Slide 6 (CONFIDENTIAL – INTERNAL ONLY; Fortinet Confidential)
FortiOS 5
More Security
More Control
More Intelligence
Slide 7
FortiOS 5 Highlights: Over 150 New Features & Enhancements
Fighting Advanced Threats (More Security)
• Client Reputation
• Advanced Anti-malware Protection
Securing Mobile Devices (More Control)
• Device Identification
• Device Based Policy
• Endpoint Control
Making Smart Policies (More Intelligence)
• Identity Centric Enforcement
• Secured Guest Access
• Visibility & Reporting
Slide 8
Fighting Advanced Threats (More Security)
• Client Reputation
• Advanced Anti-malware Protection
Slide 9
Client Reputation: Zero Day Attack Detection
Identification → Score Computation → Ranking → Policy Enforcement
• Multiple scoring vectors
• Reputation by activity and threat status
• Real time, relative, drill-down, correlated
• Identify potential zero-day attacks
Slide 10
Advanced Anti-Malware Protection: Multi-pass Filters
In-box Enhanced AV Engine
• Hardware accelerated & code optimized
• Real time updated, 3rd party validated signature DB
• Local lightweight sandboxing
• Behavior / attribute based heuristic detection
Cloud Based AV Service
• Application Control – Botnet Category (FortiGuard Botnet IP Reputation DB)
• Cloud based sandboxing
Improves threat detection
Slide 11
More Security
Client Reputation
• Threat profiling to quickly identify the most suspicious clients
• Effective zero-day attack detection
Advanced Anti-malware Protection
• Multilayered: combines a best-in-class local AV engine with an additional cloud based detection system
• Detects and blocks botnet clients and activities
• Improves malware detection capabilities
Slide 12
Securing Mobile Devices (More Control)
• Device Identification
• Device Based Policy
• Endpoint Control
Slide 13
BYOD – Device Identity & Policies: See It… Control IT
Device Identification (agentless or agent based) → Device Based Identity Policies → Access Control, Security / Application Awareness, UTM Profiles
Seamless integration!
Slide 14
Device Based Policy (More Control)
• Securely adopt BYOD
• Set up different security and network usage policies based on device types
Authorized Device: ✔ DMZ ✔ INTERNET
Personal Device: ✗ DMZ ✔ INTERNET
Slide 15
Endpoint Control: FortiClient 5 – “Off-Net” Protection
(Diagram: the client moves between the LAN, on-net, and the INTERNET, off-net)
1. Client enrolls into the FortiGate and then receives its endpoint policy. It will receive any updates when connected again.
2. Client uses its last known security policies and VPN configurations.
Slide 16
Endpoint Control: FortiClient 5 – Securing Remote Devices
• Protect mobile hosts against malicious external threats
• Enforce consistent endpoint security policies, anywhere and all the time
• Simplified host security and remote VPN management
Slide 17
Making Smart Policies (More Intelligence)
• Identity Centric Enforcement
• Secured Guest Access
• Visibility & Reporting
Slide 18
Identity-Centric Enforcement: Identity = Policy
Identity sources: External Radius Service, Windows AD, Citrix Environment, Captive Portal, 802.1x, FortiClient, FSSO
Example users: M.Jones, S.Lim, V.Baker, J.Jackson
• Users identified without additional logins
• Users assigned to their identity based policies (diagram example: DMZ access)
Slide 19
Identity-Centric Enforcement: Single Sign-On and Role Based Policies
• Authorizing network access based on user credentials secures the network right at the entry point
• Reusing captured information for security policies unifies security configurations and offers a better user experience
• Reduces administrative tasks & configuration errors
Example: users M.Jones and S.Lim in the groups Marketing/Management (SSID: MGMT) and Operation/Staff (SSID: STAFF) receive different access: ✔ CMS ✔ INTERNET for one role, ✗ CMS ✔ INTERNET for the other
Slide 20
Integrated Guest Access: Temporary Network Access
• Guest Administration Portal
• Credential Generation & Delivery
• Time Quota
• Ad hoc access without compromising security
• Identify and track guest activities
• Time limits prevent unnecessary exposure to exploits
Slide 21
Visibility & Reporting: Network & Threat Status (Knowledge is Power!)
• Drill-Down Statistics
• Filter & Sorting
• Object Details
• Contextual Information
Slide 22
Visibility & Reporting: Deep Insights
• New PDF Formatting
• Drill-downs
• Per User Summary
• FortiManager / FortiCloud: comprehensive reports
Slide 26
UTM Enhancements
• SSL Inspection of IPS & App Control
• DNS-based Web Filtering
• CIFS (Flow-AV) & MAPI Scanning
• SSH proxy
• DLP Watermarking
Slide 27
Wireless Enhancements
• Wireless IDS
• Wireless Mesh
• Local Bridge Mode (Remote sites)
• SSID & Port Bridging
Slide 28
Additional Enhancements: User Notification
Notify users in real time about:
• Blocked Applications
• Denied Traffic
• Quotas
• Notifies via FortiClient if the host is registered
Slide 29
FortiGuard Services Enhancements (FDN: real time protection & new services)
• DNS-based Web Filter DB Query
• DDNS Service
• NTP Service
• BYOD Signature Updates
• Geography Updates
• USB Modem Updates
• Vulnerability Scan DB Updates
• SMS Messaging
Slide 30
Supported Platforms: Desktop, Mid Range, 3000 Series, 5000 Series, FortiGate-VM
* Available on patch release
Slide 31
Feature Matrix for Desktop Models
* Requires FMG/FAZ, FortiCloud for Monitoring, available in near future
Slide 32
Services, Licenses & Subscriptions
Included with FortiGate
• DNS Service
• DDNS Service
• NTP Service
• 2 FortiTokenMobile Licenses*
• 10 FortiClient Endpoint Licenses*
• 10 VDOMs License
• FortiCloud Service (trial)*
FortiCare Subscription Required
• Geography Updates
• BYOD Signature Updates
• USB Modem DB Updates
• Vulnerability Scan Signature Updates
• Firmware Update
+ FortiTokenMobile License
+ Endpoint License**
+ VDOM License**
+ SMS Top-up
+ FortiCloud Storage Top-up
* Registration Required
** Available on selected Models
BOLD: New Offerings
Slide 33
Services, Licenses & Subscriptions
FortiGuard AV Subscription
• Botnet IP reputation DB
• FortiGuard Analytics Service
• Proxy & Flow based AV signatures
FortiGuard Web Filter Subscription
• Botnet IP reputation DB
• FortiGuard Analytics Service
• Proxy & Flow based AV signatures
FortiGuard IPS Subscription
• IPS Signature Updates
• Application Control Signature Updates
FortiGuard Anti-spam Subscription
• Anti-spam Services
BOLD: New Offerings
Editor’s notes
Wired Connectivity: 10G is becoming standard; 40G and 100G deployments are starting
Wireless Connectivity: wireless everywhere; Wi-Fi speeds move to Gbps with 802.11ac
Mobile Devices Everywhere: bring your own device to work
Video and Audio: 48 hours of content uploaded to YouTube per minute
IPv6: real for carriers, and even some end users
Visibility of Traffic: admin requirements extend to end users
Accuracy of detection: is that really ‘Skype’ traffic you said you detected?
Policy Explosion: the complexity of enterprise security policies grows exponentially
Log Explosion: how to keep this relevant, the needle in the haystack problem
Threats continue to scale: nation state, Stuxnet, Flame. Remember RSA and LinkedIn
IT Budget: remains flat; more with less is the trend
IT Department: size remains largely the same, or shrinking
Moore’s Law arrives at the IT Department: the number of Internet attached devices managed by the IT Department doubles every two years
Pricing
FortiGuard Services simple licensing and pricing model maintained
FortiGate more performance, more features, same aggressive pricing
No complex feature enablement
No per user calculations
No surprises
Benefits of FortiOS 5.0 center around improved security, improved control and more intelligence.
Tackle today’s challenges:
The need for more control: how do I control devices, as they may be personal or belong to the organization?
The need to protect against new threats: how do I protect the network against zero-day attacks and go beyond using signatures …
The need to effectively enforce security in more complex network environments and requirements: how do I simplify the management and implementation, so that I, as the weakest link, do it correctly? Also, how can I better understand what is going on in my network?
We also take our customers’ feedback seriously and have adopted a number of enhancements that improve our functionality, our deliverables and the user experience.
Switch focus, and cover 3 main topics with APT:
-- AV Engine: misconceptions and 5.0 extensions
-- Cloud-based submission & updates
-- Multi-vector analysis (Client Reputation)
Client Reputation is a key differentiator with FOS 5.0.
It gives enterprises a cumulative security ranking of each device based on a range of behaviors and provides specific, actionable information that enables organizations to identify compromised systems and potential zero-day attacks in real time.
Scoring Mechanism
-- score for different behaviors
-- enforcement works the same
Cross Vectors
-- Blocked apps
-- Blocked websites
-- Denied policies
-- Malware
The new advanced anti-malware detection system adds an on-device behavior-based heuristic engine and cloud-based AV services that include an operating system sandbox and a botnet IP reputation database. Together with superior industry-validated AV signatures, FortiOS 5.0 delivers unbeatable multi-layered protection against today’s sophisticated malware.
Behavior Analysis
-- “Attributes” for each signature
-- Different degrees of matching
JavaScript Obfuscation
-- Common technique to hide malware in JS
-- New Emulator
Object Oriented Ext. for Mobile Malware (Android)
Cloud Integration for submission & updates
This is one of the biggest matters to tackle in today’s IT environment.
Do you or do you not allow personal devices for the organisation’s use? Either way, how can I do that?
BYOD – D is the keyword here. Device: no longer can we assume that an IP address or a user ID explicitly means it can do what is permissible.
In order to empower the IT department with the ability to control access and enforce security policies upon devices, we have built a couple of cool features.
We will talk about those features a little later, but first, let us see why the ability to manage devices from a security context is important.
FortiOS 5.0 lets you secure mobile devices and BYOD environments by identifying devices and applying specific access policies as well as security profiles, according to the device type or device group, location and usage.
So what are we doing to make it work?
Device Identification: by using 3 different technologies; users can choose all of them or any one, depending on their network setup.
Once a device is identified, the admin can apply a specific access policy as well as a security profile, according to the device type or device group. We will work through a use case soon.
A huge advantage here is that it all works seamlessly in the box.
Does it work with user authentication to create even more granular policies? Yes! This gives the ability to tell who does what on which device.
One of the improvements in FortiClient 5.0 allows for off-net protection. The same security policies can be applied even when the user is not connected to the corporate network. For example, policies can be sent to the FortiClient that block access to malicious websites. When that user is no longer connected to the corporate network, they would still be denied access to those websites.
Making security administration simpler and more efficient as networks become larger and more complex. Ultimately, these enhancements make security enforcement more accurate and hence lower the risk of security breaches, as the human is still the weakest link.
- Going beyond traditional SSO capabilities
- Take advantage of our capabilities as a wireless controller and new switch controller
- Make it easier for the security device to acquire the user ID
- Also made improvements to the existing SSO feature which make it easier to implement
FortiOS provides automatic adjustment of role-based policies for users and guests based on location, data and application profile.
Guest access is now part of security. Setting up guest policies is now very easy with the guest administration profile.
Enhanced reporting and analysis also provides administrators with more intelligence on the behavior of their network, users, devices, applications and threats.
FOS 5.0 provides very rich reporting functions. Comprehensive reports are easily constructed and ideal for generating documents for compliance and auditing.
(Note: Expand these reports to show the level of available detail.)
Client Reputation
Reputation built by activity: what, where, how
Compromised client?
Drill down report created for those with the worst reputations
Administrator defined thresholds
New JS emulator in AV engine
Added native scripting framework
XDP support to extract PDF file from XML
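The multi-vector scoring that the notes describe (points per behaviour vector, administrator-defined thresholds, a drill-down on the clients with the worst reputations), as an added Python illustration that is not Fortinet’s code and not FortiOS’s actual algorithm; the vector weights, the threshold and the event records are constructed assumptions.

```python
# Added illustration of multi-vector client reputation scoring: points per
# behaviour vector, administrator-defined weights and threshold, ranking and
# per-vector drill-down. Not FortiOS's real algorithm; all values hypothetical.
from collections import defaultdict

# Assumed administrator-defined weight per scoring vector (hypothetical).
VECTOR_WEIGHTS = {"blocked_app": 1, "blocked_web": 2, "denied_policy": 1, "malware": 10}

# Constructed sample events: (client_ip, vector, detail).
SAMPLE_EVENTS = [
    ("10.0.0.5", "blocked_app", "bittorrent"),
    ("10.0.0.5", "malware", "W32/Sample"),        # constructed detection name
    ("10.0.0.5", "blocked_web", "malicious-sites"),
    ("10.0.0.7", "denied_policy", "lan-to-dmz"),
    ("10.0.0.7", "blocked_app", "proxy.tunnel"),
    ("10.0.0.9", "blocked_web", "gambling"),
]


def score_clients(events, weights=VECTOR_WEIGHTS):
    """Cumulative score per client plus a per-vector breakdown (the drill-down)."""
    clients = defaultdict(lambda: {"score": 0, "by_vector": defaultdict(int)})
    for client, vector, _detail in events:
        points = weights.get(vector, 0)          # unknown vectors add nothing
        clients[client]["score"] += points
        clients[client]["by_vector"][vector] += points
    return clients


def rank_clients(events, threshold, weights=VECTOR_WEIGHTS):
    """Rank clients worst-first. 'relative' scales 0-100 against the worst client
    (a relative ranking); 'flagged' applies the absolute admin threshold."""
    scores = score_clients(events, weights)
    worst = max((c["score"] for c in scores.values()), default=0)
    ranked = []
    for client, data in sorted(scores.items(), key=lambda kv: -kv[1]["score"]):
        ranked.append({
            "client": client,
            "score": data["score"],
            "relative": round(100 * data["score"] / worst) if worst else 0,
            "flagged": data["score"] >= threshold,
            "by_vector": dict(data["by_vector"]),
        })
    return ranked


def worst_clients(events, threshold, weights=VECTOR_WEIGHTS):
    """Only the flagged clients, i.e. the candidates for a compromised-host report."""
    return [r for r in rank_clients(events, threshold, weights) if r["flagged"]]
```

A single malware hit outweighs many policy denies here, so the ranking surfaces the likely compromised host first while the per-vector breakdown shows why it scored as it did.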