What's next in next generation firewalls and testing. Fortinet / Ixia presentation, Ottawa, June 20, 2013.
1
What’s Next in Next-Gen Firewalls and Testing?
Ottawa. June 20th, 2013
2
AGENDA
11:30 am Lunch
12:00 pm Welcome
12:10 pm Video: John Pescatore (SANS) – NGFW and ATAs
12:25 pm Fortinet / Ixia Live Demonstrations
1:00 pm Wrap Up / Q+A
What’s Next in Next-Gen Firewalls and Testing?
3
Fortinet’s Evolution: Comprehensive & Integrated Security
Layer 1-2: PHYSICAL
Layer 3-4: CONNECTION
Layer 5-7: CONTENT & APPLICATION
ANTI-SPYWARE
ANTISPAM
WEB FILTER
ANTIVIRUS
VPN
IPS
FIREWALL
LOCK & KEY
SPYWARE
WORMS
SPAM
BANNED CONTENT
TROJANS
VIRUSES
INTRUSIONS
HARDWARE THEFT
1980s 1990s 2000s Today
Performance - Damage
Layer 8: USER
ENHANCED USER EXPERIENCE
4
April 10, 2023
ELIMINATE GUESSWORK
Security Exposed
5
Video
6
7
Demonstration
8
Demonstration Equipment
FortiGate-3600C Next Generation Firewall
Ixia BreakingPoint FireStorm ONE
9
Demo Set: Physical and Logical View
Physical
Logical
1x 10Gbps Fibre
Inbound traffic
Outbound traffic
10
Live Demonstrations
• Test 1: NGFW Bandwidth Throughput
• Test 2: NGFW BW + Attacks
  - Same throughput as Test 1
  - Bidirectional attacks added (1757 in each direction)
  - Standard BP strike level 4
  - Blocked strikes retry and retransmit
• Test 3: NGFW BW + Attacks (but no detection)
  - Still same throughput as before
  - Bidirectional attacks go through FW only rules (no IPS or App control)
11
Test Lab and Certification Results
Separate 3rd Party Facts from Vendor Claims
12
Fortinet Competitive Advantages
13
Over 150 New Features & Enhancements
Securing Mobile Devices
• Device Identification
• Device Based Policy
• Endpoint Control
Making Smart Policies
• Secured Guest Access
• Visibility & Reporting
• Identity-Centric Enforcement
More Intelligence
Fighting Advanced Threats
• Client Reputation
• Advanced Anti-malware Protection
FortiOS 5 - The World’s Most Powerful Network Security Operating System
More Security
More Control
14
What’s Next in Next-Gen Firewalls and Testing?
15
Fortinet’s Answer to What’s Next - FortiOS 5
The World’s Most Powerful Network Security OS just got even better!
• Advanced Security: Advanced Threat Protection and Remediation Technologies to break the threat life cycle
• Contextual Visibility: Empowering organizations to gain deep insights into real-time and historical network use by Application, by User and by Device (BYOD)
• Feature Select: Instantly fine-tune FortiGate based on desired deployment needs using feature presets
16
Feature Select: Enabling Flexible, Optimized Configurations
• Deploy specific security functions per network location requirements
HQ (Enterprise Core)
Branch Office (Distributed Enterprise)
NGFW+ATP
NGFW+ATP
WF
ATP
NGFW
NGFW
INTERNET
Retail Outlet / Kiosk (Distributed Enterprise)
Data Center
FW
NGFW
UTM
Management
Endpoint Control
17
Feature Select Presets - Flexible Configuration
Allows administrators to easily set up a GUI that is relevant to the unit’s deployment
Further customizations
18
Context Visibility - Network Activities
NAT’ed IP and Port
Applications and their usage
Device & User Info
Concurrent sessions & new sessions per sec
Geo IP Info
FortiGuard Encyclopedia Integration
19
Context Visibility – Threat Status
DRILL DOWN
Displays the top clients associated with the most threats
20
Advanced Targeted Attacks
• Advanced Targeted Attacks (ATA)
  » Target specific organizations
  » Infiltrate from multiple vectors
  » Remain stealthy for lengthy periods of time before exfiltrating data
• ATA is the accepted term for viruses
  » Advanced Persistent Threats (APT) also used
• Modified Infection Lifecycle
  » Zero day vulnerabilities
  » Fresh Malware
  » Phishing emails
  » Password hacks
21
Fortinet Advanced Threat Protection
• Botnets: Once compromised, systems can be controlled remotely. Infected hosts take orders from the Internet.
• Malicious Websites: Infection via web downloads, phishing or watering hole attacks. Potential initial host infection vector.
• Polymorphic Malware: Viruses and other malware evolve to avoid detection. Avoids traditional signature-based AV detection.
• Traditional Viruses, etc.: Host machines can become infected by viruses, trojans, etc. Destructive behavior or backdoor installation.
Fortinet ATP
• Web Filtering: Identifies and blocks suspicious websites
• Malware Sandboxing: Identifies zero-day malware via cloud-based AV sandboxing
• Botnet DB Blacklist: Prevents command and control from remote systems through IP reputation
• Advanced AV Engine: Uses heuristic techniques and OS independent local sandboxing
22
Capacity & Performance
FG-100-800 Series FG-1000-3000 Series FG-5000 Chassis System
Enterprise Branch Enterprise Core Data Center
Enterprise Product Offering
ATP NGFW NGFW+ATP
10G Interfaces
Dual power supplies
Multi-gigabit NGFW performance
Highly scalable
WF NGFW NGFW+ATP
Compact 1 RU
NGFW FW
23
THE CURRENT THREAT LANDSCAPE IS CHANGING EVERYTHING
24
Test
• Evaluate Next-Gen Technologies
• Rightsize Technology Investments
• Reduce Deployment Risk
• Optimize Performance
Assess
• Certify Security Posture
• Predict Impact of Change
• Evaluate Threat of New Attacks
• Measure Wi-Fi Coverage
• Optimize Scalability and Reliability
ACCELERATE & SECURE APPLICATION DELIVERY
Optimize
• Deliver Packets to Monitoring Tools
• Eliminate Bottlenecks
• Filter Application Traffic
• De-duplicate Packets
• Identify Security Threats
25
NETWORK PERFORMANCE MONITOR
INTRUSION DETECTION SYSTEM
APP PERFORMANCE MONITOR
NETWORK DATA RECORDER
NETWORK ANALYZER
IXIA ANUE NET TOOL OPTIMIZER (NTO)
ANUE: Complete Visibility
26
SIMULATION AND TESTING
APPLICATION & THREAT INTELLIGENCE
BreakingPoint: Performance & Security
Evaluate Next-Gen Technologies
Rightsize Technology Investments
Reduce Deployment Risk
Optimize Performance
Network Surveillance
Strategic Relationships
Carrier Feeds
Research
27
ACTIONABLE SECURITY INTELLIGENCE
Unprecedented Performance
• 120 Gbps blended application traffic
• 90M concurrent TCP sessions
• 3M TCP sessions/second
• 640K concurrent SSL sessions
Real World Applications
• 200+ application protocols
• Social media, peer-to-peer, voice, video
• Web and enterprise applications, gaming
• Custom applications
• Frequent updates
Real Attacks
• 5,000+ live security attacks
• 30,000+ pieces of live Malware
• 100+ evasions
• DDoS and Botnet simulation
• Custom attacks
• Research and frequent updates
NEW EVERY 2 WEEKS
26 NEW biweekly updates
Applications
DDoS/APT attacks
28
Security SOLUTIONS
29
Storage SAN
HOLDING YOUR VENDORS ACCOUNTABLE

| METRIC | GOAL | FIREWALL A | FIREWALL B | FIREWALL C |
|---|---|---|---|---|
| Transactions | 10,000 | 12,243 | 8,832 | N/A |
| Concurrent Flows | 30,000 | 32,684 | 57,908 | 14,618 |
| Average Latency (microseconds) | 5,000 | 5,114 | 1,308 | 235,648 |
| Attacks Blocked (Ixia Security Level 1) | 80% | 47% | 91% | 78% |

Key: Met Specification | Missed Specification by 5% or less | Missed Specification by more than 5%
Wireless Wi-Fi
Next-Gen Security Devices
Massive Performance Routing
Port Density Switching
Ethernet 100G
DEVICE EVALUATION
30
APP FLOOD
SYN FLOOD
USERS
Router Firewall Load Balancer
App Server Switch Database Server
APPLICATION RESILIENCY
NETWORK RESILIENCY DATA CENTER RESILIENCY
DDOS RESILIENCY TESTING
31
Best-in-class solutions to test, assess and optimize networks and data centers
Complete visibility into your network, data center, and the applications that fuel your business
From the lab to the network to the cloud, Ixia solutions optimize networks and data centers to accelerate, secure, and scale the delivery of your applications.
Actionable insight to eliminate guesswork for optimal and predictable application & service delivery
Only Ixia Provides
32
Questions?