Securing Next Generation Carrier Networks
Vishak Raman - Regional Director – SAARC
Fortinet Confidential
Security Solutions for Service Providers
Two discrete solutions for Service Providers
1. Protecting the Service Provider’s Infrastructure
[Diagram labels: Mobile Network, RADIUS Server, GGSN, SGSN]
2. Protecting the customer (Managed Security Service Provider)
[Diagram labels: Subscriber Networks]
Managed Security Services
MSS Drivers
Drivers
- Domestic Regulation
- Huge SME uptake
- Concerns over Confidentiality
- Reducing cost & fulfilling corporate requirements
Inhibitors
- Perturbations in Financial Markets
- Lack of Investments in Regional SOCs
- Localization of Support
Key Success Factors
- Service Expertise
- Quality of Service
- Cost Reduction
- Relationship window
APAC MSS Landscape
Integrators
Telecommunication/WAN Providers
Pure-Play
Inclusion Criteria
- > 150 customer FW/IPS/Web/Mail GW in APAC, or 50 customers in APAC
- HQ or Major RO in APAC
- Channel presence in 2 of 6 APAC Regions
- 2 reference accounts to Gartner
APAC MSS Pointers
Market Growth Rate in 2009
  Number of devices          24%
  Client Base                16%

Deal Size                    APAC      EMEA
<$150K                       57%       12.5%
Between $150K and $750K      30%       25%
Between $750K and $1.5M      _______   25%
>$1.5M                       _______   37.5%

Type                         No of Devices in 2009
CPE (Customer Premise)       20,010
ITC (In The Cloud)           2,760
Beyond “Device Management”
CPE / Client Based MSS
[Diagram labels: NOC/SOC, Internet]
Cloud Based Services
• Per Customer Virtual Domain
  ▪ Application Control
  ▪ Web Filtering
  ▪ AntiVirus / AntiSpyware
  ▪ Data Leak Prevention
  ▪ AntiSpam
  ▪ Intrusion Protection
  ▪ VPN (IPSec / SSL)
  ▪ Firewall
  ▪ Dynamic Routing
Access Layer Virtualization Services
Virtualized Secure Remote Access Service to End Users in Public (IPSec / SSL)
- Virtualized Firewall catering to Virtual Network
- Independent Access Policies
- Virtualized IPS Sensor Policies
- Added advantage with Application control
Protecting VoIP servers and connections from Threat and targeted DoS Attacks
ACCESS CONTROL: Secure Authentication and Access
vUTM services in Select Markets
Virtualization in FortiGate
[Diagram: FortiGate Hardware running FortiOS, divided into a Root VDOM (MGMT) and Individual VDOMs, each with its own Firewall, VPN (IPSec/SSL), IPS / App Ctrl, WCF / G AV, Routing and VLANs; administered by a Super Admin and VDOM Admins]
Dynamic Security Profiles
Dynamic Security Profiles - In Home Parental Control*
- Provides an authenticated bypass of the service restrictions within a domestic environment
- Both end-points (users) are behind the same NAT boundary
- Clientless solution to differentiate access – no software to ‘hack’
- Parental control is maintained
[Diagram labels: Home user 1 (Adult) and Home user 2 (Child), each on DSL behind the same NAT; Dynamic Security Profiles; www.badsite.com]
*FortiOS Carrier 4.1
Dynamic Security Profiles - End-Point customisation
• Per end-point Black / White List
  − End points (users, MSISDN) can have their own black / white list
  − No requirement for end user to access FortiGate infrastructure
• Can be populated on Self Service Portal
• Dynamically configured on FortiGate as end points attach
  − RADIUS VSA Extension, no fixed limit for URLs
[Diagram labels: DSL+3G, RADIUS, Self Service Portal, Dynamic Security Profiles, www.badsite.com]
*FortiOS Carrier 4.2
Infrastructure protection
Mobile Operator Threat Evolution
[Diagram: services shown across the Pre-IMS and IMS eras: voice, SMS, VoIP, Media, IPTV, IM, MMS, Web, Rapid Application Deployment]
Security Considerations – What?
[Diagram: IMS architecture with FortiGate placement. Labels: Fixed Wireline, WiFi/WiMax and Mobile Wireless access; IP Network; Proxy CSCF, Interrogating CSCF and Serving CSCF in the IMS SIP Core; App Servers (Presence / IM, Push-to-talk, etc.); PDF/RACS/RACF; A-BGF, I-BGF, I-BCF; PSTN Media Gateway; Carrier Peer IP Network; protocols SIP, H.248, DIAMETER and Media]
Access
- Voice security moves all the way to the handset
- Encryption/Compression/Authentication (open up payload)
- IPS capabilities (msg flood, header tampering)
- Network Denial of Service
- Antivirus
- Same HTTP/SMTP offerings as pre-IMS at Internet Egress
Applications
- Rapid app delivery
- Host Attacks
Peering
- Open Internet (Traffic Anomaly)
- IPS (msg flood, proto conformance)
- QoS
- VPN
- Antivirus
- Protocol translations (L3 and L4)
- NAT ALG services
- Overlapping Subnets
- Virtualization per peer
Handsets
- FW/VPN/IPS/AV
FortiOS Carrier Security Highlights
Dynamic Profiles
- Per user services via a RADIUS API
- Protection Profile derived from RADIUS record
Session Initiation Protocol (SIP) Security
- Stateful SIP tracking, Malicious SIP message protection, SIP Rate Limitation
- SIP Transparent or SIP NAT mode, IP Topology Hiding, RTP Pinholing
- Geographical Redundancy, SIP Stateful High-Availability
Multimedia Message Service (MMS) Security
- Antivirus, Antispam/Antifraud, Antiphishing (via Web Filtering)
- Sender and Admin notification
GPRS Tunneling Protocol (GTP) Firewall
- 3GPP 29.060 version 6.9.0, including Overbilling Protection
- Protocol Anomaly Checks, IMSI/APN/IE filtering
Fortinet: An Established Security Vendor
• Global presence with 30+ offices worldwide
• 5,000+ channel partners
• 500,000 units shipped worldwide
• 75,000+ customers (including the majority of the Fortune Global 100)
• 1,200+ employees
• IPO Nov 2009 – FTNT
• Consistently strong sequential growth
• Profitable: $259+ million cash balance & cash flow positive
Security Vendor of The Year in APAC
• Fortinet awarded 2010 Security Vendor of the Year by Frost & Sullivan for Asia Pacific
• Competitors: Juniper, Check Point, Cisco
“[…] an achievement that was undoubtedly driven by the foresight of Fortinet in expounding and leveraging on the rapidly emerging trend of technology convergence.
The combination of effective go-to-market and product strategies was pivotal in cementing Fortinet’s position as a major player in the network security market in the Asia Pacific region.”
Edison Yu, Asia Pacific Information & Communication Technologies Practice, Frost & Sullivan
Fortinet High-End Traction
International UTM Revenue Share, 2009
$50,000-99,999 Price Band
Source: IDC Worldwide Security Appliance Tracker, Q3 2009
*International = Western Europe + Japan + Asia Pacific
Fortinet Secures:
• 7 of Top 10 Fortune 500
• 5 of Top 10 Global 500 in EMEA
• 7 of Top 10 Global 500 in APAC
• 6 of Top 10 Global 500 Commercial & Savings Banks
• 7 of Top 10 Global 500 Aerospace & Defense
• 2 of Top 5 Global 500 in IT Services
India
2009 UTM Market – 31.26 M$
2009 Security Appliances Market – 85.23 M$
Fortinet TelCos/xSPs Customers Success
…and others rely on Fortinet’s protection