163742631&stateId=1%200%20163740760%27.

If the firewalls are different, check with Customer Support on how to configure an L2 Tunnel.

Remote sites are office / OT network

1 remote office + 1 manufacture site

For remote office site, deploy Windows / Linux desktop decoys and deception lures like SMB, RDP and cache credentials.

For remote OT site, deploy Windows / Linux and SCADA decoys.

Number of segments (VLANS) to cover

30

 

Number of DC segments to cover

2

Deploy Windows / Linux server decoys.

Customer's server OS

Windows, Linux

Deploy Windows / Linux server decoys.

Critical services in the DC segments

SAP, web logistic app

Deploy ERP decoy, Windows decoy with a web app.

Number of endpoint segments to cover

25

Deploy Windows / Linux desktop decoys.

Customer's endpoint OS

Windows, MAC

Deploy deception lures such as SMB, RDP, and cache credentials for both Windows and MAC.

Customer's most important asset to protect

SAP

Deploy Windows decoy with SQL that uses SAP fake data.

Attack vectors customer is facing

Phishing, PTH, lateral movement based on AD

Deploy deception lures like SMB, RDP, and cache credentials. Follow cache credentials best practice.

Customer network's IoT devices

Printer, camera, temp sensors

 

Customer network's OT devices

SCADA PLC, HMI

Deploy Windows / Linux and SCADA decoys.

Customer FortiGate firewall solution

Yes

Configure Security Fabric integration for isolation mitigation response.

Customer SIEM solution

Yes

Send SYSLOG from the FDC.

Configure a correlation rule to detect lateral movement based on cache credentials lure.

Deployment best practices checklist

This checklist is an example of a deception deployment profiling and sizing. This example is based on a company with one headquarters (HQ) site and two remote sites, one of which is a manufacturing site.

Deception Items

Customer Requirements

Deployment

FortiDeceptor appliance HW/VM

VM

The VM support VMware or KVM.

HQ site installation

Yes

Deploy on the company ESXi where you have access to most of the network VLANs.

Number of remote sites

2

If the primary and remote locations are connected by FortiGate firewall, configure the VXLAN tunnel between firewalls to publish decoys over the L2 tunnel from the HQ to the remote sites. For details on setting up the VXLAN, see https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType= kc&externalId=FD47325&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=163742631&stateId=1%200%20163740760%27.

If the firewalls are different, check with Customer Support on how to configure an L2 Tunnel.

Remote sites are office / OT network

1 remote office + 1 manufacture site

For remote office site, deploy Windows / Linux desktop decoys and deception lures like SMB, RDP and cache credentials.

For remote OT site, deploy Windows / Linux and SCADA decoys.

Number of segments (VLANS) to cover

30

 

Number of DC segments to cover

2

Deploy Windows / Linux server decoys.

Customer's server OS

Windows, Linux

Deploy Windows / Linux server decoys.

Critical services in the DC segments

SAP, web logistic app

Deploy ERP decoy, Windows decoy with a web app.

Number of endpoint segments to cover

25

Deploy Windows / Linux desktop decoys.

Customer's endpoint OS

Windows, MAC

Deploy deception lures such as SMB, RDP, and cache credentials for both Windows and MAC.

Customer's most important asset to protect

SAP

Deploy Windows decoy with SQL that uses SAP fake data.

Attack vectors customer is facing

Phishing, PTH, lateral movement based on AD

Deploy deception lures like SMB, RDP, and cache credentials. Follow cache credentials best practice.

Customer network's IoT devices

Printer, camera, temp sensors

 

Customer network's OT devices

SCADA PLC, HMI

Deploy Windows / Linux and SCADA decoys.

Customer FortiGate firewall solution

Yes

Configure Security Fabric integration for isolation mitigation response.

Customer SIEM solution

Yes

Send SYSLOG from the FDC.

Configure a correlation rule to detect lateral movement based on cache credentials lure.