User Authentication and Identity Management
Source: basys-bremen.de/index_htm_files/Event20150611E.pdf

Upload: dangdung

Post on 07-Mar-2018

Page 1: FortiAuthenticator: User Authentication and Identity Management

© Copyright Fortinet Inc. All rights reserved.

Last Updated: 17th April 2015

Page 2: FortiAuthenticator Overview

Answering your authentication challenges

Authentication and Authorization
• RADIUS, LDAP, 802.1X, RADIUS Proxy
• SSO Mobility Agent
• Web based login widget

Two Factor Authentication
• FortiToken, physical and mobile
• Tokenless, via SMS and email

Certificate Management
• X.509 Certificate Signing, Certificate Revocation
• Remote Device / Unattended Authentication

Fortinet Single Sign On
• Active Directory
• Agent or agentless
• Third party systems via RADIUS, Syslog and API Integration

[Diagram: FortiAuthenticator at the centre of Two-factor Auth, User Identity, Wireless Auth and FSSO, with FortiGate and FortiAP]

Page 3: FortiAuthenticator Overview: Features & Benefits

User Identity, Two-factor Authentication, Wireless Authentication

Secure access to your organization's systems and data with identity based policy and two-factor authentication
» Control access to your intellectual property

Enable secure remote and guest network access whilst retaining control over security
» Allow business to flourish but not to the detriment of security

Reduce the operational burden of local and guest user management
» Identify users and apply granular user policy
» Integrate with existing user repositories (AD, LDAP)
» User lifecycle management workflow

Confidential

Page 4: FortiAuthenticator Use Cases: Two-factor Authentication

Enable strong password security across your network and application estate
» Secure remote access to critical systems

Reduce operational overheads
» Self-service password reset
» Integration with existing LDAP and AD databases
» Built in lost token workflow
» Migration strategy from third-party vendor tokens

[Diagram: Username + Password + Token checked by FortiAuthenticator against LDAP/Active Directory, in front of Protected Devices]

Page 5: FortiAuthenticator Use Cases: Two-factor Authentication

Support for wide range of secure authentication methods: Physical, Tokenless, Certificate (BYOD), API, Mobile

Flexible range of token formats to suit all deployment requirements
» OATH compatible TOTP (time) based tokens (FTK200)
» USB certificate tokens (FTK300)
» FortiToken Mobile for Android, iOS and Windows Mobile
» SMS and Email tokens

Supports any RADIUS capable device
» Juniper, Cisco, F5, Array, Citrix etc.
» Microsoft Windows Domain Login and OWA

Page 6: FortiAuthenticator Use Cases: Two-factor Authentication

FortiToken Mobile: Supports Android, iOS and Windows Mobile
» 6 or 8 digit passcode, 30 or 60s refresh
» Free install, supports other TOTP & HOTP OATH tokens e.g. Google, Dropbox, Amazon
» QR Code Provisioning support
» PIN protection enforced from FAC

Perpetual license
» Can be reissued if device is lost
» Can be reissued if user leaves the organization
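The slide lists the OATH parameters (TOTP and HOTP, 6 or 8 digits, 30 or 60 s refresh, QR provisioning) without showing what a soft token and its verifier actually compute. The following is an added example, not Fortinet code and not FortiToken's implementation: it generates RFC 4226 HOTP and RFC 6238 TOTP codes with those parameters, verifies them server-side with a small drift window and a replay guard, and builds the otpauth:// URI that a provisioning QR code typically encodes. The seed is the RFC 6238 test seed; the account name and issuer are constructed.

```python
# Added example (not Fortinet code): OATH HOTP/TOTP as used by FortiToken-style
# soft tokens, with the 6/8 digit and 30/60 s parameters from the slide, a
# verifier that tolerates clock drift but rejects replayed codes, and the
# otpauth:// URI that a QR provisioning code usually carries.
# Seed, account name and issuer below are constructed for illustration.
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, digits: int = 6, step: int = 30, at=None) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). step=30 or 60 and
    digits=6 or 8 cover the FortiToken Mobile options on the slide."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


class TotpVerifier:
    """Server-side check: accept a code for the current step or `window` steps
    either side (clock drift), but never for a step at or before the last one
    that succeeded, so a captured code cannot be replayed within its lifetime."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30, window: int = 1):
        self.secret, self.digits, self.step, self.window = secret, digits, step, window
        self.last_counter = -1

    def verify(self, code: str, at=None) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        now = int(time.time() if at is None else at)
        centre = now // self.step
        for counter in range(centre - self.window, centre + self.window + 1):
            if counter <= self.last_counter:
                continue  # already consumed (or older): replay guard
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI (Key Uri Format) that QR-code provisioning encodes. The
    seed travels base32-encoded in clear, so the QR image is as sensitive as
    the seed itself and must not be logged, e-mailed or left on screen."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode(
        {"secret": b32, "issuer": issuer, "digits": digits, "period": step})
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test seed (constructed input)
    print(totp(seed, digits=8, at=59))  # 94287082
    print(provisioning_uri(seed, "alice@example.com", "ExampleCorp"))
```

The verifier's `last_counter` is the part that matters operationally: a 30 s window without it lets an attacker who shoulder-surfs or phishes one code reuse it for up to 90 s. A real server keeps that counter per user and persists it across restarts.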

Page 7: FortiAuthenticator Use Cases: Wireless Authentication

Centralized WiFi Authentication

Authenticate users (PEAP, EAP-TTLS) and machines.

Certificate based device authorization (EAP-TLS) for BYOD environments.

In open guest or visitor networks, FortiAuthenticator can provide captive portal functions.

[Diagram: FortiAuthenticator, FortiAP, FortiGate]

Page 8: FortiAuthenticator Use Cases: Guest Management

User Self-registration
» Collection of user details
» Option to SMS login details (proof of identity)
» Receptionist registration option
» Time limited accounts
» Delete expired accounts
» Support multiple locations
» Coming soon: Facebook, Google, LinkedIn, Twitter login

[Diagram: FortiAuthenticator, FortiAP, FortiGate]

Page 9: FortiAuthenticator Use Cases: Fortinet Single Sign-On

Identify users and apply identity based security policy
» FortiAuthenticator transparent user identification collects and enriches user identity information
» Allows FortiGate, FortiMail and FortiCache devices to apply appropriate policy based on user identity and role
» Granular control of network and application access

[Diagram: Staff, Admin and Guest users mapped to Corporate Resources and Guest Access. Define who can access what and when]

Page 10: FortiAuthenticator Use Cases: Fortinet Single Sign-On, Transparent User Identity

[Diagram: identity sources feeding FortiAuthenticator, grouped as AD & Windows and Generic Sources, with logon events forwarded to FortiGate]

Identity sources shown:
• RADIUS Accounting Records
• FortiClient SSO Mobility Agent
• Active Directory Polling
• Login Portal & Widgets
• REST API
• Syslog
• Kerberos with NTLM Fallback
• TS and AD Collector Agents

Page 11: FortiAuthenticator Use Cases: Certificate Authority

Simplifies the task of certificate management

Issue certificates for multiple uses:
» VPN Authentication
» Wireless 802.1X (PEAP, EAP)
» Windows Desktop Authentication
» Compatible with FTK300 USB PKI Certificate Store

[Diagram: certificate issued by the Certificate Authority and later marked REVOKED]

Page 12: FortiAuthenticator Use Cases: Certificate Based VPN

Strengthen and simplify VPN security
» Certificate based VPN enhances traditional pre-shared keys with a second factor
» Revoke certificates if device is lost (OCSP)
» Zero touch certificate distribution (SCEP)
» Integration with FortiManager to simplify deployment

Page 13: FortiAuthenticator Use Cases: RADIUS Accounting Proxy

Integrates Carrier/ISP networks with Fortinet RADIUS Single Sign-on
» Minimises changes needed to critical business systems
» Takes the additional load by duplicating RADIUS Packets

RSSO used to apply Identity Policy for FortiGate, FortiMail and FortiCache

[Diagram: Carrier / ISP RADIUS Server; RADIUS Accounting in, RADIUS Accounting duplicated out]
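Both the RADIUS Accounting Records source on the Transparent User Identity slide (page 10) and the accounting proxy above rely on the same mechanism: accounting Start/Stop records carry a user name and the address the user was given, and a receiver that trusts them can build the IP-to-user table an identity-aware firewall consumes. The following is an added example, not Fortinet code and not how FortiAuthenticator or FortiGate implement RSSO internally. It encodes and verifies RFC 2866 Accounting-Request packets, including the Request Authenticator check that stops an unauthenticated sender from injecting a logon for someone else, and maintains the identity table. Shared secret, user names and addresses are constructed.

```python
# Added example (not Fortinet code): deriving an IP -> user identity table from
# RADIUS Accounting traffic, the mechanism behind RSSO and the accounting proxy
# on the slide. Packets follow RFC 2866. The shared secret, users and addresses
# are constructed for illustration.
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
STATUS_START, STATUS_STOP, STATUS_INTERIM_UPDATE = 1, 2, 3


def build_accounting_request(identifier: int, attrs, secret: bytes) -> bytes:
    """Code | Identifier | Length | Authenticator | Attributes. The Request
    Authenticator is MD5(Code+ID+Length+16 zero octets+Attributes+Secret);
    it is what lets a receiver drop packets from anyone lacking the secret."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack(">BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Recompute the Request Authenticator and compare in constant time."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(data: bytes) -> dict:
    """Walk the Type | Length | Value list; reject truncated or zero-length TLVs."""
    attrs = {}
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("malformed attribute length")
        attrs.setdefault(attr_type, []).append(data[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


class IdentityTable:
    """IP -> user mapping kept current from Start / Interim-Update / Stop
    records, the data an identity-based firewall policy is evaluated against."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.sessions = {}

    def ingest(self, packet: bytes) -> str:
        if not verify_accounting_request(packet, self.secret):
            return "rejected"   # wrong secret or tampered: must not touch policy state
        attrs = parse_attributes(packet[20:])
        try:
            status = struct.unpack(">I", attrs[ATTR_ACCT_STATUS_TYPE][0])[0]
            user = attrs[ATTR_USER_NAME][0].decode("utf-8")
            ip = socket.inet_ntoa(attrs[ATTR_FRAMED_IP_ADDRESS][0])
        except (KeyError, IndexError, struct.error, UnicodeDecodeError, OSError):
            return "ignored"    # no usable user/address pair in this record
        if status in (STATUS_START, STATUS_INTERIM_UPDATE):
            self.sessions[ip] = user
            return "logon"
        if status == STATUS_STOP:
            self.sessions.pop(ip, None)
            return "logoff"
        return "ignored"

    def who(self, ip: str):
        return self.sessions.get(ip)


def session_attrs(user: bytes, ip: str, status: int):
    """Attribute list for one accounting record (constructed test input)."""
    return [(ATTR_USER_NAME, user),
            (ATTR_FRAMED_IP_ADDRESS, socket.inet_aton(ip)),
            (ATTR_ACCT_STATUS_TYPE, struct.pack(">I", status))]


if __name__ == "__main__":
    secret = b"example-shared-secret"   # constructed
    table = IdentityTable(secret)
    start = build_accounting_request(1, session_attrs(b"alice", "10.1.2.3", STATUS_START), secret)
    print(table.ingest(start), table.who("10.1.2.3"))    # logon alice
    forged = build_accounting_request(2, session_attrs(b"admin", "10.1.2.3", STATUS_START), b"guess")
    print(table.ingest(forged), table.who("10.1.2.3"))   # rejected alice
```

The check in `ingest` is the one to insist on when a proxy duplicates accounting packets to a firewall: an identity table fed by unauthenticated UDP would let anyone on the path claim an address belongs to a privileged user. Note that RFC 2866 gives no confidentiality and MD5 is only as strong as the shared secret, so the accounting feed should still run over a trusted or tunnelled path.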

Page 14: FortiAuthenticator Use Cases: High Availability and Scalability

Active-Passive High Availability
» Local sync with failover
» Supports all features

Active-Active Config Sync
» Geographic distribution
» Load balance across devices (scalability)
» Supports authentication feature sync (not FSSO)
» Can be combined with Active-Passive HA (A-P Master, standalone slaves)

Page 15: Case Studies

Page 16: Case Study: Medium Enterprise Identity Management

Organization and Challenge
» Multiple user groups / domains
» Online retail organization with mobile workforce and widespread BYOD adoption
» Incumbent Cisco wireless network; customer thought Cisco was the only option for gateway Identity Policy

Why We Won
» Ability to consume user identity from Cisco wireless network (via RADIUS Accounting)
» Fully inclusive guest management and registration features

What They Bought
» 2x FortiAuthenticator 200D (HA)
» 2x FortiGate 600C (HA)
» Still in the game for WiFi refresh

Who We Beat
» Cisco

Cisco tried to claim that the only way to perform Identity Based Firewalling was using their own ISE and ASA. FortiAuthenticator proved this wrong and has kept Fortinet in the running for the WiFi refresh.

[Diagram: WAN, Remote Workers and Guests connecting through FortiGate, with FortiAuthenticator supplying identity]

Page 17: Case Study: Local Government Identity Management

Organization and Challenge
» Multiple user groups / domains
» Regional govt. requiring transparent identity aware firewalling
» 5,000 users with granular permissions across 3 domain controllers, 2 domains

Why We Won
» Multiple identity detection methods
» AD Polling combined with RADIUS (VPN) and guest portal
» Fully inclusive guest management and registration features

What They Bought
» 2x FortiAuthenticator 1000D (HA)
» 2x FortiGate 1000D (HA)

Who We Beat
» Juniper, CheckPoint, SonicWall

[Diagram: WAN, Remote Workers and Guests; FAC gathers user identity and forwards to FGT]

Page 18: Case Study: Enterprise Identity Management

Organization and Challenge
» 90 Remote Sites
» Multinational enterprise with 3 Datacenters, 90 branches and 17,000 users throughout the world
» Mobile workforce means users could be on any site

Why We Won
» Performance and scalability of user identity detection
» Selective distribution of login events to local site and core

What They Bought
» 3 x FortiAuthenticator 3000D
» 9 x FortiGate 3600C
» 90 x FortiGate 110C

Who We Beat
» PaloAlto, Juniper

[Diagram: WAN, 3 Datacenters with FortiAuthenticator, FortiGate Clusters and Active Directory; FAC gathers user identity and selectively forwards identity to the relevant FGT]

Page 19: Case Study: Enterprise Two-Factor Auth

Organization and Challenge
» Network Operations Center
» Enterprise organization requiring secure multi-factor authentication for a heterogeneous range of devices
» Integration with existing LDAP/AD infrastructure

Why We Won
» Secure provisioning strategy (CD)
» Physical and Soft token support
» Support for wide range of client devices and Windows Desktop login

What They Bought
» 2 x FortiAuthenticator 400C
» 100 x FortiToken 200
» 500 x FortiToken Mobile

Who We Beat
» RSA, Safenet

[Diagram: Internet, Multiple Datacenters, FortiAuthenticator, Home Workers]

Page 20: FortiAuthenticator Ordering Information

Small / Mid Enterprise Deployments: FortiAuthenticator 200D
• Support up to 500 users
• HDD – 1 x 1TB
• 4 x 10/100/1000
• Rack Mountable, 1U
• Single AC PSU

Mid Enterprise Deployments: FortiAuthenticator 400C
• Support up to 2,000 users
• HDD – 1 x 1TB
• 4 x 10/100/1000
• Rack Mountable, 1U
• Single AC PSU

Large Enterprise/Service Provider Deployments: FortiAuthenticator 1000D
• Support up to 10,000 users
• HDD – 2 x 2TB
• 4 x 10/100/1000
• 2 x SFP
• Rack Mountable, 2U
• Dual AC PSU

Large Enterprise/Service Provider Deployments: FortiAuthenticator 3000D
• Support up to 40,000 users
• HDD – 2 x 2TB
• 4 x 10/100/1000
• 2 x SFP
• Rack Mountable, 2U
• Dual AC PSU

All Sized Deployments from SME to Service Provider: FortiAuthenticator VM
• From 100 to 1M+ users
• Unlimited CPU
• Unlimited RAM

**Fully Stackable User Licensing**

Page 21: Competitive

Page 22: Feature Comparison: FortiAuthenticator vs FortiGate

Area | Feature | FortiGate | FortiAuthenticator
Auth | Two-factor Auth w. FortiToken | |
Auth | Multiple FortiGate per token | |
Auth | Support third party vendors | |
Auth | User password reset | |
Auth | User self registration | |
Auth | Support multiple realms | |
FSSO | AD Polling | |
FSSO | DC & TS Agent | |
FSSO | Kerberos | |
FSSO | RADIUS Accounting | ✗ (FSSO), (RSSO) | (Both)
FSSO | Syslog | |

[The yes/no marks for the remaining cells are not recoverable from the extracted text; only the RADIUS Accounting row annotations survive]

Page 23: Competitive Landscape

[Diagram: FortiAuthenticator positioned across Two-factor Auth, User Identity and Wireless Auth]

Page 24: Feature Comparison – User Identity

Columns: Feature | FortiAuth | PaloAlto User-ID | Cisco Identity Services Engine | Juniper Pulse UAC* | Checkpoint Identity Awareness Blade

Identity: Microsoft Windows Environments
• DC Polling
• DC Agent
• Terminal Services Agent
• Kerberos
• Microsoft Exchange

Identity: Non-Microsoft Windows Environments
• Endpoint Agent
• Captive Portal
• Embeddable Widgets
• SYSLOG
• Open API (IF-MAP)
• RADIUS Accounting

Authorization
• LDAP/AD
• Local override

[Per-vendor check marks are not recoverable from the extracted text]

* Note that the Pulse Product line is now owned and supported by Pulse Secure

Page 25: Feature Comparison – Two Factor Auth

Columns: Feature Type | Feature | FortiAuth | Safenet | RSA | Vasco

Deployment
• Appliance
• Software
• Virtual Machine
• Cloud

Tokens
• Physical Token: ✓ (Time), (Event), ✓ (USB Cert) | ✓ (Time), ✓ (Event), ✓ (USB Cert) | ✓ (Time)
• Mobile Token: ✓ (iOS), ✓ (Android), ✓ (WinMo), ✓ (BB) | ✓ (iOS), ✓ (Android), ✓ (WinMo), ✓ (BB) | ✓ (iOS), ✓ (Android), ✓ (WinMo), ✓ (BB)
• Desktop Token: (Mac), (Win) | ✓ (Mac), ✓ (Win) | ✓ (Mac), ✓ (Win)
• Tokenless: ✓ SMS, ✓ Email | ✓ SMS, ✓ Email, ✓ GrIDsure | ✓ SMS, ✓ Email

Agents
• Windows Domain 2FA
• Outlook Web Access 2FA
• Sharepoint: Roadmap

Integration
• Auth Methods: ✓ RADIUS, ✓ LDAP, SAML, ✓ API | ✓ RADIUS, LDAP, ✓ SAML, ✓ API
• External User repositories: ✓ Local, ✓ AD, ✓ LDAP, ✓ RADIUS | ✓ AD, ✓ LDAP, RADIUS, ✓ MSSQL | ✓ AD, ✓ LDAP (Oracle only)
• User Self Service

[Cell groups are listed in extraction order, separated by |; which vendor column each group belongs to, and the marks for the remaining cells, are not recoverable from the extracted text]