Fortinet Unified Access Layer Architecture A FORTINET SOLUTION GUIDE www.fortinet.com
Introduction to Wireless Security Broad adoption of IEEE 802.11n has created a complex Wi-Fi landscape with proliferating mobile devices and applications. It is no longer sufficient to treat all Wi-Fi users and applications alike and there is a compelling need to deploy and enforce WLAN control policies. Fortinet offers the only business-grade Wi-Fi solution in the industry today, which addresses these myriads of challenges: Identifies business applications and controls their usage Applies full UTM policies to both wired and wireless data Brings maximum productivity with fair-use enforcement Empowers identity-driven policies without complexity Introduces simplicity via single pane of glass management Provides deployment flexibility with low TCO Growth of Wireless LANs The increasing popularity of mobile devices and the need for cost reduction are driving Wireless LAN (WLAN) adoption. In-stat research forecasts that mobile handset shipments with Wi-Fi capability will achieve 50% CAGR from 2009 to 2013. In addition, organizations have embraced a wireless edge design to drive down the cost associated with edge switches and wiring. The ratification of the IEEE 802.11n wireless standard is the catalyst for new enterprise adoption since the new standard provides better coverage and fivefold performance increase over legacy wireless outperforming wired Fast Ethernet LANs. 3500 Enterprise Wireless LAN Market Size Forecast $1B TAM Increase due to IPad VALUE ($BILLIONS) 3000 2500 2000 1500 1000 500 TIMESTAMP (SECONDS) TRANSMIT RATE RECIEVE RATE REGION NORTH AMERICA EMEA Asia-Pacific LATIN AMERICA WORLDWIDE 0 2008 2009 2010 2011 2012 2013 2014 YEAR
Choice of Architectures There are two leading Wi-Fi architectures today. One is called Thick APs and the other is referred to as Thin APs. The use of a thick or thin AP Wi-Fi architecture depends on the service needs. Thick AP refers to a wireless access point or Wireless Termination Point (WTP) that autonomously switches packets between wired and wireless domains. Each Thick AP is a standalone device responsible for authentication, encryption and applying access control policies. Each Thick AP requires independent management, or management via a centralized network management application. All-in-one, Thick APs are ideal for locations such as small office or retail shops requiring smaller service area. A Thin AP provides the same features as a Thick AP, but in a distributed fashion to provide greater service area. The Thin AP simply passes wireless network traffic to the switch/controller, performing few complex tasks locally. This capability will enable all the Thin APs to delegate all the authentication, security processing, channel assignment, transmitter power level and rogue AP detection to the centralized wireless LAN controller which decreases management complexity and reduces overall cost of deployment. As the size of service area increases, you can deploy additional Thin APs and connect them to the existing Controller. Thin APs require a centralized wireless controller for management, and are ideal for locations requiring greater coverage and capacity than a single Thick AP can deliver. The Need for Comprehensive Wireless LAN Security Independent of the type of architecture used for access points, WLANs face many threats that strong authentication and link encryption do not address. Because wireless is a shared medium, it is more prone to malicious attacks such as de-authentication broadcasts, evil twin access point (AP) / Honeypot. Also, it is possible for one user s high usage of application traffic to reduce the bandwidth available to all other users. Therefore you need to implement the same protection mechanisms, that you deploy ubiquitously on your WAN gateway, on your wireless LAN as well. Also, in response to these threats, regulators and standards bodies like the PCI Security Standards Council have created wireless data protection requirements. Failure to comply with those standards can result in significant penalties and/or loss of customer trust due to exposure of protected data.
Unified Access Layer Architecture There is one policy for how data should be treated in your organisation, and that policy rules certain parameters according to who the user is and what applications they are using. This requires instituting the single pane of glass management view across wired and wireless resources, as mentioned earlier. The opportunity here is for greater consolidation of networking elements, providing simplicity and scalability through deployment flexibility with low cost of ownership. Sometimes piecemeal solutions work when money is no object. In reality, budgets are limited, resources are scarce and networks evolve over-time. It is typically unavoidable that WLAN is an overlay solution, in the sense that it is added to the rest of the network, though this doesn t prevent it being able to behave as though were a designed piece from inception. Given the limitation of power budget and rack space in corporate networks, wireless solutions must avoid adding a large burden. For example, in a truly businessgrade WLAN; the controller may be the existing firewall or UTM device already installed in the network. These devices are designed to handle large amount of information and therefore there is reserve processing and storage capacity that may be utilised by the business-grade WLAN. Utilizing existing installed base of network devices, inadvertently reduces cost and complexity and lends itself to a more scalable architecture. Fortinet's Unified Access Layer Solution As described previously, the Unified Access Layer architecture will simplify the LAN connectivity/security for both wired and wireless networks. It is actually based on 4 key pillars exploiting common: Firewall and application policies User Management Logging and reporting Configuration and provisioning The Fortinet Unified Access Layer Solution is represented Fig 1. It is a combined set of products circulated around the FortiGate and the FortiAPs, which are the core products. Based on the size of the network and architecture FortiAuthenticator, FortiAnalyzer and FortiManager complements the core products for delivering a full and comprehensive solution. Figure 1: Fortinet Unified Access Layer Solution
Core Products FortiGate and FortiAPs are the core products of the Fortinet Unified Acess Layer Architecture. FortiGate Network Security Platform: Security Management + Wireless Controller The FortiGate consolidated security platforms can act as wireless controllers, significantly reducing the cost and complexity of deploying secure WLANs. FortiGate platforms enable the integration of both wired and wireless traffic into a single management console, giving you a single pane of glass management interface of your network. FortiGate platforms provide complete content protection against network, content, and application-level threats. These high-performance, low-latency devices ensure that your network security does not become a network bottleneck. FortiGate platforms incorporate sophisticated networking features, such as high availability (active/active, active/passive) for maximum network uptime, and virtual domain (VDOM) capabilities to provide multi-tenant support for subscriber-based environments or greater internal segmentation of data for policy compliance. FortiWiFi is a FortiGate, ranging from the FortiWiFi-20C to the FortiWiFi-81CM. The FortiWiFi security appliances with Thick AP capabilities,. These Thick AP devices offer a range of performance and features, including high-speed 802.11n support and WAN communications via optional wireless broadband access and dial-up modems. The FortiWiFi consolidated security platforms deliver comprehensive enterprise-class protection for smaller locations at an affordable price. They make it easy to protect smaller locations, branch offices; customer platforms integrated set of essential security technologies, you can deploy a single device that protects all of your applications and data. The simple per-device pricing, integrated management console, and remote management capabilities significantly reduce the costs associated with deploying and managing complete content protection. Each FortiWiFi model is capable of broadcasting up to seven SSIDs or Virtual Access Points (VAPs) enabling multi-tenant environments in a single device. Each VAP appears a separate virtual interface on the FortiWiFi device, enabling the application of separate firewall and user policies to the traffic. FortiAp Wireless Security: Secure Business-Grade Wireless Deploying FortiAPs with a FortiGate gateway acting as a wireless controller enables FortiAPs to homerun their client traffic directly to the FortiGate device. In this overlay network the wireless traffic bypasses the LAN and terminates at the FortiGate for security processing and routing, which ensures that traffic, undergoes threat removal and policy examination before it s allowed back on the LAN. Fortinet is the only company to provide wireless controller options for any size environment and use case, from small offices and remote branch offices to headquarters for very large enterprises, as well as service providers and telecommunications carriers. FortiGate platforms protect a majority of the Fortune Global 500, as well as tens of thousands of smaller organizations around the world. Each FortiAP can support up to seven SSIDs per radio and these SSIDs show up as separate interfaces on the FortiGate, enabling multi-tenant environments in an Access Point. This architecture allows for the easy application of security policies from a single FortiGate platform, whether a single set of policies applied all SSIDs or unique policies applied separately to each SSID.
FortiAuthenticator Two Factor Authentication: Centralized Identity Management FortiAuthenticator is a centralized user authentication and management service providing various methods of validating the true identity of a user before allowing the access to the requested service making the solution ideal for deployment within small to medium enterprises. Authentication methods include local LDAP and RADIUS or integration with an existing directory service. These methods can be incremented with either time or certificate based two-factor authentication. FortiAuthenticator will provide as well the self-user registration capabilities and is also available as a Virtual machine (VM). FortiAnalyzer Logging & Reporting: Centralized Reporting System FortiAnalyzer platforms integrate network logging, analysis, and reporting into a single system, delivering increased knowledge of security events throughout your network. They provide organizations of any size with centralized security event analysis, forensic research, reporting, content archiving, data mining, malicious file quarantining and vulnerability management. Centralized collection, correlation, and analysis of geographically and chronologically diverse security data from Fortinet appliances and third-party devices deliver a simplified, consolidated view of your security posture. The FortiAnalyzer family minimizes the effort required to monitor and maintain acceptable use policies, as well as identify attack patterns to help you fine tune your policies. In addition, FortiAnalyzer platforms provide detailed data capture for forensic purposes to comply with policies regarding privacy and disclosure of information security breaches. FortiAnalyzer is available as an appliance and as a Virtual Machine (VM). FortiManager Centralized Management: Centralized Management System FortiManager centralized management appliances deliver the essential tools needed to effectively manage your Fortinet-based security infrastructure. Whether deploying several or thousands of new devices and agents, distributing updates, or installing security policies across managed assets, FortiManager appliances drastically reduce management costs and overhead. Device discovery, group management, auditing facilities, and the ability to manage complex mesh and star VPN environments are just a few of the timesaving features that FortiManager appliances offer. Complemented by the FortiAnalyzer centralized logging and reporting appliance, FortiManager provides a comprehensive and powerful centralized management solution for your organization. FortiManager appliances can scale to manage thousands of Fortinet devices and agents. Groups of devices and agents, along with their administrators, form the FortiManager concept of Administration Domains (ADOMs). Within an ADOM, an administrator has the ability to create policy packages, folders, and objects that can be shared between all the FortiGate devices in the local ADOM. In the Global ADOM of FortiManager, global policies and objects can also be assigned and applied to sub ADOMs. Whether you are managing one or one thousand ADOMs, FortiManager appliances always provide effective and efficient management of your Fortinet assets. FortiManager is available as an appliance and as a Virtual Machine (VM).
Why Fortinet Unified Access Layer Solution? Fortinet is the only vendor providing a full and comprehensive solution delivering Highest security Thanks to its FortiGate platform, Fortinet is recognized by IDC as the worldwide #1 on the UTM (Unified Threat Management) market and by Gartner as the leader in their UTM magic quadrant. As the FortiGate platform is at the core of the Unified Access layer solution, it provides the highest level of security, integrity and management on both the wire and wireless LAN areas. Fig 2. Right sized solution for your deployment The broad range of FortiGate, FortiAuthenticator, FortiAnalyzer and FortiManager platforms (all available as virtual machine too), ranging from low-end towards mid-range and High-End, enable our customers choosing the right solution based on their needs. Simplified Management Many vendors are offering a Unified Access Layer Solution adding products from different third party suppliers. This brings complexity in terms of configuration, interoperability, troubleshooting and keeps increasing the TCO. Fortinet is dramatically reducing all of these thanks to its different platforms. Figure 2: How The FortiGate Platform Simplifies And Unifies All Aspects Of Security
Fortinet Secure Business Grade Wireless LAN Fortinet pioneered the concept of a single security platform providing a wide range of integrated security technologies. This integrated approach addresses the fundamental challenges of deploying multiple layers of protection: They are complex and costly to deploy and manage. When adding so many layers of security, your network performance will degrade, due to the redundant processing. The result is that your network security becomes your network bottleneck. We pioneered our solution to address all these security and management issues, while also lowering cost and delivering faster network performance We utilize one appliance to deliver a robust set of security features, while also providing better performance We couple our security features with a set of services, called FortiGuard, to provide industry leading real-time security intelligence and protection We have a differentiated technology platform based on custom hardware and custom software specifically engineered to efficiently tackle IT security tasks All this allows us to lower our products total cost of ownership (TCO) and just make everything easier to use while improving performance Fortinet added the Wi-Fi controller capabilities to the FortiGate, which makes it the single and unique to deliver security services both on the wired and wireless side. Fortinet consolidated security platforms deliver fully integrated security technologies in a single device, delivering increased performance, improved protection, and reduced costs. They act as a wireless controller while providing firewall, VPN, intrusion prevention, application control, web filtering and many other security and network technologies. There are FortiGate platforms for every size of network, from small offices to large enterprises and service providers. By simply connecting the FortiAPs to the FortiGate, our customers can deploy a Secure Business Grade Wireless LAN very easily and rapidly. Most of the Business Grade Wireless features are inherited from the FortiGate itself and thus applicable both on the wired and wireless side. Figure 3 highlights the combination of FortiAPs and FortiGate to deliver Business-Grade Wireless capabilities. Figure 3: Fortinet's Business-Grade Wireless
The Benefits of Fortinet Business-Grade Wireless Once a user connects to the wireless network, his connection will go through different steps to make it fully secured for himself and the network. Captive Portal, 802.1x Radius /shared key Assign users and devices (BYOD) to their role Examines wireless traffic to remove threats Identify applications and destinations of interest Truly stateful firewall controls users and applications Ensures business traffic has right of way Reports on policy violations, application usage, destinations, and PCI DSS BYOD (Bring Your Own Device) As mentioned before the growth of Wireless LANs is driven by the proliferation on mobile devices and applications. This includes tablets and smartphones. Often they are personal devices or even corporate but employees are bringing them back home. Home is usually not a secure environment and those type of devices can be considered as such. The Fortinet Secure Business Grade Wireless allows the setting of firewall policies based on the device and Operating System type. For example, granting access to resources or bandwidth limitation based on the type of device or operating system is possible. This can be extended to the type of application as well.
PCI DSS Compliance Rogue APs can pose a threat to your internal network by creating a leakage point where a malicious user can steal confidential, regulated, or proprietary data. For this reason, industry policies such as PCI-DSS mandate the regular scanning for suspicious or unknown APs. The goal of the FortiGate Rogue AP detection engine is to automate this scanning process and provide the ability for FortiWiFi and FortiAP system administrators to continuously monitor for unknown APs and also to determine if unknown APs are on the network. FortiGate/FortiWiFi and FortiAPs are addressing the requirements to mitigate the threat that rogue APs pose to the integrity of their credit card transaction system. The simplest and most cost effective method to address this risk is to use an automated monitoring system. For example, both FortiWiFi-60C platforms and FortiAP devices provide dual band radios that operate on both the 2.4 GHz and 5 GHz bands to seek out other APs. After identifying the APs by MAC address and manufacturer type, the Fortinet devices use wireless and onwire correlation technique to seek out wireless devices connected to the retail network. The Fortinet devices flag these APs with a high severity on-wire syslog message and transmits it to an upstream log aggregation device and/or the FortiAnalyzer centralized analysis and reporting system. Once alerted of the presence of the device at the retail location, the IT staff can physically remove the rogue AP from the network. Fortinet s Rogue AP detection capability supports the following features: Dedicated or background Air Monitor scans for unknown APs and wireless client traffic. Unknown APs MAC address, Manufacturer, Security profile of AP, speed, last seen and on-wire status are all shown in the FortiOS Rogue AP detection table. The on-wire detection engine uses various correlation techniques to determine whether the unknown AP is connected to the FortiWiFi or FortiAP wireless LAN. If the engine finds that AP is on the LAN, a log message is generated in real time to inform system administrators. The correlation engine constantly compares wireless client traffic to wired client traffic to determine if a client using an unknown AP is communicating through a FortiGate device. This technique can detect an AP operating as a bridge regardless of wireless security settings and encryption and authentication levels. Another technique correlates wireless and wired MAC addresses to detect Layer-3 APs regardless of security settings and NAT configuration. Administrators can manually classify unknown APs as trusted or untrusted. The FortiAnalyzer Logging & Reporting Centralized Reporting System provides detailed information on theno status of your wireless infrastructure: Summary of access points by category List of rogue access points by category List of all managed access points PCI Compliance Rogue Access Point on-wire detection and mitigation capability Special dual radio AP for simultaneous Security and Client Access Local vulnerability scanning with central report aggregation
FortiAP Wireless Access Points Enterprises are looking to increase productivity through uninterrupted access to applications and resources, without compromising security and agility. You want to increase visibility and control of your wireless network traffic by enforcing the same policies as your wired network and eliminate potential blind spots. You also need a solution that helps you meet compliance by proactively blocking unauthorized access all while providing tools for business continuity by following industry best practices. Integrated Wireless Security and Access Solution Fortinet s FortiAP wireless thin access points deliver secure, identity-driven WiFi client access that creates a fortified WLAN network. Centrally managed by a FortiGate or FortiWiFiTM platform with its integrated Wireless Controller, FortiAPs allow you to deploy a comprehensive, integrated security solution for your wireless and wired networks. By acting as a Wireless Controller, FortiGate or FortiWiFi security platforms enable you to deploy the comprehensive protection of the industry leader in enterprise unified threat management (UTM) in overlay architecture, thus leveraging your current investment. Industry-Leading Wireless Technology FortiAP wireless access points are IEEE 802.11a/b/g/n standards-based, and operate on both 2.4 GHz b/g/n and 5 GHz a/n spectrums. They utilize industry leading wireless chip technology that takes advantage of 2x2 MIMO (multiple input multiple output) with dual transmit streams. This MIMO technology allows the FortiAP to reach wireless association rates as high as 300Mbps per radio and enables the coverage to extend twice as far as legacy 802.11a/b/g. Each FortiAP can support up to eight SSIDs per radio--seven for client access and one for scanning for rogue access points. They also use multiple discovery techniques to find available FortiGate controllers over L2 or L3 networks. Example of FortiAP Deployment
FortiAP-210B The FortiAP-210B is a durable, business-grade 802.11n solution that provides you with up to 300 Mbps of total throughput for demanding use cases. It uses a single radio dual-band (2.4 GHz and 5 GHz) with 2x2 MIMO technology. The FortiAP-210B is an enterprise-grade AP that not only provides speedy client access but also offers intelligent application detection and traffic shaping capabilities. Two (2) internal antennas support IEEE 802.11a, b, g and n wireless standards. The access point is capable of continuous air monitoring for rogue AP detection or delivering high throughput traffic to Wi-Fi clients. Unlike traditional airtime fairness algorithms that are not Business application aware, the FortiOS engine can perform deep L7 packet inspection to accelerate business applications, slow down non-priority traffic, and remove malware. When used as a dedicated AP with background scan or as a dedicated air monitor, the FortiAP-210B will help you meet PCI compliance requirements. FortiAP-220B The FortiAP-220B is a durable, business-grade high performance 802.11n solution that delivers up to 600 Mbps of total throughput. It uses a dual concurrent frequency (2.4 GHz and 5 GHz) with 2x2 MIMO technology designed for demanding use cases for any indoor deployment. The FortiAP-220B has 4 antennas which enable it to provide concurrent operations on both 2.4 GHz and 5 GHz frequencies supporting 802.11a, b, g and n. The access point is capable of continuous air monitoring for rogue AP detection while delivering high throughput traffic to Wi-Fi clients. Fortinet offers industry s largest selection of WLAN controllers for all thin access points including the FortiAP- 220B. Moreover, these controllers provide a unified wired and wireless console, giving you a single pane of glass management solution while reducing the total cost of ownership. The FortiAP-220Bis an enterprisegrade AP that not only provides uninterrupted client access but also offers intelligent application detection and traffic shaping capabilities. FortiAP-221B The FortiAP-221B is a concealable 802.11a/b/g/n wireless access point. When paired with the FortiGate embedded wireless controller, it can deliver up to 600 Mbps of secure business-grade wireless throughput. The FortiAP-221B features dual-concurrent radios that are ideal for demanding client access for indoor deployments. The FAP-221B is specially designed with PCI-DSS security compliance in mind. One radio can be configured to automatically switch between 2.4 GHz and 5 GHz frequencies, while the second radio delivers uninterrupted high throughput access to Wi-Fi clients. The FAP-221B sports the latest generation of wireless hardware, enabling advanced 802.11n technologies and features. These features include Low-Density Parity Check (LDPC) encoding, Maximum Likelihood Demodulation/Maximum Ratio Combining (MLD/MRC), and Transmit Beam Forming (TxBF). The end result is an impressive increase in performance and coverage.
FortiAP-222B The FortiAP-222B is an enterprise-grade outdoor wireless access point, suitable for challenging environmental conditions including extreme temperatures, contaminated zones and humid conditions. It is designed for all types of outdoor applications including golf courses, resorts, warehouses, stadiums, weather monitoring sites and refineries. Four (4) external antennas allow the FortiAP-222B to operate concurrently on 2.4 GHz and 5 GHz frequencies, providing support for IEEE 802.11a, b, g and n wireless standards. The access point provides continuous air monitoring for rogue AP detection, intelligent application detection and traffic shaping capabilities. Unlike traditional airtime fairness algorithms that are not Business application aware, the FortiOS engine can perform deep L7 packet inspection to accelerate business applications and slow down unwanted traffic and remove malware. When used as a dedicated AP with background scan or as a dedicated air monitor, the FortiAP-222B will help you meet PCI compliance requirements. FortiAP Common Product Features & Benefits Scalable Hardware Platform Indoor Deployments Two radios provide simultaneous 802.11a/b/g/n connections with high throughput* Support for 802.3af PoE or standard power adapter Security Simultaneous rogue AP detection, monitoring and control (suppression) as well as client access Support for 2-factor authentication with FortiToken WPA and WPA2, 802.11i, WEP, 802.1X, PSK Encryption: AES:CCMP, TKIP, and RC4 (WEP only) Intra-SSID privacy Wireless Multimedia Extensions (WME) with 4 QoS priority queues for voice, video, data & background traffic WME power save (U-APSD) Traffic Control Layer 7 traffic prioritization for business-grade application performance guarantees Fast roaming for uninterrupted Wi-Fi connectivity and VOIP over WLAN operations 2 dedicated SSIDs (1 per radio) for monitoring* Centralized management with FortiManager Centralized reporting with FortiAnalyzer Global profile management WME with 4 priority queues for voice, video, data and background traffic Distributed Automatic Radio Resource Provisioning (DARRP) No dependency on client software or hardware Fully utilizes available spectrum Reduces load on the controller Reduces chatter between APs Automatic client channel migration * except FortiGate-210B
FortiAP Product Family Technical Specifications Simple And Flexible Wi-Fi Planning Tools FortiPlanner helps you to estimate the number FortiAP wireless access points (AP) and recommends their placement on your premises for optimum performance. This easy to use windows application allows you to import a your building floor plan, draw the walls and other obstructions that can impede with wireless signal, and places the right number of APs based on the type of wireless. application you choose. The output of the tool is a comprehensive report that can be used to purchase the right number of FAPs as well as maps to aid installation.
Conclusion The Fortinet Unified Access Layer solution delivers the integrated, consolidated security every organization needs to fortify their wireless network security. FortiGate, FortiWiFi and FortiAP security platforms add layers of security to wireless traffic without affecting performance or increasing costs. You can quickly and easily add core security services such as application control, antivirus, intrusion prevention (IPS), web filtering, antispam, and traffic shaping to your network, which reduce your risk of unauthorized access, data loss, or damage to critical systems. FortiGate and FortiWiFi platforms provide the single pane of glass management you need for increased control and visibility of all network traffic. Our robust reporting and analysis tools also help you demonstrate policy compliance and satisfy audit requests. Fortinet delivers complete, end-to-end security, from the mobile endpoint to the network core. Our solutions scale for any size environment, from the SOHO to Headquarters to a global telecommunications provider.
AMERICAS HEADQUARTERS EMEA HEADQUARTERS APAC HEADQUARTERS 1090 Kifer Road Sunnyvale, CA 94086 United States Tel +1.408.235.7700 Fax +1.408.235.7737 120 rue Albert Caquot Sophia Antipolis France 06560 Tel +33.4.8987.0510 Fax +33.4.8987.0501 300 Beach Road 20-01 The Concourse Singapore 199555 Tel +65.6513.3730 Fax +65.6223.6784 www.fortinet.com Copyright 2012 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Nothing herein should be considered a representation, guarantee, warranty or contractually binding provision.