Educause Security Discussion mailing list archives

Re: Fortinet unified threat management evaluation feedback needed


From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 27 Feb 2007 17:51:50 -0500

Cal Frye wrote:
Jere Retzer wrote:
One caution: be sure
to evaluate carefully your throughput needs as IPS and virus scanning
seem to drop throughput by around 90%. I also wonder what are the
latency and other impacts on VOIP and H.323.

Christian.Heroux () ETSMTL CA 2/27/2007 9:22 AM >>>
I am worried about putting all my eggs in one basket. I know
they use ASIC instead of CPU but I would like to see all eight
functions activated (firewall, antivirus, anti-spam, IPS, IDS,
traffic shaping, VPN)

We've seen that just stacking individual devices inline can raise
latency to unacceptable levels. I have no experience with the Fortigate,
but you're right to be worried.

Have them send you a largish unit for evaluation -- you'll never know
how it works with your traffic until you try it out. The times I've done
this, I often haven't changed vendors, but frequently have discovered we
needed a more capable box than we evaluated (wishful thinking, every time).


I'll second the idea of installing and testing it in your network
before buying it. And also the idea of planning on buying more
than a "100Mb" unit for a 100Mb link.

One thing that we've seen affect IPS resource requirements
above and beyond rated throughput is the need to maintain
state. The number of sessions associated with the esoteric
applications on a university network containing thousands of
student computers is not trivial.

Also consider the openness of the typical university network
compared to a corporate network. There will probably be a lot
more traffic of varying types and directions that must be
examined and controlled. Then add a few hundred or a few
thousand signatures in the path, background reporting traffic,
and various updates along with all the other functions the
multipurpose devices support.

Test, test, test.

Test failure modes too. Can you disable parts of the device
but not others? If not, are you willing to "go completely
naked" on the Internet if a device has a problem?

Outright failures are easy to survive with a spare box, a high
availability configuration, or a redundant link. But what happens
when your traffic exercises a previously unknown software defect
in the device causing it to crash 2, or 3, or 4 times a day
during prime operations hours?

What do you do while you're waiting for your vendor's engineering
department to come up with a fix? For days? For weeks? Do you suffer
prime time crashes or go naked? Do you have other devices inline
that can offer backup protection when things go wrong and defense
in depth when things are right? For example, router ACLs to back
up a firewall and mail gateway AV/spam filtering to back up the
all-in-one unit?


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security