Fortinet Security Fabric - White Board Session

Captions
Hi, my name is Karen Hook, I'm business development manager for Fortinet at Exclusive Belgium, and welcome to our Fortinet Security Fabric whiteboard session. So I have already drawn an internal network of a certain company. We have the internet and we have our perimeter firewall, which is a FortiGate, a cluster of FortiGates. We have our internal network, we have the DMZ with FortiMail, whether it is a FortiMail appliance, a FortiMail VM in a data center or FortiMail Cloud to protect Office 365 mail, and we have the FortiWeb to protect e-commerce sites, for instance. The internal network can also be a data center when we want to position Security Fabric at enterprise level. And we have our users, and this is Bob.

So first of all, the FortiGate. We want to position it as a next-generation firewall. So what is a next-generation firewall nowadays? It is the consolidation of different security technologies into one intelligent appliance. Why? Because security has become very complex. Hackers nowadays have become very smart and use different technologies to penetrate the network, so we need to have a response to that, and in an affordable way. That's why we consolidate the different technologies in one appliance.

So what are the functionalities of the FortiGate next-generation firewall? First of all we have antivirus, or anti-malware, which is signature-based. Signature-based means it is very effective against known malware. We have our IPS database, intrusion prevention system, also signature-based, against known intrusions. We have URL filtering, so we can whitelist or blacklist the URLs or websites where our users want to go. We have application control. So for instance, with the URL filter we can allow or not allow Bob to go to a certain website, let us say Facebook, and with the application control we can go into the application, into Facebook, and block FarmVille for instance, one of the games that you can play within Facebook. We also have our VPN functionality, of course, so we can set up site-to-site VPNs between different FortiGates, or we can have client-to-site VPN, so encrypted tunnels, of course, when Bob for instance wants to work remotely from home. And also a very important functionality nowadays, and it comes free of charge, it is built in as a standard functionality of the FortiGate, is SD-WAN. So we can have connectivity to applications in the cloud, for instance, connectivity between sites, so very good for multi-site environments moving to the cloud. But with the SD-WAN connectivity we can also set security policies, so that is really a unique feature of Fortinet, and it comes within the FortiGate, so very affordable. FortiGate can also act as a controller for FortiSwitch and FortiAP. I will come to that later, because we can integrate the switch and AP of Fortinet very well into the Fortinet Security Fabric.

And an important functionality that also comes within the FortiGate, no additional license needed, is SSL inspection. As you might know, most of the websites nowadays are HTTPS. That means when we go to the website and request data, the data will be encrypted, and now more than 80% of all internet traffic is encrypted. So if we don't have a decent SSL inspection, so a decryption and afterwards again an encryption, we miss like 80% of all the traffic that goes through the FortiGate, and as you might know, hackers are very smart at sending malware within our encrypted tunnels. But SSL inspection demands performance. Most of the firewall vendors use processors like Intel, and that Intel processor has to do all the work, all the handling of network inspection and content inspection. That means most of the users that for instance have a Check Point firewall turn off the SSL inspection, because otherwise they don't have performance, or when they want to have SSL inspection in place they need to have an appliance that is twice the cost of a FortiGate. And why? Because of the FortiGate's purpose-built processors. Fortinet has developed their own processor, and it goes like this: we have our central CPU, and next to the CPU we have a network processor and we have our content processor, so we can offload the work and the inspection the FortiGate has to do with all the incoming and outgoing data flows. The network processor inspects firewall traffic and does VPN. The content processor, however, will be used for our AV inspection, our IPS inspection and SSL inspection. So we have really dedicated processors to do that content inspection. That means that we can have really good performance at an affordable price, and that is really a unique point of Fortinet.

So we have our AV database in the FortiGate, we have our AV database, signature-based, within our FortiMail, within the FortiWeb, and we have it also in the FortiClient, the client installed on Bob's laptop. So like I said, AV is signature-based, so it is very good to detect, to identify known malware. But as cyber criminals and hackers become more and more smart, they use different techniques. That means they need to find ways and develop malware that is able to bypass our signature-based antivirus, so they're going to develop zero days, zero-day malware that is not identified by the FortiGate. It will pass through, and then Bob's laptop will become infected.

So what is a zero day? Zero days come in three, let us say, flavors. The first ones are very new zero days. These are really for the smart hackers, because they develop really new code to attack a certain, a dedicated enterprise, a dedicated company, or to attack a certain system. Really first-class hackers. But most of the hackers are a little bit lazy. So what are they going to do? They're going to get a really old malware that is not included in the signature-based, limited database within our different solutions. Because it is limited: if we want to use an extended database, then we don't have good performance anymore. So the old variants, or the old zero days, we're going to call them vintage. It might be a zero day, or it might be malware, unknown malware of course, of ten years ago. They reuse it, it passes through the FortiGate and Bob is infected again. And then a third zero day is a variant. So the hacker is going to modify the code of an existing malware, and when the code is slightly modified it becomes a zero day. It's like going to the doctor for your flu vaccine. The flu vaccine has the variants of last year and maybe the year before of the flu, but when there is a whole new variant in the world, well, the vaccine doesn't work anymore and you become ill. So this is the same: slightly modified, passes through, infected.

So next to our signature-based antivirus, anti-malware, we need to have another solution that can identify the behavior of zero days, and we're going to use sandboxing technology. So we have FortiSandbox integrated in the Security Fabric. We can have the FortiSandbox on-premise for large enterprises, we can have it as a VM for data centers or maybe managed service providers, but we also have FortiSandbox in the cloud, that is part of the UTM bundle that you can have with your FortiGate and is part of the Enterprise ATP bundle of the FortiMail. So you can have FortiSandbox in different variants.

So how does sandboxing technology work, and how will FortiSandbox identify the zero day? Well, it is in five steps. Step one, it will check against an extended database. So how are we going to send the packages to the FortiSandbox? Well, Bob is going to a certain website or a certain application within the cloud, and the request comes back. FortiGate will check the data flow against IPS, AV, URL and so on, and the data flow can come back to Bob. But we cannot stop that data flow to be inspected by the FortiSandbox, because otherwise Bob will go to his administrator very mad, telling "I have a session interruption, I cannot work". So we are going to duplicate, or deviate, the data flow to the FortiSandbox, and then step one will occur. According to the policies we can send all packages or certain packages to the sandbox. We're going to check it against an extended database, a signature-based database. So all the known malware where we already have a signature for will be checked, and if that package has been identified as being a vintage, because then we can really find these vintage zero days, then it will already stop after step one and we already have identified a zero day. Otherwise we go to step two, and this is an important one. The FortiSandbox will communicate with FortiGuard in the cloud. FortiGuard is the brains of Fortinet, it's really like the heart of Fortinet, it's where the threat intelligence lies. So Fortinet has a lab of more than 200 engineers scanning the internet on a daily basis, collecting all the logs of all the Fortinet devices throughout the world, to see if they already can find new malware and new zero days. And this is really important, because then we can really talk about a global security fabric. First of all, Fortinet is part of the Global Threat Alliance, and the Global Threat Alliance is an alliance of different security vendors like Fortinet, Palo Alto, Cisco, Trend Micro and so on, and they share security information. If one of the vendors has identified a zero day, they will share that intelligence, that information, with the other security vendors, so that Fortinet, FortiGuard, can update all the databases throughout the world. Another really important thing about FortiGuard, and about the sensors, because every sold Fortinet appliance acts as a sensor, is that Fortinet is number one in the number of appliances ever sold. That means they have sold more appliances than Palo Alto, Check Point and Cisco together, and they have sold more than three million appliances. One of three security appliances sold throughout the world is Fortinet, and they are all part of a global security fabric, so the integration is really huge. So FortiSandbox will do a cloud query and ask FortiGuard if that certain package has already been identified as malware or as suspicious throughout the world. So it can happen that a FortiSandbox in America has identified that same package already as being malware. A pre-signature has been sent from that FortiSandbox in America to FortiGuard, and FortiGuard can communicate with our FortiSandbox and send out the pre-signature to the FortiSandbox saying yes, it has been identified as malware. So the analysis will stop with step two.

But say our FortiSandbox has found nothing, so we go to step three, which is CPRL, content pattern recognition language. It is called emulation. What is the sandbox going to do? It is not yet executing the code, but interpreting the code of that package. The FortiSandbox will check, for instance, we have a PDF here that is being checked, and in the code it says, OK, that PDF will remain quiet until after three months and then it becomes active. A PDF is not allowed to do that. Or in the code it has been written that that package will contact a command and control server somewhere, or a website with a certain malware. So we can really check the code on anomalies, and the CPRL is very good at detecting evasion techniques, code that is specifically written to avoid sandboxing technology. Because hackers are getting very smart, and they use code such that when that certain package is executed in a VM, which is what FortiSandbox also does, when it is executed it becomes a clean package, clean code. So that's an evasion technique, and CPRL is very good at detecting that. These first three steps can already identify 80% of all zero days, and most of the time we don't have to go to step four and step five. So these are really, really good techniques already in the sandbox, also because it is OS independent; we can check nearly all packages that will be sent to the sandbox. But say after 30 to 40 seconds we have not found anything, so we go on to execute the code, execute the package in a VM, in a safe virtual machine, so we can really identify how the behavior of that code will work, and then we can check if that code will make callbacks to a command and control server, callbacks to a website that is infected and so on. These two extra steps take about two minutes to five minutes, depending on the complexity of the code that is being analyzed.

When we have found something, when the FortiSandbox has found malware, it will generate a report and will flag that malware as being high risk, medium risk, low risk, suspicious and so on, and the sandbox will already create a pre-signature, also called a hash, and that hash will be sent to the FortiGate. So with that hash, with that pre-signature, the FortiGate can update the antivirus database, IPS database, URL filter and so on, so we can already have a certain level of protection before the real signature has been developed by FortiGuard, because, well, it can take up to 24 hours until a real signature has been made. So of course FortiSandbox will send a pre-signature to FortiGuard as well. We're going to send a pre-signature to FortiMail, and there is something really good about the integration of FortiMail, so please position FortiMail as well to your customers. As I have said, we cannot interrupt a data flow coming from the internet through the FortiGate to Bob's laptop in order to be inspected by the FortiSandbox. FortiMail uses store-and-forward techniques. That means that when a mail comes in, we can inspect the URL, the attachments, all the active content of the mail by the FortiSandbox, and that means we can store the mail. We will not deliver the mail already to Bob, but send the mail to be inspected. If the mail is safe, then the mail will be delivered to Bob. Is the mail not safe, then the mail will not be delivered, and nothing will be sent to Bob's laptop. So this is really important, to have the integration with FortiMail as well, because 70% of all malware and of all zero days will be sent by email. So this is a really, really important part. And of course the information, the pre-signature, will be sent to the FortiClient database, the AV database of the FortiClient on Bob's laptop.

So what are the other functionalities of FortiClient? Because you can say, well, FortiClient is like another endpoint protection and we have our Trend Micro or our Symantec. Well, FortiClient is like another endpoint protection, but it becomes intelligent when integrated into the Security Fabric, because with the integration of FortiClient and FortiGate we can easily block Bob's laptop, or block the malware that has come through the FortiGate, inspected by the sandbox. So we really have an automated response to quarantine a laptop, an IP address and so on. So the FortiClient also has the AV database, also our URL filter, but also patch management, so we can make sure that Bob's laptop has all the latest updates of all software installed on his laptop, and we can also automate by saying if he doesn't have the latest software updates, well, Bob cannot go through the FortiGate to the internet. So again, with FortiClient as part of the Security Fabric we can set automated policies. Also we can have our VPN setup: when Bob is working remotely from home, he can have that secure tunnel towards the FortiGate to be able to access his data on the network. And from FortiOS 6.2, this is really important, it has a direct integration also with FortiSandbox in the cloud, so you can have that extended protection against zero days. So FortiSandbox integrations: as I said already, you can have FortiSandbox on premise, but it's also part of the UTM bundle of the FortiGate, but if you have the FortiClient with FortiOS 6.2 you also have FortiSandbox Cloud integrated directly, so that means it can communicate with FortiSandbox in the cloud. Another way of communication, when Bob is working from an airport for instance, is that the FortiClient will communicate every time with FortiGuard directly, to have the latest signatures for the AV database, to have the latest updates on our URL filtering, and to have the latest patches also. So this is really important, to have FortiClient also integrated in the Security Fabric.

And we can go even further, because as I have said, FortiGate can act as a controller for FortiSwitch and FortiAP. We can have an extra layer of protection on layer 2. So if we add our FortiSwitch and our FortiAP, then we have that type of extra level of protection. That means, well, a switch is a switch of course, a FortiSwitch is also like a normal switch, but integrated into the Security Fabric we can even block certain ports on layer 2. When malware or zero days are found on Bob's laptop in, like, a VLAN of sales, we can say OK, we don't want that the other VLANs, back office teams, pre-sales team, who have different ports on the switches, we don't want that the malware will spread laterally in the network. We can block the ports, or we can block Bob's IP address connecting to our FortiAP within the network. So these are really, really good components to have network security in place.

And then last but not least, of course, we need to have a way to have advanced visibility of what's happening in the network. So we can use FortiAnalyzer for bigger environments, or alternatively for the SMB market we can work with FortiCloud at the customer premise, and even within managed services we can have a FortiCloud multi-tenant license if our partners want to do security management, security services, for their customers. So what does the FortiAnalyzer do? It will collect all the logs of the Fortinet solutions within our local security fabric. So it will collect the logs of our FortiGates, it will collect the logs of our FortiWeb when we have it installed, or FortiMail, FortiSandbox and FortiClient, and these logs will be collected and correlated to see what happens on the network, to raise an alert and send that alert back to the FortiGate. So again, when a malware has been identified, the FortiGate can automatically quarantine a certain laptop, a certain IP address. So visibility can also be used like a SOC device, Security Operations Center, where we can really, in international companies, see what happens in each region and so on.

But a really important license, an additional license that we can have on our FortiAnalyzer, or on the FortiGate when we combine FortiGate with FortiCloud for instance, is the indicators of compromise. The indicators of compromise is an additional license. It's a necessary license to be compliant for GDPR, for instance, because it raises the visibility even more on what happens on a network. So how do indicators of compromise work? Let us say that Bob yesterday went to his banking website. So he did a request through the FortiGate, the FortiGate said yeah, you're allowed to go to your banking website, so the request comes back and Bob is on the website. Well, today there has been a pre-signature or signature that that certain URL, that certain website, is identified as a phishing website. So that means that our URL database has been updated, and an AV signature has been updated in the database because malware has been found on that website. So all these databases are updated. The indicators of compromise will check all the logs of the last seven days, and of course Bob going to his banking website is logged also, so it will check all the logs against the new updates in our databases. So we can now generate, or FortiAnalyzer can now generate, an alert saying Bob went to his banking website yesterday, now updated as a phishing website, so it is possible that Bob is infected, so there might be an indicator of compromise. And again, what we can do is send that alert to the FortiGate, and the FortiGate can either block a port or quarantine Bob's laptop from the internet again until we have resolved the security issue. So that is how the Fortinet Security Fabric works. Thank you very much.
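The retrospective indicators-of-compromise check described at the end of the session, as an added example (not Fortinet's code; the log format, user names, addresses and URLs are constructed): it replays a seven-day window of web-filter logs against hosts that a later database update flagged as bad, alerts on every user and address that was allowed to reach one, and lists the addresses a FortiGate would be asked to quarantine.

```python
"""Retrospective IoC scan: re-check recently allowed traffic against
indicators that were only added to the URL/AV databases afterwards.
Added example, not Fortinet code; the log format below is constructed."""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed web-filter log lines (not the real FortiGate log format).
SAMPLE_LOGS = """\
2019-05-01T09:12:03 user=bob src=10.1.20.15 action=accept url=https://online.examplebank.test/login
2019-05-01T09:13:40 user=bob src=10.1.20.15 action=accept url=https://www.example.org/news
2019-04-20T11:02:11 user=alice src=10.1.30.7 action=accept url=https://online.examplebank.test/login
2019-05-02T08:00:00 user=carol src=10.1.20.22 action=block url=http://bad.example.test/x
"""

def parse_log_line(line):
    """Turn 'key=value' pairs into a dict; the first token is the timestamp."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def retrospective_ioc_scan(log_text, newly_bad_hosts, now, window_days=7):
    """Replay the log window against hosts that were NOT known bad when the
    traffic was allowed. Only 'accept' events matter: a blocked request never
    reached the user. Returns one alert per (user, src, host) triple."""
    cutoff = now - timedelta(days=window_days)
    seen = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec["ts"] < cutoff or rec["action"] != "accept":
            continue  # outside the window, or never delivered to the user
        host = urlsplit(rec["url"]).hostname
        key = (rec["user"], rec["src"], host)
        if host in newly_bad_hosts and key not in seen:
            seen.add(key)
            alerts.append({
                "user": rec["user"], "src": rec["src"], "host": host,
                "category": newly_bad_hosts[host], "first_seen": rec["ts"],
            })
    return alerts

def quarantine_targets(alerts):
    """Source addresses the FortiGate would be told to quarantine."""
    return sorted({a["src"] for a in alerts})

if __name__ == "__main__":
    # Constructed: today's database update flags the bank host as phishing.
    update = {"online.examplebank.test": "phishing"}
    found = retrospective_ioc_scan(SAMPLE_LOGS, update, datetime(2019, 5, 2, 12))
    for a in found:
        print(f"IOC: {a['user']}@{a['src']} reached {a['host']} "
              f"({a['category']}) at {a['first_seen']}")
    print("quarantine:", quarantine_targets(found))
```

Alice's visit falls outside the seven-day window and Carol's request was blocked, so only Bob's allowed visit from yesterday produces an alert.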
Info
Channel: Exclusive Networks BeLux
Views: 14,522
Keywords: fortinet, Security Fabric, Exclusive Networks
Id: MSWwh5kSi38
Length: 30min 50sec (1850 seconds)
Published: Thu May 02 2019