
Defense in Depth




Presentation Transcript


  1. Defense in Depth. 劉乙, Senior Technical Manager, Fortinet (US)

  2. AGENDA • Information and communication security solutions, 10 min • Fortinet Solution & Reference, 15 min • Discussion, 15 min • Appendices: • IDC report / Fortinet overview / solution documents / 力麗科技 overview. CONFIDENTIAL

  3. Purpose and Benefits. Purpose: to meet the requirements of the Executive Yuan National Information and Communication Security Taskforce (行政院資通安全會報) and to provide defense in depth for campus network security, delivering a complete and cost-effective solution that covers the work items required at each security system level. Benefits: done in one pass, lower spending. CONFIDENTIAL

  4. Work items required at each security system level (columns: defense mechanism strength; defense in depth; ISMS implementation; audit method; security training hours per year for chief / managers / technical staff / general staff; professional certification):
     Level A: strength level 4; NSOC direct protection or self-built SOC, IDS, firewall, antivirus; third-party certification passed in ROC year 96; at least two internal audits per year; training of at least (4, 6, 18, 4 hours) per year; two security professional certifications in year 96.
     Level B: strength level 3; SOC (optional), IDS, firewall, antivirus; third-party certification passed in year 97; at least one internal audit per year; training of at least (4, 6, 16, 4 hours) per year; one security professional certification in year 96.
     Level C: strength level 2; IDS, firewall, antivirus; each unit forms its own working group to plan the work; self-assessment; training of at least (2, 6, 12, 4 hours) per year; security professional training.
     Level D: strength level 1; firewall, antivirus; promote ISMS awareness; self-assessment; training of at least (1, 4, 8, 2 hours) per year; security professional training.
     CONFIDENTIAL

  5. Cooperation Model. A professional consulting firm handles ISMS implementation, audit guidance, training and professional certification, while Fortinet as the vendor provides the defense-in-depth solution: FW / IDP / AV / security reporting. 1. Vendor professional services team 2. Vendor professional training courses and technology-transfer cooperation. CONFIDENTIAL

  6. Why Fortinet? • Proven Experience & Leading in the Security Gateway Market • 100,000 units deployed • 台中縣網: 167 units of FG400; 台北縣網: FG3600 x2; 中華電信 IDC: FG800 x200 • 清華大學: FG3600 x5; 成功大學, 陽明大學, 靜宜大學 and more than 60 other universities and colleges • 景文技術學院: FG5020 x2; 台中市網: FG5050; 基隆市網: FG5050; 淡江大學: FG5050 x4; 高應大: FG5050 • Best Performance in IDP / Antivirus / Firewall Security Gateway - 3x price/performance in IDP / Antivirus / Firewall - Worldwide No. 1 performance security gateway by ASIC • Certified: EAL4+, NSS, FIPS certified - 5x ICSA certified: Antivirus, NIDS, Firewall, IPSec VPN, SSL VPN • 2005 IT WEEK December annual survey, firewalls: Fortinet No. 1 in market share among universities and colleges, 30% • 2005 NBL (交大 network test center): No. 1, FG3600 antivirus network security appliance test • 2005 資策會 overall security champion: UTM & IM/P2P No. 1 & VPN, MIS Manager Best Choice • 2004-2005 IDC report, security gateways: Fortinet No. 1 in global market share, 29.5%

  7. Fortinet Company Overview • Founded October, 2000 • Founder, former Pres. & CEO of NetScreen (NASDAQ: NSCN) • 550 employees; HQ in Sunnyvale, CA • Offices throughout Americas, EMEA and Asia • Belgium, France, Germany, Italy, Sweden, UK • Tokyo, Seoul, Beijing, Shanghai, Hong Kong, Taipei, Singapore, KL, etc. • Creators of world’s only ASIC-powered antivirus systems • Addressing the need for real-time network protection • More than 100,000 FortiGate units shipped to 2,000 customers • Achieved >10x revenue growth in 2003 vs. 2002 • Among the fastest growing network security companies in history • Completed $50 million mezzanine financing Feb 2004 • Total equity raised $93 million CONFIDENTIAL

  8. According to the latest IT WEEK report (2005 statistics), FORTINET ranks first in Taiwan's university and college market with a 30% share, well ahead of Cisco (15%) and NetScreen (15%). 2005.12.12

  9. According to the latest IDC report, FORTINET is No. 1 in the global UTM market with a 29.5% share of the security gateway market.

  10. Fortinet Technology Advantages

  11. Fortinet Vision: The Best UTM Security Gateway. Figure: generations of security gateways plotted by speed against feature set, from the 1st generation (software) through the 2nd (hardware & software) to the 3rd and next generation (ASIC-accelerated content security).

  12. FORTINET network security solutions: FortiProtect provides a 7x24 real-time security protection and response center; FortiMail provides spam management; the FortiGate ASIC-based full range of security gateways (FG50A/60/100A/200A/300A/400A/500A/800F/1000AFA2/3600/5000) meets customer security needs with high performance; FortiAnalyzer provides complete security logs and detailed statistical analysis reports; FortiClient provides a desktop personal firewall, antivirus, anti-hacking and VPN services; FortiManager provides centralized management and configuration.

  13. Fortinet Differentiators: Products, Technology, Service & Support, and Lowest Total Cost of Ownership

  14. FortiGate Product Family. Figure: models arranged by segment (SOHO, Branch Office, Medium Enterprise, Large Enterprise, Service Provider/Telco) and throughput, with the same feature set throughout: FortiGate-50A, FortiGate-60 / FortiWifi, FortiGate-100A, FortiGate-200A (High Availability, VLAN support), FortiGate-300A, FortiGate-400A, FortiGate-500A (Integrated Logging), FortiGate-800 (High port density), FortiGate-1000 (Gigabit Ethernet), FortiGate-3000, FortiGate-3600 (Redundant PS, VDom, Gigabit performance), FortiGate-5000.

  15. FortiGate-5050 chassis. Figure: three FortiGate-5001 blades and two FortiBlade-5003 blades. DC power only; an external AC-to-DC power converter unit is required for AC applications. Not shown: shelf management module.

  16. FortiGate 5050 Modules • FortiGate-5001FA2 AntiVirus Firewall Blade • Same as in FortiGate-5020 • Full network security services • Firewall, AV, VPN, IDP, etc… • Provides Network Interfaces • Up to 5 in a FG-5050 chassis • Typical installs will have 3 modules • FortiBlade-5003 Switch Blade • Provides Intra-chassis communications • Also used for Inter-chassis HA Interface Links • connects multiple chassis together • Either 1 or 2 Switch Blades per chassis • With 2 Switch Blades the 5050 chassis has no single point of failure

  17. FortiGate Antivirus Firewall on a Blade: FortiGate-5001FA2 Module for the FG-5000 series. Works in any FortiGate 5000 series chassis. 8 GigE interfaces per blade: 4 SFP removable (SX standard, LX option) and 4 10/100/1000 TX. Console access via DB9 on current boards. USB x2 (future use). Locking handles and thumbscrews. Hot-swappable operation and standardized LED status indicators. Figure: front-panel labels (Power, Hard Disk, Access, Status, ports 1-8, console connection, module lock, mounting knob, gigabit fiber, 10/100/1000, USB).

  18. FortiGate 5053 Power Converter: AC to DC Power Converter for FG-5050 • AC power applications require the FG-5053 converter unit • FG-5050 chassis accepts DC power only • 1 RU shelf, mounts above or below the FG-5050 chassis • 3 hot-swappable power supply modules • Requires 2 out of 3 to operate the chassis • Two FG-5053 units can be used for redundant power feeds • FG-5050 chassis can accept redundant DC power inputs

  19. Competitive Comparison FortiGate 5050

  20. AGENDA CONFIDENTIAL

  21. FortiGate 1000AFA2 Highlights • 2 Gbps Firewall Throughput • 250 Mbps 3-DES VPN Throughput • 200 Mbps AV Scanning Throughput • 2 Rack Unit Height w/ Dual Power Supplies • New Intel Xeon E7520 3.2 GHz CPU • 1 GB RAM Performance

  22. FortiGate 1000AFA2 FortiAccel • FortiAccel (FA2) option adds two additional SFP ports • 10 ports 10/100/1000 Mbps TX, and 2 SFP • Choice of SX, LX, or TX (copper) SFP modules • Provides wire-speed firewall performance at all packet sizes • Not field upgradeable; requires a different front panel assembly

  23. Competitive Comparison FortiGate 1000FA2

  24. The New Generation of Security Solutions

  25. Campus Network Security Solution (Fortinet, 2005-12-12, TS). Figure: campus topology (Internet, Intranet / Extranet, Backbone, Core Network, Data Center, Services DMZ, 校務行政 (administrative services), Dorms, Labs, College building, 電腦教室及各系所 (computer classrooms and departments)) with numbered callouts: FG3600 x2 in HA adds antivirus and IDS/IDP protection for applications; FG5050 x2 in HA adds antivirus and IDS/IDP protection at the Internet edge in transparent mode behind the existing firewall; FG1000FA2 x2 in HA provides in-line firewall, antivirus and IDS/IDP functionality for the data center; FG5020 provides antivirus, IDS/IDP and firewall protection plus traffic shaping for dorms; FG1000FA2 adds antivirus and IDS/IDP in transparent mode behind the existing firewall; FG100A/200A/300A provide antivirus and intrusion protection for computer classrooms and departments.

  26. FortiGate Antivirus Firewalls: A New Generation of Security Platforms. Figure: a FortiGate at the network edge blocking hackers, email spam, viruses and worms, intrusions, and banned content (example sites in the figure: www.find_a_new_job.com, www.free_music.com, www.pornography.com) from the Internet. Real-Time Content Security at the Network Edge.

  27. Instant Reporting main functions • Analyzes and manages reports on events/logs from multiple firewall systems across vendors • Separate analysis of inbound/outbound traffic, web usage, bandwidth usage, intrusion attacks and related information • Complete report analysis functions • Over 200 preset reports • Real-time and historical data analysis • Customizable report formats and scheduled report generation • Internet usage, web activities, virus activities and trend analysis • Project reference: 台北市政府 IDC (acer eDC)

  28. Instant Reporting

  29. FortiAnalyzer v3.0 – Report Example • Now over 300 different report templates available

  30. Recipient of the most international security certifications: ICSA Labs Certified: Antivirus, Firewall, IPSec, SSL-TLS, IPS; Common Criteria EAL-4+ Certification; NSS Group Certification for IDP & UTM; Virus Bulletin 100 Award

  31. World Class Services and Support

  32. What We Do • Fortinet's products span a broad range of applications, from the first multi-gigabit-speed security systems for Internet data centers and service providers all the way to solutions for single telecommuters. • Management of Fortinet's security systems and appliances is handled through FortiManager, a scalable appliance platform that enables easy deployment, provisioning and network control. • Fortinet, Inc. develops and sells the industry's highest performing security gateways, offering integrated firewall, VPN, antivirus, and intrusion protection solutions.

  33. Antivirus requirement • 25%+ of virus infections are delivered via Web traffic, vs. email • Software AV scanning is too slow for Web traffic • Only ASIC-based AV systems allow real-time network protection

  34. Intrusion detection highlights • Customizable attack list to enable and disable signatures • Ability to import Snort signatures • Support for customer self-defined signatures

  35. Integrated intrusion detection • The IDS engine: • Hooks into the routing and firewall modules and application layer • Coordinates with the FortiASIC to quickly peek into traffic and check for traffic patterns that match specified IDS signatures

  36. Protection profile – Intrusion control • Detection methods: • Signatures • Anomalies • Scanning attacks • Flooding attacks

  37. 802.1Q VLAN support • FortiGate 60 and above • Multiple VLAN based sub-interfaces • Definable on every physical port and VLAN trunking support • Support for overlapped IP addresses with different VLAN tags • Inter-(sub) interface security policies • VLAN based AV • VLAN based NIDS • VLAN based content filtering • VLAN based VPN construction • VLAN based firewall policy and traffic shaping • Virtual Domain • Effectively provides partitioned and scalable security service from the same physical security device to serve multiple customers

  38. VLAN in routed or transparent mode. Figure: in routed mode the FortiGate routes between VLAN interfaces (VLANs 10, 20, 30 and 40 across two trunk interfaces); in transparent mode the FortiGate acts as a bridge and packets are not routed from one VLAN to another (VLANs 30 and 40 pass through unchanged between the two trunk interfaces).

  39. High availability highlights • Supported on FortiGate-60 and higher • Supported in transparent mode or routed mode • Supports both Active-Passive and Active-Active configurations • Active-Passive mode provides automatic and transparent failover: • Firewall and IPSec session synchronization • Failover in less than 3s • FortiGate units send an email and SNMP trap, and log the event • Active-Active mode provides in addition: • Firewall load-balancing between units • Antivirus load-balancing between units • Link status monitoring and failover

  40. High availability highlights • HA heartbeats • Used to: • Communicate cluster session information (firewall sessions and IPSec SAs) • Synchronize the cluster configuration • Report individual cluster member status • Sent on an HA link • Redundant HA links: • Any interface can be chosen as an HA link • An interface already configured to receive user traffic can be configured for HA heartbeat as well • Any number of backup HA links can be configured

  41. Other High-availability Enhancements • HA Link Security • Data encryption between members of a HA cluster • Additional model support • FortiGate-60/100/200 • FortiWiFi-60 • WLAN interface is not a supported HA interface. • Active-Active mode • Additional support for load balancing of non-AV traffic • All TCP sessions will be load-balanced
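The HA properties listed on slides 39 to 41 (active-passive mode, redundant heartbeat links, session synchronization, link monitoring, encrypted HA links) written out as a FortiOS CLI configuration; this is an added example, not part of the deck, using the `config system ha` syntax of current FortiOS releases (the 2005-era CLI may have differed). The interface names port1 to port4, the group name and the password are assumptions, and the `#` comments are annotations rather than CLI syntax.

```text
# Added example: active-passive FortiGate HA cluster; interface names are assumed.
# Enter the same block on both units; only "priority" should differ between them.
config system ha
    set group-name "campus-cluster"           # assumed cluster name, must match on both units
    set mode a-p                              # active-passive; "a-a" enables active-active load balancing
    set password "REPLACE-WITH-SHARED-SECRET" # placeholder shared secret for heartbeat authentication
    # Redundant HA links: two heartbeat interfaces, each with a priority (higher is preferred);
    # a dedicated link and a user-traffic link can both carry heartbeats
    set hbdev "port3" 100 "port4" 50
    # HA link security: authenticate and encrypt heartbeat traffic between cluster members
    set authentication enable
    set encryption enable
    # Session synchronization so that existing TCP sessions survive a failover
    set session-pickup enable
    # Link status monitoring: fail over when a monitored user-traffic interface goes down
    set monitor "port1" "port2"
    set priority 200                          # primary candidate; configure a lower value on the second unit
end
```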

  42. Antispam protection highlights • Uses a wide variety of local and network tests to identify spam signatures • Source blocking • IP address • Static lists • Dynamic database: RBL & ORDBL • Email address • FortiShield (IP address and URI scanning) • Content blocking • MIME headers • Banned word • Once identified, the mail is: • Tagged as spam for later filtering using the user's own mail user-agent application • Enables easy sorting by any email client • Or rejected (SMTP)

  43. FortiShield AntiSpam Service • Fortinet managed antispam service with “dual pass” scan technology • For FortiGate and FortiMail • Benefits • Greatly reduces processing overhead on email servers and antispam gateways • Reclaims bandwidth taken by spam email • Supplements any other antispam solution • Cost effective managed solution lowers maintenance overhead of managing static content filters

  44. Major Project References. Paul Huang, Sales VP Taiwan (M): 0955775318

  45. Major Project References - FORTINET Taiwan (dates are ROC calendar year.month; ROC year 94 = 2005): 台中市教育網路中心: FG5050 backbone antivirus wall / NIDP / firewall, 94.09; 基隆市教育網路中心: FG5050 backbone antivirus wall / NIDP / firewall, 94.11; 淡江大學: FG5050 x4 campus backbone antivirus wall / NIDP / firewall, 94.11; 景文技術學院: FG5020 x2 campus backbone antivirus wall / NIDP / firewall, 94.06; 朝陽科技大學: FG5050 campus backbone antivirus wall / NIDP / firewall, 94.12; 高雄應用大學: FG5050 campus backbone antivirus wall / NIDP / firewall, 94.07; 台中縣 elementary school network security: FG400 x 167 units, 93.11

  46. Major Project References - FORTINET Taiwan: 清華大學: FG3600 x2 mail antivirus wall / NIDP / firewall, 94.01; 清華大學: FG3600 x2 host antivirus wall / NIDP / firewall, 94.09; 清華大學: FG3600 backbone antivirus wall / NIDP / firewall, 94.11; 實踐大學: FG3600 x2 antivirus wall / NIDP / firewall, 94.04; 開南技術學院: FG3600 antivirus wall / NIDP / firewall, 94.01; 長庚技術學院: FG3600 antivirus wall / NIDP / firewall, 93.10; 聖約翰大學: FG3600 x1 antivirus wall / NIDP / firewall, 94.12

  47. Major Project References - FORTINET Taiwan: 中華大學: FG4000 campus backbone antivirus, firewall / NIDP, 93.5; 淡江大學: FG3600 campus backbone antivirus, firewall / NIDS, 92.9; 中央大學遙測中心: FG3000 antivirus wall / NIDP / firewall, 93.3; 台北醫學大學: FG3000 campus backbone firewall / inappropriate web content filtering, 92.9; 輔仁大學: FG3600 campus backbone firewall / NIDP, FG200 AV, 92.8; 東吳大學: FG3000 campus backbone firewall / NIDS, FG1000 (Internet server farm antivirus), 92.8; 真理大學: FG3600 x2 campus backbone firewall / IDP, 93.7

  48. Major Project References - FORTINET Taiwan: 國防大學: FG3000 x2 antivirus wall / NIDP / firewall, 93.01; 清雲大學: FG3600 x2 antivirus wall / NIDP / firewall, 93.03; 華梵大學: FG3000 antivirus wall / NIDP / firewall, 92.11; 龍華科技大學: FG3000 campus backbone firewall / NIDS, 92.09; 景文技術學院: FG3000 campus backbone firewall / NIDS, 92.07; 亞東技術學院: FG3000 campus backbone firewall / NIDS, 94.11
