Full Disclosure mailing list archives

RE: Fortinet Firewalls


From: "Bryan K. Watson" <lists-security () nettracers com>
Date: Mon, 2 Aug 2004 12:09:41 -0700


Subject: [Full-disclosure] Fortinet Firewalls

Anyone had any experience with these - they claim to be able to offer content
filtering and thereby detect malicious content embedded into HTML, as well as
the usual delivery systems.

Sounds interesting; my only concern is how you would stay on top of each new
threat...

...automated hourly updates from Fortinet:
http://www.fortinet.com/FortiProtectCenter/

I have been very happy with Fortinet Fortigates at my client sites (we have
put about 50 Fortigates into various sites over the past 8 months with
great success - they have been very reliable and the tech support has been
superior to what I have been used to from the other guys in this space).
They do not slow down the traffic (just make sure you get the right capacity
unit for the job) and I always configure them for ingress and egress
filtering of all non-encrypted traffic (HTTP, FTP, SMTP, IMAP, POP).
Additionally, you will want to set your allow policies and then a global
deny so that you don't allow circumventing of your protocol scans. These are
doing real-time scanning, unlike the typical AV email firewalls that do
store->scan->forward.

I had one new client site that called me in after being repeatedly cracked
(not Windoze but Linux boxes), so I walked in with a Fortigate and the
IDS/IPS helped me to track down the originating site and the AV engine
showed me what rootkit was being attempted on the target linux
box...(de-greetz to you Darius a.k.a. HomeBoy).  I still place a snort
detector and raw tcpdump passively on the wire at these types of jobs for
forensic capture and detection, but I always carry out a Fortigate for use
when I am ready to go un-stealth and stop the nefarious activity.

I configure the update timer in the Fortigates to check with Fortinet for
signature updates every hour...this helped me to have sites protected from
MyDoom before the desktop AV vendors could get their sigs out to all the
client stations...not much before, but Fortinet is quicker than the desktop
AV vendors with AV updates - they don't have to do all that integration and
regression testing on all the OS versions that McAfee, Symantec, Trend,
Kaspersky, Panda, etc. have to do.

You can do global file extension type blocking (exe, zip, dll, etc) so it is
easy to quickly lock down all of your network when you suspect some new
crack going around.  The new version of FortiOS now allows you to do PERL
expression matching of any content as well and has a better than rudimentary
antispam engine...still testing that one out though.

Hope that answers your ??'s.

Cheers,
--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Bryan K. Watson   -   InfoSec Consultant    
- bwatson () netTracers com - www.nettracers.com 
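The "allow policies, then a global deny" ordering Bryan describes above, as an added illustration that is not part of the post and not FortiOS configuration: a first-match policy evaluator with constructed zone names, rules and flows. It shows that protocol scanning only ever runs on flows matched by an allow rule, so any flow that falls off the end of the list is decided purely by the device's unmatched-traffic behaviour unless an explicit global deny closes the list.

```python
# Added example (not from the post): a first-match policy evaluator showing why
# explicit allows must be followed by a global deny. Scanners only run on flows
# that match an accept rule carrying a scan profile; a flow that matches nothing
# is decided by 'default', which models the device's implicit behaviour.
# All zone names, rules and flows below are constructed for the example.

from dataclasses import dataclass
from typing import Optional, Tuple, List

@dataclass(frozen=True)
class Rule:
    src: str              # source zone, e.g. "inside" (constructed)
    dst: str              # destination zone, e.g. "outside" (constructed)
    port: Optional[int]   # None matches any destination port
    action: str           # "accept" or "deny"
    scan: Tuple[str, ...] = ()   # scanners applied on accept, e.g. ("av", "ips")

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int

def evaluate(rules: List[Rule], flow: Flow, default: str = "accept"):
    """Return (action, scanners) from the first rule matching the flow.
    'default' is what happens when no rule matches: no scanners are applied."""
    for r in rules:
        if r.src == flow.src and r.dst == flow.dst and r.port in (None, flow.port):
            return r.action, r.scan
    return default, ()

# Egress policy in the shape the post recommends: scanned allows, then global deny.
GLOBAL_DENY = Rule("inside", "outside", None, "deny")
POLICY = [
    Rule("inside", "outside", 80, "accept", ("av", "ips")),   # HTTP, scanned
    Rule("inside", "outside", 25, "accept", ("av",)),         # SMTP, scanned
    GLOBAL_DENY,
]

def unscanned_flows(rules: List[Rule], flows: List[Flow], default: str = "accept"):
    """Flows that would be accepted with no protocol scan at all; should be empty."""
    return [f for f in flows if evaluate(rules, f, default) == ("accept", ())]

# Constructed sample: normal HTTP, and HTTP moved to a non-standard port.
SAMPLE = [Flow("inside", "outside", 80), Flow("inside", "outside", 8080)]
```

Dropping the last rule (`POLICY[:-1]`) and re-running `unscanned_flows` on the same sample shows the port-8080 flow passing without any scan, which is the circumvention the global deny prevents.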


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

