Fortinet ZTA Solution Overview Presentation

Identify, Authenticate, and Monitor the Users and Devices on and off the Network
Peter Newton, Sr. Director of Products and Solutions
Enterprise Access Trends
• Authentication: from single authentication to continuous verification of identity and risk. By 2024, 70% of application access will use MFA, up from 10% today.[1]
• Teleworker: workforce shifts from 4% teleworking to 30% teleworking by end of 2021.[2]
• IoT and BYOD: by 2025, there will be 12B installed IoT devices.[3]
• Transition to dynamic hybrid cloud (on-prem data center, private cloud, public cloud): since nearly every organization needs it, hybrid IT use-case requirements have become more common among Gartner clients.[4]
1 Gartner Magic Quadrant for Access Management, 12 August 2019
2 Global Workplace Analytics
3 Gartner IoT Forecast
4 Gartner Magic Quadrant for Public Cloud Managed Services, 4 May 2020
© Fortinet Inc. All Rights Reserved.
Architectures Change
[Diagram: SaaS, remote users, DMZ, HQ data center, campus, private cloud data center, branch, public cloud]
Zero Trust Principles
For users and devices
• Verify
  • Authenticate and verify, on an ongoing basis
• Give minimal access
  • Segment the network to create small zones of control
  • Control access to applications, data, resources
  • Grant least privilege access based on need or role
• Assume Breach
  • Plan as if attackers are inside and outside the network
  • Forget the concept of a “trusted zone”, e.g., ‘in the office’
Fortinet Security Fabric
[Diagram: Fabric Management Center (NOC, SOC); Adaptive Cloud Security; Zero Trust Access; Security-Driven Networking; Open Ecosystem; FortiGuard Threat Intelligence; all built on FortiOS]
• Broad: visibility and protection of the entire digital attack surface to better manage risk
• Integrated: solution that reduces management complexity and shares threat intelligence
• Automated: self-healing networks with AI-driven security for fast and efficient operations
02012021
Zero Trust Access
Knowing and controlling everyone and everything on and off the network. Ensures consistent security policy across the network, the cloud, and off-network.
[Diagram: multi-cloud, endpoints, mobile, data center, campus, home, call center, factory, operational technologies, branch, edge compute, partners, IoT, customers]
Zero Trust Access Use Cases
• User Identity and Access Control
• Device Discovery and Dynamic Control
• Teleworker/Off-Network Access
• Application Access Management / VPN evolution
• Multi-Cloud
Use Case 1: Knowing who is on the network
Zero Trust Access—User Identification
IDENTITY IS A CORNERSTONE OF EFFECTIVE SECURITY POLICY
• Who is the user?
  • Employee? Guest? Contractor? Vendor?
  • How do you know?
• What access should they get?
  • User’s role determines access rights and security services
  • A least access policy allows access only to resources necessary for the role/job
Zero Trust Access—User Identification: authentication sources
[Diagram: identity sources feeding Zero Trust Network Access: SAML 2.0 (SaaS), FortiAuthenticator (certificate server), FSSO (Fortinet Single Sign On), guest portal, FortiToken, generic source via REST API, RSSO (RADIUS accounting), syslog]
• Two-Factor Authentication: establish identity through user log-in, certificate, and/or multifactor input
• Role-based Access: provide information from the authentication source for use in privileged access
• Single Sign On: reduce end user fatigue while maintaining security
Use Case 2: Knowing what is on the network
Zero Trust Access—Device Proliferation
[Diagram: FortiNAC at corporate headquarters and remote locations collecting data from switches, routers, access points, firewalls, SIEM, IDS/IPS and other security devices over SNMP, CLI, RADIUS, syslog, API and DHCP]
• Visibility: device identification, profiling, and vulnerability scanning
• Dynamic Control: dynamic micro-segmentation; supports intent-based segmentation
• Continuous Response: automated response and network orchestration; extends Security Fabric
What are the Key Use Cases of Network Access Control?
• User Access Control: policy-based user access controls that include who, where, when, and how metrics
• Device Discovery and Control: knowing and controlling everything that is on the network
• BYOD & Guest Access: onboarding guests and personal devices in a consistent, automated, and secure manner
• Device Risk Assessment: ensure managed devices onboard with approved firmware profiles, including remote VPN access
Visibility
Endpoint Identification
• Device Classification
  • Automatic or Manual
  • Sponsor Notification
  • Device Type
  • Confirm on Connect
  • Disable if Confirmation Fails
• 20 Profiling Methods
  • More Methods = Higher Trust
Continuous Device Profiling
1. Printer connected to network
2. MAC notification trap triggers FortiNAC
3. FortiNAC profiles device as printer
4. FortiNAC informs Fabric to allow printer-type access to network
Containment of Lateral Threats at Edge
1. User brings infected laptop to work
2. FGT (FortiGate) sends event to FortiNAC
3. FortiNAC quarantines the laptop at access layer
4. Virus contained at switch node
Key Platform Differentiators
Broad Device Awareness (and Enforcement)
• Supports more than 2,800 network infrastructure devices
• Bidirectional APIs for integrating FortiNAC with other 3rd party platforms (150+ vendors)
• Device identification in seconds
• Device sponsorship
Wired and Wireless Capability
• Not reliant on 802.1x for discovery or enforcement
• Consistent experience, equally effective on switching and wireless networks
Scalable Architecture
• Architecture does not require viewing network traffic, thus eliminating the need to deploy an appliance (virtual or physical) on every site in a multi-site installation
• Can be readily deployed by Service Providers and MSSPs due to virtual machine and cloud-based deployment options
Use Case 3: On-net, off-net protection
Zero Trust Access—Device Visibility & Control: on-net, off-net risk reduction
[Diagram: FortiClient Fabric Agent on endpoints at branch, HQ/campus and remote workers]
Capabilities: Endpoint Visibility, Hygiene Control, Secure Remote Access
• Security posture assessment
• Endpoint telemetry
• Applications
• Vulnerability scanning
• Web filtering
• Patching policy
• Dynamic grouping
• Dynamic access control
• VPN
• Single Sign On (SSO)
Use Case 4: Application Access Management
Zero Trust Network Access (Application Access): a better VPN connection
[Diagram: ZTNA from campus, branch and remote users through FOS policy and access proxy to applications in the data center, private cloud and public cloud]
• Transparent Tunnels: MFA as necessary; on-prem or remote; replacing VPN
• Safe, Granular Control: match users to applications; role-based application access; device posture check
• Location Independent: users on-prem, branch or remote; applications in cloud, public cloud or on-prem; hide applications from Internet
ZTNA Automatic Secure Connections
[Diagram: FortiClient on campus, branch and remote endpoints; FortiClient EMS policy; auto-on secure ZTNA tunnels (HTTPS/SSH) to the data center, private cloud and public cloud]
• Leveraging existing infrastructure
• Continuous reassessment & enforcement
• Auto-on secure ZTNA tunnels (HTTPS/SSH)
ZTNA Process
[Diagram: FortiClient on campus, branch and remote endpoints; FortiClient EMS policy; applications in the data center, private cloud and public cloud]
Flow shown: ZTNA Telemetry → Fabric Sync → Tunnel & Posture Check → Access
Fortinet’s ZTNA
What’s it made of? Existing Fortinet Security Fabric products
Core Elements
• FortiGate: builds the secure tunnel, maintains the user group/application access table (FOS 7.0)
• FortiClient / FortiClient EMS: FortiClient EMS configures the ZTNA agent in FortiClient for the secure connection back to the FortiGate (FortiClient 7.0)
• Authentication Solution: FortiAuthenticator, FortiToken or any 3rd party supported by the Security Fabric
Fortinet ZTNA advantages
Complete coverage vs. other ZTNA solutions
• Leveraging existing investments in on-prem firewalls
  • Most ZTNA solutions are SASE-only options with expensive charges for company-wide coverage
  • Leverage SD-WAN, SD-Branch capabilities
• Improved security (“Secure ZTNA”)
  • Extend FortiGate protection to wherever you are
  • Traffic traverses industry-leading FortiGate technology
• No licenses required
  • Simply a feature in FOS & FortiClient to turn on!
Evolution of VPN tunnels
Bringing Zero Trust principles to remote access
• Ongoing verification
  • Per-session user identity checks
  • Per-session device posture checks (OS version, A/V status, vulnerability assessment)
• More granular control
  • Access granted only to the specific application
  • No more broad VPN access to the network
• Easier user experience
  • Auto-initiates secure tunnel when user accesses applications
  • Same experience on and off-net
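As an added illustration (not Fortinet's code), a simplified Python model of the per-session decision the slide describes: the user's identity must be verified, the user's role must be entitled to the one application requested, and the device posture (OS version, A/V status, vulnerability assessment) must pass, with a broad-VPN decision alongside for contrast. The access table, thresholds, and session values are constructed sample data.

```python
from dataclasses import dataclass

# Hypothetical user-group -> application access table, standing in for the
# "user group/application access table" the FortiGate slide mentions.
ACCESS_TABLE = {
    "finance": {"erp", "payroll"},
    "engineering": {"gitlab", "jenkins"},
    "contractor": {"ticketing"},
}
MIN_OS_VERSION = (10, 0)   # constructed posture requirement
MAX_OPEN_VULNS = 0         # constructed: no open critical findings allowed

@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool          # per-session user identity check
    os_version: tuple           # device posture inputs
    av_running: bool
    open_critical_vulns: int
    application: str            # the single application being requested

def posture_ok(s: Session) -> list:
    """Return the failed posture checks (empty list means compliant)."""
    failures = []
    if s.os_version < MIN_OS_VERSION:
        failures.append("os_version")
    if not s.av_running:
        failures.append("antivirus")
    if s.open_critical_vulns > MAX_OPEN_VULNS:
        failures.append("vulnerabilities")
    return failures

def decide(s: Session) -> tuple:
    """Per-session ZTNA decision: (allowed, reason). Re-run for every session,
    so a device that drifts out of compliance is denied the next time."""
    if not s.mfa_verified:
        return (False, "identity not verified")
    if s.application not in ACCESS_TABLE.get(s.role, set()):
        return (False, f"role '{s.role}' not entitled to '{s.application}'")
    failed = posture_ok(s)
    if failed:
        return (False, "posture failed: " + ",".join(failed))
    return (True, f"{s.user} -> {s.application}")   # grant scoped to one app

def legacy_vpn_decide(s: Session) -> tuple:
    """Broad VPN model for contrast: one authentication, then whole-network reach."""
    return (s.mfa_verified, "network-wide" if s.mfa_verified else "denied")
```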
Recap: Zero Trust Access Value Prop
Challenge → Benefit
• Weak and stolen passwords → Increase security with two-factor authentication (2FA)
• Controlling applications across hybrid cloud architectures → Granular control of application access per user, independent of location
• Growing IoT attack surface → Automate discovery and onboarding of users and devices
• Visibility & control of remote workers → Off-network telemetry and policy enforcement
Endpoint Product Positioning
Network Buying Center (NetOps): Secure Access
• Virtual Private Network: posture, encryption, split tunnel
• Zero Trust Network Access: posture, per-session access, encryption, auto-set up
• SASE
Security Operations Buying Center (SecOps): Endpoint Security
• Endpoint Protection
• Endpoint Detection and Response
Feature keywords shown for SASE, Endpoint Protection and EDR: ML antivirus, FWaaS, device control, root cause, web filtering, XDR, threat hunting, app firewall, remediation, IOC, prevention focused, endpoint telemetry, behavioral based detection, endpoint hardening
Products positioned: FortiClient, FortiEDR
Fortinet ZTA and ZTNA in Context
• Forrester Zero Trust Model: Devices; People; Networks; Workloads; Data; Visibility & Analytics; Automation & Orchestration
• Fortinet ZTA – Pillar: Endpoint Access & Control; Device Access (NAC); Identity Management
• Fortinet ZTNA: user application access control; utilises the same identity management controls; introduces a new secure remote access method replacing VPN