Cybersecurity for Communications Service Providers

Communications service providers’ (CSPs) branch locations need access to fast, reliable, and scalable network connectivity. Frequently, retail locations must perform troubleshooting and repairs for their customers, which requires them to have rapid access to customer data and the ability to perform diagnostic tests that need a stable, reliable network connection.

Deploying this connectivity via traditional multiprotocol label switching (MPLS) lines is an expensive and inflexible solution. In comparison, software-defined wide-area networking (SD-WAN) provides the reliability guarantees of MPLS but operates over a broadband connection. By optimizing usage of multiple transport media, SD-WAN offers faster connection speeds with a lower total cost of ownership (TCO). Optimization of the network infrastructure improves network performance and decreases load at the enterprise data center, increasing operational efficiency. This enables CSPs to meet their service-level agreements (SLAs) while minimizing operational expenditure (OpEx).

One consideration when deploying SD-WAN is that it requires additional security provisions. In order to make full use of SD-WAN’s capabilities, it is necessary to deploy security at the network edge that results in multiple point products. That is unnecessary with Fortinet Secure SD-WAN, an SD-WAN solution that is unlike other solutions on the market, which offers an all-in-one solution for SD-WAN that includes robust SD-WAN threat protection. The built-in next-generation firewall (NGFW) provides security controls for Layer 3 through Layer 7 and industry-leading performance in an appliance with the industry’s first purpose-built SD-WAN application-specific integrated circuit (ASIC) chip. The Fortinet Secure SD-WAN appliance also includes an integrated intrusion prevention system (IPS), providing full traffic inspection at the branch location. This enables traffic to be routed directly to its destination, improving network performance, especially of cloud-bound traffic, without sacrificing security.

Fortinet Secure SD-Branch lays the groundwork for extending branch location security with Fortinet SD-Branch. Fortinet SD-Branch centralizes visibility and management of security infrastructure at branch locations from the internet down to the switching layer. This increases the efficiency of security operations, simplifies security control enforcement and data collection for compliance activities, and improves visibility and security of the enterprise WAN. This enables CSPs to decrease overhead and optimize OpEx. Part of Fortinet SD-Branch, FortiAP wireless access points provide high-performance, secure network connectivity for business and guest networks, while FortiNAC provides automated identification and access control for all devices connecting to the network.

With the reliable and secure network connectivity provided by Fortinet Secure SD-WAN, branch locations can also deploy Voice over IP (VoIP) in place of a separate phone service without concerns about bandwidth consumption, availability, or quality of experience. Here, FortiVoice offers an easily configured and flexible VoIP solution that can be isolated from other business and public Wi-Fi networks using the switching and access control capabilities built into Fortinet SD-Branch. To ensure connectivity in the event of a network outage, FortiExtender offers a 3G/4G/LTE/5G backup solution.

When selecting a networking solution, CSPs require a solution that enables them to meet their performance and security benchmarks, providing features such as:

• Over 5,000 signatures for automatic recognition and optimal routing of application traffic
• Malware signature updates from FortiGuard Labs for application databases
• Integrated next-generation firewall (NGFW), antivirus, intrusion prevention system (IPS), and application control for complete threat protection
• High-throughput inspection of secure sockets layer (SSL) and transport layer security (TLS) traffic for high-performance, comprehensive threat protection
• Integrated web filtering, making a standalone secure web gateway (SWG) unnecessary
• Scalable, high-throughput overlay virtual private network (VPN) tunnels to ensure encryption of confidential traffic

Fortinet SD-Branch enables CSPs to expand their centralized security visibility and management to branch locations with features such as:

• Automated discovery and security for connected Internet-of-Things (IoT) devices using FortiGate NGFWs and FortiNAC
• Full security integration for wired and wireless networks
• Zero-touch device provisioning with single-pane-of-glass visibility and management
• Firewalls, Ethernet switches, and WLAN interfaces managed from a single location

Communications service providers (CSPs) are a common target for malware attacks. A foothold on a CSP’s network is used to spread malware to its customers by taking advantage of their trusted relationship. CSPs need to be able to detect and block malware operating on their networks. However, according to analysis performed by FortiGuard Labs, 40% of new malware detected each day is zero day or previously unknown.                                                          

Advanced threat protection requires a multilayered defense, including features such as:

• Identification and protection against both known and unknown threats
• Detection and remediation of internal threats
• Automatic quarantine and analysis of suspicious content within sandboxes
• Leveraging deception techniques to identify internal threats
• Artificial intelligence (AI)- and machine learning (ML)-driven real-time threat intelligence
• Continuous threat intelligence and malware signature updates

Using data derived from analysis of over 10 billion security events per day, FortiGuard Labs rapidly collects, analyzes, and classifies threats with an extremely high degree of accuracy. It leverages AI and ML to write malware signatures and publish them across the entire Fortinet Security Fabric. The integration provided by the Fortinet Security Fabric across the organization’s network also enables security teams to leverage the latest in security orchestration, automation, and response (SOAR).

The widely distributed networks of CSPs offer many possible avenues for unknown threats to gain access, including public Wi-Fi, mobile devices, and connected Internet-of-Things (IoT) devices. Any suspicious content detected by a FortiGate next-generation firewall (NGFW) is forwarded to FortiSandbox for quarantine and inspection—including decryption of secure sockets layer (SSL)/transport layer security (TLS) content— before it reaches the network. Threat intelligence generated by FortiSandbox is then shared with other security elements via the Fortinet Security Fabric. FortiEDR (endpoint detection and response) advanced endpoint protection provides advanced endpoint protection—with a lightweight footprint—with high-availability guarantees, making it capable of protecting even business-critical systems.

Of course, cyber threats are not limited to external attackers. Using FortiDeceptor, an organization can identify malicious insiders or attackers who have gained access to the network. The user and entity behavior analytics (UEBA) features of FortiInsight help to identify anomalous, noncompliant, or suspicious behavior by endpoints or users that may threaten the business.

Organizations are increasingly embracing cloud services for business-critical data storage and applications, and these resources require robust security. While most cloud service providers offer built-in security settings, they are often incorrectly configured by organizations, leaving sensitive data vulnerable to exfiltration. A common cause of this is misunderstandings of the cloud shared-responsibility model, which outlines the security responsibilities assigned to the cloud service provider, customer, and what is shared between them.

Achieving centralized visibility and consistent security configuration management is also complex in the cloud, with every cloud vendor offering different built-in security controls and interfaces. Securing the cloud requires centralized visibility across on-premises and cloud deployments and security solutions that are designed to provide consistent security and policy management for cloud-based applications across multi-cloud environments.

The first step in securing a multi-cloud network requires networkwide visibility and centralized configuration management. The Fortinet Security Fabric natively integrates with major cloud providers and over 250 third-party security solutions. This enables it to break down the silos between different cloud deployments—offering centralized visibility and enforcement of security policies across the entire network. This centralized control makes it unnecessary for security teams to manually configure the security settings offered by each cloud service provider.

Once full visibility into an organization’s cloud deployment has been achieved, the next step is securing cloud-based applications. Many regulations, like the Payment Card Industry Data Security Standard (PCI DSS), require a web application firewall (WAF). Under PCI DSS Requirement 6.6., a WAF is required in DevOps environments unless an organization performs a full code review upon every modification to an application.

The WAF, as a result, is a vital part of a company’s cloud security deployment. FortiWeb WAF is available as a physical appliance, a virtual machine (VM), or as a Software-as-a-Service (SaaS) offering for cloud-native protection of the organization’s websites, payment portals, and web application programming interfaces (APIs).

Organizations also must manage access to their cloud deployments as a whole. FortiCASB and FortiCWP provide cloud-native access control and workload protection, simplifying visibility and security management across multi-cloud deployments. Finally, FortiGate next-generation firewalls (NGFWs) are available in a cloud-native Infrastructure-as-a-Service (IaaS) form factor, offering scalable security for any deployment environment.

Applications and data storage are not the only cloud-based assets that an organization needs to secure. Organizations are increasingly taking advantage of cloud-based SaaS email solutions such as Google Mail or Microsoft Office 365. FortiMail enables an organization to protect both SaaS and on-premises email deployments with the same email gateway.

In summary, Fortinet adaptive cloud security solutions include the features needed to secure even multi-cloud environments, such as:

• Native integration with security features of all major cloud service providers
• Networkwide visibility and management of multi-cloud environments from a single pane of glass
• Cloud-native website protection, email, and firewall solutions
• Real-time, artificial intelligence (AI)-driven threat intelligence distributed throughout the security infrastructure
• Automated identification of 5,000 types of application traffic, including encrypted cloud application data
• Secure, high-performance connectivity to cloud resources with Secure SD-WAN