Internal Network Firewall (INFW) Protecting your network from the inside out

© Copyright Fortinet Inc. All rights reserved.

Internal Network Firewall (INFW)

Protecting your network from the inside out

Ted Maniatis, SE – Central Canada

Fortinet Technologies

Agenda

Internal Security Threats and Challenges

Introducing Internal Network Security

Meeting Customer Requirements – INFW Deployment

Customer Scenario’s

3

A Global Leader and Innovator in Network Security

Fortinet Quick Facts

Platform Advantage

built on key innovations

• FortiGuard: industry-leading threat

research

• FortiOS: tightly

integrated

network + security OS

• FortiASIC:

custom

ASIC-based architecture

• Market-leading technology: 196

patents

, 162 pending

Founded November

2000,

1st_{product shipped}

_2002,

_IPO

₂₀₀₉

HQ:

Sunnyvale

,

California

Employees:

3000+

worldwide

Consistent

growth,

gaining

market share

Strong

positive cash flow,

profitable

$13M $770M $16M ~$1B Cash Revenue 2003 2014 2003 2014

Global presence

and customer base

• Customers:

225,000+

• Units shipped:

1.9+ Million

• Offices:

80+

worldwide

Fortinet Advantage -

GLOBAL

Platform

FortiOS Enables Networking & Security Convergence, Security Consolidation

Firewall VPN Application Control IPS Web Filtering Anti-malware WAN Acceleration Data Leakage Protection WiFi Controller Advanced Threat Protection

SaaS Gateway

Management

Single

management console

Common platform

across all size

deployments

Deploy what you

need

, where you need it

Consistent

, coordinated policy

Consolidated

infrastructure

Faster and more robust

response to

threats,

decreased risk

exposure

Lower

admin burden,

easier

to maintain

infrastructure

Frees up IT resources

to be reallocated to

strategic projects

5

Advanced Threats Take Advantage

of the “Flat Internal” Network

Existing Firewall’s focused on

the border

Internal network no longer

“trusted”

Many ways into the network

Once inside threats

Time to Discovery of a Breach is Not Keeping Up

Wide gap between

percentages for the two

phases

Time to compromise

accelerating faster than

Discovery

Once inside, what can be

done to contain and minimize

the attack?

*Verizon DBIR 2014

Percent of breaches where time to compromise (red)/time to

discovery (blue) was days or less

100% 75% 50% 25% 2 0 0 4 2 0 0 5 2 0 0 6 2 0 0 7 2 0 0 8 2 0 0 9 2 0 1 0 2 0 1 1 2 0 1 2 2 0 1 3

Time to compromise

Time to discovery

7

Internal Security is Integral to a

Layered Security Approach

What is Recommended

»

Inside-out visibility

»

Internal segmentation

»

Easy deployment

and administration

What is Internal Security?

DMZs, firewalls,

IDS, gateway AV

Protects attacks

from within

Client security

controls

Business Drivers for Internal Security

Business Driver

IT Pain Point

Prevent Business Disruption

•

Stop spread of malware

•

Ensure application and network availability

Revenue & Profitability

•

Reduce costs associated with recovery and remediation

•

Minimize IT activity

9

Too Many Ways In…

Endpoint

Multi-Function

Gateway

Data Center

Cloud

WAN

External Network

(Multi-Megabit)

AV Signature Only Protection Less Trustworthy Networks/Subsidiary Security out of your Control Not every Security App switched on Internet More Customer/Partner Access Security Becomes a Bottleneck

Too Many Point Solutions No Security Agents

“FLAT” Internal

Network Architecture

Internal Network

(Multi-Gigabit)

Too Many Ways In… Rethink Your Architecture

Endpoint

Multi-Function

Gateway

Data Center

Cloud

WAN

AV Signature Only Protection Less Trustworthy Networks/Subsidiary Security out of your Control Not every Security App switched on More Customer/Partner Access Security Becomes a Bottleneck No Security Agents INFW INFW INFW

INFW

_{External Network}

(Multi-Megabit)

Internal Network

(Multi-Gigabit)

Internet Too Many Point Solutions

Internal Network Firewall

100G+ Performance

Ease of Deployment

11

Introducing: Internal Network Firewall (INFW)

Complete Protection– Continuous

inside-out protection against

advanced threats

Easy Deployment – Default

Transparent Mode means no need

to re-architect the network

High Performance – Multi-Gigabit

throughput supports wire speed

East-West traffic

LOCAL SERVERS USER NETWORK DEVICES

To Internet

Core/Distribution Switch Access Switch/VLAN

DISTRIBUTION/

CORE LAYER

ACCESS LAYER

• FortiGate wire intercept using transparent port pair • High speed interface

connectivity • IPS, ATP & App

Internal Network Firewall – How is it different?

Deployment

INFW

NGFW

UTM

DCFW

CCFW

Purpose Visibility & protection for internal segments

Visibility & protection against external threats and internet activities

Visibility & protection against external threats and user activities

High performance, low latency network protection

Network security for Service Providers

Location Access Layer Internet Gateway Internet Gateway Core Layer/DC gateway Various Network Operation

Mode

Transparent Mode NAT/Route Mode NAT/Route Mode NAT/Route Mode NAT/Route Mode

Hardware requirements Higher port density to protect multiple assets, hardware acceleration

GbE and GbE/10 port High GbE port density, integrated wireless connectivity and PoE

High speed (GbE/10 GbE/40 GbE/100) & high port density, hardware acceleration

High speed (GbE/10 GbE/40 GbE, GbE/100) & high port density,

hardware acceleration Security Components Firewall, IPS, ATP,

Application Control

(User-based) Firewall, VPN, IPS, Application Control,

Comprehensive and extensible, client and device integration

Firewall, DDoS protection Firewall, CGN, LTE & mobile security

Other Characteristics Rapid Deployment – near zero configuration

Integration with Advanced Threat Protection

(Sandbox)

Broad WAN connectivity options including 3G/4G/LTE

Firewall Deployment Modes

Deployment

Mode

Deployment

Complexity

Network

Functions

High

Availability

Traffic

Visibility

Threat

Prevention

Network

Routing

High

L3 – L7







Transparent

Low

L1 – L2

_

_

_

Sniffer

Low

_

_

_

_

Transparent mode combines the advantages of

Network Routing and Sniffer mode

INFW – Customer Scenario’s

Existing FortiGate customers

Requirements

»

Protection against advanced threats

Benefits

»

Multi-layered attack prevention

»

Network segmentation prevents spread

of malware

»

Reduced costs with security management

New customers with legacy firewalls

Requirements

»

Application visibility, address weaknesses

in legacy competitive firewalls

Benefits

»

Instant application visibility with default

Transparent Mode deployment

»

Advanced threat protection

»

Network segmentation prevents spread

29

Awards & Certifications Partnerships & Industry

35 Awards

Founded by Fortinet

additional members include Palo Alto Networks, McAfee and Symantec

Fortinet Advantage –

SECURE

Unparalleled Independent 3

rd

_{Party Certification}

Description Fortinet Check Point Cisco Palo Alto

Networks Juniper FireEye

NSS - Firewall NGFW Recommended Recommended Recommended_{& Neutral} Caution Caution x

NSS - Firewall DC Recommended x x x x x

NSS - Breach Detection Recommended x Recommended x x Caution

NSS - WAF Recommended x x x x x

NSS – Next Gen IPS Recommended x Recommended Neutral x x

NSS - IPS (DC) ✔ ✔ _{x x Caution x}

BreakingPoint Resiliency Record High - 95 x x Poor - 53 x x

ICSA Firewall ✔ ✔ x ✔ ✔ x ICSA IPS ✔ ✔ x x x x ICSA Antivirus ✔ _{x x x x x} ICSA WAF ✔ _{x x x x x} VB 100 ✔ _Caution x x x x AV Comparative ✔ _{x x x x x} Common Criteria ✔ ✔ ✔ ✔ ✔ ✔ FIPS ✔ ✔ ✔ ✔ ✔ ✔

31

NGFW

NSS Labs Validates Our Advantage

Fortinet is “Recommended” while top competitors are not

X-axis = TCO per protected Mbps Y-axis = Security Effectiveness Upper right quadrant = “Recommended” Lower left quadrant = “Caution”

The Fortinet Secured Network

Broad Complementary Security Portfolio

FortiDB Database Protectio n FortiClient Endpoint Protection, VPN FortiToken Two Factor Authentication FortiSandbox Advanced Threat Protection FortiClient Endpoint Protection FortiGate NGFW FortiAuthenticator User Identity Management FortiManager Centralized Management FortiAnalyzer Logging, Analysis, Reporting FortiADC Application Delivery Control FortiWeb Web Application Firewall FortiGate DCFW FortiGate Internal NGFW FortiDDoS DDoS Protection FortiMail Email Security FortiGateVM X SDN, Virtual Firewall FortiAP Secure Access Point DATA CENTER BRANCH OFFICE CAMPUS FortiGate Cloud FortiWi Fi UTM FortiGat e Top-of-Rack FortiCamera IP Video Security FortiGate Next Gen IPS

FortiExtender LTE Extension

33

Wide Product Range for Every Segments

MSSP

✔

✔

✔

✔

✔

✔

✔

Carrier

✔

✔

✔

Data Center

/ Cloud

✔

✔

✔

✔

Enterprise

✔

✔

(Branch)

✔

(Branch)

✔

(Branch)

✔

(Campus)

✔

(Campus)

✔

Distributed

Enterprise

✔

✔

✔

✔

✔

✔

✔

SMB

✔

✔

✔

✔

Model

20-90

Series

100

Series

200

Series

300-800

Series

1000

Series

3000

Series

5000

Series

Product

Range

Entry Level

Mid Range

High End

*Key

Hardware

Features

PoE,

Switch,

WiFi

PoE, High Density GE

High

Density

GE

High

Density

GE, 10 GE

10 GE,

40 GE

Chassis &

Blades

Per Minute

25,000

Spam emails intercepted

390,000

Network Intrusion Attempts resisted

83,000

Malware programs neutralized

160,000

Malicious Website accesses blocked

59,000

Botnet C&C attempts thwarted

39 million

Website categorization requests

Per Week

47 million

New & updated spam rules

100

Intrusion prevention rules

2 million

New & updated AV definitions

1.3 million

New URL ratings

8,000

Hours of threat research globally

Total Database

170

Terabytes of threat samples

17,500

Intrusion Prevention rules

5,800

Application Control rules

250 million

Rated websites in 78 categories

173

Zero-day threats discovered

Fortinet Advantage –

SECURE

35

The Fortinet Advantage

Best multi-layered protection on the market

Best performance for internal protection

Out-of-the-box Transparent Mode for