FORTINAC AND THE FORTINET SECURITY FABRIC

EXECUTIVE SUMMARY
Outdated endpoint access security solutions leave mobile and Internet of Things (IoT) HIGHLIGHTS
devices vulnerable to targeted attacks that can put the entire network at risk.
nnComprehensive network visibility
To protect valuable data, organizations need next-generation network access control
(NAC). As part of the Fortinet Security Fabric, FortiNAC provides comprehensive nnProfiles
and classifies all devices
device visibility, enforces dynamic controls, and orchestrates automated threat and users
responses that reduce containment time from days to seconds. It enables policy-
nnProvides policy-based access
based network segmentation for controlling access to sensitive information.
controls

THE NEED FOR THIRD-GENERATION NAC nnExtends dynamic segmentation

Enterprise networks are undergoing dramatic change through the widespread adoption to third-party devices
of bring-your-own-device (BYOD) policies, loT, and multi-cloud technologies. When this nnOrchestrates automated threat
is coupled with a highly mobile workforce and geographically dispersed data centers, responses
the security challenges multiply. With endpoint devices remaining a top attack target,
nnContains potential threats in seconds
organizations must address the outdated access controls that leave their networks
exposed to undue risk. nnSimplifies
guest access and
The first generation of NAC solutions authenticated and authorized endpoints (primarily onboarding
managed PCs) using simple scan-and-block technologies. Second-generation NAC
nnLow TCO—maximizes existing
products solved the emerging demand for guest network access—visitors, contractors,
security investments
and partners.
But securing dynamic and distributed environments now requires security and networking
that share intelligence and collaborate to detect and respond to threats. As part of the
Fortinet Security Fabric architecture, FortiNAC offers a third-generation NAC solution
that leverages the built-in commands of network switches, routers, and access points to
establish a live inventory of network connections and enforce control over network access.
FortiNAC identifies, validates, and controls every connection before granting access.

COMPREHENSIVE DEVICE AND USER VISIBILITY

As a result of BYOD and IoT proliferation, security teams must now protect countless
devices that aren’t owned, managed, or updated by corporate IT. FortiNAC addresses this
challenge in a couple of different ways. First, it enables detailed profiling of even headless
devices using multiple information and behavior sources to accurately identify everything
on the network. Comprehensive agentless scanning automatically discovers endpoints,
classifies them by type, and determines if the device is corporate-issued or employee-
owned. Second, the user is also identified in order to apply additional role-based policies.

SOLUTION BRIEF
SOLUTION BRIEF: FORTINAC AND THE FORTINET SECURITY FABRIC

DYNAMIC NETWORK CONTROL HOW IT WORKS

Once devices and users are identified, FortiNAC assigns the As an integrated Security Fabric solution, FortiNAC helps to provide
appropriate level of access while restricting use of non-related additional layers of protection against device-borne threats. For
content. This dynamic, role-based system logically creates detailed example, if a customer is using FortiSIEM, FortiNAC provides
network segments by grouping applications and like data together complete visibility and policy-based control for network, mobile, and
to limit access to specific groups of users. In this manner, if a device IoT devices, while FortiSIEM provides the security intelligence.
is compromised, its ability to travel in the network and attack other FortiNAC offers complete visibility into all of these devices, gathers
assets will be limited. Security Fabric integration allows FortiNAC the alerts, and provides the contextual information—the who, what,
to implement segmentation policies and change configurations on where, and when for the events. This increases the fidelity of the
switches and wireless products, including solutions from more than alerts and enables accurate triage.
70 different vendors.
FortiNAC sends the event to FortiSIEM to ingest the alert, then
FortiNAC also streamlines the secure registration process of guest FortiSIEM directs FortiNAC to restrict or quarantine the device if
users while keeping them safely away from any parts of the network necessary. FortiSIEM and FortiNAC communicate back and forth to
containing sensitive data. When appropriate, users can self-register compile all relevant information and deliver it to a security analyst.
their own devices (laptops, tablets, or smartphones), shifting the
workload away from IT staff.

AUTOMATED RESPONSIVENESS
Automation is the “holy grail” of an integrated security architecture.
Policy-based automated security actions help Security Fabric
solutions share real-time intelligence to contain potential threats
before they can spread. FortiNAC offers a broad and customizable
set of automation policies that can instantly trigger containment
settings in other Security Fabric elements such as FortiGate,
FortiSwitch, or FortiAP when a targeted behavior is observed.
This extends to all Fabric-integrated products, including
third-party solutions.
Potential threats are contained by isolating suspect users and
vulnerable devices, or by enforcing a range of responsive actions.
This in turn reduces containment times from days to seconds—
while helping to maintain compliance with increasingly strict
standards, regulations, and privacy laws.

GLOBAL HEADQUARTERS EMEA SALES OFFICE APAC SALES OFFICE LATIN AMERICA HEADQUARTERS
Fortinet Inc. 905 rue Albert Einstein 8 Temasek Boulevard #12-01 Sawgrass Lakes Center
899 Kifer Road 06560 Valbonne Suntec Tower Three 13450 W. Sunrise Blvd., Suite 430
Sunnyvale, CA 94086 France Singapore 038988 Sunrise, FL 33323
United States Tel: +33.4.8987.0500 Tel: +65-6395-7899 Tel: +1.954.368.9990
Tel: +1.408.235.7700 Fax: +65-6295-0015
www.fortinet.com/sales

Copyright © 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law
trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other
results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied,
except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in
such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal
lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable. August 31, 2018 12:32 PM
Macintosh HD:Users:bhoulihan:Documents:_Projects:Solution Brief:Solution Brief - FortiNAC:sb-fortiNAC:sb-fortiNAC