Acta-8-Anexo-FortiToken-200-Product-Presentation-March2011-Septiembre-19

Fortinet Confidential
FortiToken – Time Based One Time Password
Enabling 2-factor authentication
Stronger Authentication Is Needed
• Confidential data is compromised when users misplace passwords or their identity is stolen
• Remote users and those accessing confidential information should provide multiple forms of identification
• Authentication can be made more robust by requesting two or more forms of credentials
[Figure: factor 1 + factor 2 (token + PIN)]
This is the basic idea behind 2-factor authentication
Time-based Token Authentication
[Figure: login form – Login: Bob / Password: fortinet / Token: 080485; the token code changes every 60 seconds. Labels: Something you know, Something you have, Someone you are]
• Token codes can only be used ONCE
• Shoulder Surfing and Snoop will NOT work
Additional login question
FortiClient, SSL Client and Weblogin have been augmented to request additional token information if the user profile has been configured for 2-factor Authentication.
OS            Version FortiToken Enabled
FortiOS       4.0MR3
FortiClient*  4.0MR3
*On the roadmap for Q2, 2011
A Closer Look at Time Synchronization
[Diagram: the FortiGate and the token each feed the same seed and the same time into the same algorithm and both produce the code 080485 – Same Seed, Same Time]
• The very first time, the token code may not match up with the FortiGate code due to possible clock drift
• FortiGate will ask for a 2nd code to adjust its clock window with the token
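The slide above describes the whole verification loop: same seed and time on both sides, a possible first-time mismatch from clock drift, a second code used to re-learn the clock window, and codes that are only valid once. The Python below is an added illustration of that server-side logic, not Fortinet's code; it assumes the standard RFC 6238 TOTP algorithm (HMAC-SHA1, 60-second step, 6 digits), a constructed seed and timestamps, and a resync window of 20 steps that is my own choice rather than a documented FortiGate value.

```python
import hmac, hashlib, struct

STEP = 60     # slide: token code changes every 60 seconds
DIGITS = 6    # slide: 6-character display

def totp(seed: bytes, t: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), assumed here as the 'same algorithm' on both sides."""
    mac = hmac.new(seed, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class TokenVerifier:
    """Server side as the slide describes it: a small drift window on normal logins,
    a second consecutive code to re-learn the clock offset, and no code reuse."""
    def __init__(self, seed: bytes, window: int = 1, resync_window: int = 20):
        self.seed = seed
        self.window, self.resync_window = window, resync_window   # assumed sizes
        self.offset = 0            # learned token-vs-server drift, in steps
        self.last_counter = -1     # highest step already accepted (single use)

    def _find_step(self, code: str, now: int, span: int):
        base = now // STEP + self.offset
        for d in range(-span, span + 1):
            if hmac.compare_digest(totp(self.seed, (base + d) * STEP), code):
                return base + d
        return None

    def _accept(self, step: int) -> bool:
        if step <= self.last_counter:
            return False           # replay: token codes can only be used ONCE
        self.last_counter = step
        return True

    def verify(self, code: str, now: int) -> bool:
        """Normal login: accept only within +/- window steps of the learned offset."""
        step = self._find_step(code, now, self.window)
        return step is not None and self._accept(step)

    def resync(self, code1: str, code2: str, now: int) -> bool:
        """First code missed: ask for the next code; if the two are adjacent steps
        anywhere in the wider window, adopt that drift. `now` is when code2 is entered."""
        s1 = self._find_step(code1, now, self.resync_window)
        if s1 is None or not hmac.compare_digest(totp(self.seed, (s1 + 1) * STEP), code2):
            return False
        self.offset = s1 + 1 - now // STEP
        return self._accept(s1 + 1)
```

A token running five minutes ahead fails the normal one-step window, passes resync with two consecutive codes, and is then accepted at the learned offset while a replayed code is rejected.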
HA SYNC
[Diagram: FortiGate Primary <-> FortiGate Secondary]
Serial numbers and seed files are automatically synchronized between HA pairs
FortiManager can be used to sync multiple non-HA FortiGates
FortiToken 2-factor Authentication Available for: 
FortiToken Benefits
Feature                                                     Benefit
Positive identification of users                            Authentication ensures security for VPN & Admin access
Compatible with any FortiGate and a 2-factor Authenticator  Fits all customer sizes – a unique Fortinet benefit
Easy to use                                                 Separate box to ask for user login
Investment protection                                       Tokens never expire; your existing FortiGate install base can be upgraded
Flexibility                                                 Works without any additional boxes or changes to authentication infrastructure
FortiToken vs. RSA SecureID
FortiToken-200                   RSA SecureID
Tokens don't expire              SecureID tokens expire
OTP only when button pushed      One-time password always shown
Long battery life                Limited battery life
FortiGate validates token        External ACE server required
Scalable to all customer sizes   Server cost high for certain markets
Affordable token pricing         Expensive tokens
FortiToken – One-time Password Generator
FortiToken-200: time-based one-time password generator
Specifications
Display              6-character LCD screen
Security Processing  Time-based: passwords provided are time-synchronized between the authentication server and the client.
Software Support     Planned with FortiOS v4.3
Power Supply         Lithium battery
Expected Life Span   3-5 years
License cost         Perpetual license for life
Initial Setup
SSL-VPN web login example
1) IT purchases a pool of tokens and enters each token's serial number into the FortiGate GUI or CLI
2) FortiGate validates the serial numbers against FortiGuard Center and securely downloads and stores the seed files in encrypted format
3) In HA mode the token seed and serial numbers are automatically synchronized
[Diagram: steps 1, 2 and 3 – HA Sync (serial # & seed)]
SSL-VPN web login example
4) After the seed files are downloaded, the tokens are activated and ready for assignment to users. IT selects each user that should undergo 2-factor authentication
5) IT selects which one of the 4 services should ask for 2-factor authentication:
1. IPSEC VPN
2. SSL VPN
3. Captive Portal
4. FortiGate Administration
[Diagram: steps 2, 4 and 5]
User Logon Process
SSL-VPN web login example
1) User connects to the SSL-VPN login page and enters username and password
2) FortiGate validates the username and password with the normally configured backend database (Active Directory, LDAP, RADIUS)
[Diagram: steps 1 and 2 – user Bob, password "Password!"]
Scaling FortiToken Management
FortiGate Platform                                                                Maximum # of FortiTokens
FortiGate-50B                                                                     20
FortiGate-60B/C, FortiGate-80C                                                    500
FortiGate-110C/111C, FortiGate-200B, FortiGate-310, FortiGate-620, FortiGate-800  1000
FortiGate-1240, FortiGate-3016B, FortiGate-3040B, FortiGate-3600A                 5000
FortiGate-3810, FortiGate-3950, FortiGate-5001A/5001B                             5000
For the complete list of supported platforms, please visit the Maximum Values Matrix:
http://docs.fortinet.com/FortiGate-t/handbook/FortiGate-max-values-40-mr2.pdf
http://docs.fortinet.com/fgt/handbook/fortigate-max-values-40-mr2.pdf
Thank you!