Fortinet Security Fabric – Protecting from IoT to Cloud
[Diagram labels: Scale, Awareness, Security, Actionable, Open; Client Security, Secure WLAN Access, Secure LAN Access, Network Security, Application Security, Cloud Security, IoT, Alliance Partners; Global Intelligence, Local Intelligence]
Email is *the* critical threat vector
Malware
• Targets unskilled users, therefore often volumetric attacks
• Use of social engineering techniques to get users to open email and execute malware
• Some zero day, mostly a numbers game
Phishing
• Targets an interest group, organization or individuals (spear phishing) within the organization
• Customised content based on user interests or role
• Often targeted at C-levels (whaling)
• Zero day malware or social engineering to divulge financial or credential information
• 12% of users click on malicious attachments or links in such mails*
Compliance & Data Loss
• Sending of Personally Identifiable Information (PII) via Email
• Sending of corporate confidential information out of the organization
• Corporate espionage
• Failure to encrypt sensitive emails
• Failure to backup/save/archive emails to comply with corporate standards
• IRS – 7 years
• PCI – 1 year
• State depts – 3 years
• HIPAA – 6 years
Lack of email security and management can lead to direct financial impact through fraud or indirect impact through regulatory fines and negative PR.
Protection from Email-based Threats
Primary Challenges
• Email common entry point for attackers
• Spam, attachments, phishing
• Targeted attacks
• Compliance, privacy and data control
• Users are major contributing factor to risk
Solution
• FortiMail Email Security
• Inbound and outbound threat protection
• Data loss prevention and encryption
• FortiSandbox integration
Advantages
• 42 consecutive VBSpam awards
• 44 VB100 awards
• Highest performance in industry
[Diagram labels: FortiSandbox, FortiMail, FortiGuard, Email Server]
FortiMail Overview
Behavior-based Detection of the Unknown
“99% of malware hashes are seen for only 58 seconds or less. This reflects how quickly
hackers are modifying their code to avoid detection.” *
FortiGuard IP Reputation
* Source: Verizon 2016 Data Breach Investigations Report
Key Features
Anti-Spam/Anti-Phishing
FortiGuard Reputation Databases
» Cloud database query to identify known spam IP and content
FortiGuard Antivirus, Anti-Spam and URL Filtering
FortiGuard IP Reputation including Botnets
» Removes volumetric spam at low cost
Advanced Filtering Techniques
» Detects new Spam campaigns using a variety of dynamic techniques
Header Analysis
Dynamic Heuristics
Behavior Analysis
Sender Reputation
Suspicious Newsletter
DKIM / SPF / DMARC
Greyware Scanning
Anti-Malware
FortiGuard Anti-Malware (On-box)
» One-to-many signature matching (CPRL)
» Heuristic detection
» Code emulation & Behavioural analysis
Outbreak detection
» FortiGuard Data Analytics
» Behavioral Analysis
Take Action Based on Profiles
» File discarded, option to Quarantine and event logged
FortiSandbox
FortiMail actively mitigates threats by queuing emails whilst waiting for a FortiSandbox result
Deployment Options
Gateway Mode
• Most common deployment scenario
• Mail is delivered to FortiMail, scrubbed of threats and forwarded to destination mailserver
Transparent Mode
• Deployed as a bump in the wire. No configuration changes required to the email infrastructure.
• Commonly utilised in the ISP and Carrier environment.
Server Mode
• FortiMail acts as a full mailserver providing POP3, IMAP, Webmail and calendaring in addition to security functions.
Active-Passive Cluster
• Two devices, full failover protection
• Heartbeat and Service Monitoring
• Full mailbox, archive, quarantine, log and queue synchronization
Config Only HA
• Linear scalability suitable for the largest ISPs and Carriers
• Centralized quarantine, management and IBE
• Enables DR and geographic redundancy
• Load balanced option using FortiADC or third party load balancer
Solution
» FortiMail can be deployed alongside Office 365 in the Microsoft Azure Cloud for enhanced security and content protection.
Case Studies
Case Study: Utility
Why We Won
• Better price/performance and features
• Fully unified single vendor solution
• VBSPAM and VB100 reports
Who We Beat
• Replaced McAfee, beat Cisco
Case Study: Higher Education
Why We Won
• Effective at catching targeted Emails
• Easy to install and manage
• Continued roadmap innovation
“Since we deployed FortiMail, we have had no compromised accounts, and have been able to give more attention to programs that impact student outcomes.”
Case Study: Financial Services
Organization and Challenge
• Electronic payment manufacturer/processor
• Ensure compliance with PCI and, more importantly, increase data protection
Who We Beat
[Diagram labels: DATA CENTER, FortiSandbox, FortiMail, FortiGate]
Case Study: Government Contractor
FortiMail Secure Email Gateway
agents
Upgrading datacenter to 40Gbps, also concerned about security and availability
FireEye, McAfee
Why We Won
[Diagram labels: FortiSandbox, FortiMail, FortiGate, FortiDDoS, INTERNET]
Who We Beat
• Cisco Ironport
Why We Won
• FortiMail Outbound Blacklisting protection
• Scalability and no per mailbox licensing (millions of subscribers)
[Diagram labels: Policy routing, Port 25, ISP Core, Network WAN]
Product Line
Performance & Scalability
[Chart labels: FML-60D, FML-200E, FML-400E, FML-1000D, FML-3000E, FML-3200E; FML-VM00, FML-VM01, FML-VM02, FML-VM04, FML-VM08, FML-VM16, FML-VM32; FML Cloud]
Email Routing (Msgs/hr)* | 3.6K | 80k | 157k | 680k | 1.5M | 1.8M
AS+AV Perf. (Msgs/hr)* | 2.7K | 61k | 126k | 500k | 1.3M | 1.5M
Recommended for | Demo/Home | Small Office | Mid Enterprise | Mid/Large Enterprise | Large Enterprise, ISP, Carrier, University | Large Enterprise, ISP, Carrier, University
*Note: Performance numbers are for physical appliances only.
Comparative Position
Capability | Fortinet | ProofPoint | Cisco | Symantec | Microsoft
Transparent Mode | ✓ | ✓ | ✗ | ✗ | ✗
Gateway Mode | ✓ | ✓ | ✓ | ✓ | ✗
Server mode | ✓ | ✗ | ✗ | ✗ | ✓
Physical Appliance | ✓ | ✓ | ✓ | ✓ | ✗
Virtual Appliance | ✓ | ✓ | ✓ | ✓ | ✓
Cloud Appliance (Azure) | ✓ | ✗ | ✗ | ✗ | ✗
Managed Service | ✓ | ✓ | ✓ | ✓ | ✓
Fully inclusive IBE | ✓ | ✗ | ✗ | ✗ | ✗
VBSpam validated | ✓ | ✗ | ✗ | ✗ | ✗
“High End” Models
Capability | Fortinet | ProofPoint | Cisco | Microsoft
IDC Marketplace Report | Leaders | Major Players | Leader | Not rated
Highly effective anti-spam | ✓ | ✓ | ✗ | ✗
Appliance Options | Hardware, VM, Cloud, SaaS | Hardware, VM, SaaS | Hardware, VM, SaaS | Software, SaaS
(different products)
Why FortiMail?
Fortinet provide an end-to-end portfolio of sandbox integrated solutions with a simple licensing model
FortiMail is proven best of breed for anti-spam, antivirus and sandboxing
» 99.997% Spam catch rate / 0% False Positives
IDC MarketScape “Leaders”
FIPS 140-2 and Common Criteria NDPP Certified
Fortinet are leading the market for advanced email threat prevention
https://www.virusbulletin.com/uploads/pdf/magazine/2016/201605-vbspam-comparative.pdf
Additional Resources
Technical challenges
» Architecture and high level of performance
» MTA flexibility – to adapt to any network/mail environment
» Multi-tenancy (virtualization) – to adapt to any customer requirement, independently from each other (per customer settings)
» Mass provisioning
Simplify customer provisioning
Easily scale configuration for multiple thousands of customers
» Offering what the customer needs – a diversity of services
» Delegate administration tasks to customers
Tiered administration and role-based management
Managed Email Services
Service Options
MSSP – In the cloud – Clean Pipe
Scenario 1
[Diagram: outgoing mail, incoming mail; protection of multiple customer domains on a shared appliance]
MSSP – In the cloud – Clean Mailbox
Scenario 2
FortiMail in relay or transparent mode
» In transparent mode there is no need to modify the MX records of the customer domains
» Common requirement to prevent IP Blacklisting in a carrier/ISP environment
[Diagram: outgoing mail, incoming mail; protection of multiple customer domains on a shared appliance]
Multi-tenant architecture
[Diagram labels: Employee Domain, Hosted Domain, Clean Pipe Domain]
Multi-tenant architecture - Domain policies
Per domain protection policies:
» Antispam, antivirus, content, encryption
Per domain authentication policies:
» SMTP authentication server
» Webmail authentication server
Per domain resource allocation:
» Rate of new connections for each source IP
» Concurrent connections for each source IP
» Number of concurrent connections addressed to a customer domain
[Screenshot: resource allocation based on the destination virtual IPs]
Multi-tenant architecture – Administration
Tiered administration
» Admin accounts can be defined on a per domain basis
» Delegation of management on a per domain basis
Role-based management
» Different roles can be assigned to admin accounts:
Policy management and domain settings
Quarantine
BWL
Report* configuration and log access*
Multi-tenant architecture – Role-based management
[Screenshot: assign a domain to an admin account; assign a management profile to admin account]
Access management profiles – Customization
Mass Provisioning – Scenario 1
Mass Provisioning – Scenario 2
Configuration scalability, scenario 1 – LDAP domains
When FortiMail receives a mail for an unknown domain, it queries LDAP to:
» determine if the recipient domain is listed (i.e. if it is an internal domain to protect)
» retrieve the server IP for mail delivery
LDAP domains – Benefit for scenario 1 and 2
LDAP is used as the central repository for domain and policies
» New customer enrollment does not require changing FortiMail settings
» Operation and maintenance tasks are minimized
The LDAP server may connect to another backend database if customer provisioning is not performed on LDAP:
» i.e. an LDAP connector is used to query a backend SQL database
» This allows FortiMail to interface with other provisioning databases
User provisioning is done only once – during customer registration
No duplicate management efforts
Benefit:
» Manage 40k domains on one appliance and do not configure any customer domain
» Split mail processing into multiple appliances but still centrally manage configuration
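The LDAP domain lookup described on the two slides above, as an added example that is not FortiMail code or configuration: the recipient domain from RCPT TO is validated, escaped per RFC 4515 and looked up to decide between relay and reject. The directory is a constructed in-memory stand-in, and the attribute names (mailDomain, mailHost, policyTemplate) and function names are assumptions.

```python
import re

# Constructed directory entries. Attribute names are hypothetical, not
# FortiMail's schema; the template names are the service classes on this page.
DIRECTORY = [
    {"objectClass": "mailDomainEntry", "mailDomain": "customer-a.example",
     "mailHost": "192.0.2.10", "policyTemplate": "remote.bronze"},
    {"objectClass": "mailDomainEntry", "mailDomain": "customer-b.example",
     "mailHost": "192.0.2.20", "policyTemplate": "hosted.gold"},
]
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
_FILTER_RE = re.compile(r"\(&\(objectClass=([^()]*)\)\(mailDomain=([^()]*)\)\)")

def escape_filter_value(value):
    """RFC 4515 escaping, so recipient data cannot change the search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def search(filter_str):
    """Stand-in for an LDAP search; a bare '*' value matches every entry."""
    m = _FILTER_RE.fullmatch(filter_str)
    if not m:
        return []
    cls, raw = m.groups()
    wildcard = raw == "*"
    value = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    return [e for e in DIRECTORY if e["objectClass"] == cls
            and (wildcard or e["mailDomain"] == value)]

def route_recipient(rcpt):
    """Return (action, next_hop, template) for an SMTP RCPT TO address."""
    local, sep, domain = rcpt.strip().strip("<>").rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or not _DOMAIN_RE.match(domain):
        return ("reject", None, None)   # malformed: never sent to the directory
    flt = ("(&(objectClass=mailDomainEntry)(mailDomain=%s))"
           % escape_filter_value(domain))
    hits = search(flt)
    if len(hits) != 1:
        return ("reject", None, None)   # unknown or ambiguous domain
    return ("relay", hits[0]["mailHost"], hits[0]["policyTemplate"])

if __name__ == "__main__":
    for rcpt in ("alice@customer-a.example", "bob@Customer-B.Example.",
                 "carol@unknown.example", "mallory@*"):
        print(rcpt, "->", route_recipient(rcpt))
```

Because the recipient address is sender-controlled, the filter value is both validated and escaped; an unescaped `*` would otherwise match every provisioned domain.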
MSSP service class – Examples
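Scenario | | Clean pipe (#1) | Clean pipe (#1) | Clean pipe (#1) | Hosted (#2) | Hosted (#2) | Hosted (#2) | Custom
Service class | | Bronze | Silver | Gold | Bronze | Silver | Gold |
Customer | Enterprise size | Small | Medium | Large | Small | Medium | Large |
Customer | Number of users | <500 | 500< >5000 | >5000 | <500 | 500< >5000 | >5000 |
| Template | remote.bronze | remote.silver | remote.gold | hosted.bronze | hosted.silver | hosted.gold |
Domain settings | Recipient verification | Customer MTA | Customer MTA | Customer MTA | Central LDAP | Central LDAP | Central LDAP |
Domain settings | Custom disclaimers | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓
Resource allocation | Virtual host | IP-bronze | IP-silver | IP-gold | IP-bronze | IP-silver | IP-gold | Custom
Resource allocation | Session profile | Low | Medium | Large | Low | Medium | Large | Custom
Outbound relay | MTA | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Outbound relay | Roaming users | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓
Filtering services | Antivirus | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Filtering services | Antispam | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Filtering services | Content | ✗ | ✗ | ✓ | ✗ | ✗ | ✓ | ✓
Advanced services | Quarantine | ✗ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓
Advanced services | Encryption | ✗ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓
Advanced services | Archive | ✗ | ✗ | ✓ | ✗ | ✗ | ✓ | ✓
Authentication | Quarantine (webmail) | ✗ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓
Authentication | Secure mail (webmail) | ✗ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓
Authentication | SMTP (roaming users) | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓
Administration Delegation | Domain and policies | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓
Administration Delegation | Quarantine | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓
Administration Delegation | BWL | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓
Administration Delegation | Log*, report* | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓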
Template Policies
Configuration performance
Service Opportunities – Identity Based Encryption
Available on any FortiMail appliance (small to high-end)
» Does not require any specific new hardware
A message is encrypted according to defined policies
» Encryption policies are defined using IP addresses, email addresses, domain names, keywords in subject line, headers or mail content, etc.
The recipient receives the message and can decrypt it regardless of his/her environment
» Identity Based Encryption is clientless
No need for software/plugin to read a Secure Email
Interoperability with any email client (Lotus Notes, Outlook, Thunderbird, Webmail such as Gmail, Yahoo, Hotmail, etc.)
» Messages can be read at any location through a browser-based interface
A browser-based method allows recipients to decrypt and read the secure message
Identity Based Encryption – Pull method
① Mail is sent by email client
② Mail matches an encryption policy
③ Encrypted mail is stored on FortiMail in a secure mailbox
④ A notification email is sent to the recipient which includes a web link
⑤ Recipient accesses the embedded URL
⑥ Recipient is registered & authenticated
⑦ Message is displayed through a webmail interface
Identity Based Encryption – Push method
① Mail is sent by email client
② Mail matches an encryption policy
③ Message is encrypted in HTML format
④ A notification is sent to the recipient with the HTML payload as attachment
⑦ Message is displayed through a secure webmail interface
Key properties to answer MSSP objectives