UNIFIED THREAT MANAGEMENT
REVIEWED BY SANDRA KAY MILLER
Price: Starts at $32,995
The FortiGate 3600A rolls eight homegrown security services--firewall, IPsec and SSL VPNs, IPS, traffic shaping, antivirus, antispam and Web filtering--into one high-availability appliance built for speed.
It's a good choice for publicly facing data centers and managed service providers, with enterprise-class features such as redundant power supplies, dual-core processing, the new FortiASIC Content Processor-6, AMC network adapter expansion slots, two accelerated gigabit SFP ports and eight 10/100/1000 copper gigabit ports.
Using the quick-start guide, we planned our network configuration and connected to the Web-based manager in minutes. The interface is pleasantly clean and easy to navigate. Thanks to the expandable menu tree, moving through the initial setup was fairly intuitive.
For example, the VPN option expands to provide instant access to IPsec, PPTP, SSL and certificate administration. We created firewall rules, applied policies for content filtering and set up VPN tunnel associations.
FortiGate supports RADIUS, LDAP and Active Directory authentication.
Our only significant frustration was with the client software, which provides endpoint security and IPsec VPN connectivity. It was extremely slow to install and created instabilities in several instances.
Working primarily through the firewall, we quickly assigned numerous policies relating to network settings, logging, traffic shaping and restricting client network access based on policy compliance, such as up-to-date antivirus and IPS signatures.
However, given the extensive hardware support for high throughput (the pair of SFP connectors for optical networks), we were dismayed there was little standard policy control for VoIP. Also, there are only four IM services listed in the IM/P2P policy tab (MSN, Yahoo!, AIM and ICQ); we would have liked to see more choices, given the explosive growth of IM clients.
Each layer of security functioned effectively when faced with common threats such as SYN floods, malware, port scans and spam. Prohibited Skype traffic and potentially hazardous URLs and sites containing blacklisted keywords were blocked.
Using check boxes, we set up custom email alerts for more than a dozen different events, to be sent at defined intervals. The event log is also highly customizable.
Unfortunately, there are few onboard reporting features unless the data is sent to a FortiAnalyzer, which was not included in our testing.
Testing methodology: We set up a lab with Windows and Linux PCs sending legitimate as well as malicious traffic back and forth through ISG 2000.