Category: Fortinet

Customer Perspectives

IT organizations use manageability as a key criterion in selecting security infrastructure. That said, the larger an IT network is, the more critical management efficiency becomes. The Fortinet Fabric Management Center, which combines the FortiManager network management solution and the FortiAnalyzer analytics and log management solution, streamlines deployment and administration across even the largest security infrastructure.

Ensuring Operational Efficiency at Scale

The experience of GPS Hospitality is a case in point. The company owns nearly 500 quick-service restaurants across 11 U.S. states—a size it reached in just seven years by growing through acquisitions. To ensure operational efficiency as it scaled up, GPS Hospitality standardized the IT environment across all its restaurants and engaged IT service provider HonorBuilt for IT deployment and support. 

GPS Hospitality selected Fortinet solutions to secure its geographically dispersed restaurants, in large part because of the Fabric Management Center. Today, each of the company’s restaurants has two FortiSwitch devices, a FortiGate next-generation firewall (NGFW), two FortiAP access points, and a FortiMail secure email gateway. HonorBuilt manages all these solutions, across the entire restaurant footprint, through a single pane of glass.

“For us, as the service provider, global management is the number-one benefit of using the Fortinet solutions,” says Andy Patterson, senior technology consultant for HonorBuilt. “Before using the FortiManager solution, we had no way of pushing out global updates. Now we can do it in minutes, across all 486 GPS Hospitality locations.” HonorBuilt also uses FortiAnalyzer to gain insights into security events across the GPS Hospitality infrastructure.

Just as important as day-to-day management efficiency is the ease with which the Fortinet solutions can be deployed in new locations. Jim Barlow, director of IT for GPS Hospitality, says the Fabric Management Center makes opening a new restaurant “almost cookie-cutter.” This ease of deployment has enabled GPS Hospitality to grow more than 1,000% in its first seven years. 

“Our partnership with HonorBuilt and our use of Fortinet solutions makes it very easy to put our same footprint in every restaurant,” Barlow concludes. “When the technology platform is as standardized as ours, a company can grow very quickly.” 

Visibility and Scalability in Preparation for the Future

Batteries Plus Bulbs has a similar story to tell. Its managed security service provider (MSSP), Leeward Business Advisors, is responsible for the company’s security operations center and network operations center, as well as security, network connectivity, and wireless access in each of Batteries Plus Bulbs’ 740 stores. 

FortiGate NGFWs secure traffic in each store and provide secure software-defined wide-area network (SD-WAN) network connectivity. FortiAP wireless access points provide wireless access within each store, and the FortiGate Unified Threat Management (UTM) bundle gives Batteries Plus Bulbs access to advanced malware protection, web filtering, intrusion prevention system (IPS), and application control. All these solutions rely on threat intelligence from FortiGuard Labs and third-party providers within the Fortinet Security Fabric. 

LeewardBA and Batteries Plus Bulbs staff use the Fabric Management Center to oversee all these solutions. FortiManager VM and FortiAnalyzer “enable us to provide centralized management from a single pane of glass, detailed reporting, workflow automation, and trends analysis,” says Jason Klein, chief technology officer (CTO) for LeewardBA. “This enables the in-house team to get a complete picture of their security posture at a glance, at any time.”

This level of visibility is a major improvement over the company’s legacy security environment, provided by a different MSSP and solution vendor. “We were often in the dark with our prior solution,” says Michael Lehman, vice president and chief information officer (CIO) for Batteries Plus Bulbs. “Our prior MSSP did not provide us with actionable insights about what risks we faced or what we could do about them.”

Dan Dugan, vice president of IT for Batteries Plus Bulbs, sums up the benefits of the Fabric Management Center: “Now we have security information by glancing at a screen, and we can drill down to any level of detail we need. We can take a more proactive stance in managing security. This gives us confidence that we are equipped to manage security threats for the next five to seven years.”

Financial Services Audits Made Easy

The Illinois State Treasurer does not have as many disparate locations as GPS Hospitality or Batteries Plus Bulbs, but as the state’s banking agency, it manages $32 billion in assets. Effective security is imperative—and in order to provide effective security, the agency’s small IT staff requires operational efficiency. That is a primary reason the Treasurer’s office turned to Fortinet. 

The agency deployed FortiGate NGFWs and the FortiSandbox sandboxing solution to protect its infrastructure. The Fortinet Fabric Management Center consolidates information about threat detection and response networkwide, which is essential for securing sensitive data, such as account or routing numbers, and connections with external financial institutions. “Having that single-pane-of-glass visibility makes security management a lot easier,” says Joseph Daniels, CIO for the Illinois State Treasurer. 

To comply with a recent information security audit, Daniels pulled the agency’s weekly FortiGate Cloud security reports, which gave him sufficient information to capably meet the audit requirements. Since then, the agency has deployed FortiAnalyzer analytics, which Daniels says “provides a much deeper dive into our network. … I am looking forward to the next audit that we have. We will be much better prepared.”

The Bottom Line for Automated Network Operations

From state agencies to retail businesses, efficiency is a crucial component of the IT security infrastructure. Many businesses face a resource shortage. Even large organizations may not have large security teams, due to the scarcity of skills available in most job markets. 

Automation, centralization, and other drivers of efficiency in infrastructure management help ensure that network and security teams of all sizes can effectively secure critical resources, potentially across hundreds (or even thousands) of dispersed locations. FortiGate NGFWs reach this level of manageability because of the single-pane-of-glass visibility in the Fortinet Fabric Management Center.

Learn more about how Fortinet’s Fabric Management Center enables enterprise-class automation capabilities while helping network leaders realize industry-leading benefits like improved efficiency, reduced risk, and decreased TCO. 

Engage in our Fortinet user community (Fuse). Share ideas and feedback, learn more about our products and technology, or connect with peers.

United Kingdom’s National Cyber Security Centre (NCSC) and Canada’s Communications Security Establishment (CSE) have published research into the activity of ‘APT29’, also known as ‘the Dukes’ or ‘Cozy Bear’ who have been targeting various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.

The initial attack vectors for this group has been unpatched vulnerabilities in SSL-VPN solutions including Fortinet. One of the vectors used included a vulnerability resolved by Fortinet in May 2019, allowed an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests as disclosed in FG-IR-18-384 / CVE-2018-13379. At the time of the disclosure Fortinet made available patches for all supported releases (5.4, 5.6, 6.0, 6.2).

Customers were notified at the time via the public PSIRT Advisory system of the need to upgrade immediately and highlighted the same in the release notes.  For those unable to upgrade, mitigations were provided.  For additional transparency, this was again highlighted in a blog in August 2019 after the vulnerabilities were disclosed by the researchers at Black Hat 2019.

For all customers Fortinet recommends the following actions are taken immediately.

• Upgrade all FortiGate systems to the latest firmware releases. Using the latest security patches for your release is key to protect against attack.
• Validate that all SSL-VPN local users are expected, with correct email addresses assigned and perform password reset on all users.  If there are any unrecognised local users, follow corporate policy remove them immediately.
• Preferably migrate to using remote directory system (LDAP,RADIUS) for all user authentication
• Use multi-factor authentication (two-factor authentication authentication) to reduce the impact of password compromises.

Additional steps can be taken to secure your network against attack including:

• Prevent and detect lateral movement in your organisation’s networks using tools such as deceptor technology to identify threats early in the threat cycle.
• Employ Endpoint detection and response to identify and block threats before the have a chance to take hold on the network.

Revision History:

2020-07-16 Initial version

Networking and security teams are constantly trying to maintain a balance between security, complexity, and application experience. This situation has become much more challenging with organizations adopting multiple clouds and hybrid cloud environments for their business needs. Fortinet’s new “Secure SD-WAN for Multi-Cloud” solution addresses these challenges by enabling enterprise IT to build a seamless cloud-to-cloud network and security architecture that is consistent and robust across the different clouds.

Multi-Cloud Comes with Multiple Benefits…and Challenges

Cloud infrastructure spend is rapidly becoming a larger portion of the CIO’s budget, and as a result, enterprises are increasingly adopting a multi-cloud approach for their cloud deployments. A multi-cloud strategy enables these organizations to avoid vendor lock-in and to select the best cloud services to meet the requirements of a particular application or workload. Organizations are also able to choose cost-optimized services and leverage geographically dispersed clouds for disaster recovery, to meet data sovereignty requirements, and to improve overall user experience. And, a multi-cloud model also provides redundancy to reduce the risk of downtime. 

For these reasons and more, enterprises are building their new data infrastructure across multiple clouds. And at the same time, IT continues to constantly evolve their cloud network infrastructure to meet new performance, security, scaling, and cost goals that have a tangible impact on their business outcomes.

However, even with so many benefits and use cases, multi-cloud is not without its challenges.

Firstly, the diversity of cloud platforms is a key challenge for IT since it is difficult to find skilled personnel who are experts in every single cloud environment. This skills gap often results in an IT team’s inability to scale adequately to keep up with the different demands of the large number of cloud service providers being used. Due to fundamental differences between cloud providers, IT typically struggles to deploy a consistent network infrastructure for applications and workloads that are deployed in or that span across multiple clouds. This increased complexity can slow down operations.

Secondly, this same problem also increases security risks. A lack of a consistent security infrastructure that can seamlessly span multiple clouds, especially in terms of policy orchestration and enforcement, results in security gaps that prevent end-to-end visibility and uniform security control.

Previously, to overcome these challenges, enterprises have chosen to backhaul cloud traffic to on-prem data centers or network service/colocation provider points of presence. While the goal is for cloud workload traffic to be centrally inspected and routed between the different clouds, these dedicated backhaul connections are often expensive and can quickly become bottlenecks. And this problem can be exacerbated because backhauling traffic over cloud provider VPN gateways to on-prem data centers can add significant latency and degrade application performance.

All these challenges demand a new approach for establishing secure and high-performance connectivity between multiple clouds—especially without increasing cost and complexity.

Fortinet Secure SD-WAN for Multi-Cloud

Fortinet Secure SD-WAN for Multi-Cloud is a new use case built around a FortiGate-VM next generation virtual firewall combined with a FortiManager central management console.

This new offering enables a unified networking and security strategy with a programmable framework to ensure consistent policies for securing and transporting traffic across multi-cloud environments. This application-aware overlay network can be easily deployed, and operates seamlessly across multiple Public and Private cloud virtual networks. It leverages internet connections as well as collocation and leased line connections to each cloud—including public cloud transport services like direct connect, express route, and interconnect—to offer the option of select different links per application and workload. And to reduce complexity and increase agility, the solution also supports repeatable deployments using automation templates and broad support for public cloud and SDN/SDDC integrations.

Next, this solution—supported by Fortinet fabric connectors that enable full integration with and between cloud providers—automatically updates dynamic addresses of workloads as they are spun up and spun down. Appropriate security policies are then dynamically tied to workloads without the need for manual intervention. In addition, cloud-native integrations, such as tag-based segmentation, enables the application of policies to segment workloads. And with pipelined automation that uses Cloud provider serverless functions, IT can decrease response times to security events through automation applied across multiple FortiGate-VM Secure SD-WAN nodes. And finally, deep packet inspection and advanced security, such as IPS and AV, provide deep visibility into any security threats across the multi-cloud deployment.

This solution can work on either cloud provider direct connections or internet links based on predefined or custom application signatures—and it also utilizes encryption to securely transport application traffic using internet links. And its SD-WAN dynamic path selection capability chooses optimal link(s) to deliver the best application experience. FortiGate-VM also offers over 20Gbps of IPsec performance for fast encrypted connections over internet links to reduce operational costs.

Customer Benefits for Deploying Fortinet Secure SD-WAN

Here are a few of the customer benefits Fortinet Secure SD-WAN for Multi-Cloud provides:

• Lowers cybersecurity risks and improves compliance by deploying security policies and advanced protection uniformly across multi-cloud deployments, as well as securing application traffic with high speed encryption and traffic inspection.
• Accelerates time to revenue and improves business productivity by increasing the agility of application deployments across multi-cloud environments, eliminating current limitations while delivering the right application experience at a reduced cost.

Secure SD-WAN for Multi-Cloud Offerings

For those enterprises looking to reduce complexity, increase cost efficiency, and improve application experience when operating multi-cloud environments, Secure SD-WAN for Multi-Cloud offers:

• An overlay transport that creates a single, seamless network that spans different cloud environments
• Consistent security controls and visibility in spite of a dynamic application infrastructure
• High-speed encrypted traffic performance over less expensive internet links and leased lines
• A scalable and future-proof solution, that enables the implementation of business policies and ongoing management and orchestration of connectivity and security from a single, centralized console.

Learn how Fortinet’s dynamic cloud security solutions provide increased visibility and control across cloud infrastructures, enabling secure applications and connectivity from data center to cloud. 

Read these customer case studies to see how Hillsborough Community College and WeLab implement Fortinet’s dynamic cloud security solutions for secure connectivity from data center to the cloud. 

Engage in our Fortinet user community (Fuse). Share ideas and feedback, learn more about our products and technology, or connect with peers.

Customer Perspectives

An IT security infrastructure built to protect a government is incredibly complex. Using the right tools is essential in enabling staff to effectively and efficiently develop and maintain that infrastructure. 

The government was in the midst of an initiative to consolidate IT services across its distributed data center infrastructure. The scale of the initiative was immense. The government employs hundreds of thousands of workers, who regularly use thousands of applications. 

Protecting systems on this scale required a revamp of the network’s security infrastructure. The government’s IT services organization launched a request for proposals (RFP) with hundreds of mandatory technical requirements, including advanced threat protection, sandboxing, intrusion detection and prevention system (IDPS), and secure web gateway capabilities. The new solution also needed to streamline management and provide visibility into security events throughout the government. 

Solutions that met these extensive technical requirements had to demonstrate they could perform at scale. Firewalls needed to support 100 Gigabit-per-second (Gbps) secure sockets layer (SSL) throughput, while maintaining millions of concurrent connections and hundreds of thousands of new sessions per second. They were also required to support up to 100 virtual domains (VDOMs) for segmentation.

FortiGate next-generation firewalls (NGFWs) and the other Fortinet products provided all the requisite security features, so Fortinet submitted a proposal and participated in a proof of concept (POC).

Impressive Performance in Super-Sized POC

The solution Fortinet developed for the POC consists of a stack of clusters, each with four FortiGate NGFWs. Load-balancing capabilities enable the infrastructure to support smaller deployments with 40 Gbps, but also to scale up to 100 Gbps when an agency requires that much bandwidth. A FortiWeb web application firewall (WAF) manages internet traffic, and the NGFWs route suspected threats to a FortiSandbox cluster. 

In the POC, Fortinet enabled every feature of the NGFWs, including sandboxing and full event logging. Fortinet also enabled a new IP reputation capability, through which the NGFW compares IP addresses for all traffic against the Fortinet IP Reputation database. The NGFW denies network access for any traffic from a low-scoring IP address, unless administrators have whitelisted the address. 

With all these features running, the Fortinet solution met the government’s rigorous performance requirements, distributing 100 Gbps of SSL traffic evenly across the stack while demonstrating exceptional security capabilities. The incumbent solution, from another vendor, also met the RFP’s technical requirements. However, it had difficulty matching the performance of the Fortinet solution with all the requisite security features enabled. These results, combined with a compelling TCO, led the government to opt for the Fortinet solution.

Fabric Management Center Streamlines Infrastructure Management

The government’s IT services organization has deployed the Fortinet solution across multiple data centers, and it continues to expand the scope of the installation. To manage its geographically dispersed security infrastructure, the organization uses the Fortinet Fabric Management Center, which consists of the FortiManager centralized management solution and the FortiAnalyzer analytics and log management solution.

The FortiManager solution—deployed in each data center—provides the level of automation necessary to configure and control the large-scale security infrastructure. A Fortinet services team used the powerful FortiManager scripting capabilities to develop more than 50 different scripts for the government’s infrastructure. One simple script builds out an entire data center tenant, including creating the VDOMs and mapping the interfaces in all the NGFWs. Doing this manually would be incredibly time-consuming.

A FortiAnalyzer cluster in each data center provides insights into threats and vulnerabilities throughout the security infrastructure. It also provides customized reporting—based on complex queries developed by the Fortinet services team—to meet the highly specific requirements of the government’s IT services group. 

Meanwhile, the FortiWeb WAF provides common vulnerabilities and exposures (CVE) and Open Web Application Security Project (OWASP) dashboards. If a new strain of malware emerges and the government wants to know whether it has appeared in agencies’ traffic, government IT staff can quickly find out via the CVE dashboard.

The IT organization’s security infrastructure project was successful in large part because of the concerted effort on the part of all team members. The government’s intensive POC process ensured that the Fortinet solution would meet its security and performance needs. During implementation, the Fortinet services team helped the IT organization leverage the automation capabilities within the Fabric Management Center, which is making it easier for staff to protect the huge government infrastructure. 

Learn more about how Fortinet’s Fabric Management Center enables enterprise-class automation capabilities while helping network leaders realize industry-leading benefits like improved efficiency, reduced risk, and decreased TCO. 

Engage in our Fortinet user community (Fuse). Share ideas and feedback, learn more about our products and technology, or connect with peers.

Industry Perspectives

The security of operational technology (OT) networks is a growing concern as it involves the world’s factories, utilities, healthcare, public transportation companies, energy facilities, and more—all of which have seen an enormous transformation in recent years. For example, manufacturing and plant operations have become much more efficient, primarily due to a projected $40 billion OT hardware and software market that provides solutions designed to make operations more agile. However, along with these efficiency gains—including supervisory control and data acquisition (SCADA) systems that are now connected to the Internet—comes a sharp rise in cyber risk. That’s because these previously “air-gapped” systems that were once fully isolated from the Internet are now connected to it, exposing its broad attack surface to new cyber risks. 

The challenges of securing industrial control systems (ICS) against cyber threats continue to dominate the everyday to-do lists of OT teams. In spite of almost daily attention from OT leaders, business operations are increasingly at risk, largely thanks to a growing number of intrusion strategies that get more sophisticated as time goes by. And now, in 2020, there is the added challenge of facing the risks presented by COVID-19, including more employees working from home and the adoption of new technologies designed to support a remote workforce. 

To shed light on these and other OT security challenges, Fortinet has released the 2020 State of Operational Technology and Cybersecurity Report. 

Providing Insight on OT Security

The increasing volume of cyber threats impacting ISC/SCADA systems has presented new challenges for OT leaders as they work to address their expanding attack surface and decide which cybersecurity strategies and solutions they should adopt. Understanding these challenges was the focus behind Fortinet’s latest study that exclusively targeted individuals responsible for some aspect of manufacturing or plant operations, and with job titles ranging from manager to vice president. All respondents also work at companies involved in one of four industries, including: 

• Manufacturing 
• Energy and Utilities
• Healthcare
• Transportation

Among the gathered responses, this study highlights four main trends that help illustrate the current state of OT security across organizations:

1. OT Leaders Have a Broad Set of Responsibilities, Including Cybersecurity

OT leaders typically report to higher-ranking individuals within the organization, such as a VP, COO, or the CEO. The overwhelming majority (80%) are also regularly involved in making cybersecurity decisions, with half having the final say in those decisions. 64% of OT leaders have also taken on the responsibility of embedding security within the operations process, and 71% are regularly involved in IT cybersecurity strategy. 

Because cybersecurity is a top priority for these individuals, trends show that matters related to OT security will soon become the responsibility of the CISO, if they are not already. The inevitability of this shift is highlighted by the fact that most (61%) respondents stated that they expect their CISO to take on all OT security responsibilities in the coming year. This is likely due to the increased risk of connected OT systems and their impact on business continuity. 

2. Core Cybersecurity Protection is Not Featured Within All OT Infrastructures

The report also revealed gaps in many OT infrastructures that include security. For roughly 40% – 50% of those organizations surveyed, the following protocols and security features were missing:

While more than half (58%) of organizations are seeing their budgets increase in 2020, it should also be noted that 15% are instead seeing a decrease in funding, which could be connected to COVID-19-related revenue losses.  

3. Security Measurements and Analysis Remain a Challenge for OT Leaders

The Fortinet survey found that between 36% and 57% of organizations lack consistency when it comes to measuring items on a list of standard metrics. Among the most commonly tracked and reported areas are vulnerabilities (64%), intrusions (57%), and cost reduction resulting from cybersecurity efforts (58%). Conversely, less than half of organizations (43%) are known to report on tangible risk management outcomes, and 39% to 50% do not routinely share basic cybersecurity data with senior executive leadership.

Respondents also cited security analysis, monitoring, and assessment tools as among the most essential features in security solutions, with the majority (58%) ranking these specific attributes in the top 3. Despite the prioritization of these features, however, 53% reported that security solutions hinder operational flexibility and half reported that they create more complexity.

4. Most OT Leaders Struggle to Prevent Intrusions

The majority of responding organizations also reported that they had been largely unsuccessful at preventing cyber criminals from exploiting their systems, with only 8% stating that they had had no intrusions over the past 12 months. Among those surveyed, it was also found that: 

• 90% have experienced at least one intrusion in the past year 
• 72% have experienced three or more intrusions in the past year
• 26% have experienced six or more intrusions in the past year

The impact of these exploitations was also noted by respondents, with more than half (51%) documenting lost productivity, 37% seeing operational outages impacting revenue, and 39% having their physical safety put at risk—a significant concern considering the inherent dangers of industrial facilities.  

OT leaders also noted the commonality of specific attack methods, including malware (60%), phishing (43%), hackers (39%), ransomware (37%), denial-of-service (DDoS) attacks (27%), and insider breaches (18%). 

Security Best Practices in Operational Technology

This report also identified two subsets of respondents: those who had no intrusions during the past 12 months (top-tier) and those who experienced more than 10 intrusions during that same time (bottom-tier). Among those top-tier organizations, the following best practices were noted:

1. Top-tier organizations are four times as likely to ensure that their OT activities are centrally visible to their security operations teams. 
2. They are also 133% more likely to track and report on vulnerabilities that were found and blocked. 
3. These organizations are twice as likely to have the CISO or CSO currently responsible for OT security.
4. OT leaders within these organizations are 25% more likely to be directly responsible for embedding security into OT processes. 
5. Top-tier organizations are 25% more likely to have a NOC to ensure centralized visibility and monitoring of network activity.
6. Top-tier OT leaders are 25% more likely to be measured by response time to security vulnerabilities, placing it as either a first or second priority. 
7. And these OT leaders are 25% more likely to report on compliance with industry regulations to executive leadership, suggesting automated compliance reporting that enables a real-time approach.

By following these seven best practices, OT leaders can expect benefits such as higher productivity levels, more robust cybersecurity defenses, and a better chance of keeping up with changes in the industry. 

Final Thoughts

Amidst growing vulnerabilities among ICS/SCADA systems and an increasing volume of significant intrusions, this latest report shows that OT leaders are largely falling behind when it comes to cybersecurity. Many find it challenging to deploy the right security tools and keep up with the increasingly sophisticated cyber threats that await their newly-connected systems. Some, however, are managing their OT cybersecurity with success, as demonstrated by the top-tier organizations referenced in this report. By learning and following their best practices, making a commitment to promoting centralized visibility, and taking a proactive approach to security, organizations can turn the tables on cybercriminals to protect their critical OT infrastructures.

Customer Perspectives

Digital innovation initiatives continue to help organizations improve productivity and customer service, but new technology can also introduce new cyber threats for bad actors to exploit by expanding the potential attack surface. And aging branch VPN infrastructures built around WAN edge routers only compound this problem, leaving companies exposed at the edge.

One Fortune 500 organization recently came to Fortinet with exactly that issue. They needed a VPN infrastructure that could scale across their datacenter and multicloud – something they could not achieve using their legacy networks. They were looking for a robust security solution that could support the evolving needs of their branch locations.

Seeking a new, Integrated Secure SD-WAN Solution

After experiencing numerous failures of the legacy routers and basic network firewalls they had deployed at their remote locations due to age, and realizing their contract on their current solution would expire in less than a year, this large distributed enterprise in the United States began seeking a replacement.

With its advanced networking capabilities that include dynamic routing such as BGP, Fortinet Secure SD-WAN — which integrates Next-Generation Firewall (NGFW) and Secure SD-WAN in a single offering — quickly became the front runner. This solution was able to provide advanced security to protect vulnerable branch locations with direct internet access, while also delivering all the benefits of an SD-WAN solution, including improved performance of business-critical applications, better user experience, and better protection at the WAN Edge.

These advantages impressed this company enough to begin an initial pilot at six locations, during which Fortinet was able to highlight its Zero-Touch Provisioning capabilities for simple and fast deployment and management. For a company like this, this was a huge advantage as they manage their environment internally and are always looking to reallocate their security team’s time and attention to other critical security tasks.

This initial pilot also demonstrated Fortinet’s simple deployment and robust combination of networking and security features, prompting this company to extend the pilot to over 150 more locations, all which proved successful. During this time, Fortinet was further set apart from the competition because they were able to provide an enterprise agreement that added additional value and resources to support the organization’s various needs. These included augmenting MPLS with broadband + LTE and the ability to replace MPLS in future, reducing CAPEX through product consolidation, and reducing OPEX with its centralized management. 

LAN requirements were another need. Their SD-Branch requirements included the need for access points, switches, and 3G/4G connectivity. They also needed advanced support for cloud and other business critical enterprise applications combined with an effective cloud on-ramp strategy.

Choosing Fortinet Secure SD-WAN to Future-Proof Branch Offices

The company’s existing security solution required centralized inspection and filtering, which meant backhauling all traffic to datacenters to ensure security. What they needed was advanced NGFW capabilities at the branch office/WAN edge to make local breakouts for multi-cloud access possible. At the same time, they wanted to avoid all the bandwidth demands required to send traffic to the data center for inspection. After demonstrating the ability to meet, and even exceed, all of the organization’s security and networking requirements, Fortinet was determined to be the right fit.

While Fortinet was not the least expensive solution presented to this price-sensitive organization, they found that Fortinet provided the most value to their company long-term. Fortinet’s integrated platform approach, including Secure SD-WAN, provided their organization with the following benefits:

• Reduced Complexity: In their proof of concept trial, the primary competitive solution under consideration was missing advanced routing features and VPN capabilities. A lack of advanced routing BGP capabilities for faster convergence and route-based path selection, and not being able to build overlay VPN tunnels to same destination address were show stoppers. With Fortinet’s fully integrated Next-Generation Firewall and Secure SD-WAN solution, however, the company was able to reduce the number of devices needed at each location.
• Simple Deployment: With a large installed base of 10,000 branch offices, speed was a priority when it came to deployment and configuration. Fortinet’s Zero-Touch Provisioning reduced deployement time to minutes, saving IT staff resources and eliminating the need deploying additional IT personnel to each site. Additionally, centralized management using FortiManager for network and security needs and analytics provided by FortiAnalyzer enabled easy integration with their NOC and SOC teams for easy problem resolution and troubleshooting. 
• Reduced Bandwidth Requirements: This company was able to establish split tunneling for their traffic at the branch level, enabling web traffic filtering locally while allowing access to corporate applications through VPN to reduce bandwidth requirements.

In addition to the above benefits, the company also valued the opportunity to take full advantage of the ability to extend Secure SD-WAN capabilities into the branch LAN by adding secure switches, wireless APs, and LTE support via Fortinet Secure SD-Branch, effectively future-proofing their solution while continuing to consolidate devices and reduce management overhead.

Take a security-driven approach to networking to improve user experience and simplify operations at the WAN edge with Fortinet’s Secure SD-WAN solution.

Read these customer case studies to see how De Heus and Burger King Brazil implemented Fortinet’s Secure SD-WAN to alleviate network complexity, increase bandwidth, and reduce security costs.

Skills Gap Perspectives

CISOs are challenged with filling critical cybersecurity roles in their organizations due to the shortage of talent and cybersecurity expertise. One untapped resource that organizations looking to fill security roles should pay more attention to in their recruitment efforts is veterans. Veterans have many complementary skills that with the right training can be relevant to a career in cybersecurity. Fortinet’s Veterans Program, part of its Network Security Expert (NSE) Training Institute, focuses on helping veterans transition into a role in cybersecurity. 

Q&A with a Veterans Program Graduate

Michael Beckham is a 21-year veteran of the U.S. Navy who benefited from Fortinet’s Veterans Program, FortiVet. Through the program’s cybersecurity training and other resources, he was successful in securing a career in the field. Below, he shares his experience being part of the program in an interview we recently had with him.   

Can you give us a summary of your background in the military?

I served in the U.S. Navy as a Cryptologic Technician Communications Operator (CTO) for 21 years. My daily routine consisted of ensuring the successful delivery and security of critical messages and traffic, while also maintaining the highly classified equipment that delivered this information highly secure. During that time, I was fortunate to serve with some of the smartest people on the planet. We were able to witness the progression of technology from teletype and tape with blazing speeds of 1200 baud to minicomputers to routers, firewalls and common transport speeds of 100 gigabits and higher. 

How did you get into the Fortinet Veterans program?

I was unemployed at the time for nearly 11 months and I was told about the Fortinet Veterans Program from a fellow veteran. I reached out to Fortinet and went through an interview process and was then accepted into the program. As a result, I had access to mentoring and to the NSE Training Institute resources. 

What do you do now? 

The Fortinet Veteran Program connected me to Walker and Associates, as they’re part of Fortinet’s partner ecosystem, and this is where I now work. I currently work as a Federal Field Systems Engineer responsible for advancing sales of technical products. I focus on advancing a number of technical solutions for the Federal Marketplace, to include Optical, Cybersecurity (primarily Fortinet), Network Infrastructure, Virtual and Hyper Converged Infrastructure, and TDM migration solutions.  

Why do you think the program is important to help fill the talent gap in cybersecurity?

This program helps equip veterans from all branches of the services with the opportunity to fill the skills gap in the cybersecurity industry. It enables veterans like me to leverage their skill sets that are relevant to a career in cybersecurity. Employers benefit from knowing they’re hiring experienced professionals with security clearances. Veterans can also expand their cybersecurity knowledge through training and Fortinet’s Network Security Expert (NSE) Certification Program. 

What would you say are the benefits to a company for hiring someone from the FortiVet program?

Companies benefit from this program by having an array of experienced, proven cybersecurity professionals who can fill the talent gap with disciplined lifelong learners willing to expand their knowledge. 

Closing the Cybersecurity Skills Gap

Veterans trained in the latest cybersecurity techniques can play a key role in filling the talent shortage while adding the valuable attributes that are unique to those who have served in the armed forces. Many veterans possess the mindset, skills, and security clearances that positions in cybersecurity require. This is why training veterans and assisting them in entering a career in cybersecurity can really move the needle in narrowing the cybersecurity skills gap. 

Find out more about Fortinet’s NSE Training Institute programs, including the Network Security Expert program, Network Security Academy program and FortiVet program, which provide critical cybersecurity training and education to help solve the cyber skills gap and prepare the cybersecurity workforce of tomorrow.

Customer Perspectives

When network users expect connectivity for devices ranging from personal laptops and mobile phones to gaming systems and smart refrigerators, network administrators require a solid solution for matching each device to the appropriate user, and for confirming that the device meets organizational requirements for secure connectivity. The experience of a midsize Pennsylvania college demonstrates the value of network access control (NAC) technologies in performing both of these functions.

Gettysburg College is a liberal arts school in a location imbued with historical significance. Its 225-acre campus is adjacent to the Gettysburg National Military Park, site of the famous Civil War battlefield. Many buildings on campus are historically relevant as well, but Gettysburg College is not stuck in the past. Far from it.

The school was an early adopter of wireless networking. Two decades ago, it offered wireless bring-your-own-device (BYOD) access as a selling point to attract students. Today, campus-wide Wi-Fi is less effective as a differentiator. Still, Gettysburg College strives to provide an end-user experience that stands out from the crowd. 

Managing a BYOD Wireless Network in a Tourist Town

The college’s IT team works to ensure that students, faculty, staff, and parents can securely connect appropriate devices; that individuals who should not be on the network do not gain access; and that all these processes are as automated as possible. 

“Gettysburg, Pennsylvania, sees tens of thousands of visitors every year,” explains the school’s Vice President of IT, Rodney Tosten. “Our campus interweaves with downtown Gettysburg, and some major roads even cross the campus. Every device in a car passing through tries to connect into our network.”

Moreover, he says, people used to park in the college’s parking lots to access the internet via its wireless network. “That raised concerns about network security,” Tosten says. “It also had implications for campus safety. We worried that free internet might be attracting people who were not necessarily healthy to have hanging around our campus.” 

Finally, IT staff worried about bandwidth. “Being in a tourist town, we knew that having a wide-open network could eventually mean so many people connecting that our internet throughput would fall to pieces for the students, faculty, and staff who needed it,” Tosten says.

Leveraging FortiNAC to Implement Access Policies That Are Both Effective and Efficient

Gettysburg College has long understood these challenges. Eighteen years ago, it deployed the FortiNAC* solution. Thanks to this software, any attempt to connect a computer, tablet, or smartphone to the school’s Wi-Fi network brings up a registration page. Users who have network login credentials enter them on the registration page. The FortiNAC system confirms their identity and scans each endpoint to verify that its operating system and security software are up to date. “We will not grant people access unless the FortiNAC solution verifies that their system is updated and has antivirus protection,” Tosten says. “That ensures only secure devices connect to our network.”

Parents and visiting faculty can connect, but their access is time-limited. The FortiNAC solution maintains an inventory of their accounts. Individuals whose allocated time window has expired will no longer be allowed access. The solution also automatically removes access permissions for any device that has not connected to the network for a period of time.

“Our Wi-Fi network has more than 1,000 access points,” Tosten says. “We have 55,000 devices attempting to connect on an average day, and only about 6,500 of them should actually get in. That is a lot to manage, and two staff members are responsible for all related connectivity issues. The automation in the Fortinet solution, its scanning of devices attempting to enter the network, and its ongoing management of network inventory make it possible for such a small staff to manage our Wi-Fi.”

Allowing Only the Right Things on the Internet with FortiNAC

When students want to connect an Internet of Things (IoT) device, they must complete a manual request. The IT group routinely tests such devices to discover which work well on the network and which do not. They feed this information into the FortiNAC system.

“We test smart speakers, gaming consoles, and all the other gizmos we expect people to try to connect,” Tosten reports. “We want to make sure the devices we allow in will not consume all our bandwidth or overload our access points. If someone tries to connect a device that we do not allow, FortiNAC does not give it access.” 

This approach further improves staff productivity. “It lets us have a conversation up front, rather than bogging down our helpdesk staff trying to support devices that are not going to work,” he adds. “Without a product like FortiNAC, we would not know which devices would have challenges, and figuring out connectivity problems for each individual device would be a much longer conversation.”

Acknowledging the significant improvements in staff efficiency, Tosten emphasizes that the primary benefits of the NAC system accrue to end users. “We have been using the FortiNAC solution for 18 years,” he reiterates. “Throughout that time, it has provided great security for our campus network. Without this product, Wi-Fi access would be like the Wild West. Instead, the FortiNAC system helps us make sure that everyone who is supposed to be on our Wi-Fi can connect, with healthy devices and adequate bandwidth, so that all our end users have a quality experience.”

* In 2018, Fortinet acquired Bradford Networks and their NAC solution which was rebranded as FortiNAC.

Discover how Network Access Control solution (FortiNAC) provides organizations with the ability to see and control all the devices and users connected to the network.

Last year we announced integration with Microsoft Azure Virtual WAN to offer customers a secure cloud on-ramp from both data centers and branches to the Azure cloud. Fortinet Secure SD-WAN for Azure Virtual WAN offers organizations the ideal combination of automated set-up, ease of use, security, and visibility across their distributed infrastructure. The solution offers secure and automated branch-to-branch connectivity using Azure’s global transit network, as well as connectivity from the branch to the Azure Virtual WAN. Fortinet’s Secure SD-WAN solution integrated with the Azure Virtual WAN allows organizations to accelerate cloud on-ramp to Azure by taking advantage of the dynamic path selection feature when both VPN and ExpressRoute connectivity options are utilized in a hybrid cloud environment.

This week, Microsoft Azure has made new routing capabilities in its Azure Virtual WAN offering publicly available. And Fortinet has become the first vendor to announce integration with these enhancements to enable new security use cases, allowing organizations to further secure their Azure VNet deployments. Specifically, FortiGate-VM can now be deployed in a service VNet to secure traffic in all directions.

Deeper Routing Enhancements to Enable Security Inspection

Fortinet’s FortiGate NGFW has leveraged these Azure Virtual WAN routing enhancements to ensure all traffic going from an organization’s Virtual Network deployments to their branch offices (similarly, traffic flowing from branch networks to Virtual networks) can be inspected by the FortiGate-VM. Additionally, FortiGate can now inspect all East-West (VNet -to-VNet) traffic without requiring VNets to directly connect to Azure Virtual Hubs. Fortinet is the first vendor to integrate with these enhancements and fully validate these new use cases.

These new enhancements allow users to create custom route tables, in addition to the default route table that Azure Virtual WAN creates for each virtual hub. A virtual network connection can then be associated with a single route table. Once a connection to a virtual hub is created, it associates and propagates to the Default route table. However, a connection can be associated to a custom route table to allow the traffic to be sent to the destination indicated as routes in that new route table.

Routes can be dynamically propagated from a connection to one or multiple route tables. Additionally, these new enhancements allow static routes to be configured in a virtual network connection to provide a mechanism to steer traffic through a next-hop IP, which could be a Network Virtual Appliance (NVA) provisioned in a Spoke VNet attached to a virtual hub.

Service VNet Integrated with Azure Virtual WAN

The FortiGate Next Generation Firewall (NGFW) can be deployed in security hub VNets connected to an Azure Virtual Hub to inspect all traffic, including VNet-to-branch and VNet-to-internet traffic. The diagram below illustrates how these recent enhancements enable a hub-spoke topology. Specifically, it shows how VNet-to-branch (and VNet-to-internet) traffic can be steered to FortiGate NGFW (NVA).

In this setup, we have two spoke VNets, Spoke1 and Spoke2, a Service VNet that hosts the FortiGate-VM, and an optional VNet5 which can also host a FortiGate-VM, but for the purpose of inspecting VNet-to-internet traffic. There are two branch office networks that are connected to the Azure Virtual WAN through IPSec and ExpressRoute, respectively. The FortiGate-VM in the Service VNet is deployed with two network interfaces. And all four VNETs are connected to the Virtual WAN Hub in the corresponding region. 

Any traffic originating from the Spoke VNets and destined to the branch office is routed through the FortiGate internal interface. This is achieved by using custom route tables that are supported on Azure Virtual WAN. By default, Azure Virtual WAN comes with two route tables: A Default Route Table and a None Route Table. In addition, you would need two route tables to configure the routing correctly. Spoke VNETs will associate to the RT_V2B route table, and the Service VNET hosting the FortiGate-VMs will associate to the RT_Shared route table.

For example, when a resource in Spoke1 needs to communicate with a server in the branch network, the virtual hub looks at the route table t which Spoke1 is associated. In this case, that route table is RT_V2B, which has a static route for the branch network with the next connection hop. Once the traffic is inspected by the FortiGate-VM, it is forwarded back to the virtual hub. This time, the hub makes its routing decision based on the routes in the route table RT_Shared, since the Service VNet connection is associated with that route table. 

As shown in the diagram, the VPN connection to the branch network has propagated routes to the RT_Shared table, allowing the route table to have a route to the branch network. This helps hub1 route the traffic to the final destination in the branch. Similarly, internet-bound traffic can be steered to another VNet (VNet5) that hosts FortiGate-VM, as shown in the diagram.