Empowering the MSSP

WHITE PAPER
Part 2: End To End Security Services Ecosystem
WHITE PAPER: EMPOWERING THE MSSP. PART TWO: END-TO-END MSS MICROSYSTEM
Introduction
Responding to Real World Customer Needs
An increasing number of SMBs and enterprises plan to spend more of their budget with Managed Security Service Providers
(MSSP) in the coming years. According to Frost & Sullivan, the overall Managed Security Services (MSS) market is expected
to grow from $9B in 2013 to $15B by 2016. The significant MSSP growth numbers show a clear trend, and there’s a
growing consensus that outsourcing security is a viable option for small, medium and large enterprises.
In our recent white paper, Empowering MSSP: Real World Customer Needs, we have outlined the managed security
services that the SMB / enterprise and the residential / SOHO markets require in terms of delivery modes and MSS, as
summarized in the following table.
Market: SMB / Enterprise
Delivery Mode: CPE, Hybrid, Cloud
MSS Needed: Firewall (incl. Antimalware / IPS / DLP / Application control / Secure fixed & wireless connectivity / Web application FW / Volumetric & application levels DDoS / Advanced Threat Protection (ATP) / SSL & application delivery / Email security
Market: Residential / SOHO
Delivery Mode: Cloud
MSS Needed: “Clean Pipe” (AntiMalware / Application Control / Web Filtering / Parental Control)
These represent a set of unique needs, service requirements and challenges that cannot be fully met with just a Next
Generation Firewall (NGFW) service, as NGFWs are, in general, limited to signature detection and need additional solutions to
provide complete protection against unknown malware and zero-day attacks.
In this solution guide, we will present Fortinet’s end-to-end MSS ecosystem, empowering MSSPs to deliver a wide range of
cost competitive, advanced services to both the SMB / enterprise and residential / SOHO markets.
www.fortinet.com
Fortinet’s Ecosystem for MSSP
Empowering Managed Security Service Providers
“Start with the Firewall as the foundation and expand from there”
Fortinet provides MSSPs a full, end-to-end, security ecosystem, based on the Next Generation Firewall (NGFW) FortiGate.
FortiGate provides the foundation that delivers essential MSS such as firewalling, VPNs, IPS and more. It defines the
perimeter of both enterprise and small and medium businesses and provides the first line of defense.
This strong foundation is further enhanced and fortified with a range of purpose-built solutions to enable the scalable
delivery of a wide range of security services. These solutions include:
- Web Application Firewall (FortiWeb) for web application security
- DDoS Attack Mitigation (FortiDDoS)
- Secure Application Delivery Controller (FortiADC) for SSL and application delivery optimization and security
- Breach detection (FortiSandbox) to isolate malicious code for inspection and increase overall advanced threat protection
- Email Security Gateways (FortiMail) for protecting and mitigating email-borne threats.
In a perfect world all these security measures would be available in a single, high availability, carrier-grade appliance.
However, even with the best hardware available today, the performance impacts of these services put an all-inclusive
“super firewall” years away.
Fortinet’s ecosystem is more than a set of purpose-built solutions complementing a NGFW:
- It is an integrated and intelligent ecosystem that provides security services that are greater than the sum of its
  components, such as FortiMail’s and FortiGate’s integration with FortiSandbox for advanced threat protection.
- Available as either physical or virtual appliances, the ecosystem adapts to the MSSP’s needs in terms of integration
  within its virtual infrastructure, agility (scale out) and performance (scale up).
- It shares a single intelligent “brain”, the FortiOS operating system, that keeps evolving to defend against the changing threat
  landscape and customers’ needs via FortiGuard Labs’ automatic update services.
- It provides a single pane of management for service configuration, enforcement and reporting.
Fortinet’s MSSP Ecosystem Products
FortiGate Next Generation Firewall (NGFW) physical and
virtual appliances provide the core platform upon which
many of the security services are provided: Anti-Virus, Anti-Spam, Anti-Malware, VPN, Web filtering, Application Control,
Intrusion Prevention System (IPS) and more. Powered by
custom ASIC and the FortiOS security operating system,
FortiGate provides unmatched, carrier-grade performance
and MSSP multi-tenant capabilities to enable a wide range
of MSS.
FortiDDoS allows MSSPs to provide application layer DDoS
detection and mitigation for inbound and outbound traffic.
With a 100% custom ASIC and behavior analysis approach,
FortiDDoS’s unmatched performance enables the detection
and mitigation of more DDoS threats, including sophisticated
low-volume application layer attacks.
FortiWeb delivers a service designed to protect web
applications and servers and prevent identity theft, financial
fraud and denial of service while monitoring and enforcing
government regulations, industry best practices, and
internal policies. It provides complete application security
against threats from malicious sources and sophisticated
attacks like SQL injection and Cross-site scripting.
FortiMail is a complete Email Security platform blocking
spam and malware before it can clog the MSSP’s customers’
network and affect users. Its outbound inspection technology
reduces the loss of sensitive information, providing a single
solution to protect against inbound attacks, as well as
outbound threats and data loss.
FortiADC line of hardware and virtual Application Delivery
Controllers allow MSSPs to provide application performance
optimization to their customers via Server Load Balancing,
SSL Offloading (up to 31,000 transactions per sec), HTTP
Compression, Firewall and Link Load Balancing.
FortiAuthenticator User Identity Management works with
existing authentication and SSO systems, empowering
MSSPs to deliver scalable Two-factor Authentication,
RADIUS, LDAP and 802.1X Wireless Authentication,
Certificate management and Single Sign-on for its
customers.
FortiSandbox enables MSSPs to deliver an Advanced Threat
Protection service via identification of highly targeted and
tailored attacks that bypass traditional defenses. Offering a
unique dual-level Sandbox, inspection of all protocols and
functions in one appliance, and optional integration with
the MSSP’s existing FortiGate infrastructure, FortiSandbox
delivers highly effective protection against this emerging
class of threats.
FortiManager & FortiAnalyzer Security management
appliances allow the MSSP to centrally manage any number
of physical and virtual Fortinet appliances. FortiManager
provides the flexibility to logically group devices into
thousands of administrative domains (ADOMs) for better
control of complex network and multi-tenant environments.
FortiAnalyzer Centralized Logging and Reporting Appliances
securely aggregate, analyze, and report on network log
data. The MSSP can analyze and manage a wide range
of data, including security events, network traffic, Web
content, and email, to measure its customers’ security
posture and regulatory compliance.
Secure Wireless LAN is Fortinet’s comprehensive, flexible
end-to-end unified access security solution that incorporates
wireless and wired access, security, authentication,
switching and management to help MSSPs deploy and
protect wireless networks for their SMB and enterprise
customers. The Secure Wireless LAN is anchored in, and
managed by FortiGate, delivering comprehensive threat
management and policy enforcement.
Fortinet’s MSSP Cloud Services
Fortinet provides the FortiPrivateCloud virtual appliance that allows the MSSP to give portal access to its SMB and enterprise
customers to view log events, define, schedule and generate reports, monitor statistics and perform configuration changes
(as permitted by the MSSP). From the MSSP perspective, it provides a SOC portal for status monitoring, new customer
provisioning and troubleshooting.
FortiPresence enables MSSPs to deliver real added value to brick-and-mortar retailers from their secure wireless LAN managed
service and to differentiate themselves from the competition. This service provides retailers with insight into customer traffic,
window conversion and engagement level for each store. Stores belonging to a chain can be compared using performance
indicators like dwell time or loyalty. The solution leverages the MSSP-installed Fortinet Secure Wireless LAN at its customer’s
shops to detect each customer’s presence, location and movements. This information is processed in the cloud and
presented to the retailer or merchant in a simple dashboard format.
FortiPresence, enabled by Fortinet’s Secure Wireless LAN, is the most comprehensive in the industry and provides real
competitive advantage for the MSSP. The service is built in a modular way so that effective MSSP deployment and SMB/enterprise
adaptation are enabled.
MSSP Environment Attributes
For overall TCO and to provide the required Service Level Agreements (SLAs), Fortinet’s ecosystem provides the
appropriate enablers for performance, availability, multi-tenancy and virtualization.
High Availability (HA) allows the MSSP to assure continuous service delivery and is a basic component of its service
offerings and SLA. High availability is provided within the Fortinet ecosystem at multiple levels, from basic power supply
redundancy and dual-appliance failover mechanisms to geographical disaster recovery. The following table outlines the HA
capabilities provided by the Fortinet ecosystem.
High Availability
Fortinet offers multiple levels of HA capabilities in both its physical and virtual appliances to ensure
the MSSP’s continuous service delivery.
Appliance           Power Supplies  Fail-Over (including VM appliance)  Disaster Recovery (including VM appliance)
FortiGate           •               •                                   •
FortiWeb            •               •                                   •
FortiADC            •               •                                   •
FortiMail           •               •                                   •
FortiDDoS           •               •                                   •
FortiSandbox        •               NA                                  NA
FortiAuthenticator  •               •                                   •
Multi-Tenant support allows the MSSP to share its Fortinet ecosystem resources across multiple SMB and enterprise
customers to reduce overall CAPEX and OPEX, increase competitiveness and enhance the Return On Investment (ROI).
Fortinet provides Virtual Domains (VDOMs) and Administrative Domains (ADOMs) to enable service delivery in a multi-tenant
environment.
Multi-Tenant Support
Fortinet appliances can be used as shared or dedicated resources to provide MSS to SMB and
enterprise customers in a multi-tenant environment.
Appliance           Per Appliance Multi Tenant Support
FortiGate           Up to 7,000 SMB and enterprise customers (VDOMs)
FortiWeb            Up to 64 SMB and enterprise customers (ADOMs)
FortiADC            Up to 25 SMB and enterprise customers (VDOMs)
FortiMail           Up to 5,000 SMB and enterprise customers (Email Domains)
FortiDDoS           Up to 8 SMB and enterprise customers (Service Protection Profiles)
FortiSandbox        FortiGate and FortiMail Limits via Integration with FortiSandbox
FortiAuthenticator  Up to 4,000 SMB and enterprise customers (User Groups)
Performance & Scalability are critical to MSSPs, as they are among the most basic enablers of the ability to provide services in
a multi-tenant environment. Fortinet’s product architecture is based on in-house, custom FortiASIC processors to deliver
extremely high performance, ultra-low latency and unmatched scalability. Combined with FortiOS, which provides the
intelligence for the Fortinet security appliances, Fortinet provides MSSPs with an ecosystem that not only enables the delivery
of the widest range of real-world security services, but does so with the appropriate level of performance and scalability so that
security does not become a bottleneck to performance.
Fortinet Security Appliance Performance
Fortinet offers some of the highest performance in the industry to enable MSSPs to provide
high-performance services in a multi-tenant environment.
Appliance
FortiGate
FortiWeb
FortiADC
FortiMail
FortiDDoS
Throughput (max)
Latency
Connections (max)
FW: 1.1Tbps
IPS: 140Gbps
4Gbps (HTTP)
4 μs
3M new connections/sec
290M concurrent sessions
50Gbps (HTTP)
31K SSL transaction/sec
14M messages/hour (simultaneous
AntiVirus & AntiSpam)
24Gbps (full duplex)
NA
15,000 files/hour
FortiSandbox
FortiAuthenticator 40,000 users & FortiTokens
4M simultaneous connections
600K/Sec session setup/teardown
NA
NA
Virtualization is an important aspect of the MSSP’s ability to reduce CAPEX and increase service agility and elasticity.
The main components of Fortinet’s ecosystem are available both as Virtual Machines (VM) and as physical appliances under the
same single pane of management.
Fortinet Virtual Appliances
Fortinet offers many of its products in both hardware and virtual appliance versions. Most products
fully support the major virtualization platforms including VMware, Microsoft Hyper-V, Citrix XenServer
and Amazon Web Services.
Product
FortiGate VM
FortiGate VMX
FortiWeb VM
FortiADC VM
FortiMail VM
FortiAuthenticator VM
FortiManager VM
FortiAnalyzer VM
FortiSandbox
VMware
vSphere
•
•
•
•
•
•
•
•
•
KVM
•
Amazon
AWS
•
Citrix
Xen Server
•
Microsoft
Hyper-V
•
•
•
•
•
•
•
•
Fortinet’s MSSP Ecosystem In Action
Deployment and Delivery
Small and Medium Business / Enterprise Customers
Fortinet’s end-to-end solution provides a single security ecosystem enabling the delivery of the widest range of security
services in a cost-effective and performant fashion so that the MSSP customer’s different requirements can be met with
granular precision and at the appropriate price points to meet both SMB and enterprise needs:
- A complete solution from a single vendor to maximize go-to-market and service delivery, ensure interoperability,
  provide unparalleled performance to ensure full service delivery, simplify overall management and reduce TCO,
- Fortinet’s leadership in network security and its range of FortiGate CPEs empower the MSSP’s CPE and hybrid-based
  security services delivery modes,
- The unmatched performance delivered by Fortinet’s MSSP ecosystem ensures that from SMB to Very Large Enterprises,
  security needs are met with optimal performance, no service quality impact and maximum Quality of Experience,
- The support for a large multi-tenant environment enables the MSSP to maximize the use and ROI of FortiGate’s ecosystem
  without impacting the quality and performance of the delivered services,
- Fortinet’s support of virtual appliances on multiple virtual OS assures agile and flexible, on-demand resource deployment.
Managed Security Services Scope
The SMB/enterprise market includes high profile targets for threats and cyber criminals for their media, financial and other
impact, and is on the front line of an ever-evolving threat landscape. From Malware and DDoS attacks through social engineering
and Advanced Persistent Threats (APT), Fortinet’s MSSP ecosystem provides the widest and most comprehensive range of
services to meet the security and regulatory needs of the most demanding customers, such as:
- Next Generation Firewall (NGFW)
- Application delivery optimization
- Intrusion Prevention System (IPS)
- Data Loss Prevention (DLP)
- Web filtering and application control
- Advanced Threat Protection (ATP)
- Antivirus / Antispyware / Antimalware
- Email security
- IPSec & SSL VPNs
- Single Sign-On & 2-way authentication
- DDoS attack mitigation
- Secure wireless
- Web Application Firewall (WAF)
- Unified Threat Management (UTM)
Security Services On-Demand
Fortinet’s MSSP ecosystem support for multi-tenancy via Virtual Domains (VDOMs) and Administrative Domains (ADOMs)
provides a dynamic and agile on-demand consumption model for security services that can be based on the following:
- For MSSPs that use or are in transition to virtual and hybrid environments, this consumption model can be based
  on a highly agile and elastic architecture, as virtual security appliances can be created on demand based on end user
  purchased services, performance and segmentation requirements.
- MSSPs that are based on existing Fortinet physical appliances can provide the same consumption model whereby
  available resources in existing VDOMs / ADOMs are provisioned on-demand by the customers or new VDOMs and
  ADOMs are dynamically created and torn down based on on-demand purchased services.
- MSSPs have the choice to enable such a consumption model in a hybrid environment where physical and virtual instances
  of Fortinet’s appliances are dynamically provisioned by SMB and enterprise customers. The decision on the resources to
  be utilized and provisioned can be based on financial, operational, regulatory and other considerations.
Delivery Mode
The complexity of SMB and enterprise activities, size, geographical deployment and partner/customer interaction will
require the MSSP to deliver security services in all delivery modes: cloud, hybrid and CPE-based:
- Cloud-based delivery is suited for any service that, for one of several reasons, does not require a physical security
  appliance to be installed in the customer’s premises. With Fortinet’s physical and virtual appliances supporting a wide
  range of virtual OS, performance, agility and elasticity can all be delivered from the MSSP cloud.
- Hybrid-based delivery is required in the following examples:
  - Wireless connectivity and security are provided as part of the service. In this example, a minimum of Fortinet’s wireless
    access points will be installed at the different customer’s premises. These will be managed by the integrated wireless
    controller in the MSSP cloud-based FortiGate to deliver secure wireless connectivity to the SMB/enterprise.
  - MSSPs providing Authentication services via the FortiAuthenticator will provide the SMB/enterprise employees/partners
    with physical FortiToken devices to enforce the two factor authentication service.
  - Regulatory compliance, such as PCI, may lead to local appliances (for example firewalls and Web Application Firewalls)
    installed at the customer premises. These CPEs may also provide, in a single appliance, both wireless connectivity and
    security and the physical firewalling required by these regulatory laws and standards. The financial services sector and
    the retail sector are examples of customers for which PCI regulatory compliance will require a hybrid delivery where some
    services are provided by the local CPEs while the rest of the services and the overall management are cloud-based.
  - CPE-specific capabilities and performance requirements. This type of CPE-based delivery is managed via the MSSP’s
    cloud and may be complemented, if required, by additional cloud-based MSS.
Small Office Home Office / Residential Customers
This market segment is characterized by a very limited budget and a limited set of required security services. The main
advantages of deploying Fortinet’s solution to provide these MSS are:
- The FortiGate solution can meet all the residential / SOHO requirements and the firewall and IPS services required by the SMB
  / enterprise markets to provide a better CAPEX ROI for the MSSP.
- Fortinet’s MSSP solution provides a physical, virtual and hybrid ecosystem that facilitates the delivery of security
  services as an agile and cost-effective cloud service to further reduce the MSSP’s CAPEX and OPEX.
- FortiGate performance can support hundreds of thousands and millions of residential and SOHO MSS subscribers.
Therefore, the deployment of Fortinet’s FortiGate as the service enabler for this market should be considered within the
larger context of a single vendor and ecosystem enabling the MSSP to provide complete and flexible security services to
all market segments while reducing overall CAPEX and OPEX.
Managed Security Services Scope
FortiGate enables MSSPs to deliver flexible packages to residential and SOHO customers. Typically, these would include
(but are not limited to):
- Firewall service to protect against known attacks, viruses and malware
- Web filtering for restricting access to undesired content
- Application control to block malicious and undesired applications
Delivery Mode
Cloud-based delivery is the clear delivery solution to this market segment:
- A limited range of security services can be effectively provided as Security-as-a-Service
- Use of virtualization and the FortiGate virtual appliance provides an agile and cost-effective solution to reduce MSSP CAPEX and OPEX
- Cloud-based delivery facilitates service delivery where the FortiGate appliance serves as the security enforcing point for
  hundreds of thousands to millions of residential and SOHO customers, thus drastically reducing the MSSP’s CAPEX
  and OPEX
Summary
Fortinet’s end-to-end security ecosystem enables MSSPs to build and deliver real-world security services to the SMB/
enterprise and residential/SOHO markets. Its unique attributes empower existing and emerging MSSPs to deliver the widest
range of security services, responding to the needs posed by today’s and tomorrow’s threat landscape: Firewall, AntiVirus,
AntiSpam, AntiMalware, Intrusion Prevention System (IPS), Application Control, Access & Identity Management, Secure
Wireless, Web Application Firewall (WAF), DDoS Protection, Application Delivery, Advanced Threat Protection (ATP), and
more.
To ensure scalability, superior ROI, customer SLAs and overall competitiveness, the Fortinet ecosystem provides
unmatched performance with ultra-low latency in a powerful multi-tenant environment. The wide range of physical and virtual
appliances is tailored to meet the needs of small and large MSSPs in terms of price/performance and MSS delivery modes.
ild and deliver real-world MSS to the residential/SOHO and SMB/enterprise markets. Its unique attributes empower existing
and emerging MSSPs to deliver the widest range of services, while reducing both CAPEX and OPEX to maximize their ROI
while responding to the needs posed by today’s and tomorrow’s threats.
GLOBAL HEADQUARTERS
Fortinet Inc.
899 Kifer Road
Sunnyvale, CA 94086
United States
Tel: +1.408.235.7700
www.fortinet.com/sales
EMEA SALES OFFICE
120 rue Albert Caquot
06560, Sophia Antipolis,
France
Tel: +33.4.8987.0510
APAC SALES OFFICE
300 Beach Road 20-01
The Concourse
Singapore 199555
Tel: +65.6513.3730
LATIN AMERICA SALES OFFICE
Prol. Paseo de la Reforma 115 Int. 702
Col. Lomas de Santa Fe,
C.P. 01219
Del. Alvaro Obregón
México D.F.
Tel: 011-52-(55) 5524-8480
Copyright © 2014 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common
law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance
and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether
express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same
ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable.