September 13, 2013
What's New in Fortinet Wireless Solutions
Dr Aldo Di Mattia, CISSP
Systems Engineer
Fortinet
Webinar Fortinet Italia 12/09/2013
Agenda
Introduction:
- FortiGate Wireless Controller
- Deploying the wireless solution
Wireless has never been more secure:
- Detection, classification and remediation of rogue attacks
- Wireless Intrusion Detection System
- Full UTM
From AntiVirus to the new Advanced Threat Protection:
- New ATP (Advanced Threat Protection) system
- Local and cloud sandbox
Authentication:
- WPA, WPA2, 802.1X, PSK
- Single Sign On, NTLM and authentication portal
- Guest user management
Fortinet access point models:
- For indoor and outdoor use
- For remote access
FortiGate
Ubiquitous Access
Unified Access Layer in front of the digital asset, covering:
• Wireless Access
• Wired Access
• Remote Access (RAP, VPN Client)
The same functions apply to all three:
• Content Inspection
• Attack Mitigation
• User Identification
• Access Control
Wireless Solutions: Thick vs. Thin Fortinet APs
• FortiWiFi: thick AP (a FortiGate with an integrated radio)
• FortiAP: thin AP managed by a FortiGate acting as wireless controller
FortiGate Wireless Controller
• 20+ FortiGate platforms
• Capacity from 5 APs / 100 users up to 10,000 APs / 32K users
Adding Access Points
Create New SSIDs
Automatic Interface creation per SSID
Edit Access Points and SSID association
FortiAP – CAPWAP & CAPWAP encrypted
• Traffic flows to the controller
• Increased control
• No trunking
• No VLAN management
• No Layer-3 roaming needed, just fast Layer-2 switching
• No need to re-DHCP
• Controller redundancy
FortiAP – Bridging (local and remote application)
(diagram: Headquarters, WAN, Branch, Internet)
• Bridges WiFi traffic to the FortiAP Ethernet port
• No U-turn to HQ to access the local network
• Resiliency in case of WAN failure
Signal optimizations
• AP Handoff: balancing across access points
• Frequency Handoff: balancing between radios
• Auto TX Power Control: changes radio transmission power settings automatically
• Automatic Radio Resource Provisioning:
  o Automatically assigns non-overlapping channels
  o Changes channel and TX power to avoid RF interference impacting the wireless LAN
  o Selects channels with the least noise and interference
• Beamforming (FAP-221B/FAP-223B/FAP-320B):
  o Radio "beams" add up at the device to enhance the signal and link rate
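The GUI steps on the preceding slides (adding an AP, creating SSIDs, the per-SSID interface, AP/SSID association, tunnelled versus bridged SSIDs, and the radio optimizations) can be reproduced from the FortiGate CLI. The block below is an added example written for this page in FortiOS 5.0-era syntax; it is not configuration from the webinar or from Fortinet documentation. The profile and SSID names, the RADIUS server "corp-radius", the passphrase, the AP serial number and the IP addresses are placeholders, and the lines beginning with "#" are explanatory.

```fortios
# Added example, not from the webinar: FortiOS 5.0-style CLI for the GUI
# steps on slides 7-13. All names, addresses and the serial are placeholders.

# --- SSIDs (slide 8). Each SSID is a virtual AP (vap); the controller
# creates a system interface with the same name (slide 9).
config wireless-controller vap
    edit "corp-wifi"
        set ssid "Corp-WiFi"
        set broadcast-ssid enable
        # 802.1X only, no WPA1/TKIP fallback; "corp-radius" is assumed to
        # exist under config user radius
        set security wpa2-only-enterprise
        set encrypt AES
        set auth radius
        set radius-server "corp-radius"
        # clients on this SSID cannot reach each other
        set intra-vap-privacy enable
        # local-bridging left disabled: traffic is tunnelled to the
        # controller over CAPWAP (slide 11)
    next
    edit "branch-wifi"
        set ssid "Branch-WiFi"
        set security wpa2-only-personal
        set encrypt AES
        set passphrase "replace-with-a-long-random-psk"
        # bridged to the AP Ethernet port: no U-turn to HQ (slide 12)
        set local-bridging enable
    next
end

# --- AP profile (slide 10) carrying the radio optimizations of slide 13.
config wireless-controller wtp-profile
    edit "FAP221B-office"
        config platform
            set type 221B
        end
        set ap-country IT
        config radio-1
            set mode ap
            set band 802.11n
            # only the non-overlapping 2.4 GHz channels are candidates;
            # DARRP (Automatic Radio Resource Provisioning) picks among them
            set channel "1" "6" "11"
            set darrp enable
            # Auto TX Power Control, bounded in dBm
            set auto-power-level enable
            set auto-power-high 17
            set auto-power-low 10
            set vaps "corp-wifi" "branch-wifi"
        end
        config radio-2
            set mode ap
            set band 802.11n-5G
            set darrp enable
            set auto-power-level enable
            set vaps "corp-wifi"
        end
    next
end

# --- Authorize a discovered AP and attach the profile (slide 7).
# The entry name is the AP serial number (placeholder here).
config wireless-controller wtp
    edit "FP221B3X13000001"
        set admin enable
        set name "floor1-ap1"
        set location "Floor 1, reception"
        set wtp-profile "FAP221B-office"
    next
end

# --- Address the auto-created SSID interface and pass its traffic
# through the UTM profiles (slide 19).
config system interface
    edit "corp-wifi"
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
    next
end
config firewall policy
    edit 10
        set srcintf "corp-wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set av-profile "default"
        set ips-sensor "default"
        set webfilter-profile "default"
        set application-list "default"
        set profile-protocol-options "default"
    next
end
```

The two SSIDs differ only in local-bridging: with it disabled the frames ride the CAPWAP tunnel and hit the firewall policy above, with it enabled they leave the AP's Ethernet port and never reach the FortiGate, so UTM inspection, DHCP and the policy must be provided at the branch. A DHCP server on the "corp-wifi" interface is still needed for the tunnelled SSID; the controller can create it from the SSID dialog.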
Wireless Mesh
• Dynamic Multi-hop Mesh with resiliency
• Point-to-point / Multipoint Bridging
Fortinet Secure WLAN Approach
Corporate Wi-Fi, in order:
• Captive portal, 802.1X with RADIUS, or shared key
• Assign users and devices to their role
• Examine wireless traffic to remove threats
• Apply policy to users/devices and applications
• Identify applications and destinations
• Report on policy violations, application usage, destinations and PCI DSS
• Ensure business traffic has priority
• No additional licenses needed
Layer 1: Rogue AP Detection & Suppression
Rogue AP detection » Determines whether an AP is indeed a rogue device connected to your physical wired LAN
Rogue AP suppression » Deauthentication frames are sent to render unauthorized rogue APs unusable by clients
Layer 2: WIDS
Wireless Intrusion Detection System
• WiFi protocol and RF level attack detection
• Detection includes attacks and vulnerabilities such as:
  » Weak WEP encryption usage
  » Null SSID probes
  » Deauth broadcasts
  » Various management, EAP, auth and beacon floods
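Rogue scanning (Layer 1) and the WIDS signatures (Layer 2) live in the same WIDS profile on the controller, and the verdict on a detected AP is recorded separately. The block below is an added example written for this page in FortiOS 5.0-era syntax, not configuration from the webinar; the profile name, the AP profile "FAP221B-office" it attaches to, and the BSSIDs and SSIDs are placeholders.

```fortios
# Added example, not from the webinar: WIDS profile for slides 17-18.
# Names, BSSIDs and SSIDs are placeholders.
config wireless-controller wids-profile
    edit "wifi-wids"
        # scan for other APs in range while serving clients; rogue-scan
        # correlates what is heard over the air with the wired side
        # (on-wire rogue detection, slide 17)
        set ap-scan enable
        set ap-bgscan-period 600
        set rogue-scan enable
        # encryption / probing anomalies (slide 18)
        set weak-wep-iv enable
        set null-ssid-probe-resp enable
        set wireless-bridge enable
        # deauthentication attacks
        set deauth-broadcast enable
        set spoofed-deauth enable
        # management and EAP floods
        set auth-frame-flood enable
        set assoc-frame-flood enable
        set eapol-start-flood enable
        set eapol-logoff-flood enable
        set asleap-attack enable
        set long-duration-attack enable
    next
end

# The profile is applied per radio of an existing AP profile (name assumed).
config wireless-controller wtp-profile
    edit "FAP221B-office"
        config radio-1
            set wids-profile "wifi-wids"
        end
        config radio-2
            set wids-profile "wifi-wids"
        end
    next
end

# Record the verdict for APs the scan reported. "suppressed" makes the
# FortiAPs send deauthentication frames to clients of that BSSID
# (slide 17); "accepted" whitelists a neighbour's AP that is not yours.
config wireless-controller ap-status
    edit 1
        set bssid 00:11:22:33:44:55
        set ssid "Free-WiFi"
        set status suppressed
    next
    edit 2
        set bssid 66:77:88:99:aa:bb
        set ssid "Neighbour-Office"
        set status accepted
    next
end
```

Only suppress an AP after the on-wire check has confirmed it is plugged into your own LAN: suppression transmits spoofed deauthentication frames at somebody else's equipment, which is exactly the deauth-broadcast signature enabled above and is restricted or prohibited in some jurisdictions. Both the attack and the countermeasure work because deauthentication is an unauthenticated management frame unless 802.11w protected management frames are in use.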
Layer 3-7: FortiGate UTM features
Firewall, VPN, IPS, Application Control, AntiVirus, Web Filter, AntiSpam, DLP, NAC, Vulnerability Management, Traffic Shaping, WAN Optimization
• 2,500+ application control signatures
• 70 terabytes of threat samples
• 12,000 vulnerability management signatures
• 250 million rated websites in 78 categories
• 900 web application firewall attack signatures
Layer 3-7: Traffic prioritization and performance
(diagram: Client #1 and Client #2 sharing one access point)
• Clients and applications on wireless networks compete with each other for shared bandwidth
• 802.11e Wireless Multimedia Extensions (WME) do not solve this problem, because business applications like Remote Desktop, VNC, WebEx, etc. are not prioritized differently
• A FortiGate traffic shaping policy solves this problem:
  - Identify applications
  - Policy marking of TOS/DSCP
  - Rate limit unwanted apps
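The three actions on this slide (identify the application, mark DSCP, rate-limit the rest) map onto a shared shaper, an application control list and the firewall policy of the SSID. The block below is an added example written for this page in FortiOS 5.0-era syntax, not configuration from the webinar. The interface name "corp-wifi", the shaper and list names are placeholders, and the numeric application IDs are placeholders that must be replaced with the IDs of the intended applications from the unit's FortiGuard application database.

```fortios
# Added example, not from the webinar: shaping for slide 20.
# Names and application IDs are placeholders.

# Shapers: guaranteed bandwidth plus DSCP marking for business apps,
# a hard cap for unwanted ones. Bandwidths are in kbit/s.
config firewall shaper traffic-shaper
    edit "business-apps"
        set guaranteed-bandwidth 4096
        set maximum-bandwidth 20480
        set priority high
        # mark packets DSCP EF (101110 = 46) so switches and the WAN
        # honour the priority beyond the FortiGate
        set diffserv enable
        set diffservcode 101110
    next
    edit "unwanted-apps"
        set guaranteed-bandwidth 0
        set maximum-bandwidth 512
        set priority low
    next
end

# Application control identifies the apps and hands each class to a
# shaper in both directions; everything else passes unshaped.
config application list
    edit "wifi-app-shaping"
        config entries
            edit 1
                # placeholder IDs for Remote Desktop, VNC, WebEx ...
                set application 1 2 3
                set action pass
                set shaper "business-apps"
                set shaper-reverse "business-apps"
            next
            edit 2
                # placeholder IDs for apps to throttle rather than block
                set application 4 5
                set action pass
                set shaper "unwanted-apps"
                set shaper-reverse "unwanted-apps"
            next
        end
        set other-application-action pass
    next
end

# Attach the list to the policy carrying the SSID's traffic.
config firewall policy
    edit 10
        set srcintf "corp-wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set application-list "wifi-app-shaping"
        set profile-protocol-options "default"
    next
end
```

The shapers are attached to application entries rather than to the policy so that only the identified applications get the guarantee or the cap; a policy-level shaper would apply to every flow on the SSID. Application identification needs a few packets of a flow, so the first packets of each session are forwarded before the shaper takes effect.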
From AV to ATP (Advanced Threat Protection)
1. The FortiOS AV engine provides a local sandbox
2. Still-suspicious samples are sent for cloud sandbox analysis
3. Results are correlated across all FortiGuard services
4. Updates are pushed out by the FortiGuard network
Building blocks: botnet blacklist IP DB; behaviour / attribute based heuristic detection; antivirus in flow and proxy mode
APT Reactive & Proactive
• Fighting Advanced Persistent Threats
• >25 VB100 awards, VB100 RAP leaders
• >96% reactive and proactive detection
• 100% in-the-wild detection
Guest User Management Portal - login
Guest User Management Portal - New user
Guest Access to Secure Wireless LAN
• Temporary user provisioning and access
  o Allow non-IT staff to create guest accounts via the web portal
  o Assign a time quota
  o Generate a temporary password
  o Distribute guest credentials via SMS
  o Batch guest user creation option
• Enables guest access to the secure WLAN via a captive portal
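The guest portal of the previous two slides works on top of a guest-type user group, an administrator account confined to that portal, and an SSID that authenticates against the group through the captive portal. The block below is an added example written for this page in FortiOS 5.0-era syntax, not configuration from the webinar; the group, admin and SSID names, the password and the expiry values are placeholders, and the built-in "prof_admin" access profile is an assumption about the unit's defaults.

```fortios
# Added example, not from the webinar: guest provisioning for slide 27.
# Names, password, SSID and expiry are placeholders.
config user group
    edit "wifi-guests"
        set group-type guest
        # the portal generates the user name and a temporary password
        set user-id auto-generate
        set password auto-generate
        # collect a mobile number so the credentials can be sent by SMS
        set mobile-phone enable
        set sms-server fortiguard
        # time quota: 8 hours, counted from the guest's first login
        set expire-type first-successful-login
        set expire 28800
    next
end

# Non-IT staff get an admin account that can only reach the guest
# management portal for the groups listed. "prof_admin" is assumed to be
# the unit's built-in profile; guest-auth confines the account regardless.
config system admin
    edit "reception"
        set password "replace-with-a-strong-password"
        set accprofile "prof_admin"
        set guest-auth enable
        set guest-usergroups "wifi-guests"
    next
end

# Open SSID whose clients are redirected to the captive portal and must
# log in with a guest account before their traffic is forwarded.
config wireless-controller vap
    edit "guest-wifi"
        set ssid "Guest-WiFi"
        set broadcast-ssid enable
        set security captive-portal
        set selected-usergroups "wifi-guests"
        # guests cannot reach each other
        set intra-vap-privacy enable
    next
end

# Guests reach the Internet only, still through UTM; deliberately no
# policy from guest-wifi towards internal interfaces.
config firewall policy
    edit 20
        set srcintf "guest-wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set av-profile "default"
        set ips-sensor "default"
        set webfilter-profile "default"
        set profile-protocol-options "default"
    next
end
```

Because the guest SSID is open, the captive-portal login is the only thing standing between a passer-by and the Internet policy, and the air interface is unencrypted; the SMS delivery of a short-lived, auto-generated password and the expiry from first login keep that exposure bounded in time. Credentials typed into the portal travel in the clear unless the FortiGate presents the portal over HTTPS, so check that setting before enabling the SSID.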
Local users, remote users and Single Sign On
Local users
Remote users
Single Sign On:
• Microsoft Active Directory
• Novell eDirectory
• Citrix
• FortiAuthenticator
• RADIUS SSO
• NTLM
BYOD – Device Identification and Policy
Identification: device, user, application
Policies: enforcement on device/user/app
Granular Visibility and Control Applications
(diagram: Headquarters, Internet, remote telecommuter / road warrior, e.g. in a hotel)
• Data is encrypted
• Automatic connection to HQ
• Multiple devices can share the WiFi
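For the telecommuter case the AP must find the HQ controller across the Internet and the CAPWAP tunnel must carry the data encrypted, which is the "CAPWAP encrypted" option of the earlier slide. The block below is an added example written for this page, not configuration from the webinar: the first three lines are typed on the FortiAP's own console or SSH CLI, the rest on the HQ FortiGate in FortiOS 5.0-era syntax. The public address, profile name, SSID "corp-wifi" and the AP serial number are placeholders.

```fortios
# Added example, not from the webinar: remote FortiAP for slide 32.
# Address, names and the serial are placeholders.

# --- on the FortiAP, once, before handing it to the user ---
# discovery type 1 = static controller address; commit with cfg -c
cfg -a AC_DISCOVERY_TYPE=1
cfg -a AC_IPADDR_1=203.0.113.10
cfg -c

# --- on the HQ FortiGate ---
# accept CAPWAP from the Internet on the WAN interface
config system interface
    edit "wan1"
        append allowaccess capwap
    next
end

# AP profile for the remote model; dtls-enabled encrypts the CAPWAP
# data channel as well as the control channel, so user traffic is
# protected across the Internet until it reaches the controller
config wireless-controller wtp-profile
    edit "remote-fap11c"
        config platform
            set type 11C
        end
        set ap-country IT
        set dtls-policy dtls-enabled
        config radio-1
            set mode ap
            set band 802.11n
            # the corporate SSID is tunnelled, so the home user gets the
            # same policy and UTM inspection as at HQ
            set vaps "corp-wifi"
        end
    next
end

# authorize the AP by serial (placeholder) and attach the profile
config wireless-controller wtp
    edit "FP11C3X13000001"
        set admin enable
        set name "home-office-user1"
        set wtp-profile "remote-fap11c"
    next
end
```

The AP initiates the tunnel (UDP 5246 for control, 5247 for data), so it works from behind a home router's NAT without any configuration there. DTLS protects the tunnel, not the air interface: the SSID still needs WPA2 for the hop between the laptop and the AP in the hotel room.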
FAP-11C
Fortinet 802.11n AP family
Tiers:
• Versatility: 3x3, dual radio, dual band, 802.11ac / 802.11n
• Performance: 2x2, single radio, 802.11n
• Value: 1x1
Deployment: Remote, Outdoor, Indoor
Models: FAP-221B, FAP-222B, FAP-210B, FAP-320B, FAP-223B, FAP-112B (indoor/outdoor B series; FAP-222B is the outdoor unit), FAP-28C, FAP-14C, FAP-11C (remote C series)
FortiPlanner
Download from: http://planner.fortinet.net/update/publish.htm
• Planning tool
  » Up to 50 APs (free)
  » Unlimited (Pro license)
• Dynamic heat map
• Site survey (upgrade license)
Why Fortinet, Why Now!
Sensible
• Use the existing FortiGate, no additional licenses
• Well-rounded wireless features
• Fewer devices to manage, lower TCO
Sophisticated Simplicity
• Unified global management
• All-in-one appliance
• Business controls
High Security
• UTM cleansing of wireless traffic
• Rogue AP control for PCI
• In-house security experts
Thank you