
The Fortinet Secured Network

Матенко Александр, 08.10.2015

© Copyright Fortinet Inc. All rights reserved.


About Company FORTINET

Fortinet is a global provider of network security appliances and the market leader in unified threat management (UTM).

Fortinet is headquartered in Sunnyvale, California, USA, and has offices around the world.

Fortinet was founded in 2000 by Ken Xie, a visionary and former president of NetScreen (which Juniper acquired in 2004).

The flagship of the Fortinet product line, the FortiGate security platform, combines hardware-accelerated performance, built-in protection against multiple threats, and a continuously updated system for in-depth threat analysis.

Complete Network Security Solution

MANAGEMENT: single point of management and reporting

PLATFORM
ENDPOINTS: device protection
ACCESS: secure access
SEGMENTATION: policies and zones
NETWORK: load balancing, DDoS
APPLICATION: email, malware, etc.

USERS, DATA

SECURITY

THREAT INTELLIGENCE

[Diagram: Fortinet products across the network. Zones: SECURITY OPERATING CENTER, DATA CENTER, LAN, REMOTE, MOBILE. Protected servers: DB Servers, App Servers, Mail Servers, Web Servers. Links: Site-to-site VPN, Remote VPN.]

• FortiCloud: Cloud based Mgmt.
• FortiAuthenticator: User ID Mgmt.
• FortiAnalyzer: Central Log & report
• FortiManager: Central Device mgmt.
• FortiSandBox: File Analysis
• FortiDB: DB Security
• FortiTester: Network Tester
• FortiExtender: 3G/4G WAN
• FortiTap: Network Tap
• FortiMail: Mail Security Gateway
• FortiWiFi: Secure WiFi Access
• FortiWAN: Link Load Balancer
• FortiGate: Security gateway
• FortiCache: Secure Web Caching server
• FortiSwitch: L2 Switching
• FortiAP: WiFi Access
• FortiRecorder: IP Cam. Recorder
• FortiVoice/FortiGateVoice: IP PBX
• FortiBridge: Failopen Device
• FortiWeb: Web App. Firewall
• FortiADC: Load Balancer
• FortiDDoS: L7 D/DOS Mitigator
• FortiToken: 2 Factor OTP Token
• FortiClient: Endpoint Security
• FortiCamera
• FortiFone

FortiGate Product Range

[Figure: FortiGate product range by performance and scalability]

Product Range: Entry Level, Mid Range, High End, Virtual Appliances
Series: 30-90 Series, 100-200 Series, 300-900 Series, 1000 Series, 3000 Series, 5000 Series, VM Series
Personality: UTM, NGFW/NGIPS, ISFW, DCFW/CCFW, CFW/VMFW
System: SoC, Multi Core CPU, NP, CP, Chassis
Performance: 1 Gbps, 10 Gbps, 10 Gbps - 50 Gbps, 50 Gbps - 1 Tbps, H/W Dependent
Software & Services: FortiGuard Security Services, FortiOS Operating System, FortiCare Support Services

Inside FortiOS

[Figure: FortiOS functional layers, top to bottom]

Integrations: ATP, OSS Support, AAA, Central Mgmt.
Management: Configuration, Visibility, Log & Report, Diagnostics
Security Functions: Anti-Malware, IPS, Application Control, Web Filtering, Email Filtering, Firewall, VPN, DLP, User & Device Identity, SSL inspection
Extensions: Wireless Controller, Switch Controller, Endpoint Manager, Token Server, Vulnerability Scanner
Virtual Systems: Virtual Domains
Network Functions: Routing, NAT/CGN, L2/Switching, High Availability, WAN Link / Server LB
Network Services: QoS, IPv6, Wan Optimization
Operating Modes: NAT/Route, Transparent, Sniffer
Network Interface: LAN, WiFi, WAN
Platform: Physical Appliance (+ASICS), Hypervisor, Cloud

* Features may vary by model


FortiGate 300D

Interfaces (numbered on the front panel):
1. 2x GE RJ45 Management Ports
2. 4x GE RJ45 Ports
3. 4x GE SFP Slots

Hardware
Firewall Throughput (1518/512/64): 8/8/8 Gbps
Firewall Latency: 3 μs
Concurrent Sessions: 6 Mil
New Sessions/Sec: 200,000
Firewall Policies (System/VDOM): 10,000
IPSec VPN Throughput: 7 Gbps
SSL-VPN Throughput: 350 Mbps

Performance
IPS Throughput: 2.8 Gbps
Antivirus Throughput (Proxy Based): 1.4 Gbps
Virtual Domains (Default / Max): 10 / 10
Max Number of FortiAPs (Total/Tunnel): 512 / 256
Max Number of FortiTokens: 1,000
Client-to-Gateway IPSec VPN Tunnels: 10,000
Concurrent SSL-VPN Users (Recommended Max): 500

FortiGate 5000-Series Bundles

Chassis-based platforms offer maximum performance, reliability, and scalability for high-speed service provider, large enterprise or telecommunications carrier networks.

Fastest chassis-based firewall in the industry

Flexibility enables protection of complex, multi-tenant cloud-based security-as-a-service and infrastructure-as-a-service environments.

FG-5060-Base FG-5060-Full FG 5144C-Base FG 5144C-Full

Firewall Throughput 160 Gbps 400 Gbps 160 Gbps 960 Gbps

Concurrent Sessions 46 Million 115 Million 46 Million 276 Million

New Sessions/Sec 1.13 Million 2.82 Million 1.13 Million 6.78 Million

IPS (HTTP) 36 Gbps 90 Gbps 36 Gbps 216 Gbps

* Based on sum of individual Security Blades, not as a controller-based system.

FortiOS Software Evolution

[Timeline: FortiOS releases and new key functionalities]

Releases: V 2.8 (2005), V 3.0 (2007), V 4.0 (2009/Q1), V 4.1 (2009/Q3), V 4.2 (2010/Q1), V 4.3 (2011/Q3), V 5.0 (2012/Q4), V 5.2 (2014/Q2)

New key functionalities, V 2.8 through V 4.3: Antispam, IM/P2P mgmt, SSL VPN, DLP, WAN Opt., SSL Proxy, App Control, Wireless ctrl, IPv6 UTM, SQL Logging, New GUI, Network VM, Token Server, ICAP

New key functionalities, V 5.0:
• Client reputation
• Sandbox integration
• Endpoint control
• Device based policy

New key functionalities, V 5.2:
• FortiView
• Deep Flow AV
• Software performance optimization

FortiAP Family

[Chart: FortiAP models positioned by deployment type and radio class]

Deployment types: Remote, Outdoor, Indoor
Classes: 3x3:3 (Resiliency and Versatility), 2x2:2 (Performance), 1x1:1 (Value); Dual Radio Dual Band, Single Radio
802.11ac models: FAP-320C, FAP-321C, FAP-222C, FAP-221/223C
Other models: FAP-320B, FAP-224D, FAP-222B, FAP-221/223B, FAP-28C, FAP-25D, FAP-24D, FAP-21D, FAP-210B, FAP-14C, FAP-112D, FAP-11C, FAP-112B

FortiAP 221/223C

• 1 x GE RJ45 Interface

Hardware
Target Environment: Indoor
Number of Antenna: 221C: 4 Internal; 223C: 4 External
Number of Radio: 2
Tx / RX Stream (802.11n): 2x2 MIMO with Dual Spatial streams, 1167 Mbps Total

Performance
Simultaneous SSIDs: 8 (7 for client access, 1 for monitoring)
Max Transmission Power: 17 dBm (50mW)
PoE Support: 802.3af

FortiAP 222C

• 1 x GE RJ45 Interface

Hardware
Target Environment: Outdoor
Number of Antenna: 4 External
Number of Radio: 2
Tx / RX Stream (802.11n): 2x2 MIMO with 2 spatial streams, 1167 Mbps Total

Performance
Simultaneous SSIDs: 16 (14 for client access, 2 for monitoring)
Max Transmission Power: 26dBm (398mW)
PoE Support: 802.3at & proprietary

Overview FortiSwitch

Access level Gigabit Switches with ease of use and low cost of ownership

Outstanding price, performance, and scalability to organizations with diverse operational needs.

Primary Benefits:
✓ High Port Density
✓ Integrated Power Over Ethernet
✓ Connect Access Points, Peripherals, Cameras, Phones
✓ Create an integrated, secure network

Models: FSW-28C, FSW-80-POE, FSW-124B-POE, FSW-224B-POE, FSW-324-POE, FSW-348B, FSW-448B

Overview FortiClient

Comprehensive end-point protection & security enforcement

Multifunctional Host Security
• Flexibility in deployment
• Fully integrated features, reduce needs for multiple client solutions

End Point Control
• Enforce compliance and security policies on mobile hosts

Centralized Logging and Reporting
• Via FortiGate for enterprise requirements

Overview FortiToken

OATH Compliant Time Based Hardware One Time Password Token

Supports Strong Authentication
• IPSEC VPN
• SSL VPN
• Administrative Login
• Captive Web Portal
• 802.1x Authentication
• Web Application Access
• SSO

Authentication Platforms
• FortiGate (FOS4.3 and later)
• FortiAuthenticator (FAC 1.4 and later)

Secure Seed Delivery Options
• Online Via FortiGuard
• Encrypted file on CD (FTK-200S)
• In-house Seed Provisioning Tool (special order)

Overview FortiAnalyzer

Logging, reporting and analysis from multiple Fortinet devices

Aggregated Logging
• Singular View of all Fortinet Devices
• Built-in Content Archiving
• Malicious File Quarantine

Centralized Reporting
• Predefined Summary & Device Reports
• Hundreds of Customizable Charts & Graphs

Analysis & Event Correlation
• Vulnerability Assessment
• Network & Log Analysis

Scalable Solution
• Hardware and VM Versions Available
• Collector/Analyzer Modes for Large Deployments
• High Performance Logs/Sec Processing
• Support for Internal or External SQL Databases

Overview FortiManager

Tools that effectively manage any size Fortinet security infrastructure, from a few to thousands of appliances

Administrative Domains (ADOMs)
• Enables the primary ‘admin’ to create Virtual Management Domains containing devices for other administrators to monitor and manage

Hierarchical Objects & Policy Management
• Create Global Objects and Policies
• Assign to ADOM or groups of ADOMs
• Create device configuration templates to quickly configure a new Fortinet appliance

Web Portal SDK
• JSON-based API allows MSSPs to offer administrative web portals to customers

Locally Hosted Security Content
• Allows administrators better control over security content updates and provides improved response time for rating databases.
• Run a local copy of AV, IPS, URL, A/S signature databases.*

* Capabilities vary by model

Overview FortiMonitor

Unified event correlation and risk management for modern networks

Unified Risk Management Solution
• Log collection with enterprise performance
• Correlation automatically determines priority threats
• Assess your network’s Key Risk Indicators
• Manage host assets critical to your network
• Schedule regular vulnerability scans
• Visualize your holistic security with dashboards and reports

Overview FortiSandbox

Advanced Threat Protection solution designed to identify and thwart highly targeted and tailored attacks

Advanced Threat Protection
• Multi-layered filtering with Code Emulator, AV engine, Cloud query and Virtual OS sandbox
• Handles multiple file types, including files that are encrypted or obfuscated
• Examines files from various protocols, including those that use SSL encryption

Flexible Operation Modes
• Receives file samples through integration with FortiGate/FortiMail, sniffer mode and manual file uploads
• Captures files from remote locations using deployed FortiGates

Monitoring and Reporting
• Detailed analysis reports and real-time monitoring and alerting

[Diagram steps: 1 File Submission, 2 Centralized File Analysis, 3 Malicious Analysis output, 4 Latest AV Signature Update]

Overview FortiDDoS

Hardware Accelerated DDoS Intent Based Defense

Rate Based Detection
• High performance protection using ASIC

Self Learning Baseline
• Ease of maintenance
• Maintain appropriate protection dynamically

Signature Free Defense
• Hardware based protection

Inline Full Transparent Mode
• No MAC address changes

Granular Protection
• Multiple thresholds to detect subtle changes and provide rapid mitigation

[Diagram labels: ISP 1, ISP 2, FortiDDoS, Firewall, Web Hosting Center, Legitimate Traffic, Malicious Traffic]

Introducing FortiMail

Advanced anti-spam and antivirus filtering solution, with extensive quarantine and archiving capabilities.

Specialized messaging security system
• Advanced, bi-directional filtering prevents spread of spam, viruses, phishing, worms, and spyware

Flexible deployment options
• Transparent, Gateway, and Server modes that adapt to organizational needs and budget

Identity based encryption
• Secure, encrypted communication

Email archiving
• On-box archiving facilitates policy and regulatory compliance requirements

[Diagram labels: Mail Servers, FortiMail]

Introducing FortiWeb

Web application firewall to protect, balance, and accelerate web applications.

Web Application Firewall
• Aids in PCI DSS 6.6 compliance
• Protection against OWASP Top 10
• Application layer DDoS protection
• Auto Learn security profiles
• Geo IP data analysis and security

Web Vulnerability Scanner
• Scans, analyzes and detects web application vulnerabilities

Application Delivery
• Assures availability and accelerates performance of critical web applications

[Diagram labels: Web Application Servers, FortiWeb, SQL Injection, XSS…]

Introducing FortiDB

Database Activity Monitoring and Vulnerability Assessment solution

Database Activity Monitoring (DAM)
• Real-time monitoring of key users and critical transactions
• User activity baselining
• Block database attacks in real time

Vulnerability Assessment
• Sensitive data discovery in databases
• Vulnerability scanning with remediation advice

Policy Driven Controls
• Automated process of establishing IT controls

Database Audit and Compliance
• For compliance and forensic analysis purposes

Deployment options: Sniffer, Native Audit and Agents

[Diagram labels: FortiDB, Database Servers]

Introducing FortiTester

Network performance tester that aids in infrastructure optimization and configuration validation

• Affordable appliance that provides low TCO
• Ability to run 8 types of network performance tests
  • Connections (TCP)
  • Throughput (TCP)
  • PPS (UDP)
  • CPS (HTTP/HTTPS)
  • RPS (HTTP/HTTPS)
  • CAPWAP throughput
• Easy-to-use web-based UI
  • History Viewer
  • Case Profiles

Virtual Appliance Platforms

Platforms (table columns):
• VMware: vSphere v4.x, vSphere v5.x, vSphere v6.0
• Citrix: Xen Server v5.6 SP2, Xen Server v6.0
• Open Source: Xen, KVM
• Amazon: AWS
• Microsoft: Hyper-V 2008 R2, Hyper-V 2012, Azure

Virtual Appliance (table rows):

FortiGate-VM* ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ** ✔ ✔ ✔

FortiManager-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

FortiAnalyzer-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ** ✔ ✔

FortiWeb-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

FortiMail-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔

FortiAuthenticator-VM ✔ ✔ ✔ ✔

FortiADC-VM ✔

FortiCache-VM ✔ ✔

FortiVoice-VM ✔ ✔ ✔ ✔ ✔

FortiRecorder-VM ✔ ✔ ✔ ✔ ✔

FortiSandbox-VM 5.1, 5.5

* Also as FortiGate-VMX for VMware NSX
** Also available as pay-as-you-go licensing option
