1
© Copyright 2013 Fortinet Inc. All rights reserved.
Fortinet – Carrier and MSSP
Robert Dabrowski, CISSP
SE Fortinet
2
Agenda
• Fortinet in telco ecosystem
• How projects start – tests and features development
• But we do need a platform
• MSSP – reselling expertise and performance
• Assuring quality and business continuity
3
SECURING CSP NETWORKS
[Diagram: security functions placed across a CSP network. Labels, in the order extracted: Mobile Network; Fixed Line Network; Other SP, IMS; LTE/xCell Secure GW, eNodeBs, accelerated IPSec, SCTP; Internet PoP, Carrier Grade NAT, IPv6 <-> IPv4, IP blacklisting, botnet identification; Gi/SGi; Border GW / Roaming, VPMN, HPMN, GTP v1/v2, DIAMETER, SIP; Datacenter, IP Backbone, DC Core, DDoS, ADC, WAF, virtualization, mail; Services Platform, Network (WiFi, DHCP, DNS…), voice, gaming, video, messaging, mail; B2B Network; Multimedia Services, SIP ALG, X-CSCF, IMS VoLTE; DC Edge, edge firewall, DDoS; Partners, HQ, Campus, Branch…; WiFi; B2B / MSSP, Cloud, Cleanpipe, CPE; IS Infrastructure, Shops, HQ, Website]
5
ISP France – project starts from R&D tests
ISP R&D SIP test results
• Product used for testing: FG 3240C
• SEs and Support teams helped the customer tune the config
• Test results were very positive:
» SIP ALG worked as expected
» Firewall logging is relevant
» Customer had to modify his testing tool in order to fully test the firewall's performance
» Firewall managed to process 6000 SIP requests per second without being too stressed
6
FortiOS VoIP Protection Features
• Stateful SIP tracking
» The SIP SFW tracks the SIP session over its lifespan. A SIP session (or SIP dialog) is normally established after the SIP INVITE procedure. The SIP SFW then tracks this call as a "SIP session". A session can, for instance, end by a regular BYE procedure (users hang up the phone) or by another unexpected signaling or transport event.
• SIP per request method message rate limitation
» Configurable threshold for SIP message rates per request method. Protects SIP servers from SIP overload and DoS attacks.
• SIP High Availability (HA)
» Allows an HA configuration (active-standby) for SIP. Supports failover of SIP sessions in case an active firewall instance fails.
• RTP Pinholing
» The SIP SFW opens the respective RTP ports as long as the SIP session is alive and conforms to the operator security policies.
• RTP Bypass
» Supports configurations with and without RTP pinholing. May inspect and protect SIP signaling only.
• SIP NAT with IP address conservation
» Performs SIP- and RTP-aware IP network address translation. Preserves the lost IP address information in the SIP/SDP info header for later processing/debugging in the SIP server.
» Various NAT policies can be defined for SIP signal sessions and for RTP sessions that are negotiated through the SIP signal session.
• SIP Transparent or NAT mode
» The SFW supports a transparent mode, where SIP messages are inspected but not modified. Only in case of an attack or overload does the SFW become visible. The other mode is SIP NAT. In this mode, the SIP header is modified with regard to translation of IP addresses.
• Support for Geographical Redundancy
» Maintains an active-standby SIP server configuration, which even supports geographical distribution. If the active SIP server fails (missing SIP heartbeat messages or SIP traffic), FortiOS will redirect the SIP traffic to a secondary SIP server.
7
FortiOS VoIP Protection Features
• SIP command control
» The SIP SFW can block SIP methods. SIP methods that can be blocked are: ack, bye, cancel, info, invite, notify, options, publish, refer, register, subscribe, update and "unknown commands".
• SIP fuzzing
» Protection from malicious SIP messages
• SIP communication logging
» The SIP SFW supports logging to a FortiAnalyzer. The log files show up in the "Content Archive" section under the VoIP tab.
• Hardware accelerated RTP processing
» Where RTP is pinholed by a FortiOS Carrier™ device, it needs to be understood that RTP packets can be very small (around 100 bytes or less) and sensitive to processing latency, packet loss or jitter (packet delay variation). FortiGate devices can offload RTP packet processing to HW assistance (FortiASIC). This will greatly enhance the overall throughput and will give the firewall device a multiple GE wirespeed (1 Gbps) VoIP security solution.
• Media Inactivity
» In some cases SIP signaling is established, but the voice bearer (RTP) is broken. The SIP SFW optionally supports detection of media inactivity, which cleans the SIP call context in the SFW once there has been no RTP for a specific time.
• SIP over IPv6
» Supports signaling firewall for SIP messages using IPv6 transport. Limited to SIP over IPv6 in SIP transparent mode (no SIP/RTP NAT of IPv6 to IPv4).
• IP Topology Hiding
» IP topology of a network can be hidden through NAT and NAPT manipulation of IP and SIP level addressing.
• Deep SIP header inspection
» Deep SIP header syntax inspection. Protects against many SIP fuzzing attacks with malformed SIP message headers. User configurable bypass and response message options. SIP conformance violations can be logged with the FortiAnalyzer.
• Hosted NAT traversal
» Resolves the IP address issue in the SIP-SDP header due to NAT-PT in the far-end firewall. Important feature for VoIP access networks.
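How "SIP command control" and "SIP per request method message rate limitation" combine into one decision per message, as an added example (not FortiOS code and not from the original slides). The class name, the one-second window and the thresholds are assumptions chosen for illustration; the SIP messages are constructed.

```python
from collections import defaultdict, deque

# Request methods named on the slide; anything else is treated as "unknown".
KNOWN_METHODS = {
    "ACK", "BYE", "CANCEL", "INFO", "INVITE", "NOTIFY", "OPTIONS",
    "PUBLISH", "REFER", "REGISTER", "SUBSCRIBE", "UPDATE",
}


class SipMethodPolicy:
    """Hypothetical signaling-firewall policy: method block list plus
    a sliding-window rate limit per request method."""

    def __init__(self, blocked=(), limits=None, window=1.0):
        self.blocked = {m.upper() for m in blocked}
        self.limits = {m.upper(): n for m, n in (limits or {}).items()}
        self.window = window              # seconds
        self._seen = defaultdict(deque)   # method -> accepted timestamps

    @staticmethod
    def classify(raw):
        """Return the request method, or RESPONSE / MALFORMED / UNKNOWN."""
        lines = raw.splitlines()
        parts = lines[0].strip().split(" ") if lines else [""]
        if parts[0].startswith("SIP/"):
            return "RESPONSE"             # status line, not a request
        if len(parts) != 3 or parts[2] != "SIP/2.0":
            return "MALFORMED"            # not "METHOD uri SIP/2.0"
        return parts[0] if parts[0] in KNOWN_METHODS else "UNKNOWN"

    def decide(self, raw, now):
        """Return 'pass', 'block' or 'rate-limit' for one message."""
        method = self.classify(raw)
        if method == "RESPONSE":
            return "pass"
        if method == "MALFORMED" or method in self.blocked:
            return "block"
        limit = self.limits.get(method)
        if limit is None:
            return "pass"
        seen = self._seen[method]
        # Drop timestamps that have left the window.
        while seen and now - seen[0] >= self.window:
            seen.popleft()
        if len(seen) >= limit:
            return "rate-limit"
        seen.append(now)
        return "pass"


def run_demo():
    """Replay constructed messages with fixed timestamps."""
    policy = SipMethodPolicy(blocked={"UNKNOWN", "PUBLISH"},
                             limits={"REGISTER": 2})
    register = "REGISTER sip:registrar.example.test SIP/2.0\r\n\r\n"
    traffic = [
        (0.00, register),
        (0.10, register),
        (0.20, register),                                   # third in 1 s
        (0.30, "INVITE sip:bob@example.test SIP/2.0\r\n\r\n"),
        (0.40, "FOO sip:bob@example.test SIP/2.0\r\n\r\n"),  # unknown method
        (0.50, "SIP/2.0 200 OK\r\n\r\n"),
        (1.05, register),                                   # window moved on
    ]
    return [policy.decide(raw, ts) for ts, raw in traffic]


if __name__ == "__main__":
    print(run_demo())
```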
8
ISP Germany - GTP solution
• ISP had been using Other Vendor GX Firewall as its GTP roaming solution for the last 8 years
• During that time ISP faced major performance issues
» Other Vendor GX Release 4 was able to handle only 120MB of traffic per Core, but only one single Core was supported
» Other Vendor tried for several years to provide a solution, with no success
• Finally ISP decided to look for an alternative
• FTNT was able to show 11GB of GTP traffic passing a single cluster of FGT-3950 with XH0
9
GTP filter IMSI filter example - IMSI filter
TP mode: IMSI filter test: block
[Diagram: T_SGSN4 and T_GGSN1, each on VLAN 452, connected through port5 and port6; addresses 123.30.194.1 and 123.30.194.4]
Authorized IMSI = 452021xxxxxxxxx
edit "Gn_imsi_SN4_GN1"
    set authorized-ggsns "vinaph_GGSN_1"
    set authorized-sgsns "vinaph_SGSN_4"
    set default-imsi-action deny
    set handover-group "all"
    config imsi
        edit 1
            set mcc-mnc "0452021"
        next
    end
    set imsi-filter enable
10
GTP security gateway XH0 offloaded GTP-U /IPSEC
11
SeGW in ISP France
Key Features
• Secures protocols within LTE networks
» Various GTP versions
» SCTP
• Provides very powerful in-depth GTP inspection and analysis at high speed (with XH0)
• Rate limiting of GTP-U, GTP-C inspection (XH0)
• High new-tunnel-per-second rate (regional backups)
• High IPSEC throughput and low latency
• VDOM is used to policy route some traffic for radio optimization purposes (X2 traffic)
• 3GPP certificate enrollment
• IOT (interoperability test): top telco infrastructure providers
12
FortiGate LTE Security Gateway (SeGW)
[Diagram: eNode Bs on the untrusted backhaul network connect through the Secure Gateway (SeGW) to the MME and SGW in the trusted core network. Traffic shown: S1 traffic (control plane + user plane), X2 traffic, management, GTP-U tunnel. SeGW functions shown: SCTP firewalling and rate limiting; GTP-U inspection and rate limiting; IPSEC termination and re-routing; GTP-C inspection and control]
13
FortiGate Gi Firewall (GiFW)
• As a GiFW, the FortiGate can provide full FortiOS functionality in protecting UEs and the EPC from connected PDNs
• FG's VDOM capability provides full functional segregation per PDN, while HW-accelerated inter-VDOM links offer stateful connectivity to the P-GWs in the EPC
• FortiCarrier OS offers additional MMS scanning support
• By using dynamic contexts, the FortiGate can provide user-specific protection profiles, based on accounting messages from the MME/HSS
» Provides support for value-added security options for users
[Diagram: one VDOM per APN (APN.MMS, APN.MPLS.X, APN.Internet) joined by inter-VDOM links to a VDOM facing the P-GWs over SGi; P-GWs connect to the S-GW in the EPC over S5]
14
MMS Content Scanning (GiFW)
FortiCarrier MMS scannable interface
• Multimedia Messaging Service (MMS) allows for transfer of file/stream based media beyond texting (SMS – Simple Messaging Service)
• Can scan MMS traffic directly from users (MM1), to/from email and VAS (Value Added Service) servers (MM3/MM7), or between carriers (MM4)
• MMS scanning provides carriers a means of protecting their infrastructures against MMS-based DoS attacks, as well as of filtering MMS content
• MMS scanning also extends FortiOS Data Leakage Protection (DLP) capabilities by scanning MMS file transfers for DLP signatures
15
NAT64 – CLAT + PLAT
Source: https://sites.google.com/site/tmoipv6/464xlat
16
LAB Topology – CLAT + NAT64
[Diagram labels, in the order extracted: 192.168.3.0/24; 2a00:e18:8001:6cd::c1a6/32; FG310B; .100.52, .52; P9, P10; .119; ubu64, eth0; 172.16.132.0/24; 2a00:e18:8000:6cd::c1a1/32; CLAT address 192.0.0.9, 2a00:e18:8000:6cd::c1a9; .81; .20 FTP, RTSP; 192.168.5.99/24; VPN: IPSec, PPTP]
tayga.conf
    tun-device nat64
    ipv4-addr 192.168.255.8
    prefix 2001:db8:1:ffff::/96
    dynamic-pool 192.168.255.0/24
    map 192.0.0.9 2a00:e18:8000:6cd::c1a9
config firewall ippool
    edit "nat64"
        set startip 192.168.3.201
        set endip 192.168.3.210
    next
    edit "nat44"
        set startip 192.168.3.211
        set endip 192.168.3.220
    next
end
17
NAT64 tests
Translation
FG15 (NAT64) # get system session list | grep 192.168.3.20:
icmp 59 (2a00:e18:8000:6cd::c1a9:129)192.168.3.204:3210 - (2001:db8:1:ffff::c0a8:314:3210)192.168.3.20:8 -
icmp 59 (2a00:e18:8000:6cd::c1a7:129)192.168.3.202:3941 - (2001:db8:1:ffff::c0a8:314:3941)192.168.3.20:8 -
icmp 59 (2a00:e18:8001:6cd::c1a6:129)192.168.3.205:3141 - (2001:db8:1:ffff::c0a8:314:3141)192.168.3.20:8 -
icmp 59 (2a00:e18:8000:6cd::c1a6:129)192.168.3.201:3864 - (2001:db8:1:ffff::c0a8:314:3864)192.168.3.20:8 -
IPv6 FTP active
FG15 (NAT64) # get system session list | grep 192.168.3.20:
tcp 3599 (2a00:e18:8001:6cd::c1a6:39104)192.168.3.205:34896 - (2001:db8:1:ffff::c0a8:314:21)192.168.3.20:21 -
tcp 0 (2a00:e18:8001:6cd::c1a6:42747)192.168.3.20:20 - (2001:db8:1:ffff::c0a8:314:20)192.168.3.205:42747 -
IPv6 FTP passive
FG15 (NAT64) # get system session list | grep 192.168.3.20:
tcp 3599 (2a00:e18:8001:6cd::c1a6:39108)192.168.3.205:12372 - (2001:db8:1:ffff::c0a8:314:21)192.168.3.20:21 -
tcp 0 (2a00:e18:8001:6cd::c1a6:55545)192.168.3.205:55545 - (2001:db8:1:ffff::c0a8:314:46219)192.168.3.20:46219 -
CLAT FTP active
FG15 (NAT64) # get system session list | grep 192.168.3.20:
tcp 0 (2a00:e18:8000:6cd::c1a9:52775)192.168.3.20:20 - (2001:db8:1:ffff::c0a8:314:20)192.168.3.204:52775 -
tcp 3599 (2a00:e18:8000:6cd::c1a9:39035)192.168.3.204:14571 - (2001:db8:1:ffff::c0a8:314:21)192.168.3.20:21 -
CLAT FTP passive
FG15 (NAT64) # get system session list | grep 192.168.3.20:
tcp 0 (2a00:e18:8000:6cd::c1a9:54727)192.168.3.204:54727 - (2001:db8:1:ffff::c0a8:314:46326)192.168.3.20:46326 -
tcp 3599 (2a00:e18:8000:6cd::c1a9:39036)192.168.3.204:24812 - (2001:db8:1:ffff::c0a8:314:21)192.168.3.20:21 -
CLAT IPSec
FG15 (NAT64) # get system session list | grep 192.168.3.81:
udp 95 (2a00:e18:8000:6cd::c1a9:4500)192.168.3.204:41220 - (2001:db8:1:ffff::c0a8:351:4500)192.168.3.81:4500 -
udp 95 (2a00:e18:8000:6cd::c1a9:500)192.168.3.204:47460 - (2001:db8:1:ffff::c0a8:351:500)192.168.3.81:500 -
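A consistency check over the session lists above, as an added example (not from the original slides): it decodes the IPv4 address embedded in the 2001:db8:1:ffff::/96 prefix from tayga.conf and confirms that the IPv4 side of each session uses that server address and a source from the "nat64" ippool. The reading of the session-list layout as "(IPv6 address:port)IPv4 address:port" pairs is an assumption, and the two failing lines are constructed.

```python
import ipaddress
import re

# From the slide: tayga.conf "prefix" and the FortiGate "nat64" ippool range.
NAT64_PREFIX = ipaddress.IPv6Network("2001:db8:1:ffff::/96")
POOL_START = ipaddress.IPv4Address("192.168.3.201")
POOL_END = ipaddress.IPv4Address("192.168.3.210")

# Assumed layout: proto expiry (v6:port)v4:port - (v6:port)v4:port -
SESSION_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<expiry>\d+)\s+"
    r"\((?P<a6>[0-9a-fA-F:]+)\)(?P<a4>\d+(?:\.\d+){3}):(?P<a4p>\d+)\s+-\s+"
    r"\((?P<b6>[0-9a-fA-F:]+)\)(?P<b4>\d+(?:\.\d+){3}):(?P<b4p>\d+)"
)


def split_v6_endpoint(text):
    """'2a00::1:443' -> (IPv6Address('2a00::1'), 443); port is the last field."""
    addr, port = text.rsplit(":", 1)
    return ipaddress.IPv6Address(addr), int(port)


def embedded_ipv4(v6):
    """For a /96 NAT64 prefix the IPv4 address is the low 32 bits (RFC 6052)."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in NAT64_PREFIX:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def check_session(line):
    """Return a list of findings for one session line ([] means consistent)."""
    m = SESSION_RE.match(line.strip())
    if not m:
        return ["unparsed-line"]
    v6_eps = [split_v6_endpoint(m["a6"]), split_v6_endpoint(m["b6"])]
    v4_eps = [(ipaddress.IPv4Address(m["a4"]), int(m["a4p"])),
              (ipaddress.IPv4Address(m["b4"]), int(m["b4p"]))]
    synthesized = [(embedded_ipv4(a), p) for a, p in v6_eps if a in NAT64_PREFIX]
    if len(synthesized) != 1:
        return ["expected-exactly-one-nat64-prefixed-address"]
    server_addr, server_port = synthesized[0]
    # ICMP lines carry id/type in the port position, so compare ports
    # only for TCP and UDP.
    with_ports = m["proto"] in ("tcp", "udp")
    matches = [ep for ep in v4_eps
               if ep[0] == server_addr and (not with_ports or ep[1] == server_port)]
    if not matches:
        return ["embedded-ipv4-mismatch"]
    findings = []
    for addr, _port in v4_eps:
        if addr != server_addr and not POOL_START <= addr <= POOL_END:
            findings.append("source-outside-nat64-pool")
    return findings


# Lines copied from the session lists on the slide.
PAGE_SESSIONS = [
    "icmp 59 (2a00:e18:8000:6cd::c1a9:129)192.168.3.204:3210 - (2001:db8:1:ffff::c0a8:314:3210)192.168.3.20:8 -",
    "tcp 3599 (2a00:e18:8001:6cd::c1a6:39104)192.168.3.205:34896 - (2001:db8:1:ffff::c0a8:314:21)192.168.3.20:21 -",
    "tcp 0 (2a00:e18:8001:6cd::c1a6:42747)192.168.3.20:20 - (2001:db8:1:ffff::c0a8:314:20)192.168.3.205:42747 -",
    "udp 95 (2a00:e18:8000:6cd::c1a9:4500)192.168.3.204:41220 - (2001:db8:1:ffff::c0a8:351:4500)192.168.3.81:4500 -",
]

# Constructed lines that should be flagged.
BAD_DESTINATION = "tcp 3599 (2a00:e18:8000:6cd::c1a9:40000)192.168.3.204:40000 - (2001:db8:1:ffff::c0a8:314:21)192.168.3.21:21 -"
BAD_POOL = "tcp 3599 (2a00:e18:8000:6cd::c1a9:40001)192.168.3.230:40001 - (2001:db8:1:ffff::c0a8:314:21)192.168.3.20:21 -"


def audit(lines):
    """Map each line to its findings."""
    return {line: check_session(line) for line in lines}


if __name__ == "__main__":
    for line, findings in audit(PAGE_SESSIONS + [BAD_DESTINATION, BAD_POOL]).items():
        print(findings or "ok", "<-", line)
```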
19
FortiGate 3700D
• 2 x GE RJ45 Management Ports
• 4 x 40GE QSFP Slots
• 20 x 10GE SFP+/GE SFP Slots
• 8 ultra-low latency 10GE SFP+ Slots
Hardware Performance
Firewall Throughput (1518/512/64): 160/160/110 Gbps
Firewall Latency: 2 μs
Concurrent Sessions: 44 Mil
New Sessions/Sec: 300,000
Firewall Policies: 100,000
IPSec VPN Throughput: 100 Gbps
SSL-VPN Throughput: 6 Gbps
IPS Throughput: 23 Gbps
Antivirus Throughput (Proxy Based / Flow Based): 7.5/18 Gbps
Virtual Domains (Default / Max): 10/500
Max Number of FortiAPs (Total/Tunnel): 4096 / 1024
Max Number of FortiTokens: 5,000
Client-to-Gateway IPSec VPN Tunnels: 64,000
Concurrent SSL-VPN Users (Recommended Max): 30,000
20
What's new in NP6
• More accelerated features
» IPv4
» IPv6
» Multicast
» SCTP
» CAPWAP data (not DTLS)
» QoS support with traffic prioritization
» IPSEC sha2-256 and 512
» SYN proxy, host and server protection via traffic shaping
» Tunneling: v4 -> v6, v6 -> v4, v4 -> v4 and v6 -> v6
» Translation (tcp/udp): v4 -> v6, v6 -> v4, v4 -> v4 and v6 -> v6
• More bandwidth
» 40G per NP6 in place of 20G for the NP4
• Less jitter and latency
» We are now at about 3.5 micro sec of latency in place of 5 on standard ports
» 1.6 with the low latency port (last 8 ports)
• More accelerated sessions
22
Managed Security Services
Multiple customers on shared infrastructure with dedicated services
Key Features:
• Virtual Domain per customer
• Firewall, IPSec, IPS, Antivirus, Web Filtering, Application Control
• End Customer Portal
• Dynamic Profiles (RADIUS Single Sign-On)
» Allows for per-user services
» MSISDN, APN aware
• Cookie-based Web Filtering (multi-user, behind NAT boundary)
23
A typical MSSP offer includes
» Perimeter Protection, including managed services for Firewalls, Intrusion Detection and Prevention Systems (IDPSs), and Virtual Private Networks (VPNs), such as IPSec and SSL
» Monitoring the Security Service
» Incident Management, with emergency response and forensic analysis
» Upfront and partly permanent Vulnerability Assessment and Penetration Testing
» Anti-Spam, Anti-Virus and Content Filtering services
» Traffic Shaping
» Application Control, to differentiate what is really running on port 80
» Web Filtering, not allowing all sites to be visited
» Data Leakage Prevention, stopping sensitive data at the internal border
» Risk Assessments of the Information Security
» WAN Optimization and Web Caching
» VoIP Security
» Data Archiving and Restoration
» On-Site Consulting
24
MSSP LAB network
25
FortiGate HA – virtual clusters
26
FortiManager – admin profiles
Administrator PKI adom1
• Can connect only from the customer's network
• Must possess a specific certificate
27
"admin" – the main administrator sets global policies,
e.g. to the management network, so that a local ADOM administrator can't remove access to FortiManager.
Admin "adom1" can't change the global policy, just his ADOM-specific policies.
28
Managing and Reporting
FortiManager can be used to configure, alter settings and change configuration through its interface towards
• internal provisioning systems (industrialized provisioning)
• external users (standard portal interface)
• external users via Web Server backend (SDK)
29
JSON API : Anatomy of a JSON API Request
30
JSON API : Methods
The JSON API supports the methods below:
method: use
get: retrieve a current list or status of an object
add: create an object; it won't overwrite existing objects
update: modify existing objects; it won't create them for you
set: create or overwrite an existing object; it will forcefully create or overwrite anything you tell it to (use with caution)
delete: remove objects; for most objects this can be done via the name on the URL
move: move policies around within a package
clone: clone a policy or object
exec: log in, log out, copy and install policy packages, etc.
32
FortiGuard Minute
Per Minute
• 72,000 spam emails intercepted
• 210,000 network intrusion attempts resisted
• 68,000 malware programs neutralized
• 310,000 malicious website accesses blocked
• 67,000 botnet C&C attempts thwarted
• 34 Million website categorization requests
Updates Per Week
• 53 Million new & updated spam rules
• 100 intrusion prevention rules
• 920,000 new & updated AV definitions
• 1 Million new URL ratings
• 8,000 hours of threat research globally
FortiGuard Database
• 150 terabytes of threat samples
• 17,000 intrusion prevention rules
• 5,800 application control rules
• 250 Million rated websites in 78 categories
• 151 zero-day threats discovered
Based on Q4 2014 data
33
Fortinet Support Centers
Vancouver, Canada
Sophia Antipolis, France
Prague, Czech Republic
Bangalore, India
Beijing, China
Tokyo, Japan
Kuala Lumpur, Malaysia
Global Support
24/7
34 Fortinet Confidential
THANK YOU !!!
Contest !!!
Question: Name two selected features of the FortiASIC NP6 that distinguish it from the older NP4 generation.
Answers can be written on the back of a business card and left at the Fortinet booth. Three prizes will be drawn among those who submit correct answers.

4Developers 2015: Bypassing Same-Origin Policy - Jakub Żoczek
 
Global Environmental Facility Bridging climate and biodiversity
Global Environmental Facility Bridging climate and biodiversityGlobal Environmental Facility Bridging climate and biodiversity
Global Environmental Facility Bridging climate and biodiversity
 
Diversity, Sustainability and Resilience in Natural Resource Management in Af...
Diversity, Sustainability and Resilience in Natural Resource Management in Af...Diversity, Sustainability and Resilience in Natural Resource Management in Af...
Diversity, Sustainability and Resilience in Natural Resource Management in Af...
 
Respect for human_rights_and_relevant_legal_aspects_in_western_sahara-asklof-...
Respect for human_rights_and_relevant_legal_aspects_in_western_sahara-asklof-...Respect for human_rights_and_relevant_legal_aspects_in_western_sahara-asklof-...
Respect for human_rights_and_relevant_legal_aspects_in_western_sahara-asklof-...
 

Similar a PLNOG14: Fortinet, Carrier and MSSP - Robert Dąbrowski

volte ims network architecture
volte ims network architecturevolte ims network architecture
volte ims network architectureVikas Shokeen
 
Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceBertrand Duvivier
 
ETE405-lec4.pdf
ETE405-lec4.pdfETE405-lec4.pdf
ETE405-lec4.pdfmashiur
 
8 the path to voice over lte - vo lte
8 the path to voice over lte - vo lte8 the path to voice over lte - vo lte
8 the path to voice over lte - vo lteCPqD
 
F5 Solutions for Service Providers
F5 Solutions for Service ProvidersF5 Solutions for Service Providers
F5 Solutions for Service ProvidersBAKOTECH
 
4.1-cnse-study-guide.pdf
4.1-cnse-study-guide.pdf4.1-cnse-study-guide.pdf
4.1-cnse-study-guide.pdfssuser88346b
 
ETE405-lec4.pptx
ETE405-lec4.pptxETE405-lec4.pptx
ETE405-lec4.pptxmashiur
 
IPv6 - A Real World Deployment for Mobiles
IPv6 - A Real World Deployment for MobilesIPv6 - A Real World Deployment for Mobiles
IPv6 - A Real World Deployment for MobilesAPNIC
 
Secure-Access-FortiSwitch-08.24.pdf
Secure-Access-FortiSwitch-08.24.pdfSecure-Access-FortiSwitch-08.24.pdf
Secure-Access-FortiSwitch-08.24.pdfDAVIDALFONSORAMIREZH
 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSICT PRISTINE
 
Sip Trunking Getting It Right The 1st Time
Sip Trunking   Getting It Right The 1st TimeSip Trunking   Getting It Right The 1st Time
Sip Trunking Getting It Right The 1st TimeGraham Francis
 
Ryu SDN Framework
Ryu SDN FrameworkRyu SDN Framework
Ryu SDN FrameworkAPNIC
 
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...gogo6
 
Voice Over IP Overview w/Secuirty
Voice Over IP Overview w/SecuirtyVoice Over IP Overview w/Secuirty
Voice Over IP Overview w/SecuirtyChristopher Duffy
 
Service Provider Wi-Fi
Service Provider Wi-FiService Provider Wi-Fi
Service Provider Wi-FiCisco Canada
 

Similar a PLNOG14: Fortinet, Carrier and MSSP - Robert Dąbrowski (20)

Why choose pan
Why choose panWhy choose pan
Why choose pan
 
volte ims network architecture
volte ims network architecturevolte ims network architecture
volte ims network architecture
 
Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advance
 
ETE405-lec4.pdf
ETE405-lec4.pdfETE405-lec4.pdf
ETE405-lec4.pdf
 
FortiGate-200B
FortiGate-200BFortiGate-200B
FortiGate-200B
 
8 the path to voice over lte - vo lte
8 the path to voice over lte - vo lte8 the path to voice over lte - vo lte
8 the path to voice over lte - vo lte
 
F5 Solutions for Service Providers
F5 Solutions for Service ProvidersF5 Solutions for Service Providers
F5 Solutions for Service Providers
 
4.1-cnse-study-guide.pdf
4.1-cnse-study-guide.pdf4.1-cnse-study-guide.pdf
4.1-cnse-study-guide.pdf
 
Gda ipsoc blr_hic_final
Gda ipsoc blr_hic_finalGda ipsoc blr_hic_final
Gda ipsoc blr_hic_final
 
ETE405-lec4.pptx
ETE405-lec4.pptxETE405-lec4.pptx
ETE405-lec4.pptx
 
Cyclone IV FPGA Device
Cyclone IV FPGA DeviceCyclone IV FPGA Device
Cyclone IV FPGA Device
 
IPv6 - A Real World Deployment for Mobiles
IPv6 - A Real World Deployment for MobilesIPv6 - A Real World Deployment for Mobiles
IPv6 - A Real World Deployment for Mobiles
 
Secure-Access-FortiSwitch-08.24.pdf
Secure-Access-FortiSwitch-08.24.pdfSecure-Access-FortiSwitch-08.24.pdf
Secure-Access-FortiSwitch-08.24.pdf
 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OS
 
Vo ip
Vo ipVo ip
Vo ip
 
Sip Trunking Getting It Right The 1st Time
Sip Trunking   Getting It Right The 1st TimeSip Trunking   Getting It Right The 1st Time
Sip Trunking Getting It Right The 1st Time
 
Ryu SDN Framework
Ryu SDN FrameworkRyu SDN Framework
Ryu SDN Framework
 
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
 
Voice Over IP Overview w/Secuirty
Voice Over IP Overview w/SecuirtyVoice Over IP Overview w/Secuirty
Voice Over IP Overview w/Secuirty
 
Service Provider Wi-Fi
Service Provider Wi-FiService Provider Wi-Fi
Service Provider Wi-Fi
 

Último

AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian  Call girls in Dubai +971563133746 Dubai  Call girlsRussian  Call girls in Dubai +971563133746 Dubai  Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
 

Último (20)

AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130  Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian  Call girls in Dubai +971563133746 Dubai  Call girlsRussian  Call girls in Dubai +971563133746 Dubai  Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 

PLNOG14: Fortinet, Carrier and MSSP - Robert Dąbrowski

  • 1. 1 © Copyright 2013 Fortinet Inc. All rights reserved. Fortinet – Carrier and MSSP Robert Dabrowski, CISSP SE Fortinet
  • 2. 2 • Fortinet in telco ecosystem • How projects start – tests and features development • But we do need a platform • MSSP – reselling expertise and performance • Assuring quality and business continuity Agenda
  • 3. 3 SECURING CSP NETWORKS Mobile Network Fixed Line Network Other SPIMS LTE/ xCell Secure GW eNodeBs Accelerated IPSec SCTP Internet PoP Carrier Grade Nat IPv6 <-> IPv4 IP Blacklisting Botnet identification Gi/SGi Border Gw / Roaming VPMN HPMN GTP V1/V2 DIAMETER SIP Datacenter IP Backbone DC Core DDOS ADC WAF Virtualization Mail Services Platform Network (WiFi, DHCP, DNS….) Voice Gaming Video Messaging Mail B2B Network Multimedia Services SIP ALG X-CSCF IMS VoLTE DC Edge Edge Firewall DDOS Partners, HQ, Campus, Branch… WIFi BackboneMobile Fix Others Backbone B2B B2B / MSSP Cloud Cleanpipe Partners, HQ, Campus, Branch… WIFi CPE IS Infrastructure Shops, HQ, Website
  • 4. 4 • Fortinet in telco ecosystem • How projects start – tests and features development • But we do need a platform • MSSP – reselling expertise and performance • Assuring quality and business continuity Agenda
  • 5. 5 ISP France – project starts from R&D tests
      ISP R&D SIP test results
      • Product used for testing: FG 3240C
      • SEs and Support teams helped the customer tune the config
      • Test results were very positive:
        » SIP ALG worked as expected
        » Firewall logging is relevant
        » Customer had to modify his testing tool in order to fully test the firewall's performance
        » Firewall managed to process 6000 SIP requests per second without being too stressed
  • 6. 6 FortiOS VoIP Protection Features
      • Stateful SIP tracking
        The SIP SFW tracks the SIP session over its lifespan. A SIP session (or SIP dialog) is normally established after the SIP INVITE procedure. The SIP SFW then tracks this call as a "SIP session". A session can, for instance, end by the regular BYE procedure (users hang up the phone) or by another unexpected signaling or transport event.
      • SIP per request method message rate limitation
        Configurable threshold for SIP message rates per request method. Protects SIP servers from SIP overload and DoS attacks.
      • SIP High Availability (HA)
        Allows an HA configuration (active-standby) to be set up for SIP. Supports failover of SIP sessions if the active firewall instance fails.
      • RTP Pinholing
        The SIP SFW opens the respective RTP ports as long as the SIP session is alive and conforms to the operator security policies.
      • RTP Bypass
        Supports configurations with and without RTP pinholing. May inspect and protect SIP signaling only.
      • SIP NAT with IP address conservation
        Performs SIP- and RTP-aware IP network address translation. Preserves the lost IP address information in the SIP/SDP info header for later processing/debugging in the SIP server.
        Various NAT policies can be defined for SIP signal sessions and RTP sessions that are negotiated through the SIP signal session.
      • SIP Transparent or NAT mode
        The SFW supports a transparent mode, where SIP messages are inspected but not modified. Only in case of an attack or overload does the SFW become visible. The other mode is SIP NAT. In this mode, the SIP header is modified with regard to translation of IP addresses.
      • Support for Geographical Redundancy
        Maintains an active-standby SIP server configuration, which even supports geographical distribution. If the active SIP server fails (missing SIP heartbeat messages or SIP traffic), FortiOS will redirect the SIP traffic to a secondary SIP server.
  • 7. 7 FortiOS VoIP Protection Features
      • SIP command control
        The SIP SFW can block SIP methods. SIP methods that can be blocked are: ack, bye, cancel, info, invite, notify, options, publish, refer, register, subscribe, update and "unknown commands".
      • SIP fuzzing
        Protection from malicious SIP messages.
      • SIP communication logging
        The SIP SFW supports logging to a FortiAnalyzer. The log files show up in the "Content Archive" section under the VoIP tab.
      • Hardware accelerated RTP processing
        Where RTP is pinholed by a FortiOS Carrier™ device, it needs to be understood that RTP packets can be very small (around 100 bytes or less) and are sensitive to processing latency, packet loss and jitter (packet delay variation). FortiGate devices can offload RTP packet processing to hardware assistance (FortiASIC). This greatly enhances the overall throughput and gives the firewall device a multiple GE wirespeed (1 Gbps) VoIP security solution.
      • Media Inactivity
        In some cases SIP signaling is established, but the voice bearer (RTP) is broken. The SIP SFW optionally supports detection of media inactivity, which cleans up the SIP call context in the SFW once there has been no RTP for a specific time.
      • SIP over IPv6
        Supports the signaling firewall for SIP messages using IPv6 transport. Limited to SIP over IPv6 in SIP transparent mode (no SIP/RTP NAT of IPv6 to IPv4).
      • IP Topology Hiding
        The IP topology of a network can be hidden through NAT and NAPT manipulation of IP and SIP level addressing.
      • Deep SIP header inspection
        Deep SIP header syntax inspection. Protects against many SIP fuzzing attacks that use malformed SIP message headers. User-configurable bypass and response message options. SIP conformance violations can be logged with the FortiAnalyzer.
      • Hosted NAT traversal
        Resolves the IP address issue in the SIP-SDP header caused by NAT-PT in the far-end firewall. Important feature for VoIP access networks.
  • 8. 8 ISP Germany - GTP solution
      • ISP was using Other Vendor GX Firewall as GTP roaming solution for the last 8 years
      • During that time ISP faced major performance issues
      • Other Vendor GX Release 4 was able to handle only 120MB of traffic per core, and only one single core was supported
      • Other Vendor tried for several years to provide a solution, with no success
      • Finally ISP decided to look for an alternative
      • FTNT was able to show 11GB of GTP traffic passing a single cluster of FGT-3950 with XH0
  • 9. 9 GTP filter
      IMSI filter example - IMSI filter, TP mode
      IMSI filter test: block
      Diagram labels: T_SGSN4, T_GGSN1; Vlan 452 on both sides; port5, port6; addresses 123.30.194.1 and 123.30.194.4
      Authorized IMSI = 452021xxxxxxxxx

          edit "Gn_imsi_SN4_GN1"
              set authorized-ggsns "vinaph_GGSN_1"
              set authorized-sgsns "vinaph_SGSN_4"
              set default-imsi-action deny
              set handover-group "all"
              config imsi
                  edit 1
                      set mcc-mnc "0452021"
                  next
              end
              set imsi-filter enable
  • 10. 10 GTP security gateway XH0 offloaded GTP-U /IPSEC
  • 11. 11 SeGW in ISP France
      Key Features
      • Secures protocols within LTE networks
      • Various GTP versions
      • SCTP
      • Provides very powerful in-depth GTP inspection and analysis at high speed (with XH0)
      • Rate limiting of GTP-U, GTP-C inspection (XH0)
      • High new-tunnel-per-second rate (regional backups)
      • High IPSEC throughput and low latency
      • VDOM is used to policy route some traffic for radio optimization purposes (X2 traffic)
      • 3GPP certificate enrollment
      • IOT (interoperability test): top telco infrastructure providers
  • 12. 12 FortiGate LTE Security Gateway (SeGW)
      Diagram labels: eNode B (x3); Backhaul Network; Secure Gateway (SeGW); Core Network; MME; SGW; S1 Traffic (Control Plane + User Plane); X2 Traffic; Management; GTP-U tunnel; zones Untrusted and Trusted
      SeGW functions shown:
      • SCTP firewalling and rate limiting
      • GTP-U inspection and rate limiting
      • IPSEC termination and re-routing
      • GTP-C inspection and control
  • 13. 13 FortiGate Gi Firewall (GiFW)
      • As a GiFW, the FortiGate can provide full FortiOS functionality in protecting UEs and the EPC from connected PDNs
      • FG's VDOM capability provides full functional segregation per PDN, while HW-accelerated inter-VDOM links offer stateful connectivity to the P-GWs in the EPC
      • FortiCarrier OS offers additional MMS scanning support
      • By using dynamic contexts, the FortiGate can provide user-specific protection profiles, based on accounting messages from the MME/HSS
        » Provides support for value-added security options for users
      Diagram labels: (Inter-VDOM Links); VDOM APN.MMS, VDOM APN.MPLS.X, VDOM APN.Internet, VDOM; P-GW, P-GW, S-GW; EPC; interfaces SGi, S5
  • 14. 14 MMS Content Scanning (GiFW)
      FortiCarrier MMS scannable interface
      • Multimedia Messaging Service (MMS) allows for transfer of file/stream based media beyond texting (SMS – Simple Messaging Service)
      • Can scan MMS traffic directly from users (MM1), to/from email and VAS (Value Added Service) servers (MM3/MM7), or between carriers (MM4)
      • MMS scanning provides carriers a means of protecting their infrastructures against MMS-based DoS attacks, as well as to filter MMS content
      • MMS scanning also extends FortiOS Data Leakage Protection (DLP) capabilities by scanning MMS file transfers for DLP signatures
  • 15. 15 NAT64 – CLAT + PLAT Source: https://sites.google.com/site/tmoipv6/464xlat
  • 16. 16 LAB Topology – CLAT + NAT64
      Diagram labels: 192.168.3.0/24; 2a00:e18:8001:6cd::c1a6/32; FG310B; .100.52; .52; P9, P10; .119; ubu64 eth0; 172.16.132.0/24; 2a00:e18:8000:6cd::c1a1/32; CLAT address 192.0.0.9, 2a00:e18:8000:6cd::c1a9; .81; .20; FTP, RTSP; 192.168.5.99/24; VPN: IPSec, PPTP

      tayga.conf:

          tun-device nat64
          ipv4-addr 192.168.255.8
          prefix 2001:db8:1:ffff::/96
          dynamic-pool 192.168.255.0/24
          map 192.0.0.9 2a00:e18:8000:6cd::c1a9

      FortiGate IP pools:

          config firewall ippool
              edit "nat64"
                  set startip 192.168.3.201
                  set endip 192.168.3.210
              next
              edit "nat44"
                  set startip 192.168.3.211
                  set endip 192.168.3.220
              next
          end
  • 17. 17 NAT64 tests

      Translation

          FG15 (NAT64) # get system session list | grep 192.168.3.20:
          icmp 59 (2a00:e18:8000:6cd::c1a9:129)192.168.3.204:3210 - (2001:db8:1:ffff::c0a8:314:3210)192.168.3.20:8 -
          icmp 59 (2a00:e18:8000:6cd::c1a7:129)192.168.3.202:3941 - (2001:db8:1:ffff::c0a8:314:3941)192.168.3.20:8 -
          icmp 59 (2a00:e18:8001:6cd::c1a6:129)192.168.3.205:3141 - (2001:db8:1:ffff::c0a8:314:3141)192.168.3.20:8 -
          icmp 59 (2a00:e18:8000:6cd::c1a6:129)192.168.3.201:3864 - (2001:db8:1:ffff::c0a8:314:3864)192.168.3.20:8 -

      IPv6 FTP active

          FG15 (NAT64) # get system session list | grep 192.168.3.20:
          tcp 3599 (2a00:e18:8001:6cd::c1a6:39104)192.168.3.205:34896 - (2001:db8:1:ffff::c0a8:314:21)192.168.3.20:21 -
          tcp 0 (2a00:e18:8001:6cd::c1a6:42747)192.168.3.20:20 - (2001:db8:1:ffff::c0a8:314:20)192.168.3.205:42747 -

      IPv6 FTP passive

          FG15 (NAT64) # get system session list | grep 192.168.3.20:
          tcp 3599 (2a00:e18:8001:6cd::c1a6:39108)192.168.3.205:12372 - (2001:db8:1:ffff::c0a8:314:21)192.168.3.20:21 -
          tcp 0 (2a00:e18:8001:6cd::c1a6:55545)192.168.3.205:55545 - (2001:db8:1:ffff::c0a8:314:46219)192.168.3.20:46219 -

      CLAT FTP active

          FG15 (NAT64) # get system session list | grep 192.168.3.20:
          tcp 0 (2a00:e18:8000:6cd::c1a9:52775)192.168.3.20:20 - (2001:db8:1:ffff::c0a8:314:20)192.168.3.204:52775 -
          tcp 3599 (2a00:e18:8000:6cd::c1a9:39035)192.168.3.204:14571 - (2001:db8:1:ffff::c0a8:314:21)192.168.3.20:21 -

      CLAT FTP passive

          FG15 (NAT64) # get system session list | grep 192.168.3.20:
          tcp 0 (2a00:e18:8000:6cd::c1a9:54727)192.168.3.204:54727 - (2001:db8:1:ffff::c0a8:314:46326)192.168.3.20:46326 -
          tcp 3599 (2a00:e18:8000:6cd::c1a9:39036)192.168.3.204:24812 - (2001:db8:1:ffff::c0a8:314:21)192.168.3.20:21 -

      CLAT IPSec

          FG15 (NAT64) # get system session list | grep 192.168.3.81:
          udp 95 (2a00:e18:8000:6cd::c1a9:4500)192.168.3.204:41220 - (2001:db8:1:ffff::c0a8:351:4500)192.168.3.81:4500 -
          udp 95 (2a00:e18:8000:6cd::c1a9:500)192.168.3.204:47460 - (2001:db8:1:ffff::c0a8:351:500)192.168.3.81:500 -
  • 18. 18 • Fortinet in telco ecosystem • How projects start – tests and features development • But we do need a platform • MSSP – reselling expertise and performance • Assuring quality and business continuity Agenda
  • 19. 19 FortiGate 3700D
      Ports (numbered callouts 1-4 on the product photo):
      1. 2 x GE RJ45 Management Ports
      2. 4 x 40GE QSFP Slots
      3. 20 x 10GE SFP+/GE SFP Slots
      4. 8 ultra-low latency 10GE SFP+ Slots

      Hardware Performance
        Firewall Throughput (1518/512/64):                 160/160/110 Gbps
        IPS Throughput:                                    23 Gbps
        Firewall Latency:                                  2 μs
        Antivirus Throughput (Proxy Based / Flow Based):   7.5/18 Gbps
        Concurrent Sessions:                               44 Mil
        Virtual Domains (Default / Max):                   10/500
        New Sessions/Sec:                                  300,000
        Max Number of FortiAPs (Total/Tunnel):             4096 / 1024
        Firewall Policies:                                 100,000
        Max Number of FortiTokens:                         5,000
        IPSec VPN Throughput:                              100 Gbps
        Client-to-Gateway IPSec VPN Tunnels:               64,000
        SSL-VPN Throughput:                                6 Gbps
        Concurrent SSL-VPN Users (Recommended Max):        30,000
  • 20. 20 What's new in NP6
      • More accelerated features
        » IPv4
        » IPv6
        » Multicast
        » SCTP
        » CAPWAP data (not DTLS)
        » QoS support with traffic prioritization
        » IPSEC sha2-256 and 512
        » SYN proxy, host and server protection via traffic shaping
        » Tunneling: v4 -> v6, v6 -> v4, v4 -> v4 and v6 -> v6
        » Translation (tcp/udp): v4 -> v6, v6 -> v4, v4 -> v4 and v6 -> v6
      • More bandwidth
        » 40G per NP6 in place of 20G for the NP4
      • Less jitter and latency
        » We are now at about 3.5 microseconds of latency in place of 5 on standard ports
        » 1.6 with the low latency ports (last 8 ports)
      • More accelerated sessions
  • 21. 21 • Fortinet in telco ecosystem • How projects start – tests and features development • But we do need a platform • MSSP – reselling expertise and performance • Assuring quality and business continuity Agenda
  • 22. 22 Managed Security Services Multiple customers on shared infrastructure with dedicated services Key Features: • Virtual Domain per customer • Firewall, IPSec IPS, Antivirus, Web Filtering, Application Control • End Customer Portal • Dynamic Profiles (RADIUS Single Sign on) • Allows for per user services • MSISDN, APN Aware • Cookie Based Web Filtering (multi-user, behind NAT boundary)
  • 23. 23 A typical MSSP offer includes » Perimeter Protection, including managed services for Firewalls, Intrusion Detection and Prevention Systems (IDPSs), and Virtual Private Networks (VPNs), such as IPSec and SSL » Monitoring the Security Service » Incident Management, with emergency response and forensic analysis » Upfront and partly permanent Vulnerability Assessment and Penetration Testing » Anti-Spam, Anti-Virus and Content Filtering services » Traffic Shaping » Application Control, to differentiate what is really running on port 80 » Web Filtering, not allowing all sites to be visited » Data Leakage Prevention, stopping sensitive data at the internal border » Information Security Risk Assessments » WAN Optimization and Web Caching » VoIP Security » Data Archiving and Restoration » On-Site Consulting
  • 25. 25 FortiGate HA – virtual clusters
  • 26. 26 FortiManager – admin profiles. Administrator adom1 (PKI): can connect only from the customer's network; must possess a specific certificate.
  • 27. 27 "admin" – the main administrator sets global policies, e.g. to the management network, so that a local ADOM administrator can't remove access to FortiManager. Admin "adom1" can't change global policy, just his ADOM-specific policies.
  • 28. 28 Managing and Reporting FortiManager can be used to configure, alter settings and change configuration through its interface towards • internal provisioning systems (industrialized provisioning) • external users (standard portal interface) • external users via Web Server backend (SDK)
  • 29. 29 JSON API : Anatomy of a JSON API Request
  • 30. 30 JSON API : Methods. The JSON API supports the methods below:
    method – use
    » get – retrieve a current list or status of an object
    » add – create an object; it won't overwrite existing objects
    » update – modify existing objects; it won't create them for you
    » set – create or overwrite an existing object; it will forcefully create or overwrite anything you tell it to (use with caution)
    » delete – remove objects; for most objects this can be done via the name on the URL
    » move – move policies around within a package
    » clone – clone a policy or object
    » exec – log in, log out, copy and install policy packages, etc.
  • 32. 32 FortiGuard Minute
    Per Minute
    » 72,000 Spam emails intercepted
    » 210,000 Network Intrusion Attempts resisted
    » 68,000 Malware programs neutralized
    » 310,000 Malicious Website accesses blocked
    » 67,000 Botnet C&C attempts thwarted
    » 34 Million Website categorization requests
    Updates Per Week
    » 53 Million New & updated spam rules
    » 100 Intrusion prevention rules
    » 920,000 New & updated AV definitions
    » 1 Million New URL ratings
    » 8,000 Hours of threat research globally
    FortiGuard Database
    » 150 Terabytes of threat samples
    » 17,000 Intrusion Prevention rules
    » 5,800 Application Control rules
    » 250 Million Rated websites in 78 categories
    » 151 Zero-day threats discovered
    Based on Q4 2014 data
  • 33. 33 Fortinet Support Centers: Vancouver, Canada; Sophia Antipolis, France; Prague, Czech Republic; Bangalore, India; Beijing, China; Tokyo, Japan; Kuala Lumpur, Malaysia. Global Support 24/7
  • 34. 34 Fortinet Confidential THANK YOU !!! Contest !!! Question: Name any two features of the FortiAsic NP6 that distinguish it from the older NP4 generation. Answers can be written on the back of a business card and left at the Fortinet booth. 3 prizes will be drawn among those who submit correct answers.
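Slides 26 to 30 describe per-ADOM administrators who cannot touch global policy and a `set` method to be used with caution. The sketch below is an added example, not code from the deck or from Fortinet: a portal backend vetting a tenant's request before forwarding it. The envelope fields, the `/pm/config/adom/<name>/` URL layout and the names `build_request`, `check` and `Rejected` are assumptions, since the request-anatomy slide did not survive in this transcript.

```python
import json
import re

# Method names as listed on the JSON API methods slide.
READ_ONLY = {"get"}
MUTATING = {"add", "update", "set", "delete", "move", "clone"}
# Conservative ADOM name pattern (assumption for this sketch).
ADOM_RE = re.compile(r"[A-Za-z0-9_-]{1,35}")


class Rejected(ValueError):
    """A tenant request falls outside what its ADOM administrator may do."""


def build_request(adom, method, url, data=None, session=None,
                  req_id=1, allow_set=False):
    """Return the JSON body to forward for a tenant, or raise Rejected."""
    if not ADOM_RE.fullmatch(adom):
        raise Rejected("bad ADOM name")
    if method == "exec":
        raise Rejected("exec (login, install) is reserved for the backend")
    if method not in READ_ONLY | MUTATING:
        raise Rejected("unknown method")
    if method == "set" and not allow_set:
        raise Rejected("set overwrites silently; use add or update")
    # Assumed URL layout: tenant objects live under /pm/config/adom/<adom>/.
    # Global policy (outside that prefix) stays with the main administrator.
    prefix = f"/pm/config/adom/{adom}/"
    segments = url.split("/")[1:]
    if (not url.startswith(prefix) or "%" in url
            or any(s in ("", ".", "..") for s in segments)):
        raise Rejected("URL outside the tenant's ADOM")
    param = {"url": url}
    if data is not None:
        param["data"] = data  # payload fields are the caller's; not validated here
    # Assumed envelope: id, method, params[{url, data}], session.
    body = {"id": req_id, "method": method, "params": [param],
            "session": session}
    return json.dumps(body, sort_keys=True)


def check(*args, **kwargs):
    """Return 'ok' or the rejection reason, for logging at the portal."""
    try:
        build_request(*args, **kwargs)
        return "ok"
    except Rejected as exc:
        return str(exc)
```

Rejections are worth logging with the tenant identity: repeated attempts against the global prefix or another ADOM's path are a useful detection signal.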