1 © Copyright 2013 Fortinet Inc. All rights reserved. Fortinet @ Data Connectors Securing the Elastic Data Centre Rafi Wanounou – Systems Engineering Manager [email protected] +1.416.907.2096


Agenda

• Fortinet Introduction
• Threats to the Data Centre
• APTs
• BYOD
• Virtual Workloads; Clouds; Commodity Clouds
• NGFW – Apps and more Apps…
• Just a little bragging
• Q&A


Fortinet Corporate Overview

[Chart: FORTINET REVENUE ($MM), 03–11; 48% CAGR]

Market Leader
• UTM - Fast-growth security segment

Advanced technology and products
• 95+ patents; 115+ pending

Strong global footprint
• 1,900+ employees; 30 offices worldwide

Blue chip customer base
• 100,000 customers (incl. majority of Global 100)

Exceptional financial model
• FY12 revenues: $534M (24% YoY growth)
• Q412 revenues: $155M (25% YoY growth)
• Strong balance sheet: $650M+ in cash; no debt
• IPO - November 2009


Threats to the Data Centre

• APTs and other sophisticated multi-faceted attacks against applications.
• Targeted precision strikes – adversaries with customized weapons.
• Virtual workloads in motion
• Unmanaged devices with corporate information present
• The application explosion and what to do with them all?


APTs – So-Called Advanced Persistent Threats

• Adversaries with specific goals and objectives.
• Custom payloads and weapons designed for a targeted strike.
• Can enter via any medium: email, web, unmanaged device, USB key (Stuxnet).
• Adversaries have a well-established target and map of the data centre.
• Traditional tools such as desktop AV are becoming of less and less value.
• Advanced recon is being performed to evade victim-specific defenses.


Misconception #1

More Signatures = Higher Protection

Reality: # Sigs actually decreasing through consolidation
• VB RAP Score > 90%
• 1 sig / multiple variants


Misconception #2

Antivirus Engines are just Pattern Matching

Reality: Fortinet AVEN is highly intelligent, does local ‘Sandbox’
• Dynamic decryption & execution environment
• Example: Botnet server zombie downloads
• After decrypt: CPRL matching + behavior analysis


Misconception #3

Sandboxing is the answer to APT

Reality: Malware is VM environment aware -- “VM Evasion”
• Fortigate AVEN does not use regular VM hooks
• Even when effective to identify malware, technique still relies on regular pattern matching signatures.
• DEAD DATA! – No Feedback Loop!!!!


The Value of FortiGuard

Suspicious samples sent to cloud

Then sandboxed in cloud

Results are correlated
• All FortiGuard services
• Including AV

Updates then soon available

FortiGuard Analytics – Harness the Cloud


APTs – So-Called Advanced Persistent Threats

1. New “APT Focused” products are point solutions that are costly and only focus on common ingress points.

2. Fortinet offers complete APT solutions on branch appliances – the only vendor to do this today.

3. The only Tier 1 vendor to provide a complete layered defense in all of our devices.


BYOD

1. Unmanaged devices rampant in enterprises.

2. Recently a large Fortinet customer in Toronto discovered over 75 Mac Minis, 50 Xboxes and 100 Magic Jacks in their network (most hidden in locked drawers).

3. MDM a failing technology – you do not have root access to an Android or Apple device.

4. Users at all levels putting pressure on IT to support personal devices.

5. Becoming a human resource issue – people refusing to work if access unavailable for personal devices.


BYOD Enablement through Network Security

Emily, a customer, needs guest access to Skype on her iPad while visiting your headquarters

Bill’s device is infected with malware and he brings it on the corporate network

Jill is at Starbucks and needs to communicate and be protected as if she was at HQ.

WiFi Guest Access, Bandwidth Management

2-Factor Authentication, VPN Tunneling

Antivirus


BYOD Enablement through Network Security

Sue is in corporate marketing and should have access to post non-sensitive information to Facebook, but she should not be playing Farmville

Joe started streaming movies while at work through his tablet – this is against corporate policy

Application Control, Data Leakage Prevention

Application Control

Ed unintentionally shared a sensitive company presentation via his personal Gmail account on his Android Phone.

Data Leakage Prevention


Protecting ALL BYOD Attack Vectors

Email Sent – Contains Sensitive Data

Mail message detected as Data Loss (DLP)

User accesses phishing site, enters credentials

Access to phishing website is blocked

Phishing site sends Bot infection to user disguised as ‘Security Update’ application

Content scanning prevents download

End user executes malware, is infected and now all their data is compromised

Malicious activity is detected and blocked


Virtual Workloads; Clouds; Commodity Clouds

Wow how things have changed in the past 12 months!

1. Traditional private cloud – Most common use of cloud and virtualization; numbers don’t lie – consolidation is king to driving down costs.

2. Public Cloud – Services 100% hosted and managed in the cloud; Salesforce.com, Cloudflare, Incapsula, etc.

3. Public/Private clouds where certain portions may be controlled by a third party. Includes traditional managed services like MS Exchange, web and email hosting.


Virtual Workloads; Clouds; Commodity Clouds

4. Virtual Private Clouds – Virtual slices of service are delivered and managed over a private VPN connection. i.e. Amazon S3, Rackspace Cloud, Bell, Telus, Clouds. Now includes voice services like SIP – traditional voice lines dying a slow death.

5. Directly Connected Clouds – Enterprises directly connected to virtual clouds containing millions of machines where resources are rented or spawned on demand. 10G and higher connections to replace intense enterprise workloads. i.e. Amazon direct connect.

6. Cloud Based resiliency and GSLB – Traditional infrastructure services being pushed out to the cloud.


Virtual Workloads; Clouds; Commodity Clouds

7. Internal Infrastructure Managed in the Cloud – Management consoles for equipment installed in the datacenter being pushed out to the cloud. Aruba, Meraki, McAfee etc.

8. Fast, Persistent, and long term archival systems in the cloud. Amazon, Rackspace, Joyent now long term keepers of data.

9. Cloud-Based Global Networking – A rush is occurring in the area of cloud-based WAN optimization – companies with WAN-optimized clouds allow anyone to plug in and achieve the benefits of global WAN optimization overnight.

10. Branch Clouds – Mini clouds in the branch that encompass applications, firewalls, wireless AP management, Active Directory, logging etc. on one physical server.


Traditional Firewalls and the Cloud = Clunky

1. Traditional firewalls are inelastic; difficult in a large environment to upgrade firewalls on the fly; The cloud is elastic - therefore security devices that live in the cloud must also be elastic.

2. Physical access in the cloud is disappearing; any security services must be virtual.

3. The cloud does not make compliance go away. The need to track, audit and log remains the same.

4. Physical firewalls protecting clouds present DR challenges. They cannot be moved, copied and spawned on demand. Business Continuity a large driver behind private cloud initiatives.


Why Fortinet Virtual Firewalls?

1. Virtualized to the core – the only tier 1 vendor that has physical/virtual parity. Every product we sell to the Financial Services market is virtualized.

2. The Cloud is noncontiguous; Tier2 and Tier3 firewalls must be able to support VMWare, Xen, Amazon, etc.

3. 100% feature parity; physical and virtual firewalls are on the same development track and utilize the same development teams.

4. All the elastic features of the cloud – upward/downward scaling and ‘motion.’

5. Most importantly – World Class NGFW features in the cloud!


NGFW - What’s all the hype about?

The Facts: NGFW is intended to unify firewall policies, application rules, and identity into intelligent security frameworks.

1. Applications running amuck in organization; business leaders need to control and contort them.

2. Traditional firewall rule sets have become untenable.

3. Hooks to identity are mandatory for security, compliance, audit.

4. Security teams need knowledge about what applications exist on the network – YouTube, or Botnets – it’s all valuable information.

5. Increase in application layer attacks mandates that security devices function at the higher layers.


NGFW – Why have deployments struggled???

1. Legacy vendors have not invested in technology to run NGFW at high speeds.

2. “New” vendors have disregarded traditional high speed firewall/filtering only to have their devices compromised.

3. Vendors have lost sight of fundamental network firewall features such as new connections per second, total sessions, and overall throughput.

4. No enterprise will ever be 100% NGFW; they will be an intelligent mix of traditional firewall and high performance stateful firewall.


NGFW – Why have Fortinet deployments succeeded??

1. We built NGFW on the world’s fastest and strongest stateful firewall.

2. We can turn on what you need when you need it. For one part of the network we may be your super high speed firewall; for another part we may be the Active Directory Integrated NGFW.

3. We have appliances that are proven to work at the Branch or deep inside the data centre at multi-gigabit speed.

4. As an organization we have a proven ability to deploy NGFW quickly in enterprise networks.

5. Remember: NGFW means you can use all the features of the device in any combination you desire – not only the ones that work!


Some of our Success in Canada

1. Canada’s most demanding NGFW deployments run on FortiGate:
   I. School Board with 300,000 users
   II. Canadian online TV on Demand services

2. The only NGFW to successfully integrate into a Big 5 bank with all features turned on.

3. The only NGFW to deploy in the core with all features turned on at Multi-Gig speeds.

4. We don’t discriminate – We’ll do NGFW at 60 Gigs or 60 megs.


Some Chest Pounding


Some More Chest Pounding


Finally


Q&A

www.fortinet.com


Thank You
