Fortinet Security Fabric
Emeka Mgbeahuru – Inside System Engineer
June 7, 2017
© Copyright Fortinet Inc. All rights reserved.
Agenda
Introduction
Three Security Challenges Driving Fortinet’s Security Vision Today
How This Vision is Being Realized With FortiOS
Threat Intelligence
Recap & Discussion
Cybersecurity is expanding to become Digital Security
Diagram labels: Security; Compliance; Infrastructure; Cybersecurity at the New Edge; Leadership and Governance; The Evolving Threat Environment.
Security Life Cycle Management – NIST Cybersecurity Framework
1. Identify (e.g. Topology View)
2. Protect (e.g. Access Control)
3. Detect (e.g. IPS, AV)
4. Respond (e.g. Mitigate)
5. Recover (e.g. Topology View)
Dissolving Network Perimeter
Diagram labels: IoT; Mobile; Windows; Mac; Access; Campus; WAN; Core; Private; Public; No Trust; Trusted.
Threats (and Technologies To Counter Them) Constantly Evolve
Timeline diagram running from the 1980s to today; vertical axis: Performance Degradation.
Layers labelled: Layer 1-2: Physical; Layer 3-4; Layer 5-7.
Generations: Generation 1 – Connection; Generation 2 – Content; Generation 3 – Infrastructure.
Threats: Hardware Theft; Viruses & Spyware; Intrusion & Worms; Malicious Apps; Advanced Targeted Attacks; Spam; Malicious Sites; Exploits; Botnets; Machine to Machine Attacks.
Countering technologies: Antimalware; Firewall; Vulnerability Management; Intrusion Prevention; Secure Email Gateway; Application Control; IP Reputation; URL Filtering; Advanced Threat Protection; Integrated Fabric.
Fortinet’s Vision: Protecting the Borderless Network with a Strong, Segmented Security Fabric
Three attributes: Broad; Powerful; Automated.
Diagram labels: Advanced Threat Intelligence; Access; Client; Cloud; Partner API; NOC/SOC; Network; Application.

Broad
Deeper visibility and control throughout the Security Fabric to reduce the attack surface from IoT to Cloud
Broad – The Fabric Gives You Complete Visibility, Coverage and Flexibility Across The Entire Dynamic Attack Surface
Diagram labels: Coverage; Visibility; Flexible/Open; Application Security; Cloud Security; Client/IoT Security; Access Security; Network Security.

The Fortinet Security Fabric Realized
Fortinet Security Fabric (one diagram, built up over slides 11 to 16 by adding product names to each function)
Locations shown: Branch Office; Campus; Data Center/Private Cloud; Public Cloud; Operations Center.
Enterprise Firewall: FortiGate NGFW; FortiGate DCFW/NGFW; FortiGate Internal Segmentation FW (several, at campus, data center and top-of-rack positions); FortiGate/FortiWiFi Distributed Enterprise FW (branch office).
Secure Access: Secure Access Point; FortiSwitch Switching; FortiExtender LTE Extension; FortiCloud AP Management; IP Video Security.
Application Security: FortiWeb Web Application Firewall; FortiADC Application Delivery Controller; FortiDDoS DDoS Protection; FortiDB Database Protection.
Advanced Threat Protection: FortiSandbox (Sandbox); FortiCloud Sandboxing; FortiMail Email Security; FortiClient Endpoint Protection on Client Devices.
Cloud Security: FortiGate VMX (SDN, Virtual Firewall); Fortinet Virtual Firewall in the Public Cloud; FortiCloud.
Operations Center: FortiManager; FortiAnalyzer; FortiSIEM.
Other labels: Web Servers; Server; Client Devices; Top-of-Rack.
More Security Device Visibility Leads to Improved Segmentation
Topology-view screenshot: devices NGFW.1, ISFW.1, ISFW.2, Switch.1, Switch.2, AWSFW.1 (Public Cloud), ACI.1 (Private Cloud), Sandbox Analytics, Internet; Physical and Logical views; time range selector (Now, 5 M, 1H, 24H, 7D); traffic scale 50MB / 300MB / 500MB; Threat Score.
New: Downstream Device Quarantine; Devices and Status Visibility; Aggregate FortiGate View; Historic Trending.
Better Endpoint Control via the Network for Increased Security
0. No Agent (IoT)
1. Fabric Agent – Fabric Telemetry; Endpoint Compliance; Vulnerability Scan/Remediation
2. Secure Remote Access – SSL & IPSec VPN; Two-factor Authentication
3. Advanced Persistent Threats – Zero-day, Advanced Malware Detection and Remediation
4. Preventive Security Controls – Anti-malware; App FW, Web Filtering; Single Sign-on
New IoT Learn and Manage Capabilities to Reduce the Attack Surface
Learn – IoT: Headless Device Auto Detection; 20+ new categories and new devices added continually and classified.
Manage – IoT: Trusted or Not Trusted; Segmentation Policy; Applied Protections.
Device table from the slide:
Status  | Device      | OS/Version                         | Trust
online  | Android     | Android/OS 7.0 “Nougat”            | Untrusted
online  | Apple TV    | Apple TV/iOS modified (Model 10.0) | Untrusted
offline | Siemens PLC | Siemens PLC/S7                     | Trusted
online  | Qardio      | Qardio/OS Version 01.4.2           | Trusted
Fabric-ready APIs
Partner Ecosystem to Extend Control Across Your Infrastructure
Partner categories: Cloud; Endpoint; Virtualization/SDN; Management (FNDN); Vulnerability Management; SIEM.

Powerful
Accelerated cloud-scale and security processor-based appliances with coordinated logging to enable maximum threat protection without affecting performance
Scaling Security Applications into Multiple Clouds
Columns: Platforms; Performance; Management; On-Demand; Orchestration.
Diagram labels: vSphere; Hyper-V; XenServer; NSX; ACI; Autoscaling; 1-32+ vCPU; 1-8 vCPU v-series (No VDOM); Metering; Security Competency; Security Center; Marketplace; On-Demand.
Powerful – Increasing Performance, Reducing The Burden On Infrastructure
Comprehensive Range: Entry Level; Mid Range; High End (up to 1 Tbps).
Parallel Path Processing.
Security Processors (SPUs): accelerate content inspection; accelerate network traffic; optimized performance for entry level.

Fortinet CP9 Highlight: Fortinet Security Processing Unit
The Fortinet CP9 SPU: Ready for SSL Inspection
SSL Boost; Pattern Matching Engine offload; Suite B Cryptographic Support.
Charts: VPN Performance (CP8 vs CP9 vs Intel Xeon); Power Consumption (CP9 vs Xeon).
15x More Efficient and Faster vs Intel !!!
Content Processor Comparison
                         | CP8         | CP9 (New)    | Intel Xeon E5*
Cost                     | $7          | < $14        | $880
Power Consumption        | 3.5 W       | 7 W          | 95 W
Gate Count (Transistors) | ~60 Million | ~150 Million | 2270 Million
Technology               | 90 nm       | 40 nm        | 32 nm
Content Processor Advantage: ✔ Superior Cost/Performance; ✔ Energy Efficient.
Processor spectrum shown: CPU; GPU; FPGA; SPU.
The Fortinet CP9 SPU – Setting the Benchmark Higher
Bar charts comparing CP9, CP8 and CPU:
SSL VPN (Gbps): values shown 10, 44, 7
IPS (Gbps): values shown 10, 20, 6
SSL (Connections/000s per Second): values shown 8, 100, 13
CPU numbers based on Intel E5-2640 V2 (8 Core 2GHz).
The Fortinet CP9 – Supported IPSec VPN Encryption and Authentication Settings
Encryption: DES/3DES CBC; AES in CBC mode (key length 128bit/192bit/256bit).
Authentication: HMAC-MD5-96; HMAC-SHA1-96; HMAC-SHA256/384/512-96; HMAC-SHA256/384/512-128/192/256.
Combined, at IPSEC ESP packet level: DES/3DES-HMAC-MD5-96; DES/3DES-HMAC-SHA1-96; DES/3DES-HMAC-SHA256/384/512-96; DES/3DES-HMAC-SHA256/384/512-128/192/256; AES-HMAC-MD5-96; AES-HMAC-SHA1-96; AES-HMAC-SHA256/384/512-96; AES-HMAC-SHA256/384/512-128/192/256.
ESN mode of all the above.
GCM support for NSA “Suite B” (RFC6379): GCM-128/256; GMAC-128/256.
The Fortinet CP9 – Support of Industry Mandated Ciphers for SSL
Encryption: DES/3DES in CBC mode [RFC2405]; AES in CBC mode (key length 128bit/192bit/256bit).
Integrity: HMAC-MD5 (MD5 for SSL); HMAC-SHA1 (SHA1 for SSL); DES/3DES-HMAC-MD5 (MD5 for SSL); DES/3DES-HMAC-SHA1 (SHA1 for SSL); AES-HMAC-MD5 (MD5 for SSL); AES-HMAC-SHA1 (SHA1 for SSL).
TLS only: HMAC-SHA256/384/512; DES/3DES-HMAC-SHA256/384/512; AES-HMAC-SHA256/384/512; NSA “Suite B” GCM-128/256 (RFC6460).
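The IPsec and SSL lists above are hardware support lists: they mix legacy primitives (DES/3DES, MD5, SHA-1) with the Suite B GCM/GMAC modes, and a reviewer writing a new VPN or TLS inspection policy has to decide which of them to leave enabled. The following Python is an added example, not Fortinet code and not taken from the slides; it parses algorithm names written the way the two slides write them and sorts them into recommended, acceptable and legacy. The acceptance rules are this example's own judgement (a common policy-review baseline), not a Fortinet recommendation, and the sample list is constructed from entries on the two slides.

```python
"""Audit a datasheet-style cipher/integrity list for policy review.

Added example (not Fortinet code). Names are written as on the CP9 slides,
e.g. "DES/3DES-HMAC-SHA256/384/512-96" or "GCM-128/256". The rating rules
below are this example's own baseline, not a vendor recommendation.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the combinations listed on the IPsec and SSL slides.
SAMPLE_LIST = [
    "DES/3DES CBC",
    "HMAC-MD5-96",
    "HMAC-SHA1-96",
    "HMAC-SHA256/384/512-128/192/256",
    "DES/3DES-HMAC-SHA1-96",
    "AES in CBC mode (Key length: 128bit/192bit/256bit)",
    "AES-HMAC-SHA256/384/512-96",
    "GCM-128/256",
    "GMAC-128/256",
]


@dataclass
class Verdict:
    name: str
    rating: str                     # "recommended", "acceptable" or "legacy"
    reasons: list = field(default_factory=list)


# Any match here marks the entry legacy, whatever else it contains.
LEGACY_RULES = [
    (re.compile(r"\b(DES|3DES)\b"), "64-bit block cipher (DES/3DES); do not enable for new tunnels"),
    (re.compile(r"\bMD5\b"), "MD5-based integrity is deprecated"),
    (re.compile(r"\bSHA1\b"), "SHA-1 integrity; prefer the SHA-2 family"),
]
AEAD_RULE = re.compile(r"\b(GCM|GMAC)\b")
MODERN_RULE = re.compile(r"\bAES\b|SHA(256|384|512)")


def classify(name: str) -> Verdict:
    """Rate one entry. Legacy findings win over anything modern in the same name."""
    reasons = [msg for rx, msg in LEGACY_RULES if rx.search(name)]
    if reasons:
        return Verdict(name, "legacy", reasons)
    if AEAD_RULE.search(name):
        return Verdict(name, "recommended", ["AEAD mode (Suite B GCM/GMAC)"])
    if MODERN_RULE.search(name):
        return Verdict(name, "acceptable", ["AES or SHA-2 based; pair CBC with a SHA-2 HMAC"])
    return Verdict(name, "legacy", ["no modern primitive recognised"])


def audit(names):
    """Group entries by rating so a policy review sees at a glance what to disable."""
    grouped = {"recommended": [], "acceptable": [], "legacy": []}
    for n in names:
        grouped[classify(n).rating].append(n)
    return grouped


if __name__ == "__main__":
    for rating, entries in audit(SAMPLE_LIST).items():
        print(f"{rating}:")
        for e in entries:
            print(f"  {e}  ({'; '.join(classify(e).reasons)})")
```

The "legacy first" ordering in classify matters: an entry such as DES/3DES-HMAC-SHA256/384/512-96 carries a SHA-2 HMAC but still rides on a 64-bit block cipher, so it must not be rescued by the modern-primitive rule.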
Real-World SSL Inspection on all FortiGate Data-Sheets
Performance figures published per vendor (P = published, with the test condition shown; ▬ = not published):
Performance Parameter                           | Fortinet                      | Palo Alto Networks      | Check Point
Firewall                                        | P (1518/512/64B UDP)          | ▬                       | P (1518/512/64B UDP)
FW + App Control                                | P HTTP 64K                    | P HTTP 64K              | ▬
SSL Inspection (FW+IPS)                         | P TLS 1.2, AES-SHA, HTTP 100K | ▬                       | ▬
NGFW (FW + App Control + IPS)                   | P Enterprise Mix              | ▬                       | P Unknown (private mix)
Threat Prevention (FW + App Control + IPS + AV) | P Enterprise Mix              | P Unknown (private mix) | ▬
Only security vendor to publish SSL performance.
Measured with industry mandated ciphers AES256-SHA and TLS 1.2.
Measured with IPS enabled for a real-world scenario.
Accelerated Entry/Mid-range Appliances Enable Maximum Security at Branch and Campus
FortiGate 30 – 90 Series: Entry-level FortiGate optimized for Branch Office & SD-WAN; FortiGate 80E Series with high IPsec VPN and SSL performance.
FortiGate 100 – 900 Series: Mid-range FortiGate optimized for NGFW at the Campus; FortiGate 100E & 200E Series with high Threat Protection and SSL performance.
Diagram labels: System on a Chip; Content Processor; Network Processor; CPU.
Accelerated High-end and Chassis-based Appliances Enable Maximum Security at the Core and Data Center
FortiGate 1000, 2000 and 3000 Series: High-end FortiGate optimized for the Data Center with up to 1 Tbps of Firewall Performance (FG-3960E; FG-3980E 1 Terabit FW).
FortiGate 7000 Series: Chassis-based FortiGate optimized for 100+ Gbps of NGFW Performance in the Core Network (FG-7060E 100 Gbps NGFW).
Diagram labels: … Interface Cards; … Processor Cards; CPU.

Automated
More efficient operations with new Security Fabric audit/recommendations, intelligence sharing, and NOC views
Coordinated Logging Allows Deep Visibility and Better Performance
Uncoordinated (Full Logging): manual setting for each device for logging; each device sends full logging to FortiAnalyzer.
Coordinated (Security Fabric – Fabric Logging): automatic setting of all devices for logging; topology aware – log only what’s needed.
New Security Fabric Audit for Automated Compliance and Best Practices
1. Run Fabric Audit (Priority-based)
2. Apply Recommendations
Severity levels: Critical; High; Medium; Low; Passed.
Visual Audit Indicator per device in the screenshot (ISFW.2, ISFW.1, NGFW.1, AWSFW.1) with severity counts; results table columns: Priority (1.–4.); Element; Severity; No.
Common Compliance Areas: Secure the network; Secure the endpoints; Control access; Log and monitor activity; Enforce policy.
Security Best Practices: Strong administrative access; Current firmware & subscriptions.
Rapid Sharing of Global and Local Threat Intelligence
Diagram: FortiGuard (Global) and FortiSandbox (Local) exchange IoCs with the Security Fabric (FortiGate, FortiWeb, FortiMail, FortiClient, FortiAnalyzer).
Clustered Local Intelligence distributed throughout the Security Fabric speeds mitigation.
Correlation of Global IoCs and networking logs pinpoints new threats.
Single Pane of Glass with New NOC Functionality
FortiManager: Device Manager; FortiAP Manager; FortiClient Manager; FortiSwitch Manager; VPN Manager; FortiGuard.
FortiAnalyzer: FortiView; Log View; Event Management; Reports.
Unified Management & Analytics/Reporting in Appliance, Virtual Machine and Cloud format.
Management of Endpoint, Access Points and Switching added.
Upgrades to VPN Manager (Topology View), FortiView, Event Management and Reporting.
Summary – FortiOS 5.6 Expands the Security Fabric
Broad: Deeper visibility and control throughout the Security Fabric to enhance protection across the entire attack surface.
Powerful: Accelerated cloud-scale and security processor-based appliances with coordinated logging to enable maximum threat protection without affecting performance.
Automated: More efficient operations with new Security Fabric audit/recommendations, intelligence sharing, and NOC views.