End to End Protection Case study - isaca.org April 2016
End to End Protection: Implementing Best Practice Concepts
Sutjipto Budiman & Jeremy Andreas
27 April 2016
Economy - Central Banks: Hackers Lurked in Bangladesh Central Bank’s Servers for Weeks. Cybercriminals used malware, hacking tools and keylogger software to breach system, FireEye report says
The Attack Surface Has Increased Dramatically: Today’s Security is Borderless
Internal External
Mobile
Endpoint
Branch Office
NGFW
Campus
Data Center
DCFW
UTM
IoT
PoS
Network
Applications
Data
People
Too Many Point Solutions
Networking | Basic Security | Advanced Security
Routing
Switching
Wi-Fi Controller
Firewall
VPN
IPS/ App Control
Web Filtering
Antivirus
Advanced Threat Protection
Cloud Application Control
End to End Segmentation Critical
Internal External
Cloud
On Demand
Data Center
SDN Orchestration
Mobile
Endpoint
Branch Office
NGFW
Campus
Data Center
DCFW
UTM
IoT
PoS
Secure Access Network Security Application Security
Actionable Threat Intelligence
Security
Client Security Cloud Security
Fortinet - Cooperative Security Fabric: Protects the Entire Attack Surface
Users Data
IoT Applications
Scalable Awareness
Eco System
CPU
Key Fabric Attributes: Eco Systems Alliance Partners
Actionable | Security | Awareness | Scalability (this section: Scalability)
CPU
Device Access Network Cloud
Scalable from IoT to Cloud
BYOD Endpoint IoT
Single Pane of Glass (Management)
Single Source of Security Updates
Single Network Operating System
WLAN LAN WAN ATP Data Center & SDN
Enterprise Edge Segmentation AppSec
Hybrid Cloud Public Cloud
On Demand
Network Security for Access, Networks and Cloud
Single Pane of Glass (Management)
Single Source of Security Updates
Single Network Operating System
Device Access Network Cloud
Distributed Enterprise
Edge Segmentation Branch
Data Center North-South
Carrier Private Cloud IaaS/SaaS WLAN / LAN
Rugged
Embedded System on a Chip | Content Processor ASIC | Packet Processor ASIC | Hardware Dependent
Device >1G
Appliance >5G
Appliance >30G
Appliance >300G
Chassis >Terabit
Virtual Machine SDN/NFV
Virtual Machine On Demand
Client
Endpoint
Security for the Cloud: Virtualization, Hypervisor Port
Hypervisor
Private Cloud: SDN - Orchestration Integration
Cloud: On-Demand (Pay-as-you-Go)
Cloud Connector API
East-West North-South
Flow
NGFW WAF Management Reporting APT
Parallel Path Processing (PPP)
Packet Processing
Content Inspection
Policy Management
Security for the Network
Slow is Broken
CPU Only
Policy Management
Packet Processing
Deep Inspection
More Performance Less Latency
Less Power Less Space
CPU
Security for Access: WLAN LAN
Infrastructure: On Premise Management
Integrated: On Premise Management
Cloud: Cloud Management
Network Security Platform
Switch
Key Fabric Attributes: Eco Systems Alliance Partners
Actionable | Security | Awareness | Scalability (this section: Security)
CPU
Global and Local Security: App Control, Antivirus, Anti-spam
IPS Web App Database
Web Filtering
Vulnerability Management
Botnet | Mobile Security
Cloud Sandbox
Deep App Control
Partner
Threat Researchers
Threat Intelligence Exchange
Advanced Threat Protection
Endpoint Security
Network Security Platform Email Security
Web & XML Application Firewall
NSS Labs Certification
Product 2012 2013 2014 2015 2016
Breach Detection Recommended Recommended
Data Center IPS Neutral
Firewall Recommended
NGFW Neutral Recommended Recommended Recommended
IPS Recommended Neutral
WAF Recommended
NGIPS Recommended
Endpoint Protection Recommended
[Figure: NSS Labs Next Generation Firewall (NGFW) Security Value Map™, February 2016. X axis: TCO per Protected Mbps; Y axis: Security Effectiveness, with Average lines. Products tested: Cyberoam, Juniper, Cisco ASA, WatchGuard, Palo Alto Networks, Forcepoint, Barracuda, Cisco FirePOWER, Dell SonicWALL, Check Point, Huawei, Hillstone, Fortinet.]
Key Fabric Attributes: Eco Systems Alliance Partners
Actionable | Security | Awareness | Scalability (this section: Awareness)
CPU
A Learning Mode
Complexity is the Enemy
MONITOR AND LEARN
User Identification
Who is connected?
Device Identification
What devices do we have?
Physical Topology
How are they connected?
Network & Application Topology
What Policies do we need?
Fabric Awareness Critical
Secure Access
Network Security
Application Security
USERS
Client Security Cloud Security
DATA
Topology and Data Flow
Partner
Access Point IoT
Edge Firewall
IaaS Firewall | Seg FW
Seg FW
Seg FW
Sandbox
192.1.2.08 | Port 442 | Cloud App 1 | Domain
Policy | Logs
Cooperative Security Fabric
FSA3500D
FGT 100D
FGT 1500D FGT 3700D
FGT VM
FGT API
FGT 100D
Key Fabric Attributes: Eco Systems Alliance Partners
Actionable | Security | Awareness | Scalability (this section: Actionable)
Incident Response Services Single Pane of Glass Migration to Cloud Based Systems
Technical Support | Cloud-based Wireless and Security Management
Real time Security Services
Advanced Threat Protection
Cloud Based Management of NGFW + Access Point
Threat Intelligence | Advanced Threat Protection
Actionable Threat Intelligence
WAN | Data Center | Access
IoT Mobile
PoS Windows
Centralized Device Management
Multiple Levels of Fabric API’s for Partner Integration
Cooperative Security Fabric
SIEM
SDN | Endpoint
Cloud | Virtual
Management
Eco System Alliance Partners
Practical Solutions That Solve Customer Problems
* Note there are specific Telco/MSSP solutions also
Enterprise Firewall
ATP Framework
Data Center Security Cloud Security
Secure Access Architecture
Connected UTM (SMB)
Extensive Range of NetSec Hardware, Virtual and Cloud options
Different personalities for each deployment mode
Advanced Threat Protection – Sandbox
Network+Email+Web+Client Security
North - South (High Speed Appliance) + East West (Virtual & SDN)
Application Security
Public Cloud Security (AWS, Azure …)
Hybrid Cloud
WLAN Access
LAN Access
All In One Security
Cloud Management
Management, Analytics & APIs (Appliance, Virtual machine & Cloud)
ENTERPRISE FIREWALL
SDN
IPS
SWG
Identity Based Access Solution
Centralized Device Management
Centralized Logging and Reporting
Network Security Platform
Rugged
Cloud
Virtual
Physical
5.4
Specialized Network CPU
Real time Security Services
Single Network Operating System
ADVANCED THREAT PROTECTION FRAMEWORK
Cloud | Virtual
Physical
5.4
Single Network Operating System
Real time Security Services
Web & XML Application Firewall
Centralized Device Management
Centralized Logging and Reporting
Advanced Threat Protection
Email Security
Network Security Platform
Endpoint Security
DATA CENTER SECURITY
Virtual | Physical
5.4
VMX
Network Security Platform
Network Security Platform (VMX)
Centralized Logging and Reporting
Centralized Device Management
Single Network Operating System
Real time Security Services
Processor Security
Dynamic Software-Defined Networking
Virtual | Physical
DATA CENTER SECURITY
Application Delivery Controllers
Web & XML Application Firewall
Email Security
Database Security Anti DDoS
Real time Security Services (IP Rep, WAF, AV)
FortiAnalyzer FortiManager
FortiSandbox FortiGate VMX
FortiGate
Virtual | Cloud
CLOUD SECURITY
FortiOS | FortiGuard
5.4
Software Security
Real time Security Services
Centralized Logging and Reporting
Centralized Device Management
Network Security Platform (VMX)
Advanced Threat Protection
Network Security Platform