VectorUSA and Fortinet: Next Generation Network Security

Next Generation Network Security and why you need it for your business! Patrick Luce, CISSP, CISM, Director of Consultative Services, VectorUSA. August 18, 2016

Upload: vectorusa

Post on 23-Jan-2017


TRANSCRIPT

Page 1: VectorUSA and Fortinet: Next Generation Network Security

Next Generation Network Security and why you need it for your business!

Patrick Luce, CISSP, CISM, Director of Consultative Services, VectorUSA

August 18, 2016

Page 2: Agenda

What is Next Generation Security?

Why is it important for your organization?

How is Next Generation Security evolving?

How does Fortinet approach protecting customers from emerging threats?

Page 3: Next Generation Security - History

To have a next generation, there needs to be a previous generation.

Page 4: “First Generation” Firewalls – Three Features

Diagram: an inside computer on 10.0.X.X (Internal) sits behind the firewall, whose public address is on 150.151.X.X (Internet); it connects across OUTSIDE (INTERNET) to an outside computer, www.yahoo.com (206.190.36.105), on port 80.

Network Address Translation (NAT)

Stateful Packet Inspection

Virtual Private Networking (VPN)
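Two of the three first-generation features above (NAT and stateful packet inspection) worked through as an added example; this is not code from the deck or from Fortinet, and the addresses 10.0.1.25, 150.151.1.1 and 203.0.113.9, the ports and the packet contents are constructed sample values chosen to match the page 4 diagram.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


@dataclass
class FirstGenFirewall:
    """Source NAT plus a state table, as on the page 4 diagram: inside hosts
    live on 10.0.X.X, the firewall's public address is on 150.151.X.X."""
    public_ip: str
    inside_prefix: str = "10.0."
    next_port: int = 40000          # next public port handed out by NAT
    # state table: public port -> (inside ip, inside port, outside ip, outside port)
    table: dict = field(default_factory=dict)

    def outbound(self, pkt):
        """Inside -> outside: record state, rewrite the source to the public address."""
        if not pkt.src_ip.startswith(self.inside_prefix):
            return None                                     # not an inside host: dropped
        nat_port, self.next_port = self.next_port, self.next_port + 1
        self.table[nat_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, nat_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Outside -> inside: only a reply matching an existing state entry gets through."""
        entry = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or entry is None:
            return None                                     # unsolicited inbound: dropped
        in_ip, in_port, out_ip, out_port = entry
        if (pkt.src_ip, pkt.src_port) != (out_ip, out_port):
            return None                                     # wrong peer for that entry
        # Addresses and ports are checked; the payload itself is never inspected.
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.payload)


def demo():
    """Constructed exchange: inside host fetches a web page, outsider probes port 80."""
    fw = FirstGenFirewall(public_ip="150.151.1.1")
    request = Packet("10.0.1.25", 51000, "206.190.36.105", 80, b"GET / HTTP/1.1\r\n")
    out = fw.outbound(request)                              # leaves as 150.151.1.1:40000
    reply = Packet("206.190.36.105", 80, out.src_ip, out.src_port, b"HTTP/1.1 200 OK")
    back = fw.inbound(reply)                                # un-NATed to 10.0.1.25:51000
    probe = Packet("203.0.113.9", 4444, "150.151.1.1", 80)  # no state entry: dropped
    return out, back, fw.inbound(probe)
```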

Page 5: Hackers expose all kinds of security flaws…

Application port designations become unreliable.

No control over where inside computers choose to connect to the outside world.

No control over the payload that outside computers deliver.

Weak security practices when configuring inside workstations and servers.

Page 6: Here comes the cavalry…

Diagram: the inside computer on INSIDE still reaches www.yahoo.com (206.190.36.105), port 80, on OUTSIDE (INTERNET), but the traffic now passes through a chain of separate devices:

Firewall

Intrusion Prevention System (IPS)

Web (URL Filter)

Mail Filter (antispam, antivirus)

Basic Application Inspection (FTP, SMTP, HTTP)

Page 7: Now we have new problems…

New technologies require upkeep of signatures.
- This costs money…forever…

Traffic delays from processing packet streams multiple times.
- When life was web, file transfer and mail, no problem.
- With live video and audio, big problem.

Questions about real need, compliance, etc.

Page 8: Enter, Unified Threat Management (UTM)

Diagram: FortiGate UTM, a single appliance combining Application Control, Antivirus, AntiSpam, Web Filtering, Next Generation Firewall, WAN Acceleration, Traffic Optimization, VPN, IPS, DLP and WiFi Controller.

Page 9: Enter, Next Generation Firewall NGFW??

According to Gartner…(sigh)…

“Non-disruptive in-line bump-in-the-wire configuration”

“Standard first-generation firewall capabilities, e.g., network-address translation (NAT), stateful protocol inspection (SPI) and virtual private networking (VPN), etc.”

“Integrated signature-based IPS engine”

Page 10: Now we had new problems continued…

“Application awareness, full stack visibility and granular control”

“Capability to incorporate information from outside the firewall, e.g., directory-based policy, blacklists, white lists, etc.”

“Upgrade path to include future information feeds and security threats”

“SSL decryption to enable identifying undesirable encrypted applications”

Page 11: What’s the difference?

Brilliant marketing. (image via https://blog.anitian.com.)

Page 12: Current Compliance Requirement and NGFW/UTM

| Security Control | NGFW/UTM Feature | PCI-DSS Requirement | HIPAA Requirement | California Civil Code |
|---|---|---|---|---|
| Install and maintain a stateful inspection firewall | Firewall | 1.1 (All), 1.3.6, 1.4 | | |
| Implement Perimeter Intrusion Prevention | IPS | 11.4A | § 164.312(c)(1) | |
| Implement Antivirus/Antimalware | Antivirus | 5.1-5.4 | § 164.308(a)(5)(ii)(B) | |
| Explicitly authorize outbound traffic to Internet | Web Filtering | 1.3.5 | § 164.312(c)(1) | |
| Enforce encryption of sensitive data | DLP | 4.1 | § 164.312(e)(2)(ii), § 164.312(a)(2)(iv) | 1798:29, FIPS 140-2 |
| Secure end user messaging technologies | Application Control | 4.1.1 | | 1798:29 |
| Retain and review audit logs | Logging/Reporting | 10 (all) | § 164.308(a)(1)(ii)(D) | |

Page 13: Common Sense NGFW Applications

Page 14: Coming to a NGFW near you (or already here)

Sandbox Inspection - Code emulation, OS sandboxing

Reputation Analysis - IP and Domain

Mobile Security

Embedded Vulnerability Assessment

Page 15: Talk to Patrick Luce about your Network [email protected]