Building Secure Access Solution - INFOSECURITY VIP...Fortinet Secure Access Approach Captive Portal,...
© Copyright Fortinet Inc. All rights reserved.
Building Secure Access Solution: how to build a secure access strategy
2017
Ricardo Guzman, Systems Engineer Caribbean
Borderless Attack Surface
Clinics, hospitals, data center, remote office, mobile, PoS, IoT.
There are more ways in, and more ways out.
[Digital Transformation]
DX is the integration of digital technology into all areas of a business, resulting in fundamental changes to how businesses operate and how they deliver value to customers.
The Cybersecurity Problem... today and in 2020
▪ Breaches will affect over 1.5 billion people
▪ Connected "things" on business networks: 2.4 billion growing to 6.9 billion (the two figures the slide contrasts for today and 2020)
▪ 256 days to detect an external breach
▪ 11 million records compromised in June 2017
The true challenge: it only takes one uncontained threat, one open network port or one unknown device. No decline in sight.
[Security Transformation]
SX is the integration of security into all areas of digital technology, resulting in a security architecture that provides a continuous trust assessment.
Device Domain: where vulnerability starts
Security must start at the network domain and continue in the service and application domains.
Device-side challenges: lack of standardization, headless devices, cost, go-to-market (GTM) pressure, the number of devices and vendors, and security.
The First Challenge: Connectivity
The network admin in his natural state
A super-fast network without control and security
The Second Challenge: Security
When Security Interrupts Business
The Solution: Integrated Secure Access
Secure Access Building Blocks
Access medium?
Where? (The 2013 Target breach started from an HVAC contractor's network access.)
https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/comment-page-3/
3 Steps for a better network
▪ Learn: trusted or not trusted
▪ Segment: define a policy
▪ Control & Protect: everything
Reducing the attack surface
Fortinet Secure Access Approach (corporate Wi-Fi)
▪ Authenticate: captive portal, or 802.1X with RADIUS or a shared key
▪ Assign users and devices to their role
▪ Identify applications and destinations
▪ Apply policy to users and applications
▪ Examine traffic to remove threats
▪ Ensure business traffic has priority
▪ Report on policy violations, application usage, destinations and PCI DSS compliance
First Steps
Authentication
Wi-Fi security through the years: the original 802.11 standard (1997) with WEP protection; 802.11i (2004) with WPA2; and WPA3.
Secure Wireless LAN Guest Access
Temporary user provisioning and guest WLAN access
▪ Allow non-IT staff to create guest accounts via a web portal (sponsor model)
▪ Assign a time quota
▪ Generate a temporary password
▪ Distribute guest credentials by SMS
▪ Batch guest-user creation option
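The guest-provisioning feature list above, as an added example written for this page (it is not FortiAuthenticator, FortiGate or any other Fortinet code): a sponsor creates an account with a time quota, the temporary password comes from a CSPRNG, credentials are delivered out of band (the SMS gateway is a stub that records the message), accounts can be created in a batch, only a salted PBKDF2 hash is stored, and login enforces the expiry. The class and function names, the quota limit and the SMS wording are assumptions.

```python
"""Guest Wi-Fi account provisioning: example code written for this page, not
FortiAuthenticator, FortiGate or any other Fortinet component. A sponsor
(non-IT staff) creates a guest account, the account gets a time quota and a
randomly generated temporary password, the credentials go out over SMS (a
stub here) and accounts can be created in a batch. Only a salted PBKDF2 hash
of the password is stored, and login checks the expiry. Names, the quota
limit and the SMS text are assumptions."""
import hashlib
import hmac
import secrets
import string
import time

PASSWORD_ALPHABET = string.ascii_letters + string.digits  # easy to type from an SMS
PASSWORD_LENGTH = 10          # ~59 bits; adequate for an account that lives hours, not years
PBKDF2_ROUNDS = 100_000


def generate_temporary_password(length=PASSWORD_LENGTH):
    # secrets, never random: one guest must not be able to guess another's credential
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class GuestPortal:
    """Sponsor-driven guest provisioning with time quotas (constructed example)."""

    def __init__(self, max_quota_hours=24):
        self.max_quota_hours = max_quota_hours
        self.accounts = {}   # username -> dict(sponsor, salt, hash, expires_at, enabled)
        self.sent_sms = []   # (phone, message) captured instead of calling an SMS gateway

    def create_guest(self, sponsor, visitor_name, phone, quota_hours, now=None):
        """Create one guest account; returns (username, cleartext password).
        The cleartext exists only to be delivered to the guest; it is not stored."""
        now = time.time() if now is None else now
        if not 0 < quota_hours <= self.max_quota_hours:
            raise ValueError("time quota outside the range a sponsor may grant")
        username = "guest-" + secrets.token_hex(3)
        password = generate_temporary_password()
        salt = secrets.token_bytes(16)
        expires_at = now + quota_hours * 3600
        self.accounts[username] = {"sponsor": sponsor, "salt": salt,
                                   "hash": hash_password(password, salt),
                                   "expires_at": expires_at, "enabled": True}
        valid_until = time.strftime("%Y-%m-%d %H:%M UTC", time.gmtime(expires_at))
        self._send_sms(phone, f"Wi-Fi access for {visitor_name}: user {username}, "
                              f"password {password}, valid until {valid_until}")
        return username, password

    def create_batch(self, sponsor, visitors, quota_hours, now=None):
        """Batch creation: visitors is a list of (name, phone) tuples, same quota for all."""
        return [self.create_guest(sponsor, name, phone, quota_hours, now)
                for name, phone in visitors]

    def _send_sms(self, phone, message):
        self.sent_sms.append((phone, message))   # stub for the real SMS gateway

    def disable(self, username):
        self.accounts[username]["enabled"] = False

    def authenticate(self, username, password, now=None):
        """What the captive portal / RADIUS backend would run on login."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None or not acct["enabled"] or now >= acct["expires_at"]:
            return False
        # constant-time comparison of the stored and the recomputed hash
        return hmac.compare_digest(acct["hash"], hash_password(password, acct["salt"]))

    def expire_accounts(self, now=None):
        """Housekeeping: disable every account past its quota; returns the usernames."""
        now = time.time() if now is None else now
        expired = [u for u, a in self.accounts.items()
                   if a["enabled"] and now >= a["expires_at"]]
        for u in expired:
            self.disable(u)
        return expired
```

The quota is enforced twice on purpose: at login, so a stale account cannot be used even if the housekeeping job is late, and by `expire_accounts`, so the RADIUS or portal backend stops seeing the account at all. The cleartext password is returned only so the portal can hand it to the guest; nothing in the class logs or keeps it.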
Identification: same network, different profiles
Staff, managers, executives, visitors
Internal Segmentation
[Diagram: Internal Segmentation Firewalls (ISFW) placed throughout the internal network (100 Gbps+), between the data center, private cloud, branch office, home office and the edge gateway facing WAN, Internet and cloud; the edge gateway marks the external/internal boundary.]
Application & Bandwidth Control
Bandwidth Control
▪ Uses Layer-7 inspection
▪ Ensures business-critical applications are prioritized
▪ Ensures bandwidth allocation is fair
▪ Critical for optimization of WAN links
Fortinet Application Control Sensors
▪ Over 3,000 apps identified, in 16 categories
▪ Advanced IM & P2P control
▪ Application Control traffic shaping
▪ SSL content inspection
[Diagram: Client #1 and Client #2 connect through a FortiAP and FortiGate to the Internet; the priority app's traffic is shaped ahead of the non-priority apps.]
Visibility: Who, What, Where, When
[Diagram: a Live Inventory of Network Connections (LINC) across School 1, School 2 and School 3.]
Visibility
Central monitoring of the Fabric
Respond
Automated response to compromised devices
▪ How it works
» A device is detected as compromised by one element of the fabric
» Switches and APs can automatically quarantine the device at the access layer
▪ Why it's important
» Compromised IoT devices are no longer a threat to the wider network
» Guest devices (if infected) will be dealt with automatically
Security Fabric and NAC
Fabric elements: switch, firewall, access point, router, SIEM, IDS/IPS
Challenges
▪ Connected "things" on business networks
▪ Lack of network visibility
▪ Regulation & audit
Solution: FortiNAC (Network Sentry)
Protocols: SNMP, CLI, RADIUS, Syslog, API
Visibility: discover all endpoints
▪ Identify and profile every endpoint
▪ Multi-vendor wired & wireless connectivity
▪ Self-registration to simplify guest management
Control
▪ Automated authentication & authorization
▪ Dynamic network access control
▪ Enable network micro-segmentation
Automated Response
▪ Bridge the SOC & NOC
▪ Rapid security event triage
▪ Accelerate threat investigations
▪ Granular containment options
Visibility: Endpoint Identification
▪ Device classification
» Automatic or manual
▪ Sponsor notification
» Device type
» Confirm on connect
» Disable if confirmation fails
▪ 13 profiling methods
» More methods = higher trust
Continuous device profiling
Flow 1: a new printer
1. Printer connected to the network
2. MAC notification trap triggers FortiNAC
3. FortiNAC profiles the device as a printer
4. FortiNAC informs the Fabric to allow printer-type access to the network
Flow 2: containment of lateral threats at the edge
1. User brings an infected laptop to work
2. FGT (FortiGate) sends the event to FortiNAC
3. FortiNAC quarantines the laptop at the access layer
4. Virus contained at the switch node
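The two flows above, the "confirm on connect / disable if confirmation fails" and "more methods = higher trust" rules from the endpoint-identification slide, and the automated-response slide, as one added example written for this page (it is not FortiNAC code): several profiling methods vote on a device type when a switch reports a new MAC, the agreeing count is the trust score, a trusted profile maps to a VLAN, a firewall UTM event moves the device's access port into a quarantine VLAN, and a reconnecting device that no longer fingerprints as what it was gets its port shut. The OUI prefixes, DHCP vendor classes, hostname conventions, VLAN numbers and the key=value firewall log line are all constructed assumptions.

```python
"""Constructed NAC decision engine for the two flows above (example code written
for this page, not FortiNAC): profile an endpoint when the switch reports it,
map the profile to a VLAN, quarantine a device at its access port when the edge
firewall reports it as compromised, and disable the port when a reconnecting
device no longer fingerprints as what it was. The OUI prefixes, DHCP vendor
classes, VLAN numbers and the firewall log format are all assumptions."""
import re

# Assumed OUI prefixes and the device type each suggests (a real deployment
# loads the full IEEE OUI registry).
OUI_TYPE = {"00:1e:0b": "printer", "3c:2e:ff": "mobile", "b8:27:eb": "embedded"}
# Assumed DHCP vendor-class (option 60) strings.
DHCP_CLASS_TYPE = {"Hewlett-Packard JetDirect": "printer",
                   "MSFT 5.0": "windows-host",
                   "android-dhcp-8.0": "mobile"}
VLAN_FOR_TYPE = {"printer": 30, "windows-host": 10, "mobile": 20, "embedded": 40}
REGISTRATION_VLAN, QUARANTINE_VLAN = 99, 666
MIN_TRUST = 2   # profiling methods that must agree before a device is auto-classified


def method_oui(evt):
    return OUI_TYPE.get(evt["mac"][:8].lower())


def method_dhcp_class(evt):
    return DHCP_CLASS_TYPE.get(evt.get("dhcp_vendor_class", ""))


def method_hostname(evt):
    host = evt.get("hostname", "").lower()
    if host.startswith("npi"):              # assumed printer naming convention
        return "printer"
    if host.endswith(".corp.example"):      # assumed domain-joined host naming
        return "windows-host"
    return None


PROFILING_METHODS = (method_oui, method_dhcp_class, method_hostname)


def profile(evt):
    """Return (device_type, trust). trust = number of methods that agree ("more
    methods = higher trust"); disagreeing methods yield ("conflict", 0), which
    is never auto-classified."""
    verdicts = [m(evt) for m in PROFILING_METHODS]
    types = set(verdicts) - {None}
    if not types:
        return "unknown", 0
    if len(types) > 1:
        return "conflict", 0
    dtype = types.pop()
    return dtype, verdicts.count(dtype)


KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_firewall_log(line):
    """Parse a key=value syslog line (the format is constructed for this example)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


class Nac:
    def __init__(self):
        self.devices = {}   # mac -> {"type", "trust", "port", "quarantined"}
        self.ports = {}     # (switch, port) -> vlan, or None when the port is shut down
        self.actions = []   # audit trail of every change pushed to the fabric

    def _set_vlan(self, port, vlan, why):
        # In a real deployment this is where RADIUS CoA or a switch CLI/SNMP write happens.
        self.ports[port] = vlan
        self.actions.append((port, vlan, why))
        return vlan

    def on_connect(self, evt):
        """Flow 1: a MAC-notification trap from a switch. Returns the VLAN assigned."""
        mac = evt["mac"].lower()
        port = (evt["switch"], evt["port"])
        dtype, trust = profile(evt)
        known = self.devices.get(mac)
        if known and known.get("quarantined"):
            # Reconnecting must not clear a quarantine; only an operator release does.
            return self._set_vlan(port, QUARANTINE_VLAN, f"{mac} still quarantined")
        if known and known["trust"] >= MIN_TRUST and known["type"] != dtype:
            # "Confirm on connect" failed: the MAC we trusted as a printer now
            # fingerprints as something else (e.g. a laptop spoofing it). Disable.
            return self._set_vlan(port, None, f"disabled {mac}: was {known['type']}, now {dtype}")
        self.devices[mac] = {"type": dtype, "trust": trust, "port": port, "quarantined": False}
        if dtype in ("unknown", "conflict") or trust < MIN_TRUST:
            # Too little evidence: park in the registration VLAN for manual classification.
            return self._set_vlan(port, REGISTRATION_VLAN, f"{mac} pending ({dtype}, trust {trust})")
        return self._set_vlan(port, VLAN_FOR_TYPE[dtype], f"{mac} auto-classified {dtype} (trust {trust})")

    def on_firewall_event(self, line):
        """Flow 2: a UTM event from the edge firewall. Returns the quarantined port or None."""
        log = parse_firewall_log(line)
        if log.get("type") != "utm" or log.get("subtype") not in ("virus", "ips", "botnet"):
            return None
        dev = self.devices.get(log.get("srcmac", "").lower())
        if dev is None:
            return None   # MAC not seen at any access port: nothing to contain here
        dev["quarantined"] = True
        self._set_vlan(dev["port"], QUARANTINE_VLAN,
                       f"quarantine: {log['subtype']} event from {log.get('srcip')}")
        return dev["port"]

    def release(self, mac):
        """Operator clears a quarantine after remediation; the next connect re-profiles."""
        self.devices[mac.lower()]["quarantined"] = False
```

Two design points the flows on the slide leave implicit: a device with a single agreeing method never gets an automatic VLAN, it lands in the registration VLAN until a sponsor or admin confirms it, and a quarantine survives reconnects, so a laptop that is unplugged and plugged back in stays in VLAN 666 until `release` is called. The `_set_vlan` method is the single place where a real engine would talk to the fabric (RADIUS Change-of-Authorization, switch CLI or SNMP), which keeps the audit trail in `actions` complete.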
What else do we need
Education
Continuous Improvement