Novità Soluzioni Wireless Fortinetsidin.it/upload/workdoc/12_09_13_Le novità delle Soluzioni Wireless.pdfIntroduzione: - FortiGate Wireless Controller - Implementazione soluzione

1

September 13, 2013

Novità Soluzioni Wireless Fortinet

Dr Aldo Di Mattia, CISSP

Systems Engineer

Fortinet

Webinar Fortinet Italia 12/09/2013

2

Introduzione:

- FortiGate Wireless Controller

- Implementazione soluzione wireless

Mai Wireless più sicuro:

- Rilevazione, classificazione e risoluzione attacchi rogue

- Wireless Intrusion Detection System

- UTM completo

Dall'AntiVirus alla nuova Protezione Avanzata delle minacce:

- Nuovo sistema ATP (Advanced Threat Protection)

- Sandbox Locale e in Cloud

Autenticazione:

- WPA, WPA2, 802.1X, PSK

- Single Sign On, NTLM e portale autenticazione

- Gestioni utenti Guest

Modelli Access Point Fortinet:

- Per uso interno ed esterno

- Per l'accesso da remoto

Agenda

3

Fortigate

4

Ubiquitous Access

Wireless Access

Wired Access

Remote Access

(RAP, VPN Client)

Unified Access Layer

DIGITAL ASSET • Content Inspection

• Attack Mitigation

• User Identification

• Access Control

5

Wireless Solutions: Thick vs. Thin Fortinet APs

FortiWifi

FortiAP

6

FortiGate Wireless Controller

20+ FortiGate Platforms

5 AP/100user to 10,000 AP / 32K user capacity

7

Adding Access Points

8

Create New SSIDs

9

Automatic Interface creation per SSID

10

Edit Access Points and SSID association

11

FortiAP – CAPWAP & CAPWAP encrypted

• Traffic flows to controller

• Increased control

• No trunking

• No VLAN management

• No Layer-3 roaming, just fast

Layer-2 switching

• No need to re-DHCP

• Controller Redundancy

12

Headquarter

• Bridges WiFi trafic to

FortiAP Ethernet port

• No u-turn to HQ to

access local network

• Resiliency in case of

WAN failure

WAN

FortiAP – Bridging (Local and Remote application)

Internet Branch

13

Signal optimizations

• AP Handoff oBalancing Access point

• Frequency Handoff oBalancing between Radio

• Auto TX Power Control oChanges radio transmission power settings automatically

• Automatic Radio Resource Provisioning oAutomatically assigns non-overlapping channels

oChanges channel and TX power to avoid RF interference impacting Wireless LAN

oSelects channels with least noise and interference

• Beamforming (FAP-221B/FAP-223B/FAP-320B)

oRadio “beams” add at the device to enhances the signal and link-rate

14

Wireless Mesh

• Dynamic Multi-hop Mesh with resiliency

• Point-to-point / Multipoint Bridging

15

Introduzione:






- UTM completo




Autenticazione:







Agenda

16

Fortinet Secure WLAN Approach

Corporate

Wi-Fi

Captive Portal, 802.1x—Radius /shared key

Assign users and devices to their role

Examine wireless traffic to remove threats

Apply policy to users/devices and applications

Identify applications and destinations

Report on policy violations, application usage, destinations and PCI DSS

Ensure business traffic has priority

No additional licenses needed

17

Layer 1: Rogue AP Detection & Suppression

Rogue AP Detection » Determines whether an AP is indeed a Rogue

device connected to your physical wired LAN

network

Rogue AP suppression » ‘DeAuthentication Frames’ are sent to render

unauthorized Rogue AP’s unusable by clients

18

Layer 2: WIDS

Wireless Intrusion Detection System

• WiFi protocol & RF level attack detection

• Detection includes attacks & vulnerabilities

such as:

» Weak WEP Encryption Usage

» Null SSID Probes

» Deauth Broadcasts

» Various Management , EAP, Auth & Beacon floods

19

Layer 3-7: FortiGate UTM features

Firewall VPN IPS App. Ctrl AntiVirus Web Filter

AntiSpam DLP NAC Vuln Mgmt Traffic Shaping WAN opt.

2,500+ Application

control signatures

70 Terabytes Of Threat Samples

12,000 Vulnerability

management signatures

250 Million Rated websites in

78 categories

900 Web application firewall

attack signatures

20

Layer 3-7: Traffic prioritization and performance

Client #1 Client #2

• Clients and applications on

wireless networks compete

with each other for shared

bandwidth

• 802.11e Wireless Multimedia

Extensions (WME) doesn't

solve this problem, as

Business applications like

Remote Desktop, VNC,

Webex, etc. are not be

prioritized differently

• FortiGate with Traffic Shaping

Policy solve this problem

Identify

Applications

Policy Marking of

TOS/DSCP

Rate Limit

Unwanted Apps

21

Introduzione:






- UTM completo




Autenticazione:







Agenda

22

From AV to ATP (Advanced Threat Protection)

FortiOS AV

Engine Provides

Local Sandbox

Still Suspicious

Samples Sent for

Cloud Sandbox

Analysis

Results are correlated

across all FortiGuard

Services

Updates pushed out by

FortiGuard Network

Botnet blacklist IP

DB Behavior / Attribute

based Heuristic

detection

Antivirus flow &

proxy mode

23

• Fighting Advanced Persistent

Threats

• >25 VB100 Awards, VB100

RAP Leaders

• >96% Reactive and Proactive

Detection

• 100% In the Wild Detection

APT Reactive & Proactive

24

Introduzione:






- UTM completo




Autenticazione:







Agenda

25

Guest User Management Portal - login

26

Guest User Management Portal - New user

27

Guest Access to Secure Wireless LAN

• Temporary user Provisioning & Access

oAllow non-IT staff to create Guest account via

web portal

oAssign time quota

oGenerate temporary password

oDistribute guest credentials:

• Print

• Email

• SMS

oBatch guest users creation option

• Enables Guest Access to the Secure

WLAN via a Captive Portal

28

Local users, remote and Single Sign On

Local Users

Remote

Single Sign On:

• Microsoft Active Directory

• Novel eDirectory

• Citrix

• FortiAuthenticator

• Radius SSO

• NTLM

29

BYOD – Device Identification and Policy

Identification • Device

• User

• Application

Policies • Enforcement on Device/User/App

30

Granular Visibility and Control Applications

31

Introduzione:






- UTM completo




Autenticazione:







Agenda

32

Headquarter

Remote Telecommuter / Road Warrior

Internet

• Data is encrypted

• Automatic connection to HQ

• Multiple devices can share WiFi

Hotel

http://www.crunchbase.com/product/ipad

33

FAP-11C

34

Fortinet 802.11n AP family

3x3

Versatility

D

ual R

adio

Dual B

and

802.1

1A

C

802.1

1n

2x2 Performance

Sin

gle

Radio

802.1

1n

1x1

Value

Remote Outdoor Indoor

FAP-221B FAP-222B

FAP-210B

FAP-320B

FAP-223B

FAP-112B

FAP-28C

FAP-14C

FAP-11C

35

Download from:

http://planner.fortinet.net/update/publish.htm

• Planning tool

» Up to 50 APs (Free)

» Unlimited (Pro license)

• Dynamic Heat Map

• Site-Survey (Upgrade License)

FortiPlanner

36

Why Fortinet, Why Now!

• Use existing FortiGate, No additional Licenses

• Well rounded wireless features

• Less devices to manage Lower TCO

Sensible

Sophisticated Simplicity

•Unified global management

•All-in-one appliance

•Business controls

High Security

•UTM cleansing of wireless

•Rogue AP control for PCI

•In-House Security Experts

37

September 13, 2013

Dr Aldo Di Mattia, CISSP

Systems Engineer

Fortinet

Webinar Fortinet Italia 12/09/2013

Grazie

Documents

Novità Soluzioni Wireless Fortinetsidin.it/upload/workdoc/12_09_13_Le novità delle Soluzioni Wireless.pdfIntroduzione: - FortiGate Wireless Controller - Implementazione soluzione