Selling in the Telco sector
JOSE GRANDMOUGIN EMEA SENIOR CONSULTANT
26. 11. 2009
1. Protecting the Service Provider’s Infrastructure
[Diagram: Mobile Network, RADIUS Server, GGSN, SGSN]
2. Protecting the customer (Managed Security Service Provider)
[Diagram: three Subscriber Networks]
Security Solutions for Service Providers
• Two discrete solutions for Service Providers
Managed Security Services
[Diagram: NOC/SOC, Traditional CPE / Client Based MSS, Internet]
Virtualized Services
• Per Customer Virtual Domain
• Application Control
• Web Filtering
• AntiVirus / AntiSpyware
• Data Leak Prevention
• AntiSpam
• Intrusion Protection
• VPN (IPSec / SSL)
• Firewall
• Dynamic Routing
Security Processing Modules
ADM-XE2 and ASM-CE4
• Intrusion Prevention Offloading
  • Inspects traffic traversing network interfaces for network-based attacks
  • Provides protocol anomaly and signature-based inspection
  • Multi-Gigabit performance
• Firewall Offloading
  • Inspects traffic traversing network interfaces and blocks/allows according to firewall policy
  • Line-Rate performance
• IP Multicast Offloading
  • Accelerates and routes IP Multicast traffic
  • Contributes to improved performance of video, voice, and other IP Multicast applications
[Images: ASM-CE4, ADM-XE2]
NP4 Based Dual Wide AMC Module
• Compatible with 5001A/3810A
• Firewall and IPSec offload
• 4 x 10G SFP+ Interfaces
• Includes 2xSR SFP+ transceivers
• 20G Firewall Processing
• 8G IPSec VPN Processing
ADM-XD4
Value Added Internet Access Services
COMPETITION
• Juniper
• CrossBeam
• Cisco
WINNING FACTORS
• Protection Profiles and Virtualization
• Routing flexibility
• Hardware scalability
[Diagram: Customer 1, Customer 2, Customer 3, Internet]
Value Added RAS
COMPETITION
• Cisco
• Juniper
WINNING FACTORS
• Features Integration, IPSec, SSL VPN, Antivirus, Web Filtering
• Self Service Management Portal
[Diagram: Client, CPE, Internet]
3G High-Performance VAS
COMPETITION
• Cisco
• Juniper
WINNING FACTORS
• Features Integration, Fast Antivirus services
• Self Service Management Portal
• 10Gb real throughput
[Diagram: Internet, 3G Network]
Management Interfaces in the Cloud
[Diagram labels: Provisioning, Billing, Troubleshooting, Monitoring; NOC / SOC; Network; Self Service Portal; Device Groups; Customers. Interface labels: JSON API, XML API, XML API / GUI, CLI / SNMP / GUI. Function labels: Log / Archive, Quarantine, Mgmt, GUI]
FortiManager Portal User
• Portal Customization
  • Development Toolkit
  • Provides a full set of customization options
  • Function, content, and branding
  • Secondary database interfaces
• Consumer Portal
  • Simplified option set
  • Uses Development Toolkit
  • Targets consumer opportunities
  • Linked with Dynamic Profile Feature on FortiOS Carrier
Virtualized Management
[Diagram: Admin 1, Admin 2; Device Group 1, Device Group 2; Customer 1, Customer 2]
Multiple Administrative Domains
• Administrative Domain (ADOM)
• Per Customer / Device Group Policy Management
• Per Customer / Device Report Generation
• Supports VDOM groups and physical device groups in any combination
Dynamic Security Profiles
Applies to two key target service provider markets
• Managed Security and Mobile
Allows user “Self-Service” automation
• RADIUS Accounting Record attributes used to create a context for a source IP address
• Context can associate IP address with any other RADIUS attribute
  • Username, MSISDN, Service Name
• Protection Profile also extracted from the RADIUS record
• Assumes an authentication event has occurred within the Carrier’s network
  • Typical in both fixed (DSL) and mobile environments
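The mechanism described above, sketched as an added example (not Fortinet code and not part of the original slides): an RFC 2866 Accounting-Request is authenticated, parsed, and turned into a source-IP context. Assumptions: the profile name travels in the Class attribute and the MSISDN in Calling-Station-Id; the shared secret and all sample values are constructed.

```python
import hashlib, hmac, ipaddress, struct

ACCT_REQUEST, START, STOP = 4, 1, 2            # RFC 2866 code / Acct-Status-Type
USER_NAME, FRAMED_IP, CLASS, CALLING_ID, ACCT_STATUS = 1, 8, 25, 31, 40

def build_acct(ident, attrs, secret):
    """Encode an Accounting-Request; used here only to construct sample input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body

def parse_acct(packet, secret):
    """Return {attr_type: value}; ValueError if malformed or unauthenticated."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    packet = packet[:length]                   # octets past Length are padding
    # Request Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret)
    want = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(want, packet[4:20]):
        raise ValueError("bad Request Authenticator")   # spoofed or wrong secret
    attrs, i = {}, 20
    while i < length:
        if i + 2 > length or packet[i + 1] < 2 or i + packet[i + 1] > length:
            raise ValueError("bad attribute length")
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    return attrs

def apply_acct(table, packet, secret):
    """Update the source-IP -> context table from one accounting record."""
    a = parse_acct(packet, secret)
    if len(a.get(FRAMED_IP, b"")) != 4 or ACCT_STATUS not in a:
        raise ValueError("record lacks Framed-IP-Address or Acct-Status-Type")
    ip = str(ipaddress.IPv4Address(a[FRAMED_IP]))
    status = int.from_bytes(a[ACCT_STATUS], "big")
    text = lambda t: a.get(t, b"").decode("utf-8", "replace")
    if status == START:                        # endpoint attached: create context
        table[ip] = {"user": text(USER_NAME), "msisdn": text(CALLING_ID),
                     "profile": text(CLASS)}   # assumption: profile name in Class
    elif status == STOP:                       # endpoint detached: drop context
        table.pop(ip, None)
    return table

SECRET = b"constructed-shared-secret"          # constructed sample values below
SAMPLE_START = build_acct(1, [(USER_NAME, b"alice"), (FRAMED_IP, bytes([10, 0, 0, 5])),
    (CALLING_ID, b"33600000001"), (CLASS, b"child-safe"),
    (ACCT_STATUS, struct.pack("!I", START))], SECRET)
```

Because the applied profile is taken from whatever accounting record arrives, the Request Authenticator check is what stops an unauthenticated sender from assigning a profile to someone else's IP address.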
[Diagram: RADIUS Server; RADIUS Accounting Message; Dynamic Policy Created]
Dynamic Security Profiles: Portal Provisioning
[Diagram: Portal Server]
• Provides an authenticated bypass of the Service Restrictions
  • Within a domestic environment
• Both end-points (users) are behind the same NAT boundary
• Clientless solution to differentiate access – no software to ‘hack’
• Parental control is maintained
[Diagram: Home user 1 (Adult) and Home user 2 (Child), DSL, NAT]
Dynamic Security Profiles: In Home Parental Control*
*FortiOS Carrier 4.1
• Per end-point Black / White List
  • End points (users, MSISDN) can have their own black / white list
  • No requirement for end user to access FortiGate infrastructure
  • Can be populated on Self Service Portal
• Dynamically configured on FortiGate as end points attach
  • RADIUS VSA Extension, no fixed limit for URLs
[Diagram: DSL+3G, RADIUS, Self Service Portal, www.badsite.com]
Dynamic Security Profiles: End-Point customisation
*FortiOS Carrier 4.2
Infrastructure protection
FortiOS Carrier 4.0 Highlights
Dynamic Profiles
• Per user services via a RADIUS API
• Protection Profile derived from RADIUS record
Session Initiation Protocol (SIP) Security
• Stateful SIP tracking, Malicious SIP message protection, SIP Rate Limitation
• SIP Transparent or SIP NAT mode, IP Topology Hiding, RTP Pinholing
• Geographical Redundancy, SIP Stateful High-Availability
Multimedia Message Service (MMS) Security
• Antivirus, Antispam/Antifraud, Antiphishing (via Web Filtering)
• Sender and Admin notification
GPRS Tunneling Protocol (GTP) Firewall
• 3GPP 29.060 version 6.9.0, including Overbilling Protection
• Protocol Anomaly Checks, IMSI/APN/IE filtering
FortiCarrier SIP Security
[Diagram: NGN Network Topology. Labels: Softswitch; SIP Application Server (AS); Signalling Control (SIP); Media Control (RTP); All Traffic – Access and Peering; SIP Firewall; Session Border Controller; Optional RTP bypass]
- Hosted NAT Traversal
- Call Admission
- Interoperability
- Interworking (IWF)
- Media Pinholing and Policing

- Call Control
- Routing
- Features
- Billing

- SIP aware Firewall
- Denial of Service prevention
- Message Filtering
- Message rate limiting
- IPS detection and prevention
VOICE SECURITY
Mobile Security
FortiCarrier also provides:
• MMS Antivirus
  • MM1/3/4/7
  • Monitor mode
  • Intercept, Archive, Quarantine, Block Actions
  • Sender Notification and alerting
• MMS Antispam
  • MM1/4
  • Duplicate Message, Sender Flooding
  • Admin Notification
[Diagram: MMSC; MM1, MM3, MM4, MM7; Internet; Other Operator; Content Provider]
Cloud / Endpoint Managed Services
Global Service Offerings
• FortiGuard™ Global Research Team provides original security intelligence via FortiGuard subscriptions
  • Antivirus
  • Intrusion Prevention
  • Web Filtering
  • Antispam
• FortiCare™ Support services provide technical assistance anywhere, anytime
  • Multiple service levels to meet customer requirements
FortiMail – Email Security
• Role Based Administrative Domain Management
  • Thousands of domains
• LDAP Profiling
  • Outsourced policy management / service enablement
• Inbound and Outbound Antivirus and Antispam
• Centralised Quarantine
• Multiple Operating Modes
  • Server, Gateway/Relay and Transparent
• Unlimited License Model
  • Not per mail box or domain
• Integrated with FortiManager and FortiAnalyzer
• Chassis Blade and Appliance Form Factor
FortiClient: Desktop Access to FortiGuard Services
• Antivirus & Antispyware Protection
• Personal Firewall
• Content Filtering
• Windows Registry Monitor
• IPSec VPN Client
• Private Label Branding
• Microsoft MSI installer for rapid deployment to many clients
• Client lockout to prevent unauthorized configuration
• License Control
FortiMobile Security Client Software
• Symbian Series 60
  • 2nd Edition: v7.0s, V8.0a, v8.1a
  • 3rd Edition: v9.1, v9.2, v9.3
• Windows Mobile
  • 2003 SE: Pocket PC, PPC Phone
  • 5.x: Pocket PC, PPC Phone, Smartphone*
  • 6.x: Professional, Standard, Classic
• Capabilities include
  • Personal Firewall
  • VPN (IPSec, SSL)
  • Incoming Call Filter
  • SMS Antispam
  • Antivirus
  • Phone Security (Contact / SMS / Call Log / Data Encryption)
  • Multi-Language Support
*Smartphone support to be added in 4.3
Questions?