FortiMail Email Security Appliances - Roberto Naretto Senior IT Security Eng - Passport by Exclusive
FortiMail Overview – Summary
Trusted Solution: FortiMail e-mail and messaging security; Fortinet email security solutions trusted by over 50,000 customers
• Industry leading price/performance
• Flexible deployment modes and architectures support the widest range of organizations
• Multi-layer threat detection delivers highest level of user protection
• Scalable solution delivers long term investment protection
• Data Leak Prevention, and Policy Based Encryption and Archiving enable compliance with SOX, GLBA, HIPAA, PCI DSS
• Independent Validation
• FortiGuard Threat Research and Response Network

The FortiMail Family
Physical Appliances, each shown on the slide next to a Virtual Appliance; prices are marked (BDL) on the slide.
• FortiMail-200D – Small Deployments – recommended for up to 500 users – 1 x 1TB HD – €4.5k; VM01 – 1 x vCPU – €1.9k
• FortiMail-400C – Mid-Enterprise – recommended for up to 3,000 users – 2 x 1TB HD – Software RAID support; VM02 – 2 x vCPU. The two prices shown for this pair are €7.4k and €8k.
• FortiMail-1000D – Mid-Enterprise – recommended for up to 5,000 users – 2 x 2TB HD (additional 2 x 2TB optional) – Hardware RAID support – €25k; VM04 – 4 x vCPU – €20k
• FortiMail-3000D – Large-Enterprise and Carrier/Service Provider – recommended for up to 10,000 users – 2 x 2TB HD (additional 6 x 2TB optional) – Hardware RAID support – €40k; VM08 – 8 x vCPU – €84k
• FortiMail-5002B – Carrier/Service Provider Deployments – ATCA chassis form factor – 2 x 900GB HD – €90k
Supported Hypervisors: VMWare, Hyper-V (Q2 2014)
Deploying FortiMail – Deployment Options
• Gateway: deploy on-site or in the cloud to relay mail to destination
• Transparent: inline; network and application transparent
• Server: full email server at no extra cost; full mail server and groupware functionality

Advanced layered Spam and Anti-Malware Protection
• Multi layer Protection based on:
– Local filters
– Central FortiGuard Database
Filters shown on the slide: Global Spam Content Database; Greylisting; Global FortiGuard IP Reputation; SMTP flow limiting; Mail Content URL Filtering (Adult, SPAM, Malware URLs); Global FortiGuard Botnet Database; SMTP syntax verification; Virus/Malware/APT detection; SMTP error control; Newsletter Detection; Local Dynamic Sender Reputation; SPF/DKIM verification; Image Spam detection; Antispoofing verification; Black/White lists; Dynamic Heuristic Detection; Recipient address check; Dictionary content filter; Header Analysis; Bayesian Filtering
Advanced Spam and Anti-Malware Protection – FortiGuard Threat Research
• Security experts working for you 24x7!
• Cloud based antispam and antimalware service
• Visibility of millions of messages per day with global feedback
• Discovers zero day threats and tracks global botnets
www.fortiguard.com

Advanced Spam and Anti-Malware Protection – Industry Leading Catch Rate
Industry validated solution:
• ICSA Certified Anti-Spam and Anti-Virus
• 27 VB100 Awards
• 21 VB Spam Awards with 99.86% catch rate*
• Common Criteria EAL2+ certified for Government use
* http://www.virusbtn.com/ May 2012 VB Spam Report

Advanced Multi layered Malware Protection
• FortiGuard Antivirus
– Award winning, independently verified AV
• Malicious URL Filtering
– Detect and block malicious URLs
• Advanced Persistent Threat Detection
– Real-time local sandbox provides on-box behavioural analysis
– FortiSandbox integration for in-depth APT analysis
• Provides APT mitigation with file blocking and quarantining
Advanced Spam and Anti-Malware Protection – Layered Spam Detection
Connection Level Filtering: discard spam as early as possible for greatest performance
• Global FortiGuard IP Reputation
• FortiGuard Botnet Tracking Database
• Dynamic Sender Reputation
• Connection Rate Limiting

Advanced Spam and Anti-Malware Protection – Layered Spam Detection
Header Filtering: verify valid destination; support for latest RFCs
• Recipient verification
• RFC Compliancy
• SMTP Error Rate Control
• Sender White / Black Lists
• DHA Protection
• SPF/DKIM Support
• Greylisting

Advanced Spam and Anti-Malware Protection – Layered Spam Detection
Full Content Filtering: multiple detection methods
• FortiGuard Spam DB
• Heuristic Detection
• Bayesian Filtering
• Newsletter Detection
• Anti-Malware Detection
• Web Content Filtering

FortiMail differentiators
• All in one – get much more than AV/AS
– Embedded IBE encryption at no additional licence cost
  • Deliver encrypted email to recipients without plugin requirement
  • Lower Capex (no dedicated HW, no additional cost/licence)
  • Lower Opex (no user management)
– Embedded archiving
  • Generic compliance policy, investigation against an individual, maintain copy of communication to key accounts
  • Lower Capex (no dedicated HW, no additional cost/licence)
– Embedded quarantine with large disk space
• High availability
– Synchronize email: mail queues, mail quarantine
  • Transparent failover (better user experience & no loss of data)
  • Remove requirement for central quarantine (simplified deployment, lower Capex)
SpamReport e-Mail Notification
Deploying FortiMail – MSSP Ready Solution
Mail Security Service Provider in a box!
MSSP Service Framework
• FortiMail White Labelling
• Multi Domain support with per domain quotas
• Mass provisioning for lower OPEX
• Delegated administration
• User self service
Deployment Mode – Gateway/Relay
Gateway mode deployment
(Diagram labels: Internet; incoming mail; outgoing mail; internal mail server)
• FortiMail is deployed as a mail relay/gateway on a firewall DMZ
• Gateway mode means:
– FortiMail is the destination IP for mail traffic
– It then delivers filtered email to the destination mail server
• Main market:
– CPE deployment: SMB to large Enterprise (onsite deployment)
– Cloud-based deployment: MSSP

GW mode – SMB, Enterprise – Highlights
• Main project requirement
– Antispam and antimalware to protect staff/network
– Optionally: DLP, encryption and archiving
  • To protect against loss of data
  • To attain compliance (HIPAA, SOX, PCI, GLBA)
• Typical deployment: GW mode
• Why Fortinet?
– Cost effective, non-per seat licensing
– Fully inclusive features with no additional licensing costs
Enterprise protection at a competitive price point

GW mode – Mobile Operator case
(Diagram labels: MMS communications with external networks; mobile 3G; Internet; MM3 (SMTP); MTA; other mobile operator MMS server; MMS server)
• MMSC is critical
• MMSC is connected to public networks:
– Internet
– Other Mobile Operators

GW mode – Enterprise case
(Diagram labels: SMTP communications with external networks; mobile 3G/WiFi; Internet; SMTP MTA; SMTP server)

GW mode – Mobile Operator – Highlights
• Typical Requirement
– Protect the MMS Center from external threats
– Protect the MMSC from overload with rate limiting (New Year's Eve / Christmas)
– Queue MMS in case of MMSC unavailability
  • MMS generate revenue and cannot be lost
• Typical deployment: GW mode
• Why Fortinet
– Extremely high performance MTA
– Extremely high queueing capabilities
– Advanced routing and ACL capabilities
– Cost effective, no seat licensing
Deployment Mode – Transparent
Transparent mode – ISP case
(Diagram labels: ISP network; PBR redirection; Internet; destination mail server)
• FortiMail intercepts mail going out of the ISP network
– Even though the destination is elsewhere on the internet
– Thanks to transparent proxying and Policy Based Routing (PBR)
• Market
– ISP
– Prevent IP blacklisting by filtering outbound spam

Transparent mode – ISP case
(Diagram labels: ISP network; blacklisted IP cannot send mail; Internet; mail server)
• Subscriber hosts (3/4G, ADSL, etc.) are controlled by botnets and send spam
• The source IP of a spam flow is identified and blacklisted by DNSBLs
• Mail servers query DNSBLs before accepting mail
– Reject the connection if the originating IP is a listed spamming IP
• Above a certain % of spamming IPs, DNSBLs blacklist:
– The full subnet or the full ISP range (= ASN)

IP BlackListing and Subscriber impact
• Subscribers using a blacklisted IP cannot send mail
– Service denied
• Who is impacted?
– The infected subscriber trying to send legitimate email
– A clean subscriber who dynamically receives a blacklisted IP
– All subscribers within a blacklisted subnet
– All subscribers sharing the same blacklisted public IP (NAT)
– All subscribers connected on a blacklisted Autonomous System
  • Autonomous System: the collection of the ISP subnets
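The DNSBL mechanics the two slides above describe (reversed-octet lookup, a 127.0.0.x answer meaning "listed", and escalation from single IPs to a whole range once enough of it is listed), as an added Python example that is not part of the original deck or Fortinet's code; the zone name, return codes and 25% threshold are constructed placeholders, and the sample IPs come from TEST-NET-1.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Placeholder zone constructed for this example; real DNSBLs publish their own.
DNSBL_ZONE = "dnsbl.example.invalid"
Resolver = Callable[[str], Optional[str]]  # query name -> A record, or None on NXDOMAIN

def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Reverse the client IP's octets and append the zone: 192.0.2.5 -> 5.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip: str, resolve: Resolver, zone: str = DNSBL_ZONE) -> bool:
    """Listed IPs answer with an A record inside 127.0.0.0/8; NXDOMAIN (None) means clean."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")

def system_resolver(name: str) -> Optional[str]:
    """Live lookup through the OS resolver (needs network); NXDOMAIN becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def fake_resolver(listed: Dict[str, str], zone: str = DNSBL_ZONE) -> Resolver:
    """Offline stand-in: maps the query names of the given listed IPs to their return codes."""
    table = {dnsbl_query_name(ip, zone): code for ip, code in listed.items()}
    return lambda name: table.get(name)

def listed_ratio(subnet: str, resolve: Resolver) -> float:
    """Share of a subnet's host addresses that are listed; the slides say this drives escalation."""
    hosts = list(ipaddress.IPv4Network(subnet).hosts())
    return sum(is_listed(str(h), resolve) for h in hosts) / len(hosts)

def range_at_risk(subnet: str, resolve: Resolver, threshold: float = 0.25) -> bool:
    """True once the listed share reaches the threshold (constructed; lists keep theirs private)."""
    return listed_ratio(subnet, resolve) >= threshold

# Constructed sample: two infected subscribers in TEST-NET-1 (192.0.2.0/24).
SAMPLE_LISTED = {"192.0.2.2": "127.0.0.2", "192.0.2.5": "127.0.0.4"}

if __name__ == "__main__":
    r = fake_resolver(SAMPLE_LISTED)
    for net in ("192.0.2.0/29", "192.0.2.0/28"):
        print(net, f"listed share={listed_ratio(net, r):.2f}", "at risk" if range_at_risk(net, r) else "ok")
```

Swap `fake_resolver(...)` for `system_resolver` and a real zone name to check an outbound MTA's own addresses before customers report bounces.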
ISP impact
• Direct cost
– Recurring cost to remove listed IP
• Reputation cost
– Subscriber dissatisfaction
– Poor quality of service
– Subscribers not renewing
• Operation cost
– Subscriber calls to helpdesk
– Collect listed IPs
– Contact DNSBL services
– Justify registration end
• Network cost
– Traffic spikes during spam campaigns, DDoS attacks, etc.
– Bandwidth, RAM, CPU

Transparent mode – FortiMail key differentiators
• No impact for subscribers
– Does not require any modification of user settings
• Unique level of transparency: from L3 to L7
– Higher resistance to blacklisting
  • I.e. FortiMail does not expose its own IP address
– Unique design to avoid mail queuing if the destination MTA is not available
• Unique outbound filtering techniques
– Purpose built filters
– Subscriber reputation and blacklisting
– Dynamically scores subscribers and blocks bot computers
• Reports and statistics based on subscriber IDs
– Based on subscriber unique identifier and not just IP addresses
  • Top senders, top spam senders, top virus senders, list of bot computers, etc.

Transparent mode – ISP – Highlights
• Requirement
– Outbound spam filtering to prevent blacklisting of IP ranges and customer dissatisfaction
• Typical deployment: transparent mode
• Why Fortinet?
– Unique transparent proxy implementation
– Efficiency of the dedicated outbound filters
  • Usually demonstrated during live POC
– High performance MTA, scalable to millions of emails per hour
– Cost effective, non-per seat licensing
Deployment Mode – Server
Server mode deployment
(Diagram labels: Internet; incoming mail; outgoing mail; POP3, IMAP; webmail; calendar; mail server)
• FortiMail acts as a full blown email server
– + the same filtering services as GW mode
– Groupware functionalities
  • Address books
  • Calendar hosting
• FortiMail can be hosted locally or in a datacenter and shared amongst multiple companies/domains
• Email migration from existing solutions available

Server mode – Market
• Small business
– Corporate mailboxes
• Enterprise and Carriers
– Business applications communicate together by mail
– Dedicated mail servers are required for security reasons
  • I.e. mailboxes used as a repository for messages coming from web forms (lottery)
• ISPs
– Scalable free mailboxes for Internet subscribers (user@serviceprovider.com)

Server mode – Highlights
• Typical requirement
– Mail server with AV/AS filtering capabilities
– Ease of management
• Typical deployment: server mode
• Why Fortinet?
– All in one: regular mailbox, filtering services, quarantine mailbox
– Simple management
– Lower TCO than other vendors or cloud-based mailboxes
  • Low capex and opex
  • No user based licence – most providers licence per seat

Server mode – 5.0 New features
• File upload enhancements
• Address Book access through LDAP
• Calendar sharing (iCalendar)
• Resource allocation/booking
• Exchange migration tool

Server mode – Address Book 5.0
• Webmail only
• Personal Address Book
• Domain Address Book
• Global Address Book

Server mode – Calendar Sharing
• Two types of calendar
− Local calendars: stored on my computer
− Online calendars: stored on a server (FortiMail, Gmail)
• FortiMail Calendars
– Supported standard formats and protocols
  ▪ iCalendar (RFC 2445)
  ▪ HTTP (RFC 2616)
  ▪ WebDAV (RFC 4918)
  ▪ CalDAV (RFC 4791)

Server mode – View Shared Calendar (HTTP)
• The calendar is now visible to others using Outlook/Thunderbird Calendar

Server mode – Mobile clients support
• FortiMail Server is compatible with most Smartphones and Tablets
• iPhone iOS and Android both support standard protocols and formats for Mail, Calendar and Address Book
iOS / Android:
– Mail: SMTP/POP3/IMAP
– Calendar Sync: CalDAV (apps available)
– Address book: LDAP (apps available)

Server mode – Migration Tools 5.0
• Global setting on CLI to turn on/off the email migration feature:
    config system global
        set email-migration-status enable
    end
• User migration – how to collect username & password:
− If the list of usernames & passwords is available in plain text: list import
− Else, username & password are collected via webmail login or SMTP client login
  ▪ An authentication profile is defined in a recipient based policy
  ▪ FortiMail authenticates with the external server (SMTP, LDAP, IMAP, or POP3) and collects user name and password
• Mail data migration
− After collecting, migration can start for part or all users
− FML acts as an IMAP client to log in to the remote mail server through IMAP or IMAPS on each user's behalf, and retrieve mail data
− The remote mail server is configurable under "Mail migration settings" within each domain.
Q&A June 25, 2014
FAQ 1
Q: Are there evaluation VMs, and how do they work?
A: Every Fortinet VM has a built-in 15-day trial period with limited functionality (a limit on the number of policies and profiles that can be created). By filling in a dedicated form, it is possible to request from Fortinet, through our sales organisation, a 30-day full-featured evaluation, so that the updated UTM features can be tested as well.

FAQ 2
Q: How does the FML-VM price list work?
A: FortiMail-VM is software, a "virtual appliance" designed for virtualization platforms. FortiMail-VM unit (1-year contract prices):
– FortiMail-VM01 (FORFML-VM01) – 1 x vCPU core – €1,921
– FORFC-10-0VM01-965-02-DD – 8x5 Bundle Renewal – €570
– FORFC-10-0VM01-966-02-DD – 24x7 Bundle Renewal – €844
– FORFC-10-0VM01-100-02-DD – Advanced Threat Protection Services (AV, Sandbox, Botnet Blacklist) – €427
– FORFC-10-0VM01-114-02-DD – AS Service – €308
– FORFC-10-0VM01-851-02-DD – 8x5 Enhanced FortiCare – €257
– FORFC-10-0VM01-248-02-DD – 24x7 Comprehensive FortiCare – €427
Bundle (includes FortiCare + AntiVirus + AntiSpam). Virtual Appliance (equivalent to purchasing the hardware in the physical appliances).

FAQ 3
Q: What is FortiCare for in the VMs?
A: FortiCare not only covers hardware replacement (useful only with hardware appliances) but also gives access to firmware upgrades to keep the system up to date, and to technical support from Fortinet through the dedicated ticketing platform (8x5) or by phone (24x7). Support is provided by Fortinet in English and French.

FAQ 4
Q: Is HA possible with FortiMail?
A: Yes, FortiMail supports HA in Active-Passive mode. As with HSRP, three IPs need to be provisioned (one per unit plus an additional IP for the cluster).

FAQ 5
Q: Which firmware release is recommended today?
A:
– 5.0.6 in Gateway and Transparent mode, because it guarantees the highest reliability on the 5.0 versions.
– 5.1.3 in Server mode, so that we can take advantage of the very latest features introduced in FortiOS 5 for FortiMail.
FAQ 6
Q: One of the first slides referred to comparative tests; from which links can they be downloaded?
A:
1) Virus Bulletin (https://www.virusbtn.com): access to the information is paid; the report is in any case the one shown on slide 8.
2) SC Magazine (http://www.scmagazine.com/fortinet-fortimail-200d/review/3997/)

FAQ 7
Q: Can you repeat the average spam catch-rate and false-positive values measured in 2014 by Virus Bulletin?
A: Spam Catch Rate 99.93%; False Positives Rate 0.02% (1 in every 5,000 e-mails analysed)

FAQ 8
Q: Can you repeat where we can find the recordings of the various Sidin presentations?
A: You will find the recording of this and other events in the www.sidin.it portal, in the Fortinet Brand Zone, "Video Formazione" (video training) section, or by clicking this link after authenticating on the www.sidin.it portal: http://www.sidin.it/priv/marchi/Fortinet/VideoFormazione.html

THANK YOU
e-Mail: r.naretto@sidin.it
Skype: r.naretto.sidin
Mob.: 011.2747.685