This presentation is designed to act as an introduction to Fortinet

Presentation on theme: "This presentation is designed to act as an introduction to Fortinet"— Presentation transcript:

1 Fortinet @ Data Connectors
Securing the Elastic Data Centre
Rafi Wanounou – Systems Engineering Manager
This presentation is designed to act as an introduction to Fortinet. Typical audience is business and technical decision makers in mid to large enterprise customers. Appropriate for Executive Briefing type situations lasting about an hour.

2 Agenda
Fortinet Introduction
Threats to the Data Centre
APT’s
BYOD
Virtual Workloads; Clouds; Commodity Clouds
NGFW – Apps and more Apps…
Just a little bragging; Q&A
First, we’ll provide a brief overview of Fortinet and why our approach is different from other security technology vendors. Next, we’ll show how our technologies can provide solutions to your most pressing business problems. And finally, we provide a brief overview of Fortinet technologies and products.

3 Fortinet Corporate Overview
Market Leader: UTM - Fast-growth security segment
Advanced technology and products: 95+ patents; 115+ pending
Strong global footprint: 1,900+ employees; 30 offices worldwide
Blue chip customer base: 100,000 customers (incl. majority of Global 100)
Exceptional financial model: FY12 revenues: $534M (24% YoY growth); Q412 revenues: $155M (25% YoY growth); Strong balance sheet: $650M+ in cash; no debt
IPO - November 2009
[Chart: Fortinet revenue ($MM), 48% CAGR]
First, a brief overview of Fortinet.

4 Threats to the Data Centre
APT’s and other sophisticated multi-faceted attacks against Applications.
Targeted precision strikes – adversaries with customized weapons.
Virtual Workloads in Motion.
Unmanaged Devices with corporate information present.
The application explosion and what to do with them all??

5 APT’S – So Called Advanced Persistent Threats
Adversaries with specific goals and objectives. Custom payloads and weapons designed for a targeted strike. Can enter via any medium; ; web; unmanaged device; USB key (Stuxnet). Adversaries have a well established target and map of the datacentre. Traditional tools such as desktop AV becoming of less and less value. Advanced recon being performed to evade victim specific defenses.

6 Misconception #1 More Signatures = Higher Protection
Reality: # Sigs actually decreasing through consolidation
VB RAP Score > 90%
1 sig / multiple variants
Role-based policy control destination & service based on user identity and/or group membership. WiFi single sign-on. Notifying end user what happened to their traffic. In line tip on browser. RADIUS based group membership (dynamic profile). Mobile phone based token for two factor authentication.

7 Misconception #2 Antivirus Engines are just Pattern Matching
Reality: Fortinet AVEN is highly intelligent, does local ‘Sandbox’
Dynamic decryption & execution environment
Example: Botnet server  zombie downloads
After decrypt: CPRL matching + behavior analysis

8 Misconception #3 Sandboxing is the answer to APT
Reality: Malware is VM environment aware -- “VM Evasion”
FortiGate AVEN does not use regular VM hooks
Even when effective to identify malware, technique still relies on regular pattern matching signatures.
DEAD DATA! – No Feedback Loop!!!!

9 FortiGuard Analytics: Harness the Cloud
The Value of FortiGuard
Suspicious samples sent to cloud
Then sandboxed in cloud
Results are correlated
All FortiGuard services
Including AV
Updates then soon available

10 APT’S – So Called Advanced Persistent Threats
New “APT Focused” products are point solutions that are costly and only focus on common ingress points. Fortinet offers complete APT solutions on branch appliances – the only vendor to do this today. The only Tier 1 vendor to provide a complete layered defense in all of our devices.

11 BYOD
Unmanaged devices rampant in enterprises. Recently a large Fortinet customer in Toronto discovered over 75 Mac Minis, 50 Xboxes, and 100 Magic Jacks in their network (most hidden in locked drawers). MDM a failing technology – you do not have root access to an Android or Apple device. Users at all levels putting pressure on IT to support personal devices. Becoming a human resource issue – people refusing to work if access unavailable for personal devices.

12 BYOD Enablement through Network Security
Emily, a customer, needs guest access to Skype on her iPad while visiting your headquarters. (WiFi Guest Access; Bandwidth Management)
Bill’s device is infected with malware and he brings it on the corporate network. (Antivirus)
Jill is at Starbucks and needs to communicate and be protected as if she was at HQ. (2-Factor Authentication; VPN Tunneling)
Here are some real world examples of how a variety of Fortinet technologies can solve everyday problems. Again, the breadth of our solution offers you the customer the most complete approach. Emily: application policy checking via FortiClient. Bill: Identity-based policies + DLP, app control. Bill (the CFO) might be authorized to post to the Corporate Facebook page while others might not. Jill: Setting up a VPN – with 2 factor authentication and WAN optimization for improved app performance. Ed: Detect content with sensitive data.

13 BYOD Enablement through Network Security
Sue is in corporate marketing and should have access to post non-sensitive information to Facebook, but she should not be playing Farmville. (Application Control; Data Leakage Prevention)
Joe started streaming movies while at work through his tablet – this is against corporate policy. (Application Control)
Ed unintentionally shared a sensitive company presentation via his personal Gmail account on his Android Phone. (Data Leakage Prevention)

14 Protecting ALL BYOD Attack Vectors
Sent – Contains Sensitive Data: Mail message detected as Data Loss (DLP)
User accesses phishing site, enters credentials: Access to phishing website is blocked
Phishing site sends Bot infection to user disguised as ‘Security Update’ application: Content scanning prevents download
End user executes malware, is infected and now all their data is compromised: Malicious activity is detected and blocked

15 Virtual Workloads; Clouds; Commodity Clouds
Wow how things have changed in the past 12 months!
1. Traditional private cloud – Most common use of cloud and virtualization; numbers don’t lie – consolidation is king to driving down costs.
2. Public Cloud – Services 100% hosted and managed in the cloud; Salesforce.com, Cloudflare, Incapsula, etc.
3. Public/Private clouds where certain portions may be controlled by a third party. Includes traditional managed services like MS Exchange, web and hosting.

16 Virtual Workloads; Clouds; Commodity Clouds
4. Virtual Private Clouds – Virtual slices of service are delivered and managed over a private VPN connection. i.e. Amazon S3, Rackspace Cloud, Bell, Telus, Clouds. Now includes voice services like SIP – traditional voice lines dying a slow death.
5. Directly Connected Clouds – Enterprises directly connected to virtual clouds containing millions of machines where resources are rented or spawned on demand. 10G and higher connections to replace intense enterprise workloads. i.e. Amazon direct connect.
6. Cloud Based resiliency and GSLB – Traditional infrastructure services being pushed out to the cloud.

17 Virtual Workloads; Clouds; Commodity Clouds
7. Internal Infrastructure Managed in the Cloud – Management consoles for equipment installed in the datacenter being pushed out to the cloud. Aruba, Meraki, McAfee etc.
8. Fast, Persistent, and long term archival systems in the cloud. Amazon, Rackspace, Joyent now long term keepers of data.
9. Cloud Based Global Networking – Rush is occurring in the area of cloud based wan optimization – companies with Wan-Optimized clouds allowing anyone to plug in and achieve the benefits of global wan-opt over night.
10. Branch Clouds – Mini clouds in the branch that encompass applications, firewalls, wireless AP management, Active Directory, logging etc. on one physical server.

18 Traditional Firewalls and the Cloud = Clunky
Traditional firewalls are inelastic; it is difficult in a large environment to upgrade firewalls on the fly. The cloud is elastic - therefore security devices that live in the cloud must also be elastic. Physical access in the cloud is disappearing; any security services must be virtual. The cloud does not make compliance go away. The need to track, audit and log remains the same. Physical firewalls protecting clouds present DR challenges. They cannot be moved, copied and spawned on demand. Business Continuity is a large driver behind private cloud initiatives.

19 Why Fortinet Virtual Firewalls?
Virtualized to the core – the only tier 1 vendor that has physical/virtual parity. Every product we sell to the Financial Services market is virtualized. The Cloud is noncontiguous; Tier2 and Tier3 firewalls must be able to support VMWare, Xen, Amazon, etc. 100% feature parity; physical and virtual firewalls are on the same development track and utilize the same development teams. All the elastic features of the cloud – upward/downward scaling and ‘motion.’ Most importantly – World Class NGFW features in the cloud!

20 NGFW - What’s all the hype about?
The Facts: NGFW is intended to unify firewall policies, application rules, and identity into intelligent security frameworks. Applications are running amok in organizations; business leaders need to control and contort them. Traditional firewall rule sets have become untenable. Hooks to identity are mandatory for security, compliance, audit. Security teams need knowledge about what applications exist on the network – YouTube, or Botnets – it’s all valuable information. Increase in application layer attacks mandates that security devices function at the higher layers.

21 NGFW – Why have deployments struggled???
Legacy vendors have not invested in technology to run NGFW at high speeds. “New” vendors have disregarded traditional high speed firewall/filtering only to have their devices compromised. Vendors have lost sight of fundamental network firewall features such as new connections per second, total sessions, and overall throughput. No enterprise will ever be 100% NGFW; they will be an intelligent mix of traditional firewall and high performance stateful firewall.

22 NGFW – Why have Fortinet deployments succeeded??
We built NGFW on the world’s fastest and strongest stateful firewall. We can turn on what you need when you need it. For one part of the network we may be your super high speed firewall; for another part we may be the Active Directory Integrated NGFW. We have appliances that are proven to work at the Branch or deep inside the data centre at multi-gigabit speed. As an organization we have a proven ability to deploy NGFW quickly in enterprise networks. Remember: NGFW means you can use all the features of the device in any combination you desire – not only the ones that work!

23 Some of our Success in Canada
Canada’s most demanding NGFW deployments run on FortiGate:
School Board with 300,000 users
Canadian online TV on Demand services
The only NGFW to successfully integrate into a Big 5 bank with all features turned on.
The only NGFW to deploy in the core with all features turned on at Multi-Gig speeds.
We don’t discriminate – We’ll do NGFW at 60 Gigs or 60 megs.

24 Some Chest Pounding

25 Some More Chest Pounding

26 Some More Chest Pounding

27 Some More Chest Pounding

28 Finally

29 NGFW: Followed The Internet Evolution
[Diagram: threats and the point defenses that followed them, by layer (PHYSICAL, CONNECTION-BASED, CONTENT-BASED) across the 1980s, 1990s, 2000s and Today; axis: Performance - Damage. Labels: HARDWARE THEFT, LOCK & KEY, INTRUSIONS, FIREWALL, VPN, IPS, VIRUSES, TROJANS, ANTI-VIRUS, BANNED CONTENT, WEB FILTER, SPAM, ANTI-SPAM, WORMS, SPYWARE, ANTI-SPYWARE, APP LAYER ATTACKS, APP CONTROL]
Many new companies have come up with point security solutions to address each new application and attack as the threat landscape has evolved, and the network vendor players like Cisco and Juniper keep buying more point products to add on top of their firewall and VPN, resulting in more and more complex, costly deployments for customers.

30 The Fortinet Solution
[Diagram: the same threats and defenses by layer (PHYSICAL, CONNECTION-BASED, CONTENT-BASED) across the 1980s, 1990s, 2000s and Today; axis: Performance - Damage]
Fortinet’s approach was to create Unified Threat Management. The UTM solution tightly integrates many functions and point products together into a single platform. UTM is defined as a device that “Unifies” multiple security features, including firewall/VPN, Intrusion Detection/Prevention and gateway antivirus, at a minimum; Fortinet offers all these plus many more features. We also leverage our FortiASIC to accelerate performance, and, as we discussed, we utilize our FortiGuard Labs for real-time global update service. This solution effectively protects our customers in today’s challenging network environment.

31 The Result: Market Leadership
Worldwide UTM Market Share Q
Rank | Company | Market Share (%)
1 | | 18.0
2 | Check Point | 14.0
3 | SonicWALL | 8.3
4 | Juniper | 7.9
5 | Cisco | 6.5
6 | WatchGuard | 4.7
7 | McAfee | 4.0
8 | Crossbeam | 3.0
9 | Other | 33.6
Total | | 100.0

Worldwide Security Appliance Market Share Q
Rank | Company | Market Share (%) | Growth YoY
1 | Cisco | 15.9 | 6%
2 | Check Point | 12.4 | 5%
3 | | 6.4 | 16%
4 | Juniper | 6.2 | (16%)
5 | Palo Alto Networks | 5.3 | 46%
6 | McAfee | 5.1 | 2%
7 | Blue Coat | 4.6 |
8 | Barracuda | 2.9 |
9 | Other | 41.8 |
Total | | 100.0 |

Sources: IDC Worldwide Security Appliances Tracker, Sept 2011 (market share based on factory revenue); IDC Worldwide Security Appliances Tracker, December 2013 (market share based on factory revenue)
And – our strategy is paying off! Numerous awards and industry recognition for our success.

32 The Result: Market Leadership
Magic Quadrant for Unified Threat Management [1]: Leader for the 5th Year in a row
[1] Gartner, Inc., “Magic Quadrant for Unified Threat Management”, July 2013

33 Q&A

34 Thank You

