Selling in the Telco sector

JOSE GRANDMOUGIN EMEA SENIOR CONSULTANT

26. 11. 2009

Protecting the Service Provider’s Infrastructure

MOBILENETWORK

RADIUS SERVER

GGSN

SGSN

2Protecting the customer (Managed Security Service Provider)

Subscriber Network

Subscriber Network

Subscriber Network

1

Security Solutions for Service Providers

• Two discrete solutions for Service Providers

Managed Security Services

NOC/SOC

Traditional CPE / Client Based MSS

4

Internet

Virtualized Services

• Per Customer Virtual Domain• Application Control

• Web Filtering

• AntiVirus / AntiSpyware

• Data Leak Prevention

• AntiSpam

• Intrusion Protection

• VPN (IPSec / SSL)

• Firewall

• Dynamic Routing

5

Security Processing Modules

ADM-XE2 and ASM-CE4

• Intrusion Prevention Offloading• Inspects traffic traversing network

interfaces for network-based attacks• Provides protocol anomaly and signature-

based inspection• Multi-Gigabit performance

• Firewall Offloading• Inspects traffic traversing network

interfaces and blocks/allows according to firewall policy

• Line-Rate performance

• IP Multicast Offloading• Accelerates and routes IP Multicast traffic• Contributes to improved performance of

video, voice, and other IP Multicast applications

ASM-CE4

ADM-XE2

NP4 Based Dual Wide AMC Module

• Compatible with 5001A/3810A• Firewall and IPSec offload• 4 x 10G SFP+ Interfaces• Includes 2xSR SFP+

transceivers

• 20G Firewall Processing• 8G IPSec VPN Processing

7

ADM-XD4

Value Added Internet Access Services

COMPETITION

• Juniper• CrossBeam• Cisco

WINNING FACTORS

• Protection Profiles and Virtualization• Routing flexibility• Hardware scalability

Customer 1

Customer 2

Customer 3

Internet

8

Value Added RAS

COMPETITION

• Cisco• Juniper

WINNING FACTORS

• Features Integration, IPSec, SSL VPN Antivirus, Web Filtering• Self Service Management Portal

Internet

Client

CPE

Internet

9

3G High-Performance VAS

COMPETITION

• Cisco• Juniper

WINNING FACTORS

• Features Integration, Fast Antivirus services• Self Service Management Portal• 10Gb real throughput

Internet3G Network

10

Management Interfaces in the Cloud

11

Provisioning Billing

Troubleshooting Monitoring

NOC / SOC

NetworkNetworkSelf Service

Portal

Device Group

Device Group

JSON API

XML API

XML API / GUI

CLI / SNMP / GUI

LOG / ARCHIVEQUARANTINE

MGMT

GUI

CUSTOMERS

FortiManager Portal User

• Portal Customization• Development Toolkit

• Provides a full set of customization options

• Function, content, and branding

• Secondary database interfaces

• Consumer Portal• Simplified option set

• Uses Development Toolkit

• Targets consumer opportunities

• Linked with Dynamic Profile Featureon FortiOS Carrier

Virtualized Management

Device Group 2

Device Group 1

Admin 2

Admin 1

Customer 1

Customer 2

Multiple Administrative Domains• Administrative Domain (ADOM)• Per Customer / Device Group Policy Management

• Per Customer / Device Report Generation

• Supports VDOM groups and physical device groupsin any combination

Dynamic Security Profiles

Applies to two key target service provider markets • Managed Security and Mobile

Allows user “Self-Service” automation• RADIUS Accounting Record attributes used to create a context for a source IP

address

• Context can associate IP address with any other RADIUS attribute• Username, MSISDN, Service Name

• Protection Profile also extracted from the RADIUS record

• Assumes an authentication event has occurred within the Carriers network• Typical in both fixed (DSL) and mobile environments

RADIUSSERVER

Radius Accounting Message Dynamic Policy Created

Dynamic Security Profiles

Portal Provisioning

PORTALSERVER

DYNAMIC SECURITY PROFILES

DYNAMIC SECURITY PROFILES

Provides an authenticated bypass of the Service Restrictions Within a domestic environment

Both end-points (users) are behind the same NAT boundary Clientless solution to differentiate access – no software to ‘hack’ Parental control is maintained

DSL

Home user 1(Adult)

NAT

DSL

Home user 2 (Child)

Dynamic Security ProfilesIn Home Parental Control*

DYNAMIC SECURITY PROFILES

DYNAMIC SECURITY PROFILES

*FortiOS Carrier 4.1

www.badsite.com

• Per end-point Black / White List• End points (users, MSISDN) can have their own black white list

• No requirement for end user to access FortiGate infrastructure

• Can be populated on Self Service Portal•Dynamically configured on FortiGate as end points attach• RADIUS VSA Extension, no fixed limit for URLs

DSL+3G

RADIUS

Dynamic Security ProfilesEnd-Point customisation

DYNAMIC SECURITY PROFILES

DYNAMIC SECURITY PROFILES

Self ServicePortal

*FortiOS Carrier 4.2www.badsite.com

Infrastructure protection

FortiOS Carrier 4.0 Highlights

Dynamic ProfilesPer user services via a RADIUS APIProtection Profile derived from RADIUS record

Session Initiation Protocol (SIP) SecurityStateful SIP tracking, Malicious SIP message protection , SIP Rate LimitationSIP Transparent or SIP NAT mode, IP Topology Hiding, RTP Pinholing Geographical Redundancy, SIP Stateful High-Availability

Multimedia Message Service (MMS) SecurityAntivirus, Antispam/Antifraud, Antiphising (via Web Filtering)

Sender and Admin notification

GPRS Tunneling Protocol (GTP) Firewall3GPP 29.060 version 6.9.0, including Overbilling ProtectionProtocol Anomaly Checks, IMSI/APN/IE filtering

20

FortiCarrier SIP Security

SoftswitchSIP

Application Server (AS)

Signalling Control(SIP)

Media Control(RTP)

All Traffic – Access and Peering

- Hosted NAT Traversal- Call Admission- Interoperability- Interworking (IWF)- Media Pinholing and Policing

- Call Control- Routing- Features- Billing

NGN Network Topology

SIPRTP

SIP Firewall

SIP RTP

Session Border controller

OptionalRTP bypass

- SIP aware Firewall- Denial of Service prevention- Message Filtering- Message rate limiting- IPS detection and prevention

VOICE SECURITYVOICE SECURITY

Mobile Security

• FortiCarrier also provides:• MMS Antivirus• MM1/3/4/7

• Monitor mode

• Intercept, Archive, Quarantine, Block Actions

• Sender Notification and alerting

• MMS Antispam• MM1/4

• Duplicate Message, Sender Flooding

• Admin Notification

INTERNET

OTHEROPERATOR

MMSC

MM3

MM1 MM4

CONTENTPROVIDER

MM7

MOBILE SECURITYMOBILE SECURITY

Cloud / Endpoint Managed Services

Global Service Offerings

• FortiGuard™ Global Research Team provides original security intelligence via FortiGuard subscriptions• Antivirus

• Intrusion Prevention

• Web Filtering

• Antispam

• FortiCare™ Support services provides technical assistance anywhere, anytime• Multiple service levels to meet

customer requirements

FortiMail – Email Security

• Role Based Administrative Domain Management• Thousands of domains

• LDAP Profiling• Outsourced policy management / service enablement

• Inbound and Outbound Antivirus and Antispam• Centralised Quarantine•Multiple Operating Modes• Server, Gateway/Relay and Transparent

• Unlimited License Model• Not per mail box or domain

• Integrated with FortiManager and FortiAnalyzer• Chassis Blade and Appliance Form Factor

24

FortiClientDesktop Access to FortiGuard Services

• Antivirus & Antispyware Protection• Personal Firewall• Content Filtering• Windows Registry Monitor• IPSec VPN Client

• Private Label Branding• Microsoft MSI installer for rapid

deployment to many clients• Client lockout to prevent

unauthorized configuration• License Control

FortiMobile Security Client Software

• Symbian Series 60• 2nd Edition: v7.0s, V8.0a, v8.1a• 3rd Edition: v9.1, v9.2, v9.3

• Windows Mobile• 2003 SE: Pocket PC, PPC Phone• 5.x: Pocket PC, PPC Phone, Smartphone* • 6.x: Professional, Standard, Classic

• Capabilities include• Personal Firewall• VPN (IPSec, SSL)• Incoming Call Filter • SMS Antispam• Antivirus• Phone Security

• (Contact / SMS / Call Log / Data Encryption)• Multi-Language Support

Smartphone support to be added in 4.3

Questions?