Jak zaoferować usługi zintegrowanego bezpieczeństwa dla ... · Jak zaoferować usługi...

Jak zaoferować usługi zintegrowanego bezpieczeństwa dla klientów korporacyjnych i indywidualnych

Fortinet Confidential

March 4, 2012

[email protected]

1. Fortinet jako korporacja

2. Indywidualne usługi dla firm – FortiGate

3. Indywidualne usługi dla abonentów – FortiGate

4. Usługi ochrony poczty elektronicznej - FortiMail

Agenda

Fortinet Confidential2

Fortinet jako korporacja

• Założona w 2000

• Globalna obecność z 30+ biurami wna świecie i 1,500+ pracownikami

– 5,000+ partnerów

– 100,000+ klientów $212

$252

$325

Fortinet Revenue ($MM)


– 100,000+ klientów

– Większość z Fortune Global 100

• Wejście na giełdę listopad 2009

• NASDAQ: FTNT

• Przychód w 2010 $325 milionów

– 29% YoY wzrost

3

20042006

20082010

$13$39

$80

$123$155

The Fortinet SolutionTraditional Network Security Solutions

Koncepcja Firewalla Nowej Generacji


• Real-time, integrated security intelligence

• ASIC-accelerated performance

• Lower total cost of ownership

• Easy to deploy / manage / use

4

• Stand-alone, non-integrated security

• Mix of off the shelf systems and applications

• Higher total cost of ownership

• Difficult to deploy / manage / use

Fortinet – lider na rynku bezpieczeństwa zintegrowanego

Worldwide UTM Market Share

Q4 2010 (1)

UTM Market Competitive Landscape, 2009(3)

High

Magic Quadrant for Unified Threat Management (2)

Rank CompanyMarket

Share (%)

1 16.2

2 Check Point 11.8


Low Market Penetration High

Niche Participant

Specialist

Contender

Challenger

Market Leader

Low

Abilityto

Deliver

5

(1) IDC Worldwide Security Appliances Tracker, March 2011 (market share based on factory revenue)(2) Gartner, Inc., “Magic Quadrant for Unified Threat Management”, October 2010(3) Frost & Sullivan, “World Unified Threat Management, Products Market 2009”, 2010

Notes

3 Juniper 8.4

4 Cisco 6.6

5 SonicWALL 7.8

6 McAfee 6.3

7 WatchGuard 5.2

8 Crossbeam 2.6

9 Other 35.1

Total 100.0

5

Fortinet – portfolio „end to end” w zakresie bezpieczeństwa

Unified Threat Management

FortiGateNetwork SecurityPlatform

FortiAPSecure Wireless

Centralized Management

FortiManagerCentralized DeviceManagement

FortiAnalyzerCentralized Loggingand Reporting

Application Security

FortiMailMessaging Security

FortiWebWeb Application Firewall


Secure Wireless Access

and Reporting Firewall

Data & System Security

Endpoint SecuritySecurity Services

FortiDBDatabase Security

FortiClientEndpoint Security

FortiScanVulnerability Management

FortiGuardReal timeSecurity Services FortiAuthenticator

Remote Access Management

Fortinet – produkty sieciowe

Failover Protection

FortiBridgeFail-to-Wire Bypass

Application Load Balancing

FortiBalancerApplication Delivery Controllers

Web Caching

FortiCacheISP & Enterprise-Class Content Caching


Ethernet Switches

FortiSwitchGigabit Ethernet Switches

VoIP & Analog Telephony

• Application control, Identity-based policy

enforcement, Defense in depth

– Allow but don’t trust any application

– Examine all content

– Continuously enforce policies

Kompletna ochrona kontentu


Specjalizowane procesory FortiASIC

• FortiASIC Content Processor (CP) Series

»Pattern-Match Acceleration

»Encryption / Decryption (e.g. IPSec, SSL-TLS)

• FortiASIC Network Processor (NP) Series

»Firewall Acceleration


»Firewall Acceleration

» IPSec VPN Acceleration

• FortiASIC Security Processor (SP) Series

»Additional IPS Acceleration

»Unicast , Multicast Acceleration

9

FortiOS

• Fully Integrated Technologies

»Manage all policy enforcement from

a central console

• Single Inspection of Packets

»Delivers greater efficiency and


intelligence

• Deployment Ease & Flexibility

»Same console for all FortiGate

platforms, all technologies

»Ability to deploy technologies where

needed

» IPv6 Ready

10

Bramy sieciowe FortiGate

• Integrated security appliance

− Block network & content threats

• Accelerated performance

− 10 GbE support

− Up to 120 Gbps (appliance)

− Up to 480 Gbps (chassis)


− Up to 480 Gbps (chassis)

• Platforms for every market segment

− Carrier to SOHO

− No per-user licensing

11

Globalna baza klientów

7 of the top 10 Fortune companies in Americas

8 of the top 10 Fortune companies in EMEA

9 of the top 10 Fortune companies in APAC

10 of the top 10 Fortune Telecommunications companies


10 of the top 10 Fortune Telecommunications companies

9 of the top 10 Fortune Retail & Commercial Banks

7 of top 10 Fortune Aerospace & Defense

12

Fortinet – niezawodny partner

• Proven Industry Leadership

− Since 2000, Fortinet has received more than 100 product & company awards.


− Since 2000, Fortinet has received more than 100 product & company awards.

▪ IDC: Overall leader in UTM factory revenue for all of 2009

▪ Gartner: Leader in Unified Threat Management Magic Quadrant

▪ Frost & Sullivan: 2010 "Fortinet is the established and undisputed leader" of worldwide UTM market

▪ SC Magazine: 2009 Readers' Trust Award for "Best Integrated Security Solution”

• Certified security

− Five ICSA certifications (Firewall, AV, IPS, IPSec VPN, SSL VPN, Anti-Spam, WAF)

− Government Certifications (FIPS-2, Common Criteria EAL4+, JITC IPv6, SCAP)

− ISO 9001 certification

13

Usługi sieci FortiGuard

� 100+ threat research professionals

� Eight global locations

� Automated updates to Fortinet customers

� Global software updates

� Large knowledgebase of security

� 8 million antivirus signatures, 90 million

URLs for Web filtering

Real-Time Security Protection Global Distributed Network


1

Robust 24 x 7 x 365 Real-Time Global Intelligence

Note

Data as of September 30, 200914





Agenda


Rozwiązania dla operatorów

Protecting the Service Provider’s Infrastructure

Protecting the customer

(Managed Security Service

Provider)

1 2

Two discrete solutions for Service ProvidersTwo discrete solutions for Service Providers


Provider)

Subscriber

Network

Subscriber

Network

Subscriber

Network

MOBILENETWORK

RADIUS SERVER

GGSN

BRAS

16

Zarządzanie w usługach typu „cloud”

Provisioning Billing

NetworkNetworkSelf Service

Portal

Device Group

JSON API

XML API / GUI

MGMT

CUSTOMERS


Troubleshooting Monitoring

NOC / SOC

NetworkNetworkPortal

Device Group

XML API

CLI / SNMP / GUI

LOG / ARCHIVE

QUARANTINE

GUI





Agenda


Dynamic Security Profiles

Applies to two key target service provider markets

RADIUS

SERVER

Radius Accounting Message Dynamic Policy CreatedPortal Provisioning

PORTAL

SERVER


Applies to two key target service provider markets » Managed Security and Mobile

Allows user “Self-Service” automation» RADIUS Accounting Record attributes used to create a context for a source IP address

» Context can associate IP address with any other RADIUS attribute

• Username, MSISDN, Service Name

» Protection Profile also extracted from the RADIUS record

» Assumes an authentication event has occurred within the Carriers network

• Typical in both fixed (DSL) and mobile environments

DYNAMIC

SECURITY PROFILES

DYNAMIC

SECURITY PROFILES

19

Dynamiczne profile ochronne

• RADIUS Record definition is flexible

»Must include a Framed-IP-Address

RADIUS RECORD

(8) Framed-IP-Address

(31) Calling-station–id

Radius Accounting Message Dynamic Policy CreatedPortal Provisioning

RADIUS RECORD



(25) PROFILE=CHILD

End Point Context

End Point

IP address

Protection Profile


»Other attributes are standard and correspond to those

defined on the FortiGate

»Optional Secret, and acknowledgement

»Configurable Port number

• End Point Context Created

» Links IP address to an end point identifier and Protection Profile

DYNAMIC

SECURITY PROFILES

DYNAMIC

SECURITY PROFILES

20

Dynamiczne profile ochronne

optymalizacja wydajności

• Service is defined as a Protection Profile

»URL Filtering, Antivirus, IPS, Application Control, Antispam

• RADIUS Accounting Records are processed

»Optionally encrypted and acknowledged

» Looking to create an end point context

• Protection Profile in RADIUS record identifies service is required for an end

RADIUS RECORD



(25) PROFILE=CHILD


• Protection Profile in RADIUS record identifies service is required for an end point

» If no Protection Profile found for the IP Flow:-

• Session is transferred to firewall fast path in FortiASIC NP

» If Protection Profile is found service is applied

• Log and reporting messages include end point as well as

IP flow information

DYNAMIC

SECURITY PROFILES

DYNAMIC

SECURITY PROFILES

21

Dynamiczne profile ochronneGroup Profile Override*

� Authenticated bypass of the Service Restrictions� Option to override provided as part of block page

� Changing / Overriding Service via Self-servicing� User can authenticate to a higher (or lower) level� Time based override

blockpage


DSL+3G

blockpage

DYNAMIC

SECURITY PROFILES

DYNAMIC

SECURITY PROFILESwww.badsite.com

22

Dynamiczne profile ochronneSelf provisioning

• Per end-point Black / White List

»End points (users) can have their own black white list

»No requirement for end user to access FortiGate infrastructure

• Can be populated on Self Service Portal

• Dynamically configured on FortiGate as end points attach

»RADIUS VSA Extension, no fixed limit for URLs


»RADIUS VSA Extension, no fixed limit for URLs

DSL+3G

DYNAMIC SECURITY PROFILES

DYNAMIC

SECURITY PROFILES

Self ServicePortal

www.badsite.com

23

Indywidualny Firewall

GGSN

Controlled access to local resources

Only authorized mobile or Internet users can access specific network resources: •Web cameras •File servers

•Remote control of garden equipment


Local resouces

RADIUS serverPolicy server

Web Portal

FortiAuthenticator

Indywidualny Firewall

Applies to two key target service provider markets

RADIUS

SERVER

Radius Accounting Message

Dynamic Policy Created

Provisioning Portal

PORTAL

SERVER

DSL+3G


Applies to two key target service provider markets » Managed Security and Mobile

Allows user “Self-Service” automation» RADIUS Accounting Record attributes used to create a context for a source IP address

» Context can associate IP address with any other attributes

• Username, Groupname,

» IP/User/Group context is pushed into FortiGate Identity based Policy

» Assumes an authentication event has occurred within the Carriers network

• Typical in both fixed (DSL) and mobile environments

25

Polityka SSO


Dane autoryzacji po stronie FortiGate

FWF60B (root) # diagnose debug authd fsso list----FSSO logons----

IP: 192.168.1.109 User: SSOMASTER1 Groups: SSOMASTER

IP: 192.168.1.110 User: SSOFTPU1 Groups: SSOFTPGR

Total number of logons listed: 2, filtered: 0

----end of FSSO logons----

FWF60B (root) # diagnose firewall auth list

policy id: 3, src: 192.168.1.110, action: accept, timeout: 254

user: SSOFTPU1, group: SSOFTPGR


user: SSOFTPU1, group: SSOFTPGR

flag (180020): auth timeout_ext fsso, flag2 (40): exact

group id: 7

policy id: 3, src: 192.168.1.109, action: accept, timeout: 69

user: SSOMASTER1, group: SSOMASTER

flag (180020): auth timeout_ext fsso, flag2 (40): exact

group id: 8

----- 2 listed, 0 filtered ------

FWF60B (root) #

Korzyści biznesowe

• Firewall and UTM services for subscribers • AntiVirus• IPS• Application Control • URL filtering


• URL filtering

• Possibility to apply NAT

• Only authorized external users can access specific resources• Alice can only access Bob’s webcam• John can access Bob’s webcam and fileserver





Agenda


Usługi hostingowe e-mail

CONSUMER FIXEDCONNECTIONS

MOBILE: 3G,WIFI HOTSPOTS

MTA

THE MSSP DELIVERS MAIL SERVICES (AV/AS) TO BUSINESS CUSTOMERS. IT IMPLEMENTS FRONT-END MTAs TO HOST ENTERPRISE MX RECORDS AND FILTER INCOMING + EVENTUALLY OUTGOING EMAIL.THE MSSP MAY BE AN ISP; THE ISP MAY DELIVER MANAGED SERVICES TO ENTERPRISES CONNECTED OUTSIDE OF ITS NETWORK.

MUA

MTA


MTAs

HOSTED SERVICES

INTERNET

DOMAIN.COM

ISP NETWORK

ENTERPRISE FIXEDCONNECTIONS

CUSTOMERS FORHOSTED SERVICES

WIFI HOTSPOTS

MAIL SERVER

MUA

IN/OUT MAIL FLOW

MTA

MX: COMPANY.COM

MTA

3G

30

Cel biznesowy: minimalizacja capex i opex

CONSUMER FIXEDCONNECTIONS

MTA

MUA

MTA

MSSP HANDLES MULTIPLE THOUSANDS OF DOMAINS AND CUSTOMER ENVIRONMENTS.1. MANAGEMENT IS A CHALLENGE. PROVISIONING AND CONFIGURATION FLEXIBILITY ARE KEY ELEMENTS. 2. COST EFFICENCY FOR HIGH PROFITABILITY AND FAST ROI IS A MAJOR CONCERN.3. FUTURE PROOFING: EASILY ENROLLING NEW FEATURES WITHOUT ADDING NEW DEVICES➡ LDAP/SQL SUPPORT FOR CUSTOMER PROVISIONING, ROLE-BASED MANAGEMENT AND TIERED ADMINISTRATION ARE KEY DIFFERENTIATIORS OF FORTIMAIL.➡ NO USER LICENCES, PREDICTABLE AND COMPETITIVE APPLIANCE COST➡ SINGLE APPLIANCE AS THE TARGET FOR ANY FUTURE DEVELOPMENT. ALL IN ONE APPROACH



INTERNET

DOMAIN.COM

ISP NETWORK

HOSTED SERVICES

ENTERPRISE FIXEDCONNECTIONS

CUSTOMERS FORHOSTED SERVICES

MAIL SERVER

MUA

MTAs

IN/OUT MAIL FLOW

MTA

MTA

3G

MX: COMPANY.COM

WIFI HOTSPOTS

31

Ograniczenie ryzyka: blacklisting adresów IP


MTA

MUA

1. INFECTED COMPUTERS ARE CONTROLLED BY BOTNETS AND SEND OUT SPAM.2. THE IP ADDRESS IS IDENTIFIED AS A SOURCE OF SPAM AND BLACKLISTED: EITHER THE SENDER IP

ADDRESS IF THE COMPUTER HAS RECEIVED A PUBLIC IP OR THE IP ADDRESS THE FW (NAT OPERATION).3. WHEN PROCESSING AN INCOMING SESSION,4. THE RECIPIENT MTA QUERIES A DNSBL DATABASE.5. THE SESSION IS REJECTED BY THE MTA AS THE SOURCE IP ADDRESS IS A LISTED SPAMMING IP.� ARE IMPACTED: THE INFECTED SUBSCRIBER WHEN SENDING LEGITIMATE EMAIL + ANY SUBSCRIBER THAT WOULD LATER BE ASSIGNED THE SAME IP + ANY SUBSCRIBER NATED BEHIND THE FW IP.

1

14

5

RESIDENTIALCONNECTIONS

3

3


BUSINESSCONNECTIONS

INTERNET

MTADOMAIN.COM

ISP NETWORK

WIFI HOTSPOTS

3G

HOSTED SERVICESHOSTED SERVICES

CUSTOMERS

MAIL SERVER

MUA

MTA

DNSBL

1

1

2

4

5

LEGITIMATE OUTGOING MAIL FLOW

OUTGOING SPAM

DNS QUERY

MTAsIP

IP

IP

3

3

32

CONSUMERS3G WIFIENTERPRISE

Eliminacja ryzyka blacklistingu

MTA

OUTGOING MAIL SERVER(CORPORATE OR

GOOGLE / YAHOO / HOTMAIL…)

FORTIMAIL TRANSPARENTLY INTERCEPTS SESSIONS REGARDLESS OF DESTINATION MTAs.IT DOES NOT REQUIRE ANY NEW CONFIGURATION ON SUBSCRIBER SIDE AND STAYS INVISIBLE FROM THE INTERNET.IT IS ABLE TO TRACK ACTIVITY AND STATISTICS BASED SUBSCRIBER ID# AND NOT ONLY IPs.IT IS ABLE TO CALCULATE SUBSCRIBER REPUTATION AND AUTOMATICALLY ALERT OR BLOCK OFFENDING USERS.IT WOULD NOT QUEUE MAIL IF THE DESTINATION MTA IS NOT AVAILABLE

ISP.COM MAIL SERVER


INTERNET

MTADOMAIN.COM

ISP NETWORK

HOSTED SERVICESHOSTED SERVICES

CUSTOMERS

MAIL SERVER

ISP OUTGOINGRELAY

→ FML DOES NOT INTERFERE IN THE SMTP NEGOTIATION (AUTH).→ FML DOES NOT MODIFY THE DESTINATION IP ADDRESS OF THE CLIENT

SESSIONS.→ FML DOES NOT MODIFY THE SOURCE IP ADDRESS OF THE CLIENT.→ IT DOES NOT ADD ANY HEADER TO THE MAIL.

OUTGOING MAIL FLOW

MTAs

33


Pytania

Jak zaoferować usługi zintegrowanego bezpieczeństwa dla ... · Jak zaoferować usługi...

Documents

Transcript of Jak zaoferować usługi zintegrowanego bezpieczeństwa dla ... · Jak zaoferować usługi...