Internal Network Firewall (INFW) Protecting your network ... · Multi-Function Gateway Data Center...
© Copyright Fortinet Inc. All rights reserved.
Internal Network Firewall (INFW)
Protecting your network from the inside out
Ted Maniatis, SE – Central Canada
Fortinet Technologies
Data Connectors 2015
2
Agenda
Internal Security Threats and Challenges
Introducing Internal Network Security
Meeting Customer Requirements – INFW Deployment
Customer Scenarios
The Fortinet Advantage
3
A Global Leader and Innovator in Network Security
Fortinet Quick Facts
Platform Advantage built on key innovations
• FortiGuard: industry-leading threat research
• FortiOS: tightly integrated network + security OS
• FortiASIC: custom ASIC-based architecture
• Market-leading technology: 196 patents, 162 pending
Founded November 2000, 1st product shipped 2002, IPO 2009
HQ: Sunnyvale, California
Employees: 3000+ worldwide
Consistent growth, gaining market share
Strong positive cash flow, profitable
• Revenue: $13M (2003) to $770M (2014)
• Cash: $16M (2003) to ~$1B (2014)
Global presence and customer base
• Customers: 225,000+
• Units shipped: 1.9+ Million
• Offices: 80+ worldwide
Based on Q4 and FY 2014 data
4
Fortinet Advantage - GLOBAL Platform
FortiOS Enables Networking & Security Convergence, Security Consolidation
Firewall
VPN
Application Control
IPS
Web Filtering
Anti-malware
WAN Acceleration
Data Leakage Protection
WiFi Controller
Advanced Threat Protection
SaaS Gateway
Management
• Single management console
• Common platform across all size deployments
• Deploy what you need, where you need it
• Consistent, coordinated policy
• Consolidated infrastructure
• Faster and more robust response to threats, decreased risk exposure
• Lower admin burden, easier to maintain infrastructure
• Frees up IT resources to be reallocated to strategic projects
• Fewer user complaints
5
Advanced Threats Take Advantage of the “Flat Internal” Network
• Existing firewalls focused on the border
• Internal network no longer “trusted”
• Many ways into the network
• Once inside, threats can spread
6
Time to Discovery of a Breach is Not Keeping Up
• Wide gap between percentages for the two phases
• Time to compromise accelerating faster than discovery
• Once inside, what can be done to contain and minimize the attack?
*Verizon DBIR 2014
[Chart: percent of breaches where time to compromise (red) / time to discovery (blue) was days or less, by year, 2004 to 2013; y-axis 25% to 100%]
7
Internal Security is Integral to a Layered Security Approach
• What is Recommended
» Inside-out visibility
» Internal segmentation
» Easy deployment and administration
What is Internal Security?
DMZs, firewalls, IDS, gateway AV
Protects against attacks from within
Client security controls
8
Business Drivers for Internal Security
Business Driver | IT Pain Point
Prevent Business Disruption | Stop spread of malware; ensure application and network availability
Revenue & Profitability | Reduce costs associated with recovery and remediation; minimize IT activity
Regulatory Compliance | Ensure confidentiality / integrity of information
9
Too Many Ways In…
Endpoint
Multi-Function Gateway
Data Center
Cloud
WAN
External Network (Multi-Megabit)
AV Signature Only Protection
Less Trustworthy Networks/Subsidiary
Security out of your Control
Not every Security App switched on
Internet
More Customer/Partner Access
Security Becomes a Bottleneck
Too Many Point Solutions
No Security Agents
“FLAT” Internal Network Architecture
Internal Network (Multi-Gigabit)
10
Too Many Ways In… Rethink Your Architecture
Endpoint
Multi-Function Gateway
Data Center
Cloud
WAN
AV Signature Only Protection
Less Trustworthy Networks/Subsidiary
Security out of your Control
Not every Security App switched on
More Customer/Partner Access
Security Becomes a Bottleneck
No Security Agents
INFW
INFW
INFW
INFW
External Network (Multi-Megabit)
Internal Network (Multi-Gigabit)
Internet
Too Many Point Solutions
Internal Network Firewall
• 100G+ Performance
• Ease of Deployment
• Protection
11
Introducing: Internal Network Firewall (INFW)
• Complete Protection – Continuous inside-out protection against advanced threats
• Easy Deployment – Default Transparent Mode means no need to re-architect the network
• High Performance – Multi-Gigabit throughput supports wire speed East-West traffic
LOCAL SERVERS, USER NETWORK, DEVICES
To Internet
Core/Distribution Switch
Access Switch/VLAN
DISTRIBUTION/CORE LAYER
ACCESS LAYER
• FortiGate wire intercept using transparent port pair
• High speed interface connectivity
• IPS, ATP & App Control
12
Internal Network Firewall – How is it different?
Deployment | INFW | NGFW | UTM | DCFW | CCFW
Purpose | Visibility & protection for internal segments | Visibility & protection against external threats and internet activities | Visibility & protection against external threats and user activities | High performance, low latency network protection | Network security for Service Providers
Location | Access Layer | Internet Gateway | Internet Gateway | Core Layer/DC gateway | Various
Network Operation Mode | Transparent Mode | NAT/Route Mode | NAT/Route Mode | NAT/Route Mode | NAT/Route Mode
Hardware requirements | Higher port density to protect multiple assets, hardware acceleration | GbE and GbE/10 port | High GbE port density, integrated wireless connectivity and PoE | High speed (GbE/10 GbE/40 GbE/100) & high port density, hardware acceleration | High speed (GbE/10 GbE/40 GbE, GbE/100) & high port density, hardware acceleration
Security Components | Firewall, IPS, ATP, Application Control | (User-based) Firewall, VPN, IPS, Application Control | Comprehensive and extensible, client and device integration | Firewall, DDoS protection | Firewall, CGN, LTE & mobile security
Other Characteristics | Rapid Deployment – near zero configuration | Integration with Advanced Threat Protection (Sandbox) | Broad WAN connectivity options including 3G/4G/LTE | High Availability | High Availability
14
Firewall Deployment Modes
Deployment Mode | Deployment Complexity | Network Functions | High Availability | Traffic Visibility | Threat Prevention
Network Routing | High | L3 – L7 | � | � | �
Transparent | Low | L1 – L2 | � | � | �
Sniffer | Low | � | � | � | �
Transparent mode combines the advantages of Network Routing and Sniffer mode
28
INFW – Customer Scenarios
Existing FortiGate customers
• Requirements
» Protection against advanced threats
• Benefits
» Multi-layered attack prevention
» Network segmentation prevents spread of malware
» Reduced costs with security management
New customers with legacy firewalls
• Requirements
» Application visibility, address weaknesses in legacy competitive firewalls
• Benefits
» Instant application visibility with default Transparent Mode deployment
» Advanced threat protection
» Network segmentation prevents spread of malware
29
Awards & Certifications Partnerships & Industry
35 Awards
Founded by Fortinet; additional members include Palo Alto Networks, McAfee and Symantec
Fortinet Advantage – SECURE
FortiGuard Labs Is An Industry Leader in Threat Research
30
Unparalleled Independent 3rd Party Certification
Description | Fortinet | Check Point | Cisco | Palo Alto Networks | Juniper | FireEye
NSS - Firewall NGFW | Recommended | Recommended | Recommended & Neutral | Caution | Caution | x
NSS - Firewall DC | Recommended | x | x | x | x | x
NSS - Breach Detection | Recommended | x | Recommended | x | x | Caution
NSS - WAF | Recommended | x | x | x | x | x
NSS – Next Gen IPS | Recommended | x | Recommended | Neutral | x | x
NSS - IPS (DC) | ✔ | ✔ | x | x | Caution | x
BreakingPoint Resiliency | Record High - 95 | x | x | Poor - 53 | x | x
ICSA Firewall | ✔ | ✔ | x | ✔ | ✔ | x
ICSA IPS | ✔ | ✔ | x | x | x | x
ICSA Antivirus | ✔ | x | x | x | x | x
ICSA WAF | ✔ | x | x | x | x | x
VB 100 | ✔ | Caution | x | x | x | x
AV Comparative | ✔ | x | x | x | x | x
Common Criteria | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
FIPS | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
Contains results from the latest published NSS Labs reports. x = did not participate, not certified
31
NSS Labs Validates Our Advantage
• Fortinet is “Recommended” while top competitors are not
[Charts: NGFW and Breach Detection. X-axis = TCO per protected Mbps; Y-axis = Security Effectiveness; upper right quadrant = “Recommended”; lower left quadrant = “Caution”]
32
The Fortinet Secured Network
Broad Complementary Security Portfolio
FortiDB: Database Protection
FortiClient: Endpoint Protection, VPN
FortiToken: Two Factor Authentication
FortiSandbox: Advanced Threat Protection
FortiClient: Endpoint Protection
FortiGate: NGFW
FortiAuthenticator: User Identity Management
FortiManager: Centralized Management
FortiAnalyzer: Logging, Analysis, Reporting
FortiADC: Application Delivery Control
FortiWeb: Web Application Firewall
FortiGate: DCFW
FortiGate: Internal NGFW
FortiDDoS: DDoS Protection
FortiMail: Email Security
FortiGate VMX: SDN, Virtual Firewall
FortiAP: Secure Access Point
DATA CENTER
BRANCH OFFICE
CAMPUS
FortiGate: Cloud
FortiWiFi: UTM
FortiGate: Top-of-Rack
FortiCamera: IP Video Security
FortiVoice: IP PBX Phone System
FortiGate: Next Gen IPS
FortiExtender: LTE Extension
33
Wide Product Range for Every Segment
MSSP ✔ ✔ ✔ ✔ ✔ ✔ ✔
Carrier ✔ ✔ ✔
Data Center / Cloud ✔ ✔ ✔ ✔
Enterprise ✔ ✔ (Branch) ✔ (Branch) ✔ (Branch) ✔ (Campus) ✔ (Campus)
Distributed Enterprise ✔ ✔ ✔ ✔ ✔ ✔ ✔
SMB ✔ ✔ ✔ ✔
Model: 20-90 Series, 100 Series, 200 Series, 300-800 Series, 1000 Series, 3000 Series, 5000 Series
Product Range: Entry Level, Mid Range, High End
*Key Hardware Features: PoE, Switch, WiFi; PoE, High Density GE; High Density GE; High Density GE, 10 GE; 10 GE, 40 GE; Chassis & Blades
* May be available as hardware variants
34
Per Minute
• 25,000 Spam emails intercepted
• 390,000 Network Intrusion Attempts resisted
• 83,000 Malware programs neutralized
• 160,000 Malicious Website accesses blocked
• 59,000 Botnet C&C attempts thwarted
• 39 million Website categorization requests
Per Week
• 47 million New & updated spam rules
• 100 Intrusion prevention rules
• 2 million New & updated AV definitions
• 1.3 million New URL ratings
• 8,000 Hours of threat research globally
Total Database
• 170 Terabytes of threat samples
• 17,500 Intrusion Prevention rules
• 5,800 Application Control rules
• 250 million Rated websites in 78 categories
• 173 Zero-day threats discovered
Based on Q1 2015 data
Image: threatmap.FortiGuard.com
Fortinet Advantage – SECURE
FortiGuard Labs Threat Research
35
The Fortinet Advantage
• Best multi-layered protection on the market
• Best performance for internal protection
• Out-of-the-box Transparent Mode for easy deployment