Fortinet Integrates Wi-Fi into Security Management
Bologna, 14 May 2014
Giosuè Vitaglione, Channel Accounts Manager
May 20, 2014
Cell: 340 6245 997
gvitaglione@fortinet.com

Agenda
• Network Security: Recent Developments and Risks.
• Points of Attention for WiFi Networks: Security.
• Questions and Answers. Open discussion.

The Fortinet Difference

Scenarios
[Diagram labels: Carrier Firewall Platform; Data Center Firewall (Core, Perimeter, VM); Edge or Core Firewall (NGFW); Cloud/Carrier; Data Center; Enterprise Campus; Internet; Branch Firewall (NGFW); Distributed Enterprise; Branch Office; Client Firewall (VPN); Unified Threat Management (UTM); Remote End Points]
Fortinet - Confidential

Annoyware -> CyberCrime

IT Security Market: 30 B USD in 2017 (source: Canalys).

Servers, Personal Computers, now also Mobile Devices
• Connected
• Penetrable
• CPU
• Sensitive information
• Not always updatable
• Personal info
• Billing (premium call, SMS, etc.)
• Accounts (with billing)
• Microphone
• Camera
• Mobile
• Etc.

Mobile Malware

Ransomware on Android (Ransom = "Riscatto" in Italian)
http://blog.fortinet.com/Security-Digest--May-10th/
http://thehackernews.com/2014/05/police-ransomware-malware-targeting.html

Botnet: Torpig.Mebroot

Botnet: Zeroaccess

Example of a Web-based DDoS Attack: Slowloris Attack
• What does it target?
• What type of traffic?
• Valid server connection!
• It's all about the RFC!
• GET HEAD POST X-a

Rogue WiFi Access Point
Access Point with a Fake Identity
• Pretends to be part of the target WiFi network.
• Open access for everyone, with an advertised SSID and security settings similar to those of the target WiFi network.
• Cellular, wired or WiFi (second radio) uplink.
Characteristics
• Easy to create.
• Spies on user traffic.
• Captures sensitive information.
• Leaves no trace on clients.

WiFi Network: Challenges for the ICT Manager
1. How do I build or extend my WiFi network?
   » Stable, fast, feature-rich, and secure.
2. How do I manage security on the wired network and on the wireless network?
3. Can I improve my security in line with my company's real needs?
4. Is there a simple and secure way to implement BYOD?
5. How do I reduce costs?

Ubiquitous Access
Unified Access Layer
• User Identification
• Access Control
• Content Inspection
• Attack Mitigation
[Diagram labels: Remote Access (RAP, VPN Client); Wired Access; Wireless Access; Digital Asset]

FortiGate + FortiAP = Unified Access Layer
• Single Management System
• Overlay Wireless Management system
[Diagram labels: VPN; Intrusion Prevention; Application Control; Web Filtering; WAN Optimization; Antispam; Antivirus; Firewall; FortiGate; FortiAP; Wi-Fi Controller; Switch]
• Lower cost of acquisition
• Lower cost of ownership
• Improves security provisioning

Fortinet Secure WLAN Approach
No additional licenses needed
Corporate Wi-Fi
• Captive Portal, 802.1x - Radius / shared key
• Assign users and devices to their role
• Examine wireless traffic to remove threats
• Identify applications and destinations
• Apply policy to users and applications
• Ensure business traffic has priority
• Report on policy violations, application usage, destinations and PCI DSS

Single Pane of Glass Management

Rich Wireless Controller Options … Right-size Deployments
• 20+ FortiGate Platforms
• 5 AP / 100 user to 10,000 AP / 32K user capacity

FortiAP Family – 802.11n and 802.11ac
[Chart labels: 3x3:3; 2x2:2; 1x1:1; Dual Radio Dual Band; Single Radio; Resiliency and Versatility; Performance; Value; Remote; Outdoor; Indoor; models FAP-320C, FAP-320B, FAP-223B, FAP-222B, FAP-221C, FAP-221B, FAP-28C, FAP-210B, FAP-14C, FAP-11C, FAP-112B]

FortiAP – Simple and Secure VLANs
• Traffic flows to controller
• Increased control
• No trunking
• No VLAN management
• No Layer-3 roaming, just fast Layer-2 switching
• No need to re-DHCP
• Controller Redundancy

24/7 "on-wire" Rogue AP Detection & Suppression
• Rogue AP Detection
  » Determines whether an AP is indeed a Rogue device connected to your physical wired LAN network
• Rogue AP suppression
  » "DeAuthentication Frames" are sent to render unauthorized Rogue APs unusable by clients

WIDS: Wireless Intrusion Detection System
• WiFi protocol & RF level attack detection
• Detection includes attacks & vulnerabilities such as:
  » Weak WEP Encryption Usage
  » Null SSID Probes
  » Deauth Broadcasts
  » Various Management, EAP, Auth & Beacon floods

Problem: Poor Business Application Performance
• Clients and applications on wireless networks compete with each other for shared bandwidth
• 802.11e, Wireless Multimedia Extensions (WME) doesn't solve this problem, as business applications like Remote Desktop, VNC, Webex, etc. are not prioritized differently
[Figure labels: Client #1; Client #2; WebEx; YouTube; Priority App; NonPriority App]

Solution: Fortinet Application Control
Application Control uses Layer-7 inspection to ensure bandwidth guarantees are provided for business critical applications
Fortinet Application Control Sensors
• Over 2,700+ Signatures, 16 Categories
• Advanced IM & P2P control
• Application Control Traffic Shaping
• SSL Content Inspection
[Figure labels: Client #1; Client #2; WebEx; YouTube; Priority App; High Priority App; NonPriority App]

Remote Telecommuter / Road Warrior
• Automatic connection to HQ
• Data is encrypted
• Multiple devices can share WiFi Internet
[Diagram label: Headquarters]

BYOD – Device Identification and Policy
Identification
• Device
• User
• Application
Policies
• Enforcement on Device/User/App

Guest Access to Secure Wireless LAN
• Temporary user Provisioning & Access
  » Allow non-IT staff to create Guest account via web portal
  » Assign time quota
  » Generate temporary password
  » Distribute guest credentials: Print, Email, SMS
  » Batch guest users creation option
• Enables Guest Access to the Secure WLAN via a Captive Portal.

WiFi According to Fortinet
1. Secure WiFi
   » Security provided by security experts.
   » State-of-the-art wireless.
2. Unified management: wired and wireless.
3. Better security, even in BYOD scenarios.
4. Reduced costs: CAPEX and OPEX.

Q&A

Thank you

Backup Slides

Automatic Radio Resource Provisioning
• Channel Assignment
  » Automatically assigns nonoverlapping channels
  » Selects channels with least noise and interference
  » Reduces chatter between APs
• Auto TX Power
  » Changes radio transmission power settings automatically
[Diagram labels: CH 1; CH 6; CH 11]

Automatic Radio Resource Provisioning
• Interference Avoidance
  » Microwave ovens, cordless phones, baby monitors, etc. all emit RF interference
  » FortiAPs frequently sample RF spectrum for sources of interference
  » Changes channel and TX power to avoid RF interference impacting Wireless LAN
[Diagram labels: CH 1; CH 6; CH 11]

Beamforming: FAP-221B/FAP-223B/FAP-320B
• Radio "beams" add at the device to enhance the signal and link rate
[Block diagram labels: BB / MAC; Radio; TX; RX; TR SW]

Wireless Mesh
• Dynamic Multi-hop Mesh with resiliency
• Point-to-point / Multipoint Bridging

Granular Visibility and Control Applications

Guest User Management Portal

Live Captive Portal HTML Customization

Wireless AP Technical Specifications

FortiAP Devices and Capabilities
FortiAP Part#   Radios         Antennas     Streams   Max Data Rate
FAP-320B        1 BGN, 1 AN    3 TX, 3 RX   3         900 Mbps
FAP-223B        1 BGN, 1 AN    2 TX, 2 RX   2         600 Mbps
FAP-221B        1 BGN, 1 AN    2 TX, 2 RX   2         600 Mbps
FAP-222B        1 BGN, 1 AN    2 TX, 2 RX   2         600 Mbps
FAP-210B        1 ABGN         2 TX, 2 RX   2         300 Mbps
FAP-112B        1 BGN          1 TX, 1 RX   1         150 Mbps
FAP-28C         1 BGN          1 TX, 1 RX   1         150 Mbps
FAP-14C         1 BGN          1 TX, 1 RX   1         150 Mbps
FAP-11C         1 BGN          1 TX, 1 RX   1         150 Mbps

Controller Scalability update: now extended for remote AP
Model                                    V5.0     5.0.3 Global
FG/FWF-20C Series / FG/FWF-40C Series    5        5+5
FG/FWF-60C Series                        5        5+5
FG/FWF-80C Series                        16       16+16
FG-110/111C – FG VM00                    32       32+32
FG-100D                                  32       32+32
FG200B(POE)                              32       32+32
FG310/311B – FG VM01                     256      256+256
FG300C / 300D                            256      256+256
FG-620/621B                              256      256+256
FG-600C                                  256      256+256
FG-800C                                  256      256+256
FG-1000C                                 512      512+512
FG-1240B                                 512      512+512
FG-3016B                                 1,024    1024+3072
FG-3040B                                 1,024    1024+3072
FG-3140B                                 1,024    1024+3072
FG-3240C                                 1,024    1024+3072
FG-3810A                                 1,024    1024+3072
FG-3950/51B – FG – VM08                  1,024    1024+3072
FG-5001A-SW/DW                           1,024    1024+3072
FG-5001B                                 1,024    1024+3072
FG-5101C                                 1,024    1024+3072

FortiAP-221B (Hardware / Performance)
• 1 x GbE Copper Interface
• Target Environment: Indoor
• Number of Antenna: 4 internal
• Number of Radio Tx / RX Stream (802.11n): 2
• Simultaneous SSIDs: 16 (14 for client access, 2 for monitoring)
• Max Transmission Power: 17 dBm (50mW)
• PoE Support: 802.3af
• 2x2 MIMO with Dual Spatial streams, 600 Mbps Total

FortiAP-223B (Hardware / Performance)
• 1 x GbE Copper Interface
• Target Environment: Indoor
• Number of Antenna: 4 external
• Number of Radio Tx / RX Stream (802.11n): 2
• Simultaneous SSIDs: 16 (14 for client access, 2 for monitoring)
• Max Transmission Power: 17 dBm (50mW)
• PoE Support: 802.3af
• 2x2 MIMO with Dual Spatial streams, 600 Mbps Total

FortiAP-320B (Hardware / Performance)
• 2 x GbE Copper Interface
• Target Environment: Indoor
• Number of Antenna: 6 internal
• Number of Radio Tx / RX Stream (802.11n): 2
• Simultaneous SSIDs: 16 (14 for client access, 2 for monitoring)
• Max Transmission Power: 24 dBm (250mW)
• PoE Support: 802.3af / 802.3at
• 3x3 MIMO with 3 spatial streams, 900 Mbps Total

FortiAP-112B (Hardware / Performance)
• 2 x FE Interface
• Target Environment: Indoor/Outdoor
• Number of Antenna: 1 internal
• Number of Radio Tx / RX Stream (802.11n): 1
• Simultaneous SSIDs: 8 (7 for client access, 1 for monitoring)
• Max Transmission Power: 24 dBm (250mW)
• PoE Support: 802.3af
• 1x1 MIMO, 65 Mbps

FortiAP-222B (Hardware / Performance)
• 1 x GbE Interface
• Target Environment: Outdoor
• Number of Antenna: 4 internal
• Number of Radio Tx / RX Stream (802.11n): 2
• Simultaneous SSIDs: 16 (14 for client access, 1 for monitoring)
• Max Transmission Power: 27 dBm (500mW)
• PoE Support: 802.3at
• 2x2 MIMO, 600 Mbps

FortiAP-28C (Hardware / Performance)
• 10 x GbE Copper Interfaces
• Target Environment: Indoor/remote
• Number of Antenna: 2 internal
• Number of Radio Tx / RX Stream (802.11n): 1
• Simultaneous SSIDs: 8 (7 for client access, 2 for monitoring)
• Max Transmission Power: 17 dBm (50mW)
• PoE Support: NA
• 2x2 MIMO, 300 Mbps Total

FortiAP-14C (Hardware / Performance)
• 5 x FE Copper Interface
• Target Environment: Indoor/remote
• Number of Antenna: 1 internal
• Number of Radio Tx / RX Stream (802.11n): 1
• Simultaneous SSIDs: 8 (7 for client access, 2 for monitoring)
• Max Transmission Power: 17 dBm (50mW)
• PoE Support: NA
• 1x1 MIMO, 65 Mbps Total

FortiAP-11C (Hardware / Performance)
• 2 x FE Interface
• Target Environment: Indoor
• Number of Antenna: 1 internal
• Number of Radio Tx / RX Stream (802.11n): 1
• Simultaneous SSIDs: 8 (7 for client access, 1 for monitoring)
• Max Transmission Power: 17 dBm (50mW)
• PoE Support: 802.3af
• 1x1 MIMO, 65 Mbps

FortiAP Antennas
[Antenna model labels: FAN-612N/R; FAN-500N]
Specification
• Compatible AP: FAP-222B / FAP-223B
• Type: 120 degree sector antenna. Suitable for shopping centers, hallways and courtyards
• Accessories: Mount Kit sold separately FAN-M22.
Specification
• Compatible AP: FAP-222B
• Type: Directional 12 degree point to point outdoor panel antenna. Suitable for building to building bridging
• Accessories: Includes two 120cm Cables with N connector. Mount Kit sold separately FAN-22.

POE Power Source Options
Device                 PoE Ports
FortiGate-60C-POE      24
FortiGate-140D-POE     16
FortiGate-200B-POE     8
FortiSwitch-324-POE    24
FortiSwitch-124-POE    12
FortiSwitch-80-POE     4
GPI-115                1

Sample of Fortinet's Wireless Customers
• Distributed Enterprise / Distributed Retail
• Education
• Large Enterprise
• Services / Financial / Healthcare / Gov
• Outdoor / Mesh