IDS mailing list archives

Re: Fortinet IDS


From: Ron Gula <rgula () tenablesecurity com>
Date: Thu, 21 Oct 2004 11:58:02 -0400

We have a few Fortinets here at Tenable. We initially got a 'not for
resale' copy to develop signatures for it for our Thunder log aggregator
and Lightning Console vulnerability management products. We were able
to reuse a lot of the logic in Lightning we had built for Snort to
correlate host, network and passive vulns with IDS events from the
Fortinet box, but the log formats were slightly different.

Definitely based on Snort though and it is vulnerable to a variety of
NIDS-bypass attacks. Taking Nessus or NeWT and throwing a scan into
IDS bypass mode generates a much different event stream than without
evasion.

Our network engineers liked the demo model so much we bought it and
also bought a larger 100 MB model. Just from a convenience factor, it's
nice to get virus, spam, firewall, vpn and IDS events from one device.
I think you could argue that there is better technology on dedicated
hardware, but you have to balance your rack space, reliability, admin
overhead and budget.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
NeVO Passive Vulnerability Scanner


At 04:27 PM 10/19/2004 -0400, Ryan Whalen wrote:
I am using a Fortigate firewall. It inspects all traffic transparently for IDS/Virus events.

I believe they used Snort for their IDS. Fortinet provides signature updates for the IDS system several times a week. We are very happy with this solution.

Ryan

