[Dshield] Fortinet [Fortigate 5050]
Dregier, Leo A. (CMS/CTR)
Leo.Dregier at CMS.hhs.gov
Mon Feb 12 13:31:32 GMT 2007
In every environment you could perform the same test and you will get different results. Let's not forget the top three layers of the OSI: 8=Politics, 9=Money, 10=Religion. You'll get people who swear by integrated IDS/IPS in a firewall box, others with the talent to make a box that does whatever you want. There are literally hundreds of combinations of what you could do. No one is right or better than the other. This is why we adapt the SANS layered approach. (Sounds like I'm working for them or something; I'm not.) We do this because it takes the vendor out of the equation. I'm so glad Microsoft is not in the firewall, IDS/IPS or security business, for that matter.
Also, this is what sales people are for. Get loaners of their products, test them. Send some viruses, exploits, bandwidth testers, etc. through the devices on an "ISOLATED" (my disclaimer) network. Make them work for the sale. Too often sales folks walk into a company and walk out with a sale because the engineers didn't have "time" to do research. Because it's an Operational Engineer doing the job! No wonder there is no time! Then again, Development Engineers are not found at every company.
OPINION: Professionals with both experiences that can play a hybrid role should get paid more!
As far as stateful packet inspection... let's look at something similar. Stateful packet inspection needs a signature database to be compared against. Its definitions also need to be updated. This has higher overhead compared to something that does a trend analysis and then shows anomalies. I'm sure we could go on and on about this also... but let me give you something similar.
I would monitor the latest signatures and exploits from the major antivirus vendors: www.kaspersky.com, Norton, McAfee, etc., or any of the other hundreds out there.
Watch how they "trend" the signatures... IDS/IPS also does the same thing, but you generally don't hear about what the signatures are for ISS (they don't like to give out secrets; Snort will, but you have to wait 7 days unless you have a premium subscription).
You get the idea. It's the same approach with IDS as with AV! Firewalls are somewhat similar, but it's generally operational based and feature based. (Sales folks again here...)
Thanks for allowing me to rant... Also, my contact info is below if you want to have an out-of-band discussion.
Leo A. Dregier III
Computer Security Incident Response Capability (CSIRC)
- Incident Response Team - Incident Response Lead
Centers for Medicare & Medicaid Services
Lockheed Martin CITIC Security Team
e-mail: Leo.Dregier at cms.hhs.gov
The contents of this e-mail are confidential to the ordinary user of the e-mail address to which it was addressed and may also be privileged. If you are not the addressee of this e-mail you may not copy, forward, disclose or otherwise use it or any part of it in any form whatsoever. CMS does not accept responsibility for changes made to any e-mail after sending. If you have received this e-mail in error please e-mail the sender by replying to this message.
From: rgolodner at infratection.com [mailto:rgolodner at infratection.com]
Sent: Friday, February 09, 2007 11:08 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Fortinet [Fortigate 5050]
Both of you guys have made some good points, and what it really comes down to is what a company can spend. If it was my network I would want specific devices to provide specific services. I have never cared for that DVD/TV combo stuff. Everybody be cool.
Richard Golodner
>From: Moses [mailto:moses at networksamurai.org]
>Sent: Friday, February 9, 2007 11:16 AM
>To: 'General DShield Discussion List'
>Subject: Re: [Dshield] Fortinet [Fortigate 5050]
>-----BEGIN PGP SIGNED MESSAGE-----
>This is rather interesting to note. I find your comments 100%
>accurate. But I'd like to offer the group a bigger question. Now that
>the 'Stateful packet inspection' technology has progressed and many
>companies are doing it VERY well, would companies be more interested
>in deploying a product from a Firewall vendor that has an integrated
>IPS/IDS, or would you be more interested in deploying a product from a
>best-of-breed IPS/IDS vendor that has added firewall capabilities?
>Case in point, I still see larger companies going with a layered
>approach but wishing they could go with a more 'Unified' approach.
>When you peel back the layers, it's more of the time because most do
>not think that the Firewall manufacturers have a good IPS/IDS product
>integrated, so they feel they still need a stronger device in line. If
>you consider or leave VPN as a 'router' only or SSL 'only' product,
>maybe we will see the market start changing a bit more.
>Dregier, Leo A. (CMS/CTR) wrote:
>> I've used a Fortigate 5050. I feel they are average in comparison.
>> Jamy is correct. While you can get all-in-one appliances or Unified
>> Threat Management as some refer to it, remember that a layered solution
>> should have multiple layers. One could use McAfee on the desktop and a
>> border gateway at the edge from another vendor, for example.
>> Also, you have to consider how the appliance works for your company;
>> what are your company's needs? For smaller companies that want to save
>> money, generally UTM will work, but for larger companies the only way to
>> get real accounting is to have multiple solutions.
>> Get a loaner, run it on your network. If it gives you the results,
>> accounting and audit capabilities you need, then it might be the way to go.
>> For me, it's all about reporting. Can I interrogate the logs and get
>> what I need easily?
>> My advice: get a loaner box. Sales engineers should be more than
>> willing to give you one for 30 days... minimum, sometimes 60 if you can
>> justify a large purchase.
>> Lastly, ask the company itself how it stacks up. Then confirm that
>> with the competitors' same stat sheet! They all claim to do it better
>> than the rest. So it's more of how the device works for you!
>> Best Regards,
>> Leo A. Dregier III
>> Computer Security Incident Response Capability (CSIRC)
>> - Incident Response Team - Incident Response Lead
>> Centers for Medicare & Medicaid Services
>> Lockheed Martin CITIC Security Team
>> desk: 443-348-4002
>> mobile: 410-274-2460
>> e-mail: Leo.Dregier at cms.hhs.gov
>> The contents of this e-mail are confidential to the ordinary user of
>> the e-mail address to which it was addressed and may also be privileged.
>> If you are not the addressee of this e-mail you may not copy, forward,
>> disclose or otherwise use it or any part of it in any form whatsoever.
>> CMS does not accept responsibility for changes made to any e-mail after
>> sending. If you have received this e-mail in error please e-mail the
>> sender by replying to this message.
>> -----Original Message-----
>> From: Klein, Jamy [mailto:Jamy.Klein at cshs.org]
>> Sent: Thursday, February 08, 2007 12:13 PM
>> To: General DShield Discussion List
>> Subject: Re: [Dshield] Fortinet [Fortigate 5050]
>> I have not used them personally, but I know of them. My opinion is that you
>> should be careful with any product like that which claims to do it all. How
>> do you know that they are good at IPS, A/V, Content Filtering, and
>> firewalling? They most likely are not better at IPS than a company that
>> makes all their profit or a large portion of their profit off of IPS. The
>> company that is primarily focused on IPS is probably investing most of its
>> money into IPS research, where a company like Fortinet has to split the
>> research dollars between all of the above listed areas.
>> -----Original Message-----
>> From: Basiru Ndow [mailto:bndow at Ndowtech.com]
>> Sent: Thursday, February 08, 2007 8:42 AM
>> To: General DShield Discussion List
>> Subject: [Dshield] Fortinet [Fortigate 5050]
>> Anyone with experience using Fortigate 5050 for network security
>> solutions? Just joined the company and we are thinking of using it.
>> Any advantages or disadvantages that you can share?
>> IMPORTANT WARNING: This message is intended for the use of the person or
>> entity to which it is addressed and may contain information that is
>> privileged and confidential, the disclosure of which is governed by
>> applicable law. If the reader of this message is not the intended
>> recipient, or the employee or agent responsible for delivering it to the
>> intended recipient, you are hereby notified that any dissemination,
>> distribution or copying of this information is STRICTLY PROHIBITED.
>> If you have received this message in error, please notify us immediately
>> by calling (310) 423-6428 and destroy the related message. Thank You for
>> your cooperation.
>> SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
>> taught by our top rated instructors plus a huge vendor tools expo.
>> Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.6 (MingW32)
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>-----END PGP SIGNATURE-----