
1 © Copyright 2013 Fortinet Inc. All rights reserved. Data Connectors Securing the Elastic Data Centre Rafi Wanounou – Systems Engineering Manager.


2 Agenda
Fortinet Introduction
Threats to the Data Centre
APT’s
BYOD
Virtual Workloads; Clouds; Commodity Clouds
NGFW – Apps and more Apps…
Just a little bragging; Q&A

3 Fortinet Corporate Overview
[Chart: Fortinet revenue ($MM), 48% CAGR]
Market Leader: UTM - Fast-growth security segment
Advanced technology and products: 95+ patents; 115+ pending
Strong global footprint: 1,900+ employees; 30 offices worldwide
Blue chip customer base: 100,000 customers (incl. majority of Global 100)
Exceptional financial model:
  FY12 revenues: $534M (24% YoY growth)
  Q412 revenues: $155M (25% YoY growth)
  Strong balance sheet: $650M+ in cash; no debt
IPO - November 2009

4 Threats to the Data Centre
APT’s and other sophisticated multi-faceted attacks against Applications.
Targeted precision strikes – adversaries with customized weapons.
Virtual Workloads in Motion
Unmanaged Devices with corporate information present
The application explosion and what to do with them all??

5 APT’S – So Called Advanced Persistent Threats
Adversaries with specific goals and objectives.
Custom payloads and weapons designed for a targeted strike.
Can enter via any medium; ; web; unmanaged device; USB key (Stuxnet).
Adversaries have a well-established target and map of the datacentre.
Traditional tools such as desktop AV becoming of less and less value.
Advanced recon being performed to evade victim-specific defenses.

6 APT’S – So Called Advanced Persistent Threats
Misconception #1: More Signatures = Higher Protection
Reality: # Sigs actually decreasing through consolidation
VB RAP Score > 90%
1 sig / multiple variants

7 APT’S – So Called Advanced Persistent Threats
Misconception #2: Antivirus Engines are just Pattern Matching
Reality: Fortinet AVEN is highly intelligent, does local ‘Sandbox’
Dynamic decryption & execution environment
Example: Botnet server  zombie downloads
After decrypt: CPRL matching + behavior analysis

8 APT’S – So Called Advanced Persistent Threats
Misconception #3: Sandboxing is the answer to APT
Reality: Malware is VM environment aware -- “VM Evasion”
Fortigate AVEN does not use regular VM hooks
Even when effective to identify malware, technique still relies on regular pattern matching signatures.
DEAD DATA! – No Feedback Loop!!!!

9 The Value of FortiGuard
Suspicious samples sent to cloud
Then sandboxed in cloud
Results are correlated
All FortiGuard services Including AV Updates then soon available
FortiGuard Analytics
Harness the Cloud

10 APT’S – So Called Advanced Persistent Threats
1. New “APT Focused” products are point solutions that are costly and only focus on common ingress points.
2. Fortinet offers complete APT solutions on branch appliances – the only vendor to do this today.
3. The only Tier 1 vendor to provide a complete layered defense in all of our devices.

11 BYOD
1. Unmanaged devices rampant in enterprises.
2. Recently a large Fortinet customer in Toronto discovered over 75 Mac Minis, 50 Xboxes, and 100 Magic Jacks in their network (most hidden in locked drawers).
3. MDM a failing technology – you do not have root access to an Android or Apple device.
4. Users at all levels putting pressure on IT to support personal devices.
5. Becoming a human resource issue – people refusing to work if access unavailable for personal devices.

12 BYOD Enablement through Network Security
Emily, a customer, needs guest access to Skype on her iPad while visiting your headquarters
Bill’s device is infected with malware and he brings it on the corporate network
Jill is at Starbucks and needs to communicate and be protected as if she was at HQ.
WiFi Guest Access; Bandwidth Management; 2-Factor Authentication; VPN Tunneling; Antivirus

13 BYOD Enablement through Network Security
Sue is in corporate marketing and should have access to post non-sensitive information to Facebook, but she should not be playing Farmville
Joe started streaming movies while at work through his tablet – this is against corporate policy
Application Control; Data Leakage Prevention; Application Control
Ed unintentionally shared a sensitive company presentation via his personal Gmail account on his Android Phone.
Data Leakage Prevention

14 Protecting ALL BYOD Attack Vectors
Sent – Contains Sensitive Data
  Mail message detected as Data Loss (DLP)
User accesses phishing site, enters credentials
  Access to phishing website is blocked
Phishing site sends Bot infection to user disguised as ‘Security Update’ application
  Content scanning prevents download
End user executes malware, is infected and now all their data is compromised
  Malicious activity is detected and blocked

15 Virtual Workloads; Clouds; Commodity Clouds
Wow how things have changed in the past 12 months!
1. Traditional private cloud – Most common use of cloud and virtualization; numbers don’t lie – consolidation is king to driving down costs.
2. Public Cloud – Services 100% hosted and managed in the cloud;, Cloudflare, Incapsula, etc.
3. Public/Private clouds where certain portions may be controlled by a third party. Includes traditional managed services like MS Exchange, web and hosting.

16 Virtual Workloads; Clouds; Commodity Clouds
4. Virtual Private Clouds – Virtual slices of service are delivered and managed over a private VPN connection. i.e. Amazon S3, Rackspace Cloud, Bell, Telus, Clouds. Now includes voice services like SIP – traditional voice lines dying a slow death.
5. Directly Connected Clouds – Enterprises directly connected to virtual clouds containing millions of machines where resources are rented or spawned on demand. 10G and higher connections to replace intense enterprise workloads. i.e. Amazon direct connect.
6. Cloud Based resiliency and GSLB – Traditional infrastructure services being pushed out to the cloud.

17 Virtual Workloads; Clouds; Commodity Clouds
7. Internal Infrastructure Managed in the Cloud – Management consoles for equipment installed in the datacenter being pushed out to the cloud. Aruba, Meraki, McAfee etc.
8. Fast, Persistent, and long term archival systems in the cloud. Amazon, Rackspace, Joyent now long term keepers of data.
9. Cloud Based Global Networking – Rush is occurring in the area of cloud based WAN optimization – companies with WAN-optimized clouds allowing anyone to plug in and achieve the benefits of global WAN-opt overnight.
10. Branch Clouds – Mini clouds in the branch that encompass applications, firewalls, wireless AP management, Active Directory, logging etc. on one physical server.

18 Traditional Firewalls and the Cloud = Clunky
1. Traditional firewalls are inelastic; difficult in a large environment to upgrade firewalls on the fly; The cloud is elastic - therefore security devices that live in the cloud must also be elastic.
2. Physical access in the cloud is disappearing; any security services must be virtual.
3. The cloud does not make compliance go away. The need to track audit and log remains the same.
4. Physical firewalls protecting clouds present DR challenges. They cannot be moved, copied and spawned on demand. Business Continuity a large driver behind private cloud initiatives.

19 Why Fortinet Virtual Firewalls?
1. Virtualized to the core – the only tier 1 vendor that has physical/virtual parity. Every product we sell to the Financial Services market is virtualized.
2. The Cloud is noncontiguous; Tier2 and Tier3 firewalls must be able to support VMWare, Xen, Amazon, etc % feature parity; physical and virtual firewalls are on the same development track and utilize the same development teams.
4. All the elastic features of the cloud – upward/downward scaling and ‘motion.’
5. Most importantly – World Class NGFW features in the cloud!

20 NGFW - What’s all the hype about?
The Facts: NGFW is intended to unify firewall policies, application rules, and identity into intelligent security frameworks.
1. Applications running amok in organization; business leaders need to control and contort them.
2. Traditional firewall rule sets have become untenable.
3. Hooks to identity are mandatory for security, compliance, audit.
4. Security teams need knowledge about what applications exist on the network – YouTube, or Botnets – it’s all valuable information.
5. Increase in application layer attacks mandates that security devices function at the higher layers.

21 NGFW – Why have deployments struggled???
1. Legacy vendors have not invested in technology to run NGFW at high speeds.
2. “New” vendors have disregarded traditional high speed firewall/filtering only to have their devices compromised.
3. Vendors have lost sight of fundamental network firewall features such as new connections per second, total sessions, and overall throughput.
4. No enterprise will ever be 100% NGFW; they will be an intelligent mix of traditional firewall and high performance stateful firewall.

22 NGFW – Why have Fortinet deployments succeeded??
1. We built NGFW on the world’s fastest and strongest stateful firewall.
2. We can turn on what you need when you need. For one part of the network we may be your super high speed firewall; for another part we may be the Active Directory Integrated NGFW.
3. We have appliances that are proven to work at the Branch or deep inside the data centre at multi-gigabit speed.
4. As an organization we have a proven ability to deploy NGFW quickly in enterprise networks.
5. Remember: NGFW means you can use all the features of the device in any combination you desire – not only the ones that work!

23 Some of our Success in Canada
1. Canada’s most demanding NGFW deployments run on FortiGate:
   I. School Board with 300,000 users
   II. Canadian online TV on Demand services
2. The only NGFW to successfully integrate into a Big 5 bank with all features turned on.
3. The only NGFW to deploy in the core with all features turned on at Multi-Gig speeds.
4. We don’t discriminate – We’ll do NGFW at 60 Gigs or 60 megs;

24 Some Chest Pounding

25 Some More Chest Pounding

26 Some More Chest Pounding

27 Some More Chest Pounding

28 Finally



31 The Result: Market Leadership

Worldwide UTM Market Share Q
Rank  Company             Market Share (%)
      Check Point
      SonicWALL           8.3
4     Juniper             7.9
5     Cisco               6.5
6     WatchGuard          4.7
7     McAfee              4.0
8     Crossbeam           3.0
9     Other               33.6
      Total

Worldwide Security Appliance Market Share Q
Rank  Company             Market Share (%)  Growth YoY
1     Cisco               15.9              6%
2     Check Point         12.4              5%
                                            %
4     Juniper             6.2               (16%)
5     Palo Alto Networks  5.3               46%
6     McAfee              5.1               2%
7     Blue Coat           4.6               6%
8     Barracuda           2.9               16%
9     Other               41.8
      Total               100.0

(1) IDC Worldwide Security Appliances Tracker, Sept 2011 (market share based on factory revenue)
(2) IDC Worldwide Security Appliances Tracker, December 2013 (market share based on factory revenue)

32 The Result: Market Leadership
Magic Quadrant for Unified Threat Management (1)
Leader for the 5th Year in a row
(1) Gartner, Inc., “Magic Quadrant for Unified Threat Management”, July 2013

33 Q&A

34 Thank You
