Fortinet white logo
Fortinet white logo

Hardening

Hardening

System hardening reduces security risk by eliminating potential attack vectors and shrinking the system's attack surface. This section covers some actions that can be used.

Building security into FortiSandbox

The FortiSandbox firmware, FortiSandbox hardware devices, and FortiSandbox virtual machines (VMs) are built with security in mind, so many security features are built into the hardware and software. Fortinet maintains an ISO:9001 certified software and hardware development processes to ensure that FortiSandbox products are developed in a secure manner.

Physical security

Install the FortiSandbox in a physically secure location. Physical access to the FortiSandbox can allow it to be bypassed, or other firmware could be loaded after a manual reboot. Optionally, disable the maintainer account with CLI command set-maintainer. Note that doing this will make you unable to recover administrator access using a console connection as all of the administrator credentials are lost.

Vulnerability - monitoring PSIRT

Product Security Incident Response Team (PSIRT) continually tests and gathers information about Fortinet hardware and software products, looking for vulnerabilities and weaknesses. The findings are sent to the Fortinet development teams, and serious issues are described, along with protective solutions, in advisories listed at https://www.fortiguard.com/psirt.

Firmware

Keep the FortiSandbox firmware up to date. The latest patch release has the most fixed bugs and vulnerabilities, and should be the most stable. Firmware is periodically updated to add new features and resolve important issues.

  • Read the release notes. The known issues may include issues that affect your business.
  • Do not use out of support firmware. Review the product lifecycle and plan to upgrade before the firmware expires.
  • Optionally, subscribe to the Fortinet firmware RSS feed: https://pub.kb.fortinet.com/rss/firmware.xml.

Encrypted protocols

Use encrypted protocols whenever possible, for example, SNMPv3 instead of SNMP, SMTPS instead of SMTP, ICAP over SSL instead of ICAP, SSH instead of telnet,HTTPS instead of HTTP for Webpage visit and JSON API calls, and encrypted logging instead of TCP.

Strong ciphers

Force higher levels of encryption and strong ciphers for HTTPS access to web site and JSON API calls:

set-tlsver -e3

FortiSandbox already sets to use higher levels of encryption and strong ciphers for communications with Fortinet fabric devices.

FortiGuard databases

Ensure that FortiGuard databases and engines, such as AntiVirus, Network Alerts, Rating and Tracer, are updated punctually.

Penetration testing

Test your FortiSandbox to try to gain unauthorized access, or hire a penetration testing company to verify your work.

Trusted Hosts

Limit access to the FortiSandbox to a management interface on a management network. Trusted hosts can also be used to specify the IP addresses or subnets that can log in to the FortiSandbox. When authenticating to the FortiSandbox, implement two-factor authentication (2FA). This makes it significantly more difficult for an attacker to gain access to the FortiSandbox.

Limit login user’s access right

The features that a login user can access should be limited to the scope of that user's work to reduce possible attack vectors. The admin profile tied to the user account defines the areas on the FortiSandbox that the user can access, and what they can do in those areas. The list of users with access should be audited regularly to ensure that it is current.

Other recommended actions user can take

The following general administrative settings are recommended:

  • Set the idle timeout time for login users to a low value, preferably less than ten minutes.
  • In Interfaces page, limit access rights for network ports.
  • Replace the certificate that is offered for HTTPS access with a trusted certificate that has the FQDN or IP address of the FortiSandbox.
  • Do not use shared accounts to access the FortiSandbox. Shared accounts are more likely to be compromised, are more difficult to maintain as password updates must be disseminated to all users, and make it impossible to audit access to the FortiSandbox.
  • Set an encryption key for backed up configuration files with CLI command set-cfg-backup-key.

Hardening

Hardening

System hardening reduces security risk by eliminating potential attack vectors and shrinking the system's attack surface. This section covers some actions that can be used.

Building security into FortiSandbox

The FortiSandbox firmware, FortiSandbox hardware devices, and FortiSandbox virtual machines (VMs) are built with security in mind, so many security features are built into the hardware and software. Fortinet maintains an ISO:9001 certified software and hardware development processes to ensure that FortiSandbox products are developed in a secure manner.

Physical security

Install the FortiSandbox in a physically secure location. Physical access to the FortiSandbox can allow it to be bypassed, or other firmware could be loaded after a manual reboot. Optionally, disable the maintainer account with CLI command set-maintainer. Note that doing this will make you unable to recover administrator access using a console connection as all of the administrator credentials are lost.

Vulnerability - monitoring PSIRT

Product Security Incident Response Team (PSIRT) continually tests and gathers information about Fortinet hardware and software products, looking for vulnerabilities and weaknesses. The findings are sent to the Fortinet development teams, and serious issues are described, along with protective solutions, in advisories listed at https://www.fortiguard.com/psirt.

Firmware

Keep the FortiSandbox firmware up to date. The latest patch release has the most fixed bugs and vulnerabilities, and should be the most stable. Firmware is periodically updated to add new features and resolve important issues.

  • Read the release notes. The known issues may include issues that affect your business.
  • Do not use out of support firmware. Review the product lifecycle and plan to upgrade before the firmware expires.
  • Optionally, subscribe to the Fortinet firmware RSS feed: https://pub.kb.fortinet.com/rss/firmware.xml.

Encrypted protocols

Use encrypted protocols whenever possible, for example, SNMPv3 instead of SNMP, SMTPS instead of SMTP, ICAP over SSL instead of ICAP, SSH instead of telnet,HTTPS instead of HTTP for Webpage visit and JSON API calls, and encrypted logging instead of TCP.

Strong ciphers

Force higher levels of encryption and strong ciphers for HTTPS access to web site and JSON API calls:

set-tlsver -e3

FortiSandbox already sets to use higher levels of encryption and strong ciphers for communications with Fortinet fabric devices.

FortiGuard databases

Ensure that FortiGuard databases and engines, such as AntiVirus, Network Alerts, Rating and Tracer, are updated punctually.

Penetration testing

Test your FortiSandbox to try to gain unauthorized access, or hire a penetration testing company to verify your work.

Trusted Hosts

Limit access to the FortiSandbox to a management interface on a management network. Trusted hosts can also be used to specify the IP addresses or subnets that can log in to the FortiSandbox. When authenticating to the FortiSandbox, implement two-factor authentication (2FA). This makes it significantly more difficult for an attacker to gain access to the FortiSandbox.

Limit login user’s access right

The features that a login user can access should be limited to the scope of that user's work to reduce possible attack vectors. The admin profile tied to the user account defines the areas on the FortiSandbox that the user can access, and what they can do in those areas. The list of users with access should be audited regularly to ensure that it is current.

Other recommended actions user can take

The following general administrative settings are recommended:

  • Set the idle timeout time for login users to a low value, preferably less than ten minutes.
  • In Interfaces page, limit access rights for network ports.
  • Replace the certificate that is offered for HTTPS access with a trusted certificate that has the FQDN or IP address of the FortiSandbox.
  • Do not use shared accounts to access the FortiSandbox. Shared accounts are more likely to be compromised, are more difficult to maintain as password updates must be disseminated to all users, and make it impossible to audit access to the FortiSandbox.
  • Set an encryption key for backed up configuration files with CLI command set-cfg-backup-key.