© Copyright Fortinet Inc. All rights reserved.
Simplifying Wi-Fi and your Deployment Options
November 2016
Perry Correll Fortinet, Dir. Product Marketing - Wireless
What Does This Say About Wi-Fi?
Agenda
• Current State of Wi-Fi Today
• Understanding the Technology
• Fortinet’s Secure Access Solution
• Summary
• Q&A
The Need for Wi-Fi is Growing, Everywhere
State of Today’s Wi-Fi
SOURCE: Cisco VNI Mobile, Dell’Oro Group, Wireless LAN Report Five Year Forecast 2014-2018, Gartner, Gartner Strategy Analytics, Morgan Stanley Research
• The average smartphone will generate 4GB of traffic per month by 2019
• 84% of users say that bad Wi-Fi has kept them from doing their job
• 76% of users think public Wi-Fi is not secure; 62% still use it
• 6.5M new Wi-Fi devices ship every day
• Globally, mobile data traffic will reach 24.3 Exabytes per month by 2019
• 25B connected things by 2020
Understanding Wi-Fi Technology
Wi-Fi’s Rapid Technology Evolution
• Every 2-3 years there is a new evolution of 802.11
• New technology is focused in the 5GHz band
Wi-Fi’s Available Spectrum
Wi-Fi’s Data Rate Growth
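| Year | 2.4GHz technology | 2.4GHz rate | 5GHz technology | 5GHz rate |
|------|-------------------|-------------|-----------------|-----------|
| 1997 | 11 | 2Mbps | | |
| 1999 | 11b | 11Mbps | 11a | 54Mbps |
| 2004 | 11g | 54Mbps | | |
| 2007 | 11n 2x2 | 300Mbps | 11n 2x2 | 300Mbps |
| 2011 | 11n 3x3 | 450Mbps | 11n 3x3 | 450Mbps |
| 2013 | | | 11ac 3x3 Wave 1 | 1.3Gbps |
| 2015 | | | 11ac 4x4 Wave 2 | 3.47Gbps |

~2019: 11ax, ~30Gbps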
Wi-Fi Client Evolution
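| Model | Released | Wi-Fi Mode | 2.4GHz | 5GHz | Antennas | Max Rate |
|-------|----------|------------|--------|------|----------|----------|
| iPhone | June 2007 | 11g | ✔ | | 1 | 54 Mbps |
| iPhone 3G | July 2008 | 11g | ✔ | | 1 | 54 Mbps |
| iPhone 3GS | June 2009 | 11g | ✔ | | 1 | 54 Mbps |
| iPhone 4 | June 2010 | 11n | ✔ | | 1 | 65 Mbps |
| iPhone 4S | Oct 2011 | 11n | ✔ | | 1 | 65 Mbps |
| iPhone 5 | Sept 2012 | 11n | ✔ | ✔ | 1 | 150 Mbps |
| iPhone 5S / 5C | Sept 2013 | 11n | ✔ | ✔ | 1 | 150 Mbps |
| iPhone 6 / 6 Plus | Sept 2014 | 11ac | ✔ | ✔ | 1 | 433 Mbps |
| iPhone 6S / 6S Plus / 7 | Sept 2015 | 11ac | ✔ | ✔ | 2 | 866 Mbps |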
The Reality of your Wi-Fi network
[Figure: devices on the network, marked as 2.4GHz, 5GHz, or 2.4G and 5G]
Wi-Fi’s Evolving Use Case
2010 – Traditional Wi-Fi
• Secondary network
• < 1 device per user
• Design for Laptops & coverage
• Designed for Access
• 2.4GHz centric
• Application focus – Web & Email
- I can Connect, so it works
2016 – Performance Wi-Fi
• Primary network
• 3+ devices per user (IoT)
• Design for handhelds & Performance
• Must design for Secure Access
• 5GHz and 2.4GHz - both required
• Application focus – Anything (real-time)
- If I can’t do what's needed, it’s broken!
Fortinet Secure Access Solution
Networks are Vulnerable
Recent data breaches point to network weaknesses
US FAA cites in-flight wireless entertainment systems open to cyberattacks.
» GAO-15-370 Report to Air Traffic Control Report
Hackers breach Wi-Fi to keylog targeted executives' devices – specifically those in the defense industry.
» Darkhotel hackers zero day hack
Large loss of credit-card data was brought about because of lax wireless LAN security.
» TJ Maxx security breach
Recent survey of 1490 respondents points to WLAN as the Most Vulnerable IT infrastructure
» 49% cite Wireless as ‘Most Vulnerable’
» 13% Totally Open - not using passwords for guest access
» Wireless Security Survey 2015
WLAN Ranked as the Most Vulnerable IT infrastructure

| Region | Endpoint | Core network infrastructure | Wireless | Databases | Applications | Storage | Email |
|--------|----------|-----------------------------|----------|-----------|--------------|---------|-------|
| Worldwide | 45% | 29% | 49% | 25% | 17% | 11% | 25% |
| Americas | 43% | 28% | 50% | 27% | 17% | 12% | 23% |
| EMEA | 47% | 27% | 52% | 22% | 17% | 10% | 24% |
| APAC | 43% | 31% | 44% | 25% | 18% | 10% | 29% |

Source: Fortinet Security Census 2015, 1490 respondents
CIOs Know it Too
Wi-Fi Isn’t Enough, Security is Required
Gartner 2016 Magic Quadrant for Unified Threat Management
Gartner 2016 Magic Quadrant for Wired and Wireless LAN
Security (NGFW/UTM)
Access (Enterprise)
Security and Enterprise Access Combined
Need More Speed
Migration to 802.11ac
Device Growth
Seamless Unified Experience
Application Growth
Move to wireless Including IoT
Unified Network Operations
Fortinet Secure Access
Architectural Choices
Access Choices
Clients
Secure Access: Enterprise Campus HQ
Solution Overview
Distributing the FortiGate Controllers
throughout the network/campus
improves capacity scaling for high-
density, high performance and high
capacity, especially as you migrate to
802.11ac.
This design also distributes the WLAN
and security processing load across the
multiple resources.
AP traffic is tunneled to the nearest
controller, and optionally may be dual
homed to allow failover to a second
controller for resiliency.
Secure Access: Enterprise Edge Gateway
Solution Overview
Smaller environments can use a single
FortiGate for WLAN management as well
as to secure your network at the edge.
In this deployment model, each FortiAP
uses CAPWAP tunnels to connect to a
FortiGate for policy processing and
forwarding.
The FortiGate Firewall function provides
protection from network threats, whether
they originate from the Internet or from
wireless devices.
Secure Access: Distributed Enterprise
Solution Overview
The Distributed Enterprise will vary
significantly in size and scope, so the
Fortinet Secure Access solution offers
multiple deployment options, several
identified here.
A FortiGate can act as a wireless
controller and security gateway,
connecting to the remote sites.
Some sites may consist of just FortiAPs,
tunneled back to the HQ for WLAN
policy enforcement and security.
To reduce the traffic load heading to your
HQ or data center, an onsite FortiGate can
be deployed and configured to handle
policy enforcement and security locally.
Secure Access: SOHO with Centralized Control
Solution Overview
Another deployment model is the
centralization of one or more FortiGates
in your data center to support the
aggregation of many APs deployed in
remote locations that do not have
a local FortiGate.
In this model the remote FortiAPs
connect back to the FortiGate cluster via
a CAPWAP tunnel over the internet and
appear to the controller like any other
connected AP.
Secure Access: Small Branch
Solution Overview
Small branches, retail or SMB models
are also supported and in these
deployments it is typically not necessary
to deploy a FortiGate onsite.
One or more FortiAPs can be installed
independently. Each AP discovers its
remote controller and sets up a
CAPWAP tunnel to it. The traffic passes
over the tunnel and terminates on the
FortiGate for security processing and
forwarding.
However, the use of split tunneling or
bridge mode allows traffic destined for
the local LAN to stay local rather than
hairpin through the remote FortiGate.
Secure Access: Campus/Enterprise
Solution Overview
When customers prefer to separate the
management of network access layer
from network security, Fortinet addresses
this with our FortiWLC controller solution.
In this case you would also distribute the
WLAN controllers at the access layer,
providing support for the highest density.
This model improves capacity scaling,
especially as you migrate to 802.11ac,
and spreads the WLAN processing load.
AP traffic is tunneled to the nearest
controller.
The addition of a FortiGate, with SSID
traffic mapped through it, will complete
the Secure Access Solution.
Secure Access: Enterprise Edge Gateway
Solution Overview
Smaller environments can be managed
by a single controller and all AP traffic
will be tunneled back for policy
processing and forwarding.
For security, SSIDs are mapped to
different VLANs in the standalone
FortiGate, then subjected to your defined
security inspection policies.
Once again the FortiGate will provide
protection from the wireless edge as well
as Internet.
Secure Access: Large Branch
Solution Overview
Large branches require just as robust a
WLAN solution as the Enterprise. In this
model you can use a FortiWLC, with a
FortiGate to provide complete threat
protection at all sites.
SSIDs are mapped locally to VLANs on
the FortiGate to provide security for all
traffic, regardless of its destination.
Distributing processing at the branches
improves performance and reduces the
volume of traffic forwarded to HQ by
keeping local traffic local.
Secure Access: Small Branch
Solution Overview
In small branch office or home office
deployments, an on-site FortiWLC may
be cost-prohibitive. Yet you still want to
secure Internet traffic.
In this case, APs can be installed without
a local controller, allowing non-local
traffic to be tunneled back to your HQ,
where the controllers reside.
Traffic should then be forwarded to your
centralized FortiGate for security
processing before it is forwarded to the
Internet, and vice versa.
Secure Access: Cloud Managed
Solution Overview
FortiCloud provides provisioning,
configuration and analytics, designed to
enable simple and rapid deployment of a
fully managed wireless network.
Via a single dashboard for managing the
WLAN and security for the entire
network, it offers unlimited network
scalability with all the benefits of
centralized management, and avoids the
cost of controller and management gear.
The FortiAP-S series APs include
FortiCloud registration functionality in
their firmware, which enables zero-touch
provisioning. When installed, the APs will
discover and connect to FortiCloud and
provision themselves, automatically.
Fortinet Secure Access
Architectural Choices
Access Choices
Clients
Fortinet Security Fabric
Questions