More from the Q&A with Fortinet’s Rick Kagan

This is the conclusion of a two-part interview with Rick Kagan, vice president of marketing at Fortinet.

This interview does not constitute an endorsement of Fortinet products. I have not evaluated its products (I doubt that I have the technical expertise to do so in a meaningful way). I have no financial interest whatsoever in Fortinet.

Q: Why have network-centric security appliances always won over client-software security systems?

A: Because in networking, speed is always the critical issue. In a network, it doesn’t matter if you can turn lead into gold unless you can do it fast. So our security solutions have to evolve as the attacks do and also have to maintain performance. The stateful-inspection firewalls did a good job in the 1990s, but as the intrusions became more sophisticated, we moved to deep-packet inspection (looking beyond the header). Then as e-mail-enabled worms, spam and other complex attacks became more common, we had to start looking at the content of packet streams to be able to identify the attacks in the first place and then to respond appropriately. The rub is that you need hundreds or thousands of times more processing to complete content processing compared with stateful inspection; unless you provide that speed, you will bottleneck the bandwidth.

For example, lately we’ve had to cope with the W32/Randex.AK-net virus; its packed size is 133,120 bytes – about a hundred packets at least to transmit. Somewhere in those bytes – some at the beginning, some in the middle and some in the end – are characteristic patterns with little chance of occurring in legitimate packets. Worse still, the virus is going to be embedded in some other code. You cannot guarantee that the dispersal of the viral code will always be the same across all the packets. Therefore, inspecting one packet at a time is almost bound to fail if there are enough packets.
It’s a bit like breaking a missile up into hundreds of pieces and mailing them independently; it’s going to be hard to recognize the missile from any one package. So it really is necessary to reassemble the packets into the original content for inspection – something that the PC anti-virus does all the time. Three years ago we developed a system for content reassembly and inspection using the FortiASIC Content Processor and FortiOS Operating System to accelerate the process to such a speed that it can handle network bandwidth.

Q: So what’s the maximum bandwidth?

A: Up to 2G bit/sec so far on our FortiGate 4000 system, which can accommodate up to 10 FortiBlade-4010 modules, which makes the FortiGate-4000 system suitable for Internet service providers. And we have other systems (that I can’t discuss yet in detail) that will scale even higher.

Q: Tell me more about your products.

A: Around the core hardware and ASIC technology, we put all the other functionality into firmware. We always ship a complete system with full functionality – there is no per-function license fee. Finally, around all of that we wrap the services: FortiProtect instant attack updates (we can and will update our entire installed base within five minutes); FortiCare Services for comprehensive support; and the FortiManager System for centralized management. At the moment, we match or exceed performance of ASIC-based stateful inspection firewalls but we greatly exceed the performance on deep-packet inspection and content-based protection (typically six to 10 times the performance for equivalent costs).

We currently have 13 models ranging from a $500 FortiGate 50 suitable for a small office/home office (SOHO) or telecommuter system all the way up to a FortiGate 4000 which can handle multi-gigabit-per-second throughput. We also have centralized management in the FortiManager device and logging tools in the FortiLog systems.
The FortiClient software extends protection to remote clients such as a laptop and provides VPN functionality; soon there will be anti-virus and firewall functionality (providing centralized management and low cost).

Q: Are you basing your filtering algorithms primarily on heuristic algorithms, signature-based pattern-recognition, a combination of these methods or additional techniques?

A: Primarily signature-based but also heuristics. We’ve also been using family signatures that have allowed us to spot new variants of existing attacks without issuing new signatures.

Q: How do you handle inappropriate Web content? What controls do you offer your users to avoid political restrictions such as those that bedeviled some other product developers a few years ago?

A: We provide a flexible policy interface for our customers. They can enable or disable content based on 80 different categories – quite fine granularity. We also have a 24-7 team who analyze Web sites all the time and handle challenges to the categorization; we don’t see ourselves as the thought police but rather as serving the customer.
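
The interview's point that patterns dispersed across a transfer defeat packet-at-a-time inspection, while reassembled content can be matched, is shown in the added example below; it is not from the interview and is not Fortinet's code. The three-part signature, the 1460-byte packet size and the filler content are constructed assumptions.

```python
import random

# Constructed three-part signature (assumption): all parts must occur, in order.
SIGNATURE = [b"\x4d\x5a\x90EXAMPLE-HEAD", b"EXAMPLE-MID\xde\xad", b"\xbe\xefEXAMPLE-TAIL"]
MSS = 1460  # assumed payload bytes per packet

def matches(data, signature=SIGNATURE):
    """True if every part occurs in data, each one after the previous."""
    pos = 0
    for part in signature:
        idx = data.find(part, pos)
        if idx < 0:
            return False
        pos = idx + len(part)
    return True

def segment(content, mss=MSS):
    """Split content into (offset, payload) packets of at most mss bytes."""
    return [(off, content[off:off + mss]) for off in range(0, len(content), mss)]

def per_packet_hit(packets):
    """Inspect each packet in isolation, one at a time."""
    return any(matches(payload) for _, payload in packets)

def reassemble(packets):
    """Rebuild the content from packets in any order; None while a gap remains."""
    stream = bytearray()
    for off, payload in sorted(set(packets)):
        if off > len(stream):
            return None  # bytes missing: hold the verdict until they arrive
        stream[off:off + len(payload)] = payload  # duplicates overwrite in place
    return bytes(stream)

def build_sample(size=133_120):
    """Constructed content: filler with parts near the start, middle and end."""
    rng = random.Random(1)
    body = bytearray(rng.choice(b"abcdefgh") for _ in range(size))
    # 65695 puts the middle part across the boundary between two packets.
    for part, at in zip(SIGNATURE, (100, 65_695, size - 200)):
        body[at:at + len(part)] = part
    return bytes(body)

def demo():
    packets = segment(build_sample())
    random.Random(2).shuffle(packets)  # arrival order is not guaranteed
    packets.append(packets[0])         # a retransmitted duplicate
    stream = reassemble(packets)
    return len(set(packets)), per_packet_hit(packets), matches(stream or b"")

if __name__ == "__main__":
    print(demo())  # (packet count, per-packet verdict, reassembled verdict)
```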