A fortress in a box
- By Earl Greer, Vincil Bishop
- Oct 13, 2003
We finally have it — an appliance that combines practically every information technology security feature you can think of.
We obtained one of Fortinet Inc.'s new FortiGate 3600 units and decided to see if combining a smorgasbord of security services on one machine can work in an enterprise setting. This device integrates six functions in one box: antivirus, firewall, Web and e-mail content filtering, virtual private networking, network-based intrusion detection and prevention, and network bandwidth controls or traffic shaping.
The FortiGate 3600 offers a Web-based interface and a command-line interface to configure the device. We give the FortiGate a thumbs up for ease of use. On the left side of the main screen there are buttons generally corresponding to each of the six major functions, plus one button for a monitor screen and one for reporting. Each of these buttons has a drop-down list for subfunctions. The design team made sure that a minimal number of mouse clicks is needed to navigate the system.
Once installed, the device can be managed by users with read and write permissions and by users with read-only permissions. This allows the most experienced analysts to configure the device and then train less experienced staff to respond to FortiGate alerts. This spreads out the work, ensuring that a few administrators are not overloaded with security chores, which often happens.
The FortiGate 3600 is the top of the line of 10 FortiGate appliances that begins with an appliance designed for small office use. Because the 3600 model is the powerhouse with six separate gigabit interfaces, we wanted to test it in the most complex environment possible. Although we were not able to test with gigabit traffic, we did provide diversity. We placed the FortiGate between a class C subnetwork and the rest of an enterprise. The subnet had about 150 hosts, including Microsoft Corp.'s Windows 95/98/2000 and XP systems. We added a Windows 2000 Advanced Server, a Novell Inc. NetWare 6.0 server and a Linux server behind the device to simulate the services provided by a server farm.
First we tried attacking the FortiGate box itself. We were pleased to see that the designers had added a feature to allow management from only a few trusted hosts.
Many large organizations allow users to have separate communication systems installed without permission, such as Microsoft's Outlook Express or an instant messaging (IM) system. Because such systems are a common source of viruses that circumvent the enterprise mail systems, we were interested in how FortiGate would handle the problem. We configured one of our test workstations to pull mail from a public mail server that was not part of our corporate network.
After simple configuration through the FortiGate Web interface to ensure that infected e-mails would be blocked, we attempted to pull an e-mail through IM with the Netbus Trojan virus attached. The FortiGate stripped off the virus and sent our configured message in its place. Our problems with rogue users were solved in one stroke.
Because the FortiGate device can filter viruses obtained through HTTP and FTP protocols, we decided to try downloading the same Trojan virus from a Web server located outside our network. Immediately, we were given the message that we were not allowed to download the infected file.
To test the HTTP content-filtering capabilities, we filled our blocked-word list with a multitude of unmentionable words found on some unsavory Web sites. When we browsed a few sites that contained words from this banned list, we were immediately given our preconfigured message that the Web pages we were trying to read contained banned words.
Fortinet automatically downloads signatures for both antivirus and intrusion-detection systems from its Web site to the FortiGate system.
The next order of business was to subject the FortiGate to a real-world reconnaissance attack. Our favorite tool for this work is the Nessus vulnerability scanner. In the right configuration, the impact of such a scanner can be like machine-gunning tin cans off a log. But we contented ourselves with simple information gathering. From outside our protected network, we pointed the Nessus scanner toward three servers located behind the FortiGate device. Immediately, the FortiGate attack log began to fill, and FortiGate generated an e-mail alert. The detailed log allowed us to quickly and easily determine the IP address of the host performing the attack and block further access.
Although the intrusion-detection system did not have some of the bells and whistles we have seen on other, specialized products, their absence is not necessarily a bad thing. A staff of security experts will want granular packet-by-packet control on a device of this type. But if your staff consists of network administrators who may not be security experts, then simplicity is often a good thing.
The FortiGate 3600 has far too many features to cover here. The device can easily be integrated with existing Lightweight Directory Access Protocol or Remote Authentication Dial-In User Service servers. This is an important feature because most organizations already have some form of these technologies for authentication, so it simplifies FortiGate's integration into existing networks.
Perhaps the product's greatest value lies in its ability to examine network traffic at the application layer. This gives the network administrator control over content that is passed through the network. No longer is there a need to fight with the mail administrator about installing antivirus or content-filtering tools on the mail server. If mail content needs to be checked, FortiGate makes it easy to add a rule to look for a subject line or virus in messages.
Overall, we consider the FortiGate 3600 to be a good value for the money. But as true believers in multilayered security, we cannot recommend FortiGate as a substitute for a comprehensive antivirus system even though the price may be less than what you are currently paying for enterprisewide antivirus protection alone.
Greer and Bishop are network analysts at a large Texas state agency. They can be reached at Earl.Greer@dhs.state.tx.us.