Defense in Depth (縱深防禦) - PowerPoint PPT Presentation


PowerPoint Slideshow about 'Defense in Depth (縱深防禦)' - lavina


Presentation Transcript

Defense in Depth

劉乙

Senior Technical Manager, Fortinet (US)

AGENDA
  • Information and communication security solution, 10 min
  • Fortinet Solution & Reference, 15 min
  • Discussion, 15 min
  • Appendices:
  • IDC report / Fortinet overview / solution documents / 力麗科技 overview

CONFIDENTIAL

Purpose and Benefits

Purpose:

To meet the requirements of the Executive Yuan's information and communication security taskforce (行政院資通安全會報), provide defense in depth for campus network information security, and offer a complete and competitively priced solution in line with the work items required for each information security system level.

Benefits:

Everything in one step, saving expense



Defense mechanism strength (table columns: strength; defense in depth; ISMS promotion; audit method; security education and training hours for chief officers, managers, technical staff and general staff; professional certifications)

Work items to be carried out for each information security system level:

Level A
  • Strength level 4
  • Defense in depth: direct protection by NSOC / self-built SOC, IDS, firewall, antivirus
  • ISMS promotion: pass third-party certification in ROC year 96 (2007)
  • Audit method: at least two internal audits per year
  • Training: at least (4, 6, 18, 4 hours) per year
  • Certifications: two information security professional certifications in ROC year 96 (2007)

Level B
  • Strength level 3
  • Defense in depth: SOC (optional), IDS, firewall, antivirus
  • ISMS promotion: pass third-party certification in ROC year 97 (2008)
  • Audit method: at least one internal audit per year
  • Training: at least (4, 6, 16, 4 hours) per year
  • Certifications: one information security professional certification in ROC year 96 (2007)

Level C
  • Strength level 2
  • Defense in depth: IDS, firewall, antivirus
  • ISMS promotion: each unit forms its own promotion team and plans the work
  • Audit method: self-assessment
  • Training: at least (2, 6, 12, 4 hours) per year
  • Certifications: information security professional training

Level D
  • Strength level 1
  • Defense in depth: firewall, antivirus
  • ISMS promotion: promote awareness of ISMS concepts
  • Audit method: self-assessment
  • Training: at least (1, 4, 8, 2 hours) per year
  • Certifications: information security professional training


Cooperation Model

Working with a professional consulting firm on: ISMS promotion / audit guidance / education and training / professional certifications

with Fortinet, as the vendor, providing the defense-in-depth solution: FW / IDP / AV / security reporting

1. Vendor professional services team

2. Vendor professional training courses and technology transfer cooperation


Why Fortinet?
  • Proven Experience & Leading in the Security Gateway Market
    • 100,000 units deployed
    • Taichung County education network (台中縣網): 167 FG400 units; Taipei County education network (台北縣網): FG3600 x2; 中華電信 IDC: FG800 x 200 units
    • 清華大學: FG3600 x5; 成功大學, 陽明大學, 靜宜大學 and over 60 other colleges and universities
    • 景文技術學院: FG5020 x2; Taichung City education network (台中市網): FG5050; Keelung City education network (基隆市網): FG5050; 淡江大學: 5050 x4; 高應大: FG5050
  • Best Performance in IDP / Antivirus / Firewall Security Gateway
    • 3x price/performance in IDP / Antivirus / Firewall
    • Worldwide No. 1 performance security gateway by ASIC
  • Certified: EAL4+, NSS, FIPS certified
    • 5x ICSA certified: Antivirus, NIDS, Firewall, IPSec VPN, SSL VPN
  • 2005 IT WEEK December annual survey, firewalls: Fortinet No. 1 in college and university market share, 30%
  • 2005 NBL (交大網路測試中心, the NCTU network testing center): No. 1, FG3600, antivirus network security appliance evaluation
  • 2005 Institute for Information Industry (資策會) overall information security champion: No. 1 in UTM and IM/P2P, and VPN MIS Manager Best Choice
  • 2004-2005 IDC report, network security gateways: Fortinet No. 1 in global market share, 29.5%

Fortinet Company Overview
  • Founded October, 2000
    • Founder, former Pres. & CEO of NetScreen (NASDAQ: NSCN)
  • 550 employees; HQ in Sunnyvale, CA
  • Offices throughout Americas, EMEA and Asia
    • Belgium, France, Germany, Italy, Sweden, UK
    • Tokyo, Seoul, Beijing, Shanghai, Hong Kong, Taipei, Singapore, KL, etc.
  • Creators of world’s only ASIC-powered antivirus systems
    • Addressing the need for real-time network protection
    • More than 100,000 FortiGate units shipped to 2,000 customers
  • Achieved >10x revenue growth in 2003 vs. 2002
    • Among the fastest growing network security companies in history
  • Completed $50 million mezzanine financing Feb 2004
    • Total equity raised $93 million


According to the latest IT WEEK report (2005 statistics),

FORTINET ranks first in Taiwan's college and university market:

FORTINET holds 30%, far ahead of Cisco at 15% and Netscreen at 15%

2005.12.12

According to the latest IDC report, FORTINET is No. 1 in the global UTM market with 29.5%,

the top network security market share

Fortinet Vision The Best UTM Security Gateway

[Chart: speed / feature set by product generation. 1st generation: software; 2nd generation: hardware & software; 3rd generation: ASIC-acceleration; next generation: ASIC-accelerated content security.]

FORTINET Information Network Security Solutions

FortiProtect provides a 7x24 real-time security protection and response center

FortiMail provides spam management

FortiGate ASIC-based full line of security gateways, FG50A/60/100A/200A/300A/400A/500A/800F/1000AFA2/3600/5000, meets customer network security needs with high performance

FortiAnalyzer provides complete security logging and detailed statistical analysis reports

FortiClient provides desktop personal firewall, antivirus, anti-hacking and VPN services

FortiManager provides centralized management and configuration services

Fortinet Differentiators - Products, Technology, Service & Support

And Lowest Total Cost of Ownership

FortiGate Product Family

[Chart: FortiGate product family by market segment (SOHO, Branch Office, Medium Enterprise, Large Enterprise, Service Provider/Telco) against throughput, with the same feature set throughout. Models from smallest to largest: FortiGate-50A, FortiGate-60 / FortiWifi, FortiGate-100A, FortiGate-200A, FortiGate-300A, FortiGate-400A, FortiGate 500A, FortiGate 800, FortiGate-1000, FortiGate-3000, FortiGate-3600, FortiGate-5000. Annotations along the scale: High Availability, VLAN support; Integrated Logging; High port density; Gigabit Eth; Gigabit perf; Redundant PS, VDom.]

FortiGate-5050 chassis

[Diagram: FG-5050 chassis populated with three FortiGate-5001 blades and two FortiBlade-5003 blades.]

DC power only - an external AC-to-DC power converter unit is required for AC applications

Not shown: shelf management module

FortiGate 5050 Modules
  • FortiGate-5001FA2 AntiVirus Firewall Blade
    • Same as in FortiGate-5020
    • Full network security services
      • Firewall, AV, VPN, IDP, etc…
    • Provides Network Interfaces
    • Up to 5 in a FG-5050 chassis
      • Typical installs will have 3 modules
  • FortiBlade-5003 Switch Blade
    • Provides Intra-chassis communications
    • Also used for Inter-chassis HA Interface Links
      • connects multiple chassis together
    • Either 1 or 2 Switch Blades per chassis
      • With 2 Switch Blades the 5050 chassis has no single point of failure
FortiGate-5001FA2 Module for FG-5000 series

FortiGate Antivirus Firewall on a Blade
  • Works in any FortiGate 5000 series chassis
  • 8 GigE interfaces per blade: 4 SFP removable (SX standard, LX option) and 4 10/100/1000 TX
  • Console access: DB9 on current boards
  • USB x 2 (future use)
  • Locking handles and thumbscrews
  • Hot swappable operation and standardized LED status indicators

[Front-panel diagram labels: Power, Hard Disk, Access and Status LEDs; ports 1 to 8; console connection; module lock; mounting knob; Gigabit fiber; 10/100/1000; USB]

FortiGate 5053 Power Converter - AC to DC Power Converter for FG-5050
  • AC power applications require FG-5053 converter unit
    • FG-5050 chassis accepts DC power only
    • 1 RU shelf, mounts above or below FG-5050 chassis
  • 3 hot swappable power supply modules
    • Requires 2 out of 3 to operate chassis
  • Two FG-5053 units can be used for redundant power feeds
    • FG-5050 chassis can accept redundant DC power inputs

FortiGate 1000AFA2 Highlights
  • 2 Gbps Firewall Throughput
  • 250 Mbps 3-DES VPN Throughput
  • 200 Mbps AV Scanning Throughput
  • 2 Rack Unit Height w/ Dual Power Supplies
  • New Intel Xeon E7520 3.2 GHz CPU
  • 1 GB RAM


FortiGate 1000AFA2

FortiAccel
  • FortiAccel (FA2) option adds two additional SFP ports
  • 10 ports 10/100/1000 Mbps TX, and 2 SFP
  • Choice of SX, LX, or TX (copper) SFP modules
  • Provides wire-speed firewall performance at all packet sizes
  • Not field upgradeable; requires a different front panel assembly
Campus Network Security Solution - Fortinet, 2005-12-12

[Diagram: campus network topology with numbered deployment points 1 to 6. Zones: Internet, Intranet / Extranet, Backbone, Core Network, Data Center, DMZ, academic administration (校務行政) services, Dorms, Labs, College building, computer classrooms and departments (電腦教室及各系所). Callouts:]
  • FG5050 x2, HA: adds antivirus and IDS/IDP protection at the Internet edge, in transparent mode behind the existing firewall
  • FG3600 x2, HA: adds antivirus and IDS/IDP protection for applications
  • FG1000FA2 x2, HA: provides in-line firewall, antivirus and IDS/IDP functionality for the data center
  • FG1000FA2: adds antivirus and IDS/IDP in transparent mode behind the existing firewall
  • FG5020: provides antivirus, IDS/IDP and firewall protection, plus traffic shaping, for the dorms
  • FG100A/200A/300A: antivirus and intrusion prevention for computer classrooms and departments

FortiGate Antivirus Firewalls: A New Generation of Security Platforms

[Diagram: a FortiGate between the Internet and the internal network blocking hacker intrusions, email spam, viruses and worms, and banned web content (example sites shown: www.find_a_new_job.com, www.free_music.com, www.pornography.com). Caption: Real-Time Content Security at the Network Edge]

Instant Reporting: main functions
  • Analyzes and manages reports on events/logs from multi-vendor, multi-firewall environments
  • Analyzes in-bound/out-bound traffic, web usage, bandwidth usage, intrusion attack behavior and related information
  • Complete report analysis functions
    • Over 200 preset reports
    • Real-time and historical data analysis
    • Customizable report formats and scheduled report generation
    • Internet usage, web activities, virus activities and trend analysis
    • Project reference: Taipei City Government (台北市政府) IDC (acer eDC)
FortiAnalyzer v3.0 – Report Example
  • Now over 300 different report templates available
Recipient of the most international security certifications

ICSA Labs Certified:

Antivirus, Firewall, IPSec, SSL-TLS, IPS

Common Criteria EAL-4+ Certification

NSS Group Certification for IDP & UTM

Virus Bulletin 100 Award

What We Do
  • Fortinet's products span a broad range of applications, from the first multi-gigabit-speed security systems for Internet data centers and service providers all the way to solutions for single telecommuters.
  • Management of Fortinet's security systems and appliances is handled through FortiManager, a scalable appliance platform that enables easy deployment, provisioning and network control.
  • Fortinet, Inc. develops and sells the industry's highest performing security gateways offering integrated firewall, VPN, antivirus, and intrusion protection solutions.
Antivirus requirement
  • 25%+ of virus infections delivered via Web traffic
    • vs. email
  • Software AV scanning is too slow for Web traffic
  • Only ASIC-based AV systems allow real-time network protection
Intrusion detection highlights
  • Customizable attack list to enable and disable signatures
  • Ability to import SNORT signatures
  • Support for customer self-defined signatures
Integrated intrusion detection
  • The IDS engine:
    • Hooks into the routing and firewall modules and application layer
    • Coordinates with the FortiASIC to quickly peek into traffic and check for traffic patterns that match specified IDS signatures
Protection profile – Intrusion control
  • Detection methods:
    • Signatures
    • Anomalies
      • Scanning attacks
      • Flooding attacks
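The two detection methods listed above, signature matching and anomaly detection for scanning and flooding attacks, as an added example in Python. This is not code from the Fortinet slides: the signatures, thresholds, window length and the packet records are all hypothetical values constructed for the demo, and the engine generalizes the slide's three bullets into one sliding-window detector that can be fed any packet stream.

```python
# Added example (not code from the Fortinet slides): a minimal IDS engine that
# applies signature matching and anomaly detection (port scans and floods)
# to constructed packet records. Signatures, thresholds and traffic are all
# hypothetical values for the demo.
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # arrival time in seconds
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination port
    payload: bytes


# Hypothetical content signatures, not Fortinet's or Snort's rule set.
SIGNATURES = {
    "http-dir-traversal": re.compile(rb"\.\./\.\./"),
    "smtp-vrfy-probe": re.compile(rb"^VRFY ", re.IGNORECASE),
}

WINDOW = 5.0               # seconds of history kept per source
SCAN_PORT_THRESHOLD = 10   # distinct destination ports from one source in WINDOW
FLOOD_PKT_THRESHOLD = 100  # packets from one source to one host in WINDOW


class Ids:
    def __init__(self):
        self._ports = defaultdict(deque)  # src -> deque of (ts, dport)
        self._pkts = defaultdict(deque)   # (src, dst) -> deque of ts
        self._alerted = set()             # anomaly alerts already raised

    @staticmethod
    def _expire(q, now, ts_of=lambda e: e):
        # Drop entries that fell out of the sliding window.
        while q and ts_of(q[0]) < now - WINDOW:
            q.popleft()

    def inspect(self, pkt):
        """Inspect one packet; return the list of alerts it triggers."""
        alerts = []
        # Signature detection: payload patterns.
        for name, pattern in SIGNATURES.items():
            if pattern.search(pkt.payload):
                alerts.append(("signature", name, pkt.src))
        # Anomaly detection: port scan (many distinct ports from one source).
        ports = self._ports[pkt.src]
        self._expire(ports, pkt.ts, ts_of=lambda e: e[0])
        ports.append((pkt.ts, pkt.dport))
        key = ("port-scan", pkt.src)
        if len({p for _, p in ports}) >= SCAN_PORT_THRESHOLD and key not in self._alerted:
            self._alerted.add(key)
            alerts.append(("anomaly", "port-scan", pkt.src))
        # Anomaly detection: flood (packet rate from one source to one host).
        pkts = self._pkts[(pkt.src, pkt.dst)]
        self._expire(pkts, pkt.ts)
        pkts.append(pkt.ts)
        key = ("flood", pkt.src, pkt.dst)
        if len(pkts) >= FLOOD_PKT_THRESHOLD and key not in self._alerted:
            self._alerted.add(key)
            alerts.append(("anomaly", "flood", pkt.src))
        return alerts


def run_demo():
    """Constructed traffic: one signature hit, one port scan, one flood."""
    ids = Ids()
    alerts = []
    alerts += ids.inspect(Packet(0.0, "10.1.1.5", "10.2.2.80", 80, b"GET /index.html HTTP/1.0"))
    alerts += ids.inspect(Packet(0.1, "10.1.1.5", "10.2.2.80", 80, b"GET /../../secret.txt HTTP/1.0"))
    for i in range(12):   # 12 distinct ports probed within 1.2 s
        alerts += ids.inspect(Packet(1.0 + i * 0.1, "10.1.1.9", "10.2.2.80", 20 + i, b""))
    for i in range(120):  # 120 packets to one host within 0.5 s
        alerts += ids.inspect(Packet(3.0 + i * 0.004, "10.1.1.7", "10.2.2.53", 53, b"q"))
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Each anomaly is reported once per source (or source/destination pair) rather than on every packet past the threshold, which is the usual way to keep a flood from also flooding the alert log.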
802.1Q VLAN support
  • FortiGate 60 and above
  • Multiple VLAN based sub-interfaces
    • Definable on every physical port and VLAN trunking support
  • Support for overlapped IP addresses with different VLAN tags
  • Inter-(sub) interface security policies
    • VLAN based AV
    • VLAN based NIDS
    • VLAN based content filtering
    • VLAN based VPN construction
    • VLAN based firewall policy and traffic shaping
  • Virtual Domain
    • Effectively provides partitioned and scalable security service from the same physical security device to serve multiple customers
VLAN in routed or transparent mode

Routed mode: routing between VLAN interfaces (VLANs 10, 20, 30, 40) reached over trunk interfaces.

Transparent mode: the FortiGate acts as a bridge; packets are not routed from one VLAN to another (VLAN 30 stays VLAN 30 and VLAN 40 stays VLAN 40 across the two trunk interfaces).
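The 802.1Q behaviour described on the two VLAN slides above (per-VLAN sub-interfaces and services, overlapping address space under different tags, and routed versus transparent mode), as an added example in Python. It is not code from the slides or from FortiOS: the `VlanGateway` class, the VLAN table, the MAC addresses and the frames are constructed for the demo; only the 802.1Q tag and IPv4 header layouts are the standard ones.

```python
# Added example (not code from the slides): parsing 802.1Q-tagged Ethernet
# frames and applying per-VLAN policy in routed mode (routing between VLAN
# sub-interfaces) versus transparent mode (bridging, no routing between VLANs).
# VlanGateway, VLAN_TABLE, MACs and frames are constructed for the demo.
import ipaddress
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800

# VLAN sub-interfaces: id -> subnet and which per-VLAN services apply.
# VLANs 10 and 30 deliberately share address space (the "overlapped IP
# addresses with different VLAN tags" case from the slide).
VLAN_TABLE = {
    10: {"subnet": ipaddress.ip_network("192.168.1.0/24"), "av": True, "nids": True},
    20: {"subnet": ipaddress.ip_network("192.168.2.0/24"), "av": False, "nids": True},
    30: {"subnet": ipaddress.ip_network("192.168.1.0/24"), "av": True, "nids": False},
}


def parse_frame(frame):
    """Split an Ethernet frame carrying at most one 802.1Q tag.
    Returns (dst_mac, src_mac, vlan_id or None, ethertype, payload)."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    vlan, offset = None, 14
    if etype == ETH_P_8021Q:
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF          # VLAN ID is the low 12 bits of the TCI
        offset = 18
    return dst, src, vlan, etype, frame[offset:]


def build_ip_frame(vlan, src_ip, dst_ip):
    """Constructed frame (tagged when vlan is not None) with a minimal IPv4 header."""
    dst_mac, src_mac = bytes.fromhex("0000ab000001"), bytes.fromhex("0000ab000002")
    hdr = dst_mac + src_mac
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)   # PCP/DEI = 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return hdr + struct.pack("!H", ETH_P_IP) + ip


class VlanGateway:
    """Hypothetical model of the two operating modes, not the product's code."""

    def __init__(self, mode):
        if mode not in ("routed", "transparent"):
            raise ValueError(mode)
        self.mode = mode

    def forward(self, frame):
        """Decide what happens to one frame; returns a dict describing the action."""
        _, _, vlan, etype, payload = parse_frame(frame)
        if vlan not in VLAN_TABLE:
            return {"action": "drop", "reason": "no sub-interface for this tag"}
        if etype != ETH_P_IP:
            return {"action": "drop", "reason": "non-IP"}
        entry = VLAN_TABLE[vlan]
        services = [s for s in ("av", "nids") if entry[s]]   # VLAN-based AV / NIDS
        dst_ip = ipaddress.IPv4Address(payload[16:20])
        if self.mode == "transparent":
            # Bridge: the frame leaves with the same tag and never crosses VLANs.
            return {"action": "bridge", "out_vlan": vlan, "services": services}
        # Routed mode: the ingress VLAN's own subnet wins; otherwise route to the
        # single other VLAN whose subnet contains the destination.
        if dst_ip in entry["subnet"]:
            return {"action": "route", "out_vlan": vlan, "services": services}
        matches = [v for v, e in VLAN_TABLE.items() if dst_ip in e["subnet"]]
        if len(matches) != 1:
            # Overlapping subnets cannot be routed between; they belong in
            # separate virtual domains instead.
            reason = "no route" if not matches else "ambiguous: overlapping subnets"
            return {"action": "drop", "reason": reason}
        return {"action": "route", "out_vlan": matches[0], "services": services}
```

The overlap between VLANs 10 and 30 is harmless in transparent mode, where frames are bridged within their own tag, but in routed mode a destination that matches two sub-interfaces is refused rather than guessed, which is the case the slide's Virtual Domain feature exists to partition.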

High availability highlights
  • Supported on FortiGate-60 and higher
  • Supported in transparent mode or routed mode
  • Supports both Active-Passive and Active-Active configurations
    • Active-Passive mode provides automatic and transparent failover:
      • Firewall and IPSec session synchronization
      • Failover in less than 3s
      • FortiGate units send an email and SNMP trap, and log the event
    • Active-Active mode provides in addition:
      • Firewall load-balancing between units
      • Antivirus load-balancing between units
  • Link status monitoring and failover
High availability highlights (continued)
  • HA heartbeats
    • Used to:
      • Communicate cluster session information (firewall sessions and IPSec SAs)
      • Synchronize the cluster configuration
      • Report individual cluster member status
    • Sent on a HA link
  • Redundant HA links:
    • Any interface can be chosen as a HA link
    • An interface already configured to receive user traffic can be configured for HA heartbeat as well
    • Any number of backup HA links can be configured
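The HA behaviour described on the two slides above, heartbeats carrying session information over a primary HA link plus any number of backup links, a member declared down only when no link has carried its heartbeat in time, and active-passive failover to the surviving member, as an added example in Python. This is a model written for this page, not Fortinet's code: member names, priorities, link names and the timeline are constructed, and the 3 s dead interval is taken from the slide's "failover in less than 3s".

```python
# Added example (not Fortinet's code): a model of an HA cluster whose members
# exchange heartbeats over several HA links. Heartbeats carry session state
# (firewall sessions / IPsec SAs) that every peer mirrors; a member is declared
# down only when no link has carried its heartbeat within DEAD_INTERVAL, and the
# master role then fails over. Names, priorities and timings are constructed.
import zlib
from dataclasses import dataclass, field

DEAD_INTERVAL = 3.0   # seconds without any heartbeat before a member is declared down


@dataclass
class Member:
    name: str
    priority: int                                   # higher wins the master election
    last_seen: dict = field(default_factory=dict)   # HA link -> time of last heartbeat
    sessions: set = field(default_factory=set)      # synchronized session table


class HaCluster:
    def __init__(self, mode, links):
        if mode not in ("active-passive", "active-active"):
            raise ValueError(mode)
        self.mode = mode
        self.links = list(links)   # any interface may serve as an HA link
        self.members = {}
        self.down = set()
        self.master = None
        self.events = []           # stand-in for the log entry / email / SNMP trap

    def add(self, member, now):
        for link in self.links:
            member.last_seen[link] = now
        self.members[member.name] = member
        self._elect(now)

    def heartbeat(self, sender, link, now, sessions=()):
        """Heartbeat from `sender` received on `link`, carrying its new sessions."""
        if link not in self.links:
            raise ValueError(f"{link} is not an HA link")
        self.members[sender].last_seen[link] = now
        if sender in self.down:
            self.down.discard(sender)
            self.events.append((now, f"{sender} rejoined"))
        # Session information in the heartbeat is mirrored by every peer.
        for peer in self.members.values():
            peer.sessions.update(sessions)

    def alive(self, name, now):
        # Alive if at least one HA link (primary or backup) carried a recent heartbeat.
        return any(now - t <= DEAD_INTERVAL for t in self.members[name].last_seen.values())

    def _elect(self, now):
        live = [m for m in self.members.values() if self.alive(m.name, now)]
        self.master = max(live, key=lambda m: m.priority).name if live else None

    def check(self, now):
        """Failure detector; returns the master after any failover."""
        for name in self.members:
            if name not in self.down and not self.alive(name, now):
                self.down.add(name)
                self.events.append((now, f"{name} down: no heartbeat on any HA link"))
        if self.master in self.down:
            old = self.master
            self._elect(now)
            self.events.append((now, f"failover {old} -> {self.master}"))
        return self.master

    def owner_of(self, session_key, now):
        """Member that handles a new session: the master in active-passive mode,
        a hash-chosen live member in active-active mode (load balancing)."""
        if self.mode == "active-passive":
            return self.master
        live = sorted(n for n in self.members if self.alive(n, now))
        return live[zlib.crc32(session_key.encode()) % len(live)]


def run_failover_demo():
    """Constructed timeline: primary HA link lost at t=4, master silent after t=5."""
    cluster = HaCluster("active-passive", links=["ha1", "port8"])
    cluster.add(Member("fgt-a", priority=200), now=0.0)
    cluster.add(Member("fgt-b", priority=100), now=0.0)
    master_before = cluster.master
    for t in (1.0, 2.0, 3.0):
        cluster.heartbeat("fgt-a", "ha1", t, sessions={f"tcp:10.0.0.{int(t)}:443"})
        cluster.heartbeat("fgt-a", "port8", t)
        cluster.heartbeat("fgt-b", "ha1", t)
        cluster.heartbeat("fgt-b", "port8", t)
    for t in (4.0, 5.0):               # ha1 cable pulled: backup link only
        cluster.heartbeat("fgt-a", "port8", t)
        cluster.heartbeat("fgt-b", "port8", t)
    still_master = cluster.check(5.5)  # backup link keeps fgt-a alive
    for t in (6.0, 7.0, 8.0):          # fgt-a has stopped; fgt-b keeps going
        cluster.heartbeat("fgt-b", "port8", t)
    cluster.check(7.5)                 # 2.5 s of silence: not yet declared down
    master_after = cluster.check(8.5)  # 3.5 s of silence: failover
    return {
        "master_before": master_before,
        "still_master_at_5.5": still_master,
        "master_after": master_after,
        "sessions_on_b": sorted(cluster.members["fgt-b"].sessions),
        "events": cluster.events,
    }
```

Because the session table was mirrored with every heartbeat, the surviving member already holds the three sessions when it becomes master, which is what makes the failover transparent to existing connections.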
Other High-availability Enhancements
  • HA Link Security
    • Data encryption between members of a HA cluster
  • Additional model support
    • FortiGate-60/100/200
    • FortiWiFi-60
      • WLAN interface is not a supported HA interface.
  • Active-Active mode
    • Additional support for load balancing of non-AV traffic
      • All TCP sessions will be load-balanced
Antispam protection highlights


  • Uses a wide variety of local and network tests to identify spam signatures
    • Source blocking
      • IP address
        • Static lists
        • Dynamic database: RBL & ORDBL
      • Email address
      • FortiShield (IP Address and URI scanning)
    • Content blocking
      • MIME headers
      • Banned word
  • Once identified, the mail is:
    • Tagged as spam for later filtering using the user's own mail user-agent application
      • Enables easy sorting by any email client
    • Or rejected (SMTP)
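The antispam decision described above, source blocking (static IP lists, a dynamic RBL/ORDBL lookup, sender addresses) followed by content blocking (MIME headers, banned words), then either an SMTP-time rejection or tagging for the user's own mail client, as an added example in Python. It is not FortiGate's code: the DNSBL lookup is stubbed with a local set rather than a DNS query, the choice of which hits reject and which only tag (`REJECT_ON`) is an assumption of the example, and every list, address and message is constructed for the demo.

```python
# Added example (not FortiGate's code): an antispam pipeline applying source
# blocking (static IP list, DNSBL-style lookup, sender address list) and
# content blocking (MIME headers, banned words), then rejecting at SMTP time
# or tagging for the mail client. All lists, addresses and messages are
# constructed; the DNSBL lookup is a local stub, not a DNS query.
import email
import ipaddress
from email import policy
from email.utils import parseaddr

STATIC_BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # documentation range
BLOCKED_SENDERS = {"promo@example.net"}
BANNED_HEADERS = {"X-Mailer": {"BulkBlaster"}}                   # header -> banned values
BANNED_WORDS = ("free money", "click here now")
RBL_ZONE = {"198.51.100.77"}                                     # stub for RBL/ORDBL data
REJECT_ON = {"static-ip", "rbl"}    # assumed policy: source hits reject, content hits tag


def rbl_query_name(ip, zone="rbl.example.invalid"):
    """Name a real DNSBL client would resolve: reversed octets under the list zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def rbl_listed(ip):
    # Stub: a real lookup resolves rbl_query_name(ip) and treats an answer as "listed".
    rbl_query_name(ip)
    return ip in RBL_ZONE


def classify(client_ip, raw):
    """Return (verdict, reasons, message); verdict is 'accept', 'tag' or 'reject'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    ip = ipaddress.ip_address(client_ip)
    # Source blocking: connecting IP against static list and dynamic database, then sender.
    if any(ip in net for net in STATIC_BLOCKED_NETS):
        reasons.append("static-ip")
    if rbl_listed(client_ip):
        reasons.append("rbl")
    if parseaddr(msg.get("From", ""))[1].lower() in BLOCKED_SENDERS:
        reasons.append("sender-address")
    # Content blocking: MIME headers, then banned words in the body text.
    for header, banned in BANNED_HEADERS.items():
        if str(msg.get(header, "")) in banned:
            reasons.append(f"header:{header}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    for word in BANNED_WORDS:
        if word in text:
            reasons.append(f"banned-word:{word}")
    if not reasons:
        return "accept", reasons, msg
    if REJECT_ON.intersection(reasons):
        return "reject", reasons, msg          # SMTP-time 5xx rejection
    msg["X-Spam-Flag"] = "YES"                  # tagged so any mail client can sort it
    msg["X-Spam-Reason"] = ", ".join(reasons)
    return "tag", reasons, msg


# Constructed messages for the demo.
SAMPLE_SPAM = (b"From: Promo Desk <promo@example.net>\r\n"
               b"To: user@example.com\r\n"
               b"Subject: An offer\r\n"
               b"X-Mailer: BulkBlaster\r\n"
               b"\r\n"
               b"Click here now for FREE MONEY!\r\n")
SAMPLE_HAM = (b"From: Alice <alice@example.org>\r\n"
              b"To: user@example.com\r\n"
              b"Subject: Meeting\r\n"
              b"\r\n"
              b"See you at 3pm.\r\n")

if __name__ == "__main__":
    for ip, raw in (("192.0.2.10", SAMPLE_SPAM), ("203.0.113.5", SAMPLE_SPAM),
                    ("198.51.100.77", SAMPLE_HAM), ("192.0.2.10", SAMPLE_HAM)):
        verdict, reasons, _ = classify(ip, raw)
        print(ip, verdict, reasons)
```

Source tests run before the message body is parsed in earnest, which is the ordering that lets a gateway refuse a listed host cheaply at connection time; content tests only tag, so a false positive on a banned word costs the user a folder lookup rather than a lost message.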
FortiShield AntiSpam Service
  • Fortinet managed antispam service with “dual pass” scan technology
  • For FortiGate and FortiMail
  • Benefits
    • Greatly reduces processing overhead on email servers and antispam gateways
    • Reclaims bandwidth taken by spam email
    • Supplements any other antispam solution
    • Cost effective managed solution lowers maintenance overhead of managing static content filters
Major Project References

Paul Huang

Sales VP Taiwan

(M):0955775318

Major Project References - FORTINET Taiwan (dates are ROC calendar year.month; ROC 94 = 2005)

台中市教育網路中心: FG5050 backbone antivirus gateway / NIPD / firewall, 94.09

基隆市教育網路中心: FG5050 backbone antivirus gateway / NIPD / firewall, 94.11

淡江大學: FG5050 x4 campus backbone antivirus gateway / NIPD / firewall, 94.11

景文技術學院: FG5020 x2 campus backbone antivirus gateway / NIPD / firewall, 94.06

朝陽科技大學: FG5050 campus backbone antivirus gateway / NIPD / firewall, 94.12

高雄應用大學: FG5050 campus backbone antivirus gateway / NIPD / firewall, 94.07

Taichung County elementary school network security (台中縣小學網安): FG400 x 167 units, 93.11

Major Project References - FORTINET Taiwan (continued)

清華大學: FG3600 x2 mail antivirus gateway / NIPD / firewall, 94.01

清華大學: FG3600 x2 server antivirus gateway / NIPD / firewall, 94.09

清華大學: FG3600 backbone antivirus gateway / NIPD / firewall, 94.11

實踐大學: FG3600 x2 antivirus gateway / NIPD / firewall, 94.04

開南技術學院: FG3600 antivirus gateway / NIPD / firewall, 94.01

長庚技術學院: FG3600 antivirus gateway / NIPD / firewall, 93.10

聖約翰大學: FG3600 x1 antivirus gateway / NIPD / firewall, 94.12

Major Project References - FORTINET Taiwan (continued)

中華大學: FG4000 campus backbone AntiVirus, Firewall/NIDP, 93.5

淡江大學: FG3600 campus backbone AntiVirus, Firewall/NIDS, 92.9

中央大學遙測中心: FG3000 antivirus gateway / NIPD / firewall, 93.3

台北醫學大學: FG3000 campus backbone Firewall / inappropriate web content filtering, 92.9

輔仁大學: FG3600 campus backbone Firewall/NIDP, FG200 AV, 92.8

東吳大學: FG3000 campus backbone Firewall/NIDS, FG1000 (Internet server farm anti-virus), 92.8

真理大學: FG3600 x 2 campus backbone Firewall/IDP, 93.7

Major Project References - FORTINET Taiwan (continued)

國防大學: FG3000 x2 antivirus gateway / NIPD / firewall, 93.01

清雲大學: FG3600 x2 antivirus gateway / NIPD / firewall, 93.03

華梵大學: FG3000 antivirus gateway / NIPD / firewall, 92.11

龍華科技大學: FG3000 campus backbone Firewall/NIDS, 92.09

景文技術學院: FG3000 campus backbone Firewall/NIDS, 92.07

亞東技術學院: FG3000 campus backbone Firewall/NIDS, 94.11

Major Project References - FORTINET Taiwan (continued)

陽明大學: FG1000 Firewall / VPN, 92.10

陽明大學: FG3000 campus backbone IDP, 93.10

陽明大學: FG50A x 16 units, campus NAT, 94.08

銘傳大學: FG3000 College of Information Management Firewall/NIDS, 93.09

Major Project References - FORTINET Taiwan (continued)

台北師範學院: FG3600 antivirus gateway / NIPD / firewall, 92.11

台北師範學院: FG1000 antivirus gateway / NIPD / firewall

台北護理學院: FG3000 antivirus gateway / NIPD / firewall / bandwidth management, 93.03

台北護理學院: FG1000 antivirus gateway / NIPD / firewall / bandwidth management, 93.12

台北護理學院: FG800 antivirus gateway / NIPD / firewall / bandwidth management, 94.04

靜宜大學: FG3600 campus backbone AntiVirus, Firewall/NIDS, 93.1

靜宜大學: FG3600 campus backbone AntiVirus, Firewall/NIDS, 93.5

靜宜大學: FG3600 campus backbone AntiVirus, Firewall/NIDS, 94.3

東海大學: FG3000 campus backbone AntiVirus, Firewall/NIDS, 93.6

東海大學: FG3000 campus backbone AntiVirus, Firewall/NIDS, 94.3

Major Project References - FORTINET Taiwan (continued)

明新科技大學: FG3000 campus backbone AntiVirus, Firewall/NIDS, 93.12

弘光技術學院: FG3000 antivirus gateway / NIPD / firewall, 93.3

勤益技術學院: FG3000 antivirus gateway / NIPD / firewall / bandwidth management, 92.8

永達技術學院: FG3000 campus backbone Firewall/NIDS, 92.7

台中技術學院: FG3000 campus backbone Firewall/NIDS, 92.9

台中師範學院: FG400 antivirus gateway / NIPD / firewall, 92.7

台中師範學院: FG3600 antivirus gateway / NIPD / firewall, 93.12

台中師範學院: FG50A x 6 units, antivirus gateway / NIPD / firewall, 94.04

Major Project References - FORTINET Taiwan (continued)

大葉大學: FG3000 campus backbone AntiVirus, Firewall/NIDS, 93.12

嘉南藥理: FG3600 campus backbone AntiVirus, Firewall/NIDS, 93.6

宜蘭大學: FG800 campus backbone AntiVirus, Firewall/NIDS, 93.6

暨南大學: FG3600 campus backbone AntiVirus, Firewall/NIDS, 94.4

南華大學: FG3600 campus backbone AntiVirus, Firewall/NIDS, 94.3

雲林科技大學: FG1000 x2 campus backbone Firewall/NIDS, 92.9

台南護專: FG3000 campus backbone Firewall/NIDS, 92.12

Major Project References - FORTINET Taiwan (continued)

台灣體育學院: FG400 antivirus gateway / NIPD / firewall, 93.04

陸軍化校: FG400 antivirus gateway / NIPD / firewall, 93.04

高雄應用大學: FG400 antivirus gateway / NIPD / firewall, 93.06

高雄海洋科大: FG800 antivirus gateway / NIPD / firewall, 93.06

佛光大學: FG800 antivirus gateway / NIPD / firewall, 93.07

崑山科技大學: FG800 antivirus gateway / NIPD / firewall, 94.02

空軍官校: FG1000 antivirus gateway / NIPD / firewall, 93.03

Major Project References - FORTINET Taiwan (continued)

中山醫學大學: FG-3000 x 1, 94.2

達德商工: FG-1000 x 1, 94.3

高苑技術學院: FG-3600 x 1, 94.5

南亞技術學院: FG-3000 x 1, 94.6

國立高雄大學: FG-3600 x 1, 94.8

國立聯合大學: FG-3000 x 1, 94.8

TKU Security Network Arch.

[Diagram: TKU security network architecture. Internet edge: FG5050 + 4*FG5001-FA2 on the campus backbone; FG3600 for the 蘭陽校區 (Lanyang campus); FG800 in front of the IBM application server farm; FB1000F bypass units at each building (化館, 商館, 工館, 行政, 圖書館, 外語) on a VLAN trunk; FG60WiFi; the 台北 campus; 宿舍 (dorms), 校外宿舍 (off-campus dorms) and 淡江學園 connected over ADSL / Cable.]

FortiGate - TKU
  • FortiClient for PC/notebook antivirus / personal firewall / spam
  • FG5050 with 4 x 5001FA2 - for the campus backbone / IDC
  • FG3600 - for the I-land campus
  • FG800 - for the IBM campus application servers
  • FortiBridge-1000F x 9 - for bypass
  • FG200 - for the Le-sui campus building
  • FG60wifi - for MIS mobile security
  • FortiAnalyzer - for logging & reporting
Success Story: 景文技術學院 FG5020

Conclusion

"Defending against threats from inside the campus network is far harder than defending against threats from outside. The FortiGate-5020 gave us the most timely protection, not only providing students with a stable network environment but also safeguarding the security of the teaching data at the 景文 computer center."

"Traditional single-purpose protection aimed only at viruses, intrusions or spam is no longer sufficient to cope with today's wide variety of network threats; in particular, peer-to-peer applications, which are widespread on campus networks, are a major threat to network security. Fortinet's unified threat management system, the FortiGate-5020, delivered benefits far beyond our expectations: it combines performance and cost advantages with carrier-grade protection and scalability, and lets 景文技術學院 keep track of security risks on the campus network at all times."

-- Dr. 羅光志, Director of the Computer Center, 景文技術學院

Key Success Factors

Significant Market Opportunity

Differentiated Technology

Superior Customer Value Proposition

Solid Execution

Scalable Business Model

Visionary and Experienced Leadership Team