Fortinet: Strong and hiring

by David Silveira
September 7, 2010 at 10:16 am

The network security industry has been buzzing with a lot of moving and shaking lately. Some of that buzz has been created by the fact that the market, and especially Fortinet, continues to grow, even in the face of global economic challenges. Not only is Fortinet growing, but we continue to hire at rapid speeds. We’re always on the hunt for top talent across many different departments, and we’re noticing more and more why people like to join our company.

For one, we’ve consistently been a strategic thought leader in this dynamic industry. We’ve been focusing for 10 years on optimizing network security using an internally-developed hardware and chip-based platform — and we’ve been successful at it. So successful that we’re the only security vendor with five ICSA technical certifications. Secondly, a quick review of our financial performance shows that we’re solid and have a consistent track record of revenue growth, profitability and cash flow. Some other accolades:

  • Worldwide Leader in UTM (IDC; Frost & Sullivan)
  • One of Top 4 Network Security Appliance Vendors WW (IDC)
  • Ranked Tier 1 Enterprise Security Vendor (Current Analysis)
  • Leader in Gartner Multi-Function Firewall Magic Quadrant
  • Ranked “Top Player” in Email Security Appliance Quadrant
  • ISO 9001:2000 Certified for Quality Management Systems standard
  • Recently named Network Security Company of the Year for the consecutive year by Everything Channel

A critical factor in Fortinet’s continued success has always been, and will continue to be, our employees. We realize that the success of our company does not rest solely on our award-winning products but with the people who engineer, market, sell, support and manufacture them. We bring on the best people and their satisfaction is one of the reasons that we’ve been voted one of the best places to work in the Bay Area by San Francisco Business Times.

We’re not bragging, we’re hiring. And in order to continue to attract the top talent we need to put our successes out there. If you’re interested in working for Fortinet, here are some jobs that we’re looking to fill in some of our North America locations:

Sunnyvale, CA
Principal Software Engineer (AMRD150)

Software Engineer (AMRD154)

Intermediate/Senior QA Engineers (AMRD160/AMRD162)

Intermediate ASIC Engineer (AMRD169)

Sr. Tax Analyst (AMGA221)

Burnaby, BC

Intermediate Software Engineer (CARD440)

Intermediate/Senior Software Engineer (CARD413/414/431)

Sr. Software Engineer – FortiOS (CARD443)

Sr. Software Engineer – CARD445 – NPI Development Team (CARD445)

New York City
Consulting System Engineer II (AMSL121)

There are plenty of other open jobs. For a full listing of Fortinet jobs all over the world, please visit our careers page, or send your resume to dsilveira@fortinet.com.

Author bio: David Silveira is a recruiter and human resources business partner supporting Americas sales at Fortinet. He has more than 10 years of progressive recruiting and sales experience including successes in both technology and financial organizations.

FortiGate-ONE featured as part of HP’s consolidated secure branch office at Interop [video]

by Jennifer Leggio
May 12, 2010 at 12:03 pm

Author bio: Jennifer Leggio is Fortinet's director of strategic communications.

Antivirus: Are you covered?

by Jeff Crawford
April 5, 2010 at 10:47 am

When it comes to antivirus, how much coverage do you need? Everyone has different concerns when it comes to antivirus coverage. Some people want to circle the wagons and let very little into their networks, while others need some basic protection but prefer speed, speed and more speed. In this article I’ll discuss the new antivirus features in the FortiOS 4.0 MR2 for the FortiGate family and how your device can be configured for your preferred level of coverage versus performance.

Malware Lifecycles

All malware has a life cycle. Some are like shooting stars, blasting across the Internet infecting everything in their path and going out with a bang with the next signature update, leaving much news buzz in their wake. Others creep along, slowly infiltrating systems with their variants, keeping their name alive for months to years. Still others have gone the way of the dinosaurs and only live in memory, no longer spreading or able to spread on modern operating systems, aka the zoo viruses. In general it is the actively spreading viruses that a user needs to be most concerned about, using products that provide coverage for this active malware.

Today viruses are still tracked using the Wild List, a vendor independent managed list of the most active viruses. This is used as a minimal benchmark for vendors, to ensure that customers are protected from the most actively reported threats. The viruses that slow down and eventually drop off of this list eventually find themselves on the list of zoo viruses and are rarely, if ever, seen in the wild again.

Under the Hood

Although there are many different vendors of antivirus products, most vendors use very similar techniques and need to deal with the same issues when trying to detect a virus. Most viruses are contained in a file of some sort, either self executable or as part of a format where it can be executed by another host program (e.g. a macro virus embedded in a document). Roughly 80-85 percent of the effort when examining a file is decomposing the file into a usable form for signature scanning. Decomposing the file is the process of extracting or converting the data of that file to a form where the signature scanning routines can match any known viruses in its corresponding database. For example, an incoming file may be an archive file, such as a zip archive, containing an executable file. If the file is sent in an email it is often in an ASCII format called base64. The file needs to be converted back to binary for deeper examination. This in-depth decomposition of the file is very often required for the most sophisticated viruses and therefore the full file needs to be buffered.

Flow or stream based antivirus is one of the latest techniques being used by network based products for scanning. These scanners have a high throughput and use state based engines to keep track of what they have scanned, but they do have some limitations that probably can’t be solved due to the format of certain types of files. For example, some archive formats cannot be streamed due to complexities in parts of their algorithms, so streaming scanners have difficulty with these files. Heavily encrypted files, packed executables and file infectors may be difficult to detect using these stream based methods since not all the data will be available to assist in decryption of the files. Viruses embedded in documents require more in-depth extraction routines which are probably not commonly used in stream based scanning. Some files, such as polymorphic or packed files, require emulation in order to extract the clear viral code from its encrypted cocoon. Without this level of decomposition the number of different detection signatures that would be required is staggering to imagine. It’s not all bad news however. Flow or stream based methods are quite effective and fast against certain types of malware such as static worms (executables that don’t change their binary composition when they spread), certain Trojans, spyware, adware and other more static malware. Stream methods are useful for large files too, having little file size limits, but if you consider most malware files are relatively small (so they can spread quickly) the only advantage would be on large archives of files (which are most likely manually created and infrequently spread).
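The trade-off described in the two paragraphs above, as an added example that is not from the original article and is not FortiOS code: a buffered scanner that decomposes base64 and zip layers before signature matching, next to a chunked stream scanner that matches raw bytes only. The signature name, the harmless marker bytes, the sample file and the simplification that the stream scanner does no decomposition at all are assumptions made for illustration.

```python
import base64
import io
import zipfile

# Constructed, harmless marker standing in for a virus signature (assumption).
SIGNATURES = {"Demo.TestMarker": b"HARMLESS-DEMO-SIGNATURE-0001"}

def match(data):
    """Return the names of all signatures found in a raw byte buffer."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in data)

def flow_scan(stream, chunk_size=64):
    """Stream-style scan: inspect the session in chunks, no decomposition.
    A tail of the previous chunk is kept as state so that a signature
    split across a chunk boundary is still matched."""
    keep = max(len(sig) for sig in SIGNATURES.values()) - 1
    tail, hits = b"", set()
    for i in range(0, len(stream), chunk_size):
        window = tail + stream[i:i + chunk_size]
        hits.update(match(window))
        tail = window[-keep:]
    return sorted(hits)

def proxy_scan(data, depth=0, max_depth=4):
    """Buffered scan: match, then decompose (base64, zip members) and recurse.
    max_depth bounds the recursion on deeply nested input."""
    hits = set(match(data))
    if depth >= max_depth:
        return sorted(hits)
    layers = []
    try:
        layers.append(base64.b64decode(data, validate=True))
    except ValueError:  # not base64 (binascii.Error is a ValueError)
        pass
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            layers.extend(zf.read(name) for name in zf.namelist())
    for layer in layers:
        hits.update(proxy_scan(layer, depth + 1, max_depth))
    return sorted(hits)

def build_samples():
    """Constructed input: a fake 'executable' carrying the marker, and the
    same file zipped and base64-encoded as it would travel in an email."""
    payload = b"MZ" + b"\x00" * 100 + SIGNATURES["Demo.TestMarker"] + b"\x00" * 50
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.exe", payload)
    return payload, base64.b64encode(buf.getvalue())
```

The static, unpacked file is caught by both scanners, while the zipped and base64-encoded copy is caught only after the full file has been buffered and decomposed.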

What Do You Need?

In this part of the article I’ll discuss the different coverage needs and how you can configure the latest FortiGate products to provide the appropriate level of protection and coverage. First I’ll discuss some of the different users and their basic needs.

  • The Need For Speed: Some users are not overly concerned about full coverage for every virus that ever existed. They just want the Internet as fast as they can get it. For these users basic protection against most malware that is actively spreading is normally sufficient. Many of these users will also use host based antivirus if they want more protection at the host but still keep high speed networking (e.g. ISPs need to provide certain levels of performance so they may augment protection with host based security bundles for their customers). I’ll call these “High Performance” Users.
  • On the Fence: Users in this category desire a bit more coverage but decent performance too. The malware coverage will go further back in history to malware that has lived over about the last year or so, but not go as far back as the ancient viruses of the 70s and 80s. I’ll call these “Cautious” Users.
  • Nothing is Getting In: These users don’t want any viruses, no matter how old, in their networks. These users may be willing to sacrifice a bit of performance for full detection of every malware that has ever existed. I’ll call these users “Guarded” Users.

First Things First, What’s in the Box?

In the next version of the FortiGate OS 4.2 there will be support (on some platforms) for larger antivirus databases and a new stream based antivirus scanning engine. The breakdown of the basic coverage types is as follows:

  • Normal
    • This setting contains signatures for the most currently active threats. These threats are actively spreading on the Internet in some form or another, e.g. via email, self spreading worms, etc.
  • Extended
    • This setting extends the Normal setting to include signatures for recent but no longer active malware, such as viruses that may have been actively spreading within the past year but have significantly or completely died off.
  • Extreme
    • The extreme setting provides the largest coverage and includes coverage of nearly all malware detected by Fortinet including zoo viruses from ages past.
  • Flow
    • The flow antivirus operates independently from the above settings and is used as an alternative to the proxy based antivirus settings (normal, extended and extreme). It is a stream based scanning method in which the network session is inspected in chunks. Although fast, there are limitations with stream based scanning technology such that not all files can be fully decomposed in order to properly scan for a virus. Flow based scanning is however very fast and effective against static threats such as worms, Trojans, spyware and related malware. The flow based antivirus will cover a subsection of what the extreme setting detects.

These settings can be enabled on a per VDOM basis and used for all antivirus protection profiles within that VDOM. As a side note, users can override a specific protection profile setting using the CLI if desired.

High Performance Users

For High performance users there is the option of using the Flow AV option, a stream based scanning engine, or the proxy based normal setting. This can be set per VDOM via the CLI or GUI. Navigate to the UTM menu and select the Antivirus->Virus Database menu item. On this page you will be able to configure your database settings that will be used by default by the antivirus protection profiles.

The normal antivirus database, containing detection for the most active threats, is available on all FortiGate models. Flow AV will only be available on certain newer models such as the FGT-80C, and other mid/high end models.

Cautious Users

For cautious users it is recommended to use the Extended setting. This provides coverage for both older threats, up to about one year, as well as any malware that is actively spreading. Older threats were previously active malware that have essentially died off and are no longer being reported to our servers. Although some of these threats continue to spread in small areas, they are no longer widespread.

The extended database is available on many of the newer mid to high end FortiGate Products.

Guarded Users

For guarded users the extreme setting is the way to go. This gives the largest coverage to prevent both the newest threats from entering the network as well as preventing users from downloading some old archives of legacy malware. Users also have the option of enabling the full grayware detection to scan for programs that may not necessarily be threatening but cause annoyance, such as adware.

The extreme database will be available on many of the newer mid to high end FortiGate Products.

Conclusion

When looking for a product to protect your network, be wary of what various products are offering. You may be looking for speed, but know the benefits and limitations of the different types of technologies so you can choose what is best for your network. Although the data sheet may look impressive in regards to performance numbers, ask what kind of coverage you are really getting. At least ensure that you can get coverage for the Wild List and other active threats with whatever product you choose. I hope this article helps you decide the type of coverage you require in your network and what products suit your needs. May your networks remain infection free.

Author bio: Jeff Crawford has been with Fortinet for 10 years. As a former director of antivirus R&D he was involved in the design and development of the FortiOS antivirus engine and other security filtering modules. Jeff now fills a role as director of product management for FortiOS and several other product lines.

Moving the enterprise firewall forward

by Anthony James
May 22, 2009 at 9:22 am

We had a bit of a win last week. CRNtech published a top-notch review of the FortiGate-620B, one of our more popular multi-threat security appliances among enterprises. We normally don’t like to brag about our products, but this is a project of which our R&D team can be very proud.

Naysayers in the past have expressed concerns that no company can do all things well; we’ve proven that wrong. Here are some examples from the review:

  • What’s attention-grabbing about this device… is that it fights threats that have broken through the security perimeter of the average network, including threats posed by mobile devices that often pass through traditional security defenses.

  • Fortinet has designed this device from the ground up, delivering the goods on both the hardware and the software fronts.

  • The software is the latest, version 4.0’s. core technologies include firewall, Web content filtering, antimalware, intrusion protection, VPN (both IPSec and SSL) and two additional critical components: data leak prevention and granular application control.

  • The management interface is well-designed, and full of information and configuration options… The management interface includes a series of widgets that can be added, changed and moved around offering complete customizability for the administrator.

  • To help sift through the potentially dizzying array of options, the FortiGate’s management interface has intuitive help guides. The help topic relates to the specific area of the interface you are in, a feature that is so helpful and so woefully lacking in other UTMs we have tested.

We’ve worked hard. Thousands of Fortinet customers have already installed and upgraded to FortiOS 4.0 to take advantage of the enhanced security features outlined above. This is an appliance that can scale; as proven by the reviewer, our management interface is grade A.

While again this might be a bit boastful, I’m proud of our team. And thankful for our customers, for giving us the feedback and ideas needed to develop these products.

Author bio: Anthony James is Fortinet's vice president of products.

The FortiOS 4.0 innovation milestone

by Michael Xie
March 3, 2009 at 9:12 am

Today was another big milestone in the history of the company I co-founded and I’m very happy to have this opportunity to tell you about it. Fortinet has released FortiOS 4.0, the firmware upgrade for our FortiGate security systems. This release is the result of a tremendous effort by our development teams over the better part of 12+ months. These highly skilled and talented teams worked hard to design and implement these technology innovations so that we could confidently put the product in front of our customers.

Even in this time of economic uncertainty, I believe that innovation is our greatest strength. While other security vendors are merely coasting along, Fortinet is focused more than ever on expanding our vision for comprehensive and easily managed network security solutions. We are continuously updating our FortiOS firmware and each release builds upon our existing, pioneering innovations. For example, with FortiOS 3.0, Fortinet became the first security hardware company to offer VoIP / IM / P2P security; we were also the first security vendor to deliver integrated SSL VPN with complete content inspection. We’ve now built upon that technology to offer full application control and prioritization of more than 1,000 apps. Overall, our FortiOS 4.0 release delivers on two main objectives:

  1. Give our FortiGate customers access to security technologies and features that were previously only available via a combination of standalone vendors
  2. Continue to drive the increased security capabilities that help protect our customers from the never-ending and evolving threat landscape

FortiOS 4.0 introduces several features, the four most significant of which I want to highlight here:

  • Application Control
  • Data Leakage Prevention
  • WAN Optimization
  • SSL Inspection


Author bio: Michael Xie, founder, CTO and vice president of engineering for Fortinet, has been in the security industry more than 15 years.