Title: B
1 Integrated Security Solution
beyaz.net, March 2006
2 Questions
- How many viruses or trojans have infected your computers?
- Are you sure you are secure?
- How many different security solutions do you use?
- Can you follow the logs of your security solutions and take action?
- Can you identify problems in your security solutions?
3 The number of security attacks is rising rapidly
Number of reported attacks
Source: CERT Coordination Center, Carnegie Mellon University, Feb 2004
4 Security Preferences
5 Security Costs
Attacks in 2003
Year-on-year change 2002-2003
Hacking 13.5
Virus 91.1 Cost 67.1
Companies are putting more effort into minimizing the impact of the attacks
Source: HKCERT Information Security Survey 2003
6 Threats and Solutions
Figure: speed and damage of threats over time (1970 to 2000). Categories: physical, connection-based, content-based. Threats shown: hardware theft, intrusions, viruses, trojans, worms, banned content, spam.
7 Threats
8 New Threats
Example: Sobig.F
- Propagation: sends mail through its own SMTP server, using information found on the computer
- Vector: email with a .PIF or .SCR attachment
- Function: harvests email addresses
- Payload: downloads a file from one of 20 different sites and runs it
9 Costs
Source: mi2g 02/04
10 Integrated Threat Management
11 Complete security requires many different solutions
Hacker
Malicious email
Viruses, worms
Intrusions
Banned content
www.find_a_new_job.com www.free_music.com www.pornography.com
12 Many new threats have managed to get past standard security measures
- Slammer, LovSan/MSBlaster, SoBig, MyDoom
- Many antivirus and IDP products failed to detect them.
- Why?
- Antivirus systems filter only certain ports
  - Mail (SMTP, POP3, IMAP), Web (HTTP), File Transfer (FTP)
- Some new threats use protocols that antivirus products do not inspect
  - RPC, TFTP, SQL, etc.
- Intrusion prevention systems are generally difficult to manage.
- New and different types of attacks require fast updates.
- Detecting attacks at the first point of entry has become important.
13 How Stateful Inspection Firewalls Work
A stateful inspection firewall blocks network-level attacks
Diagram labels: Content Filter, Firewall / VPN, IDS/IDP, Antivirus
14 Firewalls generally do not inspect content
DATA PACKETS
http://www.freesurf.com/downloads/Gettysburg
Four score and BANNED WORDS our forefathers brou
ght forth upon this continent a new nation,
n liberty, and dedicated to the
proposition that all
Undetected attacks (Worm)
Packet header (TO, FROM, TYPE OF DATA, etc.)
Packet data
15 Deep Packet Firewall
Deep Packet Inspection combines IDS/IDP systems with Stateful Inspection firewall solutions.
Diagram labels: Content Filter, Firewall / VPN, IDS/IDP, Antivirus
16 Some attacks may still go undetected
DEEP PACKET INSPECTION
Looks inside each packet individually; if the content is split across packets, it cannot catch it
http://www.freesurf.com/downloads/Gettysburg
Four score and seven years ago our for BANNED
WORDS forth upon this continent a new nation,
n liberty, and dedicated to the
proposition that all
17 Complete Protection
Firewall, IDS/IDP, AV and CF running together.
Diagram labels: Content Filter, Firewall / VPN, IDS/IDP, Antivirus
18 Deep Packet Inspection is not sufficient to detect content-based attacks.
INTEGRATED CONTENT BLOCKING
1. The contents of the packets must be reassembled.
http://www.freesurf.com/downloads/Gettysburg
Four score and BANNED WORDS our forefathers brou
ght forth upon this continent a new nation,
n liberty, and dedicated to the
proposition that all
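The gap described on slides 16 and 18, as an added example (not part of the original presentation and not Fortinet code): a per-packet keyword scan misses a pattern split across two segments, while a scan of the reassembled stream finds it. The payload text, byte offsets and function names are constructed for illustration.

```python
# Added example: keyword matching per packet vs. on the reassembled stream.
# Payloads, offsets and function names are constructed for illustration.
PATTERN = b"BANNED WORDS"

# Constructed payloads modelled on the slide: the pattern straddles a boundary.
PAYLOADS = [
    b"Four score and seven years ago our for BANNED",
    b" WORDS forth upon this continent",
    b" a new nation",
]

def make_segments(payloads):
    """Assign each payload its byte offset in the stream, like a TCP sequence."""
    segments, offset = [], 0
    for data in payloads:
        segments.append((offset, data))
        offset += len(data)
    return segments

def per_packet_hits(segments, pattern=PATTERN):
    """Scan every payload on its own; returns offsets of matching segments."""
    return [seq for seq, data in segments if pattern in data]

def reassemble(segments):
    """Rebuild the contiguous stream from (offset, payload) pairs in any order.
    Stops at the first gap; on overlap the bytes already accepted are kept."""
    stream = bytearray()
    for seq, data in sorted(segments):
        if seq > len(stream):
            break  # missing bytes: nothing past the gap can be judged yet
        stream += data[len(stream) - seq:]
    return bytes(stream)

def stream_hits(segments, pattern=PATTERN):
    """Scan the reassembled stream; returns byte offsets of every match."""
    stream, hits = reassemble(segments), []
    pos = stream.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = stream.find(pattern, pos + 1)
    return hits

if __name__ == "__main__":
    segs = make_segments(PAYLOADS)
    arrival = [segs[0], segs[2], segs[1]]  # out-of-order arrival
    print("per-packet:", per_packet_hits(arrival))
    print("reassembled:", stream_hits(arrival))
```

A scanner that stops at a gap has to hold the later segments until the missing bytes arrive, which is where the buffering and processing cost of content reassembly comes from.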
19 Stateful / Deep Packet Inspection / Complete Content Protection
20 An integrated solution requires more powerful hardware
Figure: scale of 1, 10, 100, 1000 against time (1990 to 2005) for three inspection levels: Stateful Inspection, Deep Packet Inspection, Complete Content Protection. Threats shown: simple intrusions, denial of service attacks, sophisticated intrusions, viruses, trojans, worms, inappropriate web content, email spam.
21 Complete Protection
Hacker/Malware X
Malicious email X
Viruses, worms X
Intrusions X
Banned content
www.find_a_new_job.com www.free_music.com www.pornography.com
22 Comparison
23 General Security Infrastructure
Integrated solution
High performance
Antivirus, Intrusion Detection, Intrusion Prevention, Firewall, VPN, Web Content Filtering, Email Content Filtering
Hardware (ASIC) Based Platforms
Comprehensive Security Approach
Fast updates
Real-Time Update Network
24 New-Generation Content and Attack Security
25 Fortinet Applications
26 Wide Product Range
Price points from 500 to 30,000
Figure: FortiGate Product Family, performance (Mbps) by model and market segment (SOHO, Branch Office, Medium Enterprise, Large Enterprise, Service Provider/Telco).
Models shown: FortiGate-50, FortiGate-60, FortiGate-100, FortiGate-200, FortiGate-300, FortiGate-400, FortiGate 500, FortiGate 800, FortiGate-1000, FGT-2000, FortiGate-3000, FortiGate-3600, FortiManager System.
Performance scale marks: 30, 70, 95, 120, 200, 300, 1G, 2G, 4G.
Feature callouts: Dual USB ports, integrated 4 managed switch ports, Dual WAN connection; DMZ port, traffic shaping; Integrated Logging (20 Gbyte); Enhanced remote client capacity; High Availability; Multi-Zone (12 10/100 ports); Four 10/100/1000 ports; Gigabit performance; Redundant power.
Capabilities: Virus/Worm Scanning, Firewall, VPN, Intrusion Detection, Content Filtering
27 Edge Protection
28 Gartner Report
Firewalls must provide a wider range of
intrusion prevention capabilities, or face
extinction
Fortinet has demonstrated its investment in
powerful network processing technology by
filtering viruses in-line, which requires an
unprecedented level of packet assembly and
filtering.
29 Features
- Firewall
- Anti-Virus, Anti-Malware
- IDS - IDP
- VPN
- Content Filtering
- FortiASIC, FortiOS
- Traffic Shaping
- Load Balance
30 FortiASIC
Content Assembly Scanning Memory
FortiASIC Content Processor
Signature Memory (Virus, Worm, Keywords, etc.)
General Purpose CPU(s)
System Management (CLI, Web, SNMP, AutoUpdate)
FortiOS Operating System
System Bus
Physical Interfaces (10/100, GigE, etc.)
31 Network and Firewall Features
- Multiple WAN Link
- Multi Zone Support
- Routing
- Static Routing
- OSPF, RIP
- Policy based routing
- Policy Based NAT
- Virtual Domains
- VLAN tagging
- H.323 NAT Traversal
- DNS, WINS, DHCP, PPPoE, Dynamic DNS support
- NAT, Route, Transparent mode
32 Antivirus Features
- High Performance
- The world's only ASIC-based antivirus solution
- First and only ICSA-certified, hardware-based AV gateway
- Policy-based
- Virus scanning
- Full coverage of the WildList viruses, including polymorphic viruses
- Quarantine of infected and suspicious files, blocking of oversized
- Rapid threat reaction
- Updated by Threat Response Team, FortiResponse Distribution Network
33 IPS Features
- High Performance
- Network monitoring without performance degradation
- NIDS supported on all interfaces simultaneously, including sub interfaces mapped to VLANs
- Industry leading range of signature support
- Signature database of close to 1,400 known attacks
- Support for customer self-defined signatures
- Signature-based attack recognition
- Protocol anomaly detection and prevention
- 34 attack signatures covering TCP, UDP, ICMP and IP
- Customizable
- Attack list
- e-mail alerts
34 VPN Features
- PPTP, L2TP and IPSEC
- Dedicated Tunnels
- DES, 3DES, AES encryption
- SHA-1, MD5 Authentication
- IKE Certificate Authentication
- IPSec NAT Traversal
- DialUp Support
- SSL VPN
35 User Features
- Local users
- LDAP, RADIUS support
- Active Directory support
- XAuth over RADIUS support for IPSec VPN
- IP/MAC address binding
- Admin Users
- Role based administration
- Multiple administration level
- Web and CLI interface (HTTPS and SSH)
36 High Availability Features
- FortiGate Clustering Protocol
- Active-Active
- Active-Passive
- HA in transparent mode
- Stateful failover for both firewall and VPN traffic within 3 seconds
- Link status monitoring and failover
- HA Alert
- During failover, the FortiGate units in an HA group send an email and SNMP trap, and log the event.
37 Other Features and Products
- Anti Spam
- Traffic Shaping
- IM and P2P Filtering (Block and Limit)
- Logging
- Integration
- FortiAnalyzer
- FortiMail
- FortiManager
- FortiClient
38 References
- Istanbul Büyüksehir Belediyesi
- I.S.K.I.
- BELBIM
- I.E.T.T.
- Marmara Üniversitesi Hastanesi
- Haydarpasa Numune Hastanesi
- Istanbul Maden ve Metal Ihracatçi Birlikleri
- Gebze Fatih Devlet Hastanesi
- Medicana Bahçelievler Hastanesi
- Medicana Avcilar Hastanesi
- NöroPsikiyatri Istanbul Hastanesi
- Bursa Devlet Çocuk Hastanesi
- Rize Sar Hospital
- Alanya Can Hastanesi
- Istanbul Hava Limanlari
- M.S.B. Kalite Yönetim Baskanligi
- Arsan Dogalgaz
- Kadin Koordinasyon Merkezi
- Final Dersaneleri
39 Thank you!