Fortinet's FortiGate line of security appliances sets new standards for price, performance, and versatility.

Managing network security is a time-consuming affair. Appliances make the work somewhat easier, but each firmware-based appliance typically addresses a narrow range of security needs. The alternative is a robust, configurable integrated appliance, usually based on a PC platform. But the most highly integrated appliances are expensive and complicated to manage, and most still deliver only a narrow set of functions.

Fortinet’s FortiGate line of security appliances sets new standards for price, performance, and versatility. These devices boast standard security capabilities such as firewall, NAT (network address translation), VPN, and intrusion detection. They also fend off DoS (denial of service) and DDoS (distributed DoS) attacks, and they perform traffic shaping to give streaming packets higher priority. The units also break open network data packets to scan for viruses, worms, banned text, cookies, scripts, and blacklisted URLs.

Four qualities set FortiGate devices apart from other appliances: speed, cost, expandability, and breadth of standard features. The FortiGate series is a stunning first effort. Most exciting is the room Fortinet has reserved for future capabilities. This is not a one-shot appliance that you’ll have to replace in a year. It is an extensible platform with lots of room to grow.

Not your daddy’s appliance

The Fortinet FortiGate line of security appliances is unique in many ways. These firmware-based devices are as versatile and configurable as any PC-based solution, but they enjoy the greater reliability, reduced size, and the power and cooling savings that only firmware provides. We tested the FortiGate-400, a silent, 1U rack-mount device. Fortinet’s architecture performs even demanding tasks such as 3DES (Triple Data Encryption Standard) and AES (Advanced Encryption Standard) encryption at speeds that most PC-based platforms can’t touch.
It’s hard to believe that all of FortiGate’s features are enabled out of the box and that a nearly identical set of features is implemented in all members of the product line, from the $700 SOHO-grade FortiGate-50 to the $39,995 carrier-grade FortiGate-2000.

The FortiGate-400 has four 10/100Mbps Ethernet ports. If you need more ports or faster ones, the FortiGate-500 has twelve 10/100 ports and the FortiGate-2000 has four 1Gbps ports (two copper, two fiber). The suggested configuration uses one port each for the external network (Internet), the internal network, the DMZ (demilitarized zone) network, and a fail-over circuit to another FortiGate unit. But all ports are fully configurable. If your topology has two Internet circuits instead of one, or if you want to use the FortiGate’s availability port to connect another internal network segment, that’s allowed.

The FortiGate splits your network into user-defined zones (internal, external, and DMZ by default) for flexible configuration. Most security settings and policies are applied according to connections between zones.

A matter of scale

It’s reasonable to expect a firmware-based device to have limited capabilities compared with a PC security platform. Surprisingly, that’s not so.

When configured, the FortiGate downloads updated virus signatures and intrusion/DoS/DDoS rules nightly. The anti-virus engine tracks HTTP, SMTP, POP, and IMAP traffic, not only cracking packets open on the fly but reassembling them so that the entire transferred file can be scanned. The device identifies thousands of viruses, worms, and network attacks, with lots of room for expansion. The banned-word list and URL blacklist are empty by default. You can upload and download these lists at will, and the lists can be huge.

Most security appliances — whether they are bought preconfigured or built using Linux or BSD — degrade network performance so badly that companies limit their use to the edge of the network.
Internet connections usually run at a fraction of the internal LAN’s speed, so the degradation is acceptable. But Internet links are getting faster, and some companies want to monitor, filter, and prioritize traffic passing from one LAN segment to another. For example, you might want to put a FortiGate between your desktop LAN and your server network, or between users handling classified information and those who do not. You wouldn’t do that with most appliances, but with the enterprise-grade FortiGate units, you can.

The FortiGate-400’s hardware can blast packets through the firewall at 300Mbps. If you apply 3DES encryption to every packet, the FortiGate-400 “slows” to 100Mbps, more than enough to keep one port running at full speed. At the top end, the FortiGate-2000 has the capacity to run 3DES encryption at a blistering 500Mbps.

It’s hard to find fault with the FortiGate-400. The Web-based configuration interface can be a little difficult to navigate, but with so many settings, we can’t envision a better arrangement. Fortinet should supply some uploadable sample configurations for faster startup; the current factory defaults are not useful. But overall, the FortiGate is an unbelievably affordable, expandable, and powerful little box. If you saw a trade-show demonstration, you’d be looking under the tablecloth for a supercomputer.

Intel has ambitious plans for a network content filtering chip similar to Fortinet’s chip, the FortiASIC. But the anticipated cost of the chip alone matches the list price for the complete FortiGate-50. There is no reason to wait. The FortiGates are worth buying for what they can do now.
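The review notes that the anti-virus engine reassembles packets so that the entire transferred file can be scanned rather than inspecting each packet alone. This added example (not Fortinet's code; the signatures, file body and segment sizes are constructed) shows why that matters: a signature that straddles a segment boundary is invisible to per-packet inspection but is found once the stream is rebuilt in order.

```python
"""Added example, not Fortinet's code: scanning each packet in isolation
misses a signature that straddles a packet boundary, which is why the review
notes that the anti-virus engine reassembles a transfer before scanning it.
All signatures and packets below are constructed for the demonstration."""
from typing import List, Tuple

# Constructed stand-ins for a virus signature and a banned-word entry.
SIGNATURES = [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE", b"BANNED-PHRASE"]
Packet = Tuple[int, bytes]  # (stream offset, payload), like a TCP segment

def scan_bytes(data: bytes) -> List[bytes]:
    """Return every signature present in the buffer."""
    return [sig for sig in SIGNATURES if sig in data]

def scan_per_packet(packets: List[Packet]) -> List[bytes]:
    """Naive inspection: each payload is checked on its own."""
    hits: List[bytes] = []
    for _, payload in packets:
        hits.extend(scan_bytes(payload))
    return hits

def reassemble(packets: List[Packet]) -> bytes:
    """Order segments by offset and rebuild the file; refuse to treat a
    stream with a gap as complete, so a partial file is never scanned as whole."""
    data = b""
    for offset, payload in sorted(packets):
        if offset != len(data):
            raise ValueError(f"gap in stream at offset {len(data)}")
        data += payload
    return data

def scan_reassembled(packets: List[Packet]) -> List[bytes]:
    """Stream-aware inspection: rebuild the whole file, then scan it once."""
    return scan_bytes(reassemble(packets))

def segment(data: bytes, size: int) -> List[Packet]:
    """Split a file into fixed-size segments that arrive in reverse order."""
    segs = [(i, data[i:i + size]) for i in range(0, len(data), size)]
    return segs[::-1]

# Constructed file: the test string is buried inside benign padding.
FILE_BODY = b"header " * 5 + SIGNATURES[0] + b" trailer" * 5

def demo(segment_size: int = 16):
    """Compare both approaches on the same out-of-order transfer."""
    packets = segment(FILE_BODY, segment_size)
    return scan_per_packet(packets), scan_reassembled(packets)
```

With 16-byte segments `demo()` returns an empty list for per-packet scanning and the test signature for the reassembled stream; a large enough segment size makes both approaches agree, which is exactly the case an evasion by fragmentation avoids.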