Design Concept & Considerations
In an enterprise network where a wide range of IoT/IIoT/OT devices can connect, visibility and control are crucial to building a secure network in which each endpoint device holds only limited privileges. By adding FortiNAC to your network and allowing it to communicate with your network devices, such as firewalls, routers, switches, access points, SIEM, EMS and MDMs, you can build a comprehensive view of your network, users and devices.
Using FortiNAC to profile endpoint devices enables it to group devices intelligently into logical networks. For instance, devices identified as belonging to an IP camera vendor can be placed into the IP camera logical network.
To control access for the detected devices, FortiNAC can apply segmentation by instructing each managed device to assign the VLAN ID that corresponds to the logical network. IoT/IIoT/OT endpoint devices are then segmented according to their logical network groups and allowed access only to the resources permitted for that group. For instance, an IP camera connected to a switch port is grouped into the IP camera logical network; the port is assigned to the VLAN associated with IP cameras, and the camera can subsequently reach only resources whose rules allow that VLAN.
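The profiling, logical-network and VLAN assignment flow described above, modelled as an added illustration in Python. This is not FortiNAC's own code or API; the OUI table, vendor names, logical networks, VLAN IDs, hostnames and allow rules are all constructed sample data, and real profiling draws on far more signals than the MAC prefix used here. The example also adds a default-deny rule check and a quarantine VLAN for unprofiled devices, which is the behaviour a defender would want to verify when reviewing a segmentation design.

```python
"""Toy model of NAC-driven segmentation: profile an endpoint, map it to a
logical network, derive the port VLAN, and check what it may reach.
Added illustration only, not FortiNAC's own logic or API. All vendor
prefixes, networks, VLAN IDs, hostnames and rules below are constructed.
"""
from dataclasses import dataclass

# Constructed OUI table: first three octets of the MAC address -> vendor label.
# Real profiling uses many more signals (DHCP fingerprint, SNMP, traffic);
# this example uses only the OUI to keep the flow visible.
OUI_VENDORS = {
    "00:11:22": "ExampleCam",   # hypothetical IP camera vendor
    "00:33:44": "ExamplePLC",   # hypothetical industrial controller vendor
}

# Vendor -> logical network, and logical network -> VLAN ID (constructed).
LOGICAL_NETWORK_BY_VENDOR = {"ExampleCam": "ip-cameras", "ExamplePLC": "ot-controllers"}
VLAN_BY_LOGICAL_NETWORK = {"ip-cameras": 110, "ot-controllers": 120, "quarantine": 999}

# Firewall-style allow rules keyed by source VLAN: (destination, port).
# Anything not listed is denied, so the quarantine VLAN reaches nothing.
ALLOW_RULES = {
    110: {("nvr.example.internal", 554)},    # cameras may stream to the NVR only
    120: {("scada.example.internal", 502)},  # controllers may talk Modbus to SCADA
}


@dataclass(frozen=True)
class PortAssignment:
    switch: str
    port: str
    mac: str
    logical_network: str
    vlan: int


def profile_device(mac: str) -> str:
    """Return the logical network for a MAC; unknown devices land in quarantine."""
    oui = mac.lower()[:8]
    vendor = OUI_VENDORS.get(oui)
    return LOGICAL_NETWORK_BY_VENDOR.get(vendor, "quarantine")


def assign_port(switch: str, port: str, mac: str) -> PortAssignment:
    """Derive the VLAN the NAC would push to the switch port for this endpoint."""
    net = profile_device(mac)
    return PortAssignment(switch, port, mac.lower(), net, VLAN_BY_LOGICAL_NETWORK[net])


def is_allowed(vlan: int, destination: str, port: int) -> bool:
    """Evaluate the default-deny rule set for traffic sourced from a VLAN."""
    return (destination, port) in ALLOW_RULES.get(vlan, set())


def plan(events):
    """Turn (switch, port, mac) link-up events into port assignments."""
    return [assign_port(*e) for e in events]


if __name__ == "__main__":
    # Constructed link-up events, as the NAC might learn them from a switch.
    for a in plan([("sw1", "Gi1/0/1", "00:11:22:AA:BB:CC"),
                   ("sw1", "Gi1/0/2", "00:33:44:DE:AD:01"),
                   ("sw2", "Gi1/0/7", "AA:BB:CC:00:00:01")]):
        print(f"{a.switch} {a.port} {a.mac} -> {a.logical_network} (VLAN {a.vlan})")
    print(is_allowed(110, "nvr.example.internal", 554))    # True
    print(is_allowed(110, "scada.example.internal", 502))  # False: cross-group blocked
```

The point of the `is_allowed` check is that the VLAN is only the enforcement handle; the access a device actually gets is whatever the downstream rules grant to that VLAN, so a review of the design should confirm that each logical network's VLAN has an explicit allow list and that the unprofiled (quarantine) VLAN has none.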
Design considerations
- The FortiNAC solution is based on two main components, the FortiNAC Control & Application Appliance and the FortiNAC Manager. Both components are available in virtual and physical form factors.
- FortiNAC Control & Application is the component that manages the network devices, such as routers, switches, wireless LAN controllers and firewalls.
- In most cases, the connection between FortiNAC and the managed device is based on SNMP and CLI (SSH/Telnet). In some cases, however, the connection is handled by REST API, or by RADIUS for wireless LAN controllers. Essentially, the communication protocol depends on the capabilities of the managed network device.
- All deployments are out-of-band, so FortiNAC can manage all devices over routed connections. FortiNAC does not need to be deployed in the same Layer 2 network as the managed device.
- FortiNAC offers three licensing tiers: Base, Plus and Pro. This guide is aimed at customers who have purchased the Plus license.