Simplifying Wi-Fi and your Deployment Options · 2018-02-03 · from network security, Fortinet...


© Copyright Fortinet Inc. All rights reserved.

Simplifying Wi-Fi and your Deployment Options

November 2016

Perry Correll Fortinet, Dir. Product Marketing - Wireless


What Does This Say About Wi-Fi?


Agenda

• Current State of Wi-Fi Today

• Understanding the Technology

• Fortinet’s Secure Access Solution

• Summary

• Q&A


The Need for Wi-Fi is Growing, Everywhere


State of Today’s Wi-Fi

SOURCE: Cisco VNI Mobile, Dell’Oro Group, Wireless LAN Report Five Year Forecast 2014-2018, Gartner, Gartner Strategy Analytics, Morgan Stanley Research

• The average smartphone will generate 4GB of traffic per month by 2019

• 84% of users say that bad Wi-Fi has kept them from doing their job

• 76% of users think Public Wi-Fi is not secure; 62% still use it

• 6.5M new Wi-Fi devices ship every day

• Globally, mobile data traffic will reach 24.3 Exabytes per month by 2019

• 25B connected things by 2020

Understanding Wi-Fi Technology


Wi-Fi’s Rapid Technology Evolution

• Every 2-3 years there is a new evolution of 802.11

• New technology is focused in the 5GHz band


Wi-Fi’s Available Spectrum


Wi-Fi’s Data Rate Growth

Year    Band     Technology         Data Rate
1997    2.4GHz   11                 2Mbps
1999    2.4GHz   11b                11Mbps
1999    5GHz     11a                54Mbps
2004    2.4GHz   11g                54Mbps
2007    2.4GHz   11n 2x2            300Mbps
2007    5GHz     11n 2x2            300Mbps
2011    2.4GHz   11n 3x3            450Mbps
2011    5GHz     11n 3x3            450Mbps
2013    5GHz     11ac 3x3 Wave 1    1.3Gbps
2015    5GHz     11ac 4x4 Wave 2    3.47Gbps
~2019            11ax               ~30Gbps

Wi-Fi Client Evolution

Model                      Released    Wi-Fi Mode   2.4GHz   5GHz   Antennas   Max Rate
iPhone                     June 2007   11g          ✔               1          54 Mbps
iPhone 3G                  July 2008   11g          ✔               1          54 Mbps
iPhone 3GS                 June 2009   11g          ✔               1          54 Mbps
iPhone 4                   June 2010   11n          ✔               1          65 Mbps
iPhone 4S                  Oct 2011    11n          ✔               1          65 Mbps
iPhone 5                   Sept 2012   11n          ✔        ✔      1          150 Mbps
iPhone 5S / 5C             Sept 2013   11n          ✔        ✔      1          150 Mbps
iPhone 6 / 6 Plus          Sept 2014   11ac         ✔        ✔      1          433 Mbps
iPhone 6S / 6S Plus / 7    Sept 2015   11ac         ✔        ✔      2          866 Mbps

The Reality of your Wi-Fi network

[Figure: diagram with a legend for 2.4GHz, 5GHz, and 2.4G and 5G]

Wi-Fi’s Evolving Use Case

2010 – Traditional Wi-Fi

• Secondary network

• < 1 device per user

• Design for Laptops & coverage

• Designed for Access

• 2.4GHz centric

• Application focus – Web & Email

- I can Connect, so it works

2016 – Performance Wi-Fi

• Primary network

• 3+ devices per user (IoT)

• Design for handhelds & Performance

• Must design for Secure Access

• 5GHz and 2.4GHz - both required

• Application focus – Anything (real-time)

- If I can’t do what's needed, it’s broken!

Fortinet Secure Access Solution


Networks are Vulnerable

Recent data breaches point to network weaknesses

US FAA cites In-flight wireless entertainment systems open to cyberattacks.

» GAO-15-370 Report to Air Traffic Control Report

Hackers breach Wi-Fi to keylog targeted executives’ devices – specifically those in the defense industry.

» Darkhotel hackers zero day hack

Large loss of credit-card data was brought about because of lax wireless LAN security.

» TJ Maxx security breach

Recent survey of 1490 respondents points to WLAN as the Most Vulnerable IT infrastructure

» 49% cite Wireless as ‘Most Vulnerable’

» 13% Totally Open - not using passwords for guest access

» Wireless Security Survey 2015

             Endpoint   Core network infrastructure   Wireless   Databases   Applications   Storage   Email
Worldwide    45%        29%                           49%        25%         17%            11%       25%
Americas     43%        28%                           50%        27%         17%            12%       23%
EMEA         47%        27%                           52%        22%         17%            10%       24%
APAC         43%        31%                           44%        25%         18%            10%       29%

Source: Fortinet Security Census 2015, 1490 respondents

WLAN Ranked as the Most Vulnerable IT infrastructure


CIOs Know it Too


Wi-Fi Isn’t Enough, Security is Required

Gartner 2016 Magic Quadrant for Unified Threat Management

Gartner 2016 Magic Quadrant for Wired and Wireless LAN

Security (NGFW/UTM)

Access (Enterprise)

Security and Enterprise Access Combined

Need More Speed

Migration to 802.11ac

Device Growth

Seamless Unified Experience

Application Growth

Move to wireless

Including IoT

Unified Network Operations

Fortinet Secure Access

Architectural Choices

Access Choices

Clients


Secure Access: Enterprise Campus HQ

Solution Overview

Distributing the FortiGate Controllers throughout the network/campus improves capacity scaling for high-density, high performance and high capacity, especially as you migrate to 802.11ac.

This design also distributes the WLAN and security processing load across the multiple resources.

AP traffic is tunneled to the nearest controller, and optionally may be dual homed to allow failover to a second controller for resiliency.

Secure Access: Enterprise Edge Gateway

Solution Overview

Smaller environments can use a single FortiGate for WLAN management as well as to secure your network at the edge.

In this deployment model, each FortiAP uses CAPWAP tunnels to connect to a FortiGate for policy processing and forwarding.

The FortiGate Firewall function provides protection from network threats, whether they originate from the Internet or from wireless devices.

Secure Access: Distributed Enterprise

Solution Overview

The Distributed Enterprise will vary significantly in size and scope, so the Fortinet Secure Access solution offers multiple deployment options, several identified here.

Using a FortiGate, acting as a wireless controller and security gateway and connecting to the remote sites.

Some sites may consist of just FortiAPs, tunneled back to the HQ for WLAN policy enforcement and security.

To reduce the traffic load heading to your HQ or data center, an onsite FortiGate can be deployed and configured to handle policy enforcement and security locally.

Secure Access: SOHO with Centralized Control

Solution Overview

Another deployment model is the centralization of one or more FortiGates in your data center to support the aggregation of many APs deployed in remote locations that do not have a local FortiGate.

In this model the remote FortiAPs connect back to the FortiGate cluster via a CAPWAP tunnel over the internet and appear to the controller like any other connected AP.

Secure Access: Small Branch

Solution Overview

Small branches, retail or SMB models are also supported, and in these deployments it is typically not necessary to deploy a FortiGate onsite.

One or more FortiAPs can be installed independently. Each AP discovers its remote controller and sets up a CAPWAP tunnel to it. The traffic passes over the tunnel and terminates on the FortiGate for security processing and forwarding.

However, the use of split tunneling or bridge mode allows traffic destined for the local LAN to stay local rather than hairpin through the remote FortiGate.

Secure Access: Campus/Enterprise

Solution Overview

When customers prefer to separate the management of the network access layer from network security, Fortinet addresses this with our FortiWLC controller solution.

In this case you would also distribute the WLAN controllers at the access layer, providing support for the highest density.

This model improves capacity scaling, especially as you migrate to 802.11ac, and spreads the WLAN processing load. AP traffic is tunneled to the nearest controller.

The addition of a FortiGate, with SSID traffic mapped through it, will complete the Secure Access Solution.

Secure Access: Enterprise Edge Gateway

Solution Overview

Smaller environments can be managed by a single controller, and all AP traffic will be tunneled back for policy processing and forwarding.

For security, SSIDs are mapped to different VLANs in the standalone FortiGate, then subjected to your defined security inspection policies.

Once again the FortiGate will provide protection from the wireless edge as well as the Internet.

Secure Access: Large Branch

Solution Overview

Large branches require just as robust a WLAN solution as the Enterprise. In this model you can use a FortiWLC, with a FortiGate to provide complete threat protection at all sites.

SSIDs are mapped locally to VLANs on the FortiGate to provide security for all traffic, regardless of its destination.

Distributing processing at the branches improves performance and reduces the volume of traffic forwarded to HQ by keeping local traffic local.

Secure Access: Small Branch

Solution Overview

In small branch office or home office deployments, an on-site FortiWLC may be cost-prohibitive. Yet you still want to secure Internet traffic.

In this case, APs can be installed without a local controller, allowing non-local traffic to be tunneled back to your HQ, where the controllers reside.

Traffic should then be forwarded to your centralized FortiGate for security processing before it is forwarded to the Internet, and vice versa.

Secure Access: Cloud Managed

Solution Overview

FortiCloud provides provisioning, configuration and analytics, designed to enable simple and rapid deployment of a fully managed wireless network.

Via a single dashboard for managing the WLAN and security for the entire network, it offers unlimited network scalability with all the benefits of centralized management, and avoids the cost of controller and management gear.

The FortiAP-S series APs include FortiCloud registration functionality in their firmware, which enables zero-touch provisioning. When installed, the APs will discover and connect to FortiCloud and provision themselves automatically.

Fortinet Secure Access

Architectural Choices

Access Choices

Clients

Fortinet Security Fabric

Questions
