
FortiMail

Secure Email Gateway


Adhitio Ardiyanto – System Engineer

Updated for FortiMail 6.0


© Copyright Fortinet Inc. All rights reserved.
Email is *the* critical threat vector
Email Based Threats

Malware
• Targets unskilled users therefore often volumetric attacks
• Use of social engineering techniques to get users to open email and execute malware
• Some zero day, mostly a numbers game
• 92.4% of malware is delivered via the email vector*
• 4% users click on malicious attachments or links in such mails*

Phishing
• Targets an interest group, organization or individuals (spear phishing) within the organization
• Customised content based on user interests or role
• Often targeted at C-levels (whaling)
• Zero day malware or social engineering to divulge financial or credential information

Compliance & Data Loss
• Sending of Personally Identifiable Information (PII) via Email
• Sending of corporate confidential information out of the organization
• Corporate espionage
• Failure to encrypt sensitive emails
• Failure to backup/save/archive emails to comply with corporate standards
  • IRS – 7 years
  • PCI – 1 year
  • State depts – 3 years
  • HIPAA – 6 years

* Source: Verizon 2018 Data Breach Investigations Report
It is just email. What’s the problem?

Lack of email security and management can lead to direct financial impact through fraud or indirect impact
through regulatory fines and negative PR.
Protection from Email-based Threats

Primary Challenges
 Email common entry point for attackers
» Spam, attachments, phishing
» Targeted attacks
 Compliance, privacy and data control
 Users are major contributing factor to risk

Solution: FortiMail Email Security
 Inbound and outbound threat protection
 Data loss prevention and encryption
 FortiSandbox integration

Advantages
 42 consecutive VBSpam awards
 44 VB100 awards
 Highest performance in industry

[Diagram: FortiMail placed in front of the Email Server, backed by FortiGuard and FortiSandbox services]
FortiMail Overview

 Consolidated email security platform to prevent threats and data loss in a single high performance appliance
» Top-rated threat prevention
» Integrated data loss protection and encryption
» Enterprise class/service provider management
» Advanced threat prevention integration with FortiSandbox
» FortiGuard Labs security services
» High performance physical and virtual appliances as well as cloud services
» Appliance based licensing rather than per mailbox*
» Advanced features such as IBE, DLP and archiving included in base license

[Figure: Independent Validation logos]

* FortiMail Cloud is licensed per mailbox
Top-rated Traditional and Advanced Threat Prevention

Anti-Spam/Anti-Phishing

 Cloud-based Reputation Databases
» FortiGuard Anti-Spam and IP Reputation
» FortiGuard URL Filtering (Phishing, Malware, Newly Registered)
» FortiGuard IP Reputation including Botnets
 Outbreak Protection
» Real-time data analytics on every request
 Advanced Filtering Techniques
» Deep Header Analysis
» Dynamic Heuristics
» Behavior Analysis
» Sender Reputation
» BEC & Impersonation detection
» Suspicious Newsletter
» DKIM / SPF / DMARC
» Newsletter (greymail) detection

Advanced Threat Prevention

 Anti-Malware
» One-to-many signature matching (CPRL)
» Heuristic detection
» Code emulation & Behavioural analysis
 Outbreak Protection
» Real-time data analytics on every request
» Pre-signature hashes
 Content Disarm & Reconstruction
» Strip active HTML content and attachments from emails
» Deliver neutralized version and forward original to archive
 Decrypt Archives, PDFs and Office Docs
» Password list and body passwords
 Sandboxing
» Physical/virtual appliance, public/hosted cloud service
» Analyzes attachments and URLs
» Generates and distributes intelligence in real-time
Behavior-based Detection of the Unknown
“99% of malware hashes are seen for only 58 seconds or less. This reflects how quickly
hackers are modifying their code to avoid detection.” *

[Figure: Threat Continuum running from Known Good through Probably Good, Might be Good, Completely Unknown, Somewhat Suspicious and Very Suspicious to Known Bad, with the security technologies applied along it: Domain Safelists, User Safelists, Sender Reputation, Newsletter Detection, Suspicious Newsletter, DKIM / SPF / DMARC, Header Analysis, Heuristics, FortiSandbox, Outbreak Protection, Greyware Scanning, Behavioral Analysis, Impersonation Analysis, URI Click Protection, Content Disarm & Reconstruct, FortiGuard Antivirus, FortiGuard Anti-Spam, FortiGuard URL Filtering, FortiGuard IP Reputation]
Feature Details
Key Features
Anti-Spam/Anti-Phishing

 FortiGuard Reputation Databases
» Cloud database query to identify known spam IP and content
» FortiGuard Antivirus, Outbreak, Anti-Spam and URL Filtering
 FortiGuard IP Reputation including Botnets
» Removes volumetric spam at low cost
 Advanced Filtering Techniques
» Detects new spam and phishing campaigns using a variety of techniques
» Header Analysis
» Dynamic Heuristics
» Behavior Analysis
» Sender Reputation
» Suspicious Newsletter
» DKIM / SPF / DMARC
» Greyware Scanning

 Targeted Attack Protection
» URI Click Protection
» Business Email Compromise - Impersonation Analysis
Key Features
Anti-Malware

 FortiGuard Anti-Virus (On-box)
» One-to-many signature matching (CPRL)
» Heuristic detection
» Code emulation & Behavioural analysis

 Malware Outbreak Protection (Cloud based)
» Real-time data analytics on every request to the FortiGuard network to identify 0-day threat outbreaks in minutes

 Virus Outbreak Protection (Cloud based)

 Active Threat Neutralization
» Strip active HTML content and attachments from emails to neutralize potential threats

 Decrypt Archives and PDFs
» Password list and body passwords

[Diagram: anti-malware pipeline. A File Sample passes through the Decryption/unpacker System, Signature Match (CPRL/Checksum), Code Emulation, Behavioral Analysis, Virus Outbreak detection and Malware Outbreak detection; FortiMail then takes action based on profiles: file discarded, option to Quarantine, and event logged.]
Key Features
Defending Against Emerging Threats

 FortiGuard Virus & Spam Outbreak Protection
» FortiGuard data analytics sees millions of emails per hour from thousands of devices and is able to identify new spam and malware threats in minutes.
» Suspicious attachments detected in known spam are blocked until full evaluation by FortiGuard Labs.
» Cyberthreat Alliance, FortiSandbox Cloud Collaboration, FortiGuard Pre-Signature hashes

 Behavioural Analysis
» Machine learning engine based on previous detections
» Is behaviour similar to recent signature based detections? If it walks like a duck…….
Key Features
Targeted Attack Prevention

 Content Disarm & Reconstruction
» Select URI category to strip when disarming HTML
» Select a URL filter to selectively disarm URLs in CDR
» Remove macros, neutralize URLs, remove embedded content

 Password Decrypt Office Docs
» Password decryption of archives, PDF and Office documents
» Passwords automatically identified
 Common password list
 Admin defined password list
 Detect passwords in email body
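The "passwords automatically identified" bullets above describe a scanner-side technique: before an encrypted attachment can be inspected, the gateway collects candidate passwords from the message body, an admin-defined list and a common list, then tries them in that order. The following is an added illustration written for this page, not FortiMail code; the two word lists, the body-parsing patterns and the sample message are constructed stand-ins for whatever a real deployment would configure.

```python
"""Harvest candidate passwords for an encrypted attachment and try them for scanning.

Added example, not FortiMail's implementation.  Constructed assumptions: the
common and admin lists, the body patterns and the sample message below.
"""
import io
import re
import zipfile
import zlib

# Constructed stand-ins for the gateway's common and admin-defined password lists.
COMMON_PASSWORDS = ["infected", "123456", "password"]
ADMIN_PASSWORDS = ["Q1-report", "acme2019"]

# Phrases that typically introduce a password in a message body (constructed heuristics).
_BODY_PATTERNS = [
    re.compile(r"\bpassword(?:\s+is|\s*[:=])\s*[\"']?([^\s\"'<>]+)", re.I),
    re.compile(r"\bpwd\s*[:=]\s*[\"']?([^\s\"'<>]+)", re.I),
    re.compile(r"\bpasscode\s*[:=]\s*[\"']?([^\s\"'<>]+)", re.I),
]


def passwords_from_body(body):
    """Return passwords quoted in the body, in order of appearance, trailing punctuation removed."""
    found = []
    for pat in _BODY_PATTERNS:
        for m in pat.finditer(body):
            pw = m.group(1).rstrip(".,;!)")
            if pw and pw not in found:
                found.append(pw)
    return found


def candidate_passwords(body):
    """Body passwords first (most likely to fit), then the admin list, then the common list."""
    ordered = []
    for pw in passwords_from_body(body) + ADMIN_PASSWORDS + COMMON_PASSWORDS:
        if pw not in ordered:
            ordered.append(pw)
    return ordered


def is_encrypted_zip(data):
    """True if any member carries the encryption flag (bit 0 of the general purpose flags)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


def open_for_scanning(data, candidates):
    """Try each candidate password on the archive.

    Returns (status, password): 'clear' (not encrypted, scan as-is), 'decrypted'
    (a candidate worked) or 'locked' (nothing worked; a gateway would treat the
    attachment as unscannable and apply its policy for that case).
    """
    if not is_encrypted_zip(data):
        return ("clear", None)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for pw in candidates:
            try:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:
                        with zf.open(info, pwd=pw.encode()) as member:
                            member.read()   # full read so the CRC check also runs
                return ("decrypted", pw)
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                continue                    # wrong password for this archive
    return ("locked", None)


# Constructed sample message and an (unencrypted) archive built in memory.
SAMPLE_BODY = "Hi, the Q1 figures are attached. The password is Q1-report.\nRegards"


def _build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("figures.csv", "quarter,revenue\nQ1,100\n")
    return buf.getvalue()


SAMPLE_ZIP = _build_sample_zip()
```

Ordering matters for cost: body-quoted passwords are tried before the lists because they are the ones the sender intended the recipient to use. The sample archive is unencrypted because the standard library cannot write ZipCrypto archives; against a real password-protected attachment the same function returns `("decrypted", pw)` or `("locked", None)`.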
Key Features
Targeted Attack Prevention

 URI Click Protection
» Rewrite URLs to point at FortiMail
» FortiMail rescans when links are clicked to detect status change since first rating
» Extends security to the desktop
» FortiMail continues to add value with Outbreak Protection feature license
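The two mechanics behind URI click protection are a delivery-time rewrite that points every link at the gateway, and a click-time re-rating of the original URL so a link that was clean when delivered but is rated malicious later is blocked at the moment the user follows it. The block below is an added example written for this page, not FortiMail's implementation: the click endpoint host, the signing key and the in-memory rating table are constructed stand-ins for the gateway and its URL filtering service. The rewritten link carries an HMAC over recipient and target so a click link cannot be re-pointed at a different URL.

```python
"""Time-of-click URL protection: rewrite links at delivery, re-rate at click time.

Added example, not FortiMail's implementation.  Constructed assumptions: the
click endpoint host, the signing key and the in-memory rating table.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

CLICK_ENDPOINT = "https://mail-gw.example.invalid/click"   # hypothetical gateway host
SIGNING_KEY = b"constructed-key-rotate-per-deployment"     # constructed, not a real key

# Constructed rating source.  Ratings change after delivery, which is why the
# gateway re-checks at click time instead of trusting the delivery-time scan.
_URL_RATINGS = {"https://docs.example.test/report.pdf": "clean"}


def update_rating(url, verdict):
    """Stand-in for the filtering service learning something new about a URL."""
    _URL_RATINGS[url] = verdict


def _sign(url, rcpt):
    # Bind the token to recipient and target so a click link cannot be re-pointed.
    return hmac.new(SIGNING_KEY, f"{rcpt}|{url}".encode(), hashlib.sha256).hexdigest()


def rewrite_url(url, rcpt):
    """Replace a link with a gateway link carrying the original URL and its MAC."""
    return CLICK_ENDPOINT + "?" + urlencode({"u": url, "r": rcpt, "s": _sign(url, rcpt)})


_LINK_RE = re.compile(r"https?://[^\s<>\"']+")


def rewrite_body(body, rcpt):
    """Rewrite every http(s) link in a plain-text body for one recipient."""
    return _LINK_RE.sub(lambda m: rewrite_url(m.group(0), rcpt), body)


def handle_click(click_url):
    """Called when the user clicks: verify the MAC, re-rate the target, redirect or block."""
    q = parse_qs(urlparse(click_url).query)
    try:
        url, rcpt, sig = q["u"][0], q["r"][0], q["s"][0]
    except KeyError:
        return ("reject", None)
    if not hmac.compare_digest(sig, _sign(url, rcpt)):
        return ("reject", None)                  # forged or tampered click link
    verdict = _URL_RATINGS.get(url, "unknown")   # fresh lookup, not the delivery-time one
    if verdict == "clean":
        return ("redirect", url)
    return ("block", url)                        # serve a block page instead of the link


# Constructed sample: one recipient, one link.
RECIPIENT = "alice@example.test"
SAMPLE_BODY = "Please review https://docs.example.test/report.pdf before Friday"


def click_sequence():
    """Deliver, click while clean, click after the rating changed, click a tampered link."""
    link = rewrite_body(SAMPLE_BODY, RECIPIENT).split()[2]
    before = handle_click(link)
    update_rating("https://docs.example.test/report.pdf", "phishing")
    after = handle_click(link)
    tampered = handle_click(link.replace("r=alice", "r=mallory"))
    return before, after, tampered
```

`click_sequence()` walks the three cases the slide implies: the same rewritten link redirects while the rating is clean, blocks once the rating has changed, and is rejected outright if someone edits the recipient or target, because the MAC no longer verifies.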
Key Features
Management

 FortiView
» User and threat real time statistics

 Log Search Enhancements
» Search logs from Mail Queues and Quarantine
» Message Tracking view
» Cross search across all logs
» Millisecond log resolution
» Logs display in correct order in message tracking search
» Added "Session ID" field in Mail Queue and System Quarantine for cross search
Key Features
FortiMail is Core to Fortinet’s Advanced Threat Protection Framework

Known Threats (FortiGate, FortiMail & everything that can enforce a security policy)
• Reduce Attack Surface
• Inspect & Block Known Threats
Hand off: High risk items

Unknown Threats (FortiSandbox & everything that analyzes behavior)
• Identify Unknown Threats
• Assess Behavior & Identify Trends
Hand off to Response

Response (FortiGuard teams and automation)
• Identify scope
• Mitigate impact
Hand off: Security Ratings updates & results

FortiMail actively mitigates threats by queuing emails whilst waiting for a FortiSandbox result
Key Features
FortiSandbox Threat Analysis *

 On-Premise and Cloud options
» FortiSandbox Cloud included in Enterprise ATP Bundle

 FortiMail queues email and submits files and URLs to FortiSandbox for analysis
» AV Pre-filtering
» Cloud results lookup - is sample already known bad
» Analyze objects in a virtual sandbox environment
» Callback detection – does sample try to call home for instructions
» Assign and return a rating for the submission
» FortiMail maintains a cache of FortiSandbox results

[Diagram: a targeted email reaches FortiMail; (1) Email queued; (2) Attachment/URL sent to FortiSandbox; (3) Object analyzed in Sandbox environment; (4) Risk rating returned, message handled by policy]

* Optional but a core part of an ATP solution
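The four-step flow above (queue, submit, analyze, rate and apply policy) together with the AV pre-filter and the result cache make up a hold-and-scan pipeline. The following is an added example written for this page, not FortiMail or FortiSandbox code; the rating names, the policy table, the tiny signature set and the in-process sandbox stub are constructed assumptions that stand in for the real services. It shows why the cache matters: a second message carrying an already-rated object is held and released on the cached rating without another submission.

```python
"""Hold-and-scan flow for sandbox-assisted mail filtering.

Added example, not FortiMail or FortiSandbox code.  Constructed assumptions: the
rating names, the policy table, the AV signature set and the sandbox stub.
"""
import hashlib
from collections import deque

SEVERITY = ["clean", "low_risk", "medium_risk", "high_risk", "malicious"]

# Constructed policy: action applied to a message for its worst attachment rating.
POLICY = {"clean": "deliver", "low_risk": "deliver", "medium_risk": "quarantine",
          "high_risk": "quarantine", "malicious": "discard"}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed local AV signature set used as the pre-filter (object hash -> name).
AV_SIGNATURES = {sha256(b"CONSTRUCTED-KNOWN-BAD-SAMPLE"): "Constructed.TestSig"}


class StubSandbox:
    """Stand-in for the sandbox service: returns a preset rating per object hash."""

    def __init__(self, verdicts):
        self.verdicts = verdicts
        self.submitted = []          # lets the caller see how often we really submitted

    def submit(self, data):
        job_id = sha256(data)        # job id doubles as the object hash
        self.submitted.append(job_id)
        return job_id

    def result(self, job_id):
        return self.verdicts.get(job_id, "clean")


class Gateway:
    def __init__(self, sandbox):
        self.sandbox = sandbox
        self.cache = {}              # object hash -> rating (result cache)
        self.held = deque()          # messages waiting on sandbox results
        self.events = []

    def receive(self, msg):
        """Steps (1)-(2): pre-filter, consult the cache, hold the message, submit unknowns."""
        jobs = []
        for name, data in msg["attachments"]:
            h = sha256(data)
            if h in AV_SIGNATURES:                      # known bad: no need to sandbox
                self.events.append(("av_match", msg["id"], name, AV_SIGNATURES[h]))
                return "discard"
            if h in self.cache:                         # rated earlier: reuse the result
                self.events.append(("cache_hit", msg["id"], name, self.cache[h]))
                continue
            jobs.append(self.sandbox.submit(data))
        self.held.append((msg, jobs))
        return "held"

    def release(self):
        """Steps (3)-(4): collect ratings, cache them, apply policy to each held message."""
        actions = []
        while self.held:
            msg, jobs = self.held.popleft()
            for job in jobs:
                self.cache[job] = self.sandbox.result(job)
            ratings = [self.cache.get(sha256(d), "clean") for _, d in msg["attachments"]]
            worst = max(ratings, key=SEVERITY.index, default="clean")
            actions.append((msg["id"], POLICY[worst]))
        return actions


# Constructed messages; the sandbox stub rates the macro document as high risk.
MACRO_DOC = b"constructed bytes standing in for a macro-bearing document"
MESSAGES = [
    {"id": "m1", "attachments": [("invoice.doc", MACRO_DOC)]},
    {"id": "m2", "attachments": [("invoice.doc", MACRO_DOC)]},     # same object again
    {"id": "m3", "attachments": [("notes.txt", b"plain text")]},
    {"id": "m4", "attachments": [("bad.exe", b"CONSTRUCTED-KNOWN-BAD-SAMPLE")]},
]


def run_demo():
    """First message goes through the sandbox; the rest exercise cache and AV pre-filter."""
    sandbox = StubSandbox({sha256(MACRO_DOC): "high_risk"})
    gw = Gateway(sandbox)
    first = gw.receive(MESSAGES[0])
    first_actions = gw.release()
    rest = [gw.receive(m) for m in MESSAGES[1:]]
    rest_actions = gw.release()
    return first, first_actions, rest, rest_actions, len(sandbox.submitted)
```

In `run_demo()` only two objects are ever submitted: the macro document once and the text file once. The repeat of the macro document is a cache hit and is still quarantined, and the message matching the local AV signature is discarded without being held at all.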
Key Features
Data Protection and Compliance

 Data Loss Prevention
» Preset HIPAA, GLBA, SOX, PCI dictionaries for easy compliance policy creation
» File fingerprinting via manual upload and Windows Fileshare scanning
» Smart identifiers for high accuracy
 TLS & S/MIME Encryption
 Identity Based Encryption
» No additional license required
» No encryption key exchange, minimal key management
 Per Mailbox Policy-based Archiving
» Sender/recipient, Subject/body/attachment filename keywords
» Archive to remote system
» Microsoft Exchange Journal Archiving
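The difference between a compliance dictionary and a "smart identifier" is that the dictionary matches words, while the identifier validates the structure of the data itself, which is what keeps the false-positive rate down. The block below is an added example written for this page, not FortiMail's DLP engine: the two tiny dictionaries and the single identifier (card-length digit runs checked with the Luhn algorithm) are constructed stand-ins for the preset dictionaries and identifiers the slide lists. The sample message contains a Luhn-valid test card number and a same-length order reference that fails the check.

```python
"""Smart identifiers and compliance dictionaries for outbound DLP.

Added example, not FortiMail's DLP engine.  Constructed assumptions: the
dictionaries, the single smart identifier and the sample message below.
"""
import re

# Constructed, deliberately small stand-ins for the preset compliance dictionaries.
DICTIONARIES = {
    "PCI": ["card number", "cvv", "expiry"],
    "HIPAA": ["patient", "diagnosis", "medical record"],
}

# 13 to 19 digits, optionally separated by spaces or hyphens.
_CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_card_numbers(text):
    """Smart identifier: digit runs of card length that also pass Luhn."""
    hits = []
    for m in _CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits) and digits not in hits:
            hits.append(digits)
    return hits


def mask(pan):
    """Keep only the last four digits in logs and alerts."""
    return "*" * (len(pan) - 4) + pan[-4:]


def dictionary_hits(text):
    low = text.lower()
    return {name: [t for t in terms if t in low] for name, terms in DICTIONARIES.items()}


def dlp_scan(text):
    """Return what an outbound policy would act on: identifiers plus dictionary matches."""
    cards = find_card_numbers(text)
    dicts = {k: v for k, v in dictionary_hits(text).items() if v}
    verdict = "block" if cards else ("review" if dicts else "allow")
    return {"verdict": verdict, "cards": [mask(c) for c in cards], "dictionaries": dicts}


# Constructed sample: a well-known test card number plus a look-alike order reference.
SAMPLE_MESSAGE = ("Hi, card number 4111 1111 1111 1111, expiry 12/25. "
                  "Unrelated order ref 1234 5678 9012 3456.")
```

Running `dlp_scan(SAMPLE_MESSAGE)` flags the card number and the two PCI dictionary terms but ignores the order reference, which has the right length and grouping yet fails Luhn; a keyword-only rule would have had to choose between missing the card or flagging every sixteen-digit reference.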
Key Features
Data Protection and Compliance

 Dynamic Adult Image Analysis
» 2.5 billion emails per day contain pornographic content (8% of total emails) *
» 70% of employees admit to viewing or sending adult-oriented personal e-mail at work. *
» New service detects adult content in images using various patented techniques allowing blocking or logging.

 Protect Brand and Company Reputation
» Provide a duty of care to your employees, prevent hostile working environments and avoid sexual harassment lawsuits
» Stop offensive content from being archived

* Source: NFO Worldwide
Key Features
Quarantine, End User Digest, Junkmail/Newsletter Folders

 Central quarantine
» Easy administration
» Can be consolidated across devices

 Self-service personal quarantine digest
» Sender and subject
» Release or delete links

 Automatic tagging and delivery

 Newsletter and junk categories
» Client filters to appropriate folder
Key Features
Testing & Certification

 Independent Testing
» ICSA – Advanced Threat Defense
» NSS – Breach Prevention Systems
» Gartner – SEG Market Report

 Certification
» FIPS 140-2
» NDcPP
Deployment Options
Flexible Deployment Options

[Figure: Wide range of appliances; Virtual Appliances; Public Cloud; FortiMail Cloud (SaaS)]
Deployment Options
Multiple Deployment Scenarios

Gateway Mode
• Most common deployment scenario
• Mail is delivered to FortiMail, scrubbed of threats and forwarded to destination mailserver

Transparent Mode
• Deployed as a bump in the wire. No configuration changes required to the email infrastructure.
• Commonly utilised in the ISP and Carrier environment.

Server Mode
• FortiMail acts as a full mailserver providing POP3, IMAP, Webmail and calendaring in addition to security functions.
Deployment Options
High Availability and Scalability Options

Active-Passive Cluster
• Two devices, full failover protection
• Heartbeat and Service Monitoring
• Full mailbox, archive, quarantine, log and queue synchronization

Config Only HA
• Linear scalability suitable for the largest ISPs and Carriers
• Centralized quarantine, management and IBE
• Enables DR and geographic redundancy
• Load balanced option using FortiADC or third party load balancer
Deployment Options
The move to Office365

 Office365 is a compelling argument
» Microsoft have made the move to Office365 a compelling story – simplicity, low TCO, OPEX costs only……
» Built in anti-malware and anti-spam not always adequate….. Even with Exchange Online Protection.
» Encryption and DLP features in Office 365 are lacking

 Solution
» FortiMail can be deployed alongside Office 365 in the Microsoft Azure Cloud for enhanced security and content protection.
Deployment Options
Bundle Licensing

 Multiple Bundle options

Base Bundle (@ 50% HW list)
- 24x7 FortiCare Support
- FortiGuard AV
- FortiGuard AS
- FortiGuard Virus Outbreak Protection
- Identity Based Encryption
- Data Loss Prevention
- Archiving

Enterprise ATP Bundle (@ 80% HW list)
- 24x7 FortiCare Support
- FortiGuard AV
- FortiGuard AS
- FortiGuard Virus Outbreak Protection
- Identity Based Encryption
- Data Loss Prevention
- Archiving
- FortiCloud Sandbox
- Content Disarm and Reconstruction (CDR)
- Time of Click Protection
- Business Email Compromise – Impersonation Detection
Product Line

[Figure: product line positioned by Performance & Scalability. Physical appliances: FML-60D, FML-200E, FML-400E, FML-1000D, FML-2000E, FML-3000E, FML-3200E. Virtual appliances: FML-VM00, FML-VM01, FML-VM02, FML-VM04, FML-VM08, FML-VM16, FML-VM32. Cloud: FML Cloud.]

Email Routing (Msgs/hr)*: 3.6K, 80k, 157k, 680k, 1.5M, 1.8M
AS+AV Perf. (Msgs/hr)*: 2.7K, 61k, 126k, 500k, 1.3M, 1.5M
Recommended for: Demo/Home; Small Office; Mid Enterprise; Mid/Large Enterprise; Large Enterprise, ISP, Carrier, University; Large Enterprise, ISP, Carrier, University

*Note: Performance numbers are for physical appliances only.


Why FortiMail?
 Fortinet provide an end-to-end portfolio of sandbox
integrated solutions with simple licensing model
 FortiMail is proven best of breed for anti-spam, antivirus
and sandboxing
» 99.997% Spam catch rate / 0% False Positives
 IDC MarketScape “Leaders”
 FIPS 140-2 and Common Criteria NDPP Certified
 Fortinet are leading the market for advanced email
threat prevention

https://www.virusbulletin.com/uploads/pdf/magazine/2016/201605-vbspam-comparative.pdf