Administration Guide

Network topology best practices

For effective deception, you must also understand the customer's network topology, the company's security risks, where its most important assets are located, and which attack vectors it faces or is concerned about.

Several common network topologies require different deception deployment approaches.

This topic provides best practices for the following scenarios:

  1. Network with data center and users at the same location.
  2. Network with a data center, users at the same location, and users at remote offices.
  3. Network with a data center, users at the same location, users at remote offices, and remote OT sites.
Deception deployment in HQ only

A network topology without remote locations is less common today. The reasoning might be that the most important assets are in HQ only, so there is no need to deploy deception in remote sites.

This scenario shows deploying deception in the main HQ only, even if there are also remote locations.

In this scenario, follow these best practice recommendations:

  • Deploy a single FortiDeceptor appliance and connect it to the network via trunk to cover most of the HQ network VLANs.
  • Deploy decoys following the best practice recommendation in Deception decoy best practices
    • On data center VLANs: 5-7 decoys per VLAN.
    • On endpoint VLANs: 2-4 decoys per VLAN.
    • Deploy deception lures across all manageable endpoints even if some of them are in remote sites.
      • RDP.
      • SMB.
      • SSH (on IT department desktops only).
  • Fabric integration.
    • If you have FortiGate, consider integrating FortiDeceptor with FortiGate so that alerts can be mitigated by isolating the infected machine.
    • Send syslog to the SIEM or any logging solution in place.
Deception deployment in HQ and remote offices

A network topology with remote locations is the most common enterprise network topology for installations that want to provide the same security protection across all sites.

Remote office users require a broader level of connectivity, which will lead to a data breach if their security level is not similar to that of HQ.

In this scenario, follow these best practice recommendations:

  • Deploy a single FortiDeceptor appliance and connect it to the network via trunk to cover most of the HQ network VLANs.
  • FortiDeceptor currently does not have a central management capability, so you must configure a VXLAN tunnel between the HQ firewall and each of the remote office firewalls so that the remote VLANs can be extended to the HQ appliance. See https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD47325&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=163742631&stateId=1%200%20163740760%27.
  • These are the requirements for deploying deception lures on remote desktops:
    • No VXLAN tunnel between the two firewalls.
    • The remote site has only 1-2 VLANs (risk vs. cost).
  • Deploy decoys following the best practice recommendation in Deception decoy best practices
    • On data center VLANs: 5-7 decoys per VLAN.
    • On endpoint VLANs: 2-4 decoys per VLAN.
    • Deploy deception lures across all manageable endpoints even if some of them are in remote sites.
      • RDP.
      • SMB.
      • SSH (on IT department desktops only).
  • Fabric integration.
    • If you have FortiGate, consider integrating FortiDeceptor with FortiGate so that alerts can be mitigated by isolating the infected machine.
    • Send syslog to the SIEM or any logging solution in place.
Deception deployment in HQ, remote offices, and OT sites

A network topology with remote locations (offices and OT sites) is very common for manufacturing, critical infrastructure, and energy companies. OT sites present a security challenge due to their environmental complexity, such as legacy OSes and non-standard devices and protocols.

In this scenario, follow these best practice recommendations:

  • Deploy a single FortiDeceptor appliance and connect it to the network via trunk to cover most of the HQ network VLANs.
  • FortiDeceptor currently does not have a central management capability, so you must configure a VXLAN tunnel between the HQ firewall and each of the remote office firewalls so that the remote VLANs can be extended to the HQ appliance. See https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/22733/virtual-wire-pair-with-vxlan.
  • These are the requirements for deploying deception lures on remote desktops:
    • No VXLAN tunnel between the two firewalls, that is, no deception lures on OT site desktops.

      If you must install FortiDeceptor at OT sites, deploy it as a standalone device and forward its syslog to a central SIEM or any logging solution.

    • The remote site has only 1-2 VLANs (risk vs. cost).
  • Deploy decoys following the best practice recommendation in Deception decoy best practices
    • On data center VLANs: 5-7 decoys per VLAN.
    • On endpoint VLANs: 2-4 decoys per VLAN on HQ and remote offices.
    • On OT VLANs: 7-10 decoys (OT decoys plus IT decoys for HMI/SCADA management systems).
    • Deploy deception lures across all manageable endpoints even if some of them are in remote sites.
      • RDP.
      • SMB.
      • SSH (on IT department desktops only).
  • Fabric integration.
    • If you have FortiGate, consider integrating FortiDeceptor with FortiGate so that alerts can be mitigated by isolating the infected machine.
    • Send syslog to the SIEM or any logging solution in place.
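
As an added example (not taken from this guide or the linked cookbook), the FortiOS CLI fragments below show the shape of the VXLAN tunnel that the remote office and OT sections refer to: one branch office user VLAN is bridged through a virtual wire pair to the port that faces the FortiDeceptor trunk at HQ. The interface names, VNI, tunnel endpoint addresses and policy name are assumed values to replace with your own; OT sites stay outside the tunnel, as the guide recommends.

```fortios
# HQ FortiGate (tunnel endpoint 198.51.100.1, assumed): terminate the VXLAN
# tunnel and bridge it to the port that faces the FortiDeceptor trunk.
config system vxlan
    edit "vxlan-branch1"
        set interface "wan1"           # underlay interface carrying the tunnel (assumed)
        set vni 1001                   # VXLAN network identifier, must match the branch side (assumed)
        set remote-ip "203.0.113.1"    # branch office FortiGate tunnel endpoint (assumed)
    next
end
config system virtual-wire-pair
    edit "vwp-branch1"
        set member "port3" "vxlan-branch1"   # port3 faces the FortiDeceptor trunk (assumed)
    next
end
# A virtual wire pair passes no traffic until a policy allows it between its members.
config firewall policy
    edit 0
        set name "vwp-branch1-allow"
        set srcintf "port3" "vxlan-branch1"
        set dstintf "port3" "vxlan-branch1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Branch office FortiGate (tunnel endpoint 203.0.113.1, assumed): the mirror
# image, bridging the local user VLAN port into the same VNI. It needs the
# same kind of virtual-wire-pair policy as the HQ side.
config system vxlan
    edit "vxlan-hq"
        set interface "wan1"           # underlay interface (assumed)
        set vni 1001                   # must match the HQ side
        set remote-ip "198.51.100.1"   # HQ FortiGate tunnel endpoint (assumed)
    next
end
config system virtual-wire-pair
    edit "vwp-hq"
        set member "port2" "vxlan-hq"   # port2 carries the branch user VLAN (assumed)
    next
end
```

Repeat the HQ-side VXLAN interface and virtual wire pair once per remote office, each with its own VNI, since the appliance has no central management to fan the decoys out otherwise.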
