Educause Security Discussion mailing list archives
Re: Fortinet unified threat management evaluation feedback needed
From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 27 Feb 2007 17:51:50 -0500
Cal Frye wrote:
> Jere Retzer wrote:
>> One caution: be sure to evaluate carefully your throughput needs as IPS and virus scanning seem to drop throughput by around 90%. I also wonder what are the latency and other impacts on VOIP and H.323.
>>
>> Christian.Heroux () ETSMTL CA 2/27/2007 9:22 AM >>>
>>> I am worried to put all my eggs in one basket. I know they use ASIC instead of CPU but I would like to see all eight functions activated (firewall, antivirus, anti-spam, IPS, IDS, traffic shaping, VPN)
>
> We've seen that just stacking individual devices inline can raise latency to unacceptable levels. I have no experience with the Fortigate, but you're right to be worried. Have them send you a largish unit for evaluation -- you'll never know how it works with your traffic until you try it out. The times I've done this, I often haven't changed vendors, but frequently have discovered we needed a more capable box than we evaluated (wishful thinking, every time).
I'll second the idea of installing and testing it in your network before buying it. And also the idea of planning on buying more than a "100Mb" unit for a 100Mb link.

One thing that we've seen affect IPS resource requirements above and beyond rated throughput is the need to maintain state. The number of sessions associated with the esoteric applications on a university network containing thousands of student computers is not trivial. Also consider the openness of the typical university network compared to a corporate network. There will probably be a lot more traffic of varying types and directions that must be examined and controlled. Then add a few hundred or a few thousand signatures in the path, background reporting traffic, and various updates along with all the other functions the multipurpose devices support.

Test, test, test. Test failure modes too. Can you disable parts of the device but not others? If not, are you willing to "go completely naked" on the Internet if a device has a problem?

Outright failures are easy to survive with a spare box, a high availability configuration, or redundant link. But what happens when your traffic exercises a previously unknown software defect in the device causing it to crash 2, or 3, or 4 times a day during prime operations hours? What do you do while you're waiting for your vendor's engineering department to come up with a fix? For days? For weeks? Do you suffer prime time crashes or go naked?

Do you have other devices inline that can offer backup protection when things go wrong and defense in depth when things are right? For example, router acls to back up a firewall and mail gateway AV/SPAM filtering to back up the all-in-one unit?

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
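Added example, not part of Gary Flynn's post or anything else in this thread: a small Python sweep-line pass over flow records that reports peak concurrent sessions per protocol, the figure that drives state-table load on an inline IPS/UTM regardless of its rated Mb/s. The flow-record shape, the sample values and the 50% headroom are assumptions.

```python
"""Estimate peak concurrent sessions from a connection log.

Added example (not from the mailing-list thread): when sizing an inline
IPS/UTM that must keep per-flow state, rated Mb/s matters less than the
number of simultaneous sessions it must track. This sweep-line pass over
flow start/end times reports the peak concurrency per protocol, so a
device's published session-table limit can be compared against reality.
"""
from collections import defaultdict

# Constructed sample flow records: (start_sec, end_sec, proto). In practice
# these would come from a flow export or firewall session log; the tuple
# layout here is an assumption, not any product's format.
SAMPLE_FLOWS = [
    (0, 30, "tcp"), (5, 20, "tcp"), (10, 40, "udp"),
    (12, 15, "tcp"), (25, 60, "udp"), (28, 35, "tcp"),
    (30, 31, "udp"), (45, 50, "tcp"),
]

def peak_concurrent(flows):
    """Return (overall_peak, per-proto peak dict) using a sweep line.

    Each flow contributes a +1 event at its start and a -1 at its end.
    Ends sort before starts at the same instant so a flow closing and
    another opening in the same second are not double counted.
    """
    events = []
    for start, end, proto in flows:
        if end < start:
            raise ValueError(f"flow ends before it starts: {(start, end, proto)}")
        events.append((start, 1, proto))
        events.append((end, -1, proto))
    events.sort(key=lambda e: (e[0], e[1]))  # -1 before +1 at equal time
    current = defaultdict(int)
    peak = defaultdict(int)
    total = total_peak = 0
    for _, delta, proto in events:
        current[proto] += delta
        total += delta
        peak[proto] = max(peak[proto], current[proto])
        total_peak = max(total_peak, total)
    return total_peak, dict(peak)

def fits_session_table(flows, table_limit, headroom=0.5):
    """True if peak concurrency stays under the limit with headroom (assumed 50%)."""
    total_peak, _ = peak_concurrent(flows)
    return total_peak <= table_limit * (1 - headroom)

if __name__ == "__main__":
    total_peak, per_proto = peak_concurrent(SAMPLE_FLOWS)
    print(f"peak concurrent sessions: {total_peak}, per protocol: {per_proto}")
```

Run it against a day's worth of real flow records, not the constructed sample, and compare the result with the evaluation unit's session-table limit before the pilot starts.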