Fortinet white logo
Fortinet white logo

Administration Guide

Hardening

Appendix C - Hardening

System hardening reduces security risks by eliminating potential attack vectors and shrinking the system's attack surface. This section covers some of the actions that can be used.

Building security into FDC-OS

The FortiDeceptor operating system, FortiDeceptor hardware devices, and FortiDeceptor virtual machines (VMs) are built with security in mind, so many security features are built into the hardware and software. Fortinet maintains an ISO:9001 certified software and hardware development processes to ensure that FortiDeceptor products are developed in a secure manner.

Boot device security

The FortiDeceptor boot device in hardware devices use Fortinet’s customized bootloader which is specifically designed and implemented for the FortiDeceptor product. FortiDeceptor physical devices always boot from this boot device.

FDC-OS kernel and user processes

FortiDeceptor is a multi-process operating system with kernel and user processes. The FortiDeceptor kernel runs in a privileged hardware mode while higher-level applications run in user mode. FortiDeceptor is a closed system that does not allow the loading or execution of third-party code in the FortiDeceptor user space. All non-essential services, packages, and applications are removed.

Physical security

Install the FortiDeceptor in a physically secure location. Physical access to the FortiDeceptor can allow it to be bypassed, or other firmware could be loaded after a manual reboot.

Optionally, disable the maintainer account with CLI command set-maintainer. Note that doing this will make you unable to recover administrator access using a console connection if all of the administrator credentials are lost.

Vulnerability - monitoring PSIRT

The FortiGuard Labs Product Security Incident Response Team (PSIRT) continually tests and gathers information about Fortinet hardware and software products, looking for vulnerabilities and weaknesses. Any such findings are fed back to Fortinet's development teams and serious issues are described along with protective solutions. The PSIRT regulatory releases PSIRT advisories when issues are found and corrected. Advisories are listed at https://www.fortiguard.com/psirt.

Firmware

Keep the FortiDeceptor firmware up to date. The latest patch release has the most fixed bugs and vulnerabilities, and should be the most stable. Firmware is periodically updated to add new features and resolve important issues.

  • Read the release notes. The known issues may include issues that affect your business.
  • Do not use out of support firmware. Review the product lifecycle and plan to upgrade before the firmware expires.
  • Optionally, subscribe to the Fortinet firmware RSS feed: https://pub.kb.fortinet.com/rss/firmware.xml.

Encrypted protocols

Use encrypted protocols whenever possible, for example, SNMPv3 instead of SNMP, SMTPS instead of SMTP, SSH instead of telnet and HTTPS instead of HTTP.

Strong ciphers

FortiDeceptor already sets to use higher levels of encryption and strong ciphers for communications with Fortinet fabric devices.

FortiGuard databases

Ensure that FortiGuard databases, such as Industry Security Signature, Network Alerts Signature, AntiVirus Scanner and Signatures, AI Malware Engine and ARAE Engines are updated punctually.

Trusted Hosts

Limit access to the FortiDeceptor to a management interface on a management network. Trusted hosts can also be used to specify the IP addresses or subnets that can log in to the FortiDeceptor. When authenticating to the FortiDeceptor, implement two-factor authentication (2FA). This makes it significantly more difficult for an attacker to gain access to the FortiDeceptor.

Limit login user’s access right

The features that a login user can access should be limited to the scope of that user's work to reduce possible attack vectors. The admin profile tied to the user account defines the areas on the FortiDeceptor that the user can access, and what they can do in those areas. The list of users with access should be audited regularly to ensure that it is current.

Administration access security

Secure administrative access features:

  • SSH, Telnet, and SNMP are disabled by default. If required, these admin services must be explicitly enabled on each interface from the GUI or CLI.
  • SSHv1 is disabled by default. SSHv2 is the default version.
  • SSLv3 and TLS1.0 are disabled by default. TLSv1.1 and TLSv1.2 are the SSL versions enabled by default for HTTPS admin access.
  • HTTP is disabled by default, HTTP redirect to HTTPS is enabled by default.
  • The strong-crypto global setting is enabled by default and configures FortiDeceptor to use strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions.

Admin administrator account

All FortiDeceptor ship with a default administrator account called admin. By default, this account does not have a password. However, FortiDeceptor uses restricted password policy that enforce the admin account to change the password on the first user login and use a complex password. (This mechanism is enforced across all users upon their first log in.)

Maintainer account

Administrators with physical access to a FortiDeceptor appliance can use a console cable and a special administrator account called maintainer to log into the CLI. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password for the maintainer account is bcpb followed by the FortiDeceptor serial number. An administrator has 60-seconds to complete this login using the CLI command admin-pwd-reset

The only action the maintainer account has permissions to perform is to reset the passwords of super_admin accounts. Logging in with the maintainer account requires a hard boot of the FortiDeceptor.

FortiDeceptor generates event log messages when you log in with the maintainer account and for each password reset.

Non-factory SSL certificates

Non-factory SSL certificates should be used for the FortiDeceptor web management interface.

The default Fortinet factory self-signed certificates are provided to simplify initial installation and testing. Using these certificates leaves you vulnerable to man-in-the-middle attacks, where an attacker spoofs your certificate, compromises your connection, and steals your personal information.

Your administrator web portal should also be configured with a server certificate from a trusted CA.

Other recommended actions user can take

The following general administrative settings are recommended:

  • Set the idle timeout time for login users to a low value, preferably less that ten minutes.
  • In Interfaces page, limit access right for network ports.
  • Replace the certificate that is offered for HTTPS access with a trusted certificate that has the FQDN or IP address of the FortiDeceptor.
  • For local accounts on the FortiDeceptor, try upgrading to FortiDeceptor to V4.3.0 and later which enforces a default password policy with minimum complexity level.
  • Do not use shared accounts to access the FortiDeceptor. Shared accounts are more likely to be compromised, are more difficult to maintain as password updates must be disseminated to all users, and make it impossible to audit access to the FortiDeceptor.

Hardening

Appendix C - Hardening

System hardening reduces security risks by eliminating potential attack vectors and shrinking the system's attack surface. This section covers some of the actions that can be used.

Building security into FDC-OS

The FortiDeceptor operating system, FortiDeceptor hardware devices, and FortiDeceptor virtual machines (VMs) are built with security in mind, so many security features are built into the hardware and software. Fortinet maintains an ISO:9001 certified software and hardware development processes to ensure that FortiDeceptor products are developed in a secure manner.

Boot device security

The FortiDeceptor boot device in hardware devices use Fortinet’s customized bootloader which is specifically designed and implemented for the FortiDeceptor product. FortiDeceptor physical devices always boot from this boot device.

FDC-OS kernel and user processes

FortiDeceptor is a multi-process operating system with kernel and user processes. The FortiDeceptor kernel runs in a privileged hardware mode while higher-level applications run in user mode. FortiDeceptor is a closed system that does not allow the loading or execution of third-party code in the FortiDeceptor user space. All non-essential services, packages, and applications are removed.

Physical security

Install the FortiDeceptor in a physically secure location. Physical access to the FortiDeceptor can allow it to be bypassed, or other firmware could be loaded after a manual reboot.

Optionally, disable the maintainer account with CLI command set-maintainer. Note that doing this will make you unable to recover administrator access using a console connection if all of the administrator credentials are lost.

Vulnerability - monitoring PSIRT

The FortiGuard Labs Product Security Incident Response Team (PSIRT) continually tests and gathers information about Fortinet hardware and software products, looking for vulnerabilities and weaknesses. Any such findings are fed back to Fortinet's development teams and serious issues are described along with protective solutions. The PSIRT regulatory releases PSIRT advisories when issues are found and corrected. Advisories are listed at https://www.fortiguard.com/psirt.

Firmware

Keep the FortiDeceptor firmware up to date. The latest patch release has the most fixed bugs and vulnerabilities, and should be the most stable. Firmware is periodically updated to add new features and resolve important issues.

  • Read the release notes. The known issues may include issues that affect your business.
  • Do not use out of support firmware. Review the product lifecycle and plan to upgrade before the firmware expires.
  • Optionally, subscribe to the Fortinet firmware RSS feed: https://pub.kb.fortinet.com/rss/firmware.xml.

Encrypted protocols

Use encrypted protocols whenever possible, for example, SNMPv3 instead of SNMP, SMTPS instead of SMTP, SSH instead of telnet and HTTPS instead of HTTP.

Strong ciphers

FortiDeceptor already sets to use higher levels of encryption and strong ciphers for communications with Fortinet fabric devices.

FortiGuard databases

Ensure that FortiGuard databases, such as Industry Security Signature, Network Alerts Signature, AntiVirus Scanner and Signatures, AI Malware Engine and ARAE Engines are updated punctually.

Trusted Hosts

Limit access to the FortiDeceptor to a management interface on a management network. Trusted hosts can also be used to specify the IP addresses or subnets that can log in to the FortiDeceptor. When authenticating to the FortiDeceptor, implement two-factor authentication (2FA). This makes it significantly more difficult for an attacker to gain access to the FortiDeceptor.

Limit login user’s access right

The features that a login user can access should be limited to the scope of that user's work to reduce possible attack vectors. The admin profile tied to the user account defines the areas on the FortiDeceptor that the user can access, and what they can do in those areas. The list of users with access should be audited regularly to ensure that it is current.

Administration access security

Secure administrative access features:

  • SSH, Telnet, and SNMP are disabled by default. If required, these admin services must be explicitly enabled on each interface from the GUI or CLI.
  • SSHv1 is disabled by default. SSHv2 is the default version.
  • SSLv3 and TLS1.0 are disabled by default. TLSv1.1 and TLSv1.2 are the SSL versions enabled by default for HTTPS admin access.
  • HTTP is disabled by default, HTTP redirect to HTTPS is enabled by default.
  • The strong-crypto global setting is enabled by default and configures FortiDeceptor to use strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions.

Admin administrator account

All FortiDeceptor ship with a default administrator account called admin. By default, this account does not have a password. However, FortiDeceptor uses restricted password policy that enforce the admin account to change the password on the first user login and use a complex password. (This mechanism is enforced across all users upon their first log in.)

Maintainer account

Administrators with physical access to a FortiDeceptor appliance can use a console cable and a special administrator account called maintainer to log into the CLI. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password for the maintainer account is bcpb followed by the FortiDeceptor serial number. An administrator has 60-seconds to complete this login using the CLI command admin-pwd-reset

The only action the maintainer account has permissions to perform is to reset the passwords of super_admin accounts. Logging in with the maintainer account requires a hard boot of the FortiDeceptor.

FortiDeceptor generates event log messages when you log in with the maintainer account and for each password reset.

Non-factory SSL certificates

Non-factory SSL certificates should be used for the FortiDeceptor web management interface.

The default Fortinet factory self-signed certificates are provided to simplify initial installation and testing. Using these certificates leaves you vulnerable to man-in-the-middle attacks, where an attacker spoofs your certificate, compromises your connection, and steals your personal information.

Your administrator web portal should also be configured with a server certificate from a trusted CA.

Other recommended actions user can take

The following general administrative settings are recommended:

  • Set the idle timeout time for login users to a low value, preferably less that ten minutes.
  • In Interfaces page, limit access right for network ports.
  • Replace the certificate that is offered for HTTPS access with a trusted certificate that has the FQDN or IP address of the FortiDeceptor.
  • For local accounts on the FortiDeceptor, try upgrading to FortiDeceptor to V4.3.0 and later which enforces a default password policy with minimum complexity level.
  • Do not use shared accounts to access the FortiDeceptor. Shared accounts are more likely to be compromised, are more difficult to maintain as password updates must be disseminated to all users, and make it impossible to audit access to the FortiDeceptor.