Optimizing Joint Security Defense for Education Networks

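Optimizing Joint Security Defense for Education Networks. Jacob Chen, Fortinet Taiwan SE. Scope of campus information protection. Planned deployment scope: a security protection system for the information center (including the central machine-room server group, offices, and computer classrooms) that can effectively control access to the organization's internal network and detect and block computer viruses and hacker attacks in real time, among other functions. Campus network security (broadly, all computer-to-computer information activity outside the information center): control access to the organization's internal network and detect and block computer viruses and hacker attacks in real time, among other functions, and also plan and deploy secure transmission and identity authentication mechanisms for each school's wireless network, including strengthening the security of wireless network use.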

lana-combs

Presentation Transcript


  1. Optimizing Joint Security Defense for Education Networks. Jacob Chen, Fortinet Taiwan SE

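  2. Scope of campus information protection • Planned deployment scope: • A security protection system for the information center (including the central machine-room server group, offices, and computer classrooms) that can effectively control access to the organization's internal network and detect and block computer viruses and hacker attacks in real time, among other functions. • Campus network security (broadly, all computer-to-computer information activity outside the information center): control access to the organization's internal network and detect and block computer viruses and hacker attacks in real time, among other functions, and also plan and deploy secure transmission and identity authentication mechanisms for each school's wireless network, including strengthening the security of wireless network use. • Plan and deploy a unified management platform for all of the above equipment, with both distributed and centralized management mechanisms, so that management is effective and easy, achieving a regional joint-defense network security mechanism.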

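  3. Campus network security applications • Wireless network user authentication and transmission encryption • Vulnerability protection, preventing backdoor and spyware malware • Layer 3 and Layer 4 security policy definition • Optimizing network bandwidth usage (QoS) • Preventing DoS and DDoS network attacks • Blocking inappropriate web pages and eliminating phishing sites • Filtering network viruses, isolating abnormal computers, and stopping problems from spreading • Spam prevention • Stronger control of IM/P2P • Establishing a central management mechanism. New-style network threats: blended attacks have become mainstream. Integrated security gateway UTM = Unified Threat Management: firewall, antivirus, intrusion detection and prevention (IPS), VPN (IPSec VPN, SSL VPN), antispam, web filtering, IM/P2P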

  4. The Power of Security + Performance The FortiASIC™ Family • Network ASIC (NP) • Firewall acceleration • VPN (IPSEC and SSL) • IPS anomaly • Application ASIC (CP) • Antivirus (+Antispyware) Acceleration • Web Filtering and Antispam Advantage from Accelerated AV scanning • Traffic Shaping

  5. FortiGuard Center FortiGuard Security Centre • Central Dashboard • Real-Time • Detailed Information per Threat Category • Security Threat Visibility • Web URL and Antispam IP checking • Top 10 Viruses • Spyware • Spam • Phishing • Web Content Categorization • Mobile Threats

  6. Antivirus (AV) (Includes Anti-Spyware) Intrusion Prevention System (IPS) Antispam (AS) • Dual-pass scanning • Greater than 97.4% spam catch rate • Less than 0.18% false positive rate. Zero-delay, globally synchronized protection technology. Global Infrastructure Ensures Rapid Response: real-time, effective security protection with globally synchronized automatic updates. Web Filtering (WF) • FortiGuard Security Subscription enables customers to realize the full potential of the FortiGate product family • 82+ offensive and dangerous categories • Over 2 Billion rated web pages • Best Accuracy and Coverage in the Industry! • 3-hr AV response SLA Available • 24 x 7 Global Threat Research Team Source: FortiGuard™ Subscription Service

  7. FortiGate practical network planning

  8. Deployment 4: Payments: credit card terminal IPVPN security solution (PCI DSS Compliant) (FG60M)

  9. Deployment 5: Information security planning architecture diagram for a securities electronic trading system

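  10. Deployment 6: UTM solution for a large property/life insurance company (HA architecture). Using virtual protection to protect Inside and DMZ at the same time • Status: • Two virtual protection zones are partitioned on a single device, protecting the Inside and DMZ networks at the same time • Redundancy: • Two UTMs (FortiGate) provide AA (Active-Active) redundancy. Besides leaving no device idle, the administrator only needs to configure the Master device and the Slave automatically synchronizes all settings; the DMZ that provides external services also has a redundancy mechanism • Failure rate: • Assuming a 10% failure rate for one device, and computing the failure rate of network devices connected in HA as a product, the failure rate is 10% X 10% + 10% = 11% • User performance: • Three devices = 2 nodes; after passing through the FG load balance mode, all user traffic is utilized more fully • Benefit: • Two HA-capable FGs cost no more than one NS plus one FG, yet performance is far higher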

  11. Deployment 7: UTM for a data center backup site

  12. Deployment 8: Semiconductor wafer fab (Fab Security) overall network security architecture

  13. Deployment 9: Case Study: Japan Carrier VPN ⇔ Internet • At GW of Carrier’s Data center Provide security Service for each customer using VDOM

  14. Deployment 10: IDC Server Farm for Online Game

  15. MPLS-VPN enterprise internal security protection (FW, AV & IPS) HQ Supervising Group Company A Taiwan HQ Group Company B Contractor FortiAnalyzer FortiManager Regional Site MSSP SOC Attacker

  16. Internet access security protection (before deployment). Diagram labels: Internet, Intranet, WAN Router, WAN Connectivity, External Connectivity, Internal Connectivity

  17. Internet access security protection (with FortiGate deployed). Diagram labels: Internet, Intranet, FortiGate, FortiAnalyzer, WAN Router, WAN Connectivity, External Connectivity, Internal Connectivity

  18. High Availability HA statistics

  19. Internet IPsec VPN Internet Firewall – Fortigate with FREE SSL VPN • Clientless VPN for remote access • No pre-installed client software • Utilizes client’s browser • Embedded support for SSL support • Application aware VPN • Creates SSL session between client and gateway • Tunnels (encapsulates) application protocols over SSL session • Simplified deployment • User only requires network login and URL

  20. FortiGate supports 3G modems • FortiGate-60B and FortiWiFi-60B and higher models all support 3G modem cards. • Tested devices in FortiOS 3.0 MR5 • PC Card modems: • Merlin S620 (EV-DO) • Merlin S720 (EV-DO) • Sierra AC595 (EV-DO) • Novatel S720 (EV-DO) • Pantech PX-500 O2 (EV-DO) • Sierra Aircard 850 (HSDPA, UMTS, EDGE, and GPRS networks) • Sierra Aircard 875 (HSDPA) • ZTE MY39 (EV-DO) • USB • Sierra 595U (EV-DO) • Novatel U720 (EV-DO) http://kc.forticare.com/default.asp?id=3150

  21. Link redundancy and mobility… • One of the basic applications is to use EVDO links as the primary Internet connection. • FG-60B and FW-60B support the use of EVDO as a primary or secondary link. • What is primary and what is secondary is just a network interface configuration setting • Policy-based routing can be used to split the traffic load between Wan1 and Wan2 links. EVDO can take over for a failed load-balanced Ethernet link. • FG-60B and FW-60B protect the communication. • All the standard protection features (Firewall, VPN, IPS, Antivirus, AntiSpam, URL Filtering) work and apply to an EVDO link. ADSL EVDO

  22. Diagram labels: FGT1000A, FGT300A, FW+IPS+AV, FW+IPS+AV+Spam+URL Filter+IM/P2P, FW+IPS+AV+AS+URL Filter+IM/P2P, Relational DB, AQM

  23. Diagram labels: Relational DB, SSL VPN

  24. Benefits that Fortinet UTM brings to customers

  25. International security certifications (ICSA, EAL4+, FIPS, NSS, VB)

  26. Fortinet company profile • IDC “Fortinet Ranked the Fastest Growing Major Security Vendor” • Unified Threat Management (UTM) Security Solutions • Company Stats • Founded in 2000 by Ken Xie (Former Netscreen Founder) • Headquarters @ Sunnyvale, California, Silicon Valley, offices worldwide • Funding to Date • 1000 employees / > half in R&D, more than 100 SE in field • 300,000+ FortiGate devices shipped worldwide • Market Leadership • Six ICSA certifications (FIRST and ONLY security vendor) • Government Certifications (FIPS-2, Common Criteria EAL4+) • Virus Bulletin 100 approved (2005 to 2008) • 60+ Industry Awards

  27. PaloAlto has not passed any ICSA certification

  28. FortiGate has passed ICSA: Firewall/IPSec/IPS/SSL/Spam/AntiVirus

  29. FortiOS 4.0 has passed certification

  30. Highest level: EAL4+

  31. Other products that have obtained the same certification: • IBM Proventia Network Multi-Function Security MX-3006 • IBM Proventia Network Multi-Function Security MX-5010 • IBM Proventia Network Multi-Function Security MX-1004

  32. Thank You! For more information please visit http://www.fortinet.com
