Fortinet black logo

Administration Guide

Network topology best practices

Copy Link
Copy Doc ID 63cab9f6-5858-11ec-bdf2-fa163e15d75b:557405
Download PDF

Network topology best practices

For effective deception, you must also understand the customer's network topology, company security risks, where his most important assets are located, and what kind of attack vectors they face or have concerns.

Several common network topologies require different deception deployment approaches.

This topic provides best practices for the following scenarios:

  1. Network with data center and users at the same location.
  2. Network with a data center, users at the same location, and users at remote offices.
  3. Network with a data center, users at the same location, users at remote offices, and remote OT sites.
Deception deployment in HQ only

A network topology without remote location is less common today. The reasoning might be that the most important assets are in HQ only and there is no need to deploy deception in remote sites.

This scenarios shows deploying deception in the main HQ only even if there are also remote locations.

In this scenario, follow these best practice recommendations:

Deception deployment in HQ and remote offices

Network topology with remote locations is the most common enterprise network topology for installations that want to provide the same security protection across all sites.

The level of connectivity required by remote office users is broader and will lead to a data breach if the security level is not similar to the HQ security.

In this scenario, follow these best practice recommendations:

  • Deploy a single FortiDeceptor appliance and connect it to the network via trunk to cover most of the HQ network VLANs.
  • Deploy decoys following the best practice recommendation in Deception decoy best practices.
    • On data center VLANs: 5-7 decoys per VLAN.
    • On endpoint VLANs: 2-4 decoys per VLAN.
    • Deploy deception lures across all manageable endpoints even if some of them are in remote sites.
      • RDP
      • SMB
      • Cached credentials
      • HoneyDocs
      • SSH (on IT department desktops only)
  • Fabric integration.
    • If you have FortiGate, consider the integration value between FortiDeceptor and FortiGate for alert mitigation by isolating the infected machine.
    • Send SYSLOG to SIEM or any logger solution in place.
    • Send SYSLOG to SOAR solution for Deception playbooks. For example, FortiSOAR has pre-built deception playbooks for FortiDeceptor.

Deception deployment in HQ, remote offices, and OT sites

Network topology with remote location (offices + OT sites) is very common for manufacturing, critical infrastructure, and energy companies. The OT site presents a security challenge due to its environmental complexity, such as legacy OSes, non-standard devices and protocols, and so on.

In this scenario, follow these best practice recommendations:

  • Deploy a single FortiDeceptor appliance and connect it to the network via trunk to cover most of the HQ network VLANs.
  • Deploy decoys following the best practice recommendation in Deception decoy best practices.
    • On data center VLANs: 5-7 decoys per VLAN.
    • On endpoint VLANs: 2-4 decoys per VLAN.
    • Deploy deception lures across all manageable endpoints even if some of them are in remote sites.
      • RDP
      • SMB
      • Cached credentials
      • HoneyDocs
      • SSH (on IT department desktops only)
  • Fabric integration.
    • If you have FortiGate, consider the integration value between FortiDeceptor and FortiGate for alert mitigation by isolating the infected machine.
    • Send SYSLOG to SIEM or any logger solution in place.
    • Send SYSLOG to SOAR solution for Deception playbooks. For example, FortiSOAR has pre-built deception playbooks for FortiDeceptor.

Network topology best practices

For effective deception, you must also understand the customer's network topology, company security risks, where his most important assets are located, and what kind of attack vectors they face or have concerns.

Several common network topologies require different deception deployment approaches.

This topic provides best practices for the following scenarios:

  1. Network with data center and users at the same location.
  2. Network with a data center, users at the same location, and users at remote offices.
  3. Network with a data center, users at the same location, users at remote offices, and remote OT sites.
Deception deployment in HQ only

A network topology without remote location is less common today. The reasoning might be that the most important assets are in HQ only and there is no need to deploy deception in remote sites.

This scenarios shows deploying deception in the main HQ only even if there are also remote locations.

In this scenario, follow these best practice recommendations:

Deception deployment in HQ and remote offices

Network topology with remote locations is the most common enterprise network topology for installations that want to provide the same security protection across all sites.

The level of connectivity required by remote office users is broader and will lead to a data breach if the security level is not similar to the HQ security.

In this scenario, follow these best practice recommendations:

  • Deploy a single FortiDeceptor appliance and connect it to the network via trunk to cover most of the HQ network VLANs.
  • Deploy decoys following the best practice recommendation in Deception decoy best practices.
    • On data center VLANs: 5-7 decoys per VLAN.
    • On endpoint VLANs: 2-4 decoys per VLAN.
    • Deploy deception lures across all manageable endpoints even if some of them are in remote sites.
      • RDP
      • SMB
      • Cached credentials
      • HoneyDocs
      • SSH (on IT department desktops only)
  • Fabric integration.
    • If you have FortiGate, consider the integration value between FortiDeceptor and FortiGate for alert mitigation by isolating the infected machine.
    • Send SYSLOG to SIEM or any logger solution in place.
    • Send SYSLOG to SOAR solution for Deception playbooks. For example, FortiSOAR has pre-built deception playbooks for FortiDeceptor.

Deception deployment in HQ, remote offices, and OT sites

Network topology with remote location (offices + OT sites) is very common for manufacturing, critical infrastructure, and energy companies. The OT site presents a security challenge due to its environmental complexity, such as legacy OSes, non-standard devices and protocols, and so on.

In this scenario, follow these best practice recommendations:

  • Deploy a single FortiDeceptor appliance and connect it to the network via trunk to cover most of the HQ network VLANs.
  • Deploy decoys following the best practice recommendation in Deception decoy best practices.
    • On data center VLANs: 5-7 decoys per VLAN.
    • On endpoint VLANs: 2-4 decoys per VLAN.
    • Deploy deception lures across all manageable endpoints even if some of them are in remote sites.
      • RDP
      • SMB
      • Cached credentials
      • HoneyDocs
      • SSH (on IT department desktops only)
  • Fabric integration.
    • If you have FortiGate, consider the integration value between FortiDeceptor and FortiGate for alert mitigation by isolating the infected machine.
    • Send SYSLOG to SIEM or any logger solution in place.
    • Send SYSLOG to SOAR solution for Deception playbooks. For example, FortiSOAR has pre-built deception playbooks for FortiDeceptor.