Fortinet FortiAP-S Series Deployment Manual

DEPLOYMENT GUIDE
FortiAP-S Series Deployment Guide
Secure Cloud-managed Wireless LAN Solution
DEPLOYMENT GUIDE: Secure Cloud-managed Wireless LAN Solution
Overview
Distributed enterprises, dissatisfied with the cost and complexity of traditional controller-based
But most Cloud Wi-Fi solutions fall short on content and application security, leaving
businesses vulnerable to cyber-threats. Fortinet’s secure cloud-managed Wi-Fi addresses this
shortcoming completely.
Cloud Wi-Fi Evolution
Distributed enterprises such as retail, hospitality, health clinics and managed care facilities
have historically been poorly served by enterprise WLAN vendors. Traditional controller-based
solutions are generally too complex and too expensive for small businesses or those with
multiple sites requiring only a few APs each.
To address this growing market, enterprise WLAN vendors have ported their management and
controllers to the cloud, simplifying management and reducing CAPEX. With a cloud-managed
Wi-Fi architecture customers now only need to buy and configure APs, not controllers or
management servers.
But the apparent simplicity of cloud management has not come without a price. Security
beyond standard Wi-Fi access control is invariably lacking. In large enterprises, content and
application security is normally provided through specialized security appliances for IPS, web
filtering, anti-virus and so on. But in Cloud Wi-Fi these functions are absent. The result is that
cloud-managed Wi-Fi solutions are inherently not as secure as controller-managed WLANs.
Secure Cloud Wi-Fi
Fortinet’s secure cloud-managed
WLAN solution is unlike any
other Cloud Wi-Fi offering. It
offers the same network security
capabilities found in Fortinet’s
controller-managed enterprise
WLAN solution with the
convenience and low CAPEX of
cloud-based management.
Beyond Wi-Fi Security
How important is security beyond WLAN access control? Today’s
Wi-Fi authentication and encryption standards (WPA2, 802.1X etc.)
are generally accepted as robust Wi-Fi access control mechanisms.
Why does anyone need more security than that? Well, the threat
landscape has moved up the stack, and it is constantly evolving.
Our growing dependence on the Internet and cloud services, along
with BYOD, has resulted in exponential growth in potential threat
vectors and targets.
Threats enter your network through common applications like
email, web browsers and social networking tools, as well as
seemingly innocent apps and games on the mobile devices
belonging to your staff or customers. Worms and viruses on an
infected mobile device can infect other Wi-Fi attached devices,
even without either of them accessing the Internet.
Securing business communications, personal information, financial
transactions, and the mobile devices of your users, involves
much more than Wi-Fi access control. It requires scanning for
malware, preventing access to malicious websites, and controlling
application usage. But typical Cloud Wi-Fi solutions do not cater
to these requirements. Fortinet has a novel approach which
completely addresses this shortcoming in all existing Cloud Wi-Fi
offerings.
Fortinet Secure Cloud-managed Wi-Fi
Fortinet’s Cloud Wi-Fi solution is unlike any other Cloud Wi-Fi
offering. Based on the FortiCloud provisioning and management
service, and a new class of access points, the FortiAP-S series, it
offers the same network security capabilities typically found only
in controller-managed enterprise WLAN solutions combined with
supplementary security services.
Normally, if you want to apply comprehensive security for all types
of traffic from access points in remote offices, you need to tunnel
traffic through centralized security devices on the corporate LAN,
and often hairpin it back to where it came from. All this adds
latency and burns the capacity of your network links, forcing
premature costly upgrades.
Doing this is not only complicated, it also masks your visibility of
client and user behavior, as it requires entire VLANs, not unique
sessions, to be mapped from one security appliance to the next, to
process security in multiple passes through different devices. It is
highly inefficient.
Distributed enterprises in hospitality, retail and healthcare which
have large numbers of guests would rather not be tunneling video,
gaming and other high-bandwidth traffic from their guests through
the corporate network. But if they want to control application
usage, such as preventing a guest from watching inappropriate
content in their coffee shop, or if they want to fully protect devices
from cyber-threats they’ve had no alternative, until now.
Many vendors’ controller-managed WLAN solutions, including
Fortinet’s solution, allow split routing at remote offices whereby
corporate traffic is tunneled over the WAN to undergo security
processing at the head office or data center, while Internet traffic
goes directly to the Internet. But this Internet traffic is no longer
protected by corporate IPS, antivirus, and web filtering appliances.
Alternatively, all traffic from authenticated corporate users may be
tunneled through the WAN, while only guest traffic goes directly
to the Internet. In this case only guest traffic is unprotected and
uncontrolled. Still, neither approach is ideal.
With the FortiAP-S series all traffic from any type of user can be
protected and controlled regardless of whether it is corporate or
Internet traffic, without tunneling everything through the corporate
WAN. Not only is this efficient and cost-effective, it is also the most
secure and least complex of all options.
What makes the FortiAP-S series access points so special is they contain advanced security functions embedded in the AP hardware. This
new class of AP is equipped with extra memory and twice the processing power of typical thin APs, which enables them to perform real-
time security processing at the network access edge, not in the cloud or on the corporate LAN. Processing L2-L7 security at the AP in one
pass is efficient. Plus it allows exceptionally granular user and device policies and preserves complete visibility of session level behavior.
Fig 1. Fortinet Approach to WLAN and Application Security Enforcement.
Traditional Cloud Solution: Connection, Credential Lookup, Authentication, Gap in Security Protection, Continue to Wire.
Fortinet Cloud Solution: Connection, Credential Lookup, Authentication, IPS, AV, Botnet, URL Filter, App Control, Continue to Wire.