Fortinet Security Fabric in Practice. Part 2. FortiSwitch
Hello! In our last article, we described the general concept of building a network on the company’s products Fortinet – Fortinet Security Fabric. We have already described almost all products from this concept. Only FortiSwitch and FortiAP remained unlit. Today we want to tell you about FortiSwitch – a switch from the company Fortinet… In this article, we will look at the possible ways to manage this product, its main functionality, as well as the benefits when using it as part of the Fortinet Security Fabric.
FortiSwitch has two deployment options – Managed and Standalone. In the first case, it is completely controlled through FortiGate and actually serves to increase the number of its physical ports. This allows FortiGate security functionality to be applied across all FortiSwitch interfaces. Information about devices connected to FortiSwitch also becomes available:
If FortiSwitch in this mode is installed at the access level, FortiGate will be able to receive information about each end device that will be connected to the FortiSwitch. It will also automate the blocking of connected devices when a threat is detected.
When deployed in Standalone mode, FortiSwitch is managed through its own GUI or CLI interface. This option is used quite rarely: usually FortiSwitch is used precisely in order to get all the benefits of Fortinet Security Fabric. Therefore, we will not consider this option.
It is also possible to manage FortiSwitch products from the cloud or using the FortiManager product, but we are dealing with one FortiSwitch, and these methods are usually used with a large number of products – therefore we will not consider these possibilities either.
Now let’s discuss the next question – what is FortiSwitch capable of? It has quite a lot of available functions, so we will only touch on the main ones. A complete list of features can be found in the datasheet. There you can also check if a particular model supports specific functionality.
DHCP snooping – allows you to block DHCP traffic inherent in DHCP servers from untrusted sources (for example, from ports connected to user devices), from which attacks or other malicious actions can occur. This is accomplished by selecting trusted and untrusted ports. Trusted ports are those ports that are connected to existing DHCP servers, the rest of the ports are marked as untrusted:
Spanning Tree Protocol (STP) is a link management protocol that builds a loop-free L2 topology by blocking redundant links:
Loop Guard – also helps prevent the formation of loops. When Loop guard is activated on the switch port, it periodically sends out service packets (LGDP – Loop Guard Data Packets). If the switch that sent this packet receives this packet back after some time, then a loop has appeared in the network. Therefore, the port from which the service packet was sent is blocked. This functionality should work with STP, not replace it.
Edge Port – this functionality can be activated on ports that are connected to end devices (user computers, etc.). First, these ports will become operational faster (since they do not need to participate in the STP process). Second, changing the port state will not affect the current state of the STP process.
STP BPDU Guard – protects Edge ports from loops. BPDU Guard disables the port when it receives BPDUs, because receiving BPDUs means that a switch was connected to the port by mistake. This in turn can lead to a loop.
STP Root Guard – Prevents the interface on which it is activated from becoming root. In this case, BPDUs received by this interface are ignored or discarded. Without using this option, any switch participating in STP can become root. This can lead to large volumes of traffic being transmitted over sub-optimal or unsafe channels. Using this option will ensure that the required network topology is observed.
Storm Control is a mechanism designed to detect and block L2 storms on the network. Works by setting maximum values for unknown-unicast, unknown-multicast and broadcast traffic.
FortiSwitch Network Access Control – FortiSwitch allows you to configure access control policies that can check devices against various criteria, membership of a specific user group, or the presence of EMS tags. Devices that meet the terms of these policies are defined in a specific VLAN, or individually configured.
FortiSwitch Security Policies – FortiSwitch also supports IEEE 802.1x authentication for access control. If this mechanism is used, the device connected to the FortiSwitch must be authenticated by the RADIUS server to gain access to the network.
When using FortiSwitch in conjunction with FortiGate, there is one interesting feature – Access VLANs. Access VLAN is a different concept in FortiSwitch terminology. Here it means that all traffic between end devices (even those connected to one FortiSwitch and one VLAN) can communicate with each other only through FortiGate. This allows you to control and inspect traffic between VLANs. When using Access VLANs to allow traffic between VLANs or within the same VLAN, you need to create security policies on FortiGate, where you can apply various security mechanisms (antivirus, IPS, application control, etc.).
As mentioned earlier, using the FortiSwitch as part of the Fortinet Security Fabric can provide visibility to devices running on the network. It looks something like this:
Also, when FortiGate, FortiAnalyzer and FortiSwitch products interact, it becomes possible to add devices to quarantine by MAC address both manually and automatically when malicious activity is detected:
The Security Rating engine can validate the configuration of FortiSwitch included in the Fortinet Security Fabric against best practices. If certain problems are identified, the required settings can be selectively applied from a single window:
FortiSwitch is not limited to these capabilities – we have described only the most basic functionality, as well as what we will touch on in the future. For more information on the capabilities of FortiSwitch, see the datasheets and the admin guide. The next product we’ll look at is the FortiAPs. After that, we can move on to building a secure network based on Fortinet. In order not to miss anything, stay tuned to our resources: