FortiAuthenticator. User Authentication and Identity Management. Last Updated: 17th April. Copyright Fortinet Inc. All rights reserved.


FortiAuthenticator

User Authentication and Identity Management

FortiAuthenticator Overview

Answering your authentication challenges

Authentication and Authorization
• RADIUS, LDAP, 802.1X, RADIUS Proxy
• SSO Mobility Agent
• Web based login widget

Two Factor Authentication
• FortiToken, physical and mobile
• Tokenless, via SMS and email

Certificate Management
• X.509 Certificate Signing, Certificate Revocation
• Remote Device / Unattended Authentication

Fortinet Single Sign On
• Active Directory
• Agent or agentless
• Third party systems via RADIUS, Syslog and API Integration

[Diagram: FortiAuthenticator providing Two-factor Auth, User Identity, Wireless Auth and FSSO to FortiGate and FortiAP]

FortiAuthenticator Overview

[Diagram: User Authentication and Identity Management: User Identity, Two-factor Authentication, Wireless Authentication]

Secure access to your organization's systems and data with identity based policy and two-factor authentication
» Control access to your intellectual property

Enable secure remote and guest network access whilst retaining control over security
» Allow business to flourish, but not to the detriment of security

Reduce the operational burden of local and guest user management
» Identify users and apply granular user policy
» Integrate with existing user repositories (AD, LDAP)
» User lifecycle management workflow

FortiAuthenticator Use Cases: Two-factor Authentication

Enable strong password security across your network and application estate
» Secure remote access to critical systems

Reduce operational overheads
» Self-service password reset
» Integration with existing LDAP and AD databases
» Built in lost token workflow
» Migration strategy from third-party vendor tokens

[Diagram: Two-factor Authentication: Username, Password, Token; LDAP / Active Directory; Protected Devices; FortiAuthenticator]

FortiAuthenticator Use Cases: Support for a wide range of secure authentication methods

[Diagram: Physical, Tokenless, Certificate (BYOD), API, Mobile]

Flexible range of token formats to suit all deployment requirements
» OATH compatible TOTP (time) based tokens (FTK200)
» USB certificate tokens (FTK300)
» FortiToken Mobile for Android, iOS and Windows Mobile
» SMS and Email tokens

Supports any RADIUS capable device
» Juniper, Cisco, F5, Array, Citrix etc.
» Microsoft Windows Domain Login and OWA

FortiAuthenticator Use Cases: FortiToken Mobile

FortiToken Mobile: supports Android, iOS and Windows Mobile
» 6 or 8 digit passcode, 30 or 60s refresh
» Free install, supports other TOTP & HOTP OATH tokens, e.g. Google, Dropbox, Amazon
» QR Code Provisioning support
» PIN protection enforced from FAC

Perpetual license
» Can be reissued if device is lost
» Can be reissued if user leaves the organization

FortiAuthenticator Use Cases: Wireless Authentication

Centralized WiFi Authentication

Authenticate users (PEAP, EAP-TTLS) and machines.

Certificate based device authorization (EAP-TLS) for BYOD environments.

In open guest or visitor networks, FortiAuthenticator can provide captive portal functions.

[Diagram: Wireless Authentication: FortiAuthenticator and FortiAP]

FortiAuthenticator Use Cases: Guest Management

User Self-registration
» Collection of user details
» Option to SMS login details (proof of identity)
» Receptionist registration option
» Time limited accounts
» Delete expired accounts
» Support multiple locations
» Coming soon: Facebook, Google, LinkedIn, Twitter login

[Diagram: Guest Management: FortiAuthenticator and FortiAP]

FortiAuthenticator Use Cases: Fortinet Single Sign-On

Identify users and apply identity based security policy
» FortiAuthenticator transparent user identification collects and embellishes user identity information
» Allows FortiGate, FortiMail and FortiCache devices to apply appropriate policy based on user identity and role
» Granular control of network and application access

[Diagram: Fortinet Single Sign-On: Staff, Admin and Guest users; Corporate Resources and Guest Access]

FortiAuthenticator Use Cases: Transparent User Identity

Fortinet Single Sign-On identity sources (AD & Windows and generic sources) collected by FortiAuthenticator:
» RADIUS Accounting Records
» FortiClient SSO Mobility Agent
» Active Directory Polling
» Login Portal & Widgets
» REST API
» Syslog
» Kerberos with NTLM Fallback
» TS and AD Collector Agents

FortiAuthenticator Use Cases: Certificate Authority

Simplifies the task of certificate management

Issue certificates for multiple uses:
» VPN Authentication
» Wireless 802.1X (PEAP, EAP)
» Windows Desktop Authentication
» Compatible with FTK300 USB PKI Certificate Store

[Diagram: Certificate Authority]

FortiAuthenticator Use Cases: VPN Security

Strengthen and simplify VPN security
» Certificate based VPN enhances traditional pre-shared keys with a second factor
» Revoke certificates if device is lost (OCSP)
» Zero touch certificate distribution (SCEP)
» Integration with FortiManager to simplify deployment

FortiAuthenticator Use Cases: RADIUS Accounting Proxy

Integrates Carrier/ISP networks with Fortinet RADIUS Single Sign-on
» Minimises changes needed to critical business systems
» Takes the additional load by duplicating RADIUS Packets

RSSO used to apply Identity Policy for FortiGate, FortiMail and FortiCache

[Diagram: RADIUS Accounting Proxy: Carrier / ISP RADIUS Server, RADIUS Accounting]

FortiAuthenticator Use Cases: High Availability

Active-Passive High Availability
» Local sync with failover
» Supports all features

Active-Active Config Sync
» Geographic distribution
» Load balance across devices (scalability)
» Supports authentication feature sync (not FSSO)
» Can be combined with Active-Passive HA (A-P Master, standalone slaves)

Case Study: Medium Enterprise Identity Management

Multiple user groups / domains

Organization and Challenge
» Online retail organization with mobile workforce and widespread BYOD adoption
» Incumbent Cisco wireless network; customer thought Cisco was the only option for gateway Identity Policy

Why We Won
» Ability to consume user identity from Cisco wireless network (via RADIUS Accounting)
» Fully inclusive guest management and registration features

What They Bought
» 2x FortiAuthenticator 200D (HA)
» 2x FortiGate 600C (HA)
» Still in the game for Wifi refresh

Who We Beat
» Cisco

Cisco tried to claim that the only way to perform Identity Based Firewalling was using their own ISE and ASA. FortiAuthenticator proved this wrong and has kept Fortinet in the running for the Wifi refresh.

[Diagram: WAN, Remote Workers, FortiAuthenticator, FortiGate]

Case Study: Local Government Identity Management

Multiple user groups / domains

Organization and Challenge
» Regional govt. requiring transparent identity aware firewalling
» 5,000 users with granular permissions across 3 domain controllers, 2 domains

Why We Won
» Multiple identity detection methods
» AD Polling combined with RADIUS (VPN) and guest portal
» Fully inclusive guest management and registration features

What They Bought
» 2x FortiAuthenticator 1000D (HA)
» 2x FortiGate 1000D (HA)

Who We Beat
» Juniper, CheckPoint, SonicWall

[Diagram: WAN, Remote Workers; FAC gathers user identity and forwards to FGT; FortiAuthenticator, FortiGate]

Case Study: Enterprise Identity Management

90 Remote Sites

Organization and Challenge
» Multinational enterprise with 3 Datacenters, 90 branches and 17,000 users throughout the world
» Mobile workforce means users could be on any site

Why We Won
» Performance and scalability of user identity detection
» Selective distribution of login events to local site and core

What They Bought
» 3 x FortiAuthenticator 3000D
» 9 x FortiGate 3600C
» 90 x FortiGate 110C

Who We Beat
» PaloAlto, Juniper

[Diagram: WAN; FAC gathers user identity and selectively forwards identity to relevant FGT; 3 Datacenters, FortiAuthenticator, FortiGate Clusters, Active Directory]

Case Study: Enterprise Two-Factor Auth

Network Operations Center

Organization and Challenge
» Enterprise organization requiring secure multi-factor authorization for a heterogeneous range of devices
» Integration with existing LDAP/AD infrastructure

Why We Won
» Secure provisioning strategy (CD)
» Physical and Soft token support
» Support for a wide range of client devices and Windows Desktop login

What They Bought
» 2 x FortiAuthenticator 400C
» 100 x FortiToken 200
» 500 x FortiToken Mobile

Who We Beat
» RSA, Safenet

[Diagram: Internet, Multiple Datacenters, FortiAuthenticator, Home Workers]

FortiAuthenticator Ordering Information

Small / Mid Enterprise Deployments: FortiAuthenticator 200D
• Support up to 500 users
• HDD – 1 x 1TB
• 4 x 10/100/1000
• Rack Mountable, 1U
• Single AC PSU

Mid Enterprise Deployments: FortiAuthenticator 400C
• Support up to 2,000 users
• HDD – 1 x 1TB
• 4 x 10/100/1000
• Rack Mountable, 1U
• Single AC PSU

Large Enterprise/Service Provider Deployments: FortiAuthenticator 1000D
• Support up to 10,000 users
• HDD – 2 x 2TB
• 4 x 10/100/1000
• 2 x SFP
• Rack Mountable, 2U
• Dual AC PSU

Large Enterprise/Service Provider Deployments: FortiAuthenticator 3000D
• Support up to 40,000 users
• HDD – 2 x 2TB
• 4 x 10/100/1000
• 2 x SFP
• Rack Mountable, 2U
• Dual AC PSU

All Sized Deployments from SME to Service Provider: FortiAuthenticator VM
• From 100 to 1M+ users
• Unlimited CPU
• Unlimited RAM

FortiAuthenticator vs FortiGate

Area: Feature (FortiGate / FortiAuthenticator)
Auth: Two-factor Auth w. FortiToken
Auth: Multiple FortiGate per token
Auth: Support third party vendors
Auth: User password reset
Auth: User self registration
Auth: Support multiple realms
FSSO: AD Polling
FSSO: DC & TS Agent
FSSO: Kerberos
FSSO: RADIUS Accounting (FortiGate: ✗ as FSSO, RSSO only; FortiAuthenticator: both)
FSSO: Syslog

Competitive Landscape

[Diagram: Two-factor Auth, User Identity, FortiAuthenticator]

Feature Comparison – User Identity

Products compared: FortiAuth, PaloAlto User-ID, Cisco Identity Services Engine, Juniper Pulse UAC *, Checkpoint Identity Awareness Blade

Identity – Microsoft Windows Environments
» DC Polling
» DC Agent
» Terminal Services Agent
» Kerberos
» Microsoft Exchange

Identity – Non-Microsoft Windows Environments
» Endpoint Agent
» Captive Portal
» Embeddable Widgets
» SYSLOG
» Open API (IF-MAP)
» RADIUS Accounting

Authorization
» LDAP/AD
» Local override

Feature Comparison – Two Factor Auth

Vendors compared: FortiAuth, Safenet, RSA, Vasco

Deployment: Appliance, Software, Virtual Machine, Cloud
Tokens – Physical Token: ✓ (Time), (Event), ✓ (USB Cert), ✓ (Time), ✓ (Event), ✓ (USB Cert), ✓ (Time)
Tokens – Mobile Token: ✓ (iOS), ✓ (Android), ✓ (WinMo), ✓ (BB), ✓ (iOS), ✓ (Android), ✓ (WinMo), ✓ (BB), ✓ (iOS), ✓ (Android), ✓ (WinMo), ✓ (BB)
Tokens – Desktop Token: (Mac), (Win), ✓ (Mac), ✓ (Win), ✓ (Mac), ✓ (Win)
Tokens – Tokenless: ✓ SMS, ✓ Email, ✓ SMS, ✓ Email, ✓ GrIDsure, ✓ SMS, ✓ Email
Agents: Windows Domain 2FA, Outlook Web Access 2FA, Sharepoint (Roadmap)
Integration – Auth Methods: ✓ RADIUS, ✓ LDAP, SAML, ✓ API, ✓ RADIUS, LDAP, ✓ SAML, ✓ API
Integration – External User repositories: ✓ Local, ✓ AD, ✓ LDAP, ✓ AD, ✓ LDAP, RADIUS, ✓ AD, ✓ LDAP (Oracle only)
