We have recently undergone a network topology change and reduction of onsite equipment and infrastructure. What we have in place now:
HPE switching: all L2, as most L3 is handed off to the Fortigates
Fortigate: handles DHCP, DNS for some VLANs, firewall, and L3 routing duties (for all VLANs). At our largest campus this is a 100E unit, at our other two campuses it’s 30E’s. Site-to-site VPN is configured between sites. We have a consistent VLAN and subnetting strategy (10.campus.vlid.client in /24’s for ‘private’, and each campus has a 172.16.x.x/22 for guest)
PBX: only at the main site. SIP phones at other sites use the site-to-site vpn
Print Server: Each campus has a print server (Windows Server 2019) that also runs the appropriate PaperCut roles: Print Provider & Mobility Print Server. The smaller campuses are ‘site servers’ in PaperCut terminology. The largest campus handles Application Server responsibilities and Web Print server responsibilities also
Azure: There is a site-site VPN between the fortigate(s) and azure. It’s architected by our IT Services MSP.
NVR server: Blue Iris for security cameras (all at the main campus)
87% of clients are ChromeOS, 12% are MacOS (MDM managed), and 1% are Windows (AzureAD + Intune managed)
Challenge I’m thinking through:
We’re not running significant DNS server structures internally. What the fortigate is capable of is all we have (or really want at this point)
I have some systems I trust (such as the PBX) to use standard port forwarding and NAT for providing access to the system when someone is offsite
I would prefer that access to the PaperCut user portal “just works”. However, that (realistically) means exposing it in some way, shape or form externally.
I’m not sure I trust the security of the PaperCut MF system as much as I would Fortigate/Windows/PBX. I believe it runs some version of Java for its web server, but it only gets updated after our copiers are certified (which sometimes takes a long time).
Is something like a basic reverse proxy an easy way to expose services (such as PaperCut MF) while not taking stupid risks? My googling says that Fortigates can often do this for you to a certain extent.
Other suggestions on how to enable access for the PaperCut portal, but not make unnecessary security risks?
I wouldn’t mind having a ‘better security’ solution I can throw in front of things that need some kind of external accessibility but are out of the norm (like PaperCut and the NVR server)
We’re trying to do as many things as we can that are ZeroTrust/BeyondCorp style (reasonably)
So, this is a relatively complicated answer but here goes…
A reverse proxy will protect you from protocol-level attacks - things like double headers, SYN floods, etc. A web application firewall (WAF) will protect you from application-level attacks (like Struts vulnerabilities, SQL injection, etc.). There are good WAFs and cheap WAFs, and never shall the two meet. Your FortiGate does have a basic WAF available (see the Fortinet Cookbook for FortiGate / FortiOS 5.4.0), but for TLS-protected applications I found configuring it to be quite difficult (this config will need to be stacked with a reverse proxy load balancing configuration with TLS offload so the FortiGate can see the clear-text version of the traffic; see the SSL/TLS offloading documentation).
There are plenty of other vendors out there, but without a pretty significant (time and money) investment it’s probably unlikely you’ll get better protection. That said, at the end of the day you do have to decide “do I trust this application enough to be Internet facing?” Security tools exist to mitigate risk, but they don’t eliminate it.
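To make the reverse-proxy-plus-TLS-offload part of that concrete, here is an added example of a minimal nginx front end for the PaperCut user portal. It is not from this thread, PaperCut or Fortinet; it assumes a constructed backend address of 10.1.20.10, that the PaperCut web interface listens on 9192 (HTTPS), and that the user portal lives under /user while the admin console and web-services endpoints live under /admin and /rpc.

```nginx
# Added example (not from the thread). A TLS-terminating reverse proxy that
# publishes ONLY the PaperCut user portal and refuses everything else. This
# gives protocol-level protection and path restriction; it is not a WAF.
http {
    # Per-client rate limit so the login form cannot be hammered from one address.
    limit_req_zone $binary_remote_addr zone=portal:10m rate=10r/s;

    server {
        listen 443 ssl;
        server_name print.example.org;                 # placeholder hostname

        ssl_certificate     /etc/nginx/tls/print.crt;  # public cert for the proxy
        ssl_certificate_key /etc/nginx/tls/print.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        # Never publish the admin console or web-services endpoints (assumed paths).
        location ~ ^/(admin|rpc) {
            return 404;
        }

        # Only the user portal is forwarded to the PaperCut server.
        location /user {
            limit_req zone=portal burst=20 nodelay;
            proxy_pass https://10.1.20.10:9192;        # constructed backend address
            proxy_ssl_verify off;                      # backend uses a self-signed cert (assumption)
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_read_timeout 30s;
            client_max_body_size 1m;                   # portal forms only, no large uploads
        }

        # Everything else, including the bare root, is refused.
        location / {
            return 404;
        }
    }
}
```

Because the proxy holds the clear-text request, a WAF (the FortiGate's or another) can be stacked in front of or inside it, which is the "stacked" configuration described above.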
Since you mention Azure - have you looked at the Azure App Proxy? Relatively lightweight, stupid simple service you install internally on some Windows device and then it can reverse proxy to other systems. No port forwarding/NAT/etc required at all. Magic. You can even load your SSL cert up in Azure and secure the entire path.
Not familiar w/ scale, etc. for other applications
Standard port-forwarding/NAT/firewall topology, exposing the Papercut server (or other systems) to the general web
Definitely not as robust as other options (not ‘identity aware’)
Existing knowledge, fast to setup (we already do this for a couple things)
Exposure/security risk is higher?
I have definitely been intrigued by a zero-trust/BeyondCorp style model (which some of these are closer to than others). But at the same time I question what risk is there in exposing via traditional NAT? How much effort is involved in building and maintaining that lower risk model of the zero-trust/BeyondCorp model?
Identity Aware Proxies are definitely “the way of the future” for apps that aren’t built for Internet-direct connectivity. To add to your list, Cloudflare does have a hosted IAP product called “Access” (https://teams.cloudflare.com/access/index.html) at $5/user/month.
Oh, also Cloudflare’s WAF is an additional fee above and beyond the basic free product, I think it’s $20/domain/month for a basic level of protection and more fine-grained protection goes up from there - although the protection never really gets very granular.