Upload File

fortios carrier

4
www.fortinet.com FortiCarrier TM 5.0 Software Specialized security for service providers FortiCarrier 5.0 — Consolidated Security for Carriers and Service Providers Faced with explosive growth in the number of devices and applications being added to today’s mobile networks, carriers and service providers are turning to FortiGate appliances running FortiCarrier OS to provide high-performace/high-capacitance security solutions, offering long-term scalability and reliability. Security Gateway (SeGW) Platform FortiCarrier OS provides the GTP and SCTP firewall functionality to secure software interfaces in both older 2G/3G GPRS core mobility networks, as well as current LTE evolved packet core (EPC) environments. Growth in supporting the large numbers of deployed evolved NodeB (eNB) platforms in the form of microcells is supported by FortiCarrier OS’s high-performance/high-density VPN support. The use of virtual domains (VDOMs) in FortiCarrier OS deployments simplifies the segregation of SeGW functions into 3GPP software interfaces and device roles. FortiCarrier 5.0 Security Features IPv6-ready Stateful Firewall Dynamic Security Profiles and Groups Managed Security Voice Security MMS Security GPRS Tunneling Protocol (GTP) SCTP Firewall High-Performance and High Density VPN Concentrator – IPSec and SSL SSL-encrypted Traffic Inspection Antivirus/Antispyware and Antispam Intrusion Prevention System (IPS) Data Loss Prevention (DLP) Application Control Web Filtering Botnet Protection Client Reputation Tracking Endpoint Network Access Control (NAC) Vulnerability Management WAN Optimization Wireless Controller Monitoring, Logging and Reporting Virtual Domains High Availability Layer 2/3 Routing Services FortiGuard Security Updates FortiCare Worldwide 24x7 Support support.fortinet.com FortiGuard Threat Research & Response www.fortiguard.com

Upload: mropo

Post on 27-Dec-2015

5 views

Category:

Documents


1 download

Report

TRANSCRIPT

Page 1: FortiOS Carrier

www.fortinet.com

FortiCarrierTM 5.0 SoftwareSpecialized security for service providers

FortiCarrier 5.0 — Consolidated Security for Carriers and Service ProvidersFaced with explosive growth in the number of devices and applications being added to today’s mobile networks, carriers and service providers are turning to FortiGate appliances running FortiCarrier OS to provide high-performace/high-capacitance security solutions, offering long-term scalability and reliability.

Security Gateway (SeGW) PlatformFortiCarrier OS provides the GTP and SCTP firewall functionality to secure software interfaces in both older 2G/3G GPRS core mobility networks, as well as current LTE evolved packet core (EPC) environments. Growth in supporting the large numbers of deployed evolved NodeB (eNB) platforms in the form of microcells is supported by FortiCarrier OS’s high-performance/high-density VPN support. The use of virtual domains (VDOMs) in FortiCarrier OS deployments simplifies the segregation of SeGW functions into 3GPP software interfaces and device roles.

FortiCarrier 5.0 Security Features

• IPv6-ready Stateful Firewall•Dynamic Security Profiles and Groups•Managed Security•Voice Security•MMS Security•GPRS Tunneling Protocol (GTP)•SCTP Firewall •High-Performance and High Density

VPN Concentrator – IPSec and SSL•SSL-encrypted Traffic Inspection•Antivirus/Antispyware and Antispam• Intrusion Prevention System (IPS)•Data Loss Prevention (DLP)•Application Control•Web Filtering•Botnet Protection•Client Reputation Tracking•Endpoint Network Access Control (NAC)•Vulnerability Management•WAN Optimization•Wireless Controller•Monitoring, Logging and Reporting•Virtual Domains•High Availability•Layer 2/3 Routing Services•FortiGuard Security Updates

FortiCareWorldwide 24x7 Supportsupport.fortinet.com

FortiGuardThreat Research & Responsewww.fortiguard.com

Page 2: FortiOS Carrier

2

Voice Security

The Session Initiation Protocol (SIP) Signaling Firewall included with FortiGate appliances running FortiCarrier OS protects voice infrastructure interfacing with untrusted access, peering and trunking

networks. Compatible with IP Multimedia Subsystem (IMS) and pre-IMS deployments, the FortiCarrier platform helps to ensure Quality of Service (QoS) by preventing flooding and network availability attacks. The SIP firewall integrates seamlessly with the FortiCarrier 5.0 intrusion prevention system, protecting voice infrastructure from Denial of Service (DoS) attacks and other network-based threats.

FortiCarrier 5.0 — Complete Content and Network Protection for Service ProvidersService providers including MSSPs, voice operators and mobile operators will benefit from the hundreds of security-related features included with FortiCarrier 5.0. As networks migrate to IPv6 and service providers expand their portfolios to unlock new business opportunities, FortiGate consolidated security appliances running FortiCarrier OS are ready to deploy and scale as needed. FortiCarrier 5.0 includes all of the security features available in FortiOS 5.0 (see FortiOS 5.0 brochure) plus additional features benefitting service providers, some of which are highlighted below:

Mobile Provider Security

FortiGate appliances running FortiCarrier can protect mobile network infrastructures with integrated GPRS Tunneling Protocol (GTP) Firewall functionality, which includes support for GTPv2, ensuring compatibility

with a broad range of deployment scenarios. Fully integrated intrusion prevention blocks an array of GTP attacks. MMS Scanning inspects traffic on MM1/3/4/7 interfaces, and includes antivirus, flood detection, email antispam, data leakage prevention, and mobile content filtering to block phishing attacks.

Dynamic Contexts

As their customer bases grow, carriers and services providers find themselves managing hundreds of security policies and thousands of end-users. With Dynamic Contexts, administrators can apply security

policies to end-users automatically, greatly reducing the need for manual provisioning and lowering operating expenses.

Gi Firewall (GiFW) PlatformBYOD devices accessing the Internet and other data center and cloud-based packet data networks (PDNs), combined with the performance demands of today’s HPSA+, LTE, and Advanced-LTE networks, GiFW solutions need to be capable of scaling to support the security requirments of many thousands of concurrent users. FortiCarrier OS provides NGFW and UTM support for IPv4/IPv6 networks, dynamic contexting of subscribers and device-type policies. Included in FortiOS Carrier is support for MMS Scanning, which extends the content filtering, antimalware, and data leaking prevention (DLP) capabilities of FortiOS into MMS-based services.

Simplified ManagementIn addition to supporting a rich set of built-in GUI/CLI-based management, including internal logging and reporting, FortiCarrier OS is fully supported by FortiManager device management and FortiAnalyzer logging and analysis platform. FortiGates running both FortiCarrier OS and FortiOS devices can be managed together within a common management environment.

How FortiCarrier OS is LicensedPrior to FortiOS 5.0, running FortiCarrier OS required the use of dedicated FortiCarrier hardware models, which included the following:

• FortiCarrier3810A• FortiCarrier3950B• FortiCarrier5001A-DW

Customers with dedicated FortiCarrier hardware may continue to purchase these models, as well as upgrade to FortiCarrier 5.0.

However, with the release of FortiOS 5.0, certain FortiGate models running FortiOS 5.0 can be upgraded to run FortiCarrier 5.0 with the application of a FortiCarrier Upgrade License. This is a one-time upgrade, with no additional support or recurring costs other than the initial upgrade. Currently, the FortiGate models supported by the FortiCarrier Upgrade License include:

• FortiGate3240C• FortiGate3600C• FortiGate3700D• FortiGate3950B• FortiGate5001B• FortiGate5001C• FortiGate5101C

??

Page 3: FortiOS Carrier

3

features

Managed SecurityDynamic Contexts• AssignmentofServicePolicybyUser

(upto600,000users)

• ServicePolicycandefinethesettingsforanyoftheAdvancedSecurityServicesprovidedbyFortiOS Carrier

• EnablesParentalControlandOpt-outServices

Virtual Domain (VDOM)• SupportforhundredsofEnterpriseCustomersper

PhysicalBlade/Appliance,scalingtothousandsofEnterpriseCustomersperChassis

Consolidated Security• Firewall(ICSALabsCertified)

• IPSecVPN(ICSALabsCertified)

• SSL-VPN

• IntrusionPreventionSystem(ICSALabsCertified)

• GatewayAntivirus(ICSALabsCertified)

• WebFiltering(over2billionURLscategorized)

• AntispamFiltering

• ApplicationControl(thousandsofapplicationscategorized)

• DataLossPrevention(DLP)

• L2/L3RoutingwithRateLimiting

• SSL-BasedTrafficInspection

Centralized Logging and Alerting• ProvidedbyFortiAnalyzerAppliances

• AllLogandAlertFunctionsconfigurablepercustomer

• ConsolidatesSecurityandSystemEventLogs

• EventCorrelation,GraphicalReports,NetworkData Statistics

Centralized Management• ProvidedbyFortiManagerAppliances

• DeploymentConfiguration/Provisioning

• Real-TimeMonitoring

• Device&SecurityPolicyMaintenance

• LocalizedSecurityContentUpdateServer&RatingDatabaseforManagedDevices

Voice SecuritySIP Signalling Firewall• StatefulandSIPProtocol-AwareFirewall

• HardwareAcceleratedRTPProcessingforReducedPacketLoss,PacketLatency,andJitter

• SIPTransparent(InspectOnly)&NAT(RewriteSIPHeader)OperatingModes

• SupportsSIPServersinProxyorRedirectOperating Mode

• ConfigurableRTPPinholingSupport

• SupportsComplexSource&DestinationSIPNATEnvironments(SIP&RTPProtocols)

SIP Signalling Firewall (continued)• NATIPPreservationRetainsOriginatingIPAddress

forAdministrativePurposes(e.g.Billing)

• SIPTrackingoverSessionLifespan

• SIPSessionFailoverforActive-PassiveHigh Availability

• SIPSessionLoadBalancing(viaVirtualIPLoad Balancing)

• GeographicalRedundancySupport

• SIPRateLimitingtoPreventSIPServerFlooding/Overload

• IPTopologyHidingofSIP&RTPServer(viaNATand NAPT)

• ConfigurableSIPCommandControlBlocksUnauthorizedSIPMethods

• ConfigurableSIPBlockingforMessagesthatExceedDefinedMaximumHeaderLength

• SIPRegistrarExclusivelyOptiontoAvoidSpoofingofClients

• SIPCommunicationLoggingtoFortiAnalyzerAppliances

• SIPStatistics(ActiveSessions,TotalCalls,CallsFailed/Dropped,CallSucceeded)

Additional Voice Security Technologies• IntrusionPreventionSystemwithVoIPProtocol

Anomaly&VoIPProtocolAwareSignature-BasedInspectionCapabilities

• DenialofService(DoS)SensorProtectsTrustedZonesfromFloodingAttacks

• IntegratedIPSecforSecuredTunnelsBetweenTrustedZones

• VirtualDomain(VDOM)SupportforAdditionalIsolationofInfrastructurewithintheSamePhysical Environment

Mobile SecurityDynamic Security Profiles• AssignmentofServicePolicybyMSISDN

(Mobile Station)

• ServicePolicycandefinethesettingsforanyoftheAdvancedSecurityServicesprovidedbyFortiOS Carrier

• EnablesParentalControlandOpt-outServices

MMS General• SupportforMultipleMMSPolicyProfilesfor

ConsolidatedorMVNODeployments

• CustomizableNotificationMessages(perMVNO)

• MSISDNHeaderParsing(includingCookieExtraction&Hex-basedConversionsforMM1/MM7messagetypes)

• MMSFileIntercepttoFortiAnalyzerAppliancesforForensicAnalysis

• MMSContentArchive(FullMMSMessageArchivingtoFortiAnalyzerApplianceswithHTTP/SMTPTransportHeaders)

• PerMSISDN&PerMobileStationTypeReportingofMaliciousActivityviaFortiAnalyzerAppliances

MMS Antivirus• MonitorOnly&ActiveBlockingModes(per

Interface Type)

• SimultaneousMalwareScanningofMM1/MM3/MM4/MM7MessageTypes

• RemoveMaliciousContentOnlyOption(allowsMessageTransactiontocomplete)

• FileTypeAnalysiswithConfigurableBlockorInterceptActions(FileExtensionIndependent)

• ConfigurableRetrieveMessageScanning(MM1)toAvoidRedundantInspection

• PerSenderScanningwithConfigurableBlock/Archive/InterceptActions

• MM1/MM7Client&ServerComforting

MMS Antispam/Antifraud• MM1/MM4FloodDetectionwithThreeConfigurable

ThresholdswithDiscreteActions

• MM1/MM4DuplicateMessageDetectionwithConfigurableThresholdsandActions

• ConfigurableAlertNotificationtoAdministratorofSpamorFraudActivity

• MM1/MM7BannedWordScoringwithConfigurableBlock/PassActions

GTP Firewall• IntegratedIntrusionPreventionInspectionfor

GTP Payloads

• ForGn/GpInterfaces(older3GPP)andS11&S5/S8Interfaces(LTE)

-GTPPacketSanityCheck,LengthFiltering&Type Screening

-GSNTunnelLimiting&RateLimiting

-GTPStatefulInspection

-HangingGTPTunnelCleanup

-GTPTunnelFail-OverforHighAvailability

-GTPIMSIPrefix(upto1000)&APN(upto2000)Filtering

-GTPSequenceNumberValidation

-IPFragmentationofGTPMessages

-GGSN&SGSNRedirection

-DetectingGTP-in-GTPPackets

-GTPTrafficCounting&Logging

-Anti-OverbillingTogetherwithGiFirewall

-EncapsulatedTrafficFilteringwithAntispoofing Capabilities

-GTPProtocolAnomalyDetectionandExploit Prevention

-HandoverControltopreventSessionHijacking

• ForGiInterface

-Anti-OverbillingtogetherwithGn/GpFirewall

Page 4: FortiOS Carrier

GLOBAL HEADQUARTERS EMEA SALES OFFICE APAC SALES OFFICE LATIN AMERICA SALES OFFICE

Fortinet Inc.899 Kifer RoadSunnyvale, CA 94086 United StatesTel: +1.408.235.7700 Fax: +1.408.235.7737

120 rue Albert Caquot06560, Sophia Antipolis, FranceTel: +33.4.8987.0510Fax: +33.4.8987.0501

300 Beach Road #20-01The ConcourseSingapore 199555Tel: +65.6513.3730Fax: +65.6223.6784

Prol. Paseo de la Reforma 115 Int. 702Col. Lomas de Santa Fe,C.P. 01219 Del. Alvaro ObregónMéxico D.F.Tel: 011-52-(55) 5524-8480

Copyright© 2014 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

FST-PROD-DS-FCR FCR-5.0-DAT-R2-201404

services

FortiOS NetworkingNetworking/Routing• MultipleWANLinkSupport

• PPPoESupport

• DHCPClient/Server

• Policy-basedRouting

• DynamicRoutingforIPv4(RIP,OSPF,IS-IS,BGP&Multicastprotocols)

• DynamicRoutingforIPv6(RIP,OSPF,&BGP)

• Multi-ZoneSupport

• RouteBetweenZones

• RouteBetweenVirtualLANs(VLANs)

• Multi-LinkAggregation(802.3ad)

• IPv6Support(Firewall,DNS,TransparentMode,SIP,DynamicRouting,AdminAccess,Management)

• VRRPandLinkFailureControl

• sFlowClient

Traffic Shaping• Policy-basedTrafficShaping

• Application-basedandPer-IPTrafficShaping

• DifferentiatedServices(DiffServ)Support

• Guarantee/Max/PriorityBandwidth

• ShapingviaAccounting,TrafficQuotas

Virtual Domains (VDOMs)• SeparateFirewall/RoutingDomains

• SeparateAdministrativeDomains

• SeparateVLANInterfaces

• 10VDOMLicenseStd.(morecanbeadded)

Data Center Optimization• WebServerCachingTCPMultiplexing

• HTTPSOffloadingWCCPSupport

High Availability (HA)• Active-Active,Active-Passive

• StatefulFailover(FWandVPN)

• DeviceFailureDetectionandNotification

• LinkStatusMonitor

• Linkfailover

• ServerLoadBalancing

WAN Optimization• Bi-Directional/GatewaytoClient/Gateway

• IntegratedCachingandProtocolOptimization

• AcceleratesCIFS/FTP/MAPI/HTTP/HTTPS/GenericTCP

• RequiresaFortiGatedevicewithHardDrive

FortiOS ManagementManagement/Administration Options• WebUI(HTTP/HTTPS)

• Telnet/SecureCommandShell(SSH),andCommandLineInterface(CLI)

• Role-BasedAdministration

• Multi-languageSupport:English,Japanese,Korean,Spanish,Chinese(Simplified&Traditional),French

• MultipleAdministratorsandUserLevels

• SystemSoftwareRollback

• ConfigurablePasswordPolicy

• CustomizableDashboardWidgets(WebUI)

• CentralManagementviaFortiManager(optional)

Logging/Monitoring/Vulnerability Management• NetworkVulnerabilityScanning

• GraphicalReportSchedulingSupport

• GraphicalReal-TimeandHistoricalMonitoring

• LocalandRemoteSyslog/WELFserverlogging

• SNMPSupport

• EmailNotificationofEvents

• VPNTunnelMonitor

• OptionalFortiAnalyzerLogging(includingper-VDOM)

• OptionalFortiGuardAnalysisandManagementService

Firewall User Authentication Options• LocalDatabase

• WindowsActiveDirectory(AD)Integration(w/FSAE)

• ExternalRADIUS/LDAP/TACACS+Integration

• XauthoverRADIUSforIPSECVPN

• RSASecurIDSupport

• LDAPGroupSupport

• FortiTokenSupport

Wireless Controller• UnifiedWiFiandAccessPointManagement

• AutomaticProvisioningofAPs

• On-wireDetectionandBlockingofRogueAPs

• VirtualAPswithDifferentSSIDs

• MultipleAuthenticationMethods

Product sKu DescriptionFortiCarrierUpgrade FCR-UPG FortiCarrier Upgrade License Certificate for supported FortiGate models (3240C, 3600C, 3700D, 3950B, 5001B, 5001C, 5101C).

OrDer infOrmatiOn


Fortigate Fortios Handbook 40 Mr3

FortiOS Handbook: Hardware Acceleration for FortiOS 5.2docs.fortinet.com/uploaded/files/2151/fortigate-hardware-accel-521.pdf · Fortinet Technologies Inc. Page 6 FortiOS™ Handbook

FortiOS v4.0 MR1 Release Notes

Sicherheit ohne Kompromisse -  · Fortinet Founded Began Global Sales FortiManager FortiOS 3.0 FortiOS 4.0 FortiAP FortiOS 5.0 & SoC2 1st 40GbE Port Security Appliance FortiASIC NP6

CLI Reference for FortiOS 5.2

FortiOS Handbook: Authentication for FortiOS 5.0

FortiOS Handbook: User Authenticationpub.kb.fortinet.com/ksmcontent/Fortinet-Public/... · FortiOS Handbook FortiOS™ Handbook v3: User Authentication 01-433-122870-20111216 3 Contents

ASIC-ACCELERATED PROTECTION · Began Global Sales FortiManager FortiOS 3.0 FortiOS 4.0 FortiAP FortiOS 5.0 & SoC2 1st 40GbE Port Security ... IDC Worldwide IT Security Products Forecast,

FortiOS Release Notes v5.2pub.kb.fortinet.com/.../fortios-5.2.0-release-notes.pdfNew Feature Highlights Page 9 FortiOS v5.2.0 Release Notes SSL VPN Creation SSL VPN configuration has

FortiOS Release Notes v5.0 - Fortinet Knowledge Basepub.kb.fortinet.com/.../FortiOS-v5.0-Patch-Release-2-Release-Notes.… · Upgrading from FortiOS v4.0 MR3 ... Page 6 Change Log

FortiOS 5 Network Security Operating System - Kapsch · FortiOS® 5 Network Security Operating System ... FortiOS also integrates well with third-party solutions such ... (PAP, CHAP,

FortiOS Handbook: Deploying Wireless Networks for FortiOS 5.0

FortiOS 5 Wireless LAN Controller Data Sheet€¦ · FortiOS® 5 Wireless LAN Controller Secure Wireless LAN Access Fortinet Secure Wireless LAN Controllers are powered by FortiOS,

FortiOS Handbook - ver.5.0

FortiOS 5 Network Security Operating System - Optrics · FortiOS® 5 Network Security Operating System For Unified Threat Management FortiOS is a security-hardened, ... your network,

Fortios 5.2.0 Release Notes

FortiOS 5.2 CLI Reference - Fortinet Docs Library · fp-sensitivity ... Fortinet Technologies Inc. Page 9 FortiOS™ - CLI Reference for FortiOS 5.2 custom-language ... 920 central-mgmt

FortiOS Cookbook - Virtual Domains - Fortinet

Fortinet FortiOS 5 Presentation

FortiOS Handbook - Logging and Reporting

FortiOS CLI Reference

FortiOS Handbook WAN Optimization, Web Cache, … · FortiOS™ Handbook WAN Optimization, Web Cache, Explicit Proxy, ... Page 4 FortiOS™ Handbook - WAN Optimization, Web Cache,

FortiGate/FortiOS 6

Fortios v5.0.9 Release Notes

Fortios Handbook 40 Mr3

FortiOS Release Notes - Fortinet Docs Library - Documents, …docs.fortinet.com/.../2203/fortios-v5.2.2-release-notes.pdf ·  · 2015-10-27Table of Contents Page 4 FortiOS v5.2.2

FortiOS v2.80 MR12 Release Notes

Advanced Routing - FortiOS Handbook - Fortinet

FortiOS v404 Release Notes

FortiOS 5 Network Security Operating System - Optrics · FortiOS® 5 Network Security Operating System ... FortiOS also integrates well with third-party solutions such ... (PAP, CHAP,

FortiOS 5.0 Handbook

FortiOS v4.0 MR3 Patch Release 11 Release Notes163.17.235.1/sct/FortiOS-v4.0-MR3-Patch-Release-11-Release-Notes… · FortiOS v4.0 MR3 Patch Release 11 Release Notes November 21,

INTERNAL SEGMENTATION FIREWALL - TRTEC Founded Began Global Sales FortiManager FortiOS 3.0 FortiWiFi FortiOS 4.0 FortiAP FortiOS 5.0 & SoC2 1st 40GbE Port Security Appliance FortiASIC

Fortios Certificate Management

FortiOS™ CLI Reference · 2012. 4. 13. · FortiOS™ CLI Reference FortiOS 4.0 MR3 Visit to register your FortiOS product. By registering you can receive product updates, technical