Fortinet Confidential

FortiToken – Time Based One Time Password
Enabling 2-factor authentication

Stronger Authentication Is Needed
•Confidential data is compromised when users misplace passwords or their identity is stolen
•Remote users and those accessing confidential information should provide multiple forms of identification
•Authentication can be made more robust by requesting two or more forms of credentials
Diagram: factor 1 + factor 2 (PIN). This is the basic idea behind 2-factor authentication.

Time-based Token Authentication
Login: Bob
Password: fortinet (something you know)
Token: 080485 (something you have)
Token code: changes every 60 seconds
•Token codes can only be used ONCE
•Shoulder surfing and snooping will NOT work
(Third factor, shown for reference: someone you are)

Additional login question
FortiClient, SSL Client and Weblogin have been augmented to request additional token information if the user profile has been configured for 2-factor authentication.
OS Version | FortiToken Enabled
FortiOS | 4.0MR3
FortiClient* | 4.0MR3
*On the roadmap for Q2, 2011

A Closer Look at Time Synchronization
Diagram: Token: Seed + Time -> Algorithm -> 080485; FortiGate: Seed + Time -> Algorithm -> 080485. Same seed, same time.
•The very first time, the token code may not match up with the FortiGate code due to possible clock drift
•FortiGate will ask for a 2nd code to adjust its clock window to the token

HA Sync
Diagram: FortiGate Primary <-> FortiGate Secondary
Serial numbers and seed files are automatically synchronized between HA pairs
FortiManager can be used to sync multiple non-HA FortiGates

FortiToken 2-factor Authentication
Available for:

FortiToken Benefits
Feature | Benefit
Positive identification of users | Authentication ensures security for VPN & Admin access
Compatible with any FortiGate and a 2-factor Authenticator | Fits all customer sizes – a unique Fortinet benefit
Easy to use | Separate box to ask for user login
Tokens never expire | Investment protection: your existing FortiGate install base can be upgraded
Flexibility | Works without any additional boxes or changes to authentication infrastructure

FortiToken vs. RSA SecurID
FortiToken-200 | RSA SecurID
Tokens don't expire | SecurID tokens expire
OTP only when button pushed | One-time password always shown
Long battery life | Limited battery life
FortiGate validates token | External ACE server required
Scalable to all customer sizes | Server cost high for certain markets
Affordable token pricing | Expensive tokens

FortiToken – One-time Password Generator
FortiToken-200: time-based one-time password generator
Specifications
Display | 6-character LCD screen
Security Processing | Time-based: passwords provided are time-synchronized between the authentication server and the client
Software Support | Planned with FortiOS v4.3
Power Supply | Lithium battery
Expected Life Span | 3-5 years
License cost | Perpetual license for life

Initial Setup (SSL-VPN web login example)
1) IT purchases a pool of tokens and enters each token's serial number into the FortiGate GUI or CLI
2) FortiGate validates the serial numbers against FortiGuard Center and securely downloads and stores the seed files in encrypted format
3) In HA mode the token seeds and serial numbers are automatically synchronized (HA Sync: serial # & seed)
4) After the seed files download, the tokens are activated and ready for assignment to users. IT selects each user that should undergo 2-factor authentication
5) IT selects which of the 4 services should ask for 2-factor authentication:
   1. IPSEC VPN
   2. SSL VPN
   3. Captive Portal
   4. FortiGate Administration

User Logon Process (SSL-VPN web login example)
1) User connects to the SSL-VPN login page and enters username and password (Bob / Password!)
2) FortiGate validates the username and password with the normally configured backend database: Active Directory, LDAP, RADIUS

Scaling FortiToken Management
For the complete list of supported platforms, please visit the Maximum Values Matrix: http://docs.fortinet.com/fgt/handbook/fortigate-max-values-40-mr2.pdf
FortiGate Platform | Maximum # of FortiTokens
FortiGate-50B | 20
FortiGate-60B/C, FortiGate-80C | 500
FortiGate-110C/111C, FortiGate-200B, FortiGate-310, FortiGate-620, FortiGate-800 | 1000
FortiGate-1240, FortiGate-3016B, FortiGate-3040B, FortiGate-3600A | 5000
FortiGate-3810, FortiGate-3950, FortiGate-5001A/5001B | 5000

Thank you!
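The seed-plus-time mechanism from the "A Closer Look at Time Synchronization" slide, together with the single-use and clock-drift rules, as an added Python example that is not part of the original deck and not Fortinet's code. It assumes a standard RFC 6238 TOTP (HMAC-SHA1, 6 digits, 60-second step) and a constructed demo seed; the slides do not state FortiToken's actual algorithm or resync procedure, so `totp`, `TokenVerifier`, `verify` and `resync` are illustrative names.

```python
import hashlib
import hmac
import struct

STEP = 60    # slide: "Token code changes every 60 seconds"
DIGITS = 6   # slide: 6-character LCD display

# Constructed demo seed; a real seed is the per-token secret downloaded from FortiGuard.
DEMO_SEED = b"constructed-demo-seed-not-a-real-token"


def totp(seed: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 code (assumed algorithm) for the time step that contains unix_time."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server side: same seed, same time. Tolerates drift and enforces single use."""

    def __init__(self, seed: bytes, window: int = 1):
        self.seed = seed
        self.window = window       # accepted drift, in steps, on either side of server time
        self.drift = 0             # learned offset (steps) between token clock and server clock
        self.last_counter = -1     # highest time step already consumed: each code is usable ONCE

    def verify(self, code: str, now: int) -> bool:
        base = now // STEP + self.drift
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue           # replay of a consumed (or older) step: a seen code is useless
            if hmac.compare_digest(totp(self.seed, counter * STEP), code):
                self.last_counter = counter
                return True
        return False

    def resync(self, code1: str, code2: str, now: int, search: int = 10) -> bool:
        """First-login drift adjustment: two consecutive codes pin the token's clock."""
        base = now // STEP
        for delta in range(-search, search + 1):
            c = base + delta
            if totp(self.seed, c * STEP) == code1 and totp(self.seed, (c + 1) * STEP) == code2:
                self.drift = delta          # token clock is `delta` steps off the server clock
                self.last_counter = c + 1   # both codes are now consumed
                return True
        return False
```

The `last_counter` bookkeeping is what makes a shoulder-surfed code worthless after its first use, and `resync` is one way a server can widen its clock window from a second code rather than rejecting a drifted token outright.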