Why Network Segmentation Is So Important - FortiGate DMZ

  • Published 7 Nov 2024

COMMENTS • 14

  • @pace1134
    @pace1134 4 years ago +3

    Nice job and simple explanation, can’t wait to see the configuration video

  • @haraldk6828
    @haraldk6828 4 years ago +5

    Nice video! It would be cool to see a follow-up on securing traffic within VLANs/subnets as well. PVLAN or Access-VLAN as Fortinet calls it.

  • @foxxrider250r
    @foxxrider250r 2 years ago

    Nice video. How would you handle traffic when the 10 subnet needs to access the website? Would they have to go out to the web and back into the website from the outside? I saw your other comment about middle men DMZs

  • @Dawnofthedead001
    @Dawnofthedead001 2 years ago

    Makes sense very good.

  • @blissfulrelaxation2152
    @blissfulrelaxation2152 2 years ago +1

    I see that Auburn Shirt! Great videos btw - thank you for all of the information #RollTide ;)

  • @LucPaulin
    @LucPaulin 4 years ago +2

    You're right, in the best world the DMZ wouldn't have access to the LAN. However, in reality that server in the DMZ requires access to resources on the LAN (database, authentication server, ...), so frequently you have to open ports to the LAN. But at least it doesn't allow access to the whole resource on the LAN.

    • @FortinetGuru
      @FortinetGuru 4 years ago +4

      That is where the middle men DMZs come in, where you place read-only LDAP servers that have their configs pushed to them from the inside. A lot of ways to skin the cat. There are means of providing the access though. I usually use a public-facing DMZ for the web presence, a DB and Auth DMZ for those resources, and only the DB or auth could potentially reach in (though usually it's the other way around and internal goes into those via read-only AD etc.).
      At the end of our day though we are just trying to make the workload necessary to exploit a resource more than the value of the resource to the malicious actor.
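
The layout FortinetGuru describes above (a public web DMZ, a separate DB/Auth DMZ that the inside pushes data into, and no DMZ-initiated path into the LAN) expressed as FortiOS firewall policies. This is an added example, not configuration from the video; the interface names (lan, dmz-web, dmz-db), the host addresses and the policy IDs are assumptions.

```fortios
# Added example; interface names, addresses and policy IDs are assumptions.
config firewall address
    edit "WEB01"
        set subnet 10.20.0.10 255.255.255.255
    next
    edit "DB01"
        set subnet 10.30.0.10 255.255.255.255
    next
    edit "LDAP-RO01"
        set subnet 10.30.0.20 255.255.255.255
    next
end
config firewall policy
    # Web tier reaches the DB tier only for this host and only on the DB port.
    edit 10
        set name "WebDMZ-to-DbDMZ-SQL"
        set srcintf "dmz-web"
        set dstintf "dmz-db"
        set srcaddr "WEB01"
        set dstaddr "DB01"
        set action accept
        set schedule "always"
        set service "MYSQL"
        set logtraffic all
    next
    # The inside pushes directory data to the read-only replica: LAN -> DMZ only.
    edit 11
        set name "LAN-to-DbDMZ-LDAPS"
        set srcintf "lan"
        set dstintf "dmz-db"
        set srcaddr "all"
        set dstaddr "LDAP-RO01"
        set action accept
        set schedule "always"
        set service "LDAPS"
        set logtraffic all
    next
    # Explicit, logged deny for DMZ -> LAN (the implicit deny does not log by default).
    edit 12
        set name "DMZ-to-LAN-Deny"
        set srcintf "dmz-web" "dmz-db"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Because FortiGate evaluates policies top to bottom, the explicit deny should sit below the two accept policies; its only job is to make any DMZ-to-LAN attempt visible in the traffic log.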

  • @Dawnofthedead001
    @Dawnofthedead001 2 years ago

    That is Architypetecture! :)

  • @fredwh09
    @fredwh09 3 years ago

    Great video! I do have a question. At the end of the video you said to put the web server and DB on two separate DMZs. Say the web server is compromised and the hacker is able to get the connection string the web server uses to talk to the DB; do separate DMZs help to make the bad guy's life harder in that case?

    • @FortinetGuru
      @FortinetGuru 3 years ago

      More steps and hoops to jump through. If they want it bad enough they will eventually make it through. The time investment you have to increase to make them move on.

  • @Mark-cw6wb
    @Mark-cw6wb 4 years ago +2

    Thank you.

  • @phillipdesuze1801
    @phillipdesuze1801 3 years ago

    How do you achieve this with Hyper-Converged Infrastructure?

    • @FortinetGuru
      @FortinetGuru 3 years ago

      You are going to either run NSX / VMX configuration or trunk vlans up to the firewall.

    • @phillipdesuze1801
      @phillipdesuze1801 3 years ago

      @FortinetGuru If I'm not using a VMware-based hypervisor?