© Copyright Fortinet Inc. All rights reserved.
Software-Defined Security Framework
Agile Cloud & SDN
Lan & Wan Solutions – IT Solutions for Local & Wide Area Networks
Industry Validation for Fortinet’s Data Center Strategy
“Fortinet moves into second due to its strong position and price/performance, and [should] gain some ground at the very high end of the market.”
Data Center Security Products, Biannual Market Share, Size & Forecast, Oct 2014
Data Center Security Appliance Market Share
2015 Enterprise Firewall MQ – Fortinet Strengths:
“In addition to enterprise NGFW deployments, Fortinet is well-suited to deployments in carriers, data centers, service providers and distributed enterprises (for example, retail and franchises).
Fortinet has a well-articulated strategy regarding virtualization, public cloud and SDN, and has a promising partnership with VMware NSX.”
Data Center Trends
BYOD, Mobility & SaaS
• Anytime, anywhere access
• User-centric apps & services
• Customer/client responsiveness
Big Data & Internet of Things
• Billions of connected devices
• Continuous data aggregation
• Warehousing of petabytes of confidential data
Network Impact
• Higher core throughput & scalability
• Higher port density
• Increased small/mixed packet traffic
• Low user latency
• IPv4 to IPv6 migration
• Increased east-west traffic
Data Center Transformation
• Server & network virtualization
• Multi-tenant public clouds
• Elasticity & agility
Data Center Consolidation and SDN Evolution
Data Center Firewalls
Deployments
• Data center edge
• Top of rack
• Virtual machine protection
• SDN orchestration
Drivers
• Data center consolidation
• Migration 10G to 100G
• Network segmentation
• Securing East-West traffic
• Virtualization and SDN
Diagram: North-South and East-West traffic flows in the data center
Data Center/SDN VM & SDN Solution: FortiGate VM Series for VMware (NSX), Cisco ACI, OpenStack, AWS, Azure, KVM, Hyper-V
DC FW Solution: FortiGate High End Series with 100G+ throughput in an appliance
Software-Defined Security Vision
Diagram: Physical & Virtual Security Appliances (FortiGate, FortiManager, FortiSandbox, FortiAnalyzer, FortiWeb, FortiADC, FortiMail) across Virtualization (vSphere, XenServer, Hyper-V), SDN (NSX), Cloud (IaaS) and Cloud (SaaS)
1. Security must integrate with & support underlying SDx Infrastructure, i.e. cloud & SDN IaaS platforms
2. Security is itself fundamental infrastructure that can and should become agile and elastic, i.e. Software-Defined, independent of other SDx transformation
Fortinet’s Software-Defined Security Framework
Framework diagram:
• Planes: Data Plane, Control Plane, Management Plane
• Components: Hardware-Based Platforms; Virtual x86/Containers; Virtual Appliances/Services; Platform Orchestration & Automation; Single Pane-of-Glass Management
• Platform Extensibility spans the framework
Virtual Appliances/Services
Virtual Appliances & VDOMs Provide Scale-Out Elasticity
Diagram: scale-up versus scale-out across the performance boundary, on vSphere, XenServer and Hyper-V
Benefits
• Elastic Firewall Capacity
• East-West Traffic Visibility
• Deployable in Public Clouds
Platform Orchestration & Automation
Agility Through Control Plane Integration
Benefits
• Auto-Scaling Firewall & Rule Provisioning
• SDN Flow Visibility (dynamic flow control, overlay/underlay traffic)
• Dynamic Policies (follow logical port, IP, MAC)
Diagram: Fortinet Service VM alongside workload VMs on VMware; Control Plane Orchestration through NSX and ACI controllers
Network Visibility • Elastic provisioning • Distributed Object-based policy
Single Pane-of-Glass Management
Consistent Policies and Posture Across the Hybrid Cloud
Diagram: Centralized Management and Policy spanning Public Cloud, Physical Networks and Virtualization (VMware VMs)
• Management & Policy
• Logging & Analysis
• SaaS-Based Portal
Software-Defined Security Use Cases
Auto-Scale/Auto-Provision Protection for Elastic Workloads
Diagram: IaaS environment with multiple hypervisors
Requirements | Solution
Auto-scale virtual firewall capacity to new virtualization hosts | FortiGate-VMX
Auto-provision firewall rules to new workload VM instances | FortiGate-VMX, FortiGate for Cisco ACI
Orchestrate firewall service insertion, service chaining (via SDN flow control) | FortiGate-VMX, FortiGate for Cisco ACI
Orchestrate physical and virtual firewalls | FortiGate for Cisco ACI
Distributed firewall rules across cluster or data center | FortiGate-VMX, FortiGate for Cisco ACI
Scale web apps and social media to connect virally with customers, partners, users at cloud speed, while transparently ensuring data privacy & compliance
Software-Defined Security Use Cases
Secure Inter-VM Traffic in Virtual Environments
Diagram: Data Center Firewall (North-South) at the Data Center Edge; Virtual Machine Firewall (East-West) on each hypervisor; FortiManager and FortiAnalyzer provide Centralized Policy and Logging/Reporting
Requirements | Solution
Inter-VM traffic visibility | FortiGate-VM or FortiGate-VMX
Stateful firewall session during live VM migration (e.g. vMotion) | FortiGate-VMX
Distributed firewall across cluster (policies follow VM independent of logical IP/MAC) | FortiGate-VMX
Distributed firewall rules across distributed virtual switch | FortiGate-VMX
Inspect VXLAN encapsulated traffic | FortiGate-VMX
Centralized management across physical and virtual firewalls | FortiManager, FortiAnalyzer
Overcome visibility and enforcement challenges with inter-VM traffic and logical networks
Software-Defined Security Micro-Segmentation in Consolidated Data Centers
• Mitigate increasing concentration of data and risk in consolidated and multi-tenant data centers
• Declarative, whitelist-based policy model
• Fine-grained honeycomb based on users, roles, other metadata
• Deploy into flat, open networks without disrupting network and infrastructure
Diagram: Cisco APIC with spine nodes and leaf nodes
Platform Extensibility & Ecosystem Integration
Framework diagram:
• Planes: Data Plane, Control Plane, Management Plane
• Components: Hardware-Based Platforms; Virtual x86/Containers; Virtual Appliances/Services; Platform Orchestration & Automation; Single Pane-of-Glass Management
• Platform Extensibility connects the framework to the Cloud/SDN Ecosystem
Cloud/SDN Ecosystem: SDN Controllers, Programmable Switches, Cloud Management, Centralized Policy & Analytics, Orchestration Platforms
Interfaces: XML, JSON, Other Interfaces, Logging/Event, Mgmt APIs, CLI/Scripting
Fortinet Programmable Networking Partnership Ecosystem
Diagram: partner ecosystem around the Software-Defined Security Framework and Platform Extensibility, grouped as Orchestration Platforms, Programmable Switching, Centralized Policy & Analytics, SDN Controllers and APIs
• ACI announced
• vCNS certified
• NSX program
Fortinet Solutions
Lan & Wan Solutions – Innovating your company. Our challenge.
Fortinet Virtual Appliance Platform Support
Columns (left to right): VMware vSphere v4.0/v4.1, vSphere v5.0, vSphere v5.1, vSphere v5.5; Citrix XenServer v5.6 SP2, XenServer v6.0+; Open Source Xen, KVM; Amazon AWS; Microsoft Hyper-V 2008 R2, Hyper-V 2012
FortiGate-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔* ✔ ✔
FortiManager-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔
FortiAnalyzer-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔
FortiWeb-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔* ✔
FortiMail-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
FortiSandbox-VM ✔ ✔
FortiAuthenticator-VM ✔ ✔ ✔ ✔ ✔ ✔
FortiADC-VM ✔ ✔ ✔
FortiCache-VM ✔ ✔ ✔ ✔
FortiVoice-VM ✔ ✔ ✔ ✔ ✔ ✔
FortiRecorder-VM ✔ ✔ ✔ ✔ ✔ ✔
FortiGate-VMX ✔
Fortinet FortiGate-VMX
• The Challenge
» Tight integration with virtualization/network platform
» Shared object database for easy creation of security policies
» Automated deployment of security services and policy enforcement
» Easily support live migration(s) of applications within clustered environments
» Dynamic security policy updates for newly created services without normal time lag, paper trail, requests
• VMware Network Extensibility APIs (NetX)
Roadmap (January 2014 to 2015):
Proof of Concept – PoC (VMworld 2014)
• Demonstrated at VMworld
• FortiOS v5.2
• Full UTM functionality
vCNS Certification (Q4 2014) – vSphere v5.5u2 vCNS integration certified
• Plan for Q4 2014 release
• Support for vSphere v5.5 Update 2
• Certified with vCNS Manager
NSX Comp Certification (Q1 2015) – vSphere v5.5u2 vCNS integration NSX certified
• Plan for Q1 2015 release
• Support for vSphere v5.5 Update 2
• Certified compatible with NSX Manager
Native NSX SDK Certification (Q3/Q4 2015) – NSX new SDK integration
• Support for new NSX SDK
• Will only work with NSX deployments
• Advanced NSX NetX functionality for tighter control of traffic
Timeline markers: January 2014, Q3 2014, Q4 2014, 2015
Fortinet FortiGate-VMX
Diagram: VMware kernel on each host, connected through a vDistributed Switch
1. Initiate communication with vCenter Server
2. Register Fortinet as security service with vCNS Manager
3. Auto-deploy FortiGate-VMX to all hosts in security cluster
4. FortiGate-VMX connects with FortiGate-VMX Service Manager
5. License verification and configuration synchronization with FortiGate-VMX
6. Kernel agent creation and default re-direction rules for each host in cluster
7. Real-time updates of object database
8. Push policy synchronization to all FortiGate-VMX deployed in cluster
Cisco ACI Partnership
Source: Infonetics
• Technology collaboration with Cisco to bring Fortinet’s data center security to the #1 SDN platform sought by enterprise customers
• Joint PR and demo at RSA Conference
» Integration of FortiGate into Cisco ACI deployment
• Joint demo at Interop (April 2015)
• Product launch targeted late Q2 2015
Cisco ACI (Application Centric Infrastructure) Overview
Diagram: ACI Fabric in Datacenter with spine nodes, leaf nodes, APIC, VMs, and external/internal networks (NET-a, NET-b)
• PoC shows FortiGate service insertion and orchestration in Cisco APIC
» APIC (Application Policy Infrastructure Controller) is the SDN controller
» FortiGate device package contains XML metadata
» Customer benefits vary with use case, e.g. auto-provision new workloads in multi-tenant clouds
OpenStack Integration Efforts
• Service Providers – Open Source OpenStack
» With open source through extensible mgmt API
» In production in NEC and other provider clouds
• Enterprise – Supportable OpenStack distro
» HP Helion OpenStack emerging as frontrunner – need out-of-box integration
» Fortinet announced HP AllianceOne partnership
» FG-VM certified HP Helion Ready
Diagram: VMs on a hypervisor
Software-Defined Security for Service Providers
Software-Defined Security Framework Extensions for Service Providers
Framework diagram:
• Planes: Data Plane, Control Plane, Management Plane
• Components: Hardware-Based Platforms; Virtual x86/Containers; Virtual Appliances/Services; Platform Orchestration & Automation; Single Pane-of-Glass Management
• Platform Extensibility connects the framework to the Cloud/SDN Ecosystem (SDN Controllers, Programmable Switches, Cloud Management, Centralized Policy & Analytics, Orchestration Platforms) over XML, JSON, Other Interfaces, Logging/Event, Mgmt APIs, CLI/Scripting
Service Provider Extensions: SaaS; Multi-Tenancy; On-Demand Self-Service; Network Function Virtualization
Network Function Virtualization
Firewall VNF Service Chaining – Modular, Interoperable, Scalable
ETSI Multi-Vendor PoC on D-NFV (CPE)
D-NFV Alliance – Commercialized Offering on RAD Hardware
On-Demand Self-Service – Utility-Based Pricing/Metering
Benefits
• Orchestration
• Deployment and instantiation
• Service Insertion into virtual network
Pricing Options
• Hourly/Annual (per-instance)
• Five different instance sizes
• Bundled support subscription
Utility-based Consumption: Licensing, Provisioning, Metering, Billing
Protection On-Demand • Pay-as-you-Go • User/Tenant Self-Service
SaaS Multi-Tenancy - FortiPrivateCloud