
Fortinet's Anti-virus Firewall
By Andrew Conry-Murray
Network Magazine 09.04

Claim: Fortinet is attacking best-of-breed solutions head-on with firewall, VPN, anti-virus, IPS, and URL filtering capabilities on one ASIC-based appliance. The company aims to win customers through better integration and lower costs than point solutions.

Context: A best-of-breed architecture can cost more than twice as much as Fortinet's multipurpose appliance. Fortinet must now prove its security functions are good enough to get the job done. At the same time, it must fend off other entrants into the multifunction market.

Credibility: The founder is Ken Xie, who also started NetScreen and led it to a successful IPO. Pedigree aside, Fortinet is winning customers, but functions such as Web filtering and spam protection need improvement.


Security infrastructure is supposed to cost tens of thousands of dollars and require a staff of specialists to manage. But that's only for networkers who haven't heard of Fortinet. This start-up offers a multifunction security appliance that combines firewall, VPN, intrusion prevention, spam protection, and anti-virus filtering capabilities for under $19,000. A comparable collection of best-of-breed solutions would cost over $44,000 (see table on page 49).

Fortinet is one of several companies leading the attack against best-of-breed incumbents with multifunction products. In addition to a compelling price point, these products reduce management hassles on several fronts. First, they provide a single console to manage numerous security functions. Second, they eliminate the need to patch multiple OSs, maintain multiple licenses, and update multiple signature databases.

Fortinet also goes a step further. Unlike solutions that cobble together various functions from third parties, the company has created its entire platform from scratch, including the OS, security software, and anti-virus engine. The result is a tightly integrated platform that offers several benefits. For example, Fortinet owners don't have to worry that an OS patch or upgrade will disrupt applications. Integration also means that the protection features work closely together. For instance, the firewall will automatically close a port if the intrusion prevention mechanism detects an attack. Policy creation is also simplified: Rather than toggle between functions, administrators can use one screen to define all the content protection parameters for individual users, groups of users, and network segments.

PRICE WARS

We compared Fortinet's FortiGate-800 appliance against a collection of point solutions priced for a 1,000-user enterprise. The FortiGate-800 is rated as a firewall with a throughput of 600Mbits/sec and a Triple DES VPN throughput of 200Mbits/sec. It comes with four 10/100 Ethernet ports and four copper Gigabit Ethernet ports.

The point solutions include Check Point's VPN-1 Pro for firewall, VPN, and intrusion prevention capabilities; Sophos' PureMessage for anti-virus protection; Barracuda Networks' Spam Firewall 200 for spam protection; and Internet Security Systems (ISS)' Proventia Web Filter (acquired from Cobion) for URL filtering.

When laid side by side, the cost of Fortinet's integrated solution is stunning. Even more amazing, the price doesn't include the hardware necessary to run VPN-1 and the Proventia Web Filter. (Spam Firewall is an appliance, and PureMessage can be run on the mail server itself.)

But while the price is right, does the product actually perform? "There's always a certain amount of risk with an unknown company," says Vic Fischer, vice president of IT at Colliers International, a global real estate consultancy. While searching for a replacement for an aging PIX at corporate headquarters, his team came across Fortinet. He and his team did a thorough evaluation of both the FortiGate-800 and a NetScreen product.

Not only did Fortinet win on price and functionality, but Colliers has decided to deploy the appliances in 11 of its branch offices as well.

In addition to firewalling, Fischer's Fortinet box is running intrusion prevention checks (in alert mode only), anti-virus scanning, and Web filtering. He also runs McAfee both on servers and desktops, but says Fortinet's anti-virus engine often catches new threats before McAfee has an updated DAT file.

His one complaint is URL filtering. "We were using Websense, which did a better job than Fortinet." He says Websense's database of restricted sites was more comprehensive. However, because Websense didn't interoperate with Fortinet, he now relies on the appliance's built-in Web filters.

Fortinet is also a laggard on the spam front (which may be why the company doesn't charge for that feature). Solutions include an open-relay database, remote black-list heading, and content-level checking for body and subject lines. It lacks spam signatures, Bayesian filtering, and a good heuristics engine--features that are standard in most standalone anti-spam products (including the Spam Firewall listed here). Fortinet says upgrades are planned.

FORTIFICATIONS

Fortinet relies on a purpose-built ASIC to accelerate content analysis for viruses, worms, Trojans, and the like. Other components on the ASIC accelerate DES, Triple DES, and hashing algorithms.

Critics of ASIC-based hardware say the chips lock customers into one platform, whereas pure software solutions can be migrated to new servers (or processors can be added to existing machines) as performance needs increase. Fortinet addresses this problem by offering a wide range of products, from small and home office-sized appliances to multigigabit monsters aimed at service providers. Multiple appliances can also be linked together to increase performance and availability.

Working in conjunction with the ASIC is FortiOS, a home-grown OS developed by Fortinet. FortiOS applies policies to traffic streams. All packets are first checked at the firewall, with subsequent analysis depending on the traffic type.

Fortinet has also created FortiProtect Services to identify new Internet threats and create the signatures to detect and block those threats. Updates are pushed automatically from nine distribution servers located around the world, including three in the United States.

A set of other products is also being offered, including FortiManager, a system that monitors, manages, and controls up to thousands of Fortinet appliances; and FortiLog, a centralized data collection system that consolidates reporting and analysis of event information. The company also sells a new host client that includes anti-virus protection, a personal firewall, and remote access via an IPSec VPN.

Fortinet says it built its hardware platform with expansion in mind. To that end, the company plans to create an SSL VPN module to run on the appliance, but a release date hasn't been established.

BREEDER BUSTERS

Other companies have recognized the market for multifunction security devices. Two standouts are Symantec, with its Security Gateway 5400 appliances; and Astaro Internet Security, which produces Astaro Security Linux, a software solution. Both products offer the same security functions as Fortinet.

Symantec's Security Gateway 5420 is priced around $16,300 for 500 nodes. The price includes anti-virus and Intrusion Detection System (IDS) signatures and a year of Gold-level maintenance. Symantec has powerful brand awareness for anti-virus protection and a strong protocol anomaly detection component in its Intrusion Prevention System (IPS) scanning. (Fortinet and Astaro are strictly signature-based.) The device also draws on Symantec's vast security resources, including Security Response, a global security research body that provides virus and attack signatures.

Astaro Security Linux starts at $6,895 for an unlimited number of users. That price also includes a year of software updates for the product. Spam protection is included for free, but costs go up from there. A year of IPS signatures costs $2,990. E-mail and Web anti-virus signatures are $2,750 each, and URL filtering is $9,600.

Astaro puts a unifying GUI on top of several different products, including anti-virus updates from Kaspersky Labs. The core anti-spam engine is SpamAssassin, a heuristics-based spam filter. The intrusion prevention signatures come from Snort, the open-source IDS technology. Astaro performs integrity checking on the Snort signatures before making them available.


Andrew Conry-Murray, technology editor, can be reached at acmurray@cmp.com.

 
 

   
   
 

