vectorusa and fortinet next generation network security

Post on 19-Feb-2017


Next Generation Network Security and why you need it for your business!

Patrick Luce, CISSP, CISM
Director of Consultative Services, VectorUSA

August 18, 2016

What is Next Generation Security?

Why is it important for your organization?

How is Next Generation Security evolving?

How does Fortinet approach protecting customers from emerging threats?

Agenda

Next Generation Security - History

To have a next generation, there needs to be a previous generation.

[Diagram: INSIDE: Inside Computer, 10.0.X.X (Internal); 150.151.X.X (Internet); OUTSIDE (INTERNET): Outside Computer, www.yahoo.com, 206.190.36.105, Port 80]

Network Address Translation (NAT)

Stateful Packet Inspection

Virtual Private Networking (VPN)

“First Generation” Firewalls – Three Features

[Diagram: INSIDE: Inside Computer, 10.0.X.X (Internal); 150.151.X.X (Internet); OUTSIDE (INTERNET): Outside Computer, www.yahoo.com, 206.190.36.105, Port 80]

Hackers expose all kinds of security flaws…

Application port designations become unreliable.

No control over where inside computers choose to connect to the outside world.

No control over the payload that outside computers deliver.

Weak security practices when configuring inside workstations and servers.

[Diagram: INSIDE: Inside Computer; OUTSIDE (INTERNET): www.yahoo.com, 206.190.36.105, Port 80]

Firewall

Intrusion Prevention System (IPS)

Web (URL Filter)

Mail Filter (antispam, antivirus)

Basic Application Inspection (FTP, SMTP, HTTP)

Here comes the cavalry…

New technologies require upkeep of signatures.
- This costs money…forever…

Traffic delays from processing packet streams multiple times.
- When life was web, file transfer and mail, no problem.
- With live video and audio, big problem.

Questions about real need, compliance, etc.

Now we have new problems…

Enter, Unified Threat Management (UTM)

FortiGate UTM

- Application Control
- Antivirus
- AntiSpam
- Web Filtering
- Next Generation Firewall
- WAN Acceleration
- Traffic Optimization
- VPN
- IPS
- DLP
- WiFi Controller

According to Gartner…(sigh)…

“Non-disruptive in-line bump-in-the-wire configuration”

“Standard first-generation firewall capabilities, e.g., network-address translation (NAT), stateful protocol inspection (SPI) and virtual private networking (VPN), etc.”

“Integrated signature-based IPS engine”

Enter, Next Generation Firewall NGFW??

“Application awareness, full stack visibility and granular control”

“Capability to incorporate information from outside the firewall, e.g., directory-based policy, blacklists, white lists, etc.”

“Upgrade path to include future information feeds and security threats”

“SSL decryption to enable identifying undesirable encrypted applications”

Now we had new problems continued …

What’s the difference?

Brilliant marketing. (image via https://blog.anitian.com.)

Security Control | NGFW/UTM Feature | PCI-DSS Requirement | HIPAA Requirement | California Civil Code
Install and maintain a stateful inspection firewall | Firewall | 1.1 (All), 1.3.6, 1.4 | |
Implement Perimeter Intrusion Prevention | IPS | 11.4A | § 164.312(c)(1) |
Implement Antivirus/Antimalware | Antivirus | 5.1-5.4 | § 164.308(a)(5)(ii)(B) |
Explicitly authorize outbound traffic to Internet | Web Filtering | 1.3.5 | § 164.312(c)(1) |
Enforce encryption of sensitive data | DLP | 4.1 | § 164.312(e)(2)(ii), § 164.312(a)(2)(iv) | 1798:29, FIPS 140-2
Secure end user messaging technologies | Application Control | 4.1.1 | | 1798:29
Retain and review audit logs | Logging/Reporting | 10 (all) | § 164.308(a)(1)(ii)(D) |

Current Compliance Requirement and NGFW/UTM

Common Sense NGFW Applications

Sandbox Inspection - Code emulation, OS sandboxing

Reputation Analysis - IP and Domain

Mobile Security

Embedded Vulnerability Assessment

Coming to a NGFW near you (or already here)

Talk to Patrick Luce about your Network Security
Pluce@vectorusa.com
310-436-1000
