fortinet

Fortinet Confidential

Affordable Hi-Class UTM

Ronnachit Bunchoo

Networks Consultant

IT Distribution Co., Ltd.


We Pioneered a New Approach

2

The Fortinet SolutionTraditional Network Security Solutions

• Real-time, integrated security intelligence• ASIC-accelerated performance• Lower total cost of ownership• Easy to deploy / manage / use

• Stand-alone, non-integrated security • Mix of off the shelf systems and applications• Higher total cost of ownership• Difficult to deploy / manage / use


UTM Surpassing Traditional Network Security

3

2008 2009 2010 2011 2012 2013

Firewall & VPNFirewall & VPN

UTMUTM

(-0.5%) CAGR

$2.2

$2.1

$ in billions

13.8% CAGR

$1.7

$3.2

Source: IDC “Worldwide Network Security 2008-2012 Forecast and 2007 Vendor Shares: Transitions – Appliances Are More Than Meets the Eye”


Evolution of Firewall Security

Evolution of Firewall Security

4

Complete Protection


FortiGate: Integrated Architecture

Purpose-Built Hardware

Specialized OS

FirewallFully Integrated Security & Networking Technologies

Hardened Platform

High Performance

Real-Time Protection

Traffic ShapingVPN

SSL Insp

DLP WAN Opt

FortiGuard™ Updates

WLAN Authentication

Support and Services FortiCare™ FortiGuard Labs

AV IPS Antispam

Web Filter

App Ctrl

• Purpose-built to deliver overlapping, complementary security

• Provides both flexibility & defense-in-depth capabilities

Load Balancing

Fortinet Confidential6

Disruptive Technology Platform

ASICs accelerate FortiOS security and network functions

Enables faster performance against competitors

Multiple ASICs targeting key functions

Mature design across FortiASICs

Custom built operating system

Architected for security and networking demands

Leverages custom hardware platform

Mature OS - At version 4.0 MR2 today


FortiASIC Specialized Processors

• FortiASIC Content Processor (CP) Series− Pattern-Match Acceleration− Encryption / Decryption (e.g. IPSec, SSL-TLS)

• FortiASIC Network Processor (NP) Series− Firewall Acceleration− IPSec VPN Acceleration

• FortiASIC Security Processor (SP) Series− Additional IPS Acceleration− Unicast , Multicast Acceleration

7


Firewall

Policy Management•Section & Global View•Session Monitor & Widgets•Policy Objects, Object tagging & Coloring•Traffic counters

NAT•Static NAT, Dynamic NAT Support•Central NAT Table

Traffic Support•SCTP, GTP, ICMP•Session helpers & ALGs

Hardware Acceleration*•High performance across all packet size•Ultra-low latency

Innovative features that allows accurate and effective policy setup

Policy Table

*applicable to supported models


Policy Management

FortiGate as Firewall•Rules = Security policies

− Beyond firewall functionality− Includes optional instructions, eg,

scan for viruses, detect hacker attacks, traffic shaping etc

•Control Traffic when they transverse through the device

− Interfaces, zones (group of interfaces), VLANs and SSIDs segments

Firewall

Policy

SRC DST SRV ACT

Profiles

AV IPS WF MF

DLP VM AppCltrEndpt

Cltr


H/W Acceleration Firewall

CPUMemory

InterfacesInterfaces

1GE 1GE

Legacy Security Gateway Appliances

Packet Flow

CPUMemory

InterfacesInterfaces

1GE 1GE

FortiASIC NP

FortiGate Security Gateway Appliances

Low Latency Wire-Speed

throughput


In-box AV functions

FortiGate as AV Gateway•Network based, no agents required on hosts•Can be proxied or flow based•Signature set options: Normal, Extended, Extreme or Flow*•File Quarantine if Local storage is available

Antivirus

* Features subjected to FortiGate Models


FortiGuard AV Service Antivirus

Fortinet


Why firewall is not enough

http://www.freesurf.com/downloads/Gettysburg

Four score and BAD CONTENT our forefathers brou

ght forth upon this continent a new nation,

n liberty, and dedicated to the proposition that all

STATEFUL INSPECTION FIREWALL

Inspects packet headers Inspects packet headers only – i.e. looks at the only – i.e. looks at the

envelope, but not at envelope, but not at what’s contained insidewhat’s contained inside

Packet “headers” (TO, FROM, Packet “headers” (TO, FROM, TYPE OF DATA, etc.)TYPE OF DATA, etc.)

Packet “payload” (data)Packet “payload” (data)

DATA PACKETSDATA PACKETS

OKOKOK

Not ScannedNot Scanned

OK

Antivirus


Flow-based (Stream-based) Inspection


ght forth upon this continent a new nation,


FLOW-BASED INSPECTION

Performs a packet-by-packet inspection of contentsPerforms a packet-by-packet inspection of contentsBut can easily miss complex attacks that span multiple packetsBut can easily miss complex attacks that span multiple packets

OKOK

OK

UndetectedUndetected

Four score and BAD CONTENT our forefathers brou!

• Fragmentation can hide malicious content

• True security relies on multiple security layers

Antivirus


File-based (Complete Content) Inspection

FILE-BASED INSPECTION

1. Reassemble packets into content

!! !!

BAD CONTENT

BAD CONTENT

NASTY THINGS

NASTIER THINGS

DISALLOWED CONTENT

ATTACK SIGNATURES


Four score and BAD CONTENT our forefathers

brou ght forth upon this continent a new nation,


2. Compare against disallowed content and attack lists

Antivirus


File-based Inspection Requires Enormous Processing Power

19901990 20002000

Email SpamEmail Spam

VirusesViruses

TrojansTrojans

WormsWorms

InappropriateInappropriateWeb ContentWeb Content

PR

OC

ES

SIN

G P

OW

ER

RE

QU

IRE

DP

RO

CE

SS

ING

PO

WE

R R

EQ

UIR

ED

Stateful inspectionStateful inspectionSimpleSimpleIntrusionsIntrusions

Denial of ServiceDenial of ServiceAttacksAttacks

Flow-Flow-basedbasedInspectionInspection

File-basedFile-basedInspectionInspection

19951995 TodayToday

Sophisticated Sophisticated ntrusionsntrusions

11

1010

100100

10001000

Antivirus


Overview IPS

IPS Signatures•Over 7,000+ Signatures•Integrated FortiGuard IPS encyclopedia•Zero-day Threat Protection•Custom Signatures•Signature Filtering•User Quarantine•Packet Logging

DOS Protection•Rate based - set thresholds for various types of network operations

Deployment Options•Sniffer Mode•Bypass Interface & FortiBridge

Low latency, superior coverage and cost/performance integrated IPS

2012 NSS Security Value Map


FortiGuard Service

Zero-Day Research• Reported over 153 vulnerabilities, 124 of which have been disclosed and fixed by the

appropriate vendor(s)

IPS

FortiGuard Center•FortiGuard Encyclopedia – detailed description of known threats•IPS Updates log (RSS Feed)•Vulnerability Advisories•Threat Monitor – Top attacks by geographic breakdowns


IPS/IDS - Signature

19

>> Network <<

>> Content <<

• Signature Update

Automaticaly

IPS


Performance IPS

FortiGate 3240C also beats all IPS competition with Lowest Latency


Anti-SPAM

• FortiGuard Anti-SPAM

21

>> Network <<

>> Content <<


Overview Web Filter

URL Filtering•URL, web content, MIME Filtering•Time usage Quota•Transparent Safe Search•Policy Objects, Object tagging & Coloring•Local Rating & Category•User override option

Proxy Avoidance Prevention•Proxy Service Site blocking•Language translation & Cache blocking•Rate site by IP addresses•Application Control – Proxy avoidance category•IPS proxy behavior detection

…

Web Filtering Block Page


Web Content Filtering – HTTP, HTTPs

>> Network <<

>> Content <<

Web Filter


Web Content Filtering - Manual

24

Web Filter


Overview Application Control

Application Control Sensors•Over 2,400+ Signatures, 19 Categories•Advanced IM control•Application Control Traffic Shaping•SSH Inspection•Custom Signatures

More flexible and fine-grained policy control

Increased security

Deeper visibility into network traffic

FortiGuard Application library


Application Sensor

Ease of use•Select applications using filters or search by application names

Flexibility•Applies different profiles to users, IP, IP range and subnets and their respective destinations on the security policies.

Application Control


What is port “80” inside

27

Application Control


Facebook Control Application Control

Facebook Like Facebook Chat Facebook Post Facebook Apps


User based Policy

User Identity based Security Policies•Assign access policy and profiles to each User Groups or Users•Users/Members of user groups can be define locally or integrate with external services•Result: Each user/usergroup will be assigned with respective access list and UTM Profiles

Policy

SRC

User Group #1

User #1User #2

UTM Profile #1

UTM Profile #2

Service Port #1

Service Port #2

User Identity

DST #1

DST #2


Single Sign-On with NTLM•is used when the MS Windows Active Directory (AD) domain controller can not be contacted•browser-based method of authentication•Option for guest or users with unsupported browsers to bypass NTLM on CLI

11

22

33

User attempts access to network and gets prompted by FortiGate for user credential

User attempts access to network and gets prompted by FortiGate for user credential

Credential information is provided by browserCredential information is provided by browser

FGT queries Windows ADFGT queries Windows AD

SSO User Identity


Radius Accounting message with attribute-value pair that refers to usergroup a user belongs, along with IP address info is forwarded to FortiGate

Radius Accounting message with attribute-value pair that refers to usergroup a user belongs, along with IP address info is forwarded to FortiGate

Users get authenticated by Radius Server (eg. access control)

Users get authenticated by Radius Server (eg. access control)

RSSO User Identity

Single Sign-On with Radius (RSSO)

22FortiGate uses listening agent and maps info to its own context table. When a session enters, it looks up to the table to determine its action based on identity based policies configured

FortiGate uses listening agent and maps info to its own context table. When a session enters, it looks up to the table to determine its action based on identity based policies configured

33

IP, usergroup_xIP, usergroup_x

11


Guest Access

Temporary user Provisioning & Access•Allow non-IT staff to create Guest account via web portal

− Specialized admin-id for guest access management

•Assign Time quota, generate temp password,•Distribute guest credentials by printing, email or SMS•Batch guest users creation option

User Identity


Overview Device Identity

Device Identification•Device & OS Fingerprinting•Device Classification & Management•Contextual Device Information

Device Based Policies•Policies using Device/Device Group

Identify device type to add into contextual information for better visibility

Enforce policies based on device types or devices

Allow organization to embrace BYOD environment securely

Device Group List


Device Identification Device Identity

INTERNETDMZ

FC

FC

Agentless

with Agent


Device Management Device Identity

Device Group Management

Manual add/edit Devices

Status

Connection Information

User Information

Device Definition

Multiple MAC address merge


Traffic Status System Administration

Traffic History Widget•Illustrates traffic usage statistics over time – by sessions or volume•Support drill-down at specific time•Rely on traffic logs on Local Storage


Threat Status System Administration


Network Management

sFlow•monitoring the traffic on the network to identify areas on the network that may impact performance and throughput•sFlow Agent is embedded in the FortiGate unit, sends the sampled traffic to an external 3rd party sFlow Collector/Analyzer. •Available on CLI only

System Administration

3rd Party sFlow Analyzer - sFlow Trend


Overview Routing & Network Services

Routing•Link Redundancy and load balancing•Policy Routing•Dynamic Routing Protocol Support: RIP, BGP, OSPF, IS-IS•Multicast Routing

Interface Features•VLANs, 802.3ad port aggregation, STP, redundant interface, loopback, hardware & Software switch, Security Modes•Sniff/One-arm Mode

Network Services•Content Routing – WCCP and ICAP Support•DHCP & DNS Server

Robust L3 and L2 capabilities to facilitated vast variety of network design and setup requirements

Route Monitor

FortiGuard Network Services•Free NTP, DDNS & DNS service


Link Redundancy

ECMP •Source IP Based (Hash)•Weight-based

− Next-hop based on gateway weight

•Spillover, Usage-based− Next-hop based on traffic to gateway

Routing & Network Services

ECMPECMP


Policy Based Routing

Features:•Policy routes are applied before destination routes•Can be used to create multiple routes to the Internet

− Static load-sharing

•Routing decision can be made from:− Source addresses− Protocol, service type, or port range− Incoming interface− ToS


HTTPHTTP

Other TrafficOther Traffic


WCCP ServerWCCP Server

WCCP ClientWCCP Client

WCCP

Features:•Supports WCCPv1, WCCPv2•L2 and GRE Mode•May operate either as Server of Client (per VDOM)•Uses Port 2048•Option for Authentication, GRE Encapsulation6•CLI Commands



Network Services

DHCP Service•DHCP Relay and WINS support•DHCP server

− Multiple IP-pools for each interface− Exclude ranges and IPs− DHCP IP Reservation− DHCP Options support

•IPv6 DHCP•DHCP Monitoring



Network Services

DNS Service•Integrated Basic DNS Server

− Per-Vdom support− in transparent and NAT/Route mode

•Recursive DNS (split DNS)•IPv6 DNS•Dynamic DNS support



Network Services

DDNS Service•FortiGuard DDNS Server

− Provided with valid Forticare contracts− Ease of setup− Suitable for VPN deployment and remote

administration.



Wireless LAN Overview


Ubiquitous Access Unified Access Layer

DIGITAL ASSET • Content Inspection• Attack Mitigation

• User Identification• Access Control


Fortinet Secure WLAN Approach

Corporate Wi-Fi

Captive Portal, 802.1x—Radius /shared key

Assign users and devices to their role

Examine wireless traffic to remove threats

Apply policy to users and applications

Identify applications and destinations

Report on policy violations, application usage, destinations and PCI DSS

Ensure business traffic has priority

No additional licenses needed


Thick vs. Thin Fortinet APs

FortiAP


FortiAP – Simple and Secure

• Traffic flows to controller• Increased control• No trunking• No VLAN management• No Layer-3 roaming, just fast

Layer-2 switching• No need to re-DHCP

• Controller Redundancy

VLANs


Fortinet 802.11n AP family

FAP-221BFAP-222B

FAP-210B

FAP-320B

FAP-223B

FAP-112B

FAP-28C

FAP-14C

FAP-11C


FortiGate + FortiAP = Unified Access Layer

FortiGate

Wi-Fi Controller

Switch

FirewallAntivirusAntispamWAN OptimizationWeb FilteringApplication ControlIntrusion PreventionVPN

Single Management System

Lower cost of acquisition Lower cost of ownershipImproves security provisioning

Overlay Wireless Management system

FortiAP


Problem: Poor Business Application Performance

Client #1 Client #2

Priority App

Non-Priority App

Non-Priority App

YouTube

WebEx

• Clients and applications on wireless networks compete with each other for shared bandwidth

• 802.11e, Wireless Multimedia Extensions (WME) doesn't solve this problem, as Business applications like Remote Desktop, VNC, Webex, etc. are not be prioritized differently


Solution: Fortinet Application Control

Application Control uses Layer-7 inspection to ensures bandwidth guarantees are provided for business critical applications

Fortinet Application Control Sensors•Over 2,400+ Signatures, 16 Categories•Advanced IM & P2P control•Application Control Traffic Shaping•SSL Content Inspection

Client #1 Client #2

High Priority App

Priority App

Non-Priority App

Non-Priority App

Priority App

Youtube

Webex


WIDS

Wireless Intrusion Detection System•WiFi protocol & RF level attack detection•Detection includes attacks & vulnerabilities such as:

» Weak WEP Encryption Usage» Null SSID Probes» Deauth Broadcasts» Various Management , EAP, Auth & Beacon floods


24/7 “on-wire” Rogue AP Detection & Suppression

Rogue AP Detection» Determines whether an AP is indeed a Rogue device

connected to your physical wired LAN network

Rogue AP suppression» ‘DeAuthentication Frames’ are sent to render

unauthorized Rogue AP’s unusable by clients


WAN

Headquarters

Internet

• Bridges WiFi trafic to FortiAP Ethernet port

• No u-turn to HQ to access local network

• Resiliency in case of WAN failure

WAN

Remote AP with Local Bridging


Remote Telecommuter / Road Warrior

Headquarters

• Data is encrypted

Internet

• Automatic connection to HQ

• Multiple devices can share WiFi


High Density Features

• AP Handoff• Frequency Handoff (Band Steering)• Auto TX Power Control


Automatic Radio Resource Provisioning

CH 1 CH 6CH 11

• Channel Assignment» Automatically assigns non-

overlapping channels» Selects channels with least

noise and interference» Reduces chatter between

APs

• Auto TX Power » Changes radio

transmission power settings automatically



CH 1CH 6CH 11

• Channel Assignment» Automatically assigns non-

overlapping channels» Selects channels with least

noise and interference» Reduces chatter between

APs

• Auto TX Power » Changes radio

transmission power settings automatically



CH 1CH 6CH 11

• Interference Avoidance» Microwave ovens, cordless

phones, baby monitors, etc. all emit RF interference

» FortiAPs frequently sample RF spectrum for sources of interference

» Changes channel and TX power to avoid RF interference impacting Wireless LAN


Beamforming: FAP-221B/FAP-223B/FAP-320B

• Radio “beams” add at the device to enhances the signal and link-rate

TR S

W

TX

RX

BB/MAC TX TR

SW

RX

TX

RX

Radio

Radio

Radio

TR S

W


Wireless Mesh

• Dynamic Multi-hop Mesh with resiliency• Point-to-point / Multipoint Bridging


Building to building bridging

5Ghz (40Mhz wide) 300Mbps Max rate

Wired PC

2.4Ghz (20Mhz wide)150Mbps max rate

Capwap tunnel

Note: only one of the radios can be used for Mesh, user selectableExternal N type directional antennas supported


BYOD – Device Identification and Policy

Identification•Device•User•Application

Policies•Enforcement on Device/User/App


Granular Visibility and Control Applications


Guest Access to Secure Wireless LAN

• Temporary user Provisioning & Access− Allow non-IT staff to create Guest account via

web portal− Assign time quota− Generate temporary password− Distribute guest credentials:

▪ Print▪ Email ▪ SMS

− Batch guest users creation option

• Enables Guest Access to the Secure WLAN via a Captive Portal.


Questions?


Security Gateway Comparison

72

Partner Supplied Internally Developed Not available


Certifications on the Security Gateway

73

Some products are certifiedPassed Certification not conducted


UTM Market Leadership Across the Board

(1) IDC Quarterly Appliance Tracker, June 2009 (based on revenues)

(2) Gartner, Inc., “1H09 MultiFunction Firewall Magic Quadrant” by G. Young and A. Hils, June X, 2009.

(3) 2007 Frost & Sullivan Award for “Market Leadership in UTM” and “Global Competitive Strategy Leadership of the Year"

Source

Fortinet is the leading vendor in the UTM security appliance market.

“

“

Fortinet is a “Leader” in Gartner’s Multi-Function Firewall Segment

Fortinet Named ONLY “Market Leader” in Frost & Sullivan World UTM Report


NSS Labs 2013 Firewall Security Value Map (SVM)

• The FortiGate-800c was rated by NSS Labs at 9.7 Gbps out of the 20 Gbps claimed by the vendor.1 The 800c scored 100% for Stability, 100% for Evasion, 100% for Leakage, and 100% in the central management review. All of which resulted in a TCO of $4 per protected megabit, and 100% for security and management effectiveness.

• Firewall Security Value Map− 100% Security Effectiveness

− $4 TCO per protected Mbps▪ Juniper, Check Point, Stonesoft 4X+ TCO

• Firewall Comparative Analysis Report− Detailed competitive analysis


Best Protected Throughput and Maximum Security

76

Price per Protected - Mbps

2013 Firewall Security Value Map

En

terp

rise M

an

ag

em

en

t &

Secu

rity

Eff

ecti

ven

ess

Firewall SVM

0%

10%

30%

40%

50%

60%

70%

80%

90%

$1$2

$4

$8

$16

$32

$64

$128

$256

100%

Average

Avera

ge

Fortinet FortiGate 800CJuniper SRX 550

Palo Alto Network PA-5020Dell /SonicWALL E4500

Barracuda F800

Netgear UTM9S

WatchGuard XTM 1050

Cyberoam CR2500i NG

Check Point 12600

Stonesoft 1301

Netsaq 800C

$512$1024$2048$4096$8192

Sophos UTM 425


Predictable Performance for all packet size

• Fortinet’s Fortigate 800c was the only device to demonstrate anything close to line rate capacity with packet sizes from 1514 bytes all the way down to 64 bytes. In addition, it was the only device to consistently demonstrate latency of less than 10 microseconds.

• The competitors cannot compete with our predictable performance.


Latency μs (64 byte packets)


Security & Performance

• The Chart depicts the relationship between protection and performance. Further up indicates better security effectiveness, and further to the right indicates higher throughput.


BreakingPoint Resiliency Score

Others Not Pass

Fortigate เป็�น Firewall หน��งในสอง ที่��ที่ดสอบผ่�าน BreakPoint Firestorm CTM5 ซึ่��งเป็�นชุ�ดที่ดสอบสมรรถนะที่��ยอมร�บที่��วโลก แสดงให"เห#นว�า Fortigate คื%อ Firewall ที่��ที่&างานได"เร#วที่��ส�ดในโลก


Thank you

81

fortinet

Documents