The Fortinet Secured Network

Матенко Александр, 08.10.2015
© Copyright Fortinet Inc. All rights reserved.
About Fortinet
Fortinet is a global provider of network security appliances and the market leader in the unified threat management (UTM) segment.
Fortinet is headquartered in Sunnyvale, California, USA, and the company also has offices around the world.
Fortinet was founded in 2000 by Ken Xie, a visionary and former president of NetScreen (which Juniper acquired in 2004).
The flagship of the Fortinet product line, the FortiGate security platform, offers hardware-accelerated performance, built-in protection against multiple threats, and a continuously updated deep threat analysis system.
Complete Network Security Solution
• MANAGEMENT: single point of management and reporting
• ENDPOINTS: device protection
• ACCESS: secure access
• SEGMENTATION: policies and zones
• NETWORK: load balancing, DDoS
• APPLICATION: mail, malware, etc.
[Diagram: the layers above, shown together with the labels PLATFORM, USERS, DATA, SECURITY and THREAT INTELLIGENCE]
[Diagram: Fortinet products placed across the network, grouped under SECURITY OPERATING CENTER, DATA CENTER, WAN, LAN, REMOTE and MOBILE.
Products shown: FortiCloud, FortiAuthenticator, FortiAnalyzer, FortiManager, FortiSandBox, FortiTester, FortiExtender, FortiDB, FortiWiFi, FortiTap, FortiWAN, FortiMail, FortiGate, FortiCache, FortiSwitch, FortiAP, FortiRecorder, FortiVoice/FortiGateVoice, FortiToken, FortiClient, FortiBridge, FortiWeb, FortiADC, FortiCamera, FortiFone, FortiDDoS.
Function labels: User ID Mgmt., Central Log & report, Central Device mgmt., File Analysis, Cloud based Mgmt., DB Security, 3G/4G, Network Tap, Network Tester, Site-to-site VPN, Secure WiFi Access, Mail Security Gateway, Security gateway, Link Load Balancer, Secure Web Caching server, L2 Switching, Remote VPN, WiFi Access, IP Cam. Recorder, IP PBX, Web App. Firewall, Failopen Device, Load Balancer, Endpoint Security, L7 D/DOS Mitigator, 2 Factor OTP Token.
Server labels: DB Servers, App Servers, Mail Servers, Web Servers.]
FortiGate Product Range
[Diagram: FortiGate product range by personality, performance and scalability.
Product range tiers: Entry Level, Mid Range, High End, Virtual Appliances.
Series: 30-90 Series, 100-200 Series, 300-900 Series, 1000 Series, 3000 Series, 5000 Series, VM Series.
Throughput bands: 1 Gbps, 10 Gbps, 10 Gbps - 50 Gbps, 50 Gbps - 1 Tbps, H/W Dependent.
Hardware: SoC, Multi Core CPU, NP, CP, Chassis System.
Personalities: UTM, NGFW/NGIPS, ISFW, DCFW/CCFW, CFW/VMFW.
Software & Services: FortiOS Operating System, FortiGuard Security Services, FortiCare Support Services.]
Inside FortiOS
• Integrations: ATP, OSS Support, AAA, Central Mgmt.
• Management: Configuration, Visibility, Log & Report, Diagnostics
• Security Functions: Anti-Malware, IPS, Application Control, Web Filtering, Email Filtering, Firewall, VPN, DLP, User & Device Identity, SSL inspection
• Extensions: Wireless Controller, Switch Controller, Endpoint Manager, Token Server, Vulnerability Scanner
• Virtual Systems: Virtual Domains
• Network Functions / Network Services: Routing, QoS, NAT/CGN, L2/Switching, IPv6, WAN Optimization, WAN Link / Server LB, High Availability
• Operating Modes: NAT/Route, Transparent, Sniffer
• Network Interface: LAN, WiFi, WAN
• Platform: Physical Appliance (+ASICs), Hypervisor, Cloud
* Features may vary by model
FortiGate 300D
Interfaces
1. 2x GE RJ45 Management Ports
2. 4x GE RJ45 Ports
3. 4x GE SFP Slots
Hardware Performance
Firewall Throughput (1518/512/64): 8/8/8 Gbps
IPS Throughput: 2.8 Gbps
Antivirus Throughput (Proxy Based): 1.4 Gbps
Firewall Latency: 3 μs
Concurrent Sessions: 6 Mil
New Sessions/Sec: 200,000
Firewall Policies (System/VDOM): 10,000
Virtual Domains (Default / Max): 10 / 10
Max Number of FortiAPs (Total/Tunnel): 512 / 256
Max Number of FortiTokens: 1,000
IPSec VPN Throughput: 7 Gbps
Client-to-Gateway IPSec VPN Tunnels: 10,000
SSL-VPN Throughput: 350 Mbps
Concurrent SSL-VPN Users (Recommended Max): 500
FortiGate 5000-Series Bundles
Chassis-based platforms offer maximum performance, reliability, and scalability for high-speed service provider, large enterprise or telecommunications carrier networks.
Fastest chassis-based firewall in the industry
Flexibility enables protection of complex, multi-tenant cloud-based security-as-a-service and infrastructure-as-a-service environments.
Bundles (values below in this order): FG-5060-Base / FG-5060-Full / FG 5144C-Base / FG 5144C-Full
Firewall Throughput: 160 Gbps / 400 Gbps / 160 Gbps / 960 Gbps
Concurrent Sessions: 46 Million / 115 Million / 46 Million / 276 Million
New Sessions/Sec: 1.13 Million / 2.82 Million / 1.13 Million / 6.78 Million
IPS (HTTP): 36 Gbps / 90 Gbps / 36 Gbps / 216 Gbps
* Based on sum of individual Security Blades, not as a controller-based system.
FortiOS Software Evolution
[Timeline: FortiOS releases V 2.8, V 3.0, V 4.0, V 4.1, V 4.2, V 4.3, V 5.0 and V 5.2, plotted against 2005, 2007, 2009/Q1, 2009/Q3, 2010/Q1, 2011/Q3, 2012/Q4 and 2014/Q2.
New key functionalities listed: SSL VPN, IM/P2P mgmt, Antispam, DLP, WAN Opt., SSL Proxy, App Control, Wireless ctrl, IPv6 UTM, SQL Logging, New GUI, Network VM, Token Server, ICAP, Client reputation, Sandbox integration, Endpoint control, Device based policy, FortiView, Deep Flow AV, Software performance optimization.]
FortiAP Family
[Diagram: FortiAP models arranged by deployment type (Indoor, Outdoor, Remote) and by tier: Value (Single Radio, 1x1:1), Performance (2x2:2), Resiliency and Versatility (3x3:3, Dual Radio, Dual Band); several models are marked 802.11ac.
Models shown: FAP-320C, FAP-321C, FAP-320B, FAP-222C, FAP-221/223C, FAP-224D, FAP-222B, FAP-221/223B, FAP-28C, FAP-25D, FAP-24D, FAP-21D, FAP-210B, FAP-14C, FAP-11C, FAP-112D, FAP-112B.]
FortiAP 221/223C
• 1 x GE RJ45 Interface
Hardware Performance
Target Environment: Indoor
Number of Antenna: 221C: 4 Internal; 223C: 4 External
Number of Radio: 2
Tx / RX Stream (802.11n): 2x2 MIMO with Dual Spatial streams, 1167 Mbps Total
Simultaneous SSIDs: 8 (7 for client access, 1 for monitoring)
Max Transmission Power: 17 dBm (50 mW)
PoE Support: 802.3af
FortiAP 222C
• 1 x GE RJ45 Interface
Hardware Performance
Target Environment: Outdoor
Number of Antenna: 4 External
Number of Radio: 2
Tx / RX Stream (802.11n): 2x2 MIMO with 2 spatial streams, 1167 Mbps Total
Simultaneous SSIDs: 16 (14 for client access, 2 for monitoring)
Max Transmission Power: 26 dBm (398 mW)
PoE Support: 802.3at & proprietary
Overview FortiSwitch
Access level Gigabit Switches with ease of use and low cost of ownership
• Outstanding price, performance, and scalability to organizations with diverse operational needs.
Primary Benefits:
✓ High Port Density
✓ Integrated Power Over Ethernet
✓ Connect Access Points, Peripherals, Cameras, Phones
✓ Create an integrated, secure network
Models shown: FSW-28C, FSW-80-POE, FSW-124B-POE, FSW-224B-POE, FSW-324-POE, FSW-348B, FSW-448B
Overview FortiClient
Comprehensive end-point protection & security
enforcement
Multifunctional Host Security
• Flexibility in deployment
• Fully integrated features, reduce needs for
multiple client solutions
End Point Control
• Enforce compliance and security policies on
mobile hosts
Centralized Logging and Reporting
• Via FortiGate for enterprise requirements
Overview FortiToken
OATH-compliant, time-based hardware one-time password token
Supports Strong Authentication
• IPSEC VPN
• SSL VPN
• Administrative Login
• Captive Web Portal
• 802.1x Authentication
• Web Application Access
• SSO
Authentication Platforms
• FortiGate (FOS4.3 and later)
• FortiAuthenticator (FAC 1.4 and later)
Secure Seed Delivery Options
• Online Via FortiGuard
• Encrypted file on CD (FTK-200S)
• In-house Seed Provisioning Tool (special order)
Overview FortiAnalyzer
Logging, reporting and analysis from multiple Fortinet
devices
Aggregated Logging
• Singular View of all Fortinet Devices
• Built-in Content Archiving
• Malicious File Quarantine
Centralized Reporting
• Predefined Summary & Device Reports
• Hundreds of Customizable Charts & Graphs
Analysis & Event Correlation
• Vulnerability Assessment
• Network & Log Analysis
Scalable Solution
• Hardware and VM Versions Available
• Collector/Analyzer Modes for Large
Deployments
• High Performance Logs/Sec Processing
• Support for Internal or External SQL
Databases
Overview FortiManager
Tools that effectively manage any size Fortinet security infrastructure, from a few to thousands of appliances
Administrative Domains (ADOMs)
• Enables the primary ‘admin’ to create Virtual Management Domains containing devices for other administrators to monitor and manage
Locally Hosted Security Content
• Allows administrators better control over security content updates and provides improved response time for rating databases.
• Run a local copy of AV, IPS, URL, A/S signature databases.*
Hierarchical Objects & Policy Management
• Create Global Objects and Policies
• Assign to ADOM or groups of ADOMs
• Create device configuration templates to quickly configure a new Fortinet appliance
Web Portal SDK
• JSON-based API allows MSSPs to offer administrative web portals to customers
* Capabilities vary by model
Overview FortiMonitor
Unified event correlation and risk management for modern
networks
Unified Risk Management Solution
• Log collection with enterprise performance
• Correlation automatically determines priority
threats
• Assess your network’s Key Risk Indicators
• Manage host assets critical to your network
• Schedule regular vulnerability scans
• Visualize your holistic security with dashboards
and reports
Overview FortiSandbox
Advanced Threat Protection solution designed to identify and thwart highly targeted and tailored attacks
Advanced Threat Protection
• Multi-layered filtering with Code Emulator, AV engine, Cloud query and Virtual OS sandbox
• Handles multiple file types, including files that are encrypted or obfuscated
• Examines files from various protocols, including those that use SSL encryption
Flexible Operation Modes
• Receives file samples through integration with FortiGate/FortiMail, sniffer mode and manual file uploads
• Captures files from remote locations using deployed FortiGates
Monitoring and Reporting
• Detailed analysis reports and real-time monitoring and alerting
[Diagram: workflow steps 1 File Submission, 2 Centralized File Analysis, 3 Malicious Analysis output, 4 Latest AV Signature Update]
Overview FortiDDoS
Hardware Accelerated DDoS Intent Based Defense
Rate Based Detection
• High performance protection using ASIC
Self Learning Baseline
• Eases maintenance
• Maintains appropriate protection dynamically
Signature Free Defense
• Hardware based protection
Inline Full Transparent Mode
• No MAC address changes
Granular Protection
• Multiple thresholds to detect subtle changes and provide rapid mitigation
[Diagram: ISP 1 and ISP 2 links into a Web Hosting Center, with FortiDDoS and a Firewall in the path; legend: Legitimate Traffic, Malicious Traffic]
Introducing FortiMail
Advanced anti-spam and antivirus filtering solution, with extensive quarantine and archiving capabilities.
Specialized messaging security system
• Advanced, bi-directional filtering prevents spread of spam, viruses, phishing, worms, and spyware
Flexible deployment options
• Transparent, Gateway, and Server modes that adapt to organizational needs and budget
Identity based encryption
• Secure, encrypted communication
Email archiving
• On-box archiving facilitates policy and regulatory compliance requirements
[Diagram: FortiMail in front of Mail Servers]
Introducing FortiWeb
Web application firewall to protect, balance, and accelerate web applications.
Web Application Firewall
• Aids in PCI DSS 6.6 compliance
• Protection against OWASP Top 10
• Application layer DDoS protection
• Auto Learn security profiles
• Geo IP data analysis and security
Web Vulnerability Scanner
• Scans, analyzes and detects web application vulnerabilities
Application Delivery
• Assures availability and accelerates performance of critical web applications
[Diagram: FortiWeb in front of Web Application Servers, blocking SQL Injection, XSS…]
Introducing FortiDB
Database Activity Monitoring and Vulnerability Assessment solution
Database Activity Monitoring (DAM)
• Real-time monitoring of key users and critical transactions
• User activity baselining
• Block database attacks in real time
Vulnerability Assessment
• Sensitive data discovery in databases
• Vulnerability scanning with remediation advice
Policy Driven Controls
• Automated process of establishing IT controls
Database Audit and Compliance
• For compliance and forensic analysis purposes
Deployment options:
Sniffer, Native Audit and Agents
[Diagram: FortiDB monitoring Database Servers]
Introducing FortiTester
Network performance tester that aids in infrastructure optimization and configuration validation
• Affordable appliance that provides low TCO
• Ability to run 8 types of network performance tests
  • Connections (TCP)
  • Throughput (TCP)
  • PPS (UDP)
  • CPS (HTTP/HTTPS)
  • RPS (HTTP/HTTPS)
  • CAPWAP throughput
• Easy-to-use web-based UI
• History Viewer
• Case Profiles
Virtual Appliance Platforms
[Support matrix: virtual appliances (rows) against platforms (columns), with a ✔ marking each supported combination; the per-cell marks are not reproduced here.
Platforms: VMware vSphere v4.x, v5.x, v6.0; Citrix Xen Server v5.6 SP2, v6.0; Open Source Xen, KVM; Amazon AWS; Microsoft Hyper-V 2008 R2, Hyper-V 2012, Azure.
Virtual appliances: FortiGate-VM*, FortiManager-VM, FortiAnalyzer-VM, FortiWeb-VM, FortiMail-VM, FortiAuthenticator-VM, FortiADC-VM, FortiCache-VM, FortiVoice-VM, FortiRecorder-VM, FortiSandbox-VM (5.1, 5.5).]
* Also as FortiGate-VMX for VMware NSX
** Also available as pay-as-you-go licensing option