Fortinet: The Leader in Enabling Secure Communications - PowerPoint PPT Presentation

About This Presentation
Title:

Fortinet: The Leader in Enabling Secure Communications

Description:

Malicious code exposing confidential data has increased significantly. Blended Threats. Combines the functionality of worms, viruses, trojans, malicious mobile ... – PowerPoint PPT presentation

Slides: 151
Provided by: Mark973
Transcript and Presenter's Notes

1
Fortinet The Leader in Enabling Secure
Communications
2
Why Fortinet
Fortinet secures your business communication
infrastructure against an increasing array of
blended cyber threats, while also reducing
security costs
3
Large Installed Base
4
Company Overview
  • First and only maker of ASIC-accelerated
    Multi-Threat Security Solutions
  • Company Stats
  • Founded in 2000
  • Silicon Valley based with offices worldwide
  • Seasoned executive management team
  • 650 employees, 300 R&D, 100 SE
  • Nearly 150,000 FortiGate devices WW
  • Independent certifications/3rd party
  • Seven ICSA certifications (only security vendor)
  • Government Certifications (FIPS-2, Common
    Criteria EAL4)
  • Virus Bulletin 100 approved
  • 50 Industry Awards

5
Increasing Industry Recognition
  • No. 1 in UTM
  • WW UTM leader in 2003 & 2004, fastest growing
    network security segment (IDC)
  • Gartner Visionary
  • Latest Gartner Firewall Magic Quadrant
  • Fastest growing
  • Network security appliance vendor with in Q3
    (IDC)
  • No. 1 in high end
  • Unit shipment leader in high-end UTM systems
    (>50K) for Q305 (IDC)

Company Rating: Threatening. "Fortinet has
established itself as a strong competitive
threat." -- CurrentAnalysis
6
Threat Evolution
  • Malicious code exposing confidential data has
    increased significantly
  • Multi and Blended attacks are now a common
    practice.
  • Email is the most common delivery mechanism.
  • The motive and intent is changing
  • Moving from notoriety to financial gain.
  • Theft of financial and personal information.
  • Traditional security isn't enough

7
Blended Threats
Example: Zotob, NetSky, Sobig.F, NIMDA, MyDOOM
  • Propagation: Send email using spoofed source address with
    built-in SMTP engine
  • Vector: Email with .PIF or .SCP attachment
  • Function: Harvest email addresses
  • Payload: At pre-designated time, ping one of 20 sites to
    retrieve URL. Download file referenced in URL.
    Execute the downloaded program.
8
Trends Driving New Security Requirements
9
A New Security Architecture Approach Is Required
  • Antispam
  • Reduce unwanted email
  • Web filters
  • Eliminate unproductive web-browsing
  • VPN
  • Delivering secure remote access
  • Firewall
  • Defend against intrusions
  • Antivirus
  • Protect email from virus infection
  • IPS
  • Protect against malicious attacks

Servers
Users
10
Multiple Point Solutions Add Complexity
  • Perceived Advantages
  • Comprehensive security approach
  • Quickly react to individual threats
  • Real Disadvantages
  • Requires multiple products that don't talk to
    each other
  • Increases network complexity and operational cost
  • Non optimal security implementation

Servers
Users
11
Multi-Threat Security With Fortinet
  • Simplifies security management
  • Coordinates security alerting, logging, and
    reporting
  • Improves detection capabilities
  • Fortinet Advantages
  • Provides comprehensive security approach
  • Minimizes down-time from individual threats
  • Reduces number of vendors and appliances

Servers
Users
12
Scalable Solutions Deployable Throughout the
Enterprise
  • Perimeter, DMZ, remote office
  • Data center / core network
  • Host-based security
  • Internal outbreak prevention
  • New applications
  • Wireless, Voice-over-IP

13
Range of Security Systems and Management
14
Fortinet Developed a Unique Technology for
Complete, Real Time Network Protection
CORE TECHNOLOGY
  • Real-time networking OS
  • High performance
  • Robust, reliable
  • Proprietary Fortinet Chip
  • Hardware scanning engine
  • Hardware encryption
  • Real-time content analysis

15
Comprehensive, Multi-Threat Protection
Best-in-Class Applications Included in Every
FortiGate
FortiOS Operating System
16
Global Infrastructure Ensures Rapid Response to
New Threats
More than 10 Fortinet Threat Response Teams and
FortiGuard Distribution Servers
FortiGuard Center Web Portal Email Bulletins
- Automatic AV IDP Updates Can Reach All
FortiGate Units Worldwide in Under 5 Minutes -
Real Time Protection for Antispam Web Content
Filtering Services
17
Criteria for Network Security Deployments
18
Summary
  • Fortinet offers the only solution built from the
    ground up to handle network and application
    threats
  • Security functionality backed up by comprehensive
    subscription services
  • No-compromise performance based on leading
    ASIC-based design and a broad product line
  • Integrated functionality and management for
    reduced CapEx and OpEx and regulatory compliance
  • A trusted security provider to thousands of
    customers worldwide

19
Fortinet Solutions
20
Fortinet's End-to-End Security Solution for the
Distributed Enterprise
21
Enterprise Edge Protection
  • Deployed at the edge of your network as your
    first line of defense
  • Provides Multi and Blended threat security along
    with securing VOIP
  • Protects critical VOIP (H.323, SIP) resources
    from attacks

22
DMZ Protection
  • Deployed on the DMZ interface of an existing edge
    firewall
  • Provides virus, intrusion prevention for critical
    DMZ resources
  • Provides URL Filtering services for outbound
    traffic

23
Enterprise Outbreak Containment
  • Contains outbreaks to a specific segment vs.
    allowing to spread
  • Utilizes 802.1Q VLAN technology to interoperate
    with existing switches

24
Large Enterprise and Core Deployment
  • Deployed offline vs. inline to secure specific
    protocols (Web, Email, FTP)
  • Interoperates with policy based routing found on
    most switches
  • Leverages High Availability Clustering for high
    bandwidth requirements

25
Product Differentiation
26
Fortinet Developed a Unique Technology for
Complete, Real Time Network Protection
CORE TECHNOLOGY
  • Real-time networking OS
  • High performance
  • Robust, reliable
  • Proprietary Fortinet Chip
  • Hardware scanning engine
  • Hardware encryption
  • Real-time content analysis

27
Comprehensive, Multi-Threat Protection
Best-in-Class Applications Included in Every
FortiGate
FortiOS Operating System
28
FortiOS Security Inspection Engines
  • Antispam
  • Static list, FortiGuard Antispam, RBL
  • Web Filtering
  • Static list, FortiGuard Web Filtering
  • Encryption
  • IPSec, SSL
  • Traffic Shaping
  • Guaranteed rate, Max rate, Traffic priority
  • Stateful Firewall
  • Granular security policies
  • Authentication enforcement
  • Quality of Service
  • Antivirus
  • HTTP, FTP, SMTP, POP3, IMAP
  • Signatures, Heuristics, Activity
  • Intrusion Detection Prevention
  • Signature, Anomaly, Activity Inspection

29
Advanced Detection Techniques
  • Fortinet's detection technology has evolved past
  • Stateful Inspection
  • Application Inspection
  • Deep Packet Inspection
  • Innovators of Full Content Inspection Activity
    Inspection with full Content Reassembly

30
Antivirus Detection With Advanced Heuristics
  • Fortinet's advanced antivirus scanning techniques
    include
  • File Analysis
  • Worm Inspection
  • File Type Analysis
  • Signature Inspection
  • Heuristic Inspection
  • Content Reassembly

31
Why Traditional Firewalls Miss The Latest Attacks
STATEFUL INSPECTION FIREWALL
Inspects packet headers only, i.e. looks at the
envelope, but not at what's contained inside
[Diagram: four data packets, each passed as OK.
Packet headers (TO, FROM, TYPE OF DATA, etc.) are
inspected; packet payload (data) is Not Scanned.]
Packet 1: http://www.freesurf.com/downloads/Gettysburg
Packet 2: Four score and BAD CONTENT our forefathers brou
Packet 3: ght forth upon this continent a new nation,
Packet 4: n liberty, and dedicated to the proposition that all
  • Weaknesses include
  • No Deep Packet Inspection capabilities to spot
    malicious payloads
  • Per-Packet forwarding with no packet reassembly
  • Malicious applications can be tunneled through
    trusted ports
  • Traditionally deployed only at the perimeter and
    can't defend against internal threats

32
How Traditional IDS/IPS Are Missing Modern Attacks
DEEP PACKET INSPECTION
Performs a packet-by-packet inspection of
contents but can easily miss complex attacks
that span multiple packets or fragmented
[Diagram: data packets inspected one at a time;
labels shown: Undetected, OK, !, OK, OK]
Packet 1: http://www.freesurf.com/downloads/Gettysburg
Packet 2: Four score and BAD CONTENT our forefathers brou
Packet 3: ght forth upon this continent a new nation,
Packet 4: n liberty, and dedicated to the proposition that all
  • Weaknesses include
  • Mirrored traffic analysis, not inline with
    network flow
  • Alert only, will not proactively block attack
    traffic
  • Damage is done before alert can be responded to
  • Deep Packet Inspection IDS/IPS systems may be
    overrun by GB links
  • Traditionally deployed at the perimeter

33
Protection With Content Reassembly
COMPLETE CONTENT PROTECTION
1. Reassemble packets into content
   http://www.freesurf.com/downloads/Gettysburg
   Four score and BAD CONTENT our forefathers brou
   ght forth upon this continent a new nation,
   n liberty, and dedicated to the
   proposition that all
2. Compare against disallowed content and attack
   lists
[Diagram labels: ATTACK SIGNATURES, !!]
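The difference between packet-by-packet inspection and content reassembly described in the three slides above, as an added example that is not part of the original presentation. The `Segment` type, the function names, the sample stream and the `BAD CONTENT` stand-in signature are constructed for illustration and are not Fortinet code.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data: the slide's text with a stand-in signature.
SIGNATURES = [b"BAD CONTENT"]
STREAM = (b"Four score and BAD CONTENT our forefathers brought forth "
          b"upon this continent a new nation")


@dataclass(frozen=True)
class Segment:
    seq: int        # byte offset of this payload within the stream
    payload: bytes


def segment(data: bytes, cuts: list[int]) -> list[Segment]:
    """Split data at the given byte offsets into sequence-numbered segments."""
    edges = [0, *cuts, len(data)]
    return [Segment(a, data[a:b]) for a, b in zip(edges, edges[1:])]


def scan_per_packet(segments, signatures=SIGNATURES) -> set[bytes]:
    """Packet-by-packet inspection: every payload is matched in isolation."""
    return {sig for seg in segments for sig in signatures if sig in seg.payload}


class ReassemblingScanner:
    """Match signatures on the in-order byte stream instead of single packets.

    Out-of-order segments wait until the gap before them is filled, and
    retransmitted or overlapping bytes are trimmed. Only the last
    (longest signature - 1) bytes are carried from one segment to the next,
    so memory stays bounded while a match that straddles a packet boundary
    is still seen.
    """

    def __init__(self, signatures=SIGNATURES, max_pending: int = 64):
        self.signatures = list(signatures)
        self.carry_len = max((len(s) for s in self.signatures), default=1) - 1
        self.carry = b""
        self.next_seq = 0                    # next stream offset to scan
        self.pending: list[Segment] = []     # segments waiting behind a gap
        self.max_pending = max_pending
        self.hits: set[bytes] = set()

    def feed(self, seg: Segment) -> None:
        self.pending.append(seg)
        if len(self.pending) > self.max_pending:
            # Fail closed: an unbounded out-of-order queue is a memory
            # exhaustion risk for the inspecting device itself.
            raise OverflowError("too many out-of-order segments on this flow")
        for s in sorted(self.pending, key=lambda s: s.seq):
            if s.seq > self.next_seq:
                break                        # gap: wait for the missing bytes
            self.pending.remove(s)
            fresh = s.payload[self.next_seq - s.seq:]   # drop bytes already seen
            if fresh:
                self._scan(fresh)

    def _scan(self, data: bytes) -> None:
        window = self.carry + data
        for sig in self.signatures:
            if sig in window:
                self.hits.add(sig)
        self.carry = window[-self.carry_len:] if self.carry_len else b""
        self.next_seq += len(data)


def scan_reassembled(segments, signatures=SIGNATURES) -> set[bytes]:
    """Feed segments in arrival order and return the signatures matched."""
    scanner = ReassemblingScanner(signatures)
    for seg in segments:
        scanner.feed(seg)
    return scanner.hits


if __name__ == "__main__":
    # Cut at offset 19 so the signature is split as "BAD " | "CONTENT".
    segs = segment(STREAM, [19, 40])
    arrival = [segs[2], segs[1], segs[0], segs[1]]   # reordered + retransmit
    print("per packet :", scan_per_packet(arrival))
    print("reassembled:", scan_reassembled(arrival))
```
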
34
Application-Level Threats Require Complete
Content Protection
35
Complete Content Protection Requires Enormous
Processing Power
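[Chart: vertical axis ticks 1, 10, 100, 1000; horizontal axis 1990, 1995, 2000, 2006.
Inspection levels, lowest to highest: Stateful Inspection, Deep Packet Inspection,
Complete Content Protection.
Threats plotted, lowest to highest: Simple Intrusions, Denial of Service Attacks,
Sophisticated Intrusions, Viruses, Trojans, Worms, Inappropriate Web Content,
Email Spam.]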
36
Fortinet's Complete Product Family
[Chart: product family by market segment: SOHO/Branch, Medium Enterprise,
Large Enterprise, Service Provider.
Models: FG50A, FG60, FortiWifi, FG100A, FG200A, FG300A, FG400A, FG500A, FG800,
FG1000A, FG3000, FG3600, FG5020, FG5050, FG5140.
Feature labels: High Availability, VLAN support; Integrated Logging;
Gigabit Ethernet; High port density; Gigabit perf; Redundant PS.]
37
Security Functionality Overview
38
Fortinet Advanced Firewall Functionality
  • Stateful inspection Firewall
  • Industry standard
  • HA- active-active failover
  • High end clustering
  • Advanced Traffic Shaping
  • Traffic control at application level
  • Flexible NAT support
  • Support all NAT standards.
  • Virtual Domains
  • Security by segmentation
  • Multicast dynamic routing
  • Flexibility of integration
  • Intuitive GUI

ICSA certificate for Stateful inspection, Common Criteria EAL 4 certificate
Stateful/VPN/route failover, auto configuration sync. 802.3ad
P2P, IM applications traffic shaping
1-to-1, 1-to-many, many-to-many, port mapping, load balancing, VOIP packets
Virtual Domains, virtual routing, Role based admin.
RIP, OSPF, BGP, PIM
Web based, SSL encrypted, Immediate configuration
39
Fortinet Advanced IPSec VPN Functionality
ICSA certificate for IPSEC VPN, FIPS 140 certificate (US government)
3DES, AES-256 encryption protocols
Can combine with carrier redundancy, Multiple gateway failover for DR
Total flexibility and scalability in complex architectures
FortiClient is the only VPN client with Integrated FW, AV, IPS, URL
Inspection of traffic inside tunnels: IPS, AV, URL, FW, AS
DIFFSERV Marking, Prioritising and optimizing
  • IPSEC VPN
  • Industry standard
  • Best of breed encryption
  • Supporting high end encryption
  • Hub n spoke VPN
  • Distributed sites
  • Route based VPN
  • Scalability and Flexibility
  • (Any) Client based VPN
  • Mobility
  • Integrated security
  • Protection inside tunnels
  • VPN Traffic Shaping

40
Fortinet Advanced IPS Functionality
NSS certificate for IPS, ICSA 0-false positives certificate
6 priority levels for different types of Networks.
Enables forensic analysis
Pro-active alert system with reporting and correlation. Vulnerability assessment
FortiGuard Centre is pro-actively searching for attacks worldwide
Hardware based CPRL pattern match engine and anomaly detection engine
Stateful, Signature, Anomaly, Behavioural analysis, Custom defined
  • Best of Breed IPS solution
  • Policy based IPS
  • Flexibility
  • Packet logging
  • Session log of attack
  • Alerting Reporting
  • Correlation and reporting
  • Automatic updates
  • From FortiGuard Centre
  • ASIC optimized scanning
  • Wire speed performance
  • World class detection engines

41
Fortinet Advanced Web Filtering Functionality
  • Best of breed coverage
  • Real time updated
  • Best of breed accuracy
  • Fewer mistakes
  • User based Policy
  • User management
  • High Performance
  • No latency
  • Easy installation activation
  • One click..
  • 56 base categories overrides
  • Ease of use
  • FortiClient enabled

Currently 28.5 mln urls constantly Updated. Outperforming market leaders
FortiGuard rating engine outperforming market leaders
Integration with Active Directory Groups, LDAP, RADIUS
Carrier level URL filtering performance
Registrar contract and activate service, No additional hardware installed
Flexible deployment to company policy
Deploy desk/laptop level security policies
42
Fortinet Advanced Antivirus Functionality
  • Best of breed AV
  • Real time updated
  • Multi protocol support
  • Full AV traffic coverage
  • Anti Malware
  • Broad protection
  • Inter VLAN AV scanning
  • Flexible Network AV deployment
  • ASIC accelerated AV engine
  • Pure performance
  • Automatic updates
  • Better protection
  • Centralized Quarantine

ICSA certificate on FortiGate Client, VB100 (Virus Bulletin) certificate
HTTP, FTP, SMTP, POP3, IMAP, P2P, IM
16 categories: spyware, phishing, trojans, keyloggers, etc.
Combining policies for VLANs, Transparent AV scanning
Only ASIC accelerated AV engine in the World. Signature heuristic scanning
Automated updates through the FortiGuard Center
With FortiAnalyzer
43
Fortinet Advanced Antispam Functionality
  • Mid to high range platform
  • Performance
  • 3PAS FortiGuard AS service
  • Better detection
  • Multi Engine Architecture
  • Customized detection improvement
  • User Policy based
  • Maximum integration in enterprise
  • Flexible quarantine system
  • Adaptable to any enterprise policy
  • Domain based administration
  • Customizable services
  • Clustering capabilities

Extreme performance and scalability, Multiple million emails per day
Combines IP check, URL, signature checksum.
Bayesian, Heuristic, Gray listing
Integration with LDAP, MS Exchange, Lotus Notes
User based reports, web mail access
MSSP enabled solution
Scales up to any email load and 100% availability.
44
Fortinet Product Line Advanced Functionality
  • Best of Breed functionalities
  • Industry standard
  • ASIC Platform
  • Better Performance
  • Pro active security
  • Zero hour protection
  • Integrated logging reporting
  • Management cost reduction
  • End to end control
  • From end point to core network
  • MSSP enabled solution
  • Customizable services
  • Same features on all appliances

5 ICSA certifications, NSS, VB100, FIPS140, CC EAL4.
Multi Gigabit, ATCA Standard, full provisioning on all platforms
Combining multi threat protection, Vulnerability scanning forensic analysis.
Full security logging and reporting on one platform. Single point of retrieval
Centralized policy deployment on gateway and clients
Full spectrum of security solutions, Central management reporting
All FortiGate run the same featureset
45
Hardware Options Competition Review
Confidential
46
Data Center Security Option 1 Conventional
Point Solutions
Leading Firewall SW on compatible general purpose
HW
Firewall
Leading IDS SW
Leading antivirus SW (10,000 user license) on 4
Dell servers
Data Center
47
Data Center Security Option 2 Integrated
Security Appliance
Integrated security appliance extends existing
perimeter security architecture for one or more
of the following functions
Firewall
Gateway Antivirus Transparent-mode
Firewall Intrusion Detection and Prevention VPN
connectivity Email and Web Content
Filtering Traffic Shaping
48
Acquisition / First Year Costs
49
The Fortinet Solution Advantages Over the
Competition
Requires add-on equipment/software at
additional cost only available on certain units
¹ Not standard additional cost
50
Superior Competitive Portfolio Positioning: Fortinet
taking market share from all security
competitors
51
SOHO/Branch Office Comparison
52
FortiGate-50A Complete Security and High
Performance for Telecommuters SOHOs
12V DC
Console Serial Connection
Internal/External
  • Delivers increased performance
  • Up to 50 Mbps Firewall, 10 Mbps 3DES VPN
    throughput 8 Mbps AV
  • Easy deployment, includes all key security
    functions
  • FW, AV, IDP, VPN, CF, etc
  • Dynamic updates against new attacks
  • From FortiProtect Network No user action
    required
  • Interfaces 1 10/100 LAN port and 1 10/100 WAN
  • USB ports for future expansion

53
FortiGate-60 Complete Security for Branch
Offices SOHOs
  • Flexibility between broadband and dial-up
    depending on location - Dual WAN interfaces
  • FG60M Automatic dial back-up feature
  • Integrated analog modem provides robust
    resiliency
  • All in one security solution for secure access
    from stores to headquarters

54
FortiWiFi-60 The Ultimate in Secure Wireless
Access
  • Deploys as an all-in-one security gateway that
    includes network-level content security
  • FW, AV, IDP/IDS, VPN, CF, etc.
  • Also includes advanced Wireless Security
    Features
  • WEP WPA
  • Enforced IPSec encryption for WLAN connections
  • MAC address binding
  • Wireless Dual band support 802.11b and 802.11g
  • Delivers 70 Mbps Firewall, 20Mbps 3DES VPN 10
    Mbps AV
  • Dual WAN support with load balancing failover
  • Interfaces 4 10/100 ports, 1 DMZ, 2 WAN and WLAN

55
Fortinet Complete Content Protection Solution
Bundles
  • Total solution to drive SOHO Unified Threat
    Management
  • Competitive solution bundle vs. Sonic Wall and
    Netscreen
  • Enables Fortinet to own low-end UTM market
  • Simple purchasing one SKU, one price
  • Available for FG-50A, FG-60, FWF-60, FG100A
  • Includes
  • Fortigate Security platform
  • 1 Year Forticare Web Support
  • 1 Year all FortiGuard Services (AV, IPS,
    Anti-Spyware, Web Filtering Anti-spam)

56
Fortinet Complete Content Protection Solution
  • Fortinet Position
  • Similar price, more value
  • Fortinet wins vs. Sonic Wall Juniper/Netscreen
    because we offer
  • Unlimited users, ASIC, faster processor, more
    memory
  • Web Filtering and Anti-spam

FortiGate 60
FortiGate 50A
57
Small to Medium Enterprises: Fortinet FG-100A,
FG-200A, FG-300A
  • Performance results displayed as Mbps
  • AV http throughput

58
FortiGate-100A
  • Product Positioning DS1C/T1C (2 x T1 3.2 Mbps),
    up to 35 users
  • Applications Perimeter Security Gateway (FW, AV,
    IPS, Web Inspection, Anti-spam)
  • Interfaces
  • 2 x WANs for redundant ISP links
  • 2 x DMZs for isolation of critical outward facing
    functions (DNS, E-commerce, Email, etc)
  • 4 x 10/100 port switch
  • Increased Performance 100 FW, 40 VPN, 25 AV
  • Additional redundancy options with HA Clustering

59
FortiGate-100A Competitive Comparison
60
FortiGate-200A
  • Product Positioning DS2 (4 xT1 6.3 Mbps), up to
    50 users
  • Applications Perimeter Security Gateway (FW, AV,
    IPS, Web Inspection, Anti-spam)
  • Interfaces
  • 2 x WANs for redundant ISP links
  • 2 x DMZs for isolation of critical outward facing
    functions (DNS, E-commerce, Email, etc)
  • 4 x 10/100 port switch
  • Increased Performance - 150 FW, 70 VPN, 32 AV
  • Additional redundancy options with HA Clustering

61
FortiGate-200A Competitive Comparison
62
FortiGate-300A
  • Product Positioning DS3/T3 (8 xT1 45 Mbps), up
    to 75 users
  • Applications Perimeter Security Gateway (FW, AV,
    IPS, Web Inspection, Anti-spam), Security Zoning
    for 100 Mbps Subnets
  • Interfaces
  • 2 x tri-speed GigE Copper ports
  • 4 x 10/100 Fast Ethernet ports
  • Increased Performance 400 FW, 120 VPN, 70 AV
  • Additional redundancy options with HA Clustering

63
FortiGate-300A Competitive Comparison
64
Medium to Large Enterprises: Fortinet FG-400A,
FG-500A, FG-800
  • Performance results displayed as Mbps
  • AV http throughput

65
FortiGate-400A
  • Product Positioning DS3/T3 (28 xT1 44.8 Mbps),
    up to 200 users
  • Applications Perimeter Security Gateway (FW, AV,
    IPS, Web Inspection, Anti-spam), Security Zoning
    for 100 Mbps Subnets
  • Interfaces
  • 2 x tri-speed GigE Copper ports
  • 4 x 10/100 Fast Ethernet ports (user
    configurable)
  • Increased Performance 450 FW, 135 VPN, 100 AV
  • Additional redundancy options with HA Clustering

66
FortiGate-400A Competitive Comparison
67
FortiGate-500A
  • Target Medium - Large Business
  • Product Positioning DS3/T3 (28xT1 44.8 Mbps), up
    to 250 users
  • Applications Perimeter Security Gateway (FW, AV,
    IPS, Web Inspection, Anti-spam), Security Zoning
    for 100 Mbps Subnets
  • Interfaces
  • 2 x tri-speed GigE Copper ports
  • 4 x 10/100 Fast Ethernet ports (user
    configurable)
  • 4 x 10/100 Fast Ethernet Switch ports
  • Increased Performance 500 FW, 150 VPN, 130 AV
  • Additional redundancy options with HA Clustering

68
FortiGate-500A Competitive Comparison
69
FortiGate-800/800F
4 10/100 ports
4 tri-speed ports
4 10/100 ports
4 SFP ports
  • FG-800 GE Copper
  • FG-800F GE Fiber
  • Providing cost-effective fiber or copper
    connectivity to enterprise organizations up to
    300 users
  • 4 10/100 and 4 gigabit ports provides flexibility

70
The FortiGate-800 Supports Organizations
Migrating to Gigabit Networks
Tri-Speed Ethernet
71
FortiGate-800 Competitive Advantages
72
Large Enterprises: Fortinet FG-1000A, FG-3000,
FG-3600
  • Performance results displayed as Mbps
  • AV http throughput

73
FortiGate 1000A
  • The New Large Enterprise Performance Workhorse
    Platform
  • Two versions available FG-1000A and
    FG-1000AFA2
  • 10 Copper Gigabit Ethernet 10/100/1000Base-T
    Ports
  • FA2 has 2 Optional FortiAccel SFP Ports ( 12
    ports total )

74
FortiGate 1000A Highlights
Performance
  • 2 Gbps Firewall Throughput
  • 250 Mbps 3-DES VPN Throughput
  • 200 Mbps AV Scanning Throughput
  • 2 Rack Unit Height w/ Dual Power Supplies
  • New Intel Xeon E7520 3.2 GHz CPU
  • 1 GB RAM

75
FortiGate 1000AFA2
FortiAccel
  • FortiAccel (FA2) option adds two additional SFP
    ports
  • Comes standard with SX modules
  • Choice of SX, LX, or TX (copper) SFP modules
  • Provides wire-speed firewall performance at all
    packet sizes
  • Not field upgradeable, requires different Front
    Panel assembly

76
FortiGate-1000A Competitive Comparison
77
FortiGate-3000 Data Center Security
High Performance Transparent AV Gateway
  • Deploys easily as a Transparent AV Gateway.
  • Also includes advanced Security Features
  • URL filtering
  • SPAM Filtering
  • Intrusion Detection and Prevention
  • Delivers 2.25 Gbps Firewall, 530 Mbps 3DES VPN
    250 Mbps HTTP AV
  • Redundant Hot Swappable Power Supplies
  • Dedicated HA link
  • Interfaces 2 Gig fiber ports, 1 Gig Copper port,
    3 10/100 ports

78
FortiGate-3600 The Ultimate in Secure Access
High Performance In-line security
  • Deploys as easily as Core Firewall behind dual
    router links
  • Also includes advanced Security Features
  • Anti-virus Filtering
  • URL filtering
  • SPAM Filtering
  • Intrusion Detection and Prevention
  • Delivers 4 Gbps Firewall, 600 Mbps 3DES VPN 250
    Mbps HTTP AV
  • Out of band Management port - 10/100
  • Redundant Hot Swappable Power Supplies
  • Dedicated HA link
  • Interfaces 4 Gig fiber ports, 2 Gig Copper ports

79
FortiGate-3600 Competitive Advantages
FortiGate-3600 Offers Capabilities Not Found in
Any Other System
80
FortiGate-5000 Series Robust ATCA Chassis
Architecture
  • Advanced Telecom Computing Architecture
  • Industry standard specifications for the next
    generation of carrier grade communications
    equipment.
  • Intel is a major backer (over 100 companies
    involved)
  • Benefits
  • High density
  • High availability
  • Flexibility
  • High Scalability
  • Up to 14 blades per chassis
  • Features
  • Designed to meet needs of service provider
    environments
  • Serviceability, Reliability, Manageability
  • Investment protection as System Grows
  • FortiGate modules can work in any FortiGate-5000
    chassis

81
FortiGate-5000 Series Chassis Systems
  • Leading Edge Design
  • Chassis and Hot Swappable Blade Architecture
  • Supports high-availability and clustering for
    added capacity and reliability
  • Multi-zone, VLAN and VDOM support for segmented,
    granular security
  • Deploys as an all-in-one solution or a
    high-performance antivirus/content-filtering
    gateway

82
FortiGate-5000 Modules
  • FortiGate 5001SX Security Module
  • FortiGate Antivirus Firewall on a Blade
  • Full network security services
  • Firewall, AV, VPN, IDP, Anti-Spam, Web Content
    Filtering, Bandwidth Shaping
  • Provides 8 GigE ports with 2 GigE backplane HA
    ports
  • FortiGate 5001FA2 Security Module
  • Same base HW as FG-5001SX
  • Adds a two port FortiAccel daughter card for
    small packet performance
  • FortiSwitch 5003 Switch Fabric Module
  • Supported in FG-5050 and FG-5140 chassis
  • Provides Inter-Chassis and Intra-Chassis HA
    communications
  • Inter-Chassis provides chassis-to-chassis HA
    cluster
  • Intra-Chassis provides FG-5001-to-FG-5001 HA
    cluster
  • Either 1 or 2 Switch Modules per chassis
  • Two FS-5003 Switch Modules provides no single
    point of failure

83
FortiGate-5020
  • Chassis and Hot swappable Blade architecture
  • Supports high-availability and clustering for
    added capacity and reliability
  • Multi-zone and VLAN support for segmented,
    granular security
  • Deploys as an all-in-one solution or a
    high-performance antivirus/content-filtering
    gateway
  • Performance Delivers up to 8 Gbps Firewall and
    1.2 Gbps 3DES VPN throughput
  • Interfaces 8 GigE interfaces per blade (total
    16)
  • 4 SFP and 4 10/100/1000 on each module

84
FortiGate-5020 Competitive Comparison
85
FortiGate-5050 Chassis
FortiGate-5001 Blade
FortiGate-5001 Blade
FortiGate-5001 Blade
FortiGate-5003 Switch Blade
FortiGate-5003 Switch Blade
Shelf Manager
Shelf Manager
  • Target Large Enterprises and Service Providers
  • Applications High-speed AV Gateway, Managed
    Security Services, Security Zoning
  • Up to 5 Blades Supported Combination of FG5001
    and/or FG-5003 modules for a maximum of 40 GigE
    ports per chassis
  • Performance Delivers up to 20 Gbps Firewall, 3
    Gbps 3DES VPN, 1.25 Gbps AV, and 2 Gbps IPS
    throughput (non-HA aggregate)

Preliminary Performance Figures
86
FortiGate-5140 Performance Leadership
  • Superior Scalability Maximum Flexibility and
    Reliability
  • 14 slot chassis for high-density deployments -
    Scales to 112 GE ports
  • High-Performance Platform
  • 56 Gbps Firewall,
  • 8.4 Gbps 3DES VPN,
  • 3.5 Gbps AV
  • 5.6 Gbps IPS throughput
  • Support full chassis and system redundancy with
    FG-5003 Switch modules

87
FortiOS
88
Web GUI Configuration tool
89
Firewall highlights
  • ICSA-certified Stateful Inspection Firewall
  • High performance
  • up to 4 Gbps on FG3600
  • NAT/Route mode and transparent mode
  • Can sit transparently behind another vendor's
    firewall
  • Apply firewall policies to VPN tunnels
  • Apply AV and content filtering as part of
    firewall policies
  • Policy-based NAT
  • Many-to-one (PAT)
  • Many-to-many NAT
  • H.323/SIP NAT Traversal
  • User group-based authentication
  • Local database
  • Radius authentication
  • LDAP authentication
  • Windows AD authentication
  • IP/MAC Binding

90
Firewall policy setup
91
Antivirus highlights
  • Only ICSA-certified hardware-based AV gateway
  • Three services
  • Virus detection
  • File and email blocking service (oversized files
    or pattern matching file names)
  • Quarantine service of infected files
  • Supported protocols
  • Email traffic SMTP, POP3, IMAP
  • Web traffic HTTP (content, downloads, and web
    mail)
  • FTP traffic
  • IM Traffic (in ver 3.0)
  • Supports non-standard ports (SMTP, POP3, IMAP,
    HTTP)
  • Scanning methods
  • Signature based
  • Macro scanning
  • Heuristic based (executable PE files)

92
Challenges with Conventional Gateway AV
  • Most focus on email (not Web)
  • Most do SMTP, but not IMAP and POP3
  • Often require network re-config
  • Difficult to do high-availability
  • Very high cost
  • Very low performance
  • Can't be used with latency-sensitive applications
    (VoIP, etc.)

DMZ
HEADQUARTERS
93
Fortinet AV Gateway Solution
  • Transparent to existing network infrastructure
  • Scans Web, Email, FTP IM
  • Policy based
  • High Performance
  • Scalable/High availability
  • Real-time updates
  • Fraction of software AV cost
  • Add on features URL Filtering, Spam Filtering,
    IPS

DMZ
HEADQUARTERS
94
Gateway AV Benefits The power of One
(1 help desk staff per 50 employees)
95
Spyware or Grayware control
96
Fortinet IPSec VPN Highlights
  • ICSA-certified IPSec VPN
  • Supported protocols
  • IPsec
  • PPTP, L2TP
  • Hardware encryption
  • DES, 3DES, and AES
  • IPSec VPN traffic controlled by firewall policies
  • VPN tunnels decrypted and routed through firewall
    and AV scanning
  • VPN NAT traversal
  • Dead peer detection (DPD)
  • Dial-up monitor/Remote VPN client
  • Authentication
  • Support for Xauth over Radius
  • x.509 Certificate auth
  • LDAP for user authentication
  • Windows AD
  • Interoperability with major VPN vendors
  • Hub and Spoke architecture support

97
Fortinet's SSL VPN Highlights Release 3.0
  • For any customers who need cost effective and
    fully integrated VPN solutions
  • Provides secure site-to-site connections (IPSec)
  • Provides secure remote access (SSL or IPSec)
  • Provides full content security at the desktop or
    host with FortiClient
  • Functions as standalone remote access gateway or
    integrated corporate security gateway with
    Clientless VPN (SSL)
  • Customizable web portal
  • Provided in all FortiGate products offering
    enterprise-class remote access to every market
    segment
  • Tremendous value with Fortinet's integrated
    UTM functions

98
Intrusion Prevention highlights
  • ICSA certified
  • High speed performance
  • ASIC-based IDP
  • Signature database of over 1,400 known hacker
    attacks
  • Timely and automated updates of attack signatures
  • Through the FortiGuard Distribution Network
  • Customizable email alerts
  • Alerts can be filtered to avoid generation of
    numerous, redundant alerts from a single attack
  • Very easy to configure and easy to maintain
  • Dramatically lower cost than stand-alone NIDS

99
Policy-based IPS
  • Selective flow scanning
  • Applies only where needed
  • Significant per- policy granularity
  • IDS not limited to interfaces or VLANs!
  • Protection profile allows control by attack
    severity
  • Resource optimization

100
Real-time Attack Prevention
  • Fully automated intrusion attack prevention
    without human intervention
  • Real-time intrusion detection AND response
  • Any detected attack can be passed, blocked,
    reset, or session cleared

101
IPS 2.80 - Sasser Signatures
102
FortiGuard Web Content Filtering
  • Web Content Filtering
  • 76 Categories, 8 groups
  • Light weight protocol
  • Per unit licensing
  • Available as 30 day trial on all units

103
Features and Benefits FortiGuard Web Content
Filtering
  • Lower Total Cost of Ownership
  • Does not require additional hardware or
    maintenance costs, effectively lowering TCO
  • Per box pricing (not by # of users)
  • Allows customers simple and easy licensing, just
    like antivirus functionality
  • Integrated with complete network protection
  • Antivirus, firewall, VPN, intrusion detection and
    prevention, Anti-spam
  • Granular control with over 76 categories
  • Integrated control allows Web URL filtering to be
    applied through firewall policies and by users
    and user groups

104
Email Spam Filtering
  • Spam Filtering
  • Nine Anti-Spam methods available
  • Optional FortiGuard RBL subscription service
  • Per-unit licensing
  • Configurable email append message (SMTP only)

105
How Spam Affects Business
  • Lower employee productivity
  • Employees spend unnecessary time reading and
    deleting spam
  • Unnecessary resource consumption
  • Email server resources being taxed by spam
  • disk space, CPU cycles
  • Spam congestion causes longer response times
  • Spam consumes network bandwidth
  • Impacts critical business applications (VoIP,
    video conferencing)
  • Email is being used as a threat delivery system
  • Viruses, worms, trojans, Spyware, and Phishing
    (identity theft)
  • Email address books are hijacked to create spam
    lists
  • Spam is no longer just a nuisance, it has become
    a dangerous mechanism to deliver threats that are
    financially motivated

106
The Growth & Cost of Spam
  • 60-70% of enterprise email is spam
  • Expected growth of 300% from 2003 to 2004
  • Source: Gartner
  • Spam impacts bottom line
  • Lost productivity is estimated to cost
    approximately 2000 per employee per year
  • Source: Nucleus Research
  • Spam traffic is growing
  • Over 17 billion pieces of spam are sent each day
  • Expected to grow to 23 billion by 2007
  • Source: IDC
  • Malicious intent
  • Up to 30% of spam messages contain some form of
    virus, spyware, worms, trojans or phishing
    attacks
  • Attacks are shifting from notoriety to financial
    gain

107
FortiGuard AntiSpam Subscription Service
  • Fortinet managed antispam service with dual
    pass scan technology for higher accuracy
  • For FortiGate and FortiMail appliances
  • Benefits
  • Greatly reduces processing overhead on email
    servers and antispam gateways
  • Reclaims bandwidth taken by spam email
  • Supplements any other antispam solution
  • Cost effective managed solution lowers
    maintenance overhead of managing static content
    filters

108
FortiGate High Availability
109
High Availability highlights
  • Supported on FortiGate-60 and higher
  • Supported in transparent mode or routed mode
  • Supports both Active-Passive and Active-Active
    configurations
  • HA connection acts as a heartbeat, constantly
    checking to see if the other unit is still
    operating, as well as passing session state info
  • Active-Active clustering of units provides both
  • Stateful failover
  • Effective load balancing to enhance system
    performance
  • Link status monitoring and failover
  • During failover
  • Stateful failover for both firewall and VPN
    traffic within 3 seconds
  • FortiGate units send an email and SNMP trap, and
    log the event
  • 6 load balancing algorithms supported
  • Round robin, weighted round robin, least
    connections, etc.

110
System Management
  • FortiOS Supports Web GUI, CLI (Telnet, SSH) and
    SNMP
  • Admin profiles provide read/write or read only
    access to major functions
  • Virtual Domain (VDOM) feature allows for multiple
    virtual firewall instances to be created and
    managed separately
  • Up to 250 VDOMs are allowed
  • Supported only on high-end units FG-3000 and
    above
  • VDOM feature is licensed based on max number of
    VDOMs supported
  • License available for 25, 50, 100, and 250 VDOMs
  • Optional FortiManager support for device, policy
    and VPN configuration management
  • Optional FortiAnalyzer support for content
    logging, reporting, quarantining, and user
    forensics
  • IPsec tunnel support to both FortiManager and
    FortiAnalyzer

111
Routing Protocols
Supports static and dynamic routing protocols,
including RIP v1 and 2, OSPF v2 and BGP v4
Also supports the PIM multicast routing protocol,
with support for dense mode and sparse mode
112
FortiManager
113
FortiManager hardware
  • Security-hardened appliance with simplified
    installation and improved system reliability and
    security
  • FortiManager 400
  • 2x 10/100/1000, 4x10/100
  • Unlimited number of managed nodes, no license
  • Recommendation: up to 200 devices
  • FortiManager 3000
  • 2x10/100/1000
  • Unlimited number of managed nodes, no license
  • Recommendation: up to 1000 devices

114
FortiManager modules
  • The dashboard gives access to the management
    modules
  • System Configuration Manager
  • Controls and monitors the operation of the
    FortiManager unit
  • Network settings, firmware changes, configuration
    backup and administrator access, etc.
  • Policy Device Manager
  • Adds FortiGate devices to the FortiManager Server
  • Organizes devices into groups
  • Allows configuration of a single device or a
    group of units
  • VPN Manager
  • Collectively set up and deploy the VPN
    configuration on the managed FortiGate devices
  • FortiClient Manager
  • Discovers and manages FortiClient installations

115
FortiManager Dashboard
116
System Manager Role-based administration
117
Device Manager Viewing a Config
Device configuration has been changed
118
Policy Manager Inheriting FW rules
119
Real-time Monitor Device views
120
Update Manager Device status
121
FortiAnalyzer
122
Security Monitoring and Reporting is a Big
Challenge for Large Organizations
[Diagram labels: Vendor A, Vendor B, Vendor C, VPN]
123
Fortinet FortiAnalyzer Family
  • Easy deployment
  • Scalable capacities
  • Secure logging
  • High availability
  • Built-in reporting

124
Enhanced Visibility With FortiAnalyzer
  • FortiAnalyzer provides external and centralized
    functions for enterprise-class deployments
  • Logging, Reporting, Alerting
  • Central Archiving, Quarantine and Vulnerability
    Scanning
  • Forensic Analysis
  • Network Traffic Analyzer (sniffer)
  • Tighter integration with FortiClient & FortiMail
    over time
  • FortiGate interaction creates single solution
    approach
  • FortiGate units can use FortiAnalyzer's network
    attached storage to perform the following
  • Central logging server
  • Central reporting engine
  • Content log archiving
  • Virus quarantine repair
  • Event correlation (identifies attacks and viruses
    by host)
  • Repository to upload reports to FortiGate UI for
    display

125
FortiAnalyzer Hardware
  • FortiAnalyzer 100A
  • 1x Hard Drive 120Gb
  • Supports up to 100 devices
  • FortiAnalyzer 800
  • 4x Hard Drives 120Gb or 400Gb
  • Redundant Power Supplies
  • Supports up to 500 devices
  • FortiAnalyzer 2000
  • 6x Hard Drives 120Gb or 400Gb
  • Hot Pluggable Drive Bays
  • Redundant Power supplies
  • Supports up to 750 devices

126
FortiAnalyzer Dashboard
  • Centralizes management summary information

127
FortiAnalyzer Report Example
  • Now over 300 different report templates available

128
FortiAnalyzer Integration
  • FortiGate Integration allows FortiOS to access
    FortiAnalyzer devices for
  • Log and content archive access
  • Report configuration and access
  • Quarantine access
  • Support for FortiManager and FortiClient logs
  • Device enhancement allows devices to belong in
    multiple groups

129
FortiAnalyzer Content Archiving
  • Content Archive Features
  • Archive Viewer
  • Real-time and historical log review of web, email
    and IM protocol content
  • User customizable filters
  • Archive Search with basic and advanced search
    capabilities
  • Content Archive upload to FTP server

130
Advanced Event Correlation Helps Find Compromised
Hosts and Attackers Faster
131
FortiAnalyzer Vulnerability Scanner
  • Vulnerability Scanner
  • Provides vulnerability scanning capabilities to
    over 1000 scan modules

132
Traffic Summary Reporting Provides Quick
Snapshots of Network Usage
133

How to secure email communications
  • FortiMail Secure Messaging Platform
  • Fortinet's latest security platform dedicated
    to safer email messaging

134
FortiMail: What is it?
  • Dedicated AS/AV appliance for email traffic only
  • Three modes of operation
  • Gateway mode
  • Transparent mode (unique to FortiMail)
  • Server mode
  • Provides inbound and outbound Antispam/Antivirus
    security
  • Supports multiple email domains and servers
  • FortiMail is NOT just a derivative of the
    FortiGate product - some code is borrowed, such
    as the AV engine, most code is NEW

135
Not just a FortiGate in a different box
  • FortiGate provides limited spam detection methods
  • FortiMail provides multi-layered spam detection
    methods, including
  • FortiGuard-Antispam
  • Spam Checksum Blocklist (SHASH)
  • Bayesian Filters
  • Heuristics
  • Forged IP checking
  • Greylisting
  • FortiMail provides email quarantine support
  • FortiMail provides email archiving support
  • FortiMail does not provide IPS, Web Filtering, or
    stateful firewall features

136
FortiMail Hardware FE-400
  • 4 10/100 ports
  • 2 10/100/1000 ports
  • Single 2.8 GHz CPU
  • 1GB RAM
  • 2x 120GB 3.5" IDE drives
  • Software RAID (0 or 1)

137
FortiMail Hardware FE-2000
  • 4 10/100/1000 ports
  • Dual Xeon 2.8 GHz CPUs
  • 2GB of RAM
  • 6x 120GB 3.5" SATA drives (Hot-swappable)
  • Hardware RAID (0, 1, 5, 10 or 50)
  • Redundant power supplies
  • Hot-swappable fans
  • Performance
  • 280K per hour (AS only) vs. 86K per hour with
    FE-400
  • That's 6.82 Million emails per day

138
Is FortiMail competitive?
  • In GW/TP mode, absolutely
  • Transparent mode is a unique feature to Fortinet
  • In Server mode
  • Excellent, basic SMTP mail server with integrated
    AV/AS
  • Groupware capabilities (directory, address books
    etc)
  • FortiMail-400 is competitive in the mid-market
    for price and performance
  • We have had success competing against Ironport,
    which is very expensive
  • FortiMail-2000 will bring ISP level performance
    at less than half the price of Ironport C-60

139
Competitive Summary
140
Competitive Summary
141
FortiClient
142
FortiClient Advanced Host Protection
  • Antivirus Protection
  • Antivirus and Spyware detection
  • Real-time, scheduled scanning
  • Virus quarantine and removal
  • Personal Firewall
  • User friendly interface with Zone setup
  • Preset Safe Application List for fewer popup
    questions
  • Network Intrusion Protection
  • Detects and blocks common network based attacks
  • Windows Registry Monitor
  • Improves detection of trojans, worms, viruses,
    and spyware
  • IPSec VPN Client
  • IE Popup Blocker
  • Multi-Language Support
  • Microsoft MSI installer for rapid deployment to
    many clients
  • Client lockout to prevent unauthorized
    configuration

143
FortiClient 3.0
  • FortiManager/FortiClient integration
  • FortiLog support (through FMG integration)
  • FortiGuard-Antispam support
  • Password locked configuration
  • USB token support (for VPN)
  • GUI improvements (ease of use related)
  • FSAE module for FortiGate AD integration included
    with FortiClient 3.0

144
FortiManager integration
  • Provide the ability to centrally manage
    FortiClient
  • Register and track FC seats
  • Deploy and update configuration settings from
    FortiManager server
  • Deploy AV updates from FortiManager server
  • Centralized logging and reports using
    FortiManager and FortiLog
  • Linked to FortiManager 3.0 project

145
FortiClient Mobile Features at a Glance
Windows Mobile 2003/Second edition
146
FortiGuard and FortiCare Services
FortiGuard Subscription Services
Antivirus
Antispam
IPS
Web Filtering
FortiCare Support
24x7 Telephone
8x5 Telephone
FortiCare Web Support
FortiOS
Operating System
Software Updates
Hardware Maintenance
Includes FW, VPN, TS, VS Return to
Factory or Advanced
Warranty Bundles
  • Americas
  • Unlimited Web Support Center
  • 1 year return to factory parts and labor
  • 90 days FortiOS Updates
  • 90 days FortiCare email Support
  • 30 days FortiGuard Subscription Services
  • EMEA
  • Unlimited Web Support Center
  • 1 year return to factory parts and labor
  • 90 days FortiOS Updates
  • 90 days FortiCare email Support
  • 30 days FortiGuard Subscription Services
  • APAC
  • 1 year FortiCare basic including
  • Unlimited Web Support Center
  • FortiCare email Support
  • Return to Factory Hardware Repair
  • FortiOS Updates
  • 30 days FortiGuard Subscription Services

147
Fortinet Training and Certifications
  • Fortinet Certified Network Security
    Associate (FCNSA)
  • Designed for Network Administrators, Account
    Executives, Product Evaluators
  • 1 Day Course: Principles of Network Security and
    FortiGate Configurations (Student kits can be
    ordered separately for self-study)
  • Fortinet Certified Network Security
    Professional (FCNSP)
  • Designed for Network Engineers, Sales Engineers,
    Security Architects
  • 3 Day Course: Implementing FortiGate Security
    and Content Inspection
  • 2 Day Course: Security Information Management
    using FortiManager and FortiLog (Optional)

148
Fortinet Differentiators - Products, Technology,
Service & Support
And Lowest Total Cost of Ownership
149
Fortinet Differentiators
  • Only system designed from the ground up for
    integrated network content security
  • Not a collection of 3rd party apps on standard
    server or firewall appliance hardware
  • Only ASIC accelerated AV system in the world
  • Only architecture that supports the same
    capabilities in products ranging from SOHO to SP
  • Simplest most attractive licensing model
  • All apps bundled with hardware (no extra costs)
  • Update subscriptions priced per box (not per user)

150
Thank you!