Firewall
Published on Scribd by skumar51907740, Sep 22, 2010 (Attribution Non-commercial).

Firewall Product Introduction

Perry Chang 張佳鴻 Tel: (07) 332-5492 pchang@netstarnetwork.com

Agenda
• Firewall introduction: what is a firewall
• Security Policy Implementation
• Cisco Firewall Product
• NetScreen Firewall Product
• Fortinet Firewall Product

What is a firewall?

A firewall is a network security device positioned to separate two different networks, usually placed between an organization's internal, trusted network and the Internet. It lets legitimate users obtain the data published on the network as normal, while preventing illegitimate users from deliberately causing damage, and protects both published and unpublished data. An Internet firewall is a piece of software or hardware that helps block hackers, viruses and worms that try to reach your computer through the Internet. Seen from the network application architecture, the firewall is the first checkpoint against the outside world entering or leaving at will.

Why is a firewall needed?
• With the growth of the Internet, the boom in e-mail, rampant computer viruses and unscrupulous hackers, information and network threats and crises follow one after another.
• Every firewall represents a single point of entry: all access entering the network is inspected, authorized and authenticated. The firewall filters suspicious network access according to a configured rule set (policy) and raises alerts.
• A firewall can help block many kinds of malicious attacks before they travel across the Internet to reach your systems and cause problems, and can notify the network administrator immediately with effective alerts.
• A firewall also helps prevent your computer from being used, without your knowledge, to attack other people's servers and computers.

Types of firewall
• Hardware firewall: a "box" whose configuration software is embedded in its chips. Installation and configuration are usually simpler than for a software firewall, with higher performance and speed.
• Software firewall: installed on servers running various operating systems, it provides different levels of firewall service according to the server's class and performance. Because it is configured in software it is more flexible and extensible, and the packet rules it can express are more varied and complex, but it usually needs a specialist to manage it.

Firewall basic functions
Each kind of firewall, depending on how it handles network traffic, offers a different degree of protection and flexibility. The following introduces several basic firewall types and the functions they provide.

1. Packet filtering
Packet filtering is a simple firewall mechanism. It is often combined with a router, and most major vendors ship packet filtering as the default configuration. This kind of firewall examines the packet's source and destination IP addresses and TCP/UDP ports and decides, according to simple rules set by the administrator, whether to accept or reject the packet. The packet filter takes each packet, runs it through the administrator's rules and checks whether the packet is allowed through or rejected. The packet filter operates at the network layer and does not touch the data inside the packet.

Firewall basic functions
2. Proxy server
Each network application protocol (FTP, HTTP, SMTP and so on) has its own proxy program that speaks that protocol. Because an application-layer firewall does not allow direct transmission between the networks, the traffic passing through the firewall can be logged and inspected in detail. The "virtual connection" an application-layer firewall establishes automatically hides the internal client's IP address, so people on the Internet do not learn the internal network's structure. A proxy server, often called an application gateway, allows indirect access to the Internet through the firewall. Proxies are also widely used for HTTP: the proxy stores the pages users have browsed, and when another user browses the same address the proxy serves the stored copy, greatly reducing network traffic. Pages are deleted after a set period with no visitors, and most hosts set a short refresh time for frequently visited sites so that users do not see stale pages.

Firewall basic functions
3. Stateful inspection
A stateful packet firewall (sometimes called intelligent packet filtering) controls traffic in a way similar to packet filtering, but goes further and examines the content of the packet flow rather than just filtering individual packets. A stateful inspection firewall filters on the packet's source and destination IP addresses, port numbers and the requested service. These firewalls are called "stateful" because they remember the state of earlier connections: they build, in memory, the relationship between successive packets of each flow. Using that context the firewall checks each newly received packet and decides whether it is a new connection or the continuation of an existing one. In the latter case the firewall performs far fewer checks than it does for a new connection.
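The difference between the packet filter of point 1 and the stateful inspection of point 3, as an added example that is not part of the original presentation or of any vendor's product: a stateless filter that admits "replies" by looking only at the source port and the ACK flag, beside a stateful filter that keeps a session table and admits an inbound packet only when an inside host opened that session. The network prefix, addresses, ports and packets are constructed for the demonstration.

```python
"""Stateless packet filter vs. stateful inspection on constructed TCP packets.

Added example (not the presentation's or any vendor's code). The network
prefix, addresses, ports and packets below are made up for the demonstration.
"""
from dataclasses import dataclass

INSIDE = "10.0.0."   # constructed trusted network: 10.0.0.0/24


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    sport: int    # source TCP port
    dport: int    # destination TCP port
    syn: bool     # TCP SYN flag
    ack: bool     # TCP ACK flag


def is_inside(ip):
    return ip.startswith(INSIDE)


def stateless_filter(pkt):
    """Packet filter: each packet is judged on its own header fields."""
    outbound = is_inside(pkt.src) and not is_inside(pkt.dst)
    inbound = is_inside(pkt.dst) and not is_inside(pkt.src)
    # Rule 1: inside hosts may talk to web servers on the Internet.
    if outbound and pkt.dport == 80:
        return "accept"
    # Rule 2: replies from web servers must get back in. Without session
    # memory the only handle is "source port 80 and ACK set", which any
    # outside host can forge (see the ACK probe to an inside RDP port below).
    if inbound and pkt.sport == 80 and pkt.ack:
        return "accept"
    return "drop"


class StatefulFilter:
    """Stateful inspection: remembers sessions opened from inside and admits
    an inbound packet only if it belongs to one of them."""

    def __init__(self):
        # Session key: (inside ip, inside port, outside ip, outside port)
        self.sessions = set()

    def filter(self, pkt):
        outbound = is_inside(pkt.src) and not is_inside(pkt.dst)
        inbound = is_inside(pkt.dst) and not is_inside(pkt.src)
        if outbound:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.sessions:
                return "accept"               # continuation of a known session
            if pkt.dport == 80 and pkt.syn and not pkt.ack:
                self.sessions.add(key)        # new outbound web session
                return "accept"
            return "drop"
        if inbound:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.sessions:
                return "accept"               # reply to a session we opened
            return "drop"                     # unsolicited, whatever its flags
        return "drop"


def compare(packets):
    """Run both filters over a packet sequence; returns (stateless, stateful) verdicts."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.filter(p)) for p in packets]


# Constructed traffic.
LEGIT_SYN = Packet("10.0.0.5", "203.0.113.10", 40000, 80, syn=True, ack=False)
LEGIT_SYNACK = Packet("203.0.113.10", "10.0.0.5", 80, 40000, syn=True, ack=True)
LEGIT_DATA = Packet("10.0.0.5", "203.0.113.10", 40000, 80, syn=False, ack=True)
ACK_PROBE = Packet("198.51.100.7", "10.0.0.9", 80, 3389, syn=False, ack=True)
UNSOLICITED_SYN = Packet("198.51.100.7", "10.0.0.9", 5555, 80, syn=True, ack=False)
TRAFFIC = [LEGIT_SYN, LEGIT_SYNACK, LEGIT_DATA, ACK_PROBE, UNSOLICITED_SYN]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  stateless={stateless}  stateful={stateful}")
```

The forged ACK from port 80 to an inside host's port 3389 is accepted by the stateless rules and dropped by the session table; only the legitimate SYN, its SYN-ACK and the following data segment pass both.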

Basic firewall architectures
A. No firewall
Small businesses and personal computers often use no firewall at all; their servers or PCs are directly exposed to the Internet. With nothing to block them, hackers or viruses can attack the server or PC directly, causing the operating system to malfunction, interrupting the server's services, and possibly stealing important company or personal data. Being directly exposed to the Internet without a firewall is therefore quite dangerous.

B. Firewall facing the Internet only
This architecture uses a firewall only on the external side. It suits small businesses and personal users whose main use of the network is to offer customers a web server to browse and a mail server for sending mail, and to let staff look things up online. It provides basic protection and achieves its protective effect. Figure 1: servers and PCs on the same segment.

B. Firewall facing the Internet only (continued)
The operating systems and antivirus software of internal servers and PCs still need regular updates, to avoid a system vulnerability or careless PC use leading to an infection that turns the whole internal network into a storm of virus packets, affecting the servers and every PC (Figure 1). The architecture in Figure 2 prevents the problem shown in Figure 1. Figure 2: servers placed in a DMZ, separated from both the LAN and the WAN.

Security Policy Implementation
Network security is a continuous process built around a security policy.
• Step 1: Secure
• Step 2: Monitor
• Step 3: Test
• Step 4: Improve
(The cycle runs Secure, Monitor, Test, Improve around the Security Policy.)

Securing the Network
Implement security solutions (authentication, encryption, firewalls, patching, access controls and so on) to stop or prevent unauthorized access or activities and to protect information.

Monitoring Security
Detect violations of the security policy through system auditing and real-time intrusion detection. Validates the security implementation in step one.

Testing Security
Validates the effectiveness of the security policy implementation through system auditing and vulnerability scanning.

Improving Security
Use information from the monitor and test phases to make improvements to the security implementation. Adjust the security policy as security vulnerabilities and risks are identified.

Product introduction
1. Cisco Firewall Product
2. NetScreen Firewall Product
3. Fortinet Firewall Product

Cisco Security Solutions
Secure Connectivity
• Appliances: Cisco VPN 3000 Series, Cisco PIX firewalls, Cisco Catalyst 6503/6506 switches
• Integrated: Cisco IOS VPN, Switch VPN Module, SOHO 90, 830, 1700, 2600, 3600, 3700, 7000 series
Extended Perimeter Security
• Appliances: Cisco PIX firewalls, Cisco Catalyst 6503/6506 switches
• Integrated: Cisco IOS Firewall, Switch Firewall Module, SOHO 90, 830, 1700, 2600, 3600, 3700, 7000 series
Intrusion Protection
• Appliances: Cisco 4200 Series, Cisco PIX firewalls, Cisco Catalyst 6503/6506 switches
• Integrated: Cisco IOS IDS, Switch IDS Module, host based
Identity Services
• Cisco Access Control Server, "IBNS" 802.1X extensions
Security Management
• VPN Solutions Center, CiscoWorks VPN/Security Management Solution, CiscoWorks Hosting Solution Engine

Perimeter Security: PIX Firewall
The following are the PIX Firewall features and uses:
• Dedicated hardware appliance
• Implemented at the physical perimeter between the customer intranet and the other company's intranet
• Restricts access to network resources
• Determines whether traffic crossing in either direction is authorized
• Typically used for site-to-site VPNs
• Limited IDS
• Little or no impact on network performance

PIX Firewall Family (price vs. functionality)
• PIX 501: SOHO
• PIX 506E: ROBO (remote office/branch office)
• PIX 515E-UR: SMB
• PIX 525-UR: Enterprise
• PIX 535-UR: SP (service provider); Gigabit Ethernet at the top of the range

PIX Firewall 501
• Designed for small offices and teleworkers
• 3,500 simultaneous connections
• 10 Mbps cleartext throughput
• 133 MHz processor
• 16 MB of SDRAM
• Supports one 10BaseT Ethernet interface (outside) and a 4-port 10/100 switch (inside)
• 3 Mbps 3DES throughput
• 5 simultaneous VPN peers

PIX Firewall 506E
• Designed for small and remote offices
• 10,000 simultaneous connections
• 20 Mbps cleartext throughput
• 300 MHz processor
• 32 MB RAM
• Supports 2 interfaces (10BaseT)
• 16 Mbps 3DES throughput
• 25 simultaneous VPN peers

PIX 515E
• Designed for small to medium businesses
• 128,000 simultaneous connections
• 188 Mbps cleartext throughput
• 433 MHz processor
• 64 MB RAM
• Supports 6 interfaces
• Supports failover
• 63 Mbps 3DES throughput
• 2,000 IPsec tunnels

PIX 525
• Designed for enterprise
• 280,000 simultaneous connections
• 360 Mbps cleartext throughput
• 600 MHz processor
• 256 MB RAM
• Supports 8 interfaces
• Supports failover
• 70 Mbps 3DES throughput
• 2,000 IPsec tunnels

PIX 535
• Designed for enterprise and service providers
• 500,000 simultaneous connections
• 1.7 Gbps cleartext throughput
• 1 GHz processor
• 1 GB RAM
• Maximum of 10 interfaces
• Supports failover
• 96 Mbps 3DES throughput
• 2,000 IPsec tunnels

Firewall Services Module
• Designed for high-end enterprise and service providers
• Runs in Catalyst 6500 switches and 7600 Series routers
• Based on PIX Firewall technology; PIX Firewall 6.0 feature set (some 6.2)
• 1 million simultaneous connections
• Over 100,000 connections per second
• 5 Gbps throughput
• 1 GB DRAM
• Supports 100 VLANs
• Supports failover

Cisco PIX Device Manager v3.0 Overview
• Intuitive, web-based interface for securely managing a single remote Cisco PIX Security Appliance
• Powerful Java interface provides a rich user experience for configuration and real-time health monitoring
• Supports all new features found in Cisco PIX Security Appliance software (PIX OS) v6.3, including: virtual interface support (802.1q VLANs); OSPF dynamic routing; enhanced ACL editing; comments in ACLs; syslog per ACL entry; AES and DH Group 5 VPN support; H.323 v3/4 and MGCP support
• Improved performance via applet caching and decreased image size
• Available on all Cisco PIX Security Appliance models including 501, 506E, 515E, 525, 535 and other supported models

PDM: New "Dashboard"
• New toolbar gives easy access to primary functions
• System information including software versions installed, device type and licensed features
• Current number of active VPN tunnels
• Current/historical trending data for CPU and memory utilization
• Historical trending data for connections and traffic going in/out of the "outside" interface
• Current time at the remote Cisco PIX Security Appliance
• Status of the connection to the remote Cisco PIX Security Appliance
• Detailed info for each physical/virtual interface, including IP address, link status and current throughput
• Status message
• Current administrator logged in and their access level (0 to 15)

Cisco PIX Device Manager v3.0 Provides Robust Platform Management Features
• Flexible interface gives complete control over site-to-site VPNs, including IKE and IPsec policies: authentication policy (shared secret or X.509 certificate); encryption policy (DES, 3DES, AES); tunnel lifetimes, keepalive intervals and NAT traversal policies
• Provides comprehensive remote access VPN support for Cisco hardware and software VPN clients, as well as L2TP/IPsec and PPTP clients: user authentication policies; primary/backup Easy VPN Servers; DHCP address pools, NAT traversal, split DNS and split tunneling policies; and much more
• Configure the Easy VPN Remote (hardware VPN client) feature on select PIX models

Cisco PIX Device Manager v3.0 Provides Comprehensive Device Health Monitoring
• Real-time status of: event log (syslog); administrative connections to the PIX via PDM/HTTPS, SSH and Telnet; authenticated users; DHCP client lease information; PPPoE connection information; user licenses in use (on PIX 501)
• Real-time visibility into site-to-site VPN connections and the variety of remote access VPN methods supported (Cisco Easy VPN, L2TP/IPsec and PPTP)
• A wealth of real-time and historical graphs and exportable data tables for: memory and CPU utilization; connections/xlates; IPsec, L2TP and PPTP VPN tunnels; attacks detected by type/protocol; byte/packet counts per interface
• Also supports creating bookmarks to your favorite, commonly used real-time graphs

NetScreen Security Solutions
Deployment tiers: core networks, central sites, regional sites, medium offices, small offices, remote users and telecommuters (NetScreen-Remote). Product families: Firewall and VPN, Intrusion Prevention, NetScreen-Global PRO management.
Security
• Integrated security: firewall, VPN and DoS protection
• Application-level protection: intrusion prevention, AV integration
Resiliency
• High availability options at the device level
• Network resiliency features
• Dynamic routing support
Management
• Centralized management
• Rapid deployment
• Central monitoring and reaction
Total Cost
• Cost-effective security solutions
• Lower TCO than competing options

Broad Market and Solution Coverage
Segments: Carrier, Cloud, Enterprise Central Site, Medium Site, Small Office, Telecommuter.
Products (largest to smallest): NetScreen-5000 Series, NetScreen-1000, NetScreen-500, NetScreen-200 Series, NetScreen-50, NetScreen-25, NetScreen-5XT, NetScreen-5XP, NetScreen-Remote.
Management: NetScreen-Global PRO, NetScreen-Global PRO Express.

000 40.000 1. Sessions 1.000 25 100 58 NetScreen-204 / NetScreen-208 NetScreen-50 128.000 Max. F/M1 2A/P NetScreen-5200 1. Virtual Systems 500 Max.000 Max. A/A.000 10 100 NA NA 2 NetScreen-5XP 2.000 4. Policies 40.000 NA 32 18 32.000 1.008 Max. Virtual Routers H A 24 Mini-GBIC OR 6 12Gbps FW Mini-GBIC + 72 6Gbps VPN 10/100 8 Mini-GBIC OR 2 Mini-GBIC + 24 10/100 4Gbps FW 2Gbps VPN 502A/P. Virtual LANs 4. VPN Tunnels 25.000 NA 32 4 NetScreen-25 4 10/100 8. A/A. F/M 502A/P.000 10 100 NA NA 2 (3 with home/ work) NetScreenRemote NA NA 100 NA NA NA NA NA No .008 NetScreen-500 Up to 8 10/100 or 8 700Mbps FW Mini-GBIC or 4 GBIC 250Mnps VPN 8 10/100 (NS-208) 4 10/100 (NS-204) 4 10/100 550Mbps /400Mbps FW 200Mbps VPN 170Mbps FW 50Mbps VPN 100Mbps FW 20Mbps VPN 70Mbps FW 20Mbps VPN 70Mbps FW 20Mbps VPN 20Mbps FW 13Mbps VPN 10Mbps AES for 400MHZ PC 250.000 20.000 10.000 500 NA NA 4 2A/P Lite NetScreen-5XT 1 10/100 Untrust. F/M 27A/P.000 500 4.000 Max. 4 10/100 Trust 2 10 BaseT 2.000 25. 4 10/100 Trust 1 10/100 Untrust. Security Zones 1.000 100 (plus 400 dial up) 25 (plus 100 dial up) 10 1. A/A.NetScreen’s Security Product Line Firewall/VPN Product NetScreen-5400 Interfaces Max.000 100 NA NA 2 2Dial back up 2Dial back up 2No NetScreen-5GT 2.000 Max.000. Throughput Max.000. A/A F/M 7A/P.

Right Level of Integration, Right Part of the Network
Axes: remote site to central site; performance and IT resources; number of sites; importance of integration (low to high).

Stand-alone IDP
• Dedicated devices for network and application attacks
• Supports 50 protocols: Web, P2P, database, instant messaging, etc.
• Over 1,800 signatures
• 8 attack detection mechanisms (network and application)
• Capability/performance-optimized solution

Deep Inspection Firewall
• Integrated device for network and application attacks
• Supports key Internet services: Web, e-mail, file transfer and DNS. First release: HTTP, SMTP, POP, IMAP, FTP, DNS
• About 250 application attacks
• 2 application attack detection mechanisms
• Integration-optimized solution

Stateful Inspection Firewall (network-level protection only)

NetScreen Deep Inspection: Network and Application Level Protection
• Stateful Inspection (network level): track sessions; deny traffic
• Deep Inspection (application level): reassemble, normalize and eliminate ambiguity in application traffic; check protocol conformance; detect application attacks; deny some attacks

NetScreen Deep Inspection: The Details
• Delivered via ScreenOS 5.0
• Protection for 258 application-level attacks and protocol deviations (at initial release)
• Support for key Internet-facing protocols: HTTP, SMTP, POP, IMAP, FTP, DNS
• Configurable on an attack-specific, per-policy basis
• Deep Inspection Signature Service: Stateful Inspection plus Deep Inspection (application attack protection)

Deep Inspection Firewall: Pervasive Application-Level Attack Protection
• Application-aware firewall integrating Stateful Inspection and Intrusion Prevention technologies
• Network and application-level attack protection for small, remote and branch offices and telecommuters
• Strengthens the overall security stance at the perimeter with minimal impact on management overhead and network complexity
Slide diagram: headquarters with DMZ, NetScreen-IDP and Central Management; branch office, remote office and telecommuter sites. Legend: Stand-alone IDP, Deep Inspection Firewall, Stateful Inspection Firewall.

End-to-End Gateway Antivirus
Central site and regional site: Trend Micro Gateway Antivirus
• Redirect to antivirus using Trend's CSP
• Improved security at regional offices and central sites
• Supported on NetScreen-25/-50/-204/-208/-500
• Transparent to the end user
• Scans HTTP and SMTP traffic
• Trend server compatibility: VirusWall 3.6 on Solaris now
Remote site: Embedded Antivirus on the NetScreen-5GT
• Integrated best-of-breed solutions for firewall/VPN and antivirus
• Cost-effective antivirus deployment
• Transparent to the end user
• Scans POP3, SMTP and HTTP traffic
• Pattern file updates direct from Trend

NetScreen Management Interfaces (including NetScreen-25 and -50)
• CLI: familiar command line interface over RS232, Telnet and SSH
• Web UI: embedded web server, HTTP and SSL
• NetScreen-Global PRO: proprietary interface
• SNMP: standard MIB and private extension
• Syslog: standard traffic reporting and alerts
• 3rd party: Websense, WebTrends

Quickly Deploy Remote Devices
• Simplified installation via Rapid Deployment
• Eliminates the need for pre-staging the device
• Eliminates the need for "technical expertise" at the point of installation
• Reduces provisioning time and cost; gets new devices up and running quickly
• Lower training costs: no need to enter any CLI commands; 4-click installation through the WebUI
Steps (NetScreen-Security Manager 2004):
1. Configure the device on the management server
2. Generate and export the startup config file. It carries a unique ID for tracking purposes, the Untrust interface configuration, the parameters that "register" the device to the management server, the user/password configuration for secure communications, and the management server's IP address or domain name
3. The encrypted startup config file is sent to the remote site
4. WebUI download of the startup config
5. Secure communication is established
6. Validation of the startup config
7. Automatic config update; one-time password

Simple Policy Control
• Normal firewall policy with multi-cell capability; click to edit or view details
• Options: NAT, logging, URL filtering, Deep Inspection, antivirus, etc. Features (Deep Inspection, NAT, Log, AV) are controlled on a per-policy basis
• Dynamic grouping directly in the policy specification for addresses and ports
• Direct control in the box via WebUI or CLI
• Simplifies the management of a single device
• Simplifies migration of configuration from other vendors' products

Fortinet: FortiGate Product Family
Segments: SOHO, Branch Office, Medium Enterprise, Large Enterprise, Service Provider/Telco.
Performance scale on the slide (Mbps): 30, 70, 95, 120, 200, 300, 1G, 2G, 4G, 20G.
Models, low to high: FortiGate-50/50A, FortiGate-60, FortiWiFi-60 (NEW!), FortiGate-100, FortiGate-200, FortiGate-300, FortiGate-400, FortiGate 500, FortiGate 800, FortiGate-1000, FortiGate-3000 (NEW!), FortiGate-3600, FortiGate-4000; FortiManager System for management.
Feature call-outs: dual USB ports; DMZ port, integrated 4 managed switch ports, dual WAN connection (entry models); WLAN capabilities (FortiWiFi-60); redundant power, gigabit performance, four 10/100/1000 ports, multi-zone (12 10/100 ports), high availability, enhanced remote client capacity, integrated logging (20 Gbyte) (high-end models).
All models: virus/worm scanning, content filtering, firewall, intrusion detection and prevention, VPN, traffic shaping.

Fortinet  Fortinet Positioning: Best-of-breed antivirus gateway • Highest total throughput • Highest Performance & Multifunction per $ .No.1 Antivirus Gateway .

A Unique Solution Unmatched by Any Alternative
Application layer
• AntiVirus: McAfee (Network Associates), Trend, Symantec
• Content Filtering: WebSense
• IDS/IDP: ISS, Intruvert (NET), Recourse (SYMC), Symantec (5X00)
Network layer
• VPN and Firewall: NetScreen, SonicWall, Watchguard, CheckPoint, Cisco
Axis: software-based vs. ASIC-based.

Network Security Technology Must Evolve (intelligence and threat coverage, 1990 to 2005)
• Stateful Inspection: simple intrusions, denial of service attacks
• Deep Packet Inspection: sophisticated intrusions, viruses, Trojans, worms
• Complete Content Protection: inappropriate web content, e-mail spam

To Stop Content-Based Threats Requires More than Deep Packet Inspection: Complete Content Protection
1. Reassemble packets into content
2. Compare against disallowed content and attack lists
(Slide illustration: an HTTP download of the Gettysburg Address text, split across packets, with injected "BAD CONTENT" strings matched against a disallowed-content list and attack signatures.)
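The two-step "reassemble, then compare" approach on this slide and the reassemble/normalize/protocol-conformance pipeline of the NetScreen Deep Inspection slides above, as an added example that is not from Fortinet, NetScreen or the original presentation. The HTTP request, its TCP segments and the signature list are constructed here. It shows why per-packet matching misses an attack string that is split across out-of-order segments and hidden by percent-encoding, while inspection of the reassembled, normalized stream catches it, flags a non-conforming request line, and holds judgment when bytes are missing.

```python
"""Per-packet signature matching vs. deep inspection of the reassembled stream.

Added example (not Fortinet's, NetScreen's or the presentation's code). The
HTTP request, TCP segments and signature list are constructed here.
"""
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes


# Constructed attack and disallowed-content list, not a vendor database.
SIGNATURES = [b"/cgi-bin/phf", b"BAD CONTENT"]
ALLOWED_METHODS = {b"GET", b"POST", b"HEAD"}


def match_per_packet(segments):
    """Stateless content match: look for signatures inside each segment alone."""
    return {sig for s in segments for sig in SIGNATURES if sig in s.payload}


def reassemble(segments):
    """Order segments by sequence number and trim retransmitted overlap.
    Returns None when bytes are missing, since a partial stream cannot be judged."""
    ordered = sorted(segments, key=lambda s: s.seq)
    stream = b""
    expected = ordered[0].seq
    for s in ordered:
        if s.seq > expected:
            return None
        stream += s.payload[expected - s.seq:]    # skip bytes already seen
        expected = max(expected, s.seq + len(s.payload))
    return stream


def parse_request_line(stream):
    """Split the HTTP request line and percent-decode the target so that
    '%70hf' and 'phf' compare equal (normalization removes the ambiguity)."""
    line = stream.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3:
        return None
    method, target, version = parts
    return method, unquote_to_bytes(target), version


def inspect(segments):
    """Deep inspection: reassemble, normalize, check protocol conformance,
    then compare the whole request against the signature list."""
    stream = reassemble(segments)
    if stream is None:
        return ("hold", "incomplete stream")
    parsed = parse_request_line(stream)
    if parsed is None:
        return ("deny", "protocol anomaly: malformed request line")
    method, target, version = parsed
    if method not in ALLOWED_METHODS or not version.startswith(b"HTTP/"):
        return ("deny", "protocol anomaly: unexpected method or version")
    haystack = target + b"\n" + stream        # decoded target plus raw headers/body
    hits = [sig.decode() for sig in SIGNATURES if sig in haystack]
    if hits:
        return ("deny", "signature: " + ", ".join(hits))
    return ("accept", "clean")


# Constructed traffic. The attack path is percent-encoded and split across
# segments that arrive out of order, so no single segment contains it.
REQUEST = b"GET /cgi-bin/%70hf?Qalias=x HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
EVASIVE = [Segment(9, REQUEST[9:30]), Segment(0, REQUEST[:9]), Segment(30, REQUEST[30:])]
CLEAN = [Segment(0, b"GET /index.html HTTP/1.0\r\n\r\n")]
ANOMALOUS = [Segment(0, b"SMASH /index.html HTTP/1.0\r\n\r\n")]
BAD_BODY = [Segment(0, b"POST /upload HTTP/1.0\r\n\r\nFour score and BAD CONTENT")]
GAPPED = [Segment(0, REQUEST[:9]), Segment(30, REQUEST[30:])]   # middle segment lost

if __name__ == "__main__":
    print("per-packet hits on evasive request:", match_per_packet(EVASIVE))
    for name, segs in [("evasive", EVASIVE), ("clean", CLEAN), ("anomalous", ANOMALOUS),
                       ("bad body", BAD_BODY), ("gapped", GAPPED)]:
        print(f"{name:10s} -> {inspect(segs)}")
```

Holding rather than accepting an incomplete stream is the conservative choice a gateway must make: passing the bytes seen so far would let an attacker deliver the tail of an attack in a segment the inspector never correlates with the head.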

Fortinet Developed a Unique Architecture for Complete, Real-Time Network Protection
Core technology
• FortiASIC Content Processor: proprietary Fortinet chip, hardware scanning engine, hardware encryption, real-time content analysis
• FortiOS Operating System: real-time networking OS, high performance, robust and reliable

Fortinet Developed a Unique Architecture for Complete, Real-Time Network Protection (continued)
Functions running on the FortiASIC Content Processor and FortiOS Operating System: antivirus, intrusion detection/prevention, content filtering, traffic shaping, VPN, firewall, antispam, virtual systems.
• Instant attack updates
• Centralized management
• Comprehensive support

Real-Time Monitoring with Historical Graphical Representation

Built-in Management Functionality (in every FortiGate unit)
• SNMP: Simple Network Management Protocol
• SSH: Secure Shell
• CLI: command-line interface
• Web GUI: web graphical user interface (a "killer app")
• Security through SSL

Antivirus Feature Highlights
• High performance: the world's only ASIC-based antivirus solution; No. 1 ICSA-certified ASIC-based AV gateway
• Virus scanning: full coverage of the "WildList" viruses, including polymorphic viruses; quarantine of infected and suspicious files and blocking of oversized files
• Policy-based
• Rapid threat reaction: updated by the Threat Response Team and the FortiResponse Distribution Network; automatic push updates for AV and NIDS definition databases

Firewall Feature Highlights
• High performance: ICSA-certified stateful inspection firewall; NAT, Route and Transparent mode; H.323 NAT traversal; authentication with user groups, LDAP and RADIUS; routing for WAN failover; supports over 40 standard and user-defined services (e.g. FTP, GRE, Telnet, RealAudio, Oracle*8, etc.)
• Policy based
• Control and management: DHCP relay and WINS support; one-touch management for AV, FW and VPN tunnels; interoperates transparently with an existing firewall

Network Intrusion Detection System (NIDS) Highlights
• High performance: network monitoring without performance degradation; NIDS supported on all interfaces simultaneously, including sub-interfaces mapped to VLANs
• ICSA-certified
• Industry-leading range of signature support: signature database of over 1,400 known attacks; signature-based attack recognition (the most proven solution); support for customer self-defined signatures
• Protocol anomaly detection and prevention: 34 attack signatures covering TCP, UDP, ICMP and IP
• Customizable: attack list and e-mail alert

FortiProtect Services Ensure Rapid Response to New Threats
• Fortinet Threat Response Team and update distribution servers
• FortiResponse Center web portal and e-mail bulletins
• Automatic updates can reach all FortiGate units worldwide in under 5 minutes

Q&A
Thank you!
