FortiAuthenticator User Authentication and Identity Management Copyright Fortinet


Copyright Fortinet Inc. All rights reserved.

FortiAuthenticator Overview
Answering your authentication challenges
Authentication and Authorization: RADIUS, LDAP, 802.1X, RADIUS Proxy
SSO Mobility Agent
Web based login widget
Two-Factor Authentication: FortiToken, physical and mobile; tokenless, via SMS and email
Certificate Management: X.509 Certificate Signing, Certificate Revocation
Remote Device / Unattended Authentication
Fortinet Single Sign-On: Active Directory Agent or agentless; third party systems via RADIUS, Syslog and API Integration
[Diagram labels: FortiAuthenticator, FortiAP, FortiGate, Two-factor Auth, Wireless Auth, User Identity, FSSO]
www.brasiline.com.br

FortiAuthenticator Overview: Features & Benefits
Secure access to your organization's systems and data with identity based policy and two-factor authentication
Control access to your intellectual property
Enable secure remote and guest network access whilst retaining control over security
Allow business to flourish but not to the detriment of security
Reduce the operational burden of local and guest user management
Identify users and apply granular user policy
Integrate with existing user repositories (AD, LDAP)
User lifecycle management workflow
[Diagram labels: User Authentication and Identity Management, Two-factor Authentication, Wireless Authentication, User Identity]

FortiAuthenticator Use Cases: Two-factor Authentication
Enable strong password security across your network and application estate
Secure remote access to critical systems
Reduce operational overheads
Self-service password reset
Integration with existing LDAP and AD databases
Built in lost token workflow
Migration strategy from third-party vendor tokens
[Diagram labels: Username, Token, Password, FortiAuthenticator, LDAP / Active Directory, Protected Devices]

FortiAuthenticator Use Cases: Two-factor Authentication
Flexible range of token formats to suit all deployment requirements

OATH compatible TOTP (time) based tokens (FTK200)
USB certificate tokens (FTK300)
FortiToken Mobile for Android, iOS and Windows Mobile
SMS and Email tokens
Supports any RADIUS capable device
Support for wide range of secure authentication methods
API
Juniper, Cisco, F5, Array, Citrix etc.
Microsoft Windows Domain Login and OWA
[Diagram labels: Physical, Mobile, Tokenless, Certificate (BYOD)]

FortiAuthenticator Use Cases: Two-factor Authentication
FortiToken Mobile:
Supports Android, iOS and Windows Mobile
6 or 8 digit passcode, 30 or 60s refresh
Free install, supports other TOTP & HOTP OATH tokens e.g. Google, Dropbox, Amazon
QR Code Provisioning support
PIN protection enforced from FAC

Perpetual license
Can be reissued if device is lost
Can be reissued if user leaves the organization

FortiAuthenticator Use Cases: Wireless Authentication
Centralized WiFi Authentication
Authenticate users (PEAP, EAP-TTLS) and machines.
Certificate based device authorization (EAP-TLS) for BYOD environments
In open guest or visitor networks, FortiAuthenticator can provide captive portal functions
[Diagram labels: FortiAP, FortiGate, FortiAuthenticator]

FortiAuthenticator Use Cases: Guest Management
User Self-registration
Collection of user details
Option to SMS login details (proof of identity)
Receptionist registration option
Time limited accounts

Delete expired accounts
Support multiple locations
Coming soon: Facebook, Google, LinkedIn, Twitter login
[Diagram labels: FortiAP, FortiGate]

FortiAuthenticator Use Cases: Fortinet Single Sign-On
Identify users and apply identity based security policy
FortiAuthenticator transparent user identification collects and embellishes user identity information
Allows FortiGate, FortiMail and FortiCache devices to apply appropriate policy based on user identity and role
Granular control of network and application access
Define who can access what and when
[Diagram labels: Staff, Admin, Corporate Resources, Guest, Guest Access]

FortiAuthenticator Use Cases: Fortinet Single Sign-On

Transparent User Identity
Active Directory Polling
Kerberos with NTLM Fallback
TS and AD Collector Agents
AD & Windows
FortiClient SSO Mobility Agent
Login Portal & Widgets
REST API
Syslog
RADIUS Accounting Records
Generic Sources
[Diagram labels: FortiAuthenticator, FortiGate]

FortiAuthenticator Use Cases: Certificate Authority

Simplifies the task of certificate management
Issue certificates for multiple uses:
X VPN Authentication
Wireless 802.1X (PEAP, EAP)
Windows Desktop Authentication
Compatible with FTK300 USB PKI Certificate Store
[Diagram label: REVOKED]

FortiAuthenticator Use Cases: Certificate Based VPN
Strengthen and simplify VPN security
Certificate based VPN enhances traditional pre shared keys with second factor
Revoke certificates if device is lost (OCSP)
Zero touch certificate distribution (SCEP)
Integration with FortiManager to simplify deployment

FortiAuthenticator Use Cases: RADIUS Accounting Proxy
Integrates Carrier/ISP networks with Fortinet RADIUS Single Sign-on
Minimises changes needed to critical business systems
Takes the additional load by duplicating RADIUS Packets
RSSO used to apply Identity Policy for FortiGate, FortiMail and FortiCache
[Diagram labels: Carrier / ISP RADIUS Server, RADIUS Accounting]

FortiAuthenticator Use Cases: High Availability and Scalability
Active-Passive High Availability
Local sync with failover
Supports all features
Active-Active Config Sync
Geographic distribution
Load balance across devices (scalability)
Supports authentication feature sync (not FSSO)
Can be combined with Active Passive HA (A-P Master, standalone slaves)

Case Studies

Case Study: Medium Enterprise Identity Management
Organization and Challenge
Online retail organization with mobile workforce and widespread BYOD adoption.
Incumbent Cisco wireless network, customer thought Cisco was the only option for gateway Identity Policy
Who We Beat
Cisco
Cisco tried to claim that the only way to perform Identity Based Firewalling was using their own ISE and ASA. FortiAuthenticator proved this wrong and has kept Fortinet in the running for the Wifi refresh
Why We Won
Ability to consume user identity from Cisco wireless network (via RADIUS Accounting)
Fully inclusive guest management and registration features
What They Bought
2x FortiAuthenticator 200D (HA)
2x FortiGate 600C (HA)
Multiple user groups / domains
Still in the game for Wifi refresh
[Diagram labels: Remote Workers, FortiGate, Guests, WAN, FortiAuthenticator]

Case Study: Local Government Identity Management
Organization and Challenge

Regional govt. requiring transparent identity aware firewalling
5,000 users with granular permissions across 3 domain controllers, 2 domains
Who We Beat
Juniper, CheckPoint, SonicWall
FAC gathers user identity and forwards to FGT
Why We Won
Multiple identity detection methods
AD Polling combined with RADIUS (VPN) and guest portal
Fully inclusive guest management and registration features
What They Bought
2x FortiAuthenticator 1000D (HA)
2x FortiGate 1000D (HA)
Multiple user groups / domains
[Diagram labels: Remote Workers, FortiGate, Guests, WAN, FortiAuthenticator]

Case Study: Enterprise Identity Management
Organization and Challenge
Multinational enterprise with 3 Datacenters, 90 branches and 17,000 users throughout the world.
Mobile workforce means users could be on any site.
Who We Beat
PaloAlto, Juniper
Why We Won
FAC gathers user identity and selectively forwards identity to relevant FGT
Performance and scalability of user identity detection
Selective distribution of login events to local site and core
What They Bought
3 x FortiAuthenticator 3000D
9 x FortiGate 3600C
90 x FortiGate 110C
[Diagram labels: 3 Datacenters, FortiGate Clusters, WAN, FortiAuthenticator, Active Directory, 90 Remote Sites]

Case Study: Enterprise Two-Factor Auth
[Diagram label: Multiple Datacenters]

Organization and Challenge
Enterprise organization requiring secure multi-factor authorization for heterogeneous range of devices
Integration with existing LDAP/AD infrastructure
Who We Beat
RSA, Safenet
Why We Won
Secure provisioning strategy (CD)
Physical and Soft token support
Support for wide range of client devices and Windows Desktop login
What They Bought
2 x FortiAuthenticator 400C
100 x FortiToken 200
500 x FortiToken Mobile
[Diagram labels: FortiAuthenticator, Internet, Home Workers, Network Operations Center]

FortiAuthenticator Ordering Information

FortiAuthenticator 200D
Small / Mid Enterprise Deployments

Support up to 500 users
HDD 1 x 1TB
4 x 10/100/1000
Rack Mountable, 1U
Single AC PSU

FortiAuthenticator 400C
Mid Enterprise Deployments
Support up to 2,000 users
HDD 1 x 1TB
4 x 10/100/1000
Rack Mountable, 1U
Single AC PSU

FortiAuthenticator 1000D
Large Enterprise/Service Provider Deployments
Support up to 10,000 users
HDD 2 x 2TB
4 x 10/100/1000
2 x SFP
Rack Mountable, 2U
Dual AC PSU

FortiAuthenticator 3000D
Large Enterprise/Service Provider Deployments
Support up to 40,000 users
HDD 2 x 2TB
4 x 10/100/1000
2 x SFP
Rack Mountable, 2U
Dual AC PSU

FortiAuthenticator VM
All Sized Deployments from SME to Service Provider Deployments
From 100 to 1M+ users
Unlimited CPU
Unlimited RAM
**Fully Stackable User Licensing**

Competitive

FortiAuthenticator vs FortiGate Feature Comparison
Area, Feature, FortiGate, FortiAuthenticator
Auth: Two-factor Auth w. FortiToken
Auth: Multiple FortiGate per token
Auth: Support third party vendors
Auth: User password reset
Auth: User self registration
Auth: Support multiple realms
FSSO: AD Polling
FSSO: DC & TS Agent
FSSO: Kerberos
FSSO: RADIUS Accounting (FSSO) (RSSO) (Both)
FSSO: Syslog

Competitive Landscape
[Diagram labels: Two-factor Auth, Wireless Auth, FortiAuthenticator, User Identity]

Feature Comparison User Identity Feature FortiAuth PaloAlto User-ID Cisco Identity Services Engine Juniper Pulse UAC * Checkpoint Identity Awareness Blade Identity DC Polling Microsoft Windows Environments DC Agent

Terminal Services Agent Kerberos Microsoft Exchange

Identity Endpoint Agent Non-Microsoft Windows Environments Captive Portal Embeddable Widgets

SYSLOG Open API (IF-MAP) RADIUS Accounting LDAP/AD

Local override Authorization
* Note that the Pulse Product line is now owned and supported by Pulse Secure

Feature Comparison Two Factor Auth
Feature Type Feature FortiAuth Safenet RSA Deployment Appliance

Software Virtual Machine Cloud Physical Token (Time) (Event) (USB Cert) (Time) (Event) (USB Cert) Mobile Token

Desktop Token (Mac) (Win) (Mac) (Win) (Mac) (Win) Tokenless SMS Email SMS Email GrIDsure SMS Email Tokens Agents User Self Service (iOS) (Android) (WinMo) (BB)

(iOS) (Android) (WinMo) (BB) Windows Domain 2FA Outlook Web Access 2FA Roadmap Sharepoint Integration (iOS) (Android) (WinMo) (BB) (Time) Auth Methods

RADIUS LDAP SAML API RADIUS LDAP SAML API External User repositories Local AD LDAP RADIUS AD LDAP RADIUS MSSQL AD LDAP (Oracle only) Vasco
