© Copyright Fortinet Inc. All rights reserved.
FortiAuthenticator: User Authentication and Identity Management
Last Updated: 17th April 2015
FortiAuthenticator Overview
Answering your authentication challenges

Authentication and Authorization
• RADIUS, LDAP, 802.1X, RADIUS Proxy
• SSO Mobility Agent
• Web based login widget

Two Factor Authentication
• FortiToken, physical and mobile
• Tokenless, via SMS and email

Certificate Management
• X.509 Certificate Signing, Certificate Revocation
• Remote Device / Unattended Authentication

Fortinet Single Sign On
• Active Directory
• Agent or agentless
• Third party systems via RADIUS, Syslog and API Integration

[Diagram: FortiAuthenticator at the centre of Two-factor Auth, User Identity, Wireless Auth and FSSO, connected to FortiGate and FortiAP]
FortiAuthenticator Overview: Features & Benefits

[Diagram: User Authentication and Identity Management, covering User Identity, Two-factor Authentication and Wireless Authentication]

Secure access to your organization's systems and data with identity based policy and two-factor authentication
» Control access to your intellectual property

Enable secure remote and guest network access whilst retaining control over security
» Allow business to flourish but not to the detriment of security

Reduce the operational burden of local and guest user management
» Identify users and apply granular user policy
» Integrate with existing user repositories (AD, LDAP)
» User lifecycle management workflow

Confidential
FortiAuthenticator Use Cases: Two-factor Authentication

Enable strong password security across your network and application estate
» Secure remote access to critical systems

Reduce operational overheads
» Self-service password reset
» Integration with existing LDAP and AD databases
» Built in lost token workflow
» Migration strategy from third-party vendor tokens

[Diagram: username, password and token are checked by FortiAuthenticator against LDAP / Active Directory before access to protected devices is granted]
FortiAuthenticator Use Cases: Two-factor Authentication

Support for a wide range of secure authentication methods: physical, mobile, tokenless, certificate (BYOD) and API

Flexible range of token formats to suit all deployment requirements
» OATH compatible TOTP (time) based tokens (FTK200)
» USB certificate tokens (FTK300)
» FortiToken Mobile for Android, iOS and Windows Mobile
» SMS and Email tokens

Supports any RADIUS capable device
» Juniper, Cisco, F5, Array, Citrix etc.
» Microsoft Windows Domain Login and OWA
FortiAuthenticator Use Cases: Two-factor Authentication

FortiToken Mobile: supports Android, iOS and Windows Mobile
» 6 or 8 digit passcode, 30 or 60s refresh
» Free install, supports other TOTP & HOTP OATH tokens e.g. Google, Dropbox, Amazon
» QR Code provisioning support
» PIN protection enforced from FAC

Perpetual license
» Can be reissued if device is lost
» Can be reissued if user leaves the organization
FortiAuthenticator Use Cases: Wireless Authentication

Centralized WiFi Authentication
» Authenticate users (PEAP, EAP-TTLS) and machines
» Certificate based device authorization (EAP-TLS) for BYOD environments
» In open guest or visitor networks, FortiAuthenticator can provide captive portal functions

[Diagram: FortiAP, FortiGate and FortiAuthenticator]
FortiAuthenticator Use Cases: Guest Management

User Self-registration
» Collection of user details
» Option to SMS login details (proof of identity)
» Receptionist registration option
» Time limited accounts
» Delete expired accounts
» Support multiple locations
» Coming soon: Facebook, Google, LinkedIn, Twitter login

[Diagram: FortiAP, FortiGate and FortiAuthenticator]
FortiAuthenticator Use Cases: Fortinet Single Sign-On

Identify users and apply identity based security policy
» FortiAuthenticator transparent user identification collects and embellishes user identity information
» Allows FortiGate, FortiMail and FortiCache devices to apply appropriate policy based on user identity and role
» Granular control of network and application access

[Diagram: Staff, Admin and Guest users mapped to Corporate Resources and Guest Access; define who can access what and when]
FortiAuthenticator Use Cases: Fortinet Single Sign-On, Transparent User Identity

Identity sources from AD & Windows and from generic sources, collected by FortiAuthenticator and forwarded to FortiGate:
• RADIUS Accounting Records
• FortiClient SSO Mobility Agent
• Active Directory Polling
• Login Portal & Widgets
• REST API
• Syslog
• Kerberos with NTLM Fallback
• TS and AD Collector Agents
FortiAuthenticator Use Cases: Certificate Authority

Simplifies the task of certificate management
Issue certificates for multiple uses:
» VPN Authentication
» Wireless 802.1X (PEAP, EAP)
» Windows Desktop Authentication
» Compatible with FTK300 USB PKI Certificate Store

[Diagram: a certificate marked REVOKED]
FortiAuthenticator Use Cases: Certificate Based VPN

Strengthen and simplify VPN security
» Certificate based VPN enhances traditional pre-shared keys with a second factor
» Revoke certificates if a device is lost (OCSP)
» Zero touch certificate distribution (SCEP)
» Integration with FortiManager to simplify deployment
FortiAuthenticator Use Cases: RADIUS Accounting Proxy

Integrates Carrier/ISP networks with Fortinet RADIUS Single Sign-on
» Minimises changes needed to critical business systems
» Takes the additional load by duplicating RADIUS Packets
» RSSO used to apply Identity Policy for FortiGate, FortiMail and FortiCache

[Diagram: Carrier / ISP RADIUS Server → RADIUS Accounting → FortiAuthenticator → RADIUS Accounting]
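An added example (not Fortinet code and not how FortiAuthenticator's proxy is built) of the data an RSSO consumer works from: it parses a RADIUS Accounting-Request (RFC 2866), checks the Request Authenticator against the shared secret before trusting the User-Name / Framed-IP-Address pair, and keeps the IP-to-user table that identity policy is applied from. Shared secret, user, IP and packets are all constructed here; a record whose authenticator does not verify must never update the identity table.

```python
import hashlib
import struct
ACCT_REQUEST = 4                                   # RADIUS packet code
USER_NAME, FRAMED_IP, ACCT_STATUS_TYPE = 1, 8, 40  # attribute types (RFC 2865/2866)
START, STOP = 1, 2                                 # Acct-Status-Type values

def parse_avps(payload: bytes) -> dict:
    """Walk the Type-Length-Value attribute list, rejecting bad lengths."""
    avps, i = {}, 0
    while i < len(payload):
        alen = payload[i + 1] if i + 1 < len(payload) else 0
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute")
        avps[payload[i]] = payload[i + 2:i + alen]
        i += alen
    return avps

def parse_accounting(packet: bytes, secret: bytes) -> dict:
    """AVPs of an Accounting-Request whose authenticator MD5(code+id+len+16 zero bytes+attrs+secret) verifies."""
    code, _ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        raise ValueError("not an Accounting-Request")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + attrs + secret).digest()
    if packet[4:20] != expected:
        raise ValueError("bad Request Authenticator: wrong secret or tampered")
    return parse_avps(attrs)

def ingest(sessions: dict, packet: bytes, secret: bytes) -> bool:
    """Start adds ip -> user, Stop removes it; False = rejected, table untouched."""
    try:
        avps = parse_accounting(packet, secret)
        ip = ".".join(str(b) for b in avps[FRAMED_IP])
        status = struct.unpack(">I", avps[ACCT_STATUS_TYPE])[0]
        user = avps[USER_NAME].decode(errors="replace")
    except (ValueError, KeyError, struct.error):
        return False
    if status == START:
        sessions[ip] = user
    elif status == STOP:
        sessions.pop(ip, None)
    return True

def build_accounting(ident: int, secret: bytes, user: str, ip: str, status: int) -> bytes:
    """Constructed Accounting-Request, as the carrier/ISP RADIUS server would send it."""
    fields = {USER_NAME: user.encode(), FRAMED_IP: bytes(map(int, ip.split("."))),
              ACCT_STATUS_TYPE: struct.pack(">I", status)}
    attrs = b"".join(struct.pack(">BB", t, len(v) + 2) + v for t, v in fields.items())
    header = struct.pack(">BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest() + attrs
```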
FortiAuthenticator Use Cases: High Availability and Scalability

Active-Passive High Availability
» Local sync with failover
» Supports all features

Active-Active Config Sync
» Geographic distribution
» Load balance across devices (scalability)
» Supports authentication feature sync (not FSSO)
» Can be combined with Active-Passive HA (A-P Master, standalone slaves)
Case Studies
Case Study: Medium Enterprise Identity Management

Organization and Challenge
» Multiple user groups / domains
» Online retail organization with mobile workforce and widespread BYOD adoption
» Incumbent Cisco wireless network; customer thought Cisco was the only option for gateway Identity Policy

Why We Won
» Ability to consume user identity from Cisco wireless network (via RADIUS Accounting)
» Fully inclusive guest management and registration features

What They Bought
» 2x FortiAuthenticator 200D (HA)
» 2x FortiGate 600C (HA)
» Still in the game for WiFi refresh

Who We Beat
» Cisco

Cisco tried to claim that the only way to perform Identity Based Firewalling was using their own ISE and ASA. FortiAuthenticator proved this wrong and has kept Fortinet in the running for the WiFi refresh.

[Diagram: WAN, remote workers and guests authenticating through FortiAuthenticator and FortiGate]
Case Study: Local Government Identity Management

Organization and Challenge
» Multiple user groups / domains
» Regional govt. requiring transparent identity aware firewalling
» 5,000 users with granular permissions across 3 domain controllers, 2 domains

Why We Won
» Multiple identity detection methods
» AD Polling combined with RADIUS (VPN) and guest portal
» Fully inclusive guest management and registration features

What They Bought
» 2x FortiAuthenticator 1000D (HA)
» 2x FortiGate 1000D (HA)

Who We Beat
» Juniper, CheckPoint, SonicWall

[Diagram: WAN, remote workers and guests; FAC gathers user identity and forwards it to FGT]
Case Study: Enterprise Identity Management

Organization and Challenge
» 90 Remote Sites
» Multinational enterprise with 3 Datacenters, 90 branches and 17,000 users throughout the world
» Mobile workforce means users could be on any site

Why We Won
» Performance and scalability of user identity detection
» Selective distribution of login events to local site and core

What They Bought
» 3 x FortiAuthenticator 3000D
» 9 x FortiGate 3600C
» 90 x FortiGate 110C

Who We Beat
» PaloAlto, Juniper

[Diagram: WAN linking 3 Datacenters with FortiGate Clusters and Active Directory; FAC gathers user identity and selectively forwards identity to the relevant FGT]
Case Study: Enterprise Two-Factor Auth

Organization and Challenge
» Network Operations Center
» Enterprise organization requiring secure multi-factor authorization for a heterogeneous range of devices
» Integration with existing LDAP/AD infrastructure

Why We Won
» Secure provisioning strategy (CD)
» Physical and Soft token support
» Support for wide range of client devices and Windows Desktop login

What They Bought
» 2 x FortiAuthenticator 400C
» 100 x FortiToken 200
» 500 x FortiToken Mobile

Who We Beat
» RSA, Safenet

[Diagram: home workers reaching multiple datacenters over the Internet via FortiAuthenticator]
FortiAuthenticator Ordering Information

FortiAuthenticator 200D: Small / Mid Enterprise Deployments
• Support up to 500 users
• HDD – 1 x 1TB
• 4 x 10/100/1000
• Rack Mountable, 1U
• Single AC PSU

FortiAuthenticator 400C: Mid Enterprise Deployments
• Support up to 2,000 users
• HDD – 1 x 1TB
• 4 x 10/100/1000
• Rack Mountable, 1U
• Single AC PSU

FortiAuthenticator 1000D: Large Enterprise/Service Provider Deployments
• Support up to 10,000 users
• HDD – 2 x 2TB
• 4 x 10/100/1000
• 2 x SFP
• Rack Mountable, 2U
• Dual AC PSU

FortiAuthenticator 3000D: Large Enterprise/Service Provider Deployments
• Support up to 40,000 users
• HDD – 2 x 2TB
• 4 x 10/100/1000
• 2 x SFP
• Rack Mountable, 2U
• Dual AC PSU

FortiAuthenticator VM: All Sized Deployments from SME to Service Provider
• From 100 to 1M+ users
• Unlimited CPU
• Unlimited RAM

**Fully Stackable User Licensing**
Competitive

Feature Comparison: FortiAuthenticator vs FortiGate

Area | Feature | FortiGate | FortiAuthenticator
Auth | Two-factor Auth w. FortiToken | |
Auth | Multiple FortiGate per token | |
Auth | Support third party vendors | |
Auth | User password reset | |
Auth | User self registration | |
Auth | Support multiple realms | |
FSSO | AD Polling | |
FSSO | DC & TS Agent | |
FSSO | Kerberos | |
FSSO | RADIUS Accounting | ✗ (FSSO), (RSSO) | (Both)
FSSO | Syslog | |
Competitive Landscape

[Diagram: FortiAuthenticator positioned across Two-factor Auth, User Identity and Wireless Auth]
Feature Comparison – User Identity
Vendors compared: FortiAuth, PaloAlto User-ID, Cisco Identity Services Engine, Juniper Pulse UAC *, Checkpoint Identity Awareness Blade

Identity – Microsoft Windows Environments
• DC Polling
• DC Agent
• Terminal Services Agent
• Kerberos
• Microsoft Exchange

Identity – Non-Microsoft Windows Environments
• Endpoint Agent
• Captive Portal
• Embeddable Widgets
• SYSLOG
• Open API (IF-MAP)
• RADIUS Accounting

Authorization
• LDAP/AD
• Local override

* Note that the Pulse product line is now owned and supported by Pulse Secure
Feature Comparison – Two Factor Auth
Vendors compared: FortiAuth, Safenet, RSA, Vasco (vendor cells listed left to right, separated by |)

Deployment
• Appliance
• Software
• Virtual Machine
• Cloud

Tokens
• Physical Token: ✓ (Time), (Event), ✓ (USB Cert) | ✓ (Time), ✓ (Event), ✓ (USB Cert) | ✓ (Time)
• Mobile Token: ✓ (iOS), ✓ (Android), ✓ (WinMo), ✓ (BB) | ✓ (iOS), ✓ (Android), ✓ (WinMo), ✓ (BB) | ✓ (iOS), ✓ (Android), ✓ (WinMo), ✓ (BB)
• Desktop Token: (Mac), (Win) | ✓ (Mac), ✓ (Win) | ✓ (Mac), ✓ (Win)
• Tokenless: ✓ SMS, ✓ Email | ✓ SMS, ✓ Email, ✓ GrIDsure | ✓ SMS, ✓ Email

Agents
• Windows Domain 2FA
• Outlook Web Access 2FA
• Sharepoint: Roadmap

Integration
• Auth Methods: ✓ RADIUS, ✓ LDAP, SAML, ✓ API | ✓ RADIUS, LDAP, ✓ SAML, ✓ API
• External User repositories: ✓ Local, ✓ AD, ✓ LDAP, ✓ RADIUS | ✓ AD, ✓ LDAP, RADIUS, ✓ MSSQL | ✓ AD, ✓ LDAP (Oracle only)
• User Self Service