Presentation on theme: "This presentation is designed to act as an introduction to Fortinet"— Presentation transcript:
1 Fortinet @ Data Connectors
This presentation is designed to act as an introduction to Fortinet. Typical audience is business and technical decision makers in mid to large enterprise customers. Appropriate for Executive Briefing type situations lasting about an hour.
Securing the Elastic Data Centre
Rafi Wanounou – Systems Engineering Manager
2 Agenda
- Fortinet Introduction
- Threats to the Data Centre
- APT’s
- BYOD
- Virtual Workloads; Clouds; Commodity Clouds
- NGFW – Apps and more Apps…
- Just a little bragging;
- Q&A
First, we’ll provide a brief overview of Fortinet and why our approach is different from other security technology vendors. Next, we’ll show how our technologies can provide solutions to your most pressing business problems. And finally, we provide a brief overview of Fortinet technologies and products.
3 Fortinet Corporate Overview
- Market Leader: UTM - Fast-growth security segment
- Advanced technology and products: 95+ patents; 115+ pending
- Strong global footprint: 1,900+ employees; 30 offices worldwide
- Blue chip customer base: 100,000 customers (incl. majority of Global 100)
- Exceptional financial model: FY12 revenues: $534M (24% YoY growth); Q412 revenues: $155M (25% YoY growth); Strong balance sheet: $650M+ in cash; no debt
- IPO - November 2009
[Chart: FORTINET REVENUE ($MM), 48% CAGR; values shown: $434, $325, $252, $212, $155, $123, $80, $39, $133]
First, a brief overview of Fortinet.
4 Threats to the Data Centre
- APT’s and other sophisticated multi-faceted attacks against Applications.
- Targeted precision strikes – adversaries with customized weapons.
- Virtual Workloads in Motion
- Unmanaged Devices with corporate information present
- The application explosion and what to do with them all??
5 APT’S – So Called Advanced Persistent Threats
- Adversaries with specific goals and objectives.
- Custom payloads and weapons designed for a targeted strike.
- Can enter via any medium; ; web; unmanaged device; USB key (Stuxnet).
- Adversaries have a well established target and map of the datacentre.
- Traditional tools such as desktop AV becoming of less and less value.
- Advanced recon being performed to evade victim specific defenses.
6 APT’S – So Called Advanced Persistent Threats
Misconception #1: More Signatures = Higher Protection
Reality:
- # Sigs actually decreasing through consolidation
- VB RAP Score > 90%
- 1 sig / multiple variants
- Role-based policy
- control destination & service based on user identity and/or group membership.
- WiFi single sign-on
- Notifying end user what happened to their traffic
- In line tip on browser
- RADIUS based group membership (dynamic profile)
- Mobile phone based token for two factor authentication
7 APT’S – So Called Advanced Persistent Threats
Misconception #2: Antivirus Engines are just Pattern Matching
Reality:
- Fortinet AVEN is highly intelligent, does local ‘Sandbox’
- Dynamic decryption & execution environment
- Example: Botnet server zombie downloads
- After decrypt: CPRL matching + behavior analysis
8 APT’S – So Called Advanced Persistent Threats
Misconception #3: Sandboxing is the answer to APT
Reality:
- Malware is VM environment aware -- “VM Evasion”
- Fortigate AVEN does not use regular VM hooks
- Even when effective to identify malware, technique still relies on regular pattern matching signatures.
- DEAD DATA! – No Feedback Loop!!!!
9 FortiGuard Analytics: Harness the Cloud
The Value of FortiGuard
- Suspicious samples sent to cloud
- Then sandboxed in cloud
- Results are correlated
- All FortiGuard services
- Including AV
- Updates then soon available
10 APT’S – So Called Advanced Persistent Threats
- New “APT Focused” products are point solutions that are costly and only focus on common ingress points.
- Fortinet offers complete APT solutions on branch appliances – the only vendor to do this today.
- The only Tier 1 vendor to provide a complete layered defense in all of our devices.
11 BYOD
- Unmanaged devices rampant in enterprises.
- Recently a large Fortinet customer in Toronto discovered over 75 Mac Minis, 50 Xboxes and 100 Magic Jacks in their network (most hidden in locked drawers).
- MDM a failing technology – you do not have root access to an Android or Apple device.
- Users at all levels putting pressure on IT to support personal devices.
- Becoming a human resource issue – people refusing to work if access unavailable for personal devices.
12 BYOD Enablement through Network Security
- Emily, a customer, needs guest access to Skype on her iPad while visiting your headquarters. (WiFi Guest Access; Bandwidth Management)
- Bill’s device is infected with malware and he brings it on the corporate network. (Antivirus)
- Jill is at Starbucks and needs to communicate and be protected as if she was at HQ. (2-Factor Authentication; VPN Tunneling)
Here are some real world examples of how a variety of Fortinet technologies can solve everyday problems. Again, the breadth of our solution offers you the customer the most complete approach.
Emily – application policy checking via FortiClient.
Bill: Identity-based policies + DLP, app control. Bill (the CFO) might be authorized to post to the Corporate Facebook page while others might not.
Jill: Setting up a VPN – with 2 factor authentication and WAN optimization for improved app performance.
Ed: Detect content with sensitive data.
13 BYOD Enablement through Network Security
- Sue is in corporate marketing and should have access to post non-sensitive information to Facebook, but she should not be playing Farmville. (Application Control; Data Leakage Prevention)
- Joe started streaming movies while at work through his tablet – this is against corporate policy. (Application Control)
- Ed unintentionally shared a sensitive company presentation via his personal Gmail account on his Android Phone. (Data Leakage Prevention)
14 Protecting ALL BYOD Attack Vectors
- Sent – Contains Sensitive Data: Mail message detected as Data Loss (DLP)
- User accesses phishing site, enters credentials: Access to phishing website is blocked
- Phishing site sends Bot infection to user disguised as ‘Security Update’ application: Content scanning prevents download
- End user executes malware, is infected and now all their data is compromised: Malicious activity is detected and blocked
15 Virtual Workloads; Clouds; Commodity Clouds
Wow how things have changed in the past 12 months!
1. Traditional private cloud – Most common use of cloud and virtualization; numbers don’t lie – consolidation is king to driving down costs.
2. Public Cloud – Services 100% hosted and managed in the cloud; Salesforce.com, Cloudflare, Incapsula, etc.
3. Public/Private clouds where certain portions may be controlled by a third party. Includes traditional managed services like MS Exchange, web and hosting.
16 Virtual Workloads; Clouds; Commodity Clouds
4. Virtual Private Clouds – Virtual slices of service are delivered and managed over a private VPN connection. i.e. Amazon S3, Rackspace Cloud, Bell, Telus, Clouds. Now includes voice services like SIP – traditional voice lines dying a slow death.
5. Directly Connected Clouds – Enterprises directly connected to virtual clouds containing millions of machines where resources are rented or spawned on demand. 10G and higher connections to replace intense enterprise workloads. i.e. Amazon direct connect.
6. Cloud Based resiliency and GSLB – Traditional infrastructure services being pushed out to the cloud.
17 Virtual Workloads; Clouds; Commodity Clouds
7. Internal Infrastructure Managed in the Cloud – Management consoles for equipment installed in the datacenter being pushed out to the cloud. Aruba, Meraki, McAfee etc.
8. Fast, Persistent, and long term archival systems in the cloud. Amazon, Rackspace, Joyent now long term keepers of data.
9. Cloud Based Global Networking – Rush is occurring in the area of cloud based WAN optimization – companies with WAN-optimized clouds allowing anyone to plug in and achieve the benefits of global WAN-opt overnight.
10. Branch Clouds – Mini clouds in the branch that encompass applications, firewalls, wireless AP management, Active Directory, logging etc. on one physical server.
18 Traditional Firewalls and the Cloud = Clunky
- Traditional firewalls are inelastic; difficult in a large environment to upgrade firewalls on the fly; the cloud is elastic - therefore security devices that live in the cloud must also be elastic.
- Physical access in the cloud is disappearing; any security services must be virtual.
- The cloud does not make compliance go away. The need to track, audit and log remains the same.
- Physical firewalls protecting clouds present DR challenges. They cannot be moved, copied and spawned on demand. Business Continuity a large driver behind private cloud initiatives.
19 Why Fortinet Virtual Firewalls?
- Virtualized to the core – the only tier 1 vendor that has physical/virtual parity. Every product we sell to the Financial Services market is virtualized.
- The Cloud is noncontiguous; Tier2 and Tier3 firewalls must be able to support VMware, Xen, Amazon, etc.
- 100% feature parity; physical and virtual firewalls are on the same development track and utilize the same development teams.
- All the elastic features of the cloud – upward/downward scaling and ‘motion.’
- Most importantly – World Class NGFW features in the cloud!
20 NGFW - What’s all the hype about?
The Facts:
- NGFW is intended to unify firewall policies, application rules, and identity into intelligent security frameworks.
- Applications running amok in the organization; business leaders need to control and contort them.
- Traditional firewall rule sets have become untenable.
- Hooks to identity are mandatory for security, compliance, audit.
- Security teams need knowledge about what applications exist on the network – YouTube, or Botnets – it’s all valuable information.
- Increase in application layer attacks mandates that security devices function at the higher layers.
21 NGFW – Why have deployments struggled???
- Legacy vendors have not invested in technology to run NGFW at high speeds.
- “New” vendors have disregarded traditional high speed firewall/filtering only to have their devices compromised.
- Vendors have lost sight of fundamental network firewall features such as new connections per second, total sessions, and overall throughput.
- No enterprise will ever be 100% NGFW; they will be an intelligent mix of traditional firewall and high performance stateful firewall.
22 NGFW – Why have Fortinet deployments succeeded??
- We built NGFW on the world’s fastest and strongest stateful firewall.
- We can turn on what you need when you need it. For one part of the network we may be your super high speed firewall; for another part we may be the Active Directory Integrated NGFW.
- We have appliances that are proven to work at the Branch or deep inside the data centre at multi-gigabit speed.
- As an organization we have a proven ability to deploy NGFW quickly in enterprise networks.
- Remember: NGFW means you can use all the features of the device in any combination you desire – not only the ones that work!
23 Some of our Success in Canada
Canada’s most demanding NGFW deployments run on FortiGate:
- School Board with 300,000 users
- Canadian online TV on Demand services
- The only NGFW to successfully integrate into a Big 5 bank with all features turned on.
- The only NGFW to deploy in the core with all features turned on at Multi-Gig speeds.
- We don’t discriminate – We’ll do NGFW at 60 Gigs or 60 megs;
29 NGFW: Followed The Internet Evolution
[Figure: threats and the defenses introduced against them over time (1980s, 1990s, 2000s, Today), axis "Performance - Damage", grouped into PHYSICAL, CONNECTION-BASED and CONTENT-BASED layers. Labels: HARDWARE THEFT, LOCK & KEY, INTRUSIONS, FIREWALL, VPN, IPS, VIRUSES, TROJANS, ANTI-VIRUS, BANNED CONTENT, WEB FILTER, SPAM, ANTI-SPAM, WORMS, SPYWARE, ANTI-SPYWARE, APP LAYER ATTACKS, APP CONTROL]
Many new companies have come up with point security solutions to address each new application and attack as the threat landscape has evolved, and the network vendor players like Cisco and Juniper keep buying more point products to add on top of their firewall and VPN, resulting in more and more complex, costly deployments for customers.
30 The Fortinet Solution
[Figure: the same threat and defense timeline (1980s, 1990s, 2000s, Today), axis "Performance - Damage", grouped into PHYSICAL, CONNECTION-BASED and CONTENT-BASED layers. Labels: HARDWARE THEFT, LOCK & KEY, INTRUSIONS, FIREWALL, VPN, IPS, VIRUSES, TROJANS, ANTI-VIRUS, BANNED CONTENT, WEB FILTER, SPAM, ANTI-SPAM, WORMS, SPYWARE, ANTI-SPYWARE, APP LAYER ATTACKS, APP CONTROL]
Fortinet’s approach was to create Unified Threat Management, a solution which tightly integrates many functions and point products together into a single platform.
UTM is defined as a device that “unifies” multiple security features, including firewall/VPN, Intrusion Detection/Prevention and gateway antivirus, at a minimum. Fortinet offers all these plus many more features.
We also leverage our FortiASIC to accelerate performance and, as we discussed, we utilize our FortiGuard Labs for a real-time global update service. This solution effectively protects our customers in today’s challenging network environment.
31 The Result: Market Leadership
Worldwide UTM Market Share Q
Rank | Company | Market Share (%)
1 |  | 18.0
2 | Check Point | 14.0
3 | SonicWALL | 8.3
4 | Juniper | 7.9
5 | Cisco | 6.5
6 | WatchGuard | 4.7
7 | McAfee | 4.0
8 | Crossbeam | 3.0
9 | Other | 33.6
Total |  | 100.0
Worldwide Security Appliance Market Share Q
Rank | Company | Market Share (%) | Growth YoY
1 | Cisco | 15.9 | 6%
2 | Check Point | 12.4 | 5%
3 |  | 6.4 | 16%
4 | Juniper | 6.2 | (16%)
5 | Palo Alto Networks | 5.3 | 46%
6 | McAfee | 5.1 | 2%
7 | Blue Coat | 4.6 |
8 | Barracuda | 2.9 |
9 | Other | 41.8 |
Total |  | 100.0 |
And – our strategy is paying off! Numerous awards and industry recognition for our success.
IDC Worldwide Security Appliances Tracker, Sept 2011 (market share based on factory revenue)
IDC Worldwide Security Appliances Tracker, December 2013 (market share based on factory revenue)
32 The Result: Market Leadership
Magic Quadrant for Unified Threat Management (1)
Leader for the 5th Year in a row
(1) Gartner, Inc., “Magic Quadrant for Unified Threat Management”, July 2013