Embed Size (px)
Citation preview
FortiMail EmailSecurity Appliances
Roberto Naretto
Senior IT Security Eng
FortiMail Overview
FortiMail e-mail and
messaging security
• Industry leading price/performance
• Flexible deployment modes and
architectures support the widest
range of organizations
• Multi-layer threat detection delivers
highest level of user protection
• Scalable solution delivers long
term investment protection
• Data Leak Prevention, and Policy
Based Encryption and Archiving
enable compliance with SOX,
GLBA, HIPAA, PCI DSS
• FortiGuard Threat Research and
Response Network
Summary
Independent Validation
Fortinet email security solutions
trusted by over 50,000 customers
Trusted Solution
The FortiMail Family
FortiMail-200D
FortiMail-400C
FortiMail-5002B
FortiMail-3000D
FortiMail-1000D
Mid-Enterprise� Recommended for up to 3,000 users
� 2 x 1TB HD
� Software RAID Support
Small Deployments� Recommended for up to 500 users
� 1 x 1TB HD
Mid-Enterprise� Recommended for up to 5,000 users
� 2 x 2TB HD (Additional 2 x 2TB optional)
� Hardware RAID Support
Large-Enterprise and Carrier/Service Provider� Recommended for up to 10,000 users
� 2 x 2TB HD (Additional 6 x 2TB optional)
� Hardware RAID Support
Carrier/Service Provider Deployments� ATCA Chassis Form Factor
� 2 x 900GB HD
VM01
1 x vCPU
Virtual Appliances
Supported Hypervisors:
VMWare, Hyper-V (Q2 2014)
Physical Appliances
VM02
2 x vCPU
VM04
4 x vCPU
VM08
8 x vCPU
€40k
(BDL)
€1.9k
€90k
(BDL)
€25k
(BDL)
€8k
(BDL)
€4.5k
(BDL)
€7.4k
€20k
€84k
Deploying FortiMail
Deploy on-site or in the cloud to
relay mail to destination
Gateway
Network and application
transparent
Transparent Inline
Full mail server and groupware
functionality
Server
Full email server at no extra cost
Deployment
Options
Greylisting
SMTP flow limiting
SMTP syntax verification
SMTP error control
SPF/DKIM verification
Antispoofing verification
Recipient address check
Header Analysis
Advanced layered Spam and Anti-Malware Protection
• Multi layer Protection based on:– Local filters
– Central FortiGuard Database
Global FortiGuard IP
Reputation
Global FortiGuard Botnet
Database
Local Dynamic Sender
Reputation
Black/White lists
Global Spam Content
Database
Mail Content URL Filtering –
Adult, SPAM, Malware URLs
Virus/Malware/APT detection
Newsletter Detection
Image Spam detection
Dynamic Heuristic Detection
Dictionary content filter
Bayesian Filtering
Advanced Spam and Anti-Malware Protection
FortiGuard Threat Research
Cloud based antispam and
antimalware serviceVisibility of millions of messages per
day with global feedback
Discovers zero day threats and tracks
global botnets www.fortiguard.com
Security experts working for you 24x7!
Advanced Spam and Anti-Malware Protection
Industry Leading Catch Rate
ICSA Certified Anti-Spam and Anti-
Virus
27 VB100 Awards
21 VB Spam Awards with 99.86%
catch rate*
Common criteria EAL2+ certified for
Government use
Fortinet
* http://www.virusbtn.com/ May 2012 VB Spam Report
Industry validated solution
Excellent spam cath rate and False Positive rate
VBSpam (march 2014)
• FortiGuard Antivirus– Award winning independently verified AV
• Malicious URL Filtering– Detect and block malicious URLs
• Advanced Persistent Threat Detection– Real-time Local sandbox provides On-box behavioural analysis
– FortiSandbox integration for in-depth APT analysis• Provides APT mitigation with file blocking and quarantining
Advanced Multi layered Malware Protection
Advanced Spam and Anti-Malware Protection
Layered Spam Detection
Global FortiGuard IP Reputation
FortiGuard Botnet Tracking Database
Dynamic Sender Reputation
Connection Rate Limiting
Connection Level Filtering:Discard spam as early as possible for greatest performance
Advanced Spam and Anti-Malware Protection
Layered Spam Detection
Recipient verification
RFC Compliancy
SMTP Error Rate Control
Sender White / Black Lists
DHA Protection
SPF/DKIM Support
Greylisting
Header Filtering:Verify valid destinationSupport for latest RFCs
Advanced Spam and Anti-Malware Protection
Layered Spam Detection
FortiGuard Spam DB
Heuristic Detection
Bayesian Filtering
Newsletter Detection
Anti-Malware Detection
Web Content Filtering
Full Content Filtering:Multiple Detection Methods
• All in one – get much more than AV/AS– Embedded IBE encryption at no additional licence cost
• Deliver encrypted email to recipients without plugin requirement– Lower Capex (no dedicated HW, no additional cost/licence)
– Lower Opex (no user management)
– Embedded archiving• Generic compliance policy, Investigation against individual,
Maintain copy of communication to key accounts– Lower Capex (No dedicated HW, no additional cost/licence)
– Embedded quarantine with large disk space
• High availability– Synchronize email: mail queues, mail quarantine
• Transparent failover (better user experience & no loss of data)
• Remove requirement for central quarantine (simplified deployment, lower Capex)
FortiMail differentiators
SpamReport e-Mail Notification
Deploying FortiMail
MSSP Ready Solution
MSSP Service Framework
• FortiMail White Labelling
• Multi Domain support with per
domain quotas
• Mass provisioning for lower
OPEX
• Delegated administration
• User self service
Mail Security Service Provider in a box!
Deployment Mode – Gateway/Relay
Gateway mode deployment
• FortiMail is deployed as a mail relay/gateway on a firewall DMZ
• Gateway mode means:– FortiMail is the destination IP for mail traffic
– It then delivers filtered email to the destination mail server
• Main market:– CPE deployment: SMB to large Enterprise (onsite deployment)
– Cloud-based deployment: MSSP
INTERNET
INTERNAL MAIL
SERVER
INCOMING MAIL
OUTGOING MAIL
GW mode – SMB, Enterprise – Highlights
• Main project requirement– Antispam and antimalware to protect
staff/network
– Optionally: DLP, encryption and archiving• To protect loss of data
• To attain compliance (HIPAA, SOX, PCI, GLBA)
• Typical deployment: GW mode
• Why Fortinet?– Cost effective, non-per seat licensing
– Fully inclusive features with no additional licensing costs
Enterprise protection at competitive price point
GW mode – Mobile Operator case
• MMSC is critical
• MMSC is connected to public networks:
– Internet
– Other Mobile Operators
OTHER MOBILEOPERATOR
MM3 (SMTP)
MMS COMMUNICATIONS
WITH EXTERNAL
NETWORKS
MMS SERVER
MOBILE: 3G
3G MTA
MMS
SERVE
R
INTERNET
GW mode – Enterprise case
SMTP
SMTP COMMUNICATIONS
WITH EXTERNAL
NETWORKS
MOBILE: 3G/WIFI
MTA
SMTP
SERVER
INTERNET
GW mode – Mobile Operator – Highlights
• Typical Requirement– Protect the MMS Center from external threats
– Protect the MSSC from overload with rate limiting (New Year’s Eve / Christmas)
– Queue MMS in case of MMSC unavailability• MMS generate revenue and can not be lost
• Typical deployment: GW mode
• Why Fortinet– Extremely high performant MTA
– Extremely high queueing capabilities
– Advanced routing and ACL capabilities
– Cost effective, no seat licensing
Deployment Mode – Transparent
Transparent mode – ISP case
• FortiMail intercepts mail going out of the ISP network– Even though the destination is elsewhere on the internet
– Thanks to transparent proxying and Policy Based Routing (PBR)
• Market– ISP
– Prevent IP BlackListing by filtering outbound spam
ISP NETWORK DESTINATION
MAIL SERVERINTERNET
PBR
REDIRECTION
Transparent mode – ISP case
• Subscriber hosts (3/4G, ADSL, etc.) are controlled by botnets and send spam
• The source IP of a spam flow is identified and blacklisted by DNSBLs
• Mail servers query DNSBLs before to accept mail – Reject the connection if the originating IP is a listed spamming IP
• Above certain % of spamming IPs DNSBLs blacklist:– The full subnet or the full ISP range (= ASN)
ISP NETWORKMAIL SERVER
IP
IP
BLACKLISTED IP
CAN NOT SEND MAIL
INTERNET
IP BlackListing and Subscriber impact
• Subscribers using a blacklisted IP can not send mail
– Service denied
• Who is impacted?
– The infected subscriber trying to send legitimate email
– A clean subscriber who dynamically receive a BlackListed IP
– All subscribers within a BlackListed subnet
– All subscribers sharing the same BlackListed public IP (NAT)
– All subscribers connected on a BlackListed Autonomous System
• Autonomous System: the collection of the ISP subnets
ISP impact
• Direct cost
– Recurring cost to remove listed IP
• Operation cost
– Subscriber calls to helpdesk
– Collect listed IPs
– Contact DNSBL services
– Justify registration end
• Reputation cost
– Subscriber
disatisfaction
– Poor quality of service
– Subscribers not
renewing
• Network cost
– Traffic spikes during
spam campaign,
DDOS attacks, etc.
– Bandwidth, RAM, CPU
• No impact for subscribers– Does not require any modification of user settings
• Unique level of transparency: from L3 to L7– Higher resistance to BlackListing
• I.E: Fortimail does not expose its own IP address
– Unique design to avoid mail queuing if destination MTA is not available
• Unique outbound filtering techniques – Purpose built filters– Subscriber reputation and blacklisting
– Dynamically scores subscribers and block bot computers
• Reports and statistics based on subscriber IDs– Based on subscriber unique identifier and not just IP addresses
• Top senders, top spam senders, top virus senders, list of bot computers, etc.
Transparent mode – FortiMail key differentiators
Transparent mode – ISP – Highlights
• Requirement
– Outbound spam filtering to prevent blacklisting of IP
ranges and customer dissatisfaction
• Typical deployment: transparent mode
• Why Fortinet?
– Unique transparent proxy implementation
– Efficiency of the dedicated outbound filters
• Usually demonstrated during live POC
– High performance MTA, scalable to millions of emails
per hour
– Cost effective, non-per seat licensing
Deployment Mode – Server
Server mode deployment
• FortiMail acts as a full blown email server
– + the same filtering services as GW mode
– Groupware functionalities
• Address books
• Calendar hosting
• FortiMail can be hosted locally or in a datacenter and shared
amongst multiple companies/domains
• Email migration from existing solutions available
INTERNET
OUTGOING MAIL
SERVER
WEBMAIL
CALENDAR
POP3, IMAP
INCOMING MAIL
Server mode – Market
• Small business– Corporate mailboxes
• Enterprise and Carriers– Business applications communicate together by
– Dedicated mail server are required for security reasons• i.e: Mailboxes used as repository for messages coming from web forms (lottery)
• ISPs– Scalable free mailboxes for Internet subscribers
Server mode – Highlights
• Typical requirement– Mail server with AV/AS filtering capabilities
– Ease of management
• Typical deployment: server mode
• Why Fortinet?– All in one: regular mailbox, filtering services,
quarantine mailbox
– Simple management
– Lower TCO than other vendors or cloud-based mailboxes• Low capex and opex
• No user based licence - Most providers licence per seat
Server mode – 5.0 New features
• File upload enhancements
• Address Book access through LDAP
• Calendar sharing (iCalendar)
• Resource allocation/booking
• Exchange migration tool
Server mode – Address Book 5.0
• Webmail only
• Personal Address Book
• Domain Address book
• Global Address book
Server mode – Calendar Sharing
• Two types of calendar
− Local calendars: stored on my computer
− Online calendars: stored on a server (FortiMail, Gmail)
• FortiMail Calendars – Supported standard formats and protocols
▪ iCalendar (RFC 2445)
▪ HTTP (RFC 2616)
▪ WebDAV (RFC 4918)
▪ CalDAV (RFC 4791)
Server mode – View Shared Calendar (HTTP)
• Calendar is now visible by others using Outlook/Thunderbird Calendar
Server mode – Mobile clients support
• FortiMail Server is compatible with most Smartphones and
Tablets
• iPhone iOS and Android both support standard protocols
and formats for Mail, Calendar and Address Book
iOS Android
Mail: SMTP/POP3/IMAP � �
Calendar Sync: CalDAV � Apps Available
Address book: LDAP � Apps Available
Server mode – Migration Tools 5.0
• Global setting on CLI to turn on/off the email migration feature: config system global
set email-migration-status enable end
• User migration – how to collect username & password:− If the list of usernames & pwd is available in plain text � list import
− Else, username & password are collected via webmail login or SMTP client login▪ An authentication profile is defined in a recipient based policy
▪ FortiMail authenticates with the external server (SMTP, LDAP, IMAP, or POP3) and collects user name and password
• Mail data migration− After collecting, migration can start for part or all users
− FML acts as IMAP client to login to remote mail server through IMAP or IMAPS on each user's behalf, and retrieve mail data
− Remote mail server is configurable under "Mail migration settings" within each domain.
June 25, 2014
Q&A
FAQ 1
Q.: Esistono delle VM evaluation e come funzionano ?
A: Ogni VM Fortinet ha integrato un periodo trial di 15
giorni con funzionalità limitate (limitazione sul numero di
policy e profili creabili). C'è la possibilità, compilando un
apposito modulo, di richiedere a Fortinet attraverso la
nostra struttura commerciale, una evaluation di 30 giorni
con funzionalità full-features, per poter testare anche le
funzionalità UTM aggiornate.
FAQ 2
Q: Come funziona il listino prezzi delle FML-VM ?
A:
FortiMail-VM
UNIT SKU Description Price 1 Yr Contract
FortiMail-VM01 FORFML-VM01
FortiMail-VM software "virtual appliance" designed for virtualization platforms. 1 x vCPU
core € 1.921
FORFC-10-0VM01-965-02-DD 8x5 Bundle Renewal € 570
FORFC-10-0VM01-966-02-DD 24x7 Bundle Renewal € 844
FORFC-10-0VM01-100-02-DD Advanced Threat Protection Services (AV, Sandbox, Botnet Blacklist) € 427
FORFC-10-0VM01-114-02-DD AS Service € 308
FORFC-10-0VM01-851-02-DD 8x5 Enhanced FortiCare € 257
FORFC-10-0VM01-248-02-DD 24x7 Comprehensive FortiCare € 427
Virtual Appliance (equivale all’acquisto dell’hardware nelle appliance fisiche)
Bundle (include FortiCare + AntiVirus + AntiSpam)
FAQ 3
Q.: A cosa serve il FortiCare nelle VM ?
A: Il FortiCare permette non solo la sostituzione
dell’hardware (utile solo con le appliance hardware) ma
permette di usufruire dei firmware upgrade per mantenere
aggiornato il sistema, e per poter ottenere supporto
tecnico da Fortinet mediante apposita piattaforma di
ticketing 8x5 o telefonicamente 24x7. Il supporto è
garantito da Fortinet in lingua inglese e francese.
FAQ 4
Q.: E’ possibile fare HA con FortiMail ?
A: Sì, il FortiMail supporta un HA in Active-Passive Mode.
Analogamente all’HSRP, occorre predisporre tre IP (uno
per unità più un IP aggiuntivo per il clustering).
FAQ 5
Q.: Quale release di firmware è consigliato adottare oggi ?
A:
- 5.0.6 in Gateway e Transparent mode perché garantisce
la massima affidabilità sulle versioni 5.0.
- 5.1.3 in Server mode perché possiamo sfruttare le
ultimissime funzionalità introdotte nel FortiOS 5 per
FortiMail
FAQ 5
Q.: Quale release di firmware è consigliato adottare oggi ?
A:
- 5.0.6 in Gateway e Transparent mode perché garantisce
la massima affidabilità sulle versioni 5.0.
- 5.1.3 in Server mode perché possiamo sfruttare le
ultimissime funzionalità introdotte nel FortiOS 5 per
FortiMail
FAQ 6
Q.: In una delle prime slide si faceva riferimento alle
comparative, da quali link è possibile scaricarle ?
A:
1) VirusBullettin (https://www.virusbtn.com) accesso alle
informazioni a pagamento, comunque il report è quello
mostrato alla slide 8
2) SC Magazine (http://www.scmagazine.com/fortinet-fortimail-
200d/review/3997/)
FAQ 7
Q.: Puoi ripetere i valori medi di spam catch-rate e falsi
positivi misurati nel 2014 da VirusBullettin ?
A:
Spam Catch Rate 99.93%
False Positives Rate 0.02% (1 ogni 5.000 e-mail analizzate)
FAQ 8
Q.: Puoi ripetere dove possiamo trovare la registrazione dellevarie presentazioni Sidin ?
A:
Troverete la registrazione di questo ed altri eventi all’interno delportale www.sidin.it nella Brand Zone Fortinet, sezione VideoFormazione o cliccando su questo link dopo esservi autenticatisul portale www.sidin.it
http://www.sidin.it/priv/marchi/Fortinet/VideoFormazione.html
