Category: Fortinet Network

Security specialist Fortinet has agreed to provide some source code available, following allegations that it infringed on the GPL, the company Tuesday.
Earlier this month, will gpl-violations.org founder Harald Welte an injunction against Fortinet, banning companies that distribute their products to them with the terms of the GPL. The GPL or GNU General Public License is used by developers for the products they want to remain freely available under license to other programmers in accordance with the ideals of free software movement.

Welte claimed that Fortinet had not only abused the code under GPL, but it also tries to hide the use of GPL code by using cryptographic techniques.

Fortinet has decided to send the source code of Linux kernel under GPL and other components to provide any interested party. The code is available upon request for the cost of distribution, from the Fortinet website. The company also agreed to amend its license to the GPL with all Fortinet include shipments. The settlement agreement also stipulates that no Fortinet partners are subject to prosecution.

This is the latest in a series of victories for the GPL-violations.org project. Since the project began in 2004, Welte has negotiated more than 30 off-court settlements.

My company is planning a project to migrate from a traditional frame-relay network to a site-to-site VPN. As part of this project, we must decide on what firewall and VPN devices we will standardize on.

Currently, we have two remote site-to-site VPN test locations utilizing Cisco PIX 501 firewalls. These locations are connecting back to a Cisco IOS firewall and working successfully. Having configured the PIX firewalls myself, one of my concerns was the complexity of the configuration and troubleshooting. Once we standardize on a device and roll out the VPN network with these associated firewall/VPN devices, I’ll turn this project over to the network administrator and the network support group.

I’d like the end solution to be as simple as possible to troubleshoot, monitor, and modify. While I like Cisco products and I like the idea of standardizing on a Cisco solution, I don’t consider the PIX firewalls to be easy to configure, troubleshoot, or monitor. Sure, Cisco PIX devices do offer the PIX Device Manager (PDM), a Java Web-based interface for management. However, I still feel that, even with the Web-based interface, the PIX still lacks a great deal of user-friendliness and simplicity. Again, while I like Cisco products, in my capacity as project manager, I don’t want to have to say, “Here is the excellent solution I came up with, but yes, it is a pain to do many of the day-to-day tasks.” I was curious if I could find a solution that does the job, but which the network support group would find easy to work with.

Enter Fortinet
I met with a security consulting firm and, after hearing my requirements, they recommended that I take a look at devices from Fortinet, a company that I had never heard of. The consulting firm told me that, yes, there are a large number of choices available in the VPN/firewall market; however, based on the devices they have looked at, they felt that selecting Fortinet offered “the most bang for the buck” in my case.

Some of you reading this may already be very familiar with Fortinet. For those who aren’t, here’s a little background on the company. Ken Xie, the former founder and CEO of Netscreen, founded Fortinet in 2000. I heard that he left Netscreen because he believed strongly in the use of ASICs (Application Specific Integrated Circuits) to run devices like firewalls. At the time, Netscreen disagreed and Xie left to form Fortinet. Today, Fortinet’s Web site says that it is “the only provider of ASIC-powered, network-based antivirus firewalls.”

This idea of using ASICs is interesting. I’m not a firewall architecture expert, but this is what I gathered from my research: Cisco devices use a standard RISC or AMD processor (just like you could find in a small UNIX server), RAM, and operating systems with applications. By using ASICs, Fortinet has dedicated chips that speed the processing of things like firewall filtering, encryption, virus scanning, and traffic shaping. By using these dedicated chips, Fortinet claims that they are the only provider that can screen traffic for viruses at “broadband rates.” In other words, other firewall solutions that scan for viruses have higher latency than the Fortinet solutions, according to Fortinet.

Besides being interested in more user-friendliness and simplicity, some of the other features that attracted my interest in the Fortinet devices were:

The FortiGate product can do the same things that I was doing already with the PIX 501: firewall, VPN tunnels, and intrusion detection.

The FortiGate devices come with additional features that the PIX 501 does not support: antivirus functionality, RADIUS/LDAP user-based authentication with Web logging (syslog), intrusion prevention, Web content filtering, e-mail filtering (antispam), traffic prioritization within the VPN tunnel, and a fast, Web-based interface.

Fortinet also claims that, because it uses ASICs, the FortiGate firewalls are faster than Cisco PIX firewalls.

The FortiGate 50A costs about $500, the same price as the PIX 501 units I have been buying.

I really liked the idea of getting more for my money, so I agreed to demo the Fortinet devices (they didn’t know that I would eventually write a review).

My company is planning a project to migrate from a traditional frame-relay network to a site-to-site VPN. As part of this project, we must decide on what firewall and VPN devices we will standardize on.

Currently, we have two remote site-to-site VPN test locations utilizing Cisco PIX 501 firewalls. These locations are connecting back to a Cisco IOS firewall and working successfully. Having configured the PIX firewalls myself, one of my concerns was the complexity of the configuration and troubleshooting. Once we standardize on a device and roll out the VPN network with these associated firewall/VPN devices, I’ll turn this project over to the network administrator and the network support group.

I’d like the end solution to be as simple as possible to troubleshoot, monitor, and modify. While I like Cisco products and I like the idea of standardizing on a Cisco solution, I don’t consider the PIX firewalls to be easy to configure, troubleshoot, or monitor. Sure, Cisco PIX devices do offer the PIX Device Manager (PDM), a Java Web-based interface for management. However, I still feel that, even with the Web-based interface, the PIX still lacks a great deal of user-friendliness and simplicity. Again, while I like Cisco products, in my capacity as project manager, I don’t want to have to say, “Here is the excellent solution I came up with, but yes, it is a pain to do many of the day-to-day tasks.” I was curious if I could find a solution that does the job, but which the network support group would find easy to work with.

Enter Fortinet
I met with a security consulting firm and, after hearing my requirements, they recommended that I take a look at devices from Fortinet, a company that I had never heard of. The consulting firm told me that, yes, there are a large number of choices available in the VPN/firewall market; however, based on the devices they have looked at, they felt that selecting Fortinet offered “the most bang for the buck” in my case.

Some of you reading this may already be very familiar with Fortinet. For those who aren’t, here’s a little background on the company. Ken Xie, the former founder and CEO of Netscreen, founded Fortinet in 2000. I heard that he left Netscreen because he believed strongly in the use of ASICs (Application Specific Integrated Circuits) to run devices like firewalls. At the time, Netscreen disagreed and Xie left to form Fortinet. Today, Fortinet’s Web site says that it is “the only provider of ASIC-powered, network-based antivirus firewalls.”

This idea of using ASICs is interesting. I’m not a firewall architecture expert, but this is what I gathered from my research: Cisco devices use a standard RISC or AMD processor (just like you could find in a small UNIX server), RAM, and operating systems with applications. By using ASICs, Fortinet has dedicated chips that speed the processing of things like firewall filtering, encryption, virus scanning, and traffic shaping. By using these dedicated chips, Fortinet claims that they are the only provider that can screen traffic for viruses at “broadband rates.” In other words, other firewall solutions that scan for viruses have higher latency than the Fortinet solutions, according to Fortinet.

Many advantages can be obtained by combining several separate point based security systems into one unified security platform. The most popular reasons why customers choose Fortinet over other leading security vendors include the following 10 reasons.

1. Integrated security platform that provides 7 key security components to provide customers the greatest flexibility and protection available in a modern security platform: Stateful Firewall, Antivirus, Intrusion Detection & Prevention, IPSec Virtual Private Network (VPN), Web Content Filtering, Anti-Spam (including Spyware/Grayware), and Bandwidth Shaping. Fortinet’s security solutions are the only security products that are certified in four ICSA Lab categories – Firewall, VPN, IPS, and Antivirus.

2. Fortinet‘s award winning technology is consistent across its entire family of products and provides the same leading edge protection regardless of company size (SoHo to SME to large enterprise to service provider). Smaller customers benefit by taking advantage of enterprise and carrier class security features while larger customers benefit from Fortinet’s experience in designing strong security products that are intuitive, easy to deploy and use. In September 2004, IDC named Fortinet’s technology as the leader in the Unified Threat Management (UTM) security category with 29.5% market share. And in April 2004, Gartner named Fortinet’s technology as Visionary in their Enterprise Firewall Magic Quadrant.

3. FortiGate products lower Security TCO. Eliminating multiple security devices and collapsing them into one security choke-point decreases the Capital Expenditure (CAPEX) and Operating Expenditure (OPEX) costs. Implementing single purpose point security products is not only more expensive than Fortinet’s FortiGate security platforms, but it also lacks the Dynamic Threat Prevention System capabilities of Fortinet’s combined technologies – which greatly increases the detection rate of modern stealth and blended threats. With Fortinet’s simple “per box” licensing, ongoing maintenance, support, and product update costs are greatly reduced over competing products that are licensed on a “per user” basis.