With cloud services becoming the norm, more and more users expect to reach their applications and services from anywhere.
From a business point of view the cloud is attractive: infrastructure costs can be significantly lower, and users often get a better experience. Access to infrastructure you own and run yourself is usually tightly controlled from a security point of view.
When it isn't your infrastructure, though, it is hard work keeping up with the vendor so that users can reach the service without simply opening up the firewall. Microsoft, for instance, publishes hundreds of IP ranges, URLs and ports that must be allowed on the firewall for the O365 service to work. These can be found here: https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
The problem is that these change frequently, and if you aren't keeping up, something will eventually break. For the team looking after the firewall this can be a real pain unless you are using a service such as Zscaler, which handles the traffic on its end so you don't have to maintain the IPs/URLs on your own firewall. Details on this can be found here:
The good news is that if you are running Fortinet firewalls, there is a feature that handles this for you. Fortinet call it the Internet Service Database (ISDB); it holds the IP ranges and ports for each vendor service and keeps them up to date for you.
Looking at the Microsoft entries, you can see how many of them are maintained for you.
This helps from a security point of view because a policy can match only the vendor's published IP ranges and ports, rather than wildcarding everything with Web Filters or maintaining IP ranges by hand. There isn't anything wrong with that method, but in my experience it becomes a real drag: more and more requirements come in from the business, and the Web Filter that started small keeps growing. You will also usually have to apply a catch-all block at the bottom of your Web Filter, which causes problems if it isn't done correctly, or if it's applied to your user VLAN and someone moves it further up the list (sequencing). It's happened.....
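As an added example (not taken from the original post or from Fortinet's documentation), this is what a FortiGate policy that matches Office 365 by ISDB entry looks like in the FortiOS CLI. The interface names, the policy ID and the `internet-service-name` syntax (FortiOS 6.2 and later) are assumptions; 5.6 and 6.0 reference the entry by a numeric `internet-service-id` instead, and the `Microsoft-Office365` entry name should be checked against the ISDB list on your own unit (Policy & Objects > Internet Service Database).

```fortios
# Added example: outbound policy that matches Office 365 via the ISDB
# instead of a hand-maintained address group or a wildcard Web Filter.
# "internal", "wan1" and policy ID 10 are assumptions for illustration.
config firewall policy
    edit 10
        set name "Allow-O365-ISDB"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        # internet-service replaces dstaddr and service on this policy:
        # destination IPs and ports come from the database and change with it.
        set internet-service enable
        set internet-service-name "Microsoft-Office365"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
```

Once `internet-service` is enabled on a policy, `dstaddr` and `service` cannot be set on the same policy, which is the point: nobody has to edit the rule when Microsoft adds a range. To confirm the unit is actually receiving updates, `diagnose autoupdate versions` lists the Internet Service Database alongside the other FortiGuard packages with its version and last-update time.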
The potential downside is that you are relying on Fortinet. What if the ISDB were updated incorrectly? You are putting a lot of trust in Fortinet to get these IPs and ports right and not to open unnecessary access. That is something you control when you maintain the list yourself.
It may put you at ease to know that the ISDB is stored locally on the firewall, so if the update service on the Fortinet side were unavailable, users wouldn't be affected. Note that local storage protects against updates not arriving, not against a wrong entry being pushed, so it is worth glancing at the database version after an update. That leaves the risk that the ISDB isn't updated in time after a vendor adds new IPs/URLs; that only affects the new endpoints rather than the whole service, so it's fairly low risk. Below is how often the ISDB is updated:
Version 5.6 – Daily
Version 5.4 – Weekly
Find out more here: https://fortiguard.com/updates/isdb
One thing to note is that it's not all about 'Allow' rules. Fortinet also maintain entries for known malicious IPs, which you can use to protect your environment:
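As an added example (not from the original post), here is the 'block' side of the same idea: an inbound policy that denies traffic from sources the ISDB classifies as malicious, using the source-side ISDB match available in FortiOS 6.2 and later. The interface names, the policy ID and the exact entry names are assumptions; check the names shown in the ISDB list on your own unit before using them.

```fortios
# Added example: deny inbound traffic from ISDB-classified malicious sources.
# "wan1", "dmz", policy ID 11 and the entry names are assumptions.
config firewall policy
    edit 11
        set name "Block-ISDB-Malicious-Inbound"
        set srcintf "wan1"
        set dstintf "dmz"
        # internet-service-src replaces srcaddr: the source IP list comes
        # from the database and is refreshed with it.
        set internet-service-src enable
        set internet-service-src-name "Malicious-Malicious.Server" "Botnet-C&C.Server"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set logtraffic all
    next
end
```

Policies are matched top-down, so this deny rule has to sit above the allow rules for the DMZ; the same sequencing mistake described for the Web Filter applies here. The outbound equivalent (the same entry names with `internet-service enable` as the destination) catches hosts inside the network calling out to a known C&C server.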