Jacob Chen Fortinet Taiwan SE 教育網路聯合安全防護最佳化 Jacob Chen Fortinet Taiwan SE

校園資訊防護範圍 規劃建置範圍: 資訊中心 (包括中心機房主機群、辦公室、電腦教室) 安全防護系統，能有效控制單位內部網路之存取、即時偵測及阻絕電腦病毒與駭客攻擊…等功能。 校園網路安全 (泛指非資訊中心以外所有電腦對電腦的資訊活動) ，控制單位內部網路之存取、即時偵測及阻絕電腦病毒與駭客攻擊…等功能，並且包含規劃建置各校無線網路之安全傳輸與身份認證機制，包括強化無線網路使用之安全。 規劃建置上述各項設備之統一管理平台，同時具備分散式與集中式管理機制，以達到有效、易於管理之目的，達成區域聯防網路安全機制。

校園網路資安應用 新式的網路威脅-混合型攻擊 成為主流 整合型資安閘道器UTM= Unified Threat Management 無線網路使用者身分認證與傳輸加密 弱點防護，防止Backdoor、Spyware惡意軟體 Layer3、4安全政策制訂 優化網路頻寬的使用(QoS) 防止DoS、DDoS網路攻擊 封鎖不當網頁與掃除釣魚網站 過濾網路病毒，隔離異常電腦，遏止問題擴散 防治垃圾郵件 加強對於IM/P2P管控 建立中央控管機制 新式的網路威脅-混合型攻擊 成為主流 整合型資安閘道器UTM= Unified Threat Management 防火牆、防毒、入侵偵測防禦(IPS) VPN(IPSec VPN,SSL VPN)、防垃圾信、網頁過濾、IM/P2P

The Power of Security + Performance The FortiASIC™ Family Network ASIC (NP) Firewall acceleration VPN (IPSEC and SSL) IPS anomaly Application ASIC (CP) Antivirus (+Antispyware) Acceleration Web Filtering and Antispam Advantage from Accelerated AV scanning Traffic Shaping

FortiGuard Center FortiGuard Security Centre Central Dashboard Real-Time Detailed Information per Threat Category Security Threat Visibility Web URL and Antispam IP checking Top 10 Viruses Spyware Spam Phishing Web Content Categorization Mobile Threats

Global Infrastructure Ensures Rapid Response 即時有效的安全防護，全球同步自動更新 零時差全球同步防護技術能力 Global Infrastructure Ensures Rapid Response 即時有效的安全防護，全球同步自動更新 Antivirus (AV) (Includes Anti-Spyware) Web Filtering (WF) FortiGuard Security Subscription enables customers to realize the full potential of the FortiGate product family 82+ offensive and dangerous categories Over 2 Billion rated web pages Best Accuracy and Coverage in the Industry! Intrusion Prevention System (IPS) Antispam (AS) Dual-pass scanning Greater than 97.4% spam catch rate Less than 0.18% false positive rate 3-hr AV response SLA Available 24 x 7 Global Threat Research Team Source: FortiGuard™ Subscription Service

FortiGate 網路實用規劃

部署4: 金流--信用卡刷卡機IPVPN資安解決方案 (PCI DSS Compliant) (FG60M)

部署5: 證券電子交易系統資訊安全規劃架構圖

部署6: 大型產險/壽險業UTM解決方案 (HA架構) 使用虛擬防護同時保護Inside與DMZ 狀態: 備援: 兩台UTM(Fortigate)做AA(Active-Active)備援。除了不會有設備閒置外，管理者只需設定Master設備，Slave會自動同步所有設定;同時提供外部服務的DMZ區也有備援機制 故障率: 以一台以故障率10%及網路設備以HA方式介接故障率為相乘計算，故障率為10% X 10% + 10%= 11% User使用效能: 三台設備=2個節點，所有 User流量在經過FG的load balance mode後能得到更充份利用 效益: 兩台可作HA的FG價錢並不高於一台NS+一台FG，效能卻遠遠超出

部署7: Data Center 備援中心 UTM DR Center 災難備援中心

部署8: 半導體晶圓廠 Fab Security 網路資安整體架構

部署9: Case Study : Japan Carrier VPN ⇔ Internet At GW of Carrier’s Data center Provide security Service for each customer using VDOM

部署10: IDC Server Farm for Online Game

企業內部安全防護 (FW, AV & IPS) MPLS-VPN MSSP SOC HQ Supervising Group Company A Taiwan HQ Group Company B Contractor Regional Site FortiAnalyzer FortiManager MSSP SOC Attacker

Internet 上網安全防護 (未架設前) Intranet WAN Router WAN Router WAN Connectivity WAN Connectivty External Connectivity Internal Connectivity

Internet 上網安全防護 (架設FortiGate) Intranet WAN Router WAN Router WAN Connectivity WAN Connectivty FortiGate FortiAnalyzer External Connectivity Internal Connectivity

High Availability HA statistics 21

Firewall – Fortigate with FREE SSL VPN Clientless VPN for remote access No pre-installed client software Utilizes client’s browser Embedded support for SSL support Application aware VPN Creates SSL session between client and gateway Tunnels (encapsulates) application protocols over SSL session Simplified deployment User only requires network login and URL IPsec VPN Internet

FortiGate 支援 3G Modem http://kc.forticare.com/default.asp?id=3150 FortiGate-60B and FortiWiFi-60B 以上機型皆支援 3G Modem Card. Tested devices in FortiOS 3.0 MR5 PC Cards modems: Merlin S620 (EV-DO) Merlin S720 (EV-DO) Sierra AC595 (EV-DO) Novatel S720 (EV-DO) Pantech PX-500 O2 (EV-DO) Sierra Aircard 850 (HSDPA, UMTS, EDGE, and GPRS networks) Sierra Aircard 875 (HSDPA) ZTE MY39 (EV-DO) USB Sierra 595U (EV-DO) Novatel U720 (EV-DO) http://kc.forticare.com/default.asp?id=3150

線路備援與機動性… One of the basic application is to use EVDO links as primary lnternet connection. FG-60B and FW-60B support the use of EVDO as a primary or secondary link. What is primary and what is secondary is just a network interface configuration setting Policy-based routing can be used to split the traffic load between Wan1 and Wan2 links. EVDO can take over for a failed load balanced ethernet link. FG-60B and FW-60B protect the communication. All the standard protection features (Firewall, VPN, IPS, Antivirus, AntiSpam, URL Filtering) work and apply to an EVDO link. ADSL EVDO

FGT1000A FGT300A FGT1000A FGT300A FGT300A FW+IPS+AV FW+IPS+AV+ Spam+URL Filter+IM/P2P FGT300A FGT1000A FW+IPS+AV FGT300A FW+IPS+AV+ Spam+URL Filter+IM/P2P FW+IPS+AV+AS+URL Filter+IM/P2P FGT300A Relational DB AQM

Relational DB SSL VPN SSL VPN

Fortinet UTM 帶給客戶的好處 企業對於資安的需求, 不應該只是一昧地添購單一功能的設備, 而是必須了解資安是多面相的, 是需要被嚴密管理的, 是需要環環相扣相互支援的, 而不是單兵作戰. 唯有整合式的資安產品才能夠提供縱深防禦, 真正做到彈性佈署企業資安聯防.

國際資安認證 (ICSA, EAL4+, FIPS, NSS, VB)

FortiNet 公司簡介 IDC “Fortinet Ranked the Fastest Growing Major Security Vendor” Unified Threat Management (UTM) Security Solutions Company Stats Founded in 2000 by Ken Xie (Former Netscreen Founder) Headquarters@Sunnyvale, California, Silicon Valley, offices worldwide Funding to Date 1000 employees / > half in R&D, more than 100 SE in field 300,000+ FortiGate devices shipped worldwide Market Leadership Six ICSA certifications (FIRST and ONLY security vendor) Government Certifications (FIPS-2, Common Criteria EAL4+) Virus Bulletin 100 approved (2005 to 2008) 60+ Industry Awards

PaloAlto沒有通過任何一項ICSA認證

FortiGate 通過 ICSA: Firewall/IPSec/IPS/SSL/Spam/AntiVirus

FortiOS 4.0 通過認證

最高等級 EAL4+

獲得相同認證的產品還有: IBM Proventia Network Multi-Function Security MX-3006 IBM Proventia Network Multi-Function Security MX-5010 IBM Proventia Network Multi-Function Security MX-1004

For more information please visit http://www.fortinet.com Thank You! For more information please visit http://www.fortinet.com 36