This is part two of our look at the User layer, which focuses on user authentication. If you missed it, make sure to read part 1 to find out about how you can protect your network from your users’ own actions.
Also, you can catch up on the entire Layered Security series by either reading my past blog posts or checking out the PDF version, which will be updated to include the User Layer soon.
Last time we talked about user education, as well as a range of FortiOS security features that you can use to protect your network from threats that occur because of internal behavior. This time, the focus is authenticating your users, to make sure that you know who each user is and that you have control over what they’re able to do on the network.
User authentication has many benefits. It helps you make certain that only the right people are allowed to access your network and increases network visibility by adding user information to your logs. It also can give your users the freedom to use different devices to access your network - though if you aren’t comfortable with that, remember that in FortiOS 5.2 you can mix user authentication with a BYOD policy (if you don’t know what that is, go back to part 1).
Once you’ve decided to add user authentication to your network, there are many options available for you and a lot of decisions to make. Do you need an authentication server, or will your FortiGate do the trick? Do you want to use two-factor authentication, or maybe certificate authentication? And what the heck is single sign-on anyway?
Local vs external authentication
Unless you have a lot of users who use their credentials to log into multiple resources, you can probably use local authentication, with usernames and passwords stored directly on your FortiGate.
However, if you’re running the network for a large organization, especially those with multiple office sites, you may find it easier to use an external authentication server, such as a FortiAuthenticator, to set up a single repository for user credentials.
In the age of data breaches, sometimes a password alone may not be secure enough. When necessary, you can add an additional step to the sign-in process and use two-factor authentication.
Two-factor authentication combines something a user knows (their password) with something they have (an app or device that generates a temporary code, such as FortiToken). This makes it less likely that stolen user credentials can be used successfully, as an attacker would need both parts in order to sign in.
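To make the second factor concrete, here is an added example (not code from the original post or from Fortinet) of how a time-based one-time code is generated and then checked alongside a password. It assumes the token uses the standard RFC 6238 algorithm (HMAC-SHA1, 30-second steps, 6 digits), which is what most OATH-compatible hardware and app tokens implement; the user record, salt handling and secret are constructed for the demo, and the password hash is a plain salted SHA-256 standing in for the slow hash (bcrypt, argon2) a real credential store would use.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const timeStep = 30 // seconds per TOTP time step (RFC 6238 default)

// totpCode computes the RFC 6238 code for the given Unix time: an HMAC-SHA1
// over the time-step counter, truncated to the requested number of digits.
func totpCode(secret []byte, unixTime int64, digits int) string {
	counter := make([]byte, 8)
	binary.BigEndian.PutUint64(counter, uint64(unixTime/timeStep))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter)
	sum := mac.Sum(nil)
	// Dynamic truncation (RFC 4226 section 5.3): take 31 bits at an offset
	// chosen by the last nibble of the HMAC, then keep the low digits.
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// user is a constructed credential record for the example. A real store
// would hold a slow, salted password hash, not a plain SHA-256.
type user struct {
	salt         []byte
	passwordHash []byte
	totpSecret   []byte // the secret shared with the user's token
	lastStep     int64  // newest time step already accepted (replay guard)
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

func newUser(password string, totpSecret []byte) *user {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return &user{salt: salt, passwordHash: hashPassword(salt, password), totpSecret: totpSecret}
}

// verifyLogin checks both factors: the password (something the user knows)
// and the one-time code (something the user has). The code is accepted for
// the current step and one step either side to tolerate clock drift, but a
// step that has already been used is never accepted again.
func verifyLogin(u *user, password, code string, now int64) bool {
	if subtle.ConstantTimeCompare(hashPassword(u.salt, password), u.passwordHash) != 1 {
		return false
	}
	for _, skew := range []int64{0, -1, 1} {
		t := now + skew*timeStep
		step := t / timeStep
		if step <= u.lastStep {
			continue // already consumed: a captured code cannot be replayed
		}
		if subtle.ConstantTimeCompare([]byte(totpCode(u.totpSecret, t, 6)), []byte(code)) == 1 {
			u.lastStep = step
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // constructed demo secret (the RFC 6238 test key)
	u := newUser("correct horse battery staple", secret)
	now := time.Now().Unix()
	code := totpCode(secret, now, 6) // what the user's token would display right now
	fmt.Println("code:", code, "login ok:", verifyLogin(u, "correct horse battery staple", code, now))
	fmt.Println("same code again accepted:", verifyLogin(u, "correct horse battery staple", code, now))
}
```

The replay guard is the part most home-grown implementations forget: without it a code captured in transit remains usable for the rest of its 30-second window (and for the drift window either side), which defeats much of the benefit of adding the second factor.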
In certificate authentication, the same certificate must be installed on the FortiGate and on a user’s device. Each user should have a unique user certificate for authenticating, so that changes can be made on a user-by-user basis.
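The following is an added example, not code from the original post or from Fortinet, showing the check that the gateway side of certificate authentication amounts to: the presented user certificate must chain to the CA the gateway trusts, must be usable for client authentication, and must not have been revoked. Because every user has a unique certificate (and serial number), one user can be cut off without affecting anyone else, which is the per-user control the paragraph above refers to. The CA name, usernames and serial numbers are constructed, and the CA is generated in memory purely so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a self-signed CA certificate that will sign user certificates.
// In a real deployment the gateway holds this CA certificate; here it is
// generated in memory for the example.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a certificate for one user (or service) with the CA. Each
// certificate gets its own serial number so it can be revoked individually.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, commonName string, serial int64, eku x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// authenticatedUser is the gateway-side check on a presented certificate: it
// must chain to a trusted CA, be valid for client authentication, and not be
// on the revoked list (keyed by serial number). On success the username is
// taken from the certificate subject.
func authenticatedUser(presented *x509.Certificate, trusted *x509.CertPool, revoked map[string]bool) (string, error) {
	if _, err := presented.Verify(x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", err
	}
	if revoked[presented.SerialNumber.String()] {
		return "", errors.New("certificate revoked")
	}
	return presented.Subject.CommonName, nil
}

func main() {
	ca, caKey, err := newCA("Example Corp User CA") // constructed name
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	alice, _, err := issueLeaf(ca, caKey, "alice", 1001, x509.ExtKeyUsageClientAuth)
	if err != nil {
		panic(err)
	}
	name, err := authenticatedUser(alice, trusted, nil)
	fmt.Println("user:", name, "err:", err)
	revoked := map[string]bool{alice.SerialNumber.String(): true}
	_, err = authenticatedUser(alice, trusted, revoked)
	fmt.Println("after revoking alice's certificate:", err)
}
```

Two details are worth noticing. A certificate whose issuer merely has the same name as the trusted CA fails, because the chain is verified by signature rather than by name. And a certificate issued by the right CA but for server use fails too, because the extended key usage is checked: possessing any certificate from the CA is not the same as holding a user certificate.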
While the following recipe doesn’t actually involve using certificate authentication (though there is at least one recipe for that currently in the works), it does show how to get a CA-signed certificate, which you can use for authentication, onto your FortiGate. For more information about certificate authentication, please refer to the resources listed at the end of this article.
Requesting and installing CA certificates
If your network includes a number of resources that all require user authentication, you may want to look into using Single Sign-On (SSO). SSO allows users to enter their credentials only once. This information is then saved and automatically re-used if additional authentication is required.
As you can imagine, authentication is a topic that is full of options and variations and we’ve only just scratched the surface. For more information, check out the following resources: