by Michael Xie  |  Mar 03, 2009  |  Filed in: Security Research

Today was another big milestone in the history of the company I co-founded and I'm very happy to have this opportunity to tell you about it. Fortinet has released FortiOS 4.0, the firmware upgrade for our FortiGate security systems. This release is the result of a tremendous effort by our development teams over the better part of 12+ months. These highly skilled and talented teams worked hard to design and implement these technology innovations so that we could confidently put the product in front of our customers.

Even in this time of economic uncertainty, I believe that innovation is our greatest strength. While other security vendors are merely coasting along, Fortinet is focused more than ever on expanding our vision for comprehensive and easily managed network security solutions. We are continuously updating our FortiOS firmware and each release builds upon our existing, pioneering innovations. For example, with FortiOS 3.0, Fortinet became the first security hardware company to offer VoIP / IM / P2P security; we were also the first security vendor to deliver integrated SSL VPN with complete content inspection. We've now built upon that technology to offer full application control and prioritization of more than 1,000 apps. Overall, our FortiOS 4.0 release delivers on two main objectives:

  1. Give our FortiGate customers access to security technologies and features that were previously only available via a combination of standalone vendors

  2. Continue to drive the increased security capabilities that help protect our customers from the never-ending and evolving threat landscape

FortiOS 4.0 introduces several features, the four most significant of which I want to highlight here:

  • Application Control

  • Data Leakage Prevention

  • WAN Optimization

  • SSL Inspection

Application Control

This feature is part new innovation and part extension of our existing security features. The idea of application control is to provide a more granular approach to enforcing security policies as part of a firewall solution. In essence, this technology can provide our customers with an additional way to identify and secure applications that can otherwise disguise themselves by utilizing common protocols typically allowed as part of a security policy (e.g. port 80).

This underlying technology is not new to FortiOS 4.0. In fact the previous versions of FortiOS implemented the dynamic detection capability for IM and P2P traffic, which are notorious for riding on common application protocols. What FortiOS 4.0 delivers is a significant maturation of this technology, with the ability to classify and define policies for more than 1,000 applications. With this extensive application control list, administrators can define even more granular policies that will detect applications based on behavior and other characteristics, irrespective of the underlying protocol they utilize as the transport.

Additionally, Fortinet has a team of researchers who are continually monitoring new applications and cloaking techniques on the ever-changing Internet. Thus, our customers can expect to receive continual updates to the list of identified applications via our subscription service option. While this type of granular application security policy constitutes a great addition to the typical firewall policies inherently available in FortiOS, it is the combination with advanced security processing (antivirus, IPS, content inspection) that delivers true security. Identifying the application is only one piece of the puzzle: the content needs additional inspection to ensure there are no malicious threats contained within the data.

Data Leakage Prevention (DLP)

DLP is an emerging need that many of our customers are seeking, but they are quickly overwhelmed by the variety of fancy-sounding techniques employed in the industry (and their associated hefty price tags). Fortinet already has a decade of experience in content inspection. By leveraging our field-proven, mature inspection technologies for data in motion, we can provide customers with the foundation for DLP without the heavy investment others are asking from them.

Since we have always provided protection from malicious content/threats, the ability for customers to define data that needs to be identified and protected is a natural extension of this technology. Administrators can define simple or complex targets that we incorporate into our built-in inspection rule set, thus allowing corporations to identify and protect intellectual property that should not be transmitted outside the boundary of an organization, or even data that should not be transmitted between departments within an organization. This is complementary to the approach we take with our firewalls.

Our firewall technology has always delivered "outside in" and "inside out" protection; now we are simply looking for targets administrators define in concert with the targets our own threat researchers define. While protecting the network from malicious content/threats is one aspect of network security, DLP is increasingly a must-have for companies that need to ensure their competitive edge is not compromised by the intentional or unintentional transmission of confidential data across specific boundaries.

WAN Optimization

I am often asked why a leading provider of focused network and application security solutions would choose to integrate a network service like WAN optimization. But if you think about it, this network technology is a natural extension for our security technologies. Fortinet is constantly developing ways to enhance networking performance, such as our Network Processor-accelerated interfaces.

Plus, consider that a large portion of our customers utilize our VPN technology for remote site and remote user access. Encryption and compression technology can make it difficult for acceleration devices deployed outside the network perimeter to deliver meaningful results. Given that we are providing security services, including VPN, on both ends of the WAN connection, it made sense to us and to our customers to offer these WAN optimization features. The customers who requested these features - especially those managing complicated enterprise branch deployments - recognized that we were already providing to them the basic foundation required for WAN acceleration technology: application content reassembly and inspection.

Now, consider the scenario where a FortiGate is providing antivirus scanning for FTP, Web and email across a VPN to a remote office location. To deliver these leading security features, the FortiGate is designed to intercept application traffic and reassemble it for the purpose of security. Since we already intercept the application data, it is a logical extension to enable WAN optimization, including caching and compression techniques.

Finally, when you consider that we are coupling sophisticated security features designed to detect and remove unnecessary or malicious traffic with WAN optimization, you receive the highest possible experience with WAN optimization - bandwidth that carries "clean, optimized" traffic. When you consider what it would take from other vendors to deliver a clean, optimized WAN experience, Fortinet's innovative all-in-one solution provides an ROI that is head and shoulders above the field.

SSL Inspection

I see this as a must-have when customers need to be assured that the traffic entering (and exiting) their network is "clean" and safe. While Secure Sockets Layer (SSL) offers encryption and point-to-point protection for communications between two devices for privacy reasons, it can also "hide" possible threats that can ride on the data inside that tunnel.

Consider a user accessing a secured Web site via SSL, except that the Web site has been modified by hackers to deliver a malicious script. This threat could be carried through the SSL connection all the way to the client on the inside of the corporate network. With our ASIC-accelerated SSL inspection technology and sophisticated security features, the FortiGate will intercept the SSL traffic (transparently to the user or host) and inspect it for any possible threats before passing it to the host.

Conversely, it may be just as important to ensure that traffic passed to your servers is inspected and protected from malicious content or threats, thus protecting against attacks from malicious SSL clients.

These are only a few of the most compelling features that we've released in FortiOS 4.0. We build these products to meet the demands of our customers, and our customers come to us because they expect us to be at the leading edge of innovation. We also expect and challenge ourselves to be at the leading edge of innovation, and that's why I am especially proud of this new version of the operating system. With this release our customers will be able to experience these new cutting edge technologies along with the staple Fortinet network and security features that have fueled our continued growth and success.
