Network security is time-consuming. Appliances make the work somewhat easier, but each firmware-based appliance usually targets a narrow range of security needs. The alternative is a robust, configurable integrated appliance, usually built on a PC platform. But the most highly integrated appliances are expensive and complicated to manage, and still only deliver a fixed set of functions.
Fortinet's FortiGate line of security appliances sets new standards for price, performance, and functionality. These devices offer the standard capabilities such as stateful firewall, NAT (network address translation), VPN, and intrusion detection. They also fend off DoS (denial of service) and DDoS (distributed DoS) attacks, and they perform traffic shaping to give streaming packets higher priority. The units also inspect packet payloads to scan for viruses, worms, banned text, cookies, scripts, and blacklisted URLs.
Four qualities set FortiGate devices apart from other appliances: speed, cost, expandability, and breadth of standard features. The FortiGate series is a fantastic entry point into the world of security appliances. What soon becomes apparent is the room Fortinet has reserved for future capabilities. This is not a one-shot appliance that you'll have to replace in a year. It is an extensible platform with lots of room to grow.
The Fortinet FortiGate line of security appliances is unique in many ways. These firmware-based devices are as versatile and configurable as any PC-based solution, but they enjoy the greater reliability, smaller footprint, and lower power and cooling demands that a purpose-built embedded platform provides.
Fortinet's architecture performs even demanding tasks such as 3DES (Triple DES, Data Encryption Standard) and AES (Advanced Encryption Standard) encryption at network speeds that most PC-based platforms can't touch. What sets this appliance apart is that all of FortiGate's features are enabled out of the box.
The FortiGate-50 splits your network into user-defined zones (internal and external by default) for flexible configuration. Most security settings and policies are applied according to the direction of a connection between two zones, and the pair of zones, the addresses, the service, and the schedule together select the rule.
For example, traffic flowing from the internal zone to the external zone (egress filtering) and traffic flowing from the external zone to the internal zone (ingress filtering) get independent rule sets, so you can apply one set of firewall rules to outbound connections and a different, normally much tighter, set to inbound ones. As with any policy-based firewall, rules are matched top-down and the first match wins, so a broad accept rule placed above a narrow deny will silently override it. The firewall, anti-virus, and VPN features all use zone-based configurations. Intrusion detection watches a single specified port, whereas banned words, URL blocks, and script/cookie filters are applied to all ports and zones.
It's reasonable to expect a firmware-based device to have limited capabilities compared with a PC security platform. Surprisingly, with this appliance that's not the case.
When configured, the FortiGate downloads updated virus signatures and intrusion/DoS/DDoS rules nightly. The anti-virus engine tracks HTTP, SMTP, POP3, and IMAP traffic, not only inspecting packets on the fly but reassembling the stream so that the entire transferred file can be examined (a scanner that looks only at individual packets can be evaded by splitting a signature across packet boundaries). The device identifies thousands of viruses, worms, and network attacks, with lots of room for expansion. The banned-word list and URL blacklist are empty by default, so the content filters do nothing until you populate them. You can upload and download these lists at will, and the lists can be huge. Another nice feature is the ability to configure schedules for network access. If, say, your business is open 24 hours a day but your inside sales department works 9 to 5, you can deny network activity from that network segment outside those hours by attaching a recurring date-and-time schedule to the policy. To complement this, Fortinet has also included one-time scheduled events, in case an employee stays late one night.
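To make the zone-and-schedule model concrete, here is an added example (my own code, not Fortinet's and not the FortiGate's configuration syntax) that models the behaviour described above: policies keyed on the source and destination zone, matched top-down with first match winning and an implicit deny at the end, with a recurring business-hours schedule and a one-time late-night exception for a sales segment. The zone names, the 192.168.1.0/24 internal network, the 192.168.1.64/26 sales segment, the mail server at 192.168.1.25, the dates, and the sample connections are all constructed for illustration.

```python
"""Zone-based policy evaluation with recurring and one-time schedules.

Added example, not Fortinet code. All addresses, zones, policies and
dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Recurring:
    """Weekly window. 'days' holds weekday numbers, Monday=0."""
    days: frozenset
    start: time
    end: time

    def matches(self, when: datetime) -> bool:
        t = when.time()
        if self.start <= self.end:                       # same-day window, e.g. 09:00-17:00
            return when.weekday() in self.days and self.start <= t < self.end
        if t >= self.start:                               # overnight window, before midnight
            return when.weekday() in self.days
        if t < self.end:                                  # after midnight: window began yesterday
            return (when.weekday() - 1) % 7 in self.days
        return False


@dataclass
class OneTime:
    """Single absolute window, e.g. one employee approved to stay late one night."""
    start: datetime
    end: datetime

    def matches(self, when: datetime) -> bool:
        return self.start <= when < self.end


@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    src_net: str
    dst_net: str
    dst_port: Optional[int]    # None = any port
    action: str                # "accept" or "deny"
    schedule: object = None    # None = always; otherwise Recurring or OneTime

    def matches(self, src_zone, dst_zone, src, dst, port, when) -> bool:
        if (src_zone, dst_zone) != (self.src_zone, self.dst_zone):
            return False
        if src not in ip_network(self.src_net) or dst not in ip_network(self.dst_net):
            return False
        if self.dst_port is not None and port != self.dst_port:
            return False
        return self.schedule is None or self.schedule.matches(when)


class ZoneFirewall:
    """Zone membership by longest prefix; policies checked top-down, first match wins,
    implicit deny when nothing matches."""

    def __init__(self, zones: dict, policies: list):
        self.zones = [(ip_network(n), name) for name, nets in zones.items() for n in nets]
        self.zones.sort(key=lambda z: z[0].prefixlen, reverse=True)
        self.policies = policies

    def zone_of(self, addr) -> str:
        for net, name in self.zones:
            if addr in net:
                return name
        return "external"       # assumption: unlisted address space is the external zone

    def evaluate(self, src: str, dst: str, port: int, when) -> str:
        when = datetime.fromisoformat(when) if isinstance(when, str) else when
        s, d = ip_address(src), ip_address(dst)
        sz, dz = self.zone_of(s), self.zone_of(d)
        for p in self.policies:
            if p.matches(sz, dz, s, d, port, when):
                return p.action
        return "deny"


def window_matches(schedule, iso: str) -> bool:
    """Helper so a schedule can be probed with an ISO-8601 timestamp string."""
    return schedule.matches(datetime.fromisoformat(iso))


# Constructed sample configuration (not a real site).
BUSINESS_HOURS = Recurring(frozenset(range(0, 5)), time(9, 0), time(17, 0))   # Mon-Fri 9-5
NIGHT_SHIFT = Recurring(frozenset({0}), time(22, 0), time(6, 0))              # Mon 22:00 to Tue 06:00
LATE_NIGHT = OneTime(datetime(2009, 11, 12, 17, 0), datetime(2009, 11, 12, 22, 0))
SALES = "192.168.1.64/26"

fw = ZoneFirewall(
    zones={"internal": ["192.168.1.0/24"], "external": ["0.0.0.0/0"]},
    policies=[
        # Sales segment egress: business hours, or the one-off window, then an explicit
        # deny so the broader internal rule below cannot pick up after-hours traffic.
        Policy("internal", "external", SALES, "0.0.0.0/0", None, "accept", BUSINESS_HOURS),
        Policy("internal", "external", SALES, "0.0.0.0/0", None, "accept", LATE_NIGHT),
        Policy("internal", "external", SALES, "0.0.0.0/0", None, "deny"),
        # Everyone else in the internal zone may go out at any time.
        Policy("internal", "external", "192.168.1.0/24", "0.0.0.0/0", None, "accept"),
        # Ingress: only SMTP to the mail server; anything else hits the implicit deny.
        Policy("external", "internal", "0.0.0.0/0", "192.168.1.25/32", 25, "accept"),
    ],
)

if __name__ == "__main__":
    for src, dst, port, when in [
        ("192.168.1.70", "198.51.100.9", 443, "2009-11-10T10:00"),   # sales, Tuesday 10:00
        ("192.168.1.70", "198.51.100.9", 443, "2009-11-10T20:00"),   # sales, Tuesday 20:00
        ("192.168.1.70", "198.51.100.9", 443, "2009-11-12T20:00"),   # sales, approved late night
        ("203.0.113.5", "192.168.1.25", 22, "2009-11-10T12:00"),     # inbound SSH to mail server
    ]:
        print(src, "->", dst, port, when, fw.evaluate(src, dst, port, when))
```

The ordering of the three sales rules is the point worth taking away: without the explicit deny, the after-hours sales traffic falls through to the general internal-to-external accept, and the schedule has achieved nothing. The same trap exists on the real appliance, so after adding a scheduled rule, test a connection outside the window rather than trusting the rule list.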
Most security appliances, whether they are bought preconfigured or built using Linux or BSD, degrade network performance so badly that companies limit their use to the perimeter of the network. Internet connections usually run at a fraction of the internal LAN's speed, so the degradation is acceptable there. But ISP links are getting faster, and some companies want to monitor, filter, and prioritize traffic passing from one LAN segment to another inside their trusted (internal) network.
For example, you might want to put a FortiGate between your desktop LAN and your server farm network, or between users handling classified information and those who do not. You wouldn't do that with most appliances, but with the enterprise-grade FortiGate units, you could. It's hard to find fault with the FortiGate-50. The Web-based configuration interface can be a little cumbersome to navigate, but with so many settings, we can't think of a better layout.
Overall, the FortiGate is an unbelievably affordable, expandable, and powerful little box. There is no reason to wait. The FortiGates are worth buying for what they can do now. With a list price of $495.00 for the FortiGate-50 licensed for 10 users, or $695.00 for unlimited users, this is the perfect appliance for the SOHO or small business environment. Add to this the $175.00 for a 1-year signature/firmware update subscription, and the FortiGate-50 is my appliance of the year.
For more product information please visit their website at https://www.fortinet.com
Got something to add? Send me email.
More articles by Michael Desrosiers. © 2009-11-07 Michael Desrosiers
I am not out to destroy Microsoft, that would be a completely unintended side effect. (Linus Torvalds)