Month: September 2020

VPLS Forigate Banner 1200x628

FortiGate SSL VPN Certificate Vulnerability

Blog Post / By
Return to the VPLS Blog

FortiGate SSL VPN Certificate Vulnerability

Published

Written by

Filed under

A new article detailing an SSL VPN certificate vulnerability in FortiGate firewalls is making its rounds in cybersecurity circles. The article details how a FortiGate, if left with its default settings, could allow a man-in-the-middle attack to take place for SSL VPN users.

The article mentions that potentially 200,000 FortiGates are deployed in the wild with the “major security flaw” that this attack exploits.

Fortinet’s response is that they already provide a warning to IT administrators not to use this default configuration, so they will take no action on their part at this time. As of this blog post, no unique CVE number has been assigned to this vulnerability, and the article itself has drawn criticism for reporting as new an already well-known vulnerability that applies to this default configuration.

ForiGate Settings 591x381

If you are using the default, self-signed certificate for your SSL VPN as shown in the photo above, VPLS recommends purchasing and installing a valid SSL certificate to use for the SSL VPN to mitigate this vulnerability.

Please reach out to us if you would like more information on if this vulnerability applies to your environment and what mitigation steps are required.

Additionally, VPLS would be happy to assist you with the mitigation steps mentioned above, including assistance with purchasing and installing a valid SSL certificate for your VPN, for a $500 flat fee.

Read More from this Author

John Headley
John Headley, CISSP and Fortinet NSE8 #003155, is a Senior Security Engineer at VPLS where he splits his time between both pre-sales and post-sales engagements. His expertise is in security architecture and engineering, security assessment and compliance, and security operations. During his time at VPLS, he has led many security-related professional services projects, including a 35-location international firewall deployment for a publicly-traded social media company.
More from this Author

If you enjoyed this article, you'll probably like:

VPLS SD-WAN Banner 1200x628

Secure SD-WAN for Multi-Cloud & Hybrid Cloud Environments

Blog Post / By
Return to the VPLS Blog

Secure SD-WAN for Multi-Cloud & Hybrid Cloud Environments

Published

Written by

Filed under

The Current State of Multi-Cloud & Hybrid Cloud

The current state of multi-cloud and hybrid cloud can be quickly summarized with these statistics from Flexera:

  • Enterprises have almost entirely embraced multi-cloud
  • 93% of respondents reported having a multi-cloud strategy
  • 87% are taking a hybrid approach, combining the use of both public and private clouds
  • On average, respondents use 2.2 public and 2.2 private clouds

And these numbers from Flexera are not unique. Businesses are rapidly embracing multi-cloud and hybrid cloud environments because of their flexibility. They allow organizations to avoid vendor lock-in and leverage the best and/or most cost-effective cloud services available for a given business need.

However, while businesses are eager to take advantage of the flexibility a multi-cloud or hybrid cloud environment can offer, providing a consistent user experience to cloud environments over an Internet connection can feel like an uphill battle. Much of the connectivity path will be out of your control, and often riddled with many latency-inducing hops.

In addition, securely connecting workloads together between multiple clouds, as well as connecting your on-prem data center and office to these cloud environments, can be complex. Even if you have the staff with cloud networking and security expertise, the lack of end-to-end visibility and centralized management across multiple cloud environments increases the risk of breaches, data loss, and compliance penalties.

Cloud On-Ramps & VPLS CloudHop™

Cloud on-ramps directly address the need for a consistent user experience by bypassing the Internet and instead providing your users with a high speed, low latency connection to a cloud provider. Services like Direct Connect from AWS and ExpressRoute from Azure allow a business, via a service provider like VPLS, to establish these direct links to their cloud environments, bypassing the many hops it would normally take to reach that cloud via the Internet. This dedicated link guarantees a reliable, consistent experience for users and their cloud assets.

However, with multi-cloud architectures, establishing and managing all of these cloud on-ramps can be an administrative burden. In addition, the more cloud on-ramps you have, the less ROI each of these direct links provide. VPLS CloudHop™ solves these challenges by having VPLS do the administrative legwork to maintain these direct links with the cloud providers. Instead, we just provide your business a single, cost-effective connection point that can be provisioned to connect to any and all major public cloud providers.

Combine CloudHop™ with Internet or Ethernet Transport services from VPLS, and we can extend your multi-cloud environment all the way back your offices and existing data centers.

Intelligent Path Selection & Path Redundancy with Secure SD-WAN

Although cloud on-ramps with VPLS CloudHop™ and VPLS Internet and/or Ethernet Transport services will provide the best user experience for your business’ multi-cloud and hybrid cloud environments, there is a possibility that not all of your cloud workloads need this level of performance.

With VPLS’s Managed Secure SD-WAN service, all possible paths become part of a unified SD-WAN “overlay” network, and each path is measured for the current latency, jitter, and packet loss. SD-WAN then, in real-time, can intelligently route traffic across the links that meet your defined SLA for that specific application or traffic flow. VPLS’s Managed Secure SD-WAN service is application aware, powered by a database of known applications, but also supporting custom application signatures. This means traffic can be identified and steered very granularly, but without requiring complex rules to do so.

Multi-Cloud SD-WAN 1282x653

If more than one path meets your SLA, rules can be engineered to favor one link, or load balance traffic across multiple links. This allows you to provision and use a dedicated cloud on-ramp with just the right bandwidth requirements for critical workloads and use the lower cost path over the Internet only when it is performing up to the mark.

All SD-WAN endpoints can be centrally managed and orchestrated in a “single pane of glass”, giving you end-to-end actionable visibility across all cloud environments. With deep cloud-native integrations, VPLS’ Managed Secure SD-WAN service not only provides the performance that you need in multi-cloud and hybrid cloud architectures, but also provides advanced, industry-leading prevention and detection capabilities as your cloud next-gen firewall.

Optimize Your Multi-Cloud and Hybrid Cloud Environments with VPLS

To recap, businesses are rapidly adopting multi-cloud and hybrid cloud environments for their flexibility, but getting blindsided with unnecessary expense, configuration complexities, and unpredictable network performance.

Whether your business is already in this boat, or you are soon to adopt a multi-cloud or hybrid cloud architecture and want to do it right the first time, VPLS can guide your organization to optimize costs, provide a consistent user experience, and secure all of your cloud environments with industry-leading protection managed by a single pane of glass.

With the help of VPLS CloudHop™, our Internet and/or Ethernet Transport services, and our fully-managed Secure SD-WAN-as-a-Service, your business can take charge of this unstoppable industry move towards multi-cloud and hybrid cloud environments, and continue serving your customers in bigger and better ways.

John Headley

Read More from this Author

John Headley
John Headley, CISSP and Fortinet NSE8 #003155, is a Senior Security Engineer at VPLS where he splits his time between both pre-sales and post-sales engagements. His expertise is in security architecture and engineering, security assessment and compliance, and security operations. During his time at VPLS, he has led many security-related professional services projects, including a 35-location international firewall deployment for a publicly-traded social media company.
More from this Author

If you enjoyed this article, you'll probably like:

Enterprise wifi problems

Common Enterprise WiFi Problems and Solutions

Blog Post / By
Return to the VPLS Blog

Common Enterprise WiFi Problems and Solutions

Published

Written by

Filed under

Many organizations frequently experience challenges with their enterprise wifi that, with the right advice, can be resolved in a few simple steps.

Here are some of the most common enterprise wifi problems that the VPLS team has helped our clients solve.

Problem #1

Enterprise Wifi isn't working at my desk even though I'm sitting over it

AP transmit power configuration

In some situations, the Access Point (AP) transmit power is configured too high, which can cause clients to stay connected to an AP while they move further away. When this happens, the client still “sees” their current AP at sufficient signal strength because their device is not roaming properly to the nearest AP.

Use of old legacy rates

Poor wifi can also be caused by using old legacy data rates supported by 802.11b/g. In this case, when a client is further away from the APthey stay connected by having their current data rate change to a lower supported rate. This may also cause another impact on performance which we will discuss in the solution portion of this article. 

Solutions

These solutions can typically be performed on your AP’s management console or wireless LAN controller.

Disable legacy rates

If possible, disable legacy rates. However, when doing so be aware that this may impact clients with older wireless cards. To avoid any issues, check the capabilities of the client first via manufacturer specifications or other resources, and then disable the legacy rates. 

Reduce power on your APs

First, reduce transmit power on your APs and set the 2.4 GHz radio to a lower power level than the 5 GHz radio. This will help clients roam more effectively and let clients find the preferred 5 GHz band where less congested airtime is available. Afterward, remember to validate that this does not cause coverage holes for your clients. 

Problem #2

Enterprise Wifi access is slow even with full bars

Slow legacy data rates

Along with roaming issues, legacy 802.11b/g data rates can cause slow performance on a wireless LAN. Unlike wired, switch networks, wifi is a shared medium and requires that a client wait until the medium is available before it can transmit. In the wireless world, this is known as the Clear Channel Assessment (CCA) process. 

Every client on a wifi network performs this before transmitting data over the air. If a client is connected at slower 802.11b/g data rates, it requires more airtime to transmit data, causing slower performance. A good analogy is when you are on a multi-party conference call. Each party takes turns to speak, waiting for an opportunity to talk. A client communicating at 802.11b speeds is the equivalent of someone speaking very, very slowly. Until that party finishes talking, no one else can talk. The same is true in wifi. 

APs are on the same channel

Access Points located near each other may be set to the same channel, causing co-channel interference (CCI). In this case, clients will contend for available airtime on adjacent APs because they are both configured on the same channel.

AP is at max capacity

If your wifi is slow, it may indicate a capacity issue where too many clients are associated with an AP in each area. Often, access points are not located in high-density client areas like conference rooms, lobby, or employee break rooms. Therefore, in areas where large numbers of clients are located, such as in an open office floor plan, more access points may be needed to provide enough service.

Solutions

Disable legacy rates

Disable legacy rates, as previously mentioned. 

Adjust or re-configure the APs

Adjust or re-configure the channels on the APs so that they do not overlap.

Install or move APs

 Install or move APs in areas of high client density.  Additional APs may be required. 

Is your organization facing any of these issues?  Do you need assistance in applying the solutions described above?  VPLS can assist with troubleshooting and resolving these issues.  We have experienced and trained professionals who can address your wireless LAN needs, including wireless LAN design, site surveys, and assessments.

Read More from this Author

Jericho Gutierrez
Jericho Gutierrez is a Senior Wireless Engineer at VPLS, where he provides wireless support for enterprise wireless environments. Connect with Jericho on LinkedIn or email your feedback to [email protected].
More from this Author

If you enjoyed this article, you'll probably like:

Scroll to Top