FortiGate Antivirus Firewall Overview

Upload: ralph-mitchell

Post on 11-Jan-2016

Fortinet Technologies

Network Security

Network security can be viewed from three perspectives:

controlling access to the inside of the network from outside the network

controlling access to the outside of the network from inside the network

controlling access between networks

The Nature of the Threat Has Evolved…

Fueling an Explosion of Point “Solutions”

FortiGate Antivirus Firewall

Network-level Services
- Firewall
- Intrusion prevention and detection
- VPN
- Traffic shaping

Application-level Services
- Firewall
- Intrusion prevention and detection
- Virus protection
- Content filtering for web connections and email

Secure Installation, Configuration, and Management

Secure management of your FortiGate unit can be assured in a number of ways:
- IP/MAC binding
- HTTPS for browser connections
- SSH for command line connections (up to a maximum of 5 connections)
- individual management accounts
  - separate user names and passwords
  - read-only
  - write-only

Web-based Manager

- HTTP or HTTPS
- Web browser
  - Windows
  - Mac
  - Linux
- Configure and monitor a FortiGate unit
- Configuration changes effective immediately
- Download, save, and restore configurations

Command Line Interface

- Serial port
  - RS232
- Network
  - Telnet
  - SSH
- Same configuration capabilities as the web-based manager
- Advanced configuration capabilities

Firewall

set of related programs located at a network gateway server

protects the resources of a private network from users on other networks

NAT/Route and Transparent Modes

NAT/Route mode
- the FortiGate unit is visible to the network
- all interfaces are on different subnets
- policies control communications through the unit
- the FortiGate unit acts as a gateway between private and public networks

Transparent mode
- the FortiGate unit is invisible to the network
- policies control communications through the unit

NAT/Route Mode

Hide your internal addressing scheme behind a firewall

Transparent Mode

The firewall acts as a bridge and requires an IP address for management and updates

The FortiGate unit is invisible to the network

Firewall Problem!

Antivirus Protection

Antivirus protection falls under two categories:
- host-based
  - a class of program that searches your hard drive or floppy disks for any known or potential viruses
- network-based
  - resides on a server and has certain traffic at the gateway directed to it for antivirus scanning

Your FortiGate antivirus firewall identifies and blocks viruses at the network’s edge

Web Content Filtering

Control network usage by blocking access to
- categories of web sites (URL, FortiGuard)
- particular web sites (URL)
- any page that contains banned words or phrases

Systems are policy-based
- can associate a user or group of users with a list of prohibited URLs
- can block by time of day, keeping working hours more productive

Script filter to block Java Applets, cookies, and ActiveX

Spam Filtering

Scans IMAP, POP3, and SMTP content

Blocks
- IP addresses
- Email addresses
- MIME headers
- Banned words and phrases

Checks RBL and ORDBL
- SMTP, POP3, IMAP

Exempt lists to override block lists

Intrusion Prevention System (IPS)

- real-time network intrusion detection sensor
- attack signatures block more than 1400 attacks
- user-defined signatures
- configurable thresholds
- policy-based

Static Routing

Configure routing to add static routes to control the destination of traffic exiting the FortiGate unit

Configure routes by adding destination IP addresses and netmasks and adding gateways for these destination addresses

Policy Routing

Policy routing extends the functions of destination routing by routing traffic based on:
- destination address
- source address
- protocol, service type, or port range
- incoming interface IP address

Routing table independent

Routing Information Protocol (RIP)

- distance-vector routing protocol
- FortiGate implementation supports both RIP v1 (RFC 1058) and RIP v2 (RFC 2453)
- RIP
  - uses hop count as its routing metric where each network is usually counted as one hop
  - network diameter is limited to 15 hops
- RIP v2
  - enables RIP messages to carry more information
  - supports simple authentication and subnet masks
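An added example (not part of the original slides): a minimal RIP message parser showing the points above, namely hop-count metrics where 16 marks an unreachable route (hence the 15-hop diameter) and the RIP v2 subnet mask and simple-authentication fields. The packet is constructed lab data, `parse_rip` and `sample_response` are names chosen here, and the finding that simple authentication carries its password in plaintext comes from RFC 2453 rather than from the slide.

```python
import ipaddress
import struct

RIP_INFINITY = 16      # metric 16 = unreachable, so usable paths are 1-15 hops
AUTH_AFI = 0xFFFF      # address family that marks a RIP v2 authentication entry
SIMPLE_PASSWORD = 2    # authentication type 2: 16-byte plaintext password


def parse_rip(packet: bytes) -> dict:
    """Parse a RIP v1/v2 message; return header fields, routes and findings."""
    if len(packet) < 4 or (len(packet) - 4) % 20:
        raise ValueError("expected a 4-byte header plus 20-byte entries")
    command, version, _ = struct.unpack("!BBH", packet[:4])
    out = {"command": command, "version": version, "routes": [], "findings": []}
    authenticated = False
    for off in range(4, len(packet), 20):
        afi, tag = struct.unpack("!HH", packet[off:off + 4])
        if version == 2 and afi == AUTH_AFI:
            authenticated = True
            if tag == SIMPLE_PASSWORD:
                out["findings"].append("simple authentication: password is in cleartext")
            continue
        addr, mask, _hop, metric = struct.unpack("!4s4s4sI", packet[off + 4:off + 20])
        if not 1 <= metric <= RIP_INFINITY:
            raise ValueError(f"metric {metric} is outside 1-16")
        dest = str(ipaddress.ip_address(addr))
        if version == 2:  # only RIP v2 entries carry a subnet mask
            dest = str(ipaddress.ip_network(f"{dest}/{ipaddress.ip_address(mask)}", strict=False))
        out["routes"].append({"dest": dest, "hops": metric, "reachable": metric < RIP_INFINITY})
    if not authenticated:
        out["findings"].append("no authentication entry: updates are unauthenticated")
    return out


def sample_response() -> bytes:
    """Constructed RIP v2 response: password entry plus two routes (lab values)."""
    pkt = struct.pack("!BBH", 2, 2, 0)
    pkt += struct.pack("!HH16s", AUTH_AFI, SIMPLE_PASSWORD, b"lab-password")
    for net, mask, metric in (("10.1.0.0", "255.255.0.0", 3), ("192.168.50.0", "255.255.255.0", 16)):
        pkt += struct.pack("!HH4s4s4sI", 2, 0, ipaddress.ip_address(net).packed,
                           ipaddress.ip_address(mask).packed, bytes(4), metric)
    return pkt


if __name__ == "__main__":
    print(parse_rip(sample_response()))
```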

VLANs

- Highly flexible, efficient network segmentation
- Supported on models 60 and higher
- IEEE 802.1Q
- Segregate devices logically instead of physically by adding 802.1Q VLAN tags to all packets sent and received by the devices
- A single FortiGate unit can provide security services and control connections between multiple security domains
- NAT/Route and Transparent modes

Virtual Domains

- ease of management
- lower costs – one system with multiple firewalls
- each virtual domain functions like a single FortiGate unit
- exclusive firewall and routing services to multiple networks
- traffic from each network is effectively separated from every other network
- packets never cross virtual domain borders
- NAT/Route and Transparent modes

Virtual Private Networks (VPN)

a private data network that uses the public telecommunication infrastructure

maintains privacy through the use of a tunneling protocol and security procedures

VPN

The FortiGate unit supports the following types of VPN:
- PPTP and L2TP
- IPSec
  - NAT traversal
  - DPD
  - IPSec redundancy
  - site-to-site tunnels
  - Hub and spoke topology
  - DHCP over IPSec

High Availability

provides fail-over between two or more FortiGate units

provides fail-over between links achieved using redundant hardware

matching FortiGate models running in NAT/Route mode

FortiGate units can be configured for either active-passive (A-P) or active-active (A-A)

supported on FortiGate models 60 and higher

Logging and Reporting

The FortiGate unit supports logging for various categories of traffic and configuration changes

You can configure logging to report:
- traffic that connects to the firewall
- network services used
- traffic that was permitted by firewall policies
- traffic that was denied by firewall policies
- events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks, and web page blocking
- attacks detected by the IPS
- virus incidents, intrusions, and firewall or VPN events or violations to system administrators using alert email

Updates and Support

antivirus and anomaly definitions are updated regularly

your FortiGate unit can be configured to:
- accept push updates from the FortiResponse Distribution Network (FDN)
- check the FDN regularly for updates following a schedule

FortiProtect Bulletins

emailed whenever updates are made to the antivirus or IPS databases

specifies the latest release numbers so you can confirm your FortiGate unit is up to date

distributed free of charge

sign up at www.fortinet.com

Online Help

Online help is available through the web-based manager screens

Access help through:
- contents
- index
- search

Documentation

In addition to online help, Fortinet offers a number of publications to assist you in maximizing the effectiveness of your FortiGate unit

Most of these publications are on the CD accompanying your FortiGate unit