Full Disclosure mailing list archives
RE: Fortinet Firewalls
From: "Bryan K. Watson" <lists-security () nettracers com>
Date: Mon, 2 Aug 2004 12:09:41 -0700
Subject: [Full-disclosure] Fortinet Firewalls

> Anyone had any experience with these - they claim to be able to offer content filtering and thereby detect malicious content embedded into HTML, as well as the usual delivery systems. Sounds interesting; my only concern is how you would stay on top of each new threat...

..automated hourly updates from Fortinet: http://www.fortinet.com/FortiProtectCenter/

I have been very happy with Fortinet Fortigates at my client sites (we have put about 50 Fortigates into various sites over the past 8 months with great success - they have been very reliable and the tech support has been superior to what I have been used to from the other guys in this space). They do not slow down the traffic (just make sure you get the right capacity unit for the job), and I always configure them for ingress and egress filtering of all non-encrypted traffic (HTTP, FTP, SMTP, IMAP, POP). Additionally, you will want to set your allow policies and then a global deny so that you don't allow circumventing of your protocol scans. These are doing real-time scanning, unlike the typical AV email firewalls that do store->scan->forward.

I had one new client site that called me in after being repeatedly cracked (not Windoze but Linux boxes), so I walked in with a Fortigate, and the IDS/IPS helped me to track down the originating site and the AV engine showed me what rootkit was being attempted on the target Linux box...(de-greetz to you Darius a.k.a. HomeBoy). I still place a snort detector and raw tcpdump passively on the wire at these types of jobs for forensic capture and detection, but I always carry out a Fortigate for use when I am ready to go un-stealth and stop the nefarious activity.

I configure the update timer in the Fortigates to check with Fortinet for signature updates every hour...this helped me to have sites protected from MyDoom before the desktop AV vendors could get their sigs out to all the client stations...not much before, but Fortinet is quicker than the desktop AV vendors with AV updates - they don't have to do all that integration and regression testing on all the OS versions that McAfee, Symantec, Trend, Kaspersky, Panda, etc. have to do.

You can do global file extension type blocking (exe, zip, dll, etc.) so it is easy to quickly lock down all of your network when you suspect some new crack going around. The new version of FortiOS now allows you to do PERL expression matching of any content as well and has a better than rudimentary antispam engine...still testing that one out though.

Hope that answers your ??'s.

Cheers,
--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Bryan K. Watson - InfoSec Consultant - bwatson () netTracers com - www.nettracers.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html