Solution and technologies
LAN Edge and Security Driven Networking
It is important to remember that Wi-Fi networks exist to service Wi-Fi devices, but those devices vary widely in who owns them and how they should be secured. A campus deployment is defined not just by the large physical size of the network, but by the greater complexity of who and what is using that network. As the network grows in size, security needs usually become more complex, with more categories of end devices. At Fortinet we call this the LAN Edge.
Physically, the LAN Edge is just the access layer, but securing the access layer now has to account for a bewildering mix of devices: enterprise owned, end user owned, guest users, known users, IoT devices with no associated users, etc. Unlike other vendors, Fortinet takes a security-first approach to WLANs (and wired LANs with our FortiSwitch line), which we call Security Driven Networking.
Fortinet's Security-driven Networking strategy tightly integrates an organization's network infrastructure and security architecture, enabling the network to scale and change without compromising security. This next generation approach is essential for effectively defending today's highly dynamic environments—not only by providing consistent enforcement across today's highly flexible perimeters, but also by weaving security deep into the network itself in a Security Fabric.
FortiGate Integrated Wi-Fi controller
A FortiGate is not only an industry leading Next Generation Firewall, but a multi-purpose Security and Networking Appliance (also available as a Virtual Machine) that includes a fully capable Wi-Fi controller. The unification of Wi-Fi controller and cyber security in a single appliance increases and simplifies cyber security for the entire network.
A FortiGate Secure Wireless Controller serves as the central Wi-Fi management system for Campus WLANs and deployed FortiAPs. All WLAN functions can be configured, managed and secured from the same FortiGate browser-based management interface. The FortiGate Wireless Controller supports multiple architectural options, but the default, and recommended in the majority of cases, is that all WLAN traffic is tunneled to the controller and then forwarded/routed from the controller onto the campus network.
With WLAN traffic tunneled to a FortiGate, the instant an SSID (WLAN) is created, it is automatically security isolated from other network traffic without any need to configure and deploy VLANs on the intervening campus switch network. All SSIDs are created as interfaces on the FortiGate, such that all traffic is VLAN/subnet isolated without the need to actually deploy those VLANs or even map to existing VLANs. A single existing subnet serves to carry all management and data traffic to the FortiGate WiFi Controller.
Tunneled data traffic—also known as the Data Plane—can then have all desired and necessary security policies applied before any communication with the rest of the network. Firewall policies, content inspection, anti-virus, role assignments, device identification, and traffic shaping are applied, and all WLAN traffic is inspected. This is the essence of Security Driven Networking.
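The tunneled-SSID model described above, sketched as a FortiOS CLI configuration (an added example, not taken from Fortinet's documentation): a tunnel-mode SSID, its FortiGate interface and subnet, and the firewall policy that inspects its traffic before it reaches the LAN. The names `corp-wifi`, `corp-radius` and `port2`, and all addresses, are constructed assumptions; exact syntax can vary between FortiOS versions.

```fortios
# Constructed example; strip these annotation lines before pasting.
# Assumed names: corp-wifi, corp-radius (pre-existing RADIUS server), port2 (LAN uplink).
config wireless-controller vap
    edit "corp-wifi"
        set ssid "Corp-WiFi"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "corp-radius"
        set local-bridging disable
    next
end
# The SSID now exists as a FortiGate interface; give it its own subnet.
config system interface
    edit "corp-wifi"
        set ip 10.10.50.1 255.255.255.0
    next
end
config system dhcp server
    edit 0
        set interface "corp-wifi"
        set default-gateway 10.10.50.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 10.10.50.10
                set end-ip 10.10.50.200
            next
        end
    next
end
# No traffic leaves the SSID interface until a policy allows it.
config firewall policy
    edit 0
        set name "corp-wifi-to-lan"
        set srcintf "corp-wifi"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTPS"
        set utm-status enable
        set av-profile "default"
        set application-list "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end
```

Because `local-bridging` is disabled, client traffic is tunneled to the FortiGate rather than bridged at the AP, so no VLAN for this SSID has to exist on the campus switches.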
FortiGate Integrated Wi-Fi Controller Key Features
Integration with FortiOS/FortiGate Operating System and Security Fabric - Fortinet's Security Fabric, via the FortiLink tunneling protocol, extends coordinated security policies to the very edge of the wireless network where there are the most vulnerabilities. Maximized end-to-end security, via a true single-pane-of-glass for wireless and security configuration.
Support for Wi-Fi 6 FortiAPs and the latest Wi-Fi standards - In addition to Wi-Fi 6 technology, FortiAPs are equipped with three Wi-Fi radios to enable continuous RF monitoring, including:
- Integrated Bluetooth
- Support for presence analytics
- Band (radio) balancing
- AP balancing
- UTM series FortiAPs support dual 5 GHz settings for advanced channel plans
High Scalability and reliability - Due to Security and Network Processing Units (SPU and NPU) hardware, FortiGates have unmatched scalability and reliability, as well as High Availability support.
Seamless Roaming - With controllers that support more than 4000 APs, all tunneled traffic goes to a single state machine, avoiding complex tunneling through multiple intermediary controllers.
Integrated Guest Access Management - Local FortiGate hosted guest portals, or integration with 3rd party portals, guest/lobby administrator support, and guest email self-registration.
Integrated WIDS - Rogue AP identification and management, and over-the-air attack identification.
Device fingerprinting and FortiLink NAC - Device fingerprinting identifies all client devices by type, operating system, and other factors. FortiLink NAC can then use that information to assign devices to designated VLANs, whether company owned or BYOD or IoT.
Remote troubleshooting - From the management console, easily run spectrum analysis or packet captures from associated APs regardless of location.
Layer 7 application visibility and control - FortiOS Application Control is part of FortiOS, and therefore fully integrated and built into the Wireless LAN controller. Layer-7 deep inspection with over 4,000 application signatures to provide bandwidth guarantees and prioritization of critical applications is fully available.
Automated Channel and power selection - FortiOS DARRP (Distributed Automatic Radio Resource Provisioning) technology optimizes channel selection and AP Tx power. FortiAPs continuously monitor the RF environment for interference, noise, and signals from neighboring APs, and the FortiGate WLAN Controller optimizes the entire campus network.