Network Security Reference Architecture
Alex Samonte – Director of Technical Architecture
Network Security Architecture Components

(Diagram: architecture components Open Ecosystem; Scalable Multi-Formfactor; Network & Security Operations & Analytics; Hypervisor; Security Intelligence; Identity & Access Management; Advanced Response; Networking Flexibility. Diagram labels: Automated, Broad, Integrated.)

Network Security Critical Capabilities
• Threat Protection
• Content Visibility
• Identity & Access Management
• Security Intelligence
• Networking Flexibility
• Network & Security Operations & Analytics
• Scalable Multi-Formfactor
• Open Ecosystem
• Advanced Response (customization, automation)

Threat Protection and Content Visibility functions: Antivirus, IPS, ATP, Anti-Spam, Anti-Botnet, SSL Inspection, Reputation, App Control, Content Filter.
Network Security Reference Architecture

(Diagram: Threat Feeds, Multi-Cloud, Enterprise, Data Center.)
Fortinet Network Security Architecture Components

(Diagram: the same component layout as on the Network Security Architecture Components slide, with FortiAnalyzer, FortiManager and FortiSIEM added: Open Ecosystem; Scalable Multi-Formfactor; Network & Security Operations & Analytics; Hypervisor; Security Intelligence; Identity & Access Management; Advanced Response; Networking Flexibility; Automated, Broad, Integrated.)
Segmentation Architectures – Use Cases Summary

(Diagram: network segments Finance, Engineering, Guest Wireless, Corp. Wireless, VPN, Sales.)
Today – Border Security

Problem
• Protect business from outside threats
• Protect users from the internet
• Keep users productive

Solution
• Apply all security at the internet edge
❖ Flat network provides no internal security
❖ Visibility into the network severely limited
❖ Risk of compromise is very high

(Diagram: NGFW at the border between Outside and Inside; internal segments Finance, Engineering, Guest Wireless, Corp. Wireless, VPN, Sales.)

Establishing Trust
⚫ Network Address
⚫ User Identity
⚫ Business Logic
⚫ Fabric Connectors
⚫ Applications
⚫ Device Identity

Advanced Security
⚫ SSL Inspection
⚫ IPS
⚫ Antivirus
⚫ Application Control
⚫ Web Content Filter
⚫ Data Loss Prevention
⚫ Secure Email Gateway
⚫ Denial of Service Protection
⚫ Web Application Firewall
⚫ Cloud Access Security Broker
⚫ Advanced Threat Protection
⚫ Endpoint Protection
Use Case – Reducing Attack Surface

Problem
• Flat internal network
• No internal visibility
• No internal security

Solution
• Many enforcement points
• Create containment zones
• Inspect SSL
• Inspect applications
• Check for zero-day malware
• Protect critical assets

(Diagram: NGFW at the border between Outside and Inside; ISFW enforcement points creating containment zones Zone 1-A, Zone 1-B, Zone 2-A, Zone 2-B; internal segments Finance, Engineering, Guest Wireless, Corp. Wireless, VPN, Sales.)

Establishing Trust and Advanced Security sidebars: same as on the Border Security slide.
Use Case – Trusted Application Integrity

Problem
• Business critical applications must be secured
• Multiple applications
• Users in many locations

Solution
• Secure applications with solutions that share security intelligence
• Utilize security that will work with mobility and cloud usage
• Inspect SSL to make sure only trusted transactions are taking place
• Establish trust with sources inside and outside the network

(Diagram: NGFW at the border between Outside and Inside; ISFW enforcement points inside; internal segments Finance, Engineering, Guest Wireless, Corp. Wireless, VPN, Sales.)

Establishing Trust and Advanced Security sidebars: same as on the Border Security slide.
Use Case – Achieving Compliance

Problem
• Enforcing regulated access
• Does not follow standard network boundaries
• Critical compliance policies

Solution
• Multiple enforcement point locations
• Endpoint coverage for specific needs
• Network coverage for IoT
• Visibility for audits
• Keep critical systems running

(Diagram: NGFW at the border between Outside and Inside; ISFW enforcement points inside; internal segments Finance, Engineering, Guest Wireless, Corp. Wireless, VPN, Sales.)

Establishing Trust and Advanced Security sidebars: same as on the Border Security slide.
Use Case – Tiered Cloud Access

Problem
• Unexpected cloud costs
• Shadow IT
• No visibility of cloud data

Solution
• Combine cloud usage statistics with local enforcement
• Regulate access to cloud resources from authorized users
• Maintain audit trails of cloud hosted data
• Prevent data exfiltration

(Diagram: NGFW at the border between Outside and Inside; ISFW enforcement points inside; internal segments Finance, Engineering, Guest Wireless, Corp. Wireless, VPN, Sales.)

Establishing Trust and Advanced Security sidebars: same as on the Border Security slide.
Use Case – Secure Physical Access

Problem
• Securing global employee presence
• Different systems control different aspects of security

Solution
• Integrate different trust sources
• Correlate physical location token information with network login location
• Maintain identity and device interrelationships
• Prevent targeted attacks

(Diagram: internal segments Finance, Engineering, Guest Wireless, Corp. Wireless, VPN, Sales.)

Establishing Trust and Advanced Security sidebars: same as on the Border Security slide.