Ronnachit Bunchoo
Networks Consultant
IT Distribution Co., Ltd.
Fortinet Confidential
[Chart: Firewall & VPN vs. UTM, 2008 to 2013; values shown: $3.2, $2.2, $1.7, $2.1; CAGR labels: 13.8% and (-0.5%)]
Source: IDC Worldwide Network Security 2008-2012 Forecast and 2007 Vendor Shares: Transitions Appliances Are More Than Meets the Eye
Real-Time Protection
Fully Integrated
Security & Networking
Technologies
AV
IPS
Firewall
WLAN
SSL Insp
VPN
DLP
Web Filter
Antispam
WAN Opt
Load Balancing
App Ctrl
Traffic Shaping
Authentication
Hardened Platform
Specialized OS
High Performance
Purpose-Built Hardware
FortiCare
FortiGuard Labs
Firewall
Policy Management
Section & Global View
Session Monitor & Widgets
Policy Objects, Object tagging & Coloring
Traffic counters
NAT
Static NAT, Dynamic NAT Support
Central NAT Table
Traffic Support
SCTP, GTP, ICMP
Session helpers & ALGs
Hardware Acceleration*
High performance across all packet sizes
Ultra-low latency
*applicable to supported models
Policy Table
Policy Management
Firewall
FortiGate as Firewall
Rules = Security policies
Beyond firewall functionality
Policy
SRC
DST
SRV
ACT
Profiles
AV
IPS
WF
MF
DLP
VM
AppCtrl
Endpt Ctrl
Firewall
H/W Acceleration
CPU
Memory
Interfaces
Interfaces
Interfaces
Interfaces
1GE
CPU
Memory
FortiASIC NP
1GE
1GE
Packet Flow
Low Latency
Wire-Speed throughput
1GE
In-box AV functions
Antivirus
FortiGate as AV Gateway
Network based, no agents required on hosts
Can be proxied or flow based
Signature set options: Normal, Extended, Extreme or Flow*
File Quarantine if Local storage is available
* Features subject to FortiGate model
Antivirus
DATA PACKETS
Inspects packet headers only, i.e. looks at the envelope, but not at what's contained inside
http://www.freesurf.com/downloads/Gettysburg
OK
OK
OK
OK
Not Scanned
Flow-based (Stream-based)
Inspection
Antivirus
FLOW-BASED INSPECTION
Performs a packet-by-packet inspection of contents
But can easily miss complex attacks that span multiple packets
Undetected
http://www.freesurf.com/downloads/Gettysburg
OK
!
OK
OK
DISALLOWED
CONTENT
BAD CONTENT
BAD CONTENT
NASTY THINGS
NASTIER THINGS
!!
!!
ATTACK
SIGNATURES
Antivirus
[Chart: timeline 1990, 1995, 2000, Today; axis ticks 1, 10, 100, 1000. Threats shown: Simple Intrusions, Denial of Service Attacks, Sophisticated Intrusions, Worms, Trojans, Viruses, Inappropriate Web Content, Email Spam. Inspection types shown: Stateful inspection, Flow-based Inspection, File-based Inspection]
Overview
IPS
IPS Signatures
Over 7,000+ Signatures
Integrated FortiGuard IPS encyclopedia
Zero-day Threat Protection
Custom Signatures
Signature Filtering
User Quarantine
Packet Logging
DOS Protection
Rate based - set thresholds for various types of network operations
Deployment Options
Sniffer Mode
Bypass Interface & FortiBridge
FortiGuard Service
IPS
Zero-Day Research
Reported over 153 vulnerabilities, 124 of which have been disclosed and fixed by the appropriate vendor(s)
FortiGuard Center
FortiGuard Encyclopedia: detailed description of known threats
IPS Updates log (RSS Feed)
Vulnerability Advisories
Threat Monitor: top attacks by geographic breakdown
IPS/IDS - Signature
IPS
Signature Update
Automatically
Performance
IPS
Anti-SPAM
FortiGuard Anti-SPAM
Overview
Web Filter
URL Filtering
URL, web content, MIME Filtering
Time usage Quota
Transparent Safe Search
Policy Objects, Object tagging & Coloring
Local Rating & Category
User override option
Web Filter
Web Content Filtering: HTTP, HTTPS
Web Filter
Overview
Application Control
Increased security
Deeper visibility into network traffic
FortiGuard Application library
Application Sensor
Application Control
Ease of use
Select applications using filters or search by application names
Flexibility
Applies different profiles to users, IP, IP range and subnets and their respective destinations on the security policies.
Application Control
Facebook Control
Application Control
Facebook
Facebook
Facebook
Facebook
Like
Chat
Post
Apps
User Identity
Policy
SRC
User Group #1
DST #1
Service Port #1
UTM Profile #1
User #1
User #2
DST #2
Service Port #2
UTM Profile #2
User Identity
SSO
3. Credential information is provided by browser
User Identity
RSSO
Guest Access
User Identity
Device Identity
Overview
Device Identification
Device & OS Fingerprinting
Device Classification & Management
Contextual Device Information
Device Group
List
Device Identification
Device Identity
with Agent
FC
FC
DMZ
Agentless
INTERNET
Device Management
Device Definition
Device Identity
Manual add/edit
Devices
Status
Device Group
Management
User Information
Traffic Status
System Administration
Threat Status
System Administration
Overview
Routing
Interface Features
VLANs, 802.3ad port aggregation, STP, redundant interface, loopback, hardware & software switch, Security Modes
Sniff/One-arm Mode
Network Services
Content Routing: WCCP and ICAP Support
DHCP & DNS Server
Route Monitor
Link Redundancy
ECMP
Source IP Based (Hash)
Weight-based
Next-hop based on gateway weight
Spillover, Usage-based
Next-hop based on traffic to gateway
ECMP
Features:
Policy routes are applied before destination routes
Can be used to create multiple routes to the Internet
Static load-sharing
HTTP
Other Traffic
WCCP
Features:
Supports WCCPv1, WCCPv2
L2 and GRE Mode
May operate either as Server or Client (per VDOM)
Uses Port 2048
Option for Authentication, GRE Encapsulation
CLI Commands
WCCP Server
WCCP Client
Network Services
DHCP Service
DHCP Relay and WINS support
DHCP server
Multiple IP-pools for each interface
Exclude ranges and IPs
DHCP IP Reservation
DHCP Options support
IPv6 DHCP
DHCP Monitoring
Network Services
DNS Service
Integrated Basic DNS Server
Per-VDOM support in transparent and NAT/Route mode
Network Services
DDNS Service
FortiGuard DDNS Server
Provided with valid FortiCare contracts
Ease of setup
Suitable for VPN deployment and remote administration.
Ubiquitous Access
User Identification
Access Control
DIGITAL ASSET
Content Inspection
Attack Mitigation
FortiAP
VLANs
FAP-320B
FAP-222B
FAP-28C
FAP-14C
FAP-11C
FAP-223B
FAP-221B
FAP-210B
FAP-112B
VPN
Intrusion Prevention
Application Control
Web Filtering
WAN Optimization
Antispam
Antivirus
Firewall
FortiGate
FortiAP
Wi-Fi Controller
Switch
[Diagram labels: Client #1, Client #2; WebEx (Priority App / High Priority App); YouTube (NonPriority App)]
WIDS
Wireless Intrusion Detection System
WiFi protocol & RF level attack detection
Detection includes attacks & vulnerabilities such as:
Weak WEP Encryption Usage
Null SSID Probes
Deauth Broadcasts
Various Management, EAP, Auth & Beacon floods
Rogue AP Detection
Determines whether an AP is indeed a Rogue device connected to your physical wired LAN network
Rogue AP suppression
DeAuthentication Frames are sent to render unauthorized Rogue APs unusable by clients
Internet
Bridges WiFi traffic to FortiAP Ethernet port
No u-turn to HQ to access local network
Resiliency in case of WAN failure
WAN
Headquarters
Data is encrypted
Multiple devices can share WiFi
Internet
CH 1
CH 6
CH 11
Auto TX Power
Changes radio transmission power settings automatically
Beamforming: FAP-221B/FAP-223B/FAP-320B
Radio beams add at the device to enhance the signal and link rate
RX
TX
Radio
RX
TR SW
BB/
MAC
TX
TR SW
Radio
TX
RX
TR SW
Radio
Wireless Mesh
Dynamic Multi-hop Mesh with resiliency
Point-to-point / Multipoint Bridging
Wired PC
Capwap tunnel
Identification
Device
User
Application
Policies
Enforcement on Device/User/App
Questions?
Internally Developed
Partner Supplied
Not available
Passed
Fortinet is a Leader in Gartner's Multi-Function Firewall Segment
Source
(1)
(2)
Gartner, Inc., 1H09 MultiFunction Firewall Magic Quadrant by G. Young and A. Hils, June X, 2009.
(3)
2007 Frost & Sullivan Award for Market Leadership in UTM and Global Competitive Strategy Leadership of the Year
[Chart: Firewall SVM. Vertical axis: 0% to 90%, with "Average" marked; horizontal axis: Price per Protected Mbps, $8192 down to $1, with "Average" marked. Products labelled: WatchGuard XTM 1050, Barracuda F800, Netsaq 800C, Cyberoam CR2500i NG, Netgear UTM9S]
The chart depicts the relationship between protection and performance. Further up indicates better security effectiveness, and further to the right indicates higher throughput.
Fortigate Firewall
BreakPoint
Firestorm CTM5
Fortigate
Firewall
Thank you