Fortinet @ Data Connectors
Securing the Elastic Data Centre
Rafi Wanounou – Systems Engineering Manager
rwanounou@fortinet.com +1.416.907.2096

Agenda
• Fortinet Introduction
• Threats to the Data Centre
• APTs
• BYOD
• Virtual Workloads; Clouds; Commodity Clouds
• NGFW – Apps and more Apps…
• Just a little bragging; Q&A
Fortinet Corporate Overview
• Market Leader
  • UTM - Fast-growth security segment
  • Advanced technology and products
  • 95+ patents; 115+ pending
• Strong global footprint
  • 1,900+ employees; 30 offices worldwide
• Blue chip customer base
  • 100,000 customers (incl. majority of Global 100)
• Exceptional financial model
  • FY12 revenues: $534M (24% YoY growth)
  • Q412 revenues: $155M (25% YoY growth)
  • Strong balance sheet: $650M+ in cash; no debt
  • IPO - November 2009
[Chart: FORTINET REVENUE ($MM), 2003–2011, 48% CAGR; bars read $13, $39, $80, $123, $155, $212, $252, $325, $434]
Threats to the Data Centre
• APTs and other sophisticated multi-faceted attacks against applications. Targeted precision strikes – adversaries with customized weapons.
• Virtual workloads in motion
• Unmanaged devices with corporate information present
• The application explosion and what to do with them all??
APTs – So-Called Advanced Persistent Threats
• Adversaries with specific goals and objectives.
• Custom payloads and weapons designed for a targeted strike.
• Can enter via any medium: email, web, unmanaged device, USB key (Stuxnet).
• Adversaries have a well-established target and map of the datacentre.
• Traditional tools such as desktop AV are becoming of less and less value.
• Advanced recon is being performed to evade victim-specific defenses.
APTs – So-Called Advanced Persistent Threats
Misconception #1
• More Signatures = Higher Protection
• Reality:
  • # Sigs actually decreasing through consolidation
  • VB RAP Score > 90%
  • 1 sig / multiple variants
APTs – So-Called Advanced Persistent Threats
Misconception #2
• Antivirus Engines are just Pattern Matching
• Reality:
  • Fortinet AVEN is highly intelligent, does local ‘Sandbox’
  • Dynamic decryption & execution environment
  • Example: Botnet server zombie downloads
  • After decrypt: CPRL matching + behavior analysis
APTs – So-Called Advanced Persistent Threats
Misconception #3
• Sandboxing is the answer to APT
• Reality:
  • Malware is VM environment aware -- “VM Evasion”
  • FortiGate AVEN does not use regular VM hooks
  • Even when effective at identifying malware, the technique still relies on regular pattern-matching signatures.
  • DEAD DATA! – No Feedback Loop!!!!
The Value of FortiGuard
FortiGuard Analytics Harness the Cloud
• Suspicious samples sent to cloud
• Then sandboxed in cloud
• Results are correlated
  • All FortiGuard services
  • Including AV
• Updates then soon available
APTs – So-Called Advanced Persistent Threats
• New “APT Focused” products are point solutions that are costly and only focus on common ingress points.
• Fortinet offers complete APT solutions on branch appliances – the only vendor to do this today.
• The only Tier 1 vendor to provide a complete layered defense in all of our devices.
BYOD
• Unmanaged devices rampant in enterprises.
• Recently a large Fortinet customer in Toronto discovered over 75 Mac Minis, 50 Xboxes, and 100 Magic Jacks in their network (most hidden in locked drawers).
• MDM a failing technology – you do not have root access to an Android or Apple device.
• Users at all levels putting pressure on IT to support personal devices.
• Becoming a human resource issue – people refusing to work if access is unavailable for personal devices.
BYOD Enablement through Network Security
• Emily, a customer, needs guest access to Skype on her iPad while visiting your headquarters.
  WiFi Guest Access; Bandwidth Management
• Bill’s device is infected with malware and he brings it on the corporate network.
  Antivirus
• Jill is at Starbucks and needs to communicate and be protected as if she was at HQ.
  2-Factor Authentication; VPN Tunneling
BYOD Enablement through Network Security
• Sue is in corporate marketing and should have access to post non-sensitive information to Facebook, but she should not be playing Farmville.
  Application Control; Data Leakage Prevention
• Joe started streaming movies while at work through his tablet – this is against corporate policy.
  Application Control
• Ed unintentionally shared a sensitive company presentation via his personal Gmail account on his Android Phone.
  Data Leakage Prevention
Protecting ALL BYOD Attack Vectors
• Email sent – contains sensitive data
  → Mail message detected as Data Loss (DLP)
• User accesses phishing site, enters credentials
  → Access to phishing website is blocked
• Phishing site sends Bot infection to user disguised as ‘Security Update’ application
  → Content scanning prevents download
• End user executes malware, is infected and now all their data is compromised
  → Malicious activity is detected and blocked
Virtual Workloads; Clouds; Commodity Clouds
Wow how things have changed in the past 12 months!
1. Traditional private cloud – Most common use of cloud and virtualization; numbers don’t lie – consolidation is king to driving down costs.
2. Public Cloud – Services 100% hosted and managed in the cloud; Salesforce.com, Cloudflare, Incapsula, etc.
3. Public/Private clouds where certain portions may be controlled by a third party. Includes traditional managed services like MS Exchange, web and email hosting.
4. Virtual Private Clouds – Virtual slices of service are delivered and managed over a private VPN connection, i.e. Amazon S3, Rackspace Cloud, Bell, Telus clouds. Now includes voice services like SIP – traditional voice lines dying a slow death.
5. Directly Connected Clouds – Enterprises directly connected to virtual clouds containing millions of machines where resources are rented or spawned on demand. 10G and higher connections to replace intense enterprise workloads, i.e. Amazon Direct Connect.
6. Cloud Based Resiliency and GSLB – Traditional infrastructure services being pushed out to the cloud.
7. Internal Infrastructure Managed in the Cloud – Management consoles for equipment installed in the datacenter being pushed out to the cloud. Aruba, Meraki, McAfee etc.
8. Fast, Persistent, and Long-Term Archival Systems in the Cloud – Amazon, Rackspace, Joyent now long-term keepers of data.
9. Cloud Based Global Networking – A rush is occurring in the area of cloud based WAN optimization – companies with WAN-optimized clouds allowing anyone to plug in and achieve the benefits of global WAN-opt overnight.
10. Branch Clouds – Mini clouds in the branch that encompass applications, firewalls, wireless AP management, Active Directory, logging etc. on one physical server.
Traditional Firewalls and the Cloud = Clunky
• Traditional firewalls are inelastic; difficult in a large environment to upgrade firewalls on the fly. The cloud is elastic – therefore security devices that live in the cloud must also be elastic.
• Physical access in the cloud is disappearing; any security services must be virtual.
• The cloud does not make compliance go away. The need to track, audit and log remains the same.
• Physical firewalls protecting clouds present DR challenges. They cannot be moved, copied and spawned on demand. Business Continuity is a large driver behind private cloud initiatives.
Why Fortinet Virtual Firewalls?
• Virtualized to the core – the only tier 1 vendor that has physical/virtual parity. Every product we sell to the Financial Services market is virtualized.
• The Cloud is noncontiguous; Tier 2 and Tier 3 firewalls must be able to support VMware, Xen, Amazon, etc.
• 100% feature parity; physical and virtual firewalls are on the same development track and utilize the same development teams.
• All the elastic features of the cloud – upward/downward scaling and ‘motion.’
• Most importantly – World Class NGFW features in the cloud!
NGFW - What’s all the hype about?
The Facts: NGFW is intended to unify firewall policies, application rules, and identity into intelligent security frameworks.
• Applications running amok in organizations; business leaders need to control and contort them.
• Traditional firewall rule sets have become untenable.
• Hooks to identity are mandatory for security, compliance, audit.
• Security teams need knowledge about what applications exist on the network – YouTube or Botnets – it’s all valuable information.
• The increase in application layer attacks mandates that security devices function at the higher layers.
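The NGFW idea above (one ordered ruleset that joins identity, application and port) and the BYOD scenarios for Sue and Joe on the earlier slide, worked through as an added example; this is illustrative Python, not Fortinet's implementation, and the rule names, directory groups and application labels are assumed.

```python
# Added example (not Fortinet code): toy NGFW policy evaluation. Each rule can
# match on directory group, identified application and destination port; the
# ruleset is ordered, first match wins, and anything unmatched is denied.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    user: str          # identity resolved from a directory lookup (assumed)
    groups: frozenset  # that user's directory groups
    app: str           # application label from content inspection (assumed)
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    groups: frozenset = frozenset()  # empty set means "any"
    apps: frozenset = frozenset()
    ports: frozenset = frozenset()

    def matches(self, flow: Flow) -> bool:
        if self.groups and not (self.groups & flow.groups):
            return False
        if self.apps and flow.app not in self.apps:
            return False
        return not self.ports or flow.dst_port in self.ports


def evaluate(rules, flow: Flow, app_aware: bool = True):
    """Return (action, rule_name, audit_line) for the first matching rule."""
    # A legacy port-only firewall can express only rules without identity/app,
    # so those rules simply do not exist in its view of the same policy.
    if not app_aware:
        rules = [r for r in rules if not r.groups and not r.apps]
    for rule in rules:
        if rule.matches(flow):
            action, name = rule.action, rule.name
            break
    else:
        action, name = "deny", "implicit-deny"
    audit = f"user={flow.user} app={flow.app} port={flow.dst_port} rule={name} action={action}"
    return action, name, audit


# Constructed ruleset mirroring the deck's BYOD scenarios (Sue, Joe).
POLICY = (
    Rule("block-games", "deny", apps=frozenset({"farmville"})),
    Rule("marketing-social", "allow", groups=frozenset({"marketing"}), apps=frozenset({"facebook"})),
    Rule("no-streaming", "deny", apps=frozenset({"netflix", "youtube"})),
    Rule("general-web", "allow", ports=frozenset({80, 443})),
)
SUE_FB = Flow("sue", frozenset({"marketing"}), "facebook", 443)
SUE_FV = Flow("sue", frozenset({"marketing"}), "farmville", 443)
JOE_NF = Flow("joe", frozenset({"staff"}), "netflix", 443)
```

Running `evaluate(POLICY, SUE_FV)` denies Farmville via `block-games`, while `evaluate(POLICY, SUE_FV, app_aware=False)` shows the port-only view allowing it as ordinary HTTPS.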
NGFW – Why have deployments struggled???
• Legacy vendors have not invested in technology to run NGFW at high speeds.
• “New” vendors have disregarded traditional high speed firewall/filtering only to have their devices compromised.
• Vendors have lost sight of fundamental network firewall features such as new connections per second, total sessions, and overall throughput.
• No enterprise will ever be 100% NGFW; they will be an intelligent mix of traditional firewall and high performance stateful firewall.
NGFW – Why have Fortinet deployments succeeded??
• We built NGFW on the world’s fastest and strongest stateful firewall.
• We can turn on what you need when you need it. For one part of the network we may be your super high speed firewall; for another part we may be the Active Directory Integrated NGFW.
• We have appliances that are proven to work at the Branch or deep inside the data centre at multi-gigabit speed.
• As an organization we have a proven ability to deploy NGFW quickly in enterprise networks.
• Remember: NGFW means you can use all the features of the device in any combination you desire – not only the ones that work!
Some of our Success in Canada
• Canada’s most demanding NGFW deployments run on FortiGate:
  • School Board with 300,000 users
  • Canadian online TV on Demand services
• The only NGFW to successfully integrate into a Big 5 bank with all features turned on.
• The only NGFW to deploy in the core with all features turned on at Multi-Gig speeds.
• We don’t discriminate – We’ll do NGFW at 60 Gigs or 60 megs.
Q&A www.fortinet.com
Thank You www.fortinet.com