Secured LAN

7.2.3

Secured LAN

The access layer is where the first security measures get enforced on the end devices when access must be revoked, granted, or restricted. This layer is where it is most important to apply network access control, with or without 802.1X authentication being applied on the access ports. Detection, visibility, and authentication are very important for the security of the organization so that users and devices get categorized and protected, as well as different access rules applied (which can also be tracked in case of an attack), while protecting the LAN edge of the network. A potential attacker might enter a building to plug a device into an enabled network port and try to gain access to the network. Potential attackers might even attack remotely, for example, by using wireless extenders to provide access from the parking lot or from a neighboring building. To get access to resources, you need to require more than just physical connections to the network.

Fortinet recommends using 802.1X authentication for wired and wireless access. 802.1X is an IEEE standard used for restricting unauthorized access to the network by making users (and devices if needed) authenticate before they are allowed onto the network. It relies on an authentication server (usually using RADIUS, such as the FortiAuthenticator server) to validate the credentials based on a local or remote database, which is often linked to Microsoft Active Directory through the Lightweight Directory Access Protocol (LDAP) in typical office environments.

Managed FortiSwitch units support EAP-PEAP, EAP-TTLS, EAP-TLS, and EAP-MD5. Acting as authenticators, the FortiSwitch units relay the user information (credentials or a certificate) from the supplicant on the client device through the FortiGate device over FortiLink. Until the RADIUS/Diameter server confirms and validates the user identity, the FortiSwitch units open only the limited ports required for that exchange and nothing else; the validation usually carries a VLAN linked to that user in the Access-Accept response. This VLAN can then be shared between wired and wireless access, making it easier to implement segmentation and policies based on the user itself.

When employees change jobs, you change the VLAN associated with the employee as a single point of configuration to inherit the rules defined for the other colleagues in the same department or job role. You can even configure a guest VLAN for unauthorized users and a VLAN for users whose authentication was unsuccessful, leading to very limited network access or a walled garden space. Using VLANs removes the burden and cost of having to deploy a layer-3 infrastructure at the access or aggregation layer in the network and helps simplify applying rules and restrictions in parallel with reducing the broadcast domain per type of user (or per team) instead of geographically.

This design provides location-independent network access with the following advantages:

  • Allows for a simpler design than complex layer-3 infrastructures because a user will be part of the same VLAN wherever they access the network (wired or wireless) across the entire campus without the need to change the userʼs subnet.

  • Provides the necessary secure option of forwarding all user traffic to the firewalls for inspection before the traffic is allowed to communicate with devices and users in the same VLAN (intra-VLAN traffic).

  • Offers real-time updated security with smart application identification (optional) being performed through deep-packet inspection, even for apps that are encrypted (and for several thousands of them).

  • Improves the employee experience and productivity by applying the same set of rules through the network at the intranet level.

Obviously, some endpoints do not support 802.1X authentication (such as headless devices, IoT, and old endpoints) while still needing network connectivity, and they still need to be authenticated and placed in their corresponding network segments to perform their functions. To accommodate those, the access layer must be flexible and dynamic enough to admit these devices without compromising security. This balance is achieved through the use of dynamic port policies (DPPs), a native function of FortiSwitch units when managed by a FortiGate device. Features like embedded NAC when managed through FortiLink are also possible, even if a full NAC solution is not implemented. MAC-based authentication mechanisms are not recommended because they are less secure, but they are still available.

It is also in the access layer that devices can be prevented from taking over roles of other devices on the network, such as Dynamic Host Configuration Protocol (DHCP) servers, which could greatly disrupt the operations of other endpoints in the same VLAN or, even worse, provide them with the wrong settings and divert the traffic through unsanctioned devices where potential threat actors might try to intercept it.

The FortiSwitch units, managed by a FortiGate device using FortiLink, offer a solution to tackle all access requirements in a seamless, headache-free, and smooth implementation. The following are some of the built-in features on the FortiSwitch units:

  • DHCP snooping to prevent devices from becoming rogue DHCP servers in the network.

  • Dynamic Address Resolution Protocol (ARP) inspection (DAI) and lockdown prevent man-in-the-middle attacks and IP address spoofing by checking that packets from untrusted ports have a valid IP-to-MAC-address binding. DAI allows only valid ARP requests and responses to be forwarded.

  • Port flap guard detects how many times a port changes status during a specified number of seconds, and the system shuts down the port if necessary. This helps to avoid unwanted network topology changes and convergence actions due to threat actors trying different things on the port or connecting rogue routing/switching devices that could pose a risk to the network convergence and topology.

  • Storm control uses the data rate (packets/second) of the link to measure traffic activity and prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on a port. When the data rate exceeds the configured threshold, storm control drops the excess traffic.

  • A configurable learning limit for dynamic MAC addresses on ports, trunks, and VLANs (port security).

  • A new FortiGuard service identifies IoT devices through an IoT Detection Service license.

  • Static, dynamic, and scheduled access control lists (ACLs) are available to control traffic flows in very low-level detail. You can use ACLs to redirect traffic to different ports, read/mark the quality of service (QoS), rate-limit specific traffic, or even quarantine a device.

Loops in a layer-2 network result in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard and Bridge Protocol Data Unit (BPDU) guard help to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops, for example, if an unmanaged device that does not support the Spanning Tree Protocol (STP) gets connected to the infrastructure.
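The following FortiOS CLI fragment is an added example, not configuration from this guide, showing how the protections listed above (DHCP snooping, DAI, port flap guard, storm control, MAC learning limit, loop guard, and BPDU guard) are enabled for a managed FortiSwitch. The switch name, VLAN name, port numbers, and thresholds are assumed values, and the command keys follow the FortiOS 7.2 CLI as I recall it; verify them against the CLI reference for your build.

```fortios
# Assumed names: VLAN interface "staff-vlan", managed switch "S124EP-ACCESS-01",
# access port "port1", uplink "port48". Thresholds are example values.

# 1. DHCP snooping and DAI are enabled per VLAN. Bindings are learned from DHCP
#    exchanges that cross trusted ports; ARP seen on untrusted ports must match
#    an IP-to-MAC binding or it is dropped.
config system interface
    edit "staff-vlan"
        set switch-controller-dhcp-snooping enable
        set switch-controller-dhcp-snooping-verify-mac enable
        set switch-controller-arp-inspection enable
    next
end

# 2. Storm control: drop broadcast, unknown-unicast and unknown-multicast
#    traffic above 500 packets/second on ports that reference this policy.
config switch-controller storm-control-policy
    edit "access-storm"
        set storm-control-mode override
        set rate 500
        set unknown-unicast enable
        set unknown-multicast enable
        set broadcast enable
    next
end

# 3. Per-port hardening on the managed switch.
config switch-controller managed-switch
    edit "S124EP-ACCESS-01"
        config ports
            edit "port1"                          # endpoint-facing access port
                set dhcp-snooping untrusted       # DHCP server replies are dropped here
                set arp-inspection-trust untrusted
                set learning-limit 2              # host plus one daisy-chained phone
                set loop-guard enabled
                set stp-bpdu-guard enabled        # a received BPDU shuts the port
                set stp-bpdu-guard-timeout 5      # auto-recover after 5 minutes (0 = manual)
                set flapguard enable
                set flap-rate 5                   # 5 link changes ...
                set flap-duration 30              # ... within 30 seconds shuts the port
                set flap-timeout 0                # 0 = stays down until re-enabled
                set storm-control-policy "access-storm"
            next
            edit "port48"                         # uplink toward the distribution layer
                set dhcp-snooping trusted         # the real DHCP server is reached this way
                set arp-inspection-trust trusted
                set loop-guard disabled
                set stp-bpdu-guard disabled
            next
        end
    next
end
```

FortiLink uplinks that the FortiGate provisions itself are handled automatically; the explicit trusted settings above are only needed for uplinks you define by hand.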

Ultimately, you can block intra-VLAN traffic (traffic within the same VLAN or broadcast domain) by aggregating traffic using the FortiGate device that exclusively manages the whole fabric of switches. This prevents direct client-to-client traffic visibility at the layer-2 VLAN layer. Clients can only communicate with the FortiGate firewall. After the client traffic reaches the FortiGate controller, the firewall then determines whether to allow various levels of access to the client by shifting the clientʼs network VLAN as appropriate, if allowed by a firewall policy and proxy ARP is enabled. This is useful in critical or very sensitive environments, such as operational technology (OT) networks, where any potential security breach that might spread easily with lateral movements must be rapidly contained or preferably prevented.

Automation can also play a key role in constraining and remediating security breaches in real time. In that regard, the FortiSwitch units can enforce dynamic and flexible quarantine policies directly from the access ports or WiFi access. From simply isolating a compromised device to rate-limiting its traffic or forwarding its user to a captive portal, an endpoint can be confined for further inspection when it triggers suspicious activity. Moreover, this quarantine can be automated when the FortiSwitch unit and/or FortiAP unit managed by a FortiGate device works in collaboration with a FortiAnalyzer unit. If the FortiAnalyzer unit has a valid license for Indicators of Compromise (IoC), it inspects the deviceʼs traffic logs and issues a notification to the FortiGate device whenever those IoCs are found on the endpoints. This event can trigger an automatic action on the FortiGate device that places the device into quarantine on the access layer (wired and wireless).

Optionally, FortiSwitch ports can also be shared between virtual domains (VDOMs). VDOMs allow you to divide a FortiGate device into two or more virtual firewalls that act as multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations. VDOMs require careful planning, but they allow for designs (out of scope for this guide) with multitenancy in the same building, even when using a common network and security infrastructure. A single company inside a campus can use VDOMs to isolate traffic from independent business units or departments without having to multiply the network security and infrastructure elements. VDOMs allow for greater flexibility in the life cycle of the institution.

Network access control

Using the FortiGate device as a switch controller for the network adds the built-in NAC without the need for any license. The FortiGate device is responsible for assigning a device to the right VLAN based on the NAC policy when a device first connects to a switch port or when a device goes from offline to online. NAC provides a secure way to close down ports and allow ports to pass traffic only after devices get connected. Together, NAC and 802.1X authentication provide the most important part of zero-trust network access (ZTNA) at the access level without requiring a complex and dedicated solution from a third-party vendor and without forcing the use of FortiNAC for extended scenarios (which is primarily used in a multiple-vendor environment). Without FortiGate NAC (such as in competitorsʼ switch deployment recommendations), the on-site access and device layer remains unprotected and an important potential threat.

You can configure a FortiSwitch NAC policy or DPP within FortiOS to match devices automatically based on the specified criteria, devices belonging to a specified user group, or devices with a specified FortiClient EMS tag. Devices that match the policy are assigned to a specific VLAN or have port-specific settings applied to them (such as QoS, LLDP profiles, VLAN policies, and 802.1X profiles).
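As an added example (not from this guide), the following FortiOS CLI fragment combines the two mechanisms described above: an 802.1X security policy for supplicant-capable users, with the guest and authentication-failure VLANs, and a NAC policy that places a headless device category into its own VLAN through a MAC policy. All names, the RADIUS address, and the vendor string are assumed or constructed; the command keys follow the FortiOS 7.2 CLI as I recall it and should be checked against the CLI reference for your build.

```fortios
# Assumed names: FortiLink interface "fortilink", RADIUS server "fac-radius"
# (a FortiAuthenticator), VLAN interfaces "guest-vlan", "authfail-vlan" and
# "camera-vlan", managed switch "S124EP-ACCESS-01". Constructed values are marked.

# 1. RADIUS server and the user group that 802.1X ports authenticate against.
config user radius
    edit "fac-radius"
        set server "10.0.0.5"                   # constructed address
        set secret <radius-shared-secret>       # placeholder
    next
end
config user group
    edit "staff-802.1x"
        set member "fac-radius"
    next
end

# 2. 802.1X policy: the VLAN returned in the Access-Accept is applied to the
#    port (framevid-apply). A port with no supplicant falls into the guest VLAN
#    after 30 s; a failed authentication lands in the auth-fail VLAN.
config switch-controller security-policy 802-1X
    edit "dot1x-access"
        set security-mode 802.1X
        set user-group "staff-802.1x"
        set mac-auth-bypass disable             # MAB is weaker; keep it off by default
        set eap-passthru enable
        set framevid-apply enable
        set guest-vlan enable
        set guest-vlan-id "guest-vlan"
        set guest-auth-delay 30
        set auth-fail-vlan enable
        set auth-fail-vlan-id "authfail-vlan"
    next
end

# 3. NAC for devices that cannot run a supplicant: a matching device is moved
#    to the camera VLAN by the MAC policy the NAC policy references.
config switch-controller mac-policy
    edit "camera-policy"
        set fortilink "fortilink"
        set vlan "camera-vlan"
    next
end
config user nac-policy
    edit "ip-cameras"
        set category device
        set hw-vendor "Example-Cam"             # constructed vendor string
        set switch-fortilink "fortilink"
        set switch-mac-policy "camera-policy"
    next
end

# 4. Bind the policies to ports: port1 runs 802.1X for user endpoints; port2 is
#    a NAC port that sits in the onboarding VLAN until a NAC policy matches.
config switch-controller managed-switch
    edit "S124EP-ACCESS-01"
        config ports
            edit "port1"
                set port-security-policy "dot1x-access"
            next
            edit "port2"
                set access-mode nac
            next
        end
    next
end
```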

NAC includes Fortinet access points (FortiAP units), which can be automatically recognized and provisioned through the use of the embedded and free NAC without requiring any external program or license. This greatly simplifies the deployment of Fortinet APs on a FortiSwitch fabric infrastructure.

Moreover, an integrated FortiGate NAC function is also provided to the FortiAP networks; this function uses a shared set of NAC policies with FortiSwitch units to simplify the deployment as a fabric solution. The NAC policy can be applied based on data from the user device list. There is also a wizard to help with configuring FortiGate NAC settings and defining a FortiSwitch NAC VLAN.

The following figure shows examples of patterns in FortiSwitch NAC policies that devices must match.

The following figure shows a list of devices that matched the patterns in FortiSwitch NAC policies.

The following figure shows a NAC policy applied to a FortiSwitch port to which a FortiAP unit is connected.