How to offer integrated security services to corporate and individual customers
Fortinet Confidential
March 4, 2012
Agenda
1. Fortinet as a corporation
2. Individual services for businesses – FortiGate
3. Individual services for subscribers – FortiGate
4. E-mail protection services – FortiMail
Fortinet as a corporation
• Founded in 2000
• Global presence with 30+ offices worldwide and 1,500+ employees
– 5,000+ partners
– 100,000+ customers
– Most of the Fortune Global 100
• IPO in November 2009
• NASDAQ: FTNT
• 2010 revenue: $325 million
– 29% YoY growth
Figure: Fortinet Revenue ($MM), annual bars through 2010: $13, $39, $80, $123, $155, $212, $252, $325
The Next-Generation Firewall concept
The Fortinet Solution
• Real-time, integrated security intelligence
• ASIC-accelerated performance
• Lower total cost of ownership
• Easy to deploy / manage / use
Traditional Network Security Solutions
• Stand-alone, non-integrated security
• Mix of off-the-shelf systems and applications
• Higher total cost of ownership
• Difficult to deploy / manage / use
Fortinet – leader in the integrated security market
Worldwide UTM Market Share, Q4 2010 (1)
Rank  Company      Market Share (%)
1     Fortinet     16.2
2     Check Point  11.8
3     Juniper       8.4
4     Cisco         6.6
5     SonicWALL     7.8
6     McAfee        6.3
7     WatchGuard    5.2
8     Crossbeam     2.6
9     Other        35.1
      Total       100.0
Figure: Magic Quadrant for Unified Threat Management (2)
Figure: UTM Market Competitive Landscape, 2009 (3) (axes: Market Penetration, Low to High, vs. Ability to Deliver, Low to High; tiers: Niche Participant, Specialist, Contender, Challenger, Market Leader)
Notes
(1) IDC Worldwide Security Appliances Tracker, March 2011 (market share based on factory revenue)
(2) Gartner, Inc., “Magic Quadrant for Unified Threat Management”, October 2010
(3) Frost & Sullivan, “World Unified Threat Management, Products Market 2009”, 2010
Fortinet – “end to end” security portfolio
Unified Threat Management
• FortiGate – Network Security Platform
• FortiAP – Secure Wireless Access
Centralized Management
• FortiManager – Centralized Device Management
• FortiAnalyzer – Centralized Logging and Reporting
Application Security
• FortiMail – Messaging Security
• FortiWeb – Web Application Firewall
Data & System Security
• FortiDB – Database Security
• FortiScan – Vulnerability Management
Endpoint Security
• FortiClient – Endpoint Security
Security Services
• FortiGuard – Real-time Security Services
Remote Access Management
• FortiAuthenticator
Fortinet – network products
Failover Protection
• FortiBridge – Fail-to-Wire Bypass
Application Load Balancing
• FortiBalancer – Application Delivery Controllers
Web Caching
• FortiCache – ISP & Enterprise-Class Content Caching
Ethernet Switches
• FortiSwitch – Gigabit Ethernet Switches
VoIP & Analog Telephony
Complete content protection
• Application control, identity-based policy enforcement, defense in depth
– Allow but don’t trust any application
– Examine all content
– Continuously enforce policies
Specialized FortiASIC processors
• FortiASIC Content Processor (CP) Series
» Pattern-Match Acceleration
» Encryption / Decryption (e.g. IPSec, SSL-TLS)
• FortiASIC Network Processor (NP) Series
» Firewall Acceleration
» IPSec VPN Acceleration
• FortiASIC Security Processor (SP) Series
» Additional IPS Acceleration
» Unicast, Multicast Acceleration
FortiOS
• Fully Integrated Technologies
» Manage all policy enforcement from a central console
• Single Inspection of Packets
» Delivers greater efficiency and intelligence
• Deployment Ease & Flexibility
» Same console for all FortiGate platforms, all technologies
» Ability to deploy technologies where needed
» IPv6 Ready
FortiGate network gateways
• Integrated security appliance
− Block network & content threats
• Accelerated performance
− 10 GbE support
− Up to 120 Gbps (appliance)
− Up to 480 Gbps (chassis)
• Platforms for every market segment
− Carrier to SOHO
− No per-user licensing
Global customer base
7 of the top 10 Fortune companies in Americas
8 of the top 10 Fortune companies in EMEA
9 of the top 10 Fortune companies in APAC
10 of the top 10 Fortune Telecommunications companies
9 of the top 10 Fortune Retail & Commercial Banks
7 of top 10 Fortune Aerospace & Defense
Fortinet – a reliable partner
• Proven Industry Leadership
− Since 2000, Fortinet has received more than 100 product & company awards.
▪ IDC: Overall leader in UTM factory revenue for all of 2009
▪ Gartner: Leader in Unified Threat Management Magic Quadrant
▪ Frost & Sullivan: 2010 "Fortinet is the established and undisputed leader" of worldwide UTM market
▪ SC Magazine: 2009 Readers' Trust Award for "Best Integrated Security Solution”
• Certified security
− Five ICSA certifications (Firewall, AV, IPS, IPSec VPN, SSL VPN, Anti-Spam, WAF)
− Government Certifications (FIPS-2, Common Criteria EAL4+, JITC IPv6, SCAP)
− ISO 9001 certification
FortiGuard network services
Real-Time Security Protection – Global Distributed Network
• 100+ threat research professionals
• Eight global locations
• Automated updates to Fortinet customers
• Global software updates
• Large knowledgebase of security
• 8 million antivirus signatures, 90 million URLs for Web filtering
Robust 24 x 7 x 365 Real-Time Global Intelligence (1)
Note
(1) Data as of September 30, 2009
2. Individual services for businesses – FortiGate
Solutions for operators
Two discrete solutions for Service Providers:
1. Protecting the Service Provider’s Infrastructure
2. Protecting the customer (Managed Security Service Provider)
Figure: subscriber networks attached through a mobile network (GGSN) and fixed access (BRAS), with a RADIUS server
Management in “cloud”-type services
Figure: management architecture. Customer-facing side: Provisioning, Billing, Self Service Portal, Network, Device Group, JSON API, XML API / GUI, MGMT, CUSTOMERS. Operations side (NOC / SOC): Troubleshooting, Monitoring, Portal, Network, Device Group, XML API, CLI / SNMP / GUI, LOG / ARCHIVE, QUARANTINE, GUI.
3. Individual services for subscribers – FortiGate
Dynamic Security Profiles
• Applies to two key target service provider markets
» Managed Security and Mobile
• Allows user “Self-Service” automation
» RADIUS Accounting Record attributes used to create a context for a source IP address
» Context can associate IP address with any other RADIUS attribute
• Username, MSISDN, Service Name
» Protection Profile also extracted from the RADIUS record
» Assumes an authentication event has occurred within the Carrier’s network
• Typical in both fixed (DSL) and mobile environments
Figure: RADIUS server sends a RADIUS Accounting Message → Dynamic Policy Created on the FortiGate; Portal server performs Portal Provisioning
Dynamic protection profiles
• RADIUS Record definition is flexible
» Must include a Framed-IP-Address
» Other attributes are standard and correspond to those defined on the FortiGate
» Optional Secret, and acknowledgement
» Configurable Port number
• End Point Context Created
» Links IP address to an end point identifier and Protection Profile
Figure: RADIUS RECORD (8) Framed-IP-Address, (31) Calling-Station-Id, (25) PROFILE=CHILD → End Point Context: End Point, IP address, Protection Profile
Dynamic protection profiles – performance optimization
• Service is defined as a Protection Profile
» URL Filtering, Antivirus, IPS, Application Control, Antispam
• RADIUS Accounting Records are processed
» Optionally encrypted and acknowledged
» Looking to create an end point context
• Protection Profile in RADIUS record identifies that service is required for an end point
» If no Protection Profile is found for the IP Flow:
• Session is transferred to firewall fast path in FortiASIC NP
» If a Protection Profile is found, service is applied
• Log and reporting messages include end point as well as IP flow information
Figure: RADIUS RECORD (8) Framed-IP-Address, (31) Calling-Station-Id, (25) PROFILE=CHILD
Dynamic protection profiles – Group Profile Override*
• Authenticated bypass of the Service Restrictions
• Option to override provided as part of block page
• Changing / Overriding Service via Self-servicing
• User can authenticate to a higher (or lower) level
• Time based override
Figure: DSL+3G subscriber requests www.badsite.com and receives the block page with an override option
Dynamic protection profiles – Self provisioning
• Per end-point Black / White List
» End points (users) can have their own black / white list
» No requirement for end user to access FortiGate infrastructure
• Can be populated on Self Service Portal
• Dynamically configured on FortiGate as end points attach
» RADIUS VSA Extension, no fixed limit for URLs
Figure: DSL+3G subscriber, Self Service Portal, www.badsite.com
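As an added example (not Fortinet's code and not a description of FortiOS internals), the Python below walks through the flow the last few slides describe: a RADIUS Accounting-Request is decoded, an end-point context keyed on Framed-IP-Address is created on Acct-Start and torn down on Acct-Stop, the protection profile is read from attribute 25 (the RADIUS Class attribute, where the slide's PROFILE=CHILD sits), per-end-point black/white list URLs are read from Vendor-Specific attributes, and a new flow is sent to the fast path when no profile exists or to inspection otherwise. The packet builder, the sample records, the MSISDN-style station id and the VSA sub-attribute numbers 201/202 are constructed assumptions; the Fortinet enterprise number 12356 is the real IANA assignment.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Optional

# Standard RADIUS attribute types (RFC 2865/2866) the slides rely on
FRAMED_IP_ADDRESS, CLASS, VENDOR_SPECIFIC = 8, 25, 26   # "(25) PROFILE=CHILD" travels in Class
CALLING_STATION_ID, ACCT_STATUS_TYPE = 31, 40
ACCT_START, ACCT_STOP = 1, 2
FORTINET_VENDOR_ID = 12356                              # Fortinet's IANA enterprise number
VSA_URL_BLACK, VSA_URL_WHITE = 201, 202                 # hypothetical VSA sub-attributes (assumption)

@dataclass
class EndpointContext:
    ip: str
    endpoint_id: str                 # e.g. MSISDN from Calling-Station-Id
    profile: Optional[str]           # protection profile name; None if the record carried none
    blacklist: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)

def parse_attributes(data: bytes):
    """Walk RADIUS attribute TLVs: type(1) length(1, includes the header) value."""
    attrs, pos = [], 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def context_from_accounting(packet: bytes):
    """Decode an Accounting-Request into (status, EndpointContext); None without Framed-IP-Address."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or length != len(packet):                        # 4 = Accounting-Request
        raise ValueError("not a well-formed Accounting-Request")
    status = ip = station = profile = None
    black, white = set(), set()
    for atype, value in parse_attributes(packet[20:length]):   # 20 = header + 16-byte authenticator
        if atype == ACCT_STATUS_TYPE:
            status = struct.unpack("!I", value)[0]
        elif atype == FRAMED_IP_ADDRESS:
            ip = str(ipaddress.IPv4Address(value))
        elif atype == CALLING_STATION_ID:
            station = value.decode()
        elif atype == CLASS and value.startswith(b"PROFILE="):
            profile = value[len(b"PROFILE="):].decode()
        elif atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == FORTINET_VENDOR_ID:
            for sub, sval in parse_attributes(value[4:]):      # vendor sub-attributes are TLVs too
                if sub == VSA_URL_BLACK:
                    black.add(sval.decode())
                elif sub == VSA_URL_WHITE:
                    white.add(sval.decode())
    if ip is None or status is None:   # the slide's hard requirement: Framed-IP-Address must be present
        return None
    return status, EndpointContext(ip, station or ip, profile, black, white)

class ContextTable:  # end-point contexts keyed on source IP: created on Acct-Start, torn down on Acct-Stop
    def __init__(self):
        self.by_ip = {}

    def process_accounting(self, packet: bytes):
        parsed = context_from_accounting(packet)
        if parsed is None:
            return None
        status, ctx = parsed
        if status == ACCT_START:
            self.by_ip[ctx.ip] = ctx
        elif status == ACCT_STOP:
            self.by_ip.pop(ctx.ip, None)
        return ctx

    def dispatch(self, src_ip: str, url_host: str) -> str:
        ctx = self.by_ip.get(src_ip)
        if ctx is None or ctx.profile is None:
            return "fastpath"              # no protection profile: session goes to the NP fast path
        if url_host in ctx.whitelist:
            return "allow"                 # per-end-point lists are checked before the profile
        if url_host in ctx.blacklist:
            return "block"
        return f"inspect:{ctx.profile}"    # full UTM inspection with the named profile

# Constructed sample records: the builder and every value below are test fixtures, not carrier data
def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def build_accounting(status, ip, station, profile=None, black=(), white=()) -> bytes:
    body = _attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
    if ip is not None:
        body += _attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed)
    body += _attr(CALLING_STATION_ID, station.encode())
    if profile:
        body += _attr(CLASS, f"PROFILE={profile}".encode())
    for sub, urls in ((VSA_URL_BLACK, black), (VSA_URL_WHITE, white)):
        for url in urls:
            body += _attr(VENDOR_SPECIFIC, struct.pack("!I", FORTINET_VENDOR_ID) + _attr(sub, url.encode()))
    header = struct.pack("!BBH", 4, 1, 20 + len(body)) + bytes(16)   # zero authenticator: sample only
    return header + body
```

The point to take from the sketch is the trust boundary: the FortiGate side acts on whatever the accounting feed says, so the record source, the optional shared secret and acknowledgement mentioned on the slide are what keep an unauthenticated RADIUS packet from moving a subscriber to another profile.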
Individual Firewall
Controlled access to local resources
Only authorized mobile or Internet users can access specific network resources:
• Web cameras
• File servers
• Remote control of garden equipment
Figure: GGSN, RADIUS server / Policy server, Web Portal, FortiAuthenticator, local resources
Individual Firewall
• Applies to two key target service provider markets
» Managed Security and Mobile
• Allows user “Self-Service” automation
» RADIUS Accounting Record attributes used to create a context for a source IP address
» Context can associate IP address with any other attributes
• Username, Groupname
» IP/User/Group context is pushed into FortiGate Identity based Policy
» Assumes an authentication event has occurred within the Carrier’s network
• Typical in both fixed (DSL) and mobile environments
Figure: RADIUS server sends a RADIUS Accounting Message → Dynamic Policy Created; Portal server performs Provisioning; DSL+3G subscribers
SSO policy
Authorization data on the FortiGate side
FWF60B (root) # diagnose debug authd fsso list
----FSSO logons----
IP: 192.168.1.109 User: SSOMASTER1 Groups: SSOMASTER
IP: 192.168.1.110 User: SSOFTPU1 Groups: SSOFTPGR
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
FWF60B (root) # diagnose firewall auth list
policy id: 3, src: 192.168.1.110, action: accept, timeout: 254
user: SSOFTPU1, group: SSOFTPGR
flag (180020): auth timeout_ext fsso, flag2 (40): exact
group id: 7
policy id: 3, src: 192.168.1.109, action: accept, timeout: 69
user: SSOMASTER1, group: SSOMASTER
flag (180020): auth timeout_ext fsso, flag2 (40): exact
group id: 8
----- 2 listed, 0 filtered ------
FWF60B (root) #
Business benefits
• Firewall and UTM services for subscribers
• AntiVirus
• IPS
• Application Control
• URL filtering
• Possibility to apply NAT
• Only authorized external users can access specific resources
• Alice can only access Bob’s webcam
• John can access Bob’s webcam and fileserver
4. E-mail protection services – FortiMail
Hosted e-mail services
The MSSP delivers mail services (AV/AS) to business customers. It implements front-end MTAs to host enterprise MX records and filter incoming and, eventually, outgoing e-mail. The MSSP may be an ISP; the ISP may deliver managed services to enterprises connected outside of its network.
Figure: consumer fixed connections, mobile (3G, WiFi hotspots) and enterprise fixed connections; MUAs and MTAs in the ISP network; hosted services for customers; the Internet with domain.com and the enterprise mail server (MX: company.com); in/out mail flow
Business goal: minimizing capex and opex
The MSSP handles multiple thousands of domains and customer environments.
1. Management is a challenge. Provisioning and configuration flexibility are key elements.
2. Cost efficiency for high profitability and fast ROI is a major concern.
3. Future proofing: easily enrolling new features without adding new devices.
➡ LDAP/SQL support for customer provisioning, role-based management and tiered administration are key differentiators of FortiMail.
➡ No user licences, predictable and competitive appliance cost.
➡ Single appliance as the target for any future development. All-in-one approach.
Figure: same hosted-services topology as the previous slide (consumer fixed connections, mobile 3G / WiFi hotspots, enterprise fixed connections, ISP network MTAs, hosted services, Internet, domain.com, MX: company.com)
Risk mitigation: IP address blacklisting
1. Infected computers are controlled by botnets and send out spam.
2. The IP address is identified as a source of spam and blacklisted: either the sender IP address, if the computer has received a public IP, or the IP address of the firewall (NAT operation).
3. When processing an incoming session,
4. the recipient MTA queries a DNSBL database.
5. The session is rejected by the MTA as the source IP address is a listed spamming IP.
• Impacted: the infected subscriber when sending legitimate e-mail + any subscriber that would later be assigned the same IP + any subscriber NATed behind the firewall IP.
Figure: residential and business connections, 3G, WiFi hotspots and enterprise users in the ISP network; legitimate outgoing mail flow and outgoing spam towards the Internet (domain.com MTA, hosted services, customers’ mail server); DNS query to the DNSBL; steps 1–5 marked on the diagram
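As an added example, not from the slide deck, the Python below shows the DNSBL check the recipient MTA performs in step 4 and why one listed NAT address takes several subscribers with it; an operator can run the same lookup against its own egress addresses to notice a listing before customers do. The zone name dnsbl.example.net, its contents and the subscriber table are constructed; the reversed-octet (IPv4) and reversed-nibble (IPv6) query encoding and the 127.0.0.0/8 answer convention are the standard ones from RFC 5782.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

DNSBL_ZONE = "dnsbl.example.net"   # constructed list name (assumption)

# Constructed answers the way a DNSBL publishes them: an A record in 127.0.0.0/8 means "listed".
# 203.0.113.7 plays the NAT egress address of the ISP's subscriber pool from the slide.
SAMPLE_ZONE: Dict[str, str] = {
    "7.113.0.203.dnsbl.example.net": "127.0.0.2",
}

def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """RFC 5782 encoding: reversed octets for IPv4, reversed hex nibbles for IPv6, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def smtp_connect_decision(src_ip: str, zone: str = DNSBL_ZONE,
                          resolve: Callable[[str], Optional[str]] = SAMPLE_ZONE.get) -> str:
    """Steps 4 and 5 on the slide: the recipient MTA looks the connecting IP up and rejects if listed."""
    answer = resolve(dnsbl_query_name(src_ip, zone))
    if answer is None:
        return "accept"                      # NXDOMAIN: not listed
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        return "accept"                      # not a list answer (wildcard or broken zone): do not block on it
    return f"reject 554 ({src_ip} listed, code {answer})"

def impacted_subscribers(subscribers: Dict[str, str], zone: str = DNSBL_ZONE,
                         resolve: Callable[[str], Optional[str]] = SAMPLE_ZONE.get) -> List[str]:
    """Subscribers whose outbound mail is refused: everyone sharing a listed egress IP, not only the bot."""
    return [name for name, egress in subscribers.items()
            if smtp_connect_decision(egress, zone, resolve) != "accept"]

# Constructed subscriber table: three customers NATed behind 203.0.113.7, one business with its own public IP
SUBSCRIBERS = {
    "infected-pc": "203.0.113.7",
    "home-user-a": "203.0.113.7",
    "small-office": "203.0.113.7",
    "business-static": "203.0.113.40",
}
```

In production the `resolve` callable would be a real DNS A lookup against the list zone; keeping it injectable is what lets the logic be exercised offline and lets a monitoring job swap in a resolver that records which of the operator's own addresses are currently listed.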
Eliminating the blacklisting risk
FortiMail transparently intercepts sessions regardless of destination MTAs. It does not require any new configuration on the subscriber side and stays invisible from the Internet. It is able to track activity and statistics based on subscriber ID# and not only IPs. It is able to calculate subscriber reputation and automatically alert or block offending users. It would not queue mail if the destination MTA is not available.
→ FML does not interfere in the SMTP negotiation (AUTH).
→ FML does not modify the destination IP address of the client sessions.
→ FML does not modify the source IP address of the client.
→ It does not add any header to the mail.
Figure: outgoing mail flow from consumers (3G, WiFi) and enterprises through the ISP outgoing relay to outgoing mail servers (corporate or Google / Yahoo / Hotmail…), the isp.com mail server, and Internet MTAs (domain.com, hosted services, customers’ mail server)
Questions