Skip to main content

Help us improve the Digital Marketplace - send your feedback

Khipu Networks Limited

Fortinet FortiNAC Zero-Trust Network Access Control and IoT Security

Network Access Control (NAC) is a critical component in the modern-day network. NAC offers organisations the ability to deploy Zero-Trust Network Solutions and Secure SD-Branch Deployments. It also ensures IoT, BYOD and user devices are profiled, only allowing access to approved resources and periodically reviewed for compliance.

Features

  • Public and private cloud support
  • Broad integration with over 150 vendors
  • Agent and agentless scanning for detection and classification
  • Event reporting to SIEM with detailed contextual data
  • Enforce dynamic network access control and enable network segmentation
  • Centralised Architecture for easier deployment and management
  • Automate polices to reduce detection and containment time
  • Integration to the Fortinet Security Fabric
  • Centralise inventory for all connected devices, including IoT
  • Extensive support for Captive-Portal Guest and BYOD deployments

Benefits

  • Centralise BYOD, IoT and User on-boarding across network infrastructure
  • Automate device checking before network access is granted
  • Deploy Zero-Trust Network Architecture using a centralised model
  • Agentless Scanning support for IoT devices
  • Optional agent-based scanning for deep device-based information
  • Easy scalability through centralised and distributed architecture options
  • Utilise 17 profiling methods to identify a device
  • Flexibility to deploy on private and public cloud services
  • Reduce management overhead with automated device onboarding
  • Flexible license options for different use-cases

Pricing

£2,754.78 a server

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Sales-UK@khipu-networks.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

7 0 4 4 8 7 1 7 4 1 3 9 2 3 2

Contact

Khipu Networks Limited Sales Team
Telephone: 0345 272 0900
Email: Sales-UK@khipu-networks.com

Service scope

Service constraints
The service is limited to Fortinet products on supported platforms, as published by Fortinet on respective datasheets.
System requirements
  • Virtual machines require a minimum resource allocation
  • Some clouds are unsupported by some products (See Datasheet)
  • Some features are dependent on license (See Datasheet)

User support

Email or online ticketing support
Yes, at extra cost
Support response times
KHIPU delivers support packages with associated SLAs. The response time SLA is linked to the priority of the incident. Response times can vary from 30 minutes (Priority 1) to 4 hours (Priority 4), depending upon the severity of the support call logged. We can also offer bespoke support packages that allow the initial response time to be tailored to the environment if required. The initial response time does not differ based upon the time of day nor day of the week.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
KHIPU’s ethos is to provide outstanding technical and after sales support, both during and after a project implementation. To evidence this, we have a number of exceptional customer references should customers wish to speak with them. For all supplied solutions we provide maintenance and support services, with all of the proposed equipment being supported and maintained by KHIPU to the required level based upon the customers’ cover. The following is included within our available support/maintenance services:

• Maintain Services is KHIPU's 'break fix' level of support.
• Monitor Services offer “Pro-Active” monitoring and alerting via KHIPU's “KARMA” service.
• Fully Managed Service, KHIPU assumes full responsibility for the running of your devices.
• Co-Managed Service, KHIPU assists with the running of your devices.
• KHIPU SOC Service offers a complete, detection and response service protecting your critical infrastructure from cyber-attacks.

• All services are available 8am to 6pm Monday to Friday, or 24x7x365(366)
• Telephone, Email, Secure Portal and Remote Access Support

KHIPU would also assign a Technical Account Manager to every customer, who would be responsible for ensuring that SLA's are met in the event that customers call upon the agreed support service.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
For the delivery of the service, KHIPU follows our ‘Project Process’ which has the following primary stages:

• Stage 1 – Service scope
• Stage 2 – Assessment
• Stage 3 – Report correlation.

This process is KHIPU’s way of providing an effective service to implement your solution efficiently and to a high standard, in accordance with our ISO accreditations. Initially, we will set up a call to discuss the implementation of your service, what will take place, and any pre-requisites that need to be met. This will also provide end-users with the opportunity to speak to one of our fully qualified engineers who will discuss all aspects of the of the service and answer any questions that they may have. A set of project and technical documentation is then created, based upon the discussion. It is then circulated with the customer for their feedback and signature. From this point there is an agreed change control process for anything necessary which is under the control of both KHIPU and the customer.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
No data is held outside of the user’s organisation / chosen location for storage. After the contracted licensing period ends, the user may extract any retained syslogs via the web interface. Support portal accounts can be deleted upon request.
End-of-contract process
Once the licensing period ends, the virtual machines will continue to operate but no new devices or users can be registered. The user will lose access to support services (TAC) along with updates to features including, but not limited to Firmware, Anti-Virus Database, IPS Database, Global Threat Data, Application Signatures, Website Classifications, Anti-Spam Signatures, Internet Services Database (ISDB) updates, device vendor UIDs. Users have the option to extract configurations and logs for retention / re-use.

Using the service

Web browser interface
Yes
Using the web interface
Once the virtual machine is provisioned into the cloud environment, administrators have complete control of features and configuration for the virtual machine. All common and frequently used features are available through the web interface (GUI), along with remote access to the Command Line Interface (CLI) where lesser used or niche features can be configured.

The Web Interface allows for the configuration and on-going management of the virtual machine, along with access to remote, system events and log information.
Web interface accessibility standard
None or don’t know
How the web interface is accessible
Once the virtual machine is built the web interface is accessible through the IP configured to the Virtual Machine (typically the vNIC IP or Public IP).
Web interface accessibility testing
Not Known / Not Tracked.
API
Yes
What users can and can't do using the API
REST API is supported for the configuration and monitoring of Virtual Machines.
Most administration and configuration functions are available through REST API. Some limitations exist for certain Virtual Machines. Therefore, if the user is looking to integrate through API it is recommended they consult their Account Manager / TAC.
API automation tools
  • Ansible
  • OpenStack
  • Other
Other API automation tools
Any Automation tools that support JSON API
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
  • Other
Command line interface
Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface
Configuration of the FNAC appliance should be undertaken using either REST API or the GUI as best practice. CLI access to the NAC and underlying Operating System is best served for troubleshooting and initial deployment of the FNAC VM.

Scaling

Scaling available
Yes
Scaling type
Manual
Independence of resources
Services are built within customer cloud ecosystem with no external dependencies on infrastructure. Central signatures and updates may be cached to eliminate dependency on update servers.
Usage notifications
Yes
Usage reporting
  • API
  • Email

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • CPU
  • Disk
  • Memory
  • Network
  • Number of active instances
  • Other
Other metrics
  • Authenticated users by type
  • Authenticated devices
  • Inventory
  • Customised reports
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Fortinet

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
No
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
Yes
What’s backed up
Configuration & Database
Backup controls
Users can take backup copies of the configuration and database via the Web Interface. This is done through manual or scheduled tasks.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Users schedule backups through a web interface
Backup recovery
Users can recover backups themselves, for example through a web interface

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
Customers have the option of using Cloud based analytics or Sandboxing. In the event these options are chosen, data-in-transit is encrypted using SSL end-to-end. Data transfer between update servers and the virtual machines is completed via SSL end-to-end.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
Customers have the option of using Cloud based analytics or Sandboxing. In the event these options are chosen, data-in-transit is encrypted using SSL end-to-end. Data transfer between update servers and the virtual machines is completed via SSL end-to-end.

Availability and resilience

Guaranteed availability
As only individual virtual machines are being provided, no formal SLA is offered with regards to platform uptime as this would dependent on the end-user or a third-party cloud-provider.
Approach to resilience
Datacentre infrastructure is used to provide updates to signature databases and in some cases (where the customer chooses) process files or emails for zero-day threats or spam. Fortinet have a global network of highly available data centres, which are used to push updates or provide services. Utilisation of these service is done via a 'closest regional model'. However, should Fortinet lose a region the service will automatically default to the next available region, unless the user opts out.
Outage reporting
Individual virtual machines can report errors and outages through various means (including, API, Email, Web Interface, SNMP).

In the event of an error to fetch an update, the local system will report this failure via the above methods. Service Status of the datacentre is available publicly on Fortiguard.com.

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Administrators who access the Virtual Machine(s) are authenticated against a Username and Password set by the customer’s administrator.
Access restriction testing frequency
Never
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Description of management access authentication
Management access to the Virtual Machines is controlled by the customer. Options for limiting access include static accounts, using username and password, LDAP integration, Trusted Host access via specific subnet or IP.
Devices users manage the service through
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information
No audit information available
Access to supplier activity audit information
No audit information available
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Lloyd's Register Quality Assurance
ISO/IEC 27001 accreditation date
Original Approval: 6th May 2010, Current Expiry: 5th May 2025
What the ISO/IEC 27001 doesn’t cover
All areas of KHIPU's business is covered under ISO27001 certification.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
KHIPU adhere to ISO policies and procedures. We are certified to ISO9001 (Quality Management), ISO27001 (Information Security Management), ISO14001 (Environmental Management) and ISO45001 (Occupational health and safety). Any potential breach or risk of security or process is highlighted to senior management including the board of directors immediately.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All changes to the configuration of the service are managed through an ITIL based Change Control Process. This looks at technical suitability, security risks and impact to service; the output from which is clearly communicated to the customer where the ultimate decision will be made to proceed or not. This takes into account any commercial considerations necessary and provides an audit trail, ensuring that all aspects of the change are considered.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We work closely with the manufacturers of the deployed services to ensure that any reported/disclosed vulnerabilities are patched during the next maintenance window. Should a major flaw occur, an emergency change process would be invoked to patch the service within 48 hours. In the event that multiple vulnerabilities become apparent, they will be addressed in severity order (highest first), until all are mitigated.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Potential compromises are detected via various means including monitoring tools, manual check, service degradation, reported issues and regular vulnerability assessments. In the event of a suspected compromise, they are acted upon with high priority until they are proven to be benign or corrective action is needed to be taken to mitigate the problem. Immediate responses are provided if an issue appears to be critical within the end users’ environment. These procedures are in line with our ISO27001 processes.
Incident management type
Supplier-defined controls
Incident management approach
As part of our support/managed service procedure, the customer is provided with full details of how to log a support call, including all logging methods and the required information for the servicedesk. Once the call has been logged, it is then managed by the team under the servicedesk based on severity (major issue = service affecting, minor issue = query). All service affecting calls are escalated accordingly to the 2nd/3rd line teams including the assigned account and technical manager. Escalations procedures are provided as part of the onboarding process.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
No

Energy efficiency

Energy-efficient datacentres
Yes
Description of energy efficient datacentres
KHIPU utilises the ARK Cody Park Data Centre.

ARK is part of the Climate Neutral Data Centre Pact (CNDCP) Refer: https://arkdatacentres.co.uk/sustainability/

Power: All Ark facilities are powered by 100% renewable energy. Renewable energy has been purchased for up to 3 years ahead for their facilities.

Standby Power: By the end of 2023 Ark had replaced the diesel in their standby generators with Hydrotreated Vegetable Oil (HVO).

Cooling: The facility utilises innovative direct air evaporative cooling capability that dramatically lowers energy consumption and can provide compressor free cooling for 99% of the year. This ensures that data centre cooling adapts to IT load in real time to reduce wasted energy and deliver the appropriate amount of cooling to each rack.

Reduced Water Consumption: Ark has developed a ‘water buffering and saving mode’ for the cooling equipment which has reduced original peak water usage by 85%. Employing this approach with established rainwater harvesting designs it is possible for the Ark data centre evaporative cooling systems to operate solely on harvested rainwater.

IT Infrastructure: Servers are virtualised wherever possible to reduce the amount of hardware required. End-of-life equipment is decommissioned, removed, and recycled.

Social Value

Social Value

Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

Fighting climate change

KHIPU is committed to monitoring and reducing our environmental footprint. We are an ISO14001 Environmental Management certified company and complete an internal audit annually which provide updated targets for our company and supply chain to aim for.

We update our initiatives on our website: https://www.khipu-networks.com/khipu-is-green/.

• Employees and our supply chain are made aware / reminded of their environmental impact.
• We regularly review our products, services, and suppliers to ensure we are using the most suitable environmentally friendly options.

KHIPU and our supply chains are committed to minimising impact to the environment from our solutions by reusing, recycling, and adopting processes that conserve raw material, energy, and water.

The company is part of a movement called “techies go green” (https://www.techiesgogreen.com), aimed at increasing awareness and we are committed to decarbonising our businesses and making them green and verifiably sustainable.

Where possible, we work with customers remotely to reduce travel costs and for each day an engineer installs / supports a customer remotely we plant 10 trees. Tracking of our progress is available here: (https://moretrees.eco/forest/khipu/).

Covid-19 recovery

Our plans and processes provide mitigation against a wide range of potential incidents including the unforeseen events mentioned.

The procedures have been regularly tested both theoretically and in real events. In 2017 we activated the plans as part of an office relocation, we had no loss of services or unexpected downtime.

On the 9th March 2020, we activated our Pandemic Policy which was created during the original SARS threat. This was activated across our UK and South Africa offices in advance of the UK and SA Government lockdown. We successfully had 98% of staff working from home, 2% of staff worked in our UK office.

The business managed to offer and operate the majority of our services remotely. We continued to provide on-site resources to customers running critical life supporting systems (i.e. Healthcare / Social Services).

Since the removal of lockdown restrictions, we have moved to a hybrid operation where staff aim for a minimum of 3 days in the office, 2 working remotely. KHIPU invested in a new HQ building during 2021-2022 and modelled our offices to support the most flexible ways of working.

Tackling economic inequality

As a business we understand that we can make a difference in tackling economic inequality, with KHIPU being fortunate to operate in the Technical Business Sector which is a robust market. This allows the company to invest into our workforce, both in terms of relatively high salaries and also support services (pension contributions, healthcare, dental care, welfare support, regular health checks, training, team building, career options).

We offer flexitime to the workforce, offer hybrid working, provide a very good maternity / paternity scheme, invest in apprentices, and also graduates and have workforce age from ~19 – 70 years of age. Over 40% of our senior staff identify as female and we support all of our staff in any way we can.

Outside of our business, KHIPU invests into charitable causes, we have invested in building a computer laboratory in a township school in South Africa. We invest in youth sports and various health related charities.

Equal opportunity

KHIPU has a strong ethos on diversity and inclusion with our main objective being that our company and staff understands and promotes equality, diversity, and inclusivity internally and externally with suppliers and customers.

We have not set any specific target; however, we have found that our organisation has organically grown in a manner fully supportive of our main objective for equality, diversity, and inclusivity.

This organically grown culture exists across our UK and South Africa based offices, we also ask our supply chain to confirm their commitment to supporting our own objective in this manner.

Wellbeing

KHIPU has a very active “People Operations” department with representatives across our main offices in the UK and South Africa. They provide a wide range of help and support to all staff, including their families as appropriate. Our team have trained first aiders and also have received mental health awareness training. All staff have access to our internal support team and can also be referred to 3rd party experts (via our company-wide healthcare scheme). The company invests in an annual health check (optional but recommended for all staff) by a 3rd party company, this also offers advice on mental health, fitness, diet etc.

The company has invested in excellent office facilities, both in terms of general office location and facilities within our offices. This allows staff multiple options for stress reduction, teamwork or relaxation as required. We suggest that all staff walk around and do not sit too long at their desks, offer stand-up desk workstations and we try to cater for any staff members working preferences.

Pricing

Price
£2,754.78 a server
Discount for educational organisations
Yes
Free trial available
No

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Sales-UK@khipu-networks.com. Tell them what format you need. It will help if you say what assistive technology you use.