Building Secure Access Solution - INFOSECURITY VIP...Fortinet Secure Access Approach Captive Portal,...

Post on 22-May-2020


© Copyright Fortinet Inc. All rights reserved.

Building Secure Access Solution: How to create a secure access strategy

▪ 2017

Ricardo Guzman – Systems Engineer Caribbean

2

Borderless Attack Surface

Clinics, Hospitals, Data Center, Remote Office, Mobile, PoS, IoT

There are more ways in, and more ways out.

3

[Digital Transformation]

DX is the integration of digital technology into all areas of a business, resulting in fundamental changes to how businesses operate and how they deliver value to customers.

4

The Cybersecurity Problem… TODAY 2020

▪ Breaches will affect over 1.5 BILLION people
▪ 6.9 BILLION connected “things” on business networks
▪ 256 DAYS to detect an external breach
▪ 11 MILLION records compromised in June 2017
▪ 2.4 BILLION connected “things” on business networks

THE TRUE CHALLENGE = 1: one uncontained threat, one open network port, one unknown device. No decline in sight. IT ONLY TAKES ONE.

5

[Security Transformation]

SX is the integration of security into all areas of digital technology, resulting in a Security Architecture that provides a Continuous Trust Assessment.

6

Device Domain — Where Vulnerability Starts

SECURITY MUST START at the Network Domain and Continue in the Service and Application Domains

Factors in the device domain: lack of standardization, headless devices, cost, GTM, devices, vendors, security

7

The First Challenge: Connectivity

Network admin in its natural state

8

A super-fast network without control and security

9

The Second Challenge: Security

10

When Security Interrupts Business

11

The Solution: Integrated Secure Access

SECURE ACCESS SOLUTION

12

SECURE ACCESS BUILDING BLOCKS

13

Access medium?

14

Where?

https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/comment-page-3/

15

3 Steps for a better network

▪ Learn: trusted or not trusted
▪ Segment: define a policy
▪ Control & Protect: everything

Reducing the Attack Surface

16

Fortinet Secure Access Approach (Corporate Wi-Fi)

▪ Captive Portal, 802.1X — RADIUS / shared key
▪ Assign users and devices to their role
▪ Examine traffic to remove threats
▪ Apply policy to users and applications
▪ Identify applications and destinations
▪ Reports on policy violations, application usage, destinations and PCI DSS
▪ Ensures business traffic has priority

17

FIRST STEPS

18

Authentication

Wi-Fi security through the years…

▪ Original standard – 1997: WEP protection
▪ 802.11i – 2004: WPA2
▪ WPA3

19

Secure Wireless LAN Guest Access

Temporary user provisioning and guest WLAN access

▪ Allow non-IT staff to create guest accounts via web portal
▪ Assign time quota
▪ Generate temporary password
▪ Distribute guest credentials: print, email, SMS
▪ Batch guest user creation option

20

Identification: Same network but different profiles

Employees, Managers, Executives, Guests

21

Internal Segmentation

(Diagram) WAN, Internet, Cloud, Home Office, Branch Office and Private Cloud reach the Internal Network (100 Gbps+) and Data Center through an Edge Gateway; Internal Segmentation Firewalls (ISFW) sit between internal segments, separating External from Internal.

22

Application & Bandwidth Control

Bandwidth Control

▪ Uses Layer-7 inspection
▪ Ensures business critical applications are prioritized
▪ Ensures bandwidth allocation is fair
▪ Critical for optimization of WAN links

Fortinet Application Control Sensors

▪ Over 3,000 apps identified, 16 categories
▪ Advanced IM & P2P control
▪ Application Control traffic shaping
▪ SSL content inspection

(Diagram) Client #1 and Client #2 reach the INTERNET through FortiAP and FortiGate; priority app traffic is favoured over non-priority app traffic.

23

Visibility: Who, What, Where, When

(Diagram) Live Inventory of Network Connections (LINC) across School 1, School 2 and School 3

24

Visibility

25

Central monitoring of the Fabric

26

Respond

27

Automated response to compromised devices

▪ How it works
» A device is detected as compromised by one element of the fabric
» Switches and APs can automatically quarantine the device at the access layer

▪ Why it’s important
» Compromised IoT devices are no longer a threat to the wider network
» Guest devices (if infected) will be dealt with automatically

28

Security Fabric and NAC

(Diagram) Switch, Firewall, Access Point, Router, SIEM, IDS/IPS

Challenges
▪ Connected “things” on business networks
▪ Lack of network visibility
▪ Regulation & audit

29


Network Sentry protocols: SNMP, CLI, RADIUS, Syslog, API

Solution: FortiNAC

Visibility: Discover all endpoints

▪ Identify and profile every endpoint

▪ Multi-vendor wired & wireless connectivity

▪ Self-registration to simplify guest management

Control

▪ Automated Authentication & Authorization

▪ Dynamic network access control

▪ Enable network micro-segmentation

Automated Response

▪ Bridge the SOC & NOC

▪ Rapid security event triage

▪ Accelerate threat investigations

▪ Granular containment options

30

Visibility: Endpoint Identification

▪ Device Classification
» Automatic or manual

▪ Sponsor Notification
» Device type
» Confirm on connect
» Disable if confirmation fails

▪ 13 Profiling Methods
» More methods = higher trust

31

Continuous device profiling

New printer:
1. Printer connected to network
2. MAC notification trap triggers FortiNAC
3. FortiNAC profiles device as printer
4. FortiNAC informs Fabric to allow printer-type access to network

Infected laptop:
1. User brings infected laptop to work
2. FGT sends event to FortiNAC
3. FortiNAC quarantines the laptop at access layer
4. Virus contained at switch node

Containment of lateral threats at Edge
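The two flows above, as an added illustration that is not FortiNAC's or Fortinet's code: a toy NAC controller that profiles a device from a MAC-notification trap (OUI lookup plus "confirm on connect", as on the endpoint identification slide) and moves a port to a quarantine VLAN when the firewall reports the MAC as compromised. The OUI table, VLAN numbers, switch and port names are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed sample data (not real OUIs or a real VLAN plan)
OUI_TABLE = {"00:11:22": "printer", "aa:bb:cc": "laptop"}
ROLE_VLAN = {"printer": 20, "laptop": 10, "unknown": 999}
QUARANTINE_VLAN = 666


@dataclass
class Nac:
    """Toy NAC: tracks what sits on each access port and which VLAN it got."""
    ports: dict = field(default_factory=dict)  # (switch, port) -> entry
    log: list = field(default_factory=list)

    def profile(self, mac, confirm_ok):
        # Printer flow step 3: classify by OUI, then "confirm on connect";
        # a failed confirmation leaves the device as 'unknown' (least privilege)
        role = OUI_TABLE.get(mac[:8].lower(), "unknown")
        return role if confirm_ok else "unknown"

    def on_mac_trap(self, switch, port, mac, confirm_ok=True):
        # Step 2: a MAC-notification trap from the switch triggers profiling;
        # step 4: the resulting role decides the VLAN the fabric is told to apply
        role = self.profile(mac, confirm_ok)
        entry = {"mac": mac.lower(), "role": role, "vlan": ROLE_VLAN[role]}
        self.ports[(switch, port)] = entry
        self.log.append(f"{switch}/{port} {mac} -> {role} vlan {entry['vlan']}")
        return entry

    def on_compromise_event(self, mac):
        # Laptop flow steps 2-4: the firewall reports the MAC, the NAC finds the
        # access port it sits on and moves that port to the quarantine VLAN
        for (switch, port), entry in self.ports.items():
            if entry["mac"] == mac.lower():
                entry["role"], entry["vlan"] = "quarantined", QUARANTINE_VLAN
                self.log.append(f"{switch}/{port} {mac} quarantined")
                return (switch, port)
        return None  # unknown MAC: nothing to contain, worth alerting on


def run_demo():
    nac = Nac()
    nac.on_mac_trap("sw1", "gi1/0/5", "00:11:22:33:44:55")          # printer
    nac.on_mac_trap("sw1", "gi1/0/6", "AA:BB:CC:DD:EE:FF")          # laptop
    nac.on_mac_trap("sw2", "gi1/0/1", "00:11:22:99:99:99", False)   # fails confirmation
    nac.on_compromise_event("aa:bb:cc:dd:ee:ff")                    # FGT event
    return nac
```

The laptop ends up on the quarantine VLAN while the printer keeps its role, and the device that failed confirmation never gets more than the 'unknown' VLAN.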

32

What else do we need?

33

Education

34

Continuous Improvement