Fortinet Ecosystem Overview
Short Description
Overview of Fortinet's End-to-End Security Ecosystem...
Description
Security for a New World Peter Smetny, Bill Park, Derek Holmes, Mike Bailey May 5th, 2016
© Copyright Fortinet Inc. All rights reserved.
Agenda
• Fortinet Overview
• Fortinet EcoSystem Overview
• Fortinet Advanced Threat Prevention
• Fortinet SDN Framework
• FortiGuard Threat Intelligence
• Questions
Fortinet Facts
• Founded: 2000
• IPO: 2009
• HQ: Sunnyvale, CA
• 100+ offices worldwide
• Over 2 million devices shipped
• #1 unit share worldwide in Network Security (IDC)
• $1.17B cash
• 40% growth
• 3,900+ employees
• Market leading technology
• 255,000+ customers
• 257 patents, 228 pending
• 280+ 0-days discovered
SECURITY HAS CHANGED
• 3.2 billion Internet users
• 10,000x increase in cyber threats
• 1.3 billion smartphones shipped worldwide
• 3 billion new devices per year through 2020
• Public cloud market is estimated to reach $191 billion
TODAY’S STANDARD APPROACHES NO LONGER WORK
• TOO MUCH FOCUS ON COMPLIANCE: Enterprises spend too much on checking boxes down a list.
• TOO RISK BASED: Taking a reactive approach only addresses known threats, not the new unknowns.
• TOO MANY POINT SOLUTIONS: Too many different security vendors whose products do not communicate with one another.
SECURITY FOR A NEW WORLD IS SECURITY WITHOUT COMPROMISE
Advanced Security
Network Performance
Our customers can have both
Security Without Compromise Seamless Security Across the Entire Attack Surface
FortiGuard Threat Intelligence & Services
Client Security
Secure Access
Network Security
Application Security
Cloud Security
FortiGate
SEAMLESS Consistent threat posture end-to-end, across the expanding attack surface
INTELLIGENT Threat intelligence and advanced threat protection from the inside out for full visibility and control
POWERFUL Unrivaled network performance for today – and the power to take on the future
Global Intelligence & Control
FortiGuard Labs
Global Threat Intelligence
200+ Full Visibility Single Pane of Glass
FortiGuard Services
FortiGuard Sensors
2M+
Broad Complementary Solution Portfolio: Further Simplify Your Network
Product List
• FortiADC: Application Delivery Controller
• FortiAnalyzer: Log Analysis
• FortiAP: Secure Wireless
• FortiAuthenticator: Authentication
• FortiCamera: IP Video Security
• FortiClient: Endpoint Security
• FortiCloud: Cloud Logging and Provisioning
• FortiDB: Database Security
• FortiDDoS: DDoS Protection
• FortiExtender: Cellular LTE Extension
• FortiGate: Core Firewall Platform
• FortiMail: Email Security
• FortiManager: Centralized Management
• FortiSandbox: Advanced Threat Protection
• FortiSwitch: Access & Data Switching
• FortiToken: 2FA Token
• FortiVoice: IP PBX Phone Systems
• FortiWeb: Web Application Firewall
• FortiWiFi: UTM with Wireless Access
• More…
[Deployment diagram: the products above placed across Data Center, Campus, Branch Office and Cloud, with FortiGate shown as DCFW, NGFW, Internal NGFW and Next Gen IPS, and FortiGate VMX as SDN virtual firewall.]
Solution-Based Ecosystem Enterprise Firewall
ENTERPRISE NextGen FIREWALL
CONNECTED UTM
Application & Access Security
ATP FRAMEWORK
CLOUD SECURITY
Data Center SECURITY
SECURE ACCESS ARCHITECTURE
Security Research & Services
Reputation
App Control
Antivirus
Anti-Botnet
IPS
Web App
Mobile Security
Web Filtering
Anti-spam
ENTERPRISE FIREWALL
5.4
FortiASIC
FortiGuard
FortiAuthenticator
FortiOS
Physical
IPS
Virtual
SWG
FortiManager Cloud
VFW
Rugged
FortiAnalyzer
SDN
FortiGate
CONNECTED UTM (Branch)
5.4
FortiASIC
FortiGuard
FortiManager
FortiPrivateCloud
FortiCloud
FortiSwitch
FortiAP
FortiClient
FortiVoice
FortiMail
FortiOS
FortiWiFi
Physical
FortiExtender
FortiWAN
Cloud
FortiGate
FORTIGATE UTM, HIGH-END DATA CENTER FIREWALLS AND NEXT-GENERATION SECURITY APPLIANCES
FortiGate 50-900 SERIES: UNIFIED THREAT MANAGEMENT
FortiGate 1000-2000 SERIES: Data Center Firewall and Next-Generation Security
FortiGate 3000-6000 SERIES: High Performance Data Center Firewall & Next-Gen. Security
• Multiple form-factors and port options including wifi, PoE & rugged for varied options.
• Ultra-high 1/10 GE port density enables broad connectivity and visibility closer to assets.
• High-speed 40/100 GE ports provide future-proofing for next-generation network fabrics.
• Manages wireless APs, switches & 4G LTE wireless WAN extenders directly.
• Multi-gigabit throughput (up to 80 Gbps) inspects traffic while keeping up with higher internal network speeds.
• Up to Terabit throughputs (1 Tbps+) inspects traffic while keeping up with higher internal network speeds.
• ASIC-based Optimal Path Processing (OPP) ensures high-security and high-performance
• FortiOS 5.4 provides feature rich Networking, Security and Management functions
• IPv6 hardware acceleration provides IPv4-to-IPv6 performance parity.
• Extensible management platform enables automation and orchestration with cloud management and SDN controllers.
• Features also include compact, power-efficient appliance form factors.
• Ensures continuous protection from the latest threats with dynamic updates from FortiGuard Labs.
• Simplifies config and troubleshooting via single-pane-of-glass management.
SECURITY MANAGEMENT
FortiManager: CENTRALIZED DEVICE MANAGEMENT
FortiAnalyzer: CENTRALIZED LOGGING AND REPORTING
FortiMoM: HYPERSCALED SECURITY ENTERPRISE MANAGEMENT
• Combines analytics, reporting and logging functions.
• Delivers high-performance log rates for large enterprises/MSSPs.
• Supports a high number of managed devices (up to 10,000).
• Optimizes policy pushes for large enterprises/MSPs.
• Multiple concurrency and locking options.
• Manages the security policy approvals process with Workflow Mode.
• Full API support for orchestration integration, as well as scripting support using CLI or TCL.
• Ability to control multiple FortiManagers / FortiAnalyzers for mass scale security operations.
• Provides interoperability with third-party devices using Syslog.
• Enables forensics for post-breach discovery and future risk prevention.
• Immediate visibility into problematic devices or current management tasks in progress.
• Offers more application, user and Web insights with new report templates.
• Holistic view of objects (devices, policy packages, domains, etc.) residing on disparate systems.
• Enables migration and instantaneous provisioning of devices/domains to any management system.
• Provides Forensics with central Fortiviews.
• Fully customizable using SQL queries, charts and macros
FIREWALL CONVERSION
FortiConverter: CONFIGURATION AND MIGRATION TOOL
• Provides a single tool for multiple installations allowing for cross vendor installation conversion.
• Supports automated configuration conversion.
• Significantly reduces the possibility of human error in the conversion process.
• Identifies and eliminates errors in existing configurations.
DATA CENTER SECURITY
Virtual
Physical
FortiGuard (IP Rep, WAF, AV)
Virtual
Physical
FortiADC
Virtual
Physical
FortiWeb
Physical
Physical
FortiMail
FortiDB
FortiDDoS
APPLICATION SECURITY AND DELIVERY PRODUCTS
FortiWeb: WEB APPLICATION FIREWALLS
FortiADC: APPLICATION DELIVERY CONTROLLERS
FortiDDoS: DDOS ATTACK MITIGATION APPLIANCES
• Protect custom and commercial applications with automatic usage profiling and anomaly scanning.
• Scale applications with Server Load Balancing.
• Detect DDoS attacks faster with 100% ASIC-based DDoS detection and mitigation.
• Improve secure application/server performance with SSL Offloading / Acceleration.
• Protect against zero-day threats with 100% behavior-based detection.
• Get complete DDoS protection with 100% traffic inspection.
• Delivers the lowest false positive detection rate with Continuous Attack Reevaluation.
• Meet PCI Compliance (5.5 and 6.6) with behavior-based attack detection and mitigation.
• Identify Web application security weaknesses with vulnerability scanning.
• Publish websites with Single Sign On/Authentication.
• Reduce bandwidth needs with HTTP Compression.
• Provide disaster recovery that spans multiple data centers with included Global Server Load Balancing.
FortiWeb – Web Application Firewall
Protects web-based applications from code-based attacks
» SQL Injection or other injection types
» Cross Site Scripting and Request Forgery
» Layer 7 DoS/DDoS attacks
» Cookie poisoning
Protects against application vulnerabilities in custom code and commercial platforms
Understands/learns “normal” behaviors and stops anomalies
» URL parameters, HTTP methods, session IDs, cookies, etc.
Dynamic and adaptive to adjust to new threats
FortiASIC = High performance and low TCO compared to competition
[Diagram labels: INTERNET (SQL Injection, XSS, Defacement…), FortiWeb WAF, Web Application Servers]
Can’t a Firewall or IPS do this?
• Firewalls look for network-based attacks
• IPS signatures detect only known problems
• A firewall has no understanding of the application (fields, flow, etc.)
• FortiWeb has a rich feature set for web-related functions:
» Vulnerability Scanner (with 3rd party support)
» Robust Load-Balancing
» Authentication, Site Publishing, SSO
» Out-of-Box profiles for common apps – Sharepoint, Drupal, OWA, Wordpress
FortiWeb – Web Application Firewalls
• 5 models from 25 Mbps to 20 Gbps HTTP throughput
• Automatic behavior-based scanning
• Auto setup/learning mode
• 4 Virtual Models for virtual and cloud deployments (AWS, Azure)
• Layer 7 DDoS protection
• Up to 8x GE and models with 4x 10GE SFP+ ports
• FortiGuard antivirus, IP reputation and signatures
• Included vulnerability scanning and antivirus
• Hardware and VM options
• FortiGate and FortiSandbox Integration
• Transparent, reverse and non-inline deployment options
• Central Management/ADOMs
• REST API
• Virtual Patching/3rd Party support
• Advanced False Positive Mitigation
• Advanced real-time reporting
• SSL offloading/compression
• SSO/Authentication
• Layer 7 load balancing
• User Threat Scoring & auto-quarantine
Fastest Web Application Firewall in the Industry
FortiWeb Protection at all Layers
Protection layer: ATTACKS/THREATS
• IP REPUTATION: BOTNETS, MALICIOUS HOSTS, ANONYMOUS PROXIES, DDOS SOURCES
• DDOS PROTECTION: APPLICATION LEVEL DDOS ATTACKS
• PROTOCOL VALIDATION: IMPROPER HTTP RFC
• ATTACK SIGNATURES: KNOWN APPLICATION ATTACK TYPES
• ANTIVIRUS/DLP: VIRUSES, MALWARE, LOSS OF DATA
• INTEGRATION: FORTIGATE AND FORTISANDBOX APT DETECTION
• ADVANCED PROTECTION: SCANNERS, CRAWLERS, SCRAPERS
• BEHAVIORAL VALIDATION: UNKNOWN APPLICATION ATTACKS
• CORRELATION
Protected target: APPLICATION
FortiWeb Recommended by NSS Labs
Test Categories
» Security: URL parameter manipulation, form/hidden field manipulation, cookie/session poisoning, cross-site scripting, directory traversal, SQL injection and padding oracle attacks
» Evasions: packet fragmentation reassembly, stream segmentation, URL obfuscation
» Performance: stability, reliability and connections per second
Fortinet FortiWeb-1000D earned a Recommended rating
• Strong performance with 99.85% block rate and 15,865 connections/second
• Passed all tests for evasion techniques and for stability and reliability
• 0.366% false positive detection rate
SVM Published on September 30, 2014
DATA CENTER SECURITY
5.4
FortiASIC
Physical
FortiGuard
Virtual
FortiOS
Physical
FortiAnalyzer
Virtual
FortiManager
VMX
FortiCore
FortiGate VMX
Physical
Virtual
FortiGate
CLOUD SECURITY
5.4
FortiGuard
Cloud
Virtual
FortiOS
Cloud
Virtual
FortiAnalyzer
FortiManager
FortiSandbox
FortiWeb
Cloud
Virtual
FortiGate
ADVANCED THREAT PROTECTION FRAMEWORK
5.4
FortiGuard
FortiOS
FortiClient
FortiManager
FortiWeb
FortiAnalyzer
FortiMail
FortiMonitor
FortiSandbox FortiGate
Virtual Physical
Cloud
A Picture of the ATP Framework in Action FortiClient
Unknown URL and file submission to FortiSandbox
FortiSandbox
Bit9
EPP lockdown in case of infection, from the NGFW FortiView FortiSandbox
Internet FortiMail FortiGateNGFW
Known threats on web/messaging traffic blocked on the NGFW, WAF and SEG.
FortiSandbox to deliver URL and AV DB updates for malicious or suspicious detection. FortiWeb
ATP Integration
Status Summary on dashboard
FortiView FortiSandbox viewer By Source (with Threat Scoring) , by File
Analysis report via FortiView Drill-in
Detailed Status Report Signatures, URL lists
FortiGate - FortiSandbox Integration Status Reporting, Signatures, URLs
ICSA Labs Advanced Threat Defense – Report-at-a-Glance Fortinet, Inc.
Advanced Threat Protection Framework
Executive Summary
• Run by ICSA Labs for 33 days, with close to 600 runs.
• Periodic launch of innocuous apps and constant validation of logs and alerts.
• Fortinet ATP framework obtained great results.
Test Length: 33 days
Malicious Samples: 279
Innocuous Apps: 318
Test Runs: 597
% Detected: 99.6%
% False Positives: 1.6%
Fig1 – High Detection Effectiveness & Few False Positives
ICSA Labs Advanced Threat Defense
Certified Test Period: Q1 2016 Certified Since: 12 / 2015
ATD-FORTINET-2016-0330-01
Fig. 2 – Detected 278 of 279 New & Little-Known Malicious Samples
Fig. 3 – Few Alerts on Innocuous Applications
Sandboxing - Integrated vs. Standalone Sample Stand Alone FireEye Sandboxing- Conceptual Level 30 Dedicated Sandbox Appliances, $5.7m Mobile Users
Internet
Satellite Offices
Branch Offices
Customers and Partners
FireEye (NX900)
FireEye (EX8400)
FireEye (NX2400) FireEye (CM9400)
FireEye (AX5400)
FireEye (NX4400)
Main Offices
FireEye (NX10000)
FireEye (FX8400)
Datacenters
FireEye (CM9400)
FireEye (AX5400)
Enterprise-Wide ? Firewalls- $?m 30 Sandboxes- $5.7m
Sandboxing - Integrated vs. Standalone Sample Integrated Fortinet NGFW + ATP Full Coverage Detail 44 NGFWs, $3.2m + 12 Sandboxes, $1.5M Satellite Offices
Mobile Users
Internet
Next Generation Firewall (NGFW)
Customers and Partners
Branch Offices
Web Application Firewalls Perimeter Firewalls
Secure Mail Gateways
Advanced Threat Protection (ATP)
NGFW & ATP (Opt.)
Core Firewalls
Main Offices
NGFW & ATP (opt.)
Datacenters
Remote Access Firewalls
Partner Access Firewalls
Authentication, Management & Reporting
Enterprise-Wide 4.7M NGFW+ATP
SECURE ACCESS ARCHITECTURE
FortiPresence
FortiAuthenticator
FortiManager
FortiWLM
FortiClient
FortiWiFi
N
FortiWLC
FortiGate Controller
FortiSwitch (POE)
FortiAP
Infrastructure
Infrastructure WLAN solution to provide scale and flexibility
Why Infrastructure?
• Mobile: Fit for highly mobile and scalable deployments where low latency and roaming support matter
• Channel Flexibility: Channel planning flexibility to shorten site survey and deployment times
• Stand-alone: Able to separate access infrastructure purchase decision from security purchase
Mobility / Roaming / Scale
• Supports highly mobile environments
• Lowest latencies for video and voice traffic
• “Network in control” optimizes access
Channel Planning Flexibility
• Reduce site survey planning
• Reduce deployment times
Stand-alone Flexibility
• Security and access unbundled
• Ability to pick and choose best options
[Diagram labels: Security, WLAN Management]
Integrated
Integrated WLAN solution to provide security and wireless control in one box
Why Integrated?
• Integrated: Industry’s most integrated secure access offering
• Unified Management: Single pane of glass to manage both security and access
• Scalable: Scalable to support enterprises of all different sizes
Fully Security Integrated
• Full integration of FortiGuard and FortiOS threat intelligence and security
• Includes Wireless Security: WIDS, Rogues
Single Pane Management/Reporting
• Integrates into FMG & FAZ
• Can be managed directly for FGT
• Leverage central authentication & identity management
Sizing Scalability
• From 5 APs to 10K APs
• Management options (bridge, tunnel)
[Diagram labels: Central Location, Security, Access Control, FortiCloud, Remote, Branch Office]
Integrated Wireless Deployment Diagram Security
FortiGate NGFW/UTM
WLAN Controller
Access Points
Wireless Plane
FortiSwitch POE Access Points
Data Control Management
Cloud
Cloud WLAN solution to provide simplified management
Why Cloud?
• Secure: Industry’s only UTM + AP solution
• Cloud: Roll out remote sites in minutes - not hours and days
• Controller-less: Wi-Fi without the complexity of on premise controllers
[Diagram labels: Cloud Management, Fortinet UTM Built-In, Controller-less]
Agenda
• Fortinet Overview
• Fortinet EcoSystem Overview
• Fortinet Central Management
• Fortinet SDN Framework
• FortiGuard Threat Intelligence
• Questions
Single Pane-of-Glass Management Consistent Policies and Posture Across the Hybrid Cloud Management & Policy
Logging & Analysis
SaaS-Based Portal
Centralized Management and Policy
Public Cloud
Physical Networks
Virtualization VM VM VM VM VMware
Core Management Products
Fortinet Security Management Lineup
• FortiAnalyzer: Aggregated logging, event management, reporting and analytics
• FortiMonitor: Unified risk management, big data logging and event correlation
• FortiManager: Centralized management of security policies, firmware and content updates
• FortiMoM: Hyperscale security management (manager of managers) for FMG/FAZ
• FortiCloud: Subscription-based provisioning, management & analytics in the cloud
• FortiDeploy: Cloud-based device provisioning and bootstrapping from the cloud
• FortiPrivateCloud: Cloud-based security management that MSSPs can whitelabel for their clientele
• Fortinet Developer Network: Subscription-based web portal for developers using management APIs
FortiManager Enterprise central management
Key Features of FortiManager
• Centralized management / Configuration revision control and tracking
• Firmware management / local FortiGuard service provisioning
• Administrative domains & Global Policies
• Scripting & APIs for integration with external tools
• Logging and reporting / Alert management
FortiManager Features
Traditional “FortiManager” Functions
ADOM & Notifications Menu
Traditional “FortiAnalyzer” Functions
FortiManager Device Manager
Total Devices
Device Connections
Device Config Changes
Policy Package Changes
FortiAnalyzer Overview FortiAnalyzer is an integrated network logging, analysis, alerting and reporting platform
FortiMail FortiCarrier
FortiWeb
FortiGate
FortiCache
FortiSandbox FortiClient
Syslog
Key Features of FortiAnalyzer
• Device Logs Aggregation and Management
• Security Log Analysis / Forensics
• Breach Detection & Network Analysis
• Content Archiving / Quarantine
• Alerts Management
• Admin Partitions (ADOMS)
• Graphical Reporting
FortiAnalyzer – Drill-Down Dashboards
Drillable Views
• Threat Map
• Top Countries
• Policy Hits
• Top Browsing Users
• Authorized APs
• Authorized SSIDs
• WiFi Clients
• Storage Statistics
• Failed Auth Attempts
• All Endpoints
• Etc.
FortiAnalyzer – Drill-Down Analytics
FortiAnalyzer – Event Management
FortiAnalyzer – Threat Detection Service
FortiAnalyzer has historically relied on the ratings and static, point-in-time FortiGuard analytics from the FortiGate devices to generate FortiView and Reports. Breach detection brings fresh correlation and IOC (indicator of compromise) data daily to the FortiAnalyzer itself, and allows it to re-analyze webfilter logs and real-time events, applying today’s new FortiGuard intelligence to understand yesterday’s events.
FortiAnalyzer – Threat Detection Service Real-Time and Retroactive Log Correlation
New Menu Item “Breach Detection” in FortiView Threats Section!
FortiAnalyzer – Threat Detection Service Real-Time and Retroactive Log Correlation
What is FortiAnalyzer Breach Detection?
• Threat Analytics/Intelligence from FortiGuard Labs Threat Detection Service
• FortiGate detects and logs threats using FortiGuard services as usual (point-in-time log creation)
• FortiAnalyzer will do further analytics and correlation against WebFilter logs using new Threat Detection data and present the info in FortiView for up to 7 days prior.
• Breach Detection Comprehensive Reports may be generated for earlier time periods
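Added illustration of the retroactive correlation idea described above; this is not Fortinet code and does not use a real FortiGate/FortiAnalyzer log schema. The log records, field names, indicator feed and domains are constructed for the example, and the 7-day window is the one the slide states.

```python
"""Retroactive IOC correlation over web-filter logs (added illustration)."""
from collections import defaultdict
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=7)  # window the slide gives for FortiView results

# Constructed sample data: field names and values are hypothetical.
WEBFILTER_LOGS = [
    {"time": "2016-04-25T08:00:00", "src": "10.0.0.15",
     "host": "cdn.bad-example.test", "action": "passthrough"},
    {"time": "2016-05-01T09:12:00", "src": "10.0.0.15",
     "host": "cdn.bad-example.test", "action": "passthrough"},
    {"time": "2016-05-02T14:30:00", "src": "10.0.0.22",
     "host": "www.example.org", "action": "passthrough"},
    {"time": "2016-05-03T23:05:00", "src": "10.0.0.15",
     "host": "a.cdn.bad-example.test", "action": "passthrough"},
    {"time": "2016-05-04T11:00:00", "src": "10.0.0.31",
     "host": "dropper.example.test", "action": "blocked"},
]

# Indicator feed as of "today"; 'added' is when the indicator became known.
IOC_FEED = {
    "cdn.bad-example.test": {"added": "2016-05-04T00:00:00", "threat": "botnet-c2"},
    "dropper.example.test": {"added": "2016-04-20T00:00:00", "threat": "malware-download"},
}


def match_indicator(host, feed):
    """Return the indicator matching host exactly or as a parent domain."""
    labels = host.lower().rstrip(".").split(".")
    # Stop before the bare top-level label so "test" alone never matches.
    for i in range(max(1, len(labels) - 1)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None


def retro_correlate(logs, feed, now):
    """Re-check requests logged inside the lookback window against today's feed.

    A hit is 'retroactive' when the request was logged before the indicator
    existed, so the point-in-time rating could not have flagged it.
    """
    findings = []
    for rec in logs:
        when = datetime.fromisoformat(rec["time"])
        if not (now - LOOKBACK <= when <= now):
            continue  # outside the window shown in the dashboard
        ioc = match_indicator(rec["host"], feed)
        if ioc is None:
            continue
        added = datetime.fromisoformat(feed[ioc]["added"])
        findings.append({
            "src": rec["src"], "host": rec["host"], "time": rec["time"],
            "indicator": ioc, "threat": feed[ioc]["threat"],
            "retroactive": when < added,
            "was_allowed": rec["action"] != "blocked",
        })
    return findings


def suspected_hosts(findings):
    """Count, per source address, the allowed requests that hit an indicator."""
    counts = defaultdict(int)
    for f in findings:
        if f["was_allowed"]:
            counts[f["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = retro_correlate(WEBFILTER_LOGS, IOC_FEED, datetime(2016, 5, 5, 12, 0, 0))
    for h in hits:
        print(h)
    print("suspected hosts:", suspected_hosts(hits))
```

The two requests from 10.0.0.15 were allowed when logged because the indicator did not yet exist; only the re-analysis surfaces them, which is the gap between point-in-time ratings and retroactive correlation.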
Scalable Architecture Options FortiAnalyzer (Analyzer Mode) FortiAnalyzers (Collector Mode)
Analytics Logs DATA & COMPLIANCE POLICY
90 DAYS
SIEM
(Compressed 8:1)
(SQL Insertion)
FortiGates, etc.
Archived Logs
FortiAnalyzer (Fetch Client)
365 DAYS
Scaling beyond single FortiManager: FortiMoM
What is it?
• A Manager of Managers (MoM)
• Horizontally scalable architecture
• Hierarchical add-on to existing Fortinet Products
• Multi “Forti-” product management console
FortiManager
FortiAnalyzer
FortiDDoS
FortiWeb
FortiMail
FortiMoM
FortiMoM Features
• Manager of Managers
• Central policy editor and objects DB
• Domain (ADOMS) Manager – ADOM Grouping, Clone, Migrate
• Manages multiple products
Services
Objects
Domains
FortiManager 1
FortiManager 2
Policies
FortiAnalyzer 1
FMGR
FAZ
FDOS
FWEB
FMAIL
Fortinet Solutions for Software-Defined Network Security FortiGate VM FortiGate Cloud VDOM
FortiGate VMX (NSX) Cisco ACI Connector OpenStack Connector FortiCore Control Plane
Data Plane
FortiManager FortiAnalyzer Splunk Connector
Mgmt API’s
Mgmt Plane
SDNS Framework Platform Orchestration & Automation
Network Data Plane Function Virtualization
Control Plane On-Demand
Self-Service
Single Pane-of-Glass Management
Management SaaS Plane Multi-Tenancy
XML
Platform Extensibility
Virtual Appliances/ Services
JSON Other Interfaces
CLI/ Scripting
Service Delivery Extensions Service Delivery Extensions
Logging/ Event
VNF Support NFV MANO Integration
Utility Pricing AWS & Azure Marketplace Integration
FortiCloud FortiPrivateCloud
Cloud/SDN Ecosystem
SDN Controllers Orchestration Platforms Programmable Switches Cloud Management Centralized Policy & Analytics
Software-Defined Network Security Partner Ecosystem
ORCHESTRATION PLATFORMS
Platform Extensibility
Software-Defined Security Framework
SDN / NETWORK VIRTUALIZATION CONTROLLERS
API’s PROGRAMMABLE SWITCHING
CENTRALIZED POLICY & ANALYTICS
Platform Orchestration & Automation Agility Through Control Plane Integration VM
VM
VM
Control Plane Orchestration Network Visibility
VMware
Elastic provisioning Distributed
NSX
Object-based policy
Control Plane Fortinet Service VM
ACI Benefits
Auto-Scaling Firewall & Rule Provisioning
SDN Flow Visibility (dynamic flow control, overlay/ underlay traffic)
Dynamic Policies (follow logical port, IP, MAC)
FortiGate-VMX Solution Interaction / Workflow
1. Register Fortinet as security service with NSX Manager
2. Auto-deploy FortiGate-VMX to all hosts in security cluster
3. FortiGate-VMX connects with FortiGate-VMX Service Manager
4. License verification and configuration synchronization with FortiGate-VMX
5. Redirection policy rules updated for enablement of FortiGate-VMX security service
6. Real-time updates of object database
7. Policy synchronization to all FortiGate-VMX deployed in cluster
[Diagram labels: FortiGate-VMX Service Manager, vDistributed Switch, VMware Kernel]
FGT-VMX and VMWARE NSX Filter Driver Interaction 1
Define NGFW Firewall Policies
FortiGate-VMX Service Manager
FGT-VMX 2
Packet Flow NetX NSX Filter Driver dvSwitch VMware Kernel
int ext
1. From VM to NSX Filter Driver
2. NSX Filter Driver forwards to third-party solution (FGT-VMX)
3. FGT-VMX applies security and sends packet back to NSX Filter Driver
4. NSX Filter Driver can do service chaining or send packet to destination
Leverages TSO for High Throughput
Integrated FortiGate Solution for Cisco ACI Fortinet SDN Security
Cisco ACI
FortiGate Physical or Virtual Appliances FortiGate Connector for Cisco ACI
Nexus 9000 Leaf/Spine Switches APIC Controller
Spine nodes APIC
VM
Internal
External
NET-b
NET-a
Leaf nodes
VM
VM
Cisco ACI Integration Details
ACI enables third-party L4-L7 service insertion
» “Application Centric Infrastructure” - Endpoint/Workload-centric policy
FortiGate Connector for Cisco ACI enables Fortinet orchestration in APIC console
» FortiGate device package contains XML metadata describing Fortinet’s device and security services
» Administrator assigns Fortinet security policies to traffic (“Contracts”) between applications (Endpoint Groups)
Use Cases
» Auto-provisioning workload security
» Micro-segmentation
» Secure multi-tenancy
» Tenant function segmentation
FortiCore – SDN Security Platform
Scaling NSFs to meet architecture
• Transparent link transection
• Leaf-Spine
Pipeline Security
• FortiGuard security intelligence
• Augments partner/open SDN/NFV architectures
High Flow-Capacitance for Security Enabled SDN
• >1 Tbps switch fabric
• ~200K Flows – REGX (Single-Table)
• ~2M Flows – EXACT MATCH (Multi-Table)
• vs Trident 2+ = 32K flows
Hypervisor
Hypervisor
Agenda
• Fortinet Overview
• Fortinet EcoSystem Overview
• Fortinet Advanced Threat Prevention
• Fortinet SDN Framework
• Questions