Internal Network Firewall (INFW)
Protecting your network from the inside out
Ted Maniatis, SE Central Canada, Fortinet Technologies
Data Connectors 2015
Copyright Fortinet Inc. All rights reserved.

Agenda
» Internal Security Threats and Challenges
» Introducing Internal Network Security
» Meeting Customer Requirements
» INFW Deployment
» Customer Scenarios
» The Fortinet Advantage

A Global Leader and Innovator in Network Security
Fortinet Quick Facts (based on Q4 and FY 2014 data)
» Founded November 2000, 1st product shipped 2002, IPO 2009
» HQ: Sunnyvale, California
» Employees: 3000+ worldwide
» Global presence and customer base
  » Customers: 225,000+
  » Units shipped: 1.9+ Million
  » Offices: 80+ worldwide
» Platform Advantage built on key innovations
  » FortiGuard: industry-leading threat research
  » FortiOS: tightly integrated network + security OS
  » FortiASIC: custom ASIC-based architecture
» Market-leading technology: 196 patents, 162 pending
» Consistent growth, gaining market share
» Strong positive cash flow, profitable
[Charts, 2003 to 2014; labels: Revenue $770M, $13M, ~$1B Cash, $16M]

Fortinet Advantage - GLOBAL Platform
FortiOS Enables Networking & Security Convergence, Security Consolidation
» Single management console
» Common platform across all size deployments
» Deploy what you need, where you need it
» Platform functions (diagram labels): Management; Firewall; VPN; Application Control; IPS; Web Filtering; Anti-malware; WAN Acceleration; Data Leakage Protection; WiFi Controller; Advanced Threat Protection; SaaS Gateway
» Consistent, coordinated policy
» Consolidated infrastructure
» Faster and more robust response to threats, decreased risk exposure
» Lower admin burden, easier to maintain infrastructure
» Frees up IT resources to be reallocated to strategic projects
» Fewer user complaints

Advanced Threats Take Advantage of the Flat Internal Network
» Existing firewalls focused on the border
» Internal network no longer trusted
» Many ways into the network
» Once inside, threats can spread

Time to Discovery of a Breach is Not Keeping Up
» Wide gap between percentages for the two phases
» Time to compromise accelerating faster than discovery
» Once inside, what can be done to contain and minimize the attack?
[Chart: Percent of breaches where time to compromise (red)/time to discovery (blue) was days or less, 2004 to 2013. Source: Verizon DBIR 2014]

Internal Security is Integral to a Layered Security Approach
What is Recommended
» Inside-out visibility
» Internal segmentation
» Easy deployment and administration
What is Internal Security?
» DMZs, firewalls, IDS, gateway AV
» Protects against attacks from within
» Client security controls

Business Drivers for Internal Security
Business Driver | IT Pain Point
Prevent Business Disruption | Stop spread of malware; ensure application and network availability
Revenue & Profitability | Reduce costs associated with recovery and remediation; minimize IT activity
Regulatory Compliance | Ensure confidentiality / integrity of information

[Diagram: flat internal network]
» Labels: Too Many Ways In; Security Becomes a Bottleneck; Data Center; Cloud; AV Signature Only Protection; Security out of your Control; Endpoint; Internal Network (Multi-Gigabit); FLAT Internal Network Architecture; External Network (Multi-Megabit); Too Many Point Solutions; Internet; No Security Agents; Multi-Function Gateway; Not every Security App switched on; More Customer/Partner Access; WAN; Less Trustworthy Networks/Subsidiary

Rethink Your Architecture
[Diagram: internal network with INFW shown at four points]
» Labels: Too Many Ways In; Security Becomes a Bottleneck; Data Center; Cloud; AV Signature Only Protection; Security out of your Control; Internal Network (Multi-Gigabit); External Network (Multi-Megabit); Too Many Point Solutions; Endpoint; Internet; No Security Agents; Multi-Function Gateway; Not every Security App switched on; More Customer/Partner Access; WAN; Less Trustworthy Networks/Subsidiary
» Internal Network Firewall: 100G+ Performance; Ease of Deployment; Protection

Introducing: Internal Network Firewall (INFW)
» Complete Protection: Continuous inside-out protection against advanced threats
» Easy Deployment: Default Transparent Mode means no need to re-architect the network
» High Performance: Multi-Gigabit throughput supports wire speed East-West traffic
[Diagram labels: DISTRIBUTION/CORE LAYER; To Internet; Core/Distribution Switch; LOCAL SERVERS; ACCESS LAYER; Access Switch/VLAN; USER NETWORK DEVICES; FortiGate wire intercept using transparent port pair; High speed interface connectivity; IPS, ATP & App Control]

Internal Network Firewall: How is it different?
Deployment: INFW
» Purpose: Visibility & protection for internal segments
» Location: Access Layer
» Network Operation Mode: Transparent Mode
» Hardware requirements: Higher port density to protect multiple assets, hardware acceleration
» Security Components: Firewall, IPS, ATP, Application Control (User-based)
» Other Characteristics: Rapid Deployment near zero configuration
Deployment: NGFW
» Purpose: Visibility & protection against external threats and internet activities
» Location: Internet Gateway
» Network Operation Mode: NAT/Route Mode
» Hardware requirements: GbE and GbE/10 port
» Security Components: Firewall, VPN, IPS, Application Control
» Other Characteristics: Integration with Advanced Threat Protection (Sandbox)
Deployment: UTM
» Purpose: Visibility & protection against external threats and user activities
» Location: Internet Gateway
» Network Operation Mode: NAT/Route Mode
» Hardware requirements: High GbE port density, integrated wireless connectivity and PoE
» Security Components: Comprehensive and extensible, client and device integration
» Other Characteristics: Broad WAN connectivity options including 3G/4G/LTE
Deployment: DCFW
» Purpose: High performance, low latency network protection
» Location: Core Layer/DC gateway
» Network Operation Mode: NAT/Route Mode
» Hardware requirements: High speed (GbE/10 GbE/40 GbE/100) & high port density, hardware acceleration
» Security Components: Firewall, DDoS protection
» Other Characteristics: High Availability
Deployment: CCFW
» Purpose: Network security for Service Providers
» Location: Various
» Network Operation Mode: NAT/Route Mode
» Hardware requirements: High speed (GbE/10 GbE/40 GbE, GbE/100) & high port density, hardware acceleration
» Security Components: Firewall, CGN, LTE & mobile security
» Other Characteristics: High Availability

Firewall Deployment Modes
Columns: Deployment Mode; Deployment Complexity; Network Functions; High Availability; Traffic Visibility; Threat Prevention
» Network Routing: Deployment Complexity High; Network Functions L3 L7
» Transparent: Deployment Complexity Low; Network Functions L1 L2
» Sniffer: Deployment Complexity Low
Transparent mode combines the advantages of Network Routing and Sniffer mode

INFW Customer Scenarios
Existing FortiGate customers
» Requirements
  » Protection against advanced threats
» Benefits
  » Multi-layered attack prevention
  » Network segmentation prevents spread of malware
  » Reduced costs with security management
New customers with legacy firewalls
» Requirements
  » Application visibility, address weaknesses in legacy competitive firewalls
» Benefits
  » Instant application visibility with default Transparent Mode deployment
  » Advanced threat protection
  » Network segmentation prevents spread of malware

Fortinet Advantage SECURE
FortiGuard Labs Is An Industry Leader in Threat Research
» Awards & Certifications
» Partnerships & Industry
» 35 Awards
» Founded by Fortinet; additional members include Palo Alto Networks, McAfee and Symantec

Unparalleled Independent 3rd Party Certification
Description | Fortinet | Check Point | Cisco | Palo Alto Networks | Juniper | FireEye
NSS - Firewall NGFW | Recommended | Recommended | Recommended & Neutral | Caution | Caution | x
NSS - Firewall DC | Recommended | x | x | x | x | x
NSS - Breach Detection | Recommended | x | Recommended | x | x | Caution
NSS - WAF | Recommended | x | x | x | x | x
NSS Next Gen IPS | Recommended | x | Recommended | Neutral | x | x
NSS - IPS (DC): x x Caution x
BreakingPoint Resiliency | Record High - 95 | x | x | Poor - 53 | x | x
ICSA Firewall: x x
ICSA IPS: x x x x
ICSA Antivirus: x x x x x
ICSA WAF: x x x x x
VB 100: Caution x x x x
AV Comparative: x x x x x
Common Criteria
FIPS
Contains results from the latest published NSS Labs reports. X = did not participate, not certified

NSS Labs Validates Our Advantage
Fortinet is Recommended while top competitors are not
[Charts: NGFW; Breach Detection. X-axis = TCO per protected Mbps; Y-axis = Security Effectiveness; upper right quadrant = Recommended; lower left quadrant = Caution]

The Fortinet Secured Network
Broad Complementary Security Portfolio
[Diagram zones: DATA CENTER; CAMPUS; BRANCH OFFICE]
» FortiAuthenticator: User Identity Management
» FortiManager: Centralized Management
» FortiAnalyzer: Logging, Analysis, Reporting
» FortiGate Cloud
» FortiADC: Application Delivery Control
» FortiWeb: Web Application Firewall
» FortiGate: Next Gen IPS
» FortiGate: DCFW
» FortiGate VMX: SDN, Virtual Firewall
» FortiGate: Top-of-Rack
» FortiDB: Database Protection
» FortiGate: Internal NGFW
» FortiAP: Secure Access Point
» FortiSandbox: Advanced Threat Protection
» FortiDDoS: DDoS Protection
» FortiMail: Email Security
» FortiClient: Endpoint Protection
» FortiGate: NGFW
» FortiWiFi: UTM
» FortiClient: Endpoint Protection, VPN
» FortiToken: Two Factor Authentication
» FortiExtender: LTE Extension
» FortiCamera: IP Video Security
» FortiVoice: IP PBX Phone System

Wide Product Range for Every Segment
» Segments: MSSP; Carrier; Data Center / Cloud; Enterprise; Distributed Enterprise; SMB
» Deployment labels: Branch; Campus
» Product range: Entry Level; Mid Range; High End
» Models: 20-90 Series; 100 Series; 200 Series; 300-800 Series; 1000 Series; 3000 Series; 5000 Series
» Key hardware features*: PoE, Switch, WiFi; PoE, High Density GE; High Density GE; High Density GE, 10 GE; 10 GE, 40 GE; Chassis & Blades
* May be available as hardware variants

Fortinet Advantage SECURE
FortiGuard Labs Threat Research (based on Q1 2015 data)
Per Minute
» 25,000 Spam emails intercepted
» 390,000 Network Intrusion Attempts resisted
» 83,000 Malware programs neutralized
» 160,000 Malicious Website accesses blocked
» 59,000 Botnet C&C attempts thwarted
» 39 million Website categorization requests
Per Week
» 47 million New & updated spam rules
» 100 Intrusion prevention rules
» 2 million New & updated AV definitions
» 1.3 million New URL ratings
» 8,000 Hours of threat research globally
Total Database
» 170 Terabytes of threat samples
» 17,500 Intrusion Prevention rules
» 5,800 Application Control rules
» 250 million Rated websites in 78 categories
» 173 Zero-day threats discovered
Image: threatmap.fortiguard.com

The Fortinet Advantage
» Best multi-layered protection on the market
» Best performance for internal protection
» Out-of-the-box Transparent Mode for easy deployment