A fortress in a box

FortiGate 3600 offers a smorgasbord of security services on one machine

We finally have it — an appliance that combines practically every information technology security feature you can think of.

We obtained one of Fortinet Inc.'s new FortiGate 3600 units and decided to see if combining a smorgasbord of security services on one machine can work in an enterprise setting. This device integrates six functions in one box: antivirus, firewall, Web and e-mail content filtering, virtual private networking, network-based intrusion detection and prevention, and network bandwidth controls or traffic shaping.

The FortiGate 3600 offers a Web-based and a command line interface to configure the device. We give the FortiGate a thumbs up for ease of use. On the left side of the main screen there are buttons generally corresponding to each of the six major functions, plus one button for a monitor screen and one for reporting. Each of these buttons has a drop-down list for subfunctions. The design team made sure that a minimal number of mouse clicks is needed to navigate the system.

Once installed, the device can be managed by users with read and write permissions and by users with read-only permissions. This allows the most experienced analysts to configure the device and then train less experienced staff to respond to FortiGate alerts. This spreads out the work, ensuring that a few administrators are not overloaded with security chores, which often happens.

The FortiGate 3600 is the top of the line of 10 FortiGate appliances that begins with an appliance designed for small office use. Because the 3600 model is the powerhouse with six separate gigabit interfaces, we wanted to test it in the most complex environment possible. Although we were not able to test with gigabit traffic, we did provide diversity. We placed the FortiGate between a class C subnetwork and the rest of an enterprise. The subnet had about 150 hosts, including Microsoft Corp.'s Windows 95/98/2000 and XP systems. We added a Windows 2000 Advanced Server, a Novell Inc. NetWare 6.0 server and a Linux server behind the device to simulate the services provided by a server farm.

First we tried attacking the FortiGate box itself. We were pleased to see that the designers had added a feature to allow management from only a few trusted hosts.

Many large organizations allow users to have separate communication systems installed without permission, such as Microsoft's Outlook Express or an instant messaging (IM) system. Because such systems are a common source of viruses that circumvent the enterprise mail systems, we were interested in how FortiGate would handle the problem. We configured one of our test workstations to pull mail from a public mail server that was not part of our corporate network.

After simple configuration through the FortiGate Web interface to ensure that infected e-mails would be blocked, we attempted to pull an e-mail through IM with the Netbus Trojan virus attached. The FortiGate stripped off the virus and sent our configured message in its place. Our problems with rogue users were solved in one stroke.

Because the FortiGate device can filter viruses obtained through HTTP and FTP protocols, we decided to try downloading the same Trojan virus from a Web server located outside our network. Immediately, we were given the message that we were not allowed to download the infected file.

To test the HTTP content-filtering capabilities, we filled our blocked-word list with a multitude of unmentionable words found on some unsavory Web sites. When we browsed a few sites that contained words from this banned list, we were immediately given our preconfigured message that the Web pages we were trying to read contained banned words.

Fortinet automatically downloads signatures for both antivirus and intrusion-detection systems from its Web site to the FortiGate system.

The next order of business was to subject the FortiGate to a real-world reconnaissance attack. Our favorite tool for this work is the Nessus vulnerability scanner. In the right configuration, the impact of such a scanner can be like machine-gunning tin cans off a log. But we contented ourselves with simple information gathering. We pointed the Nessus scanner outside our protected network toward three servers located behind the FortiGate device. Immediately, the FortiGate attack log began to fill, and FortiGate generated an e-mail alert. The detailed log allowed us to quickly and easily determine the IP address of the host performing the attack and block further access.
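
The log triage described above, as an added example that is not part of the original review and is not Fortinet code: it groups attack-log entries by source and flags a source that hits several protected hosts with several different signatures inside a short window, which is the footprint a vulnerability-scanner sweep leaves. The key=value log layout, the addresses and the thresholds are assumptions made for illustration.

```python
import ipaddress
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a generic key=value layout (an assumption,
# not the FortiGate's actual attack-log format).
SAMPLE_LOG = """\
2003-09-15T10:02:01 src=198.51.100.23 dst=192.0.2.10 attack="HTTP probe"
2003-09-15T10:02:03 src=198.51.100.23 dst=192.0.2.11 attack="SMB enumeration"
2003-09-15T10:02:04 src=198.51.100.23 dst=192.0.2.12 attack="FTP banner grab"
2003-09-15T10:03:30 src=203.0.113.7 dst=192.0.2.10 attack="HTTP probe"
truncated line without fields
2003-09-15T11:40:00 src=203.0.113.7 dst=192.0.2.11 attack="HTTP probe"
"""

def parse_line(line):
    """Return (time, src, dst, attack), or None for a malformed line."""
    try:
        stamp, *pairs = shlex.split(line)
        fields = dict(p.split("=", 1) for p in pairs)
        src, dst = (str(ipaddress.ip_address(fields[k])) for k in ("src", "dst"))
        return datetime.fromisoformat(stamp), src, dst, fields["attack"]
    except (ValueError, KeyError):
        return None

def find_scanners(log_text, window=timedelta(minutes=5), min_hosts=3, min_sigs=3):
    """Flag sources whose events in one sliding window span many hosts and signatures."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            by_src[event[1]].append(event)
    flagged = {}
    for src, events in by_src.items():
        events.sort()  # chronological order, since time is the first tuple field
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            span = events[start:end + 1]
            hosts, sigs = {e[2] for e in span}, {e[3] for e in span}
            if len(hosts) >= min_hosts and len(sigs) >= min_sigs:
                flagged[src] = {"first_seen": span[0][0], "targets": sorted(hosts)}
                break
    return flagged

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

The flagged source is the candidate for a block rule; the second source in the sample repeats one signature more than an hour apart and stays below the thresholds.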

Although the intrusion-detection system did not have some of the bells and whistles we have seen on other, specialized products, their absence is not necessarily a bad thing. A staff of security experts will want granular packet-by-packet control on a device of this type. But if your staff consists of network administrators who may not be security experts, then simplicity is often a good thing.

The FortiGate 3600 has far too many features to cover here. The device can easily be integrated with existing Lightweight Directory Access Protocol or Remote Authentication Dial-In User Service servers. This is an important feature because most organizations already have some form of these technologies for authentication, so it simplifies FortiGate's integration into existing networks.

Perhaps the product's greatest value lies in its ability to examine network traffic at the application layer. This gives the network administrator control over content that is passed through the network. No longer is there a need to fight with the mail administrator about installing antivirus or content-filtering tools on the mail server. If mail content needs to be checked, FortiGate makes it easy to add a rule to look for a subject line or virus in messages.

Overall, we consider the FortiGate 3600 to be a good value for the money. But as true believers in multilayered security, we cannot recommend FortiGate as a substitute for a comprehensive antivirus system even though the price may be less than what you are currently paying for enterprisewide antivirus protection alone.

Greer and Bishop are network analysts at a large Texas state agency. They can be reached at Earl.Greer@dhs.state.tx.us.

REPORT CARD

FortiGate 3600

Fortinet Inc.
(408) 235-7700
www.fortinet.com

The North America list price for the FortiGate 3600 is $29,995.

The FortiGate series of appliances comprises 10 models scaled to serve from the smallest offices to the largest enterprises. Each box combines six major information technology security functions. The top-of-the-line FortiGate 3600 works as advertised, is relatively easy to use and is platform-independent.
