FortiOS 5.4.1 and Security Fabric

Copyright Fortinet Inc. All rights reserved.


Agenda

Emerging threats and Security Fabric with FortiOS 5.4.1

Application Protection (WCCP FML, FWB, FAD, FCH)

User authentication 2FA

Secure Wireless

Emerging threats and Security Fabric with FortiOS 5.4.1

FortiGate core part of Security Fabric

Traditional solutions: cumbersome and costly
The Fortinet solution: simple and cost-effective

Ransomware - User prompted to pay bitcoins

Advanced Threat Protection

[Diagram: attack stages (Spam, Malicious Email, Malicious Link, Exploit, Malicious Web Site, Malware, Command & Control Center, Bot Commands & Stolen Data) shown against the controls Anti-spam, Web Filtering, Sandbox, Intrusion Prevention, Antivirus, App Control/IP Reputation]

Fortinet Security Fabric Integrated Security Architecture

FortiGate
Next Generation Firewall

FortiSandbox
Advanced Threat Protection

FortiMail
Email Security Gateway

FortiClient
Endpoint Threat Prevention

What is Security Fabric?

What is it?
Where did it come from?
What does it include today?
What's next?

[Diagram: Fortinet Security Fabric; Global Intelligence, Local Intelligence, Client Security, Alliance Partners, IoT, Cloud Security, Application Security, Secure LAN Access, Secure WLAN Access, Network Security]

What is it?

Challenges Today
Many layers
Multiple vendors
No central visibility
No central control
Cloud adoption
Big data
Zero day growth

What is it?

Security Fabric

A need exists for a cohesive set of features that span multiple network hops and work effectively together to simplify security operations and provide the visibility and controls needed at the overall network level.

Core - Must have
FortiGates + FortiAnalyzer

Recommended - Add significant visibility or control
FortiAP, FortiSwitch, FortiClient

Extended - Integrates with fabric, but may not apply to everyone
FortiMail, FortiWeb, FortiDDOS,

What does it include today?

Available in 5.4.1

Integration
FGT + FAZ + AP + Switch + EMS + FCT

Network Visibility
Logical View
Physical View
Endpoint View

Segmentation
Identifying segments
Building policies between segments

What does it include today?

Available in 5.4.1

Telemetry
FortiGate full visibility downstream
FortiClient endpoint host details, applications, vulnerabilities,
controls

Reporting
FortiView short-term on FortiOS, long-term on FortiAnalyzer
Endpoint logging & reporting
Single CSF object for report

What's Next?

Coming Soon

Visibility
More granular maps
Server detection
APs, HA clusters, Mail, Web, etc.

Controls
More segment granularity for policy and reporting
Recommendations to improve visibility or security
Unifying management of the fabric elements

Optimize Traffic Flow
Log-once
Scan-once

Application Protection WCCP integration with FortiGate

Introducing FortiSandbox
Advanced Threat Protection solution designed to identify and thwart the highly targeted and tailored attacks

Advanced Threat Protection
Multi-layered filtering with Code Emulator, AV engine, Cloud query and Virtual OS sandbox
Handles multiple file types, including files that are encrypted or obfuscated
Examines files from various protocols, including those that use SSL encryption

Flexible Operation Modes
Receives file samples through integration with FortiGate/FortiMail, sniffer mode and manual file uploads
Captures files from remote locations using deployed FortiGates

Monitoring and Reporting
Detailed analysis reports and real-time monitoring and alerting

[Diagram: 1 File Submission, 2 Centralized File Analysis, 3 Malicious Analysis output, 4 Latest AV Signature Update]

Introducing FortiMail
Advanced anti-spam and antivirus filtering solution, with extensive quarantine and archiving capabilities.

Specialized messaging security system
Advanced, bi-directional filtering prevents spread of spam, viruses, phishing, worms, and spyware

Flexible deployment options
Transparent, Gateway, and Server modes that adapt to organizational needs and budget

Identity based encryption
Secure, encrypted communication

Email archiving
On-box archiving facilitates policy and regulatory compliance requirements

[Diagram: FortiMail, Mail Servers]

FortiMail

Targeted customers
- Any company size for gateway and transparent mode.
- Mainly SMBs to simplify deployment and combine user mailboxes and
filtering services in a single device.
- For mail encryption services: banks, health care, e-government and
departments such as Accounting, Finance, Legal, HR, IT.

Qualification questions to ask
When do your AV/AS licences expire?
Are you looking at optimizing AV/AS cost?
Do you see sensitive information communicated by email?
Are you looking at securing email to communicate sensitive information?
Are you concerned about data leakage?
Do you need to comply with regulations?
Have you been targeted by a phishing campaign?

Introducing FortiWeb
Web application firewall to protect, balance, and accelerate web applications.

Web Application Firewall
Aids in PCI DSS 6.6 compliance
Protection against OWASP Top 10
Application layer DDoS protection
Auto Learn security profiles
Geo IP data analysis and security

Web Vulnerability Scanner
Scans, analyzes and detects web application vulnerabilities
SQL Injection, XSS

Application Delivery
Assures availability and accelerates performance of critical web applications

[Diagram: FortiWeb, Web Application Servers]

Introducing FortiADC
Optimize the availability, performance and scalability of mobile, cloud and enterprise application delivery

Application Availability
Layer 2/3/4 and 7 load balancing techniques
Application session persistence
Proxy and transparent modes
Global Server Load Balancing (GSLB) for geographic resilience
Link Load Balancing

Application Acceleration
TCP Optimization
Memory based content caching
Data compression
SSL Offload and acceleration

Application Interoperability
Implementation Guides for Microsoft Exchange, Lync, SAP etc.

[Diagram: Web Application Servers]

Introducing FortiCache
Reduce the cost and impact of downloaded content, while increasing performance by improving the speed of access

Web Content Caching
High performance content caching
Explicit or Transparent proxy cache
Integrated FortiGuard Web Filtering

Video Caching
Broad CDN Support
Detects same video ID when content comes from different CDN hosts
Supports seek forwards and backwards in video, detects preceding adverts

WAN Optimization
Bandwidth optimisation across congested WAN links
Interoperates with FortiGate

[Diagram: FortiCache, FortiGuard Network, FortiGuard Web Filtering, Internet]

FortiCache

Content Caching
Reduce network utilization and latency
Reduce costs
Improve user satisfaction

Video Caching
Video uses large amounts of network bandwidth and can be viral, causing repeated viewing
Optimize network use by rebroadcasting locally

WAN Optimization
Improve organization communications
Avoid expensive bandwidth upgrades

Web Security
Prevent users from accessing offensive content
Protect organisation from malicious content
Protect business communications

[Table: Feature / FortiGate / FortiCache, with rows High throughput caching, High volume storage, NAT, Intrusion Prevention, Application Control, AV, Web Filtering, Transparent proxy, Explicit proxy, WAN Optimization, WCCP (FortiGate: L2 & GRE, WCCP Server & Client; FortiCache: L2 & GRE, WCCP Client), caching, Video, Microsoft Updates]

Introducing FortiDDoS (not WCCP integrated)
Hardware Accelerated DDoS Intent Based Defense

Rate Based Detection
High performance protection using ASIC

Self Learning Baseline
Ease Maintenance
Maintain appropriate protection dynamically

Signature Free Defense
Hardware based protection

Inline Full Transparent Mode
No MAC address changes

Granular Protection
Multiple thresholds to detect subtle changes and provide rapid mitigation

[Diagram: Web Hosting Center, FortiDDoS, Firewall, ISP 1, ISP 2, Legitimate Traffic, Malicious Traffic]

User authentication and 2FA

Introducing FortiAuthenticator
Authentication Server
Identity Management, User Access Control and multi-factor identification

Authentication and Authorization
RADIUS, LDAP, 802.1X

Two Factor Authentication
FortiToken
Tokenless, via SMS and email

Certificate Management
X.509 Certificate Signing, Certificate Revocation
Remote Device / Unattended Authentication

Fortinet Single Sign on
Active Directory Polling
RADIUS Integration

[Diagram: FortiAuthenticator, FortiToken, Issuing CA, LDAP User Database]

Introducing FortiToken

2 factor Authentication Token
OATH Compliant Time Based Hardware One Time Password Token

Supports Strong Authentication
IPSEC VPN
SSL VPN
Administrative Login
Captive Web Portal
802.1x Authentication
Web Application Access
SSO

Authentication Platforms
FortiGate (FOS4.3 and later)
FortiAuthenticator (FAC 1.4 and later)

Secure Seed Delivery Options
Online Via FortiGuard
Encrypted file on CD (FTK-200S)
In-house Seed Provisioning Tool (special order)

FTK220 Features

New Form Factor for Time Based OTP Token
Operates the same as the FTK200; activation via FortiGuard, same as FTK200

Flexible, Durable, Light
Fits in wallet like any other card. No need for clunky tokens that crowd your keychain and bulge in your pocket.

Efficient Logistics
The FTK220 token's slim form makes it quick, easy and cheap to ship to end-users anywhere in the world using simple postal letter envelopes.

Tap & Program*
Like FTK200 OTP tokens, the FTK220 is OATH compatible and designed to integrate with FortiGate and FortiAuthenticator out of the box. For use with third party authentication servers, you can tap and program the FTK220 on your own anytime using just your NFC-enabled smart phone or tablet and our FTK220 Programmer app.

Tap & Read*
Typing into a little password field on your phone or tablet can be a headache. That's why we've developed an easy way for you to paste your OTP code directly into a password field. Just tap the card on your mobile device to read it and select the code. Then copy and paste it into the field to sign in. There's no need to type anything ever again.
* Requires NFC-enabled device and FTK220-Edge Programmer app. App is available but not officially supported yet

FTK-220 Specifications

Authentication Standard: IETF RFC6238 time-based OTP
Algorithm: SHA-1 (optional SHA-256 or SHA-512)
OTP Code: 6 digits with time indicator
Time Interval: 60 seconds (optional 30 seconds on request)
Dimension: 66 mm x 42 mm (2.6 in x 1.7 in)
Weight: 4 grams (0.14 oz.)
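
A third party authentication server has to be configured with the same algorithm, digit count and time interval as the token, or valid codes are rejected. The following is an added example, not Fortinet code: an RFC 6238 check using the SHA-1, 6 digit and 60 second values listed above, with the public RFC 4226 test key as a constructed seed; the drift window and replay guard are assumptions of the example.

```python
import hashlib
import hmac
import struct

# Parameters taken from the specification list above.
STEP_SECONDS = 60
DIGITS = 6

# Constructed sample seed: the public RFC 4226 test key, not a real token seed.
SAMPLE_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP keyed on the number of whole steps since the Unix epoch."""
    return hotp(seed, unix_time // step)


def verify(seed, submitted, unix_time, step=STEP_SECONDS, drift_steps=1, last_counter=-1):
    """Return the time-step counter the code matched, or None if it is rejected.

    drift_steps (clock skew tolerance) and last_counter (replay guard) are
    assumptions of this example, not values from the specification.
    """
    if len(submitted) != DIGITS or not submitted.isascii():
        return None
    now = unix_time // step
    matched = None
    for counter in range(max(0, now - drift_steps), now + drift_steps + 1):
        if counter <= last_counter:
            continue  # already accepted once: refuse replay
        # compare_digest keeps the comparison constant-time
        if hmac.compare_digest(hotp(seed, counter), submitted):
            matched = counter
    return matched


if __name__ == "__main__":
    token_code = totp(SAMPLE_SEED, 120)                    # token with a 60 s step
    print(verify(SAMPLE_SEED, token_code, 125))            # validator with a 60 s step
    print(verify(SAMPLE_SEED, token_code, 125, step=30))   # mismatched validator
```

A validator left at a 30 second step rejects the same code because it computes a different counter for the same clock time.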

FortiToken Mobile - Simplicity Without Compromising Security

User approves or denies the login attempt on the mobile device based on login attempt details
Optionally, user can authenticate to the app with Fingerprint or PIN, ensuring no one else can approve a bogus login attempt
App automatically sends the OTP (second factor) to the FAC in the background to complete the auth process, so the user does not have to enter an OTP.

How it works

Login attempt details can be used to defend against phishing
Sample details are:
Username = Joe
App server's account name = Mantis
IP address = 65.56.55.66
Timestamp = June 8 at 12:45PM
Browser Name and Version (from User Agent) = Mobile Safari/4.2.1

[Diagram: End-user, Browser, ExampleWebsite.com, Mobile Device with FTM, FortiAuthenticator]

Secure Wireless

Fortinet Delivers The Only Full and Comprehensive Secure WLAN

FortiGate: Security Mgt + Wireless Controller
FortiAP: Secure Wireless
FortiAuthenticator: Centralized Identity Management
FortiAnalyzer: Centralized Reporting System
FortiSwitch: Secure Wired access
FortiManager: Centralized Management

Building the Secure WLAN

[Diagram: Secure Wireless Access Points; Infrastructure with Integrated Wireless Controller; Security: Secure WLAN Features]

The Secure WLAN Features

No additional licenses needed
Captive Portal, 802.1x Radius / shared key
Assign users and devices to their role
Examines wireless traffic to remove Wi-Fi threats
Identify applications and destinations of interest
True stateful firewall controls users/applications
Ensures Business traffic has right of way
Reports on policy violations, application usage, destinations and PCI DSS

[Diagram: Corporate]
