That's really awesome Samuel, thank you for your informative and sensitive video that gave me real info.
Great video man! Very informative.
Good morning! I've been following you on your channel for a long time and I'm really interested in the concepts you present, but I have a problem: I would like to implement a network access policy based on ZTNA by integrating a FortiGate connected to FortiNAC with Active Directory data. But I don't really know how to proceed. And especially the test images. I really need the test images for some explanation, and thank you very much.
Hey, awesome video, I now conceptually understand how FortiNAC works. An example situation that you could explain per flow would have been helpful though!
Great video
I would like the book from which you explain this lecture, please.
Hi, thanks for the video. I'm working with Cisco ISE and I'm interested in other solutions. How would you compare FortiNAC with Fortinet ZTNA?
From a high level:
Both are implementations of the Zero Trust principle.
FortiNAC protects devices connecting to the network (specifically headless/IoT/OT devices). Fortinet ZTNA is more focused on remote access, and requires an agent (no headless/IoT/OT devices supported).
NAC protects network connectivity, ZTNA protects specific applications.
Hi Samuel, do you offer full FortiNAC training? Thank you.
Good video thank you.
Hello Tomball, TX :)
This is good, but what kind of policies are you talking about?
Let's say one of the employees was pissed off, having a problem with his boss, and his boss fired him, and this employee is a smart ass: he mirror-copied his device onto an HDD, USB or whatever. After he leaves the company he will install the mirrored drive on another computer with all the policies, and he can even copy the MAC address that he had on the old PC, so he will have access to the network and screw up everything. What I am pointing at here is the most important thing, which is security, and we need a kind of security that can't be accessed in any way. As we know, there is a security called ACL (access control list) that works on MAC addresses, but unfortunately a MAC address can be copied and edited, so for me this is not security anymore, but a new security based on the device serial number, which can't be edited, is something we can rely on for security. So at least we know that no matter what happens, it's impossible to access a network if the serial number is not found on the switch itself, even before reaching the server and searching for the rest of the policies that you implement in your system.
The question is: do you think it's possible to have a device serial number ACL installed on the switch itself, working together with the MAC address ACL, in order to have stronger security?
Sorry, you're not getting it right. FortiNAC takes control of the switches and is able to change the VLAN you're connected to. It also sends CoA or Disconnect messages to the wireless controllers to manage wireless connections in the same way. So, let's say a disgruntled employee wants to create havoc on the former employer's network and clones his former PC's hard drive: he will not have valid credentials for sure, and one of the enforcements FortiNAC does is authentication. Even if the hacker wannabe finds his way into the office or connects to the wireless LAN from just the other side of a wall, he will end up in one of the protected networks.
The real issue is when the disgruntled employee had FortiNAC administrative rights: in that case he would know the policies and therefore would probably be able to set up his PC to resemble a printer or some other device that bypasses authentication. You want to have LAN segregation in place for these specific scenarios to minimize the attack surface (the hacker will at least enter a VLAN that is segregated and protected by a firewall, so he will be capable of doing a lot less damage than entering the normal clients' network).
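The exchange above contrasts a MAC-based ACL with what a NAC actually enforces (authentication first, then profiling, each mapped to a VLAN, with a CoA or port change as the enforcement action). The following is an added example written for this thread, not code from the video, from FortiNAC, or from any commenter; it models that decision in plain Python with constructed sample data (the MAC list, user store, device names and VLAN labels are all hypothetical, and no vendor API is called). It shows why a cloned MAC passes a MAC ACL but still lands in a quarantine VLAN under NAC, and why a PC posing as a printer only reaches the segregated IoT VLAN.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data (not from the page): the "known good" MAC list a
# plain MAC ACL relies on, and the account store an 802.1X-style check uses.
KNOWN_MACS = {"00:11:22:33:44:55"}          # the departed employee's old PC
ACCOUNTS = {"alice": "active", "bob": "disabled"}  # bob disabled at offboarding

# Hypothetical VLAN plan: the client VLAN, a firewalled VLAN for headless
# devices, and a quarantine/registration VLAN for anything unverified.
VLAN_CORP, VLAN_IOT, VLAN_QUARANTINE, VLAN_BLOCKED = "corp", "iot-segregated", "quarantine", "blocked"


@dataclass
class Endpoint:
    mac: str
    username: Optional[str]   # None means the device never authenticated
    profile: str              # what the device looks like to profiling
    medium: str = "wired"     # "wired" (switch port) or "wireless" (WLC)


def mac_acl_decision(ep: Endpoint) -> str:
    """The commenter's proposal: admit a device purely by its MAC address.
    A copied MAC is indistinguishable from the original, so it is admitted."""
    return VLAN_CORP if ep.mac in KNOWN_MACS else VLAN_BLOCKED


def nac_decision(ep: Endpoint) -> str:
    """Model of NAC enforcement as described in the reply: authentication is
    checked first; a headless device that cannot authenticate is profiled and
    placed in a segregated VLAN; anything else goes to quarantine. The MAC
    address is never used as proof of identity."""
    if ep.username is not None:
        return VLAN_CORP if ACCOUNTS.get(ep.username) == "active" else VLAN_QUARANTINE
    if ep.profile in {"printer", "iot"}:
        # Profiling can be fooled by a disguised PC; segregation limits the
        # damage because this VLAN sits behind a firewall, not with clients.
        return VLAN_IOT
    return VLAN_QUARANTINE


def enforcement_action(ep: Endpoint, vlan: str) -> str:
    """How the decision is pushed out: a VLAN change on the switch port for
    wired devices, a CoA (or Disconnect) to the wireless controller otherwise."""
    if ep.medium == "wired":
        return f"switch: move port of {ep.mac} to VLAN {vlan}"
    return f"wlc: CoA for {ep.mac} -> VLAN {vlan}"


def run_scenarios() -> Dict[str, Dict[str, str]]:
    """Evaluate the thread's scenarios under both approaches (constructed)."""
    scenarios = {
        # Cloned disk + cloned MAC, no valid login (account disabled).
        "cloned_pc_old_mac": Endpoint("00:11:22:33:44:55", "bob", "workstation"),
        # Same clone, but the user simply never authenticates.
        "cloned_pc_no_login": Endpoint("00:11:22:33:44:55", None, "workstation"),
        # Legitimate current employee on a brand-new machine.
        "current_employee": Endpoint("aa:bb:cc:dd:ee:ff", "alice", "workstation"),
        # The "real issue": a PC set up to look like a printer, over wireless.
        "pc_posing_as_printer": Endpoint("00:11:22:33:44:55", None, "printer", "wireless"),
    }
    results = {}
    for name, ep in scenarios.items():
        vlan = nac_decision(ep)
        results[name] = {
            "mac_acl": mac_acl_decision(ep),
            "nac": vlan,
            "action": enforcement_action(ep, vlan),
        }
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:22s} MAC-ACL={outcome['mac_acl']:8s} NAC={outcome['nac']:15s} {outcome['action']}")
```

The useful comparison is the first two rows: the MAC ACL admits the cloned machine to the client VLAN, while the NAC model sends it to quarantine because neither a disabled account nor no authentication at all satisfies the first check. The last row reflects the reply's caveat: profiling is the weaker control, so the disguised PC does get a VLAN, but a segregated one, which is exactly why the reply asks for LAN segregation behind a firewall.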