building secure access solution - infosecurity vip...fortinet secure access approach captive portal,...
© Copyright Fortinet Inc. All rights reserved.
Building Secure Access Solution: How to Create a Secure Access Strategy
▪ 2017
Ricardo Guzman – Systems Engineer Caribbean
Borderless Attack Surface
Clinics Hospitals
Data Center
Remote Office
Mobile
PoS
IoT
There’s more ways in
More ways out
[Digital Transformation]
DX is the integration of digital technology into all areas of a business, resulting in fundamental changes to how businesses operate and how they deliver value to customers
The Cybersecurity Problem… TODAY / 2020
▪ Breaches will affect over 1.5 billion people
▪ 6.9 billion connected “things” on business networks
▪ 256 days to detect an external breach
▪ 11 million records compromised in June 2017
▪ 2.4 billion connected “things” on business networks
▪ No decline in sight
The true challenge = 1: uncontained threat, open network port, unknown device. It only takes one.
[Security Transformation]
SX is the integration of security into all areas of digital technology, resulting in a Security Architecture that provides a Continuous Trust Assessment
Device Domain — Where Vulnerability Starts
SECURITY MUST START at the Network Domain and Continue in the Service and Application Domains
[Diagram labels: Lack of Standardization; Headless; Cost; GTM; Devices; Vendors; Security]
The First Challenge: Connectivity
The network admin in their natural state
A super-fast network without control and security
The Second Challenge: Security
When Security Interrupts Business
The Solution: Integrated Secure Access
SECURE ACCESS SOLUTION
SECURE ACCESS BUILDING BLOCKS
Access medium?
Where?
https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/comment-page-3/
3 Steps for a better network
1. Learn: Trusted or Not Trusted
2. Segment: Define a Policy
3. Control & Protect: Everything
Reducing the Attack Surface
Fortinet Secure Access Approach
▪ Captive Portal, 802.1X (RADIUS) / shared key
▪ Assign users and devices to their role
▪ Examine traffic to remove threats
▪ Apply policy to users and applications
▪ Identify applications and destinations
▪ Reports on policy violations, application usage, destinations and PCI DSS
▪ Ensures business traffic has priority
Corporate Wi-Fi
FIRST STEPS
Authentication
Wi-Fi security through the years…
▪ Original Standard – 1997: WEP Protection
▪ 802.11i – 2004: WPA2
▪ WPA3
Secure Wireless LAN Guest Access
Temporary user provisioning and guest WLAN access
▪ Allow non-IT staff to create a guest account via web portal
▪ Assign time quota
▪ Generate temporary password
▪ Distribute guest credentials:
» SMS
▪ Batch guest user creation option
Identification: Same network but different profiles
Employees, Managers, Executives, Visitors
Internal Segmentation
[Diagram labels: WAN, Internet, Cloud, Home Office, Branch Office, Private Cloud, Edge Gateway, Data Center, Internal Network (100 Gbps+), Internal Segmentation (ISFW); External / Internal]
Application & Bandwidth Control
Bandwidth Control
▪ Uses Layer-7 inspection
▪ Ensures business critical applications are prioritized
▪ Ensures bandwidth allocation is fair
▪ Critical for optimization of WAN links
Fortinet Application Control Sensors
▪ Over 3,000+ Apps Identified, 16 Categories
▪ Advanced IM & P2P control
▪ Application Control Traffic Shaping
▪ SSL Content Inspection
[Diagram labels: Client #1, Client #2; Priority App, Non-Priority App; FortiAP, FortiGate, Internet]
Visibility: Who, What, Where, When
Live Inventory of Network Connections (LINC): School 1, School 2, School 3
Visibility
Central monitoring of the Fabric
Respond
Automated response to compromised devices
▪ How it works
» A device is detected as compromised by one element of the fabric
» Switches and APs can automatically quarantine the device at the access layer
▪ Why it’s important
» Compromised IoT devices are no longer a threat to the wider network
» Guest devices (if infected) will be dealt with automatically
Security Fabric and NAC
Challenges
▪ Connected “things” on business networks
▪ Lack of Network Visibility
▪ Regulation & Audit
[Diagram labels: Switch, Firewall, Access Point, Router, SIEM, IDS/IPS]
Security Fabric and NAC
Solution: FortiNAC
Network Sentry
Protocols: SNMP, CLI, RADIUS, Syslog, API
Visibility: Discover all endpoints
▪ Identify and profile every endpoint
▪ Multi-vendor wired & wireless connectivity
▪ Self-registration to simplify guest management
Control
▪ Automated Authentication & Authorization
▪ Dynamic network access control
▪ Enable network micro-segmentation
Automated Response
▪ Bridge the SOC & NOC
▪ Rapid security event triage
▪ Accelerate threat investigations
▪ Granular containment options
Visibility: Endpoint Identification
▪ Device Classification
» Automatic or Manual
▪ Sponsor Notification
» Device Type
» Confirm on Connect
» Disable if Confirmation Fails
▪ 13 Profiling Methods
» More Methods = Higher Trust
Continuous device profiling
1. Printer connected to network
2. MAC notification trap triggers FortiNAC
3. FortiNAC profiles device as printer
4. FortiNAC informs Fabric to allow printer-type access to network
Containment of lateral threats at Edge
1. User brings infected laptop to work
2. FGT sends event to FortiNAC
3. FortiNAC quarantines the laptop at access layer
4. Virus contained at switch node
What else do we need?
Education
Continuous Improvement