
Affordable Hi-Class UTM

Ronnachit Bunchoo
Networks Consultant
IT Distribution Co., Ltd.

Fortinet Confidential

We Pioneered a New Approach


Traditional Network Security Solutions

Stand-alone, non-integrated security


Mix of off the shelf systems and applications
Higher total cost of ownership
Difficult to deploy / manage / use

The Fortinet Solution

Real-time, integrated security intelligence


ASIC-accelerated performance
Lower total cost of ownership
Easy to deploy / manage / use

UTM Surpassing Traditional Network Security

[Chart: worldwide market size in $ billions, 2008 to 2013, for Firewall & VPN versus UTM; Firewall & VPN CAGR -0.5%, UTM CAGR 13.8%]

Source: IDC Worldwide Network Security 2008-2012 Forecast and 2007 Vendor Shares: Transitions Appliances Are More Than Meets the Eye

Evolution of Firewall Security

Complete Protection

FortiGate: Integrated Architecture


FortiGuard Updates

Real-Time Protection

Fully Integrated
Security & Networking
Technologies

AV

IPS

Firewall
WLAN

SSL Insp

VPN

DLP

Web Filter

Antispam
WAN Opt

Load Balancing

App Ctrl
Traffic Shaping
Authentication

Hardened Platform

Specialized OS

High Performance

Purpose-Built Hardware

Support and Services

FortiCare

FortiGuard Labs

Purpose-built to deliver overlapping, complementary security
Provides both flexibility & defense-in-depth capabilities

Disruptive Technology Platform

ASICs accelerate FortiOS security and network functions
Enables faster performance against competitors
Multiple ASICs targeting key functions
Mature design across FortiASICs

Custom built operating system
Architected for security and networking demands
Leverages custom hardware platform
Mature OS - at version 4.0 MR2 today

FortiASIC Specialized Processors


FortiASIC Content Processor (CP) Series
Pattern-Match Acceleration
Encryption / Decryption (e.g. IPSec, SSL-TLS)

FortiASIC Network Processor (NP) Series


Firewall Acceleration
IPSec VPN Acceleration

FortiASIC Security Processor (SP) Series


Additional IPS Acceleration
Unicast , Multicast Acceleration


Firewall

Policy Management
Section & Global View
Session Monitor & Widgets
Policy Objects, Object tagging & Coloring
Traffic counters

NAT
Static NAT, Dynamic NAT Support
Central NAT Table

Traffic Support
SCTP, GTP, ICMP
Session helpers & ALGs
Hardware Acceleration*
High performance across all packet sizes
Ultra-low latency

*applicable to supported models

Policy Table

Innovative features that allow accurate and effective policy setup

Policy Management

Firewall

FortiGate as Firewall
Rules = Security policies
Beyond firewall functionality
Includes optional instructions, e.g. scan for viruses, detect hacker attacks, traffic shaping etc.
Controls traffic when it traverses the device
Interfaces, zones (group of interfaces), VLANs and SSID segments

[Policy table diagram: columns SRC, DST, SRV, ACT and Profiles (AV, IPS, WF, MF, DLP, VM, AppCtrl, Endpt Ctrl)]

Firewall

H/W Acceleration

[Diagram: in legacy security gateway appliances the packet flow between the 1GE interfaces passes through CPU and memory; in the FortiGate security gateway appliance a FortiASIC NP sits on the packet flow path between the 1GE interfaces, giving low latency and wire-speed throughput]

In-box AV functions

Antivirus

FortiGate as AV Gateway
Network based, no agents required on hosts
Can be proxied or flow based
Signature set options: Normal, Extended, Extreme or Flow*
File quarantine if local storage is available
* Feature availability depends on the FortiGate model

FortiGuard AV Service

Why firewall is not enough

Antivirus

STATEFUL INSPECTION FIREWALL
Inspects packet headers only, i.e. looks at the envelope, but not at what's contained inside

[Diagram: data packets from http://www.freesurf.com/downloads/Gettysburg carrying the text "Four score and BAD CONTENT our forefathers brought forth upon this continent a new nation, ... in liberty, and dedicated to the proposition that all"; every packet is marked OK because only the packet headers (TO, FROM, TYPE OF DATA, etc.) are inspected and the packet payload (data) is not scanned]

Flow-based (Stream-based) Inspection

Antivirus

FLOW-BASED INSPECTION
Performs a packet-by-packet inspection of contents
But can easily miss complex attacks that span multiple packets

[Diagram: the same packets from http://www.freesurf.com/downloads/Gettysburg; the packet holding "BAD CONTENT" is flagged (!), the other packets pass as OK, and content split across the packet boundary ("brou" / "ght forth upon this continent a new nation,") goes undetected]

Fragmentation can hide malicious content
True security relies on multiple security layers

File-based (Complete Content) Inspection

Antivirus

FILE-BASED INSPECTION
1. Reassemble packets into content
2. Compare against disallowed content and attack lists

[Diagram: the reassembled content from http://www.freesurf.com/downloads/Gettysburg, "Four score and BAD CONTENT our forefathers brought forth upon this continent a new nation, ... in liberty, and dedicated to the proposition that all", is matched against a DISALLOWED CONTENT list (BAD CONTENT, NASTY THINGS, NASTIER THINGS) and ATTACK SIGNATURES; the BAD CONTENT match is flagged (!!)]
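The three inspection models on the preceding slides (header-only, packet-by-packet, reassembled content), as an added example that is not Fortinet code and not from the original deck. The packets and the disallowed strings are constructed so that one pattern sits inside a packet and one straddles a packet boundary; the last function goes beyond the slides and shows the usual remedy for a flow-based scanner, carrying the tail of the previous packet forward, which is an assumption about technique and not a description of FortiOS internals.

```python
from typing import List, Tuple

# Constructed disallowed-content list (stand-in for the slide's "attack lists").
DISALLOWED = ["BAD CONTENT", "NASTY THINGS"]

# Constructed packets: "BAD CONTENT" is whole in packet 0,
# "NASTY THINGS" is split between packets 1 and 2.
PACKETS = [
    b"Four score and BAD CONTENT our forefathers brou",
    b"ght forth upon this continent a new NASTY ",
    b"THINGS nation, conceived in liberty, and dedicated",
]


def stateful_firewall(packets: List[bytes]) -> List[Tuple[int, str]]:
    """Header-only inspection: the payload is never examined, so nothing is flagged."""
    return []


def flow_based(packets: List[bytes]) -> List[Tuple[int, str]]:
    """Packet-by-packet payload scan: a pattern split across packets is missed."""
    hits = []
    for i, pkt in enumerate(packets):
        for sig in DISALLOWED:
            if sig.encode() in pkt:
                hits.append((i, sig))
    return hits


def file_based(packets: List[bytes]) -> List[str]:
    """Reassemble the whole stream first, then match; needs the full buffer in memory."""
    content = b"".join(packets)
    return [sig for sig in DISALLOWED if sig.encode() in content]


def flow_based_with_carry(packets: List[bytes]) -> List[Tuple[int, str]]:
    """Flow scan that keeps the last (longest pattern - 1) bytes of the previous
    packet, so a pattern straddling the boundary is still found without buffering
    the whole file. Matches that end inside the carried bytes were already reported
    for the earlier packet and are skipped to avoid double counting."""
    keep = max(len(s) for s in DISALLOWED) - 1
    carry = b""
    hits = []
    for i, pkt in enumerate(packets):
        window = carry + pkt
        for sig in DISALLOWED:
            pat = sig.encode()
            start = 0
            while True:
                idx = window.find(pat, start)
                if idx < 0:
                    break
                if idx + len(pat) > len(carry):   # match ends in the new packet
                    hits.append((i, sig))
                start = idx + 1
        carry = window[-keep:]
    return hits
```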

File-based Inspection Requires Enormous Processing Power

Antivirus

[Chart: processing power required (log scale, 1 to 1000) for stateful inspection, flow-based inspection and file-based inspection, plotted against the evolution of threats from 1990 to today: simple intrusions, denial of service attacks, email spam, inappropriate web content, worms, trojans, viruses and sophisticated intrusions]

Overview

IPS

IPS Signatures
Over 7,000+ Signatures
Integrated FortiGuard IPS encyclopedia
Zero-day Threat Protection
Custom Signatures
Signature Filtering
User Quarantine
Packet Logging

DoS Protection
Rate based - set thresholds for various types of network operations

Deployment Options
Sniffer Mode
Bypass Interface & FortiBridge

2012 NSS Security Value Map

Low latency, superior coverage and cost/performance integrated IPS

FortiGuard Service

IPS

Zero-Day Research
Reported over 153 vulnerabilities, 124 of which have been disclosed and fixed by the appropriate vendor(s)

FortiGuard Center
FortiGuard Encyclopedia: detailed descriptions of known threats
IPS Updates log (RSS feed)
Vulnerability Advisories
Threat Monitor: top attacks by geographic breakdown

IPS/IDS - Signature

IPS

Signature Update
Automatically

Performance

IPS

FortiGate 3240C also beats all IPS competition with lowest latency

Anti-SPAM
FortiGuard Anti-SPAM

Overview

Web Filter

URL Filtering
URL, web content, MIME Filtering
Time usage Quota
Transparent Safe Search
Policy Objects, Object tagging & Coloring
Local Rating & Category
User override option

Proxy Avoidance Prevention
Proxy Service Site blocking
Language translation & Cache blocking
Rate site by IP addresses
Application Control Proxy avoidance category
IPS proxy behavior detection

Web Filtering Block Page

Web Filter
Web Content Filtering: HTTP, HTTPS

Web Filter

Web Content Filtering - Manual


Overview

Application Control

Application Control Sensors


Over 2,400+ Signatures, 19 Categories
Advanced IM control
Application Control Traffic Shaping
SSH Inspection
Custom Signatures

More flexible and fine-grained policy control
Increased security
Deeper visibility into network traffic

FortiGuard Application library

Application Sensor

Application Control

Ease of use
Select applications using filters or search by application names

Flexibility
Applies different profiles to users, IP, IP range and subnets and their respective destinations on the security policies.

What is port 80 inside

Application Control

Facebook Control

[Diagram: Facebook sub-functions controlled individually by Application Control: Like, Chat, Post, Apps]

User Identity

User based Policy

[Policy table diagram: SRC User Group #1 -> DST #1, Service Port #1, UTM Profile #1; SRC User #1 and User #2 -> DST #2, Service Port #2, UTM Profile #2]

User Identity based Security Policies
Assign access policy and profiles to each user group or user
Users/members of user groups can be defined locally or integrated with external services
Result: each user/user group is assigned its respective access list and UTM profiles

User Identity

SSO

User attempts access to the network and gets prompted by FortiGate for user credentials
Credential information is provided by the browser
FGT queries Windows AD

Single Sign-On with NTLM
Used when the MS Windows Active Directory (AD) domain controller cannot be contacted
Browser-based method of authentication
Option for guests or users with unsupported browsers to bypass NTLM on CLI

User Identity

RSSO

Single Sign-On with RADIUS (RSSO)
Users get authenticated by the RADIUS server (e.g. access control)
A RADIUS Accounting message carrying an attribute-value pair that refers to the user group the user belongs to, along with IP address info (IP, usergroup_x), is forwarded to FortiGate
FortiGate uses a listening agent and maps the info into its own context table. When a session enters, it looks up the table to determine its action based on the identity-based policies configured
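The RSSO flow above (accounting message, context table, identity-based policy lookup), as an added example that is not Fortinet code and not from the deck. The accounting messages are constructed attribute dictionaries rather than captured RADIUS packets; carrying the group in the Class attribute, the Policy fields and the implicit deny for an IP with no mapping are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Policy:
    group: str    # user group this policy applies to (SRC)
    dst: str      # destination label (DST)
    action: str   # "accept" or "deny"


class RssoContext:
    """Listening agent: consumes Accounting-Request AVPs, keeps IP -> user group."""

    def __init__(self, group_attr: str = "Class"):
        # Assumption: the user group is carried in the Class attribute.
        self.group_attr = group_attr
        self.table: Dict[str, str] = {}

    def handle_accounting(self, avps: Dict[str, str]) -> None:
        ip = avps.get("Framed-IP-Address")
        status = avps.get("Acct-Status-Type")
        if not ip:
            return                      # nothing to map without an address
        if status in ("Start", "Interim-Update"):
            group = avps.get(self.group_attr)
            if group:
                self.table[ip] = group  # (re)learn the mapping for this IP
        elif status == "Stop":
            self.table.pop(ip, None)    # user logged off: forget the mapping


def match_policy(ctx: RssoContext, policies: List[Policy],
                 src_ip: str, dst: str) -> str:
    """First-match evaluation; an IP with no known identity matches no policy."""
    group = ctx.table.get(src_ip)
    if group is None:
        return "deny"                   # implicit deny: identity unknown
    for p in policies:
        if p.group == group and p.dst == dst:
            return p.action
    return "deny"


# Constructed accounting messages (not captured traffic).
SAMPLE_ACCOUNTING = [
    {"Acct-Status-Type": "Start", "Framed-IP-Address": "10.0.0.21",
     "Class": "usergroup_x", "User-Name": "alice"},
    {"Acct-Status-Type": "Start", "Framed-IP-Address": "10.0.0.22",
     "Class": "usergroup_y", "User-Name": "bob"},
    {"Acct-Status-Type": "Stop", "Framed-IP-Address": "10.0.0.22",
     "User-Name": "bob"},
]

POLICIES = [
    Policy("usergroup_x", "DST #1", "accept"),
    Policy("usergroup_y", "DST #2", "accept"),
]


def run_demo() -> Dict[str, str]:
    ctx = RssoContext()
    for msg in SAMPLE_ACCOUNTING:
        ctx.handle_accounting(msg)
    return {
        "alice_dst1": match_policy(ctx, POLICIES, "10.0.0.21", "DST #1"),
        "alice_dst2": match_policy(ctx, POLICIES, "10.0.0.21", "DST #2"),
        "bob_after_stop": match_policy(ctx, POLICIES, "10.0.0.22", "DST #2"),
        "unknown_ip": match_policy(ctx, POLICIES, "10.0.0.99", "DST #1"),
    }
```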

Guest Access

User Identity

Temporary user Provisioning & Access
Allow non-IT staff to create guest accounts via web portal
Specialized admin ID for guest access management
Assign time quota, generate temporary password
Distribute guest credentials by printing, email or SMS
Batch guest user creation option

Device Identity

Overview
Device Identification
Device & OS Fingerprinting
Device Classification & Management
Contextual Device Information

Device Based Policies
Policies using Device/Device Group
Identify device type to add contextual information for better visibility
Enforce policies based on device types or devices
Allow organizations to embrace a BYOD environment securely

[Screenshot: Device Group List]

Device Identification

Device Identity

[Diagram: devices identified with agent (FC) and agentless, across DMZ and Internet segments]

Device Management
Device Definition

Device Identity

Manual add/edit devices
Status
Multiple MAC address merge
Connection information
Device group management
User information

Traffic Status

Traffic History Widget
Illustrates traffic usage statistics over time by sessions or volume
Supports drill-down at a specific time
Relies on traffic logs on local storage

System Administration

Threat Status

Network Management

System Administration

sFlow
Monitors traffic on the network to identify areas that may impact performance and throughput
The sFlow agent is embedded in the FortiGate unit and sends the sampled traffic to an external 3rd-party sFlow collector/analyzer
Available on CLI only

3rd Party sFlow Analyzer - sFlow Trend

Overview

Routing & Network Services

Routing
Link redundancy and load balancing
Policy Routing
Dynamic Routing Protocol Support: RIP, BGP, OSPF, IS-IS
Multicast Routing

FortiGuard Network Services
Free NTP, DDNS & DNS service

Interface Features
VLANs, 802.3ad port aggregation, STP, redundant interface, loopback, hardware & software switch, security modes
Sniff/One-arm Mode

Network Services
Content Routing: WCCP and ICAP support
DHCP & DNS Server

Route Monitor

Robust L3 and L2 capabilities to facilitate a vast variety of network design and setup requirements

Routing & Network Services

Link Redundancy
ECMP
Source IP Based (Hash)
Weight-based: next-hop based on gateway weight
Spillover, Usage-based: next-hop based on traffic to gateway

Policy Based Routing

Routing & Network Services

Features:
Policy routes are applied before destination routes
Can be used to create multiple routes to the Internet
Static load-sharing

Routing decision can be made from:
Source addresses
Protocol, service type, or port range
Incoming interface
ToS

[Diagram: HTTP and other traffic steered over different links by policy routes]

WCCP

Routing & Network Services

Features:
Supports WCCPv1, WCCPv2
L2 and GRE Mode
May operate either as Server or Client (per VDOM)
Uses Port 2048
Option for Authentication, GRE Encapsulation
CLI Commands

[Diagram: WCCP Server and WCCP Client]

Network Services
DHCP Service
DHCP Relay and WINS support
DHCP server
Multiple IP-pools for each interface
Exclude ranges and IPs
DHCP IP Reservation
DHCP Options support

IPv6 DHCP
DHCP Monitoring


Routing & Network Services

Network Services
DNS Service
Integrated Basic DNS Server
Per-VDOM support in transparent and NAT/Route mode
Recursive DNS (split DNS)
IPv6 DNS
Dynamic DNS support

Network Services
DDNS Service
FortiGuard DDNS Server
Provided with valid FortiCare contracts
Ease of setup
Suitable for VPN deployment and remote administration.

Wireless LAN Overview

Ubiquitous Access

Unified Access Layer

User Identification
Access Control
DIGITAL ASSET
Content Inspection
Attack Mitigation

Fortinet Secure WLAN Approach
No additional licenses needed
Captive Portal, 802.1X/RADIUS, shared key
Assign users and devices to their role
Corporate Wi-Fi
Examine wireless traffic to remove threats
Identify applications and destinations
Apply policy to users and applications
Ensure business traffic has priority
Report on policy violations, application usage, destinations and PCI DSS

Thick vs. Thin Fortinet APs

FortiAP


FortiAP Simple and Secure

VLANs

Traffic flows to controller
Increased control
No trunking
No VLAN management
No Layer-3 roaming, just fast Layer-2 switching
No need to re-DHCP
Controller Redundancy

Fortinet 802.11n AP family

FAP-320B

FAP-222B

FAP-28C
FAP-14C
FAP-11C


FAP-223B
FAP-221B
FAP-210B

FAP-112B

FortiGate + FortiAP = Unified Access Layer

[Diagram: a single management system, FortiGate acting as Wi-Fi controller with VPN, intrusion prevention, application control, web filtering, WAN optimization, antispam, antivirus and firewall plus FortiAP, compared with an overlay wireless management system using a separate Wi-Fi controller and switch]

Lower cost of acquisition
Lower cost of ownership
Improves security provisioning
Problem: Poor Business Application Performance
Clients and applications on wireless networks compete with each other for shared bandwidth
802.11e, Wireless Multimedia Extensions (WME) doesn't solve this problem, as business applications like Remote Desktop, VNC, Webex, etc. are not prioritized differently

[Diagram: Client #1 running a priority app (Webex) and Client #2 running non-priority apps (YouTube) share the bandwidth equally]

Solution: Fortinet Application Control
Application Control uses Layer-7 inspection to ensure bandwidth guarantees are provided for business critical applications
Fortinet Application Control Sensors
Over 2,400+ Signatures, 16 Categories
Advanced IM & P2P control
Application Control Traffic Shaping
SSL Content Inspection

[Diagram: with Application Control, Client #1's priority app (Webex) is given high priority over Client #2's non-priority app (YouTube)]

WIDS
Wireless Intrusion Detection System
WiFi protocol & RF level attack detection
Detection includes attacks & vulnerabilities such as:
Weak WEP Encryption Usage
Null SSID Probes
Deauth Broadcasts
Various Management, EAP, Auth & Beacon floods

24/7 on-wire Rogue AP Detection & Suppression

Rogue AP Detection
Determines whether an AP is indeed a rogue device connected to your physical wired LAN network

Rogue AP suppression
Deauthentication frames are sent to render unauthorized rogue APs unusable by clients

Remote AP with Local Bridging
Bridges WiFi traffic to the FortiAP Ethernet port
No u-turn to HQ to access the local network
Resiliency in case of WAN failure

[Diagram: Headquarters connected over the Internet/WAN to a remote FortiAP bridging locally]

Remote Telecommuter / Road Warrior
Automatic connection to HQ
Data is encrypted
Multiple devices can share WiFi

[Diagram: remote FortiAP connected to Headquarters over the Internet]

High Density Features


AP Handoff
Frequency Handoff (Band Steering)
Auto TX Power Control


Automatic Radio Resource Provisioning

Channel Assignment
[Diagram: channels CH 1, CH 6, CH 11 assigned across neighbouring APs]
Automatically assigns nonoverlapping channels
Selects channels with least noise and interference
Reduces chatter between APs

Auto TX Power
Changes radio transmission power settings automatically


Automatic Radio Resource Provisioning

Interference Avoidance
[Diagram: channels CH 1, CH 6, CH 11]
Microwave ovens, cordless phones, baby monitors, etc. all emit RF interference
FortiAPs frequently sample the RF spectrum for sources of interference
Changes channel and TX power to avoid RF interference impacting the Wireless LAN

Beamforming: FAP-221B/FAP-223B/FAP-320B
Radio beams add at the device to enhance the signal and link-rate

[Diagram: multiple radio chains, each with TX and RX paths through a TR switch, driven by a common BB/MAC]
Wireless Mesh
Dynamic Multi-hop Mesh with resiliency
Point-to-point / Multipoint Bridging

Building to building bridging
5GHz (40MHz wide): 300Mbps max rate
2.4GHz (20MHz wide): 150Mbps max rate
Note: only one of the radios can be used for Mesh, user selectable
External N type directional antennas supported

[Diagram: wired PC reached across a CAPWAP tunnel over the mesh bridge]

BYOD Device Identification and Policy

Identification
Device
User
Application

Policies
Enforcement on Device/User/App

Granular Visibility and Control Applications

Guest Access to Secure Wireless LAN

Temporary user Provisioning & Access
Allow non-IT staff to create Guest account via web portal
Assign time quota
Generate temporary password
Distribute guest credentials:
Print
Email
SMS
Batch guest users creation option

Enables Guest Access to the Secure WLAN via a Captive Portal.

Questions?

Security Gateway Comparison

[Table legend: Internally Developed / Partner Supplied / Not available]

Certifications on the Security Gateway

[Table legend: Passed / Some products are certified / Certification not conducted]

UTM Market Leadership Across the Board

Fortinet is the leading vendor in the UTM security appliance market.

Fortinet is a Leader in Gartner's Multi-Function Firewall Segment

Source
(1) IDC Quarterly Appliance Tracker, June 2009 (based on revenues)
(2) Gartner, Inc., 1H09 MultiFunction Firewall Magic Quadrant by G. Young and A. Hils, June X, 2009.
(3) 2007 Frost & Sullivan Award for Market Leadership in UTM and Global Competitive Strategy Leadership of the Year

Fortinet Named ONLY Market Leader in Frost & Sullivan World UTM Report

NSS Labs 2013 Firewall Security Value Map (SVM)
The FortiGate-800c was rated by NSS Labs at 9.7 Gbps out of the 20 Gbps claimed by the vendor.1 The 800c scored 100% for Stability, 100% for Evasion, 100% for Leakage, and 100% in the central management review. All of which resulted in a TCO of $4 per protected megabit, and 100% for security and management effectiveness.
Firewall Security Value Map
100% Security Effectiveness
$4 TCO per protected Mbps
Juniper, Check Point, Stonesoft 4X+ TCO

Firewall Comparative Analysis Report
Detailed competitive analysis

Best Protected Throughput and Maximum Security

Firewall SVM

[Chart: 2013 Firewall Security Value Map, plotting enterprise management & security effectiveness (0% to 100%) against price per protected Mbps ($1 to $8192, log scale). Fortinet FortiGate 800C, Juniper SRX 550 and Stonesoft 1301 sit at 100%; the other products plotted are Check Point 12600, Palo Alto Networks PA-5020, Dell/SonicWALL E4500, WatchGuard XTM 1050, Barracuda F800, Netasq 800C, Cyberoam CR2500i NG, Sophos UTM 425 and Netgear UTM9S, with average lines shown on both axes]

Predictable Performance for all packet sizes

Fortinet's FortiGate 800c was the only device to demonstrate anything close to line rate capacity with packet sizes from 1514 bytes all the way down to 64 bytes. In addition, it was the only device to consistently demonstrate latency of less than 10 microseconds. The competitors cannot compete with our predictable performance.

[Chart: latency in microseconds, 64 byte packets]

Security & Performance

The Chart depicts the relationship between protection and performance. Further up indicates better security
effectiveness, and further to the right indicates higher throughput.


BreakingPoint Resiliency Score

[Chart: FortiGate firewall resiliency score measured with the BreakingPoint Firestorm CTM5; others shown as Not Pass]

Thank you