FortiGate Virtual Machine

Network security layer for IEC 61850 substations

Introduction

Increasingly complex applications are realized on virtualization host platforms that carry multiple virtual machines. To secure their communication, hardware-based firewalls are installed in addition to the virtualization hosts. Such firewalls can only monitor and control the traffic that enters or leaves the virtualization host's physical Ethernet interfaces.

Each virtual machine in such an environment has its own specific task, and therefore its own requirements regarding communication protocols and services. With a firewall that can only monitor and control traffic passing through the host system's interfaces, it is impossible to define rules for the specific traffic of each individual virtual machine. The permitted protocols and services can only be defined for the external interfaces, which in most cases are shared by several virtual machines. Furthermore, traffic between the virtual machines inside the virtual environment never reaches the external firewall and cannot be controlled on a protocol or service basis at all.

We therefore extend the virtualization host system with a specialized firewall-based security layer inside the virtual environment, so that traffic can be controlled and monitored per virtual machine and per service.

Realization

A FortiGate-VM appliance installed in a virtualized environment on a Welotec RSAPC is used to monitor and control the entire network-based communication of the host.

We want to prove that the virtualized firewall is capable of controlling the network communication in the following areas:

1. Virtual machine <-> External networks attached to the host system's Ethernet ports (e.g. Internet access)
2. Virtual machine <-> Virtual machine
3. Virtual machine <-> Host system (applications)
4. Host system <-> External networks attached to the host system's Ethernet ports (e.g. Internet access)
5. External devices <-> External devices (the role of a traditional hardware-based firewall)
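To make concrete what "per virtual machine, per service" control means for areas 1 and 2, the following FortiOS CLI fragment is an added example written for this page; it is not configuration from the original document, from Fortinet or from Welotec. It assumes that port1 of the FortiGate-VM faces the external substation LAN with the IEDs, that port2 and port3 are attached to separate virtual switches carrying a SCADA gateway VM and an engineering VM respectively, and that the addresses 10.10.1.10, 10.10.2.10 and 192.168.100.0/24 are placeholders. IEC 61850 MMS runs over ISO-TSAP on TCP port 102, which is what the custom service below describes.

```fortios
# Added example, not part of the original page. Interface names, addresses
# and policy names are assumptions chosen for illustration.
config firewall service custom
    edit "IEC61850-MMS"
        set comment "ISO-TSAP / MMS (IEC 61850-8-1) on TCP 102"
        set tcp-portrange 102
    next
end

config firewall address
    edit "VM1-gateway"
        set subnet 10.10.1.10 255.255.255.255
    next
    edit "VM2-engineering"
        set subnet 10.10.2.10 255.255.255.255
    next
    edit "IED-bay1"
        set subnet 192.168.100.0 255.255.255.0
    next
end

config firewall policy
    # Area 1: only the gateway VM may reach the IEDs, and only with MMS.
    edit 1
        set name "VM1-to-IED-MMS"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "VM1-gateway"
        set dstaddr "IED-bay1"
        set action accept
        set schedule "always"
        set service "IEC61850-MMS"
        set logtraffic all
    next
    # Area 2: VM-to-VM traffic is restricted to SSH from the engineering VM
    # to the gateway VM; any other inter-VM traffic hits the implicit deny.
    edit 2
        set name "VM2-to-VM1-SSH"
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "VM2-engineering"
        set dstaddr "VM1-gateway"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
    # Explicit, logged deny so that attempts by the engineering VM to reach
    # the substation LAN show up in the traffic log instead of being dropped silently.
    edit 3
        set name "VM2-to-IED-deny"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "VM2-engineering"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Two points a practitioner should keep in mind. First, this only works if each virtual machine sits on its own virtual switch (or VLAN) behind a dedicated FortiGate-VM interface; if two VMs share one virtual switch, their mutual traffic never passes the firewall, which is exactly the limitation of the external hardware firewall described above, just moved inside the host. Second, IEC 61850 GOOSE and Sampled Values are layer-2 Ethernet frames, not IP traffic, so IP policies like the ones above do not govern them; that traffic needs a separate layer-2 design.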
