© Copyright Fortinet Inc. All rights reserved.
Internal Network Firewall (INFW)
Protecting your network from the inside out
Ted Maniatis, SE – Central Canada
Fortinet Technologies
Agenda
Internal Security Threats and Challenges
Introducing Internal Network Security
Meeting Customer Requirements – INFW Deployment
Customer Scenarios
A Global Leader and Innovator in Network Security
Fortinet Quick Facts
Platform Advantage built on key innovations
• FortiGuard: industry-leading threat research
• FortiOS: tightly integrated network + security OS
• FortiASIC: custom ASIC-based architecture
• Market-leading technology: 196 patents, 162 pending
Founded November 2000, 1st product shipped 2002, IPO 2009
HQ: Sunnyvale, California
Employees: 3000+ worldwide
Consistent growth, gaining market share
Strong positive cash flow, profitable
Cash: $13M (2003) to $770M (2014); Revenue: $16M (2003) to ~$1B (2014)
Global presence and customer base
• Customers: 225,000+
• Units shipped: 1.9+ Million
• Offices: 80+ worldwide
Fortinet Advantage - GLOBAL
Platform
FortiOS Enables Networking & Security Convergence, Security Consolidation
Firewall, VPN, Application Control, IPS, Web Filtering, Anti-malware, WAN Acceleration, Data Leakage Protection, WiFi Controller, Advanced Threat Protection, SaaS Gateway
Management: single management console
• Common platform across all size deployments
• Deploy what you need, where you need it
• Consistent, coordinated policy
• Consolidated infrastructure
• Faster and more robust response to threats, decreased risk exposure
• Lower admin burden, easier to maintain infrastructure
• Frees up IT resources to be reallocated to strategic projects
Advanced Threats Take Advantage of the “Flat Internal” Network
Existing firewalls focused on the border
Internal network no longer “trusted”
Many ways into the network
Once inside threats
Time to Discovery of a Breach is Not Keeping Up
Wide gap between percentages for the two phases
Time to compromise accelerating faster than discovery
Once inside, what can be done to contain and minimize the attack?
Chart (source: Verizon DBIR 2014*): percent of breaches where time to compromise (red) / time to discovery (blue) was days or less, plotted per year from 2004 to 2013 on a 0–100% scale; two series, “Time to compromise” and “Time to discovery”.
Internal Security is Integral to a Layered Security Approach
What is Internal Security?
» DMZs, firewalls, IDS, gateway AV
» Protects against attacks from within
» Client security controls
What is Recommended
» Inside-out visibility
» Internal segmentation
» Easy deployment and administration
Business Drivers for Internal Security
Business Driver: Prevent Business Disruption
IT Pain Points:
• Stop spread of malware
• Ensure application and network availability
Business Driver: Revenue & Profitability
IT Pain Points:
• Reduce costs associated with recovery and remediation
• Minimize IT activity
Too Many Ways In…
Diagram: External Network (Multi-Megabit) – Internet, WAN, Cloud, Data Center, Multi-Function Gateway, Endpoint – feeding a “FLAT” Internal Network Architecture (Multi-Gigabit). Weak points called out:
• AV Signature Only Protection
• Less Trustworthy Networks/Subsidiary Security out of your Control
• Not every Security App switched on
• More Customer/Partner Access
• Security Becomes a Bottleneck
• Too Many Point Solutions
• No Security Agents
Too Many Ways In… Rethink Your Architecture
Diagram: the same topology (External Network, Multi-Megabit; Internal Network, Multi-Gigabit; Endpoint, Multi-Function Gateway, Data Center, Cloud, WAN, Internet) with the same weak points called out, and INFW devices inserted at multiple points inside the network.
Internal Network Firewall
• 100G+ Performance
• Ease of Deployment
Introducing: Internal Network Firewall (INFW)
Complete Protection – Continuous inside-out protection against advanced threats
Easy Deployment – Default Transparent Mode means no need to re-architect the network
High Performance – Multi-Gigabit throughput supports wire speed East-West traffic
Diagram: Distribution/Core Layer (Core/Distribution Switch, uplink to Internet) above an Access Layer (Access Switch/VLAN) serving Local Servers, User Network and Devices, with the FortiGate inserted as a wire intercept.
• FortiGate wire intercept using transparent port pair
• High speed interface connectivity
• IPS, ATP & App
Internal Network Firewall – How is it different?
INFW
• Purpose: Visibility & protection for internal segments
• Location: Access Layer
• Operation Mode: Transparent Mode
• Hardware requirements: Higher port density to protect multiple assets, hardware acceleration
• Security Components: Firewall, IPS, ATP, Application Control (User-based)
• Other Characteristics: Rapid Deployment – near zero configuration
NGFW
• Purpose: Visibility & protection against external threats and internet activities
• Location: Internet Gateway
• Operation Mode: NAT/Route Mode
• Hardware requirements: GbE and GbE/10 port
• Security Components: Firewall, VPN, IPS, Application Control
• Other Characteristics: Integration with Advanced Threat Protection (Sandbox)
UTM
• Purpose: Visibility & protection against external threats and user activities
• Location: Internet Gateway
• Operation Mode: NAT/Route Mode
• Hardware requirements: High GbE port density, integrated wireless connectivity and PoE
• Security Components: Comprehensive and extensible, client and device integration
• Other Characteristics: Broad WAN connectivity options including 3G/4G/LTE
DCFW
• Purpose: High performance, low latency network protection
• Location: Core Layer/DC gateway
• Operation Mode: NAT/Route Mode
• Hardware requirements: High speed (GbE/10 GbE/40 GbE/100) & high port density, hardware acceleration
• Security Components: Firewall, DDoS protection
CCFW
• Purpose: Network security for Service Providers
• Location: Various
• Operation Mode: NAT/Route Mode
• Hardware requirements: High speed (GbE/10 GbE/40 GbE, GbE/100) & high port density, hardware acceleration
• Security Components: Firewall, CGN, LTE & mobile security
Firewall Deployment Modes
Compared on: Deployment Complexity, Network Functions, High Availability, Traffic Visibility, Threat Prevention
• Network Routing – Deployment Complexity: High; Network Functions: L3 – L7
• Transparent – Deployment Complexity: Low; Network Functions: L1 – L2
• Sniffer – Deployment Complexity: Low
Transparent mode combines the advantages of Network Routing and Sniffer mode
INFW – Customer Scenarios
Existing FortiGate customers
Requirements
» Protection against advanced threats
Benefits
» Multi-layered attack prevention
» Network segmentation prevents spread of malware
» Reduced costs with security management
New customers with legacy firewalls
Requirements
» Application visibility, address weaknesses in legacy competitive firewalls
Benefits
» Instant application visibility with default Transparent Mode deployment
» Advanced threat protection
» Network segmentation prevents spread
Awards & Certifications, Partnerships & Industry
35 Awards
Founded by Fortinet; additional members include Palo Alto Networks, McAfee and Symantec
Fortinet Advantage – SECURE
Unparalleled Independent 3rd Party Certification
Description | Fortinet | Check Point | Cisco | Palo Alto Networks | Juniper | FireEye
NSS - Firewall NGFW | Recommended | Recommended | Recommended & Neutral | Caution | Caution | x
NSS - Firewall DC | Recommended | x | x | x | x | x
NSS - Breach Detection | Recommended | x | Recommended | x | x | Caution
NSS - WAF | Recommended | x | x | x | x | x
NSS – Next Gen IPS | Recommended | x | Recommended | Neutral | x | x
NSS - IPS (DC) | ✔ | ✔ | x | x | Caution | x
BreakingPoint Resiliency | Record High - 95 | x | x | Poor - 53 | x | x
ICSA Firewall | ✔ | ✔ | x | ✔ | ✔ | x
ICSA IPS | ✔ | ✔ | x | x | x | x
ICSA Antivirus | ✔ | x | x | x | x | x
ICSA WAF | ✔ | x | x | x | x | x
VB 100 | ✔ | Caution | x | x | x | x
AV Comparative | ✔ | x | x | x | x | x
Common Criteria | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
FIPS | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
NGFW: NSS Labs Validates Our Advantage
Fortinet is “Recommended” while top competitors are not
Chart: X-axis = TCO per protected Mbps; Y-axis = Security Effectiveness; upper right quadrant = “Recommended”; lower left quadrant = “Caution”
The Fortinet Secured Network
Broad Complementary Security Portfolio (Data Center, Branch Office, Campus)
FortiDB – Database Protection; FortiClient – Endpoint Protection, VPN; FortiToken – Two Factor Authentication; FortiSandbox – Advanced Threat Protection; FortiGate NGFW; FortiAuthenticator – User Identity Management; FortiManager – Centralized Management; FortiAnalyzer – Logging, Analysis, Reporting; FortiADC – Application Delivery Control; FortiWeb – Web Application Firewall; FortiGate DCFW; FortiGate Internal NGFW; FortiDDoS – DDoS Protection; FortiMail – Email Security; FortiGate VMX – SDN, Virtual Firewall; FortiAP – Secure Access Point; FortiGate Cloud; FortiWiFi UTM; FortiGate Top-of-Rack; FortiCamera – IP Video Security; FortiGate Next Gen IPS; FortiExtender – LTE Extension
Wide Product Range for Every Segment
Models (entry level to high end): 20-90 Series, 100 Series, 200 Series, 300-800 Series, 1000 Series, 3000 Series, 5000 Series
Product Range: Entry Level, Mid Range, High End
Key Hardware Features*, from entry level to high end: PoE, Switch, WiFi; PoE, High Density GE; High Density GE; High Density GE, 10 GE; 10 GE, 40 GE; Chassis & Blades
Segment coverage (✔ per series): MSSP – all 7 series; Distributed Enterprise – all 7 series; Enterprise – all 7 series, with Branch and Campus variants; Carrier – 3 series; Data Center / Cloud – 4 series; SMB – 4 series
Per Minute
• 25,000 Spam emails intercepted
• 390,000 Network Intrusion Attempts resisted
• 83,000 Malware programs neutralized
• 160,000 Malicious Website accesses blocked
• 59,000 Botnet C&C attempts thwarted
• 39 million Website categorization requests
Per Week
• 47 million New & updated spam rules
• 100 Intrusion prevention rules
• 2 million New & updated AV definitions
• 1.3 million New URL ratings
• 8,000 Hours of threat research globally
Total Database
• 170 Terabytes of threat samples
• 17,500 Intrusion Prevention rules
• 5,800 Application Control rules
• 250 million Rated websites in 78 categories
• 173 Zero-day threats discovered