Fortinet Integrates Wi-Fi into Security Management
Bologna, 14 May 2014 (slide footer date: 20 May 2014)
Giosuè Vitaglione, Channel Accounts Manager
Cell: 340 6245 997, gvitaglione@fortinet.com

Agenda
» Network security: recent developments and risks
» Points of attention for Wi-Fi networks: security
» Questions and answers
» Open discussion
The Fortinet Difference

Scenarios
» Edge or core firewall (NGFW): enterprise campus
» Carrier firewall platform: cloud / carrier
» Data center firewall (core, perimeter, VM): data center
» Branch firewall (NGFW): branch office
» Client firewall (VPN): remote end points
» Unified Threat Management (UTM): distributed enterprise
(Fortinet - Confidential)
Annoyware -> CyberCrime
» IT security market: 30 B USD in 2017 (source: Canalys)

Servers, Personal Computers, and Now Mobile Devices Too
What makes the device a target:
» Connected
» Penetrable
» CPU
» Sensitive information
» Not always updatable
What the attacker gets on a mobile device:
» Personal information
» Billing (premium-rate calls, SMS, etc.)
» Accounts (with billing attached)
» Microphone
» Camera
» Mobile
» Etc.
Mobile Malware

Ransomware on Android
» http://blog.fortinet.com/security-digest--may-10th/
» http://thehackernews.com/2014/05/police-ransomware-malware-targeting.html
Botnet: Torpig / Mebroot

Botnet: ZeroAccess
Example of a DDoS Attack via Web: Slowloris
» What does it target? The web server's pool of concurrent connections, not its bandwidth.
» What type of traffic? Valid server connections: each one is an HTTP request (GET, HEAD or POST) whose header block is sent one line at a time ("X-a: b", ...) and never terminated.
» It's all about the RFC: every partial request is well-formed, so a server with no header-completion deadline keeps the connection open waiting for the rest.

Rogue Wi-Fi Access Point
An access point with a forged identity:
» Pretends to be part of the target Wi-Fi network.
» Open to everyone, advertising an SSID and security settings that look like the target network's.
» Uplink over cellular, wired, or Wi-Fi (second radio).
Characteristics:
» Easy to build.
» Eavesdrops on user traffic.
» Captures sensitive information.
» Leaves no trace on the clients.
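The Slowloris slide above lists the ingredients (GET/HEAD/POST, the "X-a" header, a connection that stays RFC-valid) without showing the mechanism. The following is an added example, not code from the slides or from Fortinet: it generates the byte fragments one Slowloris connection sends, runs them through a simulated server-side header reader with and without a header-completion deadline, and then applies the detection a firewall or web server log review would use (one source holding many header-incomplete connections). The 20-second deadline, the TEST-NET addresses and the connection table are constructed assumptions; no sockets are opened.

```python
"""Slowloris mechanics and the header-completion deadline that defeats it.

Added example, not from the original slides; nothing here opens a socket.
Times are seconds on a fake clock.  The 20 s header deadline used in demo()
is an assumption modelled on common web-server request-timeout settings.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple


def slowloris_fragments(host: str, method: str = "GET") -> Iterator[bytes]:
    """Bytes a Slowloris client trickles over ONE connection.

    The first fragment is a legitimate partial request.  Every later one is
    another harmless-looking header line.  The blank line (CRLF CRLF) that
    ends the header block is never sent, so the request stays RFC-valid but
    incomplete for as long as the server is willing to wait.
    """
    yield (f"{method} / HTTP/1.1\r\nHost: {host}\r\n"
           f"User-Agent: Mozilla/5.0\r\n").encode()
    while True:
        yield b"X-a: b\r\n"


@dataclass
class HeaderReader:
    """Server-side state for one connection's request-header phase.

    deadline: max seconds from the first byte to the end of the header block;
    None reproduces a server with no such limit.
    """
    opened_at: float
    deadline: Optional[float]
    buf: bytearray = field(default_factory=bytearray)
    state: str = "pending"                 # pending | complete | timed_out

    def feed(self, data: bytes, now: float) -> str:
        if self.state == "pending":
            self.buf += data
            if b"\r\n\r\n" in self.buf:
                self.state = "complete"
            else:
                self.expire(now)
        return self.state

    def expire(self, now: float) -> str:
        """Timer callback: close the header phase once the deadline has passed."""
        if (self.state == "pending" and self.deadline is not None
                and now - self.opened_at > self.deadline):
            self.state = "timed_out"
        return self.state


def simulate(fragments: Iterator[bytes], deadline: Optional[float],
             interval: float, duration: float) -> Tuple[str, float]:
    """Deliver one fragment every `interval` s for at most `duration` s.
    Returns (final state, fake-clock time at which it was reached)."""
    reader = HeaderReader(opened_at=0.0, deadline=deadline)
    now = 0.0
    for frag in fragments:
        if reader.feed(frag, now) != "pending":
            break
        now += interval
        if now > duration or reader.expire(now) != "pending":
            break
    return reader.state, now


def slow_sources(conns: List[Tuple[str, str, float]],
                 min_conns: int = 50, min_age: float = 30.0) -> List[str]:
    """Detection side.  conns: (src_ip, header_state, age_s) per open connection.
    Returns sources holding >= min_conns header-incomplete connections that are
    each at least min_age seconds old: one client, hundreds of stalled requests."""
    counts: Dict[str, int] = {}
    for ip, state, age in conns:
        if state == "pending" and age >= min_age:
            counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= min_conns)


def demo() -> Dict[str, object]:
    host = "www.example.com"
    return {
        # a browser finishes its headers in the first segment
        "normal": simulate(iter([f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()]),
                           deadline=20.0, interval=10.0, duration=300.0),
        # no deadline: still pending after five minutes, one worker tied up
        "no_deadline": simulate(slowloris_fragments(host), None, 10.0, 300.0),
        # 20 s deadline: the same connection is dropped at the first timer tick past it
        "deadline": simulate(slowloris_fragments(host), 20.0, 10.0, 300.0),
        # constructed connection table: one TEST-NET-3 client holding 200 stalled
        # requests beside two ordinary clients
        "flagged": slow_sources([("203.0.113.7", "pending", 120.0)] * 200
                                + [("198.51.100.4", "complete", 1.0),
                                   ("198.51.100.5", "pending", 2.0)]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the simulation makes is the one the slide hints at: the server never sees anything malformed, so a content-inspection signature has nothing to match; the defence is a deadline on the header phase (and a per-source cap on half-open requests), which is why the attack is a connection-exhaustion problem rather than a bandwidth one.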
Wi-Fi Network: Challenges for the ICT Manager
1. How do I build or extend my Wi-Fi network? Stable, fast, feature-rich, and secure.
2. How do I manage security on the wired and the wireless network?
3. Can I improve my security in line with my company's real needs?
4. Is there a simple and secure way to implement BYOD?
5. How do I reduce costs?

Ubiquitous Access
Unified access layer: remote access (RAP, VPN client), wired access, and wireless access all pass through the same controls on the way to the digital asset:
» User identification
» Access control
» Content inspection
» Attack mitigation
FortiGate + FortiAP = Unified Access Layer
Instead of an overlay wireless management system, a single management system covering VPN, intrusion prevention, application control, web filtering, WAN optimization, antispam, antivirus, firewall, Wi-Fi controller (FortiGate + FortiAP), and switch.
» Lower cost of acquisition
» Lower cost of ownership
» Improves security provisioning

Fortinet Secure WLAN Approach
No additional licenses needed.
» Captive portal, 802.1X with RADIUS, or shared key for corporate Wi-Fi
» Assign users and devices to their role
» Examine wireless traffic to remove threats
» Identify applications and destinations
» Apply policy to users and applications
» Ensure business traffic has priority
» Report on policy violations, application usage, destinations, and PCI DSS
Single Pane of Glass Management

Rich Wireless Controller Options
» Right-size deployments
» 20+ FortiGate platforms
» From 5 APs / 100 users up to 10,000 APs / 32K users capacity
FortiAP Family: 802.11n and 802.11ac
» Dual radio, dual band; 3x3:3 (resiliency and versatility) and 2x2:2 (performance): FAP-222B, FAP-320C, FAP-320B, FAP-223B, FAP-221B, FAP-221C
» Single radio, 1x1:1 (value): FAP-28C, FAP-14C, FAP-11C, FAP-112B, FAP-210B
» Form factors: remote, outdoor, indoor

FortiAP: Simple and Secure
» VLANs: traffic flows to the controller, giving increased control
» No trunking, no VLAN management at the AP
» No Layer-3 roaming, just fast Layer-2 switching
» No need to re-DHCP when roaming
» Controller redundancy
24/7 On-Wire Rogue AP Detection & Suppression
» Rogue AP detection: determines whether an AP is indeed a rogue device connected to your physical wired LAN
» Rogue AP suppression: deauthentication frames are sent to render unauthorized rogue APs unusable by clients

WIDS: Wireless Intrusion Detection System
Wi-Fi protocol and RF level attack detection. Detection includes attacks and vulnerabilities such as:
» Weak WEP encryption usage
» Null SSID probes
» Deauth broadcasts
» Various management, EAP, auth, and beacon floods
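The rogue access point slide earlier describes the attacker's side (a second AP advertising the corporate SSID), and the two slides above describe the controller's side (deciding whether an unknown AP is actually on the wired LAN, and spotting deauth floods and null-SSID probes). The following is an added example, not Fortinet's implementation, that runs those checks over a constructed 802.11 management-frame capture. The frames, the authorised-AP inventory, the switch MAC table and the thresholds are all made up for illustration. The on-wire test uses a common heuristic: an AP's Ethernet MAC usually sits within a few addresses of its BSSID, so a BSSID "near" a MAC learned on a switch port is treated as wired into the LAN. That is an assumption, not a guarantee, and a real controller corroborates it by injecting probe traffic on the wire.

```python
"""Rogue / evil-twin AP classification and two WIDS checks over a constructed
802.11 management-frame capture.  Added example, not Fortinet code.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class MgmtFrame:
    ts: float                  # capture time, seconds
    subtype: str               # "beacon" | "probe_req" | "deauth"
    src: str                   # transmitter address (the BSSID for beacons)
    dst: str
    ssid: Optional[str] = None
    security: str = ""         # "OPEN", "WPA2-PSK", "WPA2-EAP", ...


def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def classify_aps(frames: List[MgmtFrame], authorised: Dict[str, str],
                 wired_macs: Set[str], span: int = 8) -> Dict[str, dict]:
    """Classify every BSSID seen in beacons.  authorised maps BSSID -> SSID.

    Verdicts: 'authorised'; 'evil_twin' (our SSID from an unknown BSSID);
    'rogue_on_wire' (unknown AP whose MAC neighbourhood appears on the switch);
    'neighbour' (unknown SSID, not on our wire).  on_wire is reported for all,
    using the BSSID-within-`span`-of-a-wired-MAC heuristic (an assumption).
    """
    our_ssids = set(authorised.values())
    wired = [_mac_int(m) for m in wired_macs]
    out: Dict[str, dict] = {}
    for f in frames:
        if f.subtype != "beacon" or f.src in out:
            continue
        on_wire = any(abs(_mac_int(f.src) - w) <= span for w in wired)
        if f.src in authorised:
            verdict = "authorised"
        elif f.ssid in our_ssids:
            verdict = "evil_twin"
        elif on_wire:
            verdict = "rogue_on_wire"
        else:
            verdict = "neighbour"
        out[f.src] = {"ssid": f.ssid, "security": f.security,
                      "on_wire": on_wire, "verdict": verdict}
    return out


def deauth_floods(frames: List[MgmtFrame], window: float = 10.0,
                  threshold: int = 20) -> Tuple[Set[str], Set[str]]:
    """Return (flooders, broadcasters): transmitters sending >= threshold deauth
    frames inside any `window` seconds, and transmitters deauthenticating the
    broadcast address (kicks every client at once; a real AP rarely does)."""
    times: Dict[str, List[float]] = defaultdict(list)
    broadcasters: Set[str] = set()
    for f in frames:
        if f.subtype != "deauth":
            continue
        times[f.src].append(f.ts)
        if f.dst == BROADCAST:
            broadcasters.add(f.src)
    flooders: Set[str] = set()
    for src, ts in times.items():
        ts.sort()
        j = 0
        for i, t in enumerate(ts):          # sliding window over sorted times
            while t - ts[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                flooders.add(src)
                break
    return flooders, broadcasters


def null_ssid_probers(frames: List[MgmtFrame]) -> Set[str]:
    """Stations sending probe requests with an empty (null) SSID."""
    return {f.src for f in frames if f.subtype == "probe_req" and f.ssid == ""}


# --- constructed capture (locally administered 02: MACs, no real devices) ----
AUTHORISED = {"02:00:00:0a:00:01": "Corp-WiFi"}           # BSSID -> SSID
WIRED_MACS = {"02:00:00:0a:00:00",                         # our AP's Ethernet port
              "02:00:00:0b:00:10"}                         # unknown box on a switch port
EVIL_TWIN = "02:00:00:0c:00:01"                            # open AP cloning our SSID
CAPTURE = [
    MgmtFrame(0.0, "beacon", "02:00:00:0a:00:01", BROADCAST, "Corp-WiFi", "WPA2-EAP"),
    MgmtFrame(0.1, "beacon", EVIL_TWIN, BROADCAST, "Corp-WiFi", "OPEN"),
    MgmtFrame(0.2, "beacon", "02:00:00:0b:00:11", BROADCAST, "Linksys", "OPEN"),
    MgmtFrame(0.3, "beacon", "02:00:00:0d:00:01", BROADCAST, "Cafe-Guest", "WPA2-PSK"),
    MgmtFrame(0.4, "probe_req", "02:00:00:0e:00:01", BROADCAST, "", ""),
]
# the attacker spoofs OUR BSSID as source and broadcasts 30 deauths in 3 s to
# push clients off the real AP and onto the evil twin
CAPTURE += [MgmtFrame(5.0 + 0.1 * i, "deauth", "02:00:00:0a:00:01", BROADCAST)
            for i in range(30)]

if __name__ == "__main__":
    for bssid, info in classify_aps(CAPTURE, AUTHORISED, WIRED_MACS).items():
        print(bssid, info)
    print("deauth floods / broadcast deauth:", deauth_floods(CAPTURE))
    print("null-SSID probers:", null_ssid_probers(CAPTURE))
```

Note that the deauth flood is attributed to the legitimate BSSID, because that is the address the attacker forges; the WIDS signal is the rate and the broadcast destination, not the source. An evil twin that is also on the wire would show `verdict == "evil_twin"` with `on_wire == True`, the worst combination, which is why the two facts are reported separately.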
Problem: Poor Business Application Performance
» Clients and applications on wireless networks compete with each other for shared bandwidth.
» 802.11e / Wireless Multimedia Extensions (WME) doesn't solve this, because business applications such as Remote Desktop, VNC, or WebEx are not prioritized differently from, say, YouTube on a neighbouring client.

Solution: Fortinet Application Control
» Application control uses Layer-7 inspection to ensure bandwidth guarantees for business-critical applications.
» Fortinet application control sensors: over 2,700 signatures, 16 categories
» Advanced IM and P2P control
» Application control, traffic shaping, SSL content inspection
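The slide's claim is that prioritisation has to key on the application, not on the 802.11 access category the client chooses for itself. The following is an added example, not Fortinet's signature engine, showing the smallest Layer-7 identification that works for HTTPS: read the server name out of the TLS ClientHello (visible in cleartext in TLS 1.2, and in TLS 1.3 unless Encrypted Client Hello is used), map it to an application and a shaping class, then allocate a link under strict priority. The hostname table, the priority classes and the ClientHello builder (used only to create offline test input) are constructed; a full SSL inspection engine sees far more than the server name, this sees only that.

```python
"""Layer-7 application identification from the TLS ClientHello SNI, plus the
strict-priority allocation a shaper would apply.  Added example, not Fortinet's
engine; the signature table and priority classes are constructed.
"""
import struct
from typing import Dict, List, Optional, Tuple

# constructed table: server-name suffix -> (application, shaping class)
APP_SIGNATURES: Dict[str, Tuple[str, str]] = {
    "webex.com": ("WebEx", "high"),
    "youtube.com": ("YouTube", "low"),
    "googlevideo.com": ("YouTube", "low"),
}


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record with one server_name extension (test input)."""
    name = server_name.encode("ascii")
    name_entry = struct.pack("!BH", 0, len(name)) + name           # host_name, type 0
    sni_ext = (struct.pack("!HH", 0x0000, len(name_entry) + 2)
               + struct.pack("!H", len(name_entry)) + name_entry)
    body = (b"\x03\x03" + bytes(32)                  # version, random (zeros: test only)
            + b"\x00"                                # session_id length
            + struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
            + b"\x01\x00"                            # compression: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None if absent/malformed."""
    try:
        if record[0] != 0x16:                         # not a TLS handshake record
            return None
        hs = record[5:]
        if hs[0] != 0x01:                             # not a ClientHello
            return None
        p = 4 + 2 + 32                                # handshake hdr, version, random
        p += 1 + hs[p]                                # session_id
        p += 2 + struct.unpack_from("!H", hs, p)[0]   # cipher_suites
        p += 1 + hs[p]                                # compression_methods
        if p + 2 > len(hs):
            return None                               # no extensions block at all
        end = p + 2 + struct.unpack_from("!H", hs, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", hs, p)
            p += 4
            if etype == 0x0000:                       # server_name extension
                ntype, nlen = struct.unpack_from("!BH", hs, p + 2)  # skip list length
                if ntype != 0 or p + 5 + nlen > len(hs):
                    return None
                return hs[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                   # truncated or garbage: no match
    return None


def classify_flow(record: bytes) -> Tuple[str, str, Optional[str]]:
    """(application, shaping class, server_name) for the first record of a TLS flow."""
    host = extract_sni(record)
    if host:
        for suffix, (app, cls) in APP_SIGNATURES.items():
            if host == suffix or host.endswith("." + suffix):
                return app, cls, host
    return "unknown", "default", host


def allocate(flows: List[Tuple[str, str, int]], link_kbps: int) -> Dict[str, int]:
    """Strict priority: 'high' flows are served first, then 'default', then 'low'
    shares what is left.  flows: (name, shaping class, demand_kbps)."""
    order = {"high": 0, "default": 1, "low": 2}
    left, alloc = link_kbps, {}
    for name, cls, demand in sorted(flows, key=lambda f: order[f[1]]):
        alloc[name] = min(demand, left)
        left -= alloc[name]
    return alloc


if __name__ == "__main__":
    flows = []
    for host, demand in (("meetings.webex.com", 4000), ("www.youtube.com", 8000)):
        app, cls, sni = classify_flow(build_client_hello(host))
        print(f"{sni} -> {app} ({cls})")
        flows.append((app, cls, demand))
    print(allocate(flows, link_kbps=10000))       # WebEx keeps its 4 Mbps
```

Without the Layer-7 step both flows would arrive in the same WMM best-effort queue and split the 10 Mbps roughly evenly; with it the meeting keeps its full demand and the video gets the remainder, which is the "bandwidth guarantee" the slide refers to.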
Remote Telecommuter / Road Warrior
» Automatic connection to headquarters
» Data is encrypted
» Multiple devices can share the Wi-Fi

BYOD: Device Identification and Policy
» Identification: device, user, application
» Policies
» Enforcement on device / user / application
Guest Access to the Secure Wireless LAN
Temporary user provisioning and access:
» Allow non-IT staff to create guest accounts via a web portal
» Assign a time quota
» Generate a temporary password
» Distribute guest credentials: print, e-mail, SMS
» Batch guest user creation option
Enables guest access to the secure WLAN via a captive portal.

Wi-Fi According to Fortinet
1. Secure Wi-Fi: security delivered by security experts; state-of-the-art wireless.
2. Unified management: wired and wireless.
3. Better security, including in BYOD scenarios.
4. Reduced costs: CAPEX and OPEX.
Q & A

Thank you
Backup Slides

Automatic Radio Resource Provisioning
Channel assignment (CH 1 / CH 6 / CH 11):
» Automatically assigns non-overlapping channels
» Selects channels with the least noise and interference
» Reduces chatter between APs
Auto TX power:
» Changes radio transmission power settings automatically

Automatic Radio Resource Provisioning: Interference Avoidance
» Microwave ovens, cordless phones, baby monitors, etc. all emit RF interference
» FortiAPs frequently sample the RF spectrum for sources of interference
» Change channel and TX power to avoid RF interference impacting the wireless LAN
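The two provisioning slides describe the decisions (pick a non-overlapping channel with the least co-channel interference and noise, then trim transmit power) without the procedure. The following is an added example, not Fortinet's algorithm: a greedy channel assignment over channels 1/6/11 driven by how loudly APs hear each other and by per-channel noise samples, followed by a power step that backs off one dB per dB the loudest co-channel neighbour is heard above a target. The AP names, RSSI readings, noise sample and power limits are constructed.

```python
"""Greedy non-overlapping channel selection and a TX-power step, the two
decisions an automatic radio resource provisioning pass makes.  Added example,
not Fortinet's algorithm; all readings below are constructed.
"""
from typing import Dict, List, Optional, Tuple

CHANNELS = (1, 6, 11)          # the non-overlapping 2.4 GHz set
FLOOR = -100.0                 # dBm: "nothing heard" on a channel


def _rssi(heard: Dict[Tuple[str, str], float], a: str, b: str) -> float:
    """Strength (dBm) at which AP a hears AP b; readings are stored once per pair."""
    return heard.get((a, b), heard.get((b, a), FLOOR))


def assign_channels(aps: List[str], heard: Dict[Tuple[str, str], float],
                    noise: Dict[Tuple[str, int], float]) -> Dict[str, int]:
    """Greedy: APs are placed in list order; each takes the channel on which the
    strongest co-channel AP or non-Wi-Fi noise it would hear is weakest.
    heard: {(ap, other): dBm}; noise: {(ap, channel): dBm} of sampled interference."""
    assignment: Dict[str, int] = {}
    for ap in aps:
        best: Optional[Tuple[float, int]] = None
        for ch in CHANNELS:
            worst = noise.get((ap, ch), FLOOR)
            for other, och in assignment.items():
                if och == ch:
                    worst = max(worst, _rssi(heard, ap, other))
            if best is None or worst < best[0]:
                best = (worst, ch)
        assignment[ap] = best[1]
    return assignment


def auto_tx_power(ap: str, assignment: Dict[str, int],
                  heard: Dict[Tuple[str, str], float], current_dbm: float,
                  target_dbm: float = -75.0, min_dbm: float = 5.0) -> float:
    """Back off one dB per dB that the loudest co-channel AP is heard above
    target_dbm (shrinks cell overlap); never below min_dbm, never above current."""
    loudest = max((_rssi(heard, ap, o) for o, och in assignment.items()
                   if o != ap and och == assignment[ap]), default=FLOOR)
    return max(min_dbm, current_dbm - max(0.0, loudest - target_dbm))


# constructed site: A, B, C hear each other strongly; D is on the far side
APS = ["AP-A", "AP-B", "AP-C", "AP-D"]
HEARD = {("AP-A", "AP-B"): -60.0, ("AP-A", "AP-C"): -60.0, ("AP-B", "AP-C"): -60.0,
         ("AP-D", "AP-A"): -70.0, ("AP-D", "AP-B"): -55.0, ("AP-D", "AP-C"): -45.0}
NOISE = {("AP-A", 1): -65.0}   # a microwave oven near AP-A pollutes channel 1

if __name__ == "__main__":
    plan = assign_channels(APS, HEARD, NOISE)
    print(plan)                                              # A and D share channel 6
    print({ap: auto_tx_power(ap, plan, HEARD, 17.0) for ap in APS})
```

AP-A avoids channel 1 because of the noise sample rather than because of another AP, and AP-D ends up sharing AP-A's channel since that is the weakest co-channel neighbour it can find; its power then drops by the 5 dB by which it hears AP-A above the target.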
Beamforming: FAP-221B / FAP-223B / FAP-320B
Radio beams add up at the client device to enhance the signal and the link rate.
[Diagram: baseband/MAC driving three TX/RX radio chains through T/R switches]

Wireless Mesh
» Dynamic multi-hop mesh with resiliency
» Point-to-point / multipoint bridging
Granular Visibility and Control: Applications

Guest User Management Portal
Live Captive Portal HTML Customization

Wireless AP Technical Specifications
FortiAP Devices and Capabilities

Part#      Radios          Antennas     Streams   Max data rate
FAP-320B   1 BGN + 1 AN    3 TX, 3 RX   3         900 Mbps
FAP-223B   1 BGN + 1 AN    2 TX, 2 RX   2         600 Mbps
FAP-221B   1 BGN + 1 AN    2 TX, 2 RX   2         600 Mbps
FAP-222B   1 BGN + 1 AN    2 TX, 2 RX   2         600 Mbps
FAP-210B   1 ABGN          2 TX, 2 RX   2         300 Mbps
FAP-112B   1 BGN           1 TX, 1 RX   1         150 Mbps
FAP-28C    1 BGN           1 TX, 1 RX   1         150 Mbps
FAP-14C    1 BGN           1 TX, 1 RX   1         150 Mbps
FAP-11C    1 BGN           1 TX, 1 RX   1         150 Mbps

Controller Scalability (update: now extended for remote APs)
Managed APs per FortiGate platform: v5.0, and v5.0.3 global as local + remote APs.

FortiGate model                 v5.0     v5.0.3 global (local + remote)
FG/FWF-20C Series               -
FG/FWF-40C Series               5        5 + 5
FG/FWF-60C Series               5        5 + 5
FG/FWF-80C Series               16       16 + 16
FG-110/111C, FG VM00            32       32 + 32
FG-100D                         32       32 + 32
FG-200B (POE)                   32       32 + 32
FG-310/311B, FG VM01            256      256 + 256
FG-300C / 300D                  256      256 + 256
FG-620/621B                     256      256 + 256
FG-600C                         256      256 + 256
FG-800C                         256      256 + 256
FG-1000C                        512      512 + 512
FG-1240B                        512      512 + 512
FG-3016B                        1,024    1,024 + 3,072
FG-3040B                        1,024    1,024 + 3,072
FG-3140B                        1,024    1,024 + 3,072
FG-3240C                        1,024    1,024 + 3,072
FG-3810A                        1,024    1,024 + 3,072
FG-3950/51B, FG VM08            1,024    1,024 + 3,072
FG-5001A-SW/DW                  1,024    1,024 + 3,072
FG-5001B                        1,024    1,024 + 3,072
FG-5101C                        1,024    1,024 + 3,072
FortiAP-221B
» Interface: 1 x GbE copper
» Target environment: indoor
» Simultaneous SSIDs: 16 (14 for client access, 2 for monitoring)
» Antennas: 4 internal
» Max transmission power: 17 dBm (50 mW)
» Radios: 2
» PoE support: 802.3af
» TX/RX streams (802.11n): 2x2 MIMO with dual spatial streams, 600 Mbps total

FortiAP-223B
» Interface: 1 x GbE copper
» Target environment: indoor
» Simultaneous SSIDs: 16 (14 for client access, 2 for monitoring)
» Antennas: 4 external
» Max transmission power: 17 dBm (50 mW)
» Radios: 2
» PoE support: 802.3af
» TX/RX streams (802.11n): 2x2 MIMO with dual spatial streams, 600 Mbps total
FortiAP-320B
» Interface: 2 x GbE copper
» Target environment: indoor
» Simultaneous SSIDs: 16 (14 for client access, 2 for monitoring)
» Antennas: 6 internal
» Max transmission power: 24 dBm (250 mW)
» Radios: 2
» PoE support: 802.3af / 802.3at
» TX/RX streams (802.11n): 3x3 MIMO with 3 spatial streams, 900 Mbps total

FortiAP-112B
» Interface: 2 x FE
» Target environment: indoor/outdoor
» Simultaneous SSIDs: 8 (7 for client access, 1 for monitoring)
» Antennas: 1 internal
» Max transmission power: 24 dBm (250 mW)
» Radios: 1
» PoE support: 802.3af
» TX/RX streams (802.11n): 1x1 MIMO, 65 Mbps
FortiAP-222B
» Interface: 1 x GbE
» Target environment: outdoor
» Simultaneous SSIDs: 16 (14 for client access, 1 for monitoring)
» Antennas: 4 internal
» Max transmission power: 27 dBm (500 mW)
» Radios: 2
» PoE support: 802.3at
» TX/RX streams (802.11n): 2x2 MIMO, 600 Mbps

FortiAP-28C
» Interface: 10 x GbE copper
» Target environment: indoor/remote
» Simultaneous SSIDs: 8 (7 for client access, 2 for monitoring)
» Antennas: 2 internal
» Max transmission power: 17 dBm (50 mW)
» Radios: 1
» PoE support: NA
» TX/RX streams (802.11n): 2x2 MIMO, 300 Mbps total
FortiAP-14C
» Interface: 5 x FE copper
» Target environment: indoor/remote
» Simultaneous SSIDs: 8 (7 for client access, 2 for monitoring)
» Antennas: 1 internal
» Max transmission power: 17 dBm (50 mW)
» Radios: 1
» PoE support: NA
» TX/RX streams (802.11n): 1x1 MIMO, 65 Mbps total

FortiAP-11C
» Interface: 2 x FE
» Target environment: indoor
» Simultaneous SSIDs: 8 (7 for client access, 1 for monitoring)
» Antennas: 1 internal
» Max transmission power: 17 dBm (50 mW)
» Radios: 1
» PoE support: 802.3af
» TX/RX streams (802.11n): 1x1 MIMO, 65 Mbps
FortiAP Antennas

FAN-612N/R
» Specification: 120-degree sector antenna; suitable for shopping centers, hallways, and courtyards
» Compatible AP type: FAP-222B / FAP-223B
» Accessories: mount kit sold separately (FAN-M22)

FAN-500N
» Specification: directional 12-degree point-to-point outdoor panel antenna; suitable for building-to-building bridging
» Compatible AP type: FAP-222B
» Accessories: includes two 120 cm cables with N connector; mount kit sold separately (FAN-22)

PoE Power Source Options

Device                  PoE ports
FortiGate-60C-POE       24
FortiGate-140D-POE      16
FortiGate-200B-POE      8
FortiSwitch-324-POE     24
FortiSwitch-124-POE     12
FortiSwitch-80-POE      4
GPI-115                 1
Sample of Fortinet's Wireless Customers
» Distributed enterprise / distributed retail
» Large enterprise
» Education
» Services / financial / healthcare / government
» Outdoor / mesh