<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
	xmlns:media="http://search.yahoo.com/mrss/"
>

<channel>
	<title>Fortinet Security Blog &#187; UTM</title>
	<atom:link href="http://blog.fortinet.com/tag/utm/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.fortinet.com</link>
	<description>Real Time Network Protection</description>
	<lastBuildDate>Wed, 08 Sep 2010 16:35:55 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<!-- podcast_generator="podPress/8.8" -->
		<copyright>&#xA9;Fortinet Product Marketing </copyright>
		<managingEditor>jleggio@fortinet.com (Fortinet Product Marketing)</managingEditor>
		<webMaster>jleggio@fortinet.com (Fortinet Product Marketing)</webMaster>
		<category>Fortinet Product Information</category>
		<ttl>1440</ttl>
		<itunes:keywords>forti-gate, anti-spam, anti-virus, fortigate</itunes:keywords>
		<itunes:subtitle>The latest news and information about Fortinet products and services for Real Time Network Protection.</itunes:subtitle>
		<itunes:summary>Fortinet is a leading provider of Unified Threat Management (UTM) network security solutions for enterprise and service provider environments. The Fortinet FortiCast delivers news, information, and tutorials about products, services, and industry trends. Fortinet's FortiGate product line and FortiGuard security subscription services provide an array of integrated network security functions including antivirus, firewall, virtual private networking, intrusion prevention (IPS), web filtering, antispam and traffic optimization. </itunes:summary>
		<itunes:author>Fortinet Product Marketing</itunes:author>
		<itunes:category text="Technology"/>
<itunes:category text="Technology">
  <itunes:category text="Tech News"/>
</itunes:category>
		<itunes:owner>
			<itunes:name>Fortinet Product Marketing</itunes:name>
			<itunes:email>jleggio@fortinet.com</itunes:email>
		</itunes:owner>
		<itunes:block>No</itunes:block>
		<itunes:explicit>no</itunes:explicit>
		<itunes:image href="http://blog.fortinet.com/wp-content/uploads/2009/01/forticast-300x300.jpg" />
		<image>
			<url>http://blog.fortinet.com/wp-content/uploads/2009/01/forticast-144x144.jpg</url>
			<title>Fortinet Security Blog</title>
			<link>http://blog.fortinet.com</link>
			<width>144</width>
			<height>144</height>
		</image>
		<item>
		<title>Stop the (Network Security) Insanity!</title>
		<link>http://blog.fortinet.com/stop-the-network-security-insanity/</link>
		<comments>http://blog.fortinet.com/stop-the-network-security-insanity/#comments</comments>
		<pubDate>Wed, 18 Aug 2010 16:09:22 +0000</pubDate>
		<dc:creator>JLeggio</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[antimalware]]></category>
		<category><![CDATA[Antispam]]></category>
		<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[ips]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[UTM]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=1498</guid>
		<description><![CDATA[
]]></description>
			<content:encoded><![CDATA[<p><object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/RufELjP4EKw?fs=1&amp;hl=en_US"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/RufELjP4EKw?fs=1&amp;hl=en_US" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/stop-the-network-security-insanity/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Fortinet Security Survey / iPad Giveaway</title>
		<link>http://blog.fortinet.com/fortinet-security-survey-ipad-giveaway/</link>
		<comments>http://blog.fortinet.com/fortinet-security-survey-ipad-giveaway/#comments</comments>
		<pubDate>Wed, 26 May 2010 16:05:04 +0000</pubDate>
		<dc:creator>RPopko</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[enterprise firewall]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[security survey]]></category>
		<category><![CDATA[UTM]]></category>
		<category><![CDATA[win ipad]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=1242</guid>
		<description><![CDATA[Fortinet is conducting a 2010 network security survey. Completing the 15 multiple  choice questions automatically enters takers into a drawing for a chance to win one  of three new Apple iPads. By taking this survey, you are helping us better  understand what the users see as significant trends that are occurring in [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.fortinet.com/wp-content/uploads/2010/05/ipad.jpg.png"><img class="alignleft size-full wp-image-1243" title="ipad.jpg" src="http://blog.fortinet.com/wp-content/uploads/2010/05/ipad.jpg.png" alt="ipad.jpg" width="139" height="78" /></a>Fortinet is conducting a <a href="http://www.surveymonkey.com/securitysurvey">2010 network security survey</a>. Completing the 15 multiple  choice questions automatically enters takers into a drawing for a chance to win one  of three new Apple iPads. By taking <a href="http://www.surveymonkey.com/s.aspx?sm=503HNSY0ofyKGKJOLPN3IPaS%2fWyVTof48mjcSBP%2bR6A%3d&amp;">this survey</a>, you are helping us better  understand what the users see as significant trends that are occurring in the security industry. While your answers will remain anonymous, we ask for your email at the end  of <a href="http://www.surveymonkey.com/s.aspx?sm=503HNSY0ofyKGKJOLPN3IPaS%2fWyVTof48mjcSBP%2bR6A%3d&amp;">the survey</a> so that you can be notified should you be one of the three lucky iPad winners.</p>
<p>Winners will be announced in August. Questions related to  this survey can be addressed to <a href="mailto:rpopko@fortinet.com">Rick Popko</a>. Thank you for your  participation.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/fortinet-security-survey-ipad-giveaway/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Firewall revolution or evolution?</title>
		<link>http://blog.fortinet.com/firewall-revolution-or-evolution/</link>
		<comments>http://blog.fortinet.com/firewall-revolution-or-evolution/#comments</comments>
		<pubDate>Mon, 19 Apr 2010 16:47:38 +0000</pubDate>
		<dc:creator>AJames</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[UTM]]></category>
		<category><![CDATA[enterprise utm]]></category>
		<category><![CDATA[Firewall]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=1145</guid>
		<description><![CDATA[
The following article originally appeared in SC Magazine
Firewalls are again becoming talk of  the town. There are an enormous amount of opinions, including claims of  a recent firewall revolution that have been proposed to completely  change the firewall landscape. I will be the first to admit that the  features and capabilities [...]]]></description>
			<content:encoded><![CDATA[<div>
<p><i>The following article originally appeared in <a href="http://www.scmagazineus.com/firewall-revolution-or-evolution/article/168055/">SC Magazine</a></i></p>
<p>Firewalls are again becoming the talk of the town. There is an enormous number of opinions, including claims of a recent firewall revolution that have been proposed to completely change the firewall landscape. I will be the first to admit that the features and capabilities offered in today&#8217;s firewall products are not the same as were offered in their original incarnation. But then again, traffic patterns and applications are not the same as they were when firewalls first hit the market.</p>
<p>If we look at some of the original firewall products (bypassing the whole proxy versus stateful approaches), most products focused on a simple, yet powerful proposition – allow or deny specific protocols (applications), and most often the policy was to deny all and allow a few exceptions. The general intent is to insert a barrier at the network border fending off unnecessary and potentially dangerous application traffic. These firewall policies were based on a common way to identify the application &#8211; the layer 4 protocol identifier.</p>
<p>Today, applications have taken a dramatically  different approach in terms of user interface and communication methods.  It should not be a surprise that the majority of applications have  moved from a proprietary, client-based executable user interface and  unique communication protocol to a web-based interface / communication  method. This “webification” of applications is due in part to the  innovations in web technology and the ability to deliver rich user  experiences that parallel previous “heavy” client-based GUI applications  in a web-based environment.</p>
<p>Given this change in application  delivery, it is natural for firewalls to evolve and address the new  challenge of application security. Obviously the same principles exist  as with the original firewall concept – allow / deny applications based  on a corporate security policy. However, if every application uses a  common web communication method such as HTTP &#8211; port 80, how would the  traditional firewall implement appropriate controls? If port 80 is  “allowed” through the firewall, it would open access to a plethora of  applications, some of which could be contrary to the overall security  policy.</p>
<p>This is where things get interesting regarding the so-called “firewall revolution” being claimed today, whereby applications are identified based on their content, distinguishing, for example, between peer-to-peer (P2P) applications and hosted business applications. While this is a new way to identify applications, I don&#8217;t agree it is a “revolution” because other security technologies have been doing this type of detection for quite a while, including intrusion prevention/detection systems (IPS/IDS). With IPS/IDS technologies, the ability to distinguish between multiple applications on a common protocol employs exactly the same principle as the proposed new firewall “revolution”. The new “revolution” isn&#8217;t a revolution at all. It is nothing new, just a new way to use existing capabilities.</p>
<p>It  seems disingenuous and just plain marketing hype to say that extending  the application identification technology as part of a firewall policy  is revolutionary. What is really happening is the evolution of the  firewalls to meet the application evolution.</p>
<p>If there is  anything revolutionary about firewalls today, it is the incorporation of  content-based security technologies being integrated into the firewall,  something that was previously thought to be impossible. The true  revolution is in identifying threats within the application content,  irrespective of the application, not just a new way to identify an  application and allow or deny it.</p>
<p>A security solution that  harnesses the power of application control and content-based security  enforcement is the true state of firewall technology innovation –  especially if you agree that firewalls should be deployed as defense  mechanisms to eliminate threats versus an “allow-or-deny” paradigm for  application access.</p></div>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/firewall-revolution-or-evolution/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Antivirus: Are you covered?</title>
		<link>http://blog.fortinet.com/antivirus-are-you-covered/</link>
		<comments>http://blog.fortinet.com/antivirus-are-you-covered/#comments</comments>
		<pubDate>Mon, 05 Apr 2010 17:47:42 +0000</pubDate>
		<dc:creator>JCrawford</dc:creator>
				<category><![CDATA[Inside FortiOS]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[UTM]]></category>
		<category><![CDATA[Antivirus]]></category>
		<category><![CDATA[FortiGate]]></category>
		<category><![CDATA[Fortinet]]></category>
		<category><![CDATA[FortiOS]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=1113</guid>
		<description><![CDATA[When it comes to antivirus, how much coverage do you need? Everyone has different concerns when it comes to antivirus coverage. Some people want to circle the wagons and let very little into their networks, while others need some basic protection but prefer speed, speed and more speed. In this article I&#8217;ll discuss the new [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.fortinet.com/wp-content/uploads/2010/02/Inside-FortiOS_Blog_Logo-150px.gif"><img class="alignleft size-full wp-image-981" style="margin: 6px 8px;" title="Inside-FortiOS_Blog_Logo-150px" src="http://blog.fortinet.com/wp-content/uploads/2010/02/Inside-FortiOS_Blog_Logo-150px.gif" alt="Inside-FortiOS_Blog_Logo-150px" width="150" height="47" /></a>When it comes to antivirus, how much coverage do you need? Everyone has different concerns when it comes to antivirus coverage. Some people want to circle the wagons and let very little into their networks, while others need some basic protection but prefer speed, speed and more speed. In this article I&#8217;ll discuss the new antivirus features in the FortiOS 4.0 MR2 for the FortiGate family and how your device can be configured for your preferred level of coverage versus performance.</p>
<h3><strong>Malware Lifecycles</strong></h3>
<p><a href="http://agilewarrior.files.wordpress.com/2009/03/circlethewagons.jpg"><img class="alignright size-full wp-image-1116" title="circlethewagons" src="http://blog.fortinet.com/wp-content/uploads/2010/04/circlethewagons.jpg" alt="circlethewagons" width="288" height="181" /></a>All malware has a life cycle. Some are like shooting stars, blasting across the Internet infecting everything in their path and going out with a bang with the next signature update, leaving much news buzz in their wake. Others creep along, slowly infiltrating systems with their variants, keeping their name alive for months to years. Still others have gone the way of the dinosaurs and only live in memory, no longer spreading or able to spread on modern operating systems, aka the zoo viruses. In general, it is the actively spreading viruses that a user needs to be most concerned about, and users should choose products that provide coverage for this active malware.</p>
<p>Today viruses are still tracked using the Wild List, a vendor independent managed list of the most active viruses. This is used as a minimal benchmark for vendors, to ensure that customers are protected from the most actively reported threats. The viruses that slow down and eventually drop off of this list eventually find themselves on the list of zoo viruses and are rarely, if ever, seen in the wild again.</p>
<h3><strong>Under the Hood</strong></h3>
<p>Although there are many different vendors of antivirus products, most vendors use very similar techniques and need to deal with the same issues when trying to detect a virus. Most viruses are contained in a file of some sort, either self executable or as part of a format where it can be executed by another host program (e.g. a macro virus embedded in a document). Roughly 80-85 percent of the effort when examining a file is decomposing the file into a usable form for signature scanning. Decomposing the file is the process of extracting or converting the data of that file to a form where the signature scanning routines can match any known viruses in its corresponding database. For example, an incoming file may be an archive file, such as a zip archive, containing an executable file. If the file is sent in an email it is often in an ASCII format called base64. The file needs to be converted back to binary for deeper examination. This in-depth decomposition of the file is very often required for the most sophisticated viruses and therefore the full file needs to be buffered.</p>
<p>Flow or stream based antivirus is one of the latest techniques being used by network based products for scanning. They have a high throughput and use state based engines to keep track of what they have scanned, but they do have some limitations that probably can&#8217;t be solved due to the format of certain types of files. For example, some archive formats cannot be streamed due to complexities in parts of their algorithms, so streaming scanners have difficulty with these files. Heavily encrypted files, packed executables and file infectors may be difficult to detect using these stream based methods since not all the data will be available to assist in decryption of the files. Viruses embedded in documents require more in-depth extraction routines which are probably not commonly used in stream based scanning. Some files, such as polymorphic or packed files, require emulation in order to extract the clear viral code from its encrypted cocoon. Without this level of decomposition the number of different detection signatures that would be required is staggering to imagine. It’s not all bad news however. Flow or stream based methods are quite effective and fast against certain types of malware such as static worms (executables that don&#8217;t change their binary composition when they spread), certain Trojans, spyware, adware and other more static malware. Stream methods are useful for large files too, having few file size limits, but if you consider most malware files are relatively small (so they can spread quickly) the only advantage would be on large archives of files (which are most likely manually created and infrequently spread).</p>
<h3><strong>What Do You Need?</strong></h3>
<p>In this part of the article I&#8217;ll discuss the different coverage needs and how you can configure the latest FortiGate products to provide the appropriate level of protection and coverage. First I&#8217;ll discuss some of the different users and their basic needs.</p>
<ul>
<li><strong>The Need For Speed</strong>: Some users are not overly concerned about full coverage for every virus that ever existed. They just want the Internet as fast as they can get it. For these users basic protection against most malware that is actively spreading is normally sufficient. Many of these users will also use host based antivirus if they want more protection at the host but still keep high speed networking (e.g. ISPs need to provide certain levels of performance so they may augment protection with host based security bundles for their customers). I&#8217;ll call these &#8220;High Performance&#8221; Users.</li>
<li><strong>On the Fence</strong>: Users in this category desire a bit more coverage but decent performance too. The malware coverage will go further back in history to malware that has lived over about the last year or so, but not go as far back as the ancient viruses of the 70s and 80s. I&#8217;ll call these &#8220;Cautious&#8221; Users.</li>
<li><strong>Nothing is Getting In</strong>: These users don&#8217;t want any viruses, no matter how old, in their networks. These users may be willing to sacrifice a bit of performance for full detection of every malware that has ever existed. I&#8217;ll call these users &#8220;Guarded&#8221; Users.</li>
</ul>
<h3><strong>First Things First, What&#8217;s in the Box?</strong></h3>
<p>In the next version of the FortiGate OS 4.2 there will be support (on some platforms) for larger antivirus databases and a new stream based antivirus scanning engine. The breakdown of the basic coverage types is as follows:</p>
<ul>
<li><strong>Normal</strong>
<ul>
<li><a href="http://blog.fortinet.com/wp-content/uploads/2010/04/avdbtypes.gif"><img class="alignright size-full wp-image-1118" title="avdbtypes" src="http://blog.fortinet.com/wp-content/uploads/2010/04/avdbtypes.gif" alt="avdbtypes" /></a>This setting contains signatures for the most currently active threats. These threats are actively spreading on the Internet in some form or another, e.g. via email, self spreading worms, etc.</li>
</ul>
</li>
<li><strong>Extended</strong>
<ul>
<li>This setting extends the Normal setting to include signatures for recent but no longer active malware, such as viruses that may have been actively spreading within the past year but have significantly or completely died off.</li>
</ul>
</li>
<li><strong>Extreme</strong>
<ul>
<li>The extreme setting provides the largest coverage and includes coverage of nearly all malware detected by Fortinet including zoo viruses from ages past.</li>
</ul>
</li>
<li><strong>Flow</strong>
<ul>
<li>The flow antivirus operates independently from the above settings and is used as an alternative to the proxy based antivirus settings (normal, extended and extreme). It is a stream based scanning method in which the network session is inspected in chunks. Although fast, there are limitations with stream based scanning technology such that not all files can be fully decomposed in order to properly scan for a virus. Flow based scanning is however very fast and effective against static threats such as worms, Trojans, spyware and related malware. The flow based antivirus will cover a subsection of what the extreme setting detects.</li>
</ul>
</li>
</ul>
<p>These settings can be enabled on a per VDOM basis and used for all antivirus protection profiles within that VDOM. As a side note, users can override a specific protection profile setting using the CLI if desired.</p>
<h3><strong>High Performance Users</strong></h3>
<p>For High performance users there is the option of using the Flow AV option, a stream based scanning engine, or the proxy based normal setting. This can be set per VDOM via the CLI or GUI. Navigate to the UTM menu and select the Antivirus-&gt;Virus Database menu item. On this page you will be able to configure your database settings that will be used by default by the antivirus protection profiles.</p>
<p>The normal antivirus database, containing detection for the most active threats, is available on all FortiGate models. Flow AV will only be available on certain newer models such as the FGT-80C, and other mid/high end models.</p>
<h3><strong>Cautious Users</strong></h3>
<p>For cautious users it is recommended to use the Extended setting. This provides coverage for both older threats, up to about one year, as well as any malware that is actively spreading. Older threats were previously active malware that have essentially died off and are no longer being reported to our servers. Although some of these threats continue to spread in small areas, they are no longer widespread.</p>
<p>The extended database is available on many of the newer mid to high end FortiGate Products.</p>
<h3><strong>Guarded Users</strong></h3>
<p>For guarded users the extreme setting is the way to go. This gives the largest coverage to prevent both the newest threats from entering the network as well as preventing users from downloading some old archives of legacy malware. Users also have the option of enabling the full grayware detection to scan for programs that may not necessarily be threatening but cause annoyance, such as adware.</p>
<p>The extreme database will be available on many of the newer mid to high end FortiGate Products.</p>
<h3><strong>Conclusion</strong></h3>
<p>When looking for a product to protect your network, be wary of what various products are offering. You may be looking for speed, but know the benefits and limitations of the different types of technologies so you can choose what is best for your network. Although the data sheet may look impressive in regards to performance numbers, ask what kind of coverage you are really getting. At least ensure that you can get coverage for the Wild List and other active threats with whatever product you choose. I hope this article helps you decide the type of coverage you require in your network and what products suit your needs. May your networks remain infection free.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/antivirus-are-you-covered/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>UTM accelerated – Is the performance ready for widespread adoption?</title>
		<link>http://blog.fortinet.com/utm-accelerated-%e2%80%93-is-the-performance-ready-for-widespread-adoption/</link>
		<comments>http://blog.fortinet.com/utm-accelerated-%e2%80%93-is-the-performance-ready-for-widespread-adoption/#comments</comments>
		<pubDate>Tue, 16 Mar 2010 18:29:39 +0000</pubDate>
		<dc:creator>AJames</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[UTM]]></category>
		<category><![CDATA[asic]]></category>
		<category><![CDATA[hardware performance]]></category>
		<category><![CDATA[unified threat management]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=1043</guid>
		<description><![CDATA[When security vendors began to seek a combination of traditional layer 3 / layer 4 security technologies with application-based inspection engines almost a decade ago, the result was the birth of the now understood product offerings known as Unified Threat Management, or UTM.  Since the technology influencers, vendors and analyst community assigned the moniker in [...]]]></description>
			<content:encoded><![CDATA[<p>When security vendors began to seek a combination of traditional layer 3 / layer 4 security technologies with application-based inspection engines almost a decade ago, the result was the birth of the now understood product offerings known as Unified Threat Management, or UTM.  Since the technology influencers, vendors and analyst community assigned the moniker in early 2000, UTM has seen a tremendous growth and success in adoption by various customers worldwide.</p>
<p>When we look through the evolution of UTM, it is easy to understand how this technology was initially positioned, and today still carries a connotation of Small / Medium Business (SMB). In truth, the first products were targeted at SMB customers for a couple of reasons:</p>
<ol>
<li>Economics – As many small businesses struggle with balancing profit vs. the cost of operating their businesses, they often look for the products and services that provide the biggest “bang for the buck”.  This is one of the main benefits offered by UTM products as they integrate multiple security features like firewall, VPN, antivirus, intrusion prevention (IPS) and a host of additional security elements into a single product.  This means that instead of purchasing many solutions to fend off the barrage of security attacks, they need only invest in one – UTM.</li>
<li>State of the technology – After the UTM term was uniformly adopted by the industry, in the early days it opened the floodgates for entrepreneurs trying to capitalize on this growing market, and the barrage of software-based solutions exploded. Many of these were a simple combination of off-the-shelf packages thrown together under a common management interface.  This provided a barrier for many, as they were not scalable enough to meet the demands of medium and large enterprise businesses.</li>
</ol>
<p>The early roots and initial attempts by software UTM vendors created an inappropriate connotation of SMB for UTM.  That connotation unfortunately is not accurate, especially for vendors that helped shape the vision of UTM and saw that custom hardware, ASIC acceleration and an integrated approach to security features would pave the way for high-performance UTM products that are viable replacements and alternatives to aging layer 3/4 security infrastructures.</p>
<p>Consider a parallel evolution in security technology history with respect to the convergence of firewall and VPN technologies.  When the VPN world began to evolve, the networking and security vendors produced effective, scalable VPN concentrator products that delivered on their promise – high-performance, secure, remote communications.  Today, it would be almost absurd to think of firewalls and VPNs as separate appliances.  This begs the question as to how and why this convergence occurred.  One proposition is that the computing power requirements to support firewall processing and VPN encryption were met with advances in hardware acceleration, therefore allowing the combination we are familiar with today.  Obviously technology maturity was a major factor, and you can argue that the combination made logical sense as these technologies are typically deployed together at a security border.</p>
<p>Now, if you consider the combination of firewall/VPN as a valid combination based on the result of advances in technology supporting the complex processing required, it stands to reason that the same should be said for UTM.  In fact, vendors that are focused on UTM will argue that they are building on that same philosophy.  Developments in hardware-based platforms that employ purpose-built custom ASICs with integrated security software have made it possible to deliver high-performance UTM solutions, breaking the previous adoption barriers for medium and large enterprises.</p>
<p>Recent UTM products introduced into the industry have proven that not only are they capable of delivering comprehensive security, far superior to traditional firewall/VPN devices, but they are able to keep pace with network infrastructure demands of the largest networks.  Solutions available today designed for mid-range and high-end enterprises utilize state-of-the-art custom silicon (ASICs) to accelerate application content inspection, allowing for multi-features security processing without grinding network performance to a halt.  Additional advances in blade-based products with load distribution capabilities provide multi-Gigabit performance for UTM and show the ability to deliver up to 10-Gig and beyond performance capabilities today with an estimated 10 fold increase in the near term.</p>
<p>The lesson: We should consider advances in UTM good for the industry and not believe the naysayers who urge us to believe that UTM is SMB.  The proof is in the pudding, and I would urge any customer looking at security infrastructure upgrades to evaluate a UTM product both on security features as well as performance – I believe many will surely be surprised with the result.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/utm-accelerated-%e2%80%93-is-the-performance-ready-for-widespread-adoption/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>On balance, is it still UTM?</title>
		<link>http://blog.fortinet.com/on-balance-is-it-still-utm/</link>
		<comments>http://blog.fortinet.com/on-balance-is-it-still-utm/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 17:02:03 +0000</pubDate>
		<dc:creator>CWindsor</dc:creator>
				<category><![CDATA[Inside FortiOS]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[UTM]]></category>
		<category><![CDATA[FortiGate]]></category>
		<category><![CDATA[load balancer]]></category>
		<category><![CDATA[load balancing]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=1014</guid>
		<description><![CDATA[With all of the features available in the FortiGate operating system, such as our antivirus, web filtering, IPS and antispam, together with the newer additions such as SSL VPN, DLP, WAN Optimization, etc., it is easy to overlook some of the lesser known features our solution provides.
I wanted to mention our load balancing capability as [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.fortinet.com/wp-content/uploads/2010/02/Inside-FortiOS_Blog_Logo-150px.gif"><img class="alignleft size-full wp-image-981" style="margin-left: 8px; margin-right: 8px;" title="Inside-FortiOS_Blog_Logo-150px" src="http://blog.fortinet.com/wp-content/uploads/2010/02/Inside-FortiOS_Blog_Logo-150px.gif" alt="Inside-FortiOS_Blog_Logo-150px" width="150" height="47" /></a>With all of the features available in the FortiGate operating system, such as our antivirus, web filtering, IPS and antispam, together with the newer additions such as SSL VPN, DLP, WAN Optimization, etc., it is easy to overlook some of the lesser known features our solution provides.</p>
<p>I wanted to mention our load balancing capability as another one of those surprising Fortinet free features.</p>
<p>Of course in the current economic climate, consolidation, something Fortinet has pioneered for the past decade, is always being sought and the more features that a unified solution can provide the better.  Realists will always point out, however, that consolidation only works when the features being offered are of a sufficient quality compared with other solutions on the market.  This is where the little known FortiGate load balancing feature often surprises.</p>
<p>The Fortinet load balancing feature set contains all of the features you would expect of a server load balancing solution.  Traffic can be balanced across backend servers based on multiple methods including static (failover), round robin, weighted to account for different sized servers, or based on the health and performance of the server, including round trip time and number of connections.  The load balancer supports HTTP/S, SSL, or generic TCP/UDP or IP protocols.  Session persistence is supported based on the SSL session ID or based on an injected HTTP cookie.  The load balancing feature is supported on all devices from the FG50B upwards and supports 10,000 virtual servers on the high-end systems.</p>
<p>In addition to the load balancing features, there is also a range of heavy duty options including:</p>
<ul>
<li>SSL Offload, where the decryption process is offloaded to the FortiGate custom ASIC to accelerate performance.</li>
<li>HTTP Multiplexing, where multiple HTTP streams are pipelined into a single request to the backend server.</li>
<li>Intrusion Prevention, performed on the traffic before distribution out to the servers, protecting them from attack.</li>
</ul>
<p>Quite the UTM appliance&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/on-balance-is-it-still-utm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Does religion blind our technology decisions?</title>
		<link>http://blog.fortinet.com/does-religion-blind-our-technology-decisions/</link>
		<comments>http://blog.fortinet.com/does-religion-blind-our-technology-decisions/#comments</comments>
		<pubDate>Wed, 21 Oct 2009 19:00:00 +0000</pubDate>
		<dc:creator>AJames</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[enterprise firewall]]></category>
		<category><![CDATA[enterprise utm]]></category>
		<category><![CDATA[gartner]]></category>
		<category><![CDATA[next generation firewall]]></category>
		<category><![CDATA[UTM]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=663</guid>
		<description><![CDATA[It seems that we keep getting caught up in what can be referred to as “religious” discussions when it comes to technology and the choices in front of us.  Consider the UTM debate and the proposition by influencers of the industry that enterprises have no business investing in this technology.  I am not going to [...]]]></description>
			<content:encoded><![CDATA[<p>It seems that we keep getting caught up in what can be referred to as “religious” discussions when it comes to technology and the choices in front of us.  Consider the UTM debate and the proposition by influencers of the industry that enterprises have no business investing in this technology.  I am not going to focus on the debate between UTM and alternatives available within the market today; instead I want to ask why there needs to be a line drawn in the sand. Is there value in telling enterprises “thou shall not adopt UTM,” or is there more value in giving an impartial opinion on how each approach has its own respective merits for ANYONE, enterprise or not? Never before (at least not that I can recall) have there been such adamant drives to <span style="text-decoration: underline;">tell</span> customers what technology simply has NO PLACE for them.</p>
<p>This is casting our memories back to a time when firewalls and VPNs were “supposed to be” separated for many reasons (performance, security etc.), but with technology innovation and advances the naysayers were silenced.  Yes, it makes sense to merge these perimeter technologies – the technology exists, it makes sense and it benefits customers.</p>
<p>Can we not draw a parallel between this example and new security products and solutions?  Yes, I don’t doubt that there are some customers that are not ready for the convergence of an integrated security solution (aka UTM), but there are many customers who are ready and for whom a UTM solution is right. “Evangelists” are merely doing the industry a disservice by saying “NO! You might like the idea, heck you might even like the product and can derive significant benefit from it…but you are an ENTERPRISE! Send that box packing on that <a href="http://blogs.gartner.com/greg_young/2009/09/29/unicorns-pixies-and-enterprise-utm/#comments">Unicorn riding Pixie it rode in on</a>.”</p>
<p>We can all quote factual data supporting any side of the story, but at the end of the day what counts is that we are all developing products and technologies to stop the spread of cybercrime and protect customers and their infrastructures.  The packaging is just the wrapping – do yourself a favor, evaluate and purchase the technology that solves your problem, and if you are an enterprise evaluating UTM, don’t fret. We are here to support you.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/does-religion-blind-our-technology-decisions/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Enterprise UTM is not a myth</title>
		<link>http://blog.fortinet.com/enterprise-utm-is-not-a-myth/</link>
		<comments>http://blog.fortinet.com/enterprise-utm-is-not-a-myth/#comments</comments>
		<pubDate>Mon, 28 Sep 2009 16:53:16 +0000</pubDate>
		<dc:creator>AJames</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[enterprise firewall]]></category>
		<category><![CDATA[enterprise utm]]></category>
		<category><![CDATA[gartner]]></category>
		<category><![CDATA[UTM]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=624</guid>
		<description><![CDATA[In July, Gartner published its Magic Quadrant for SMB Multifunction Firewalls report, which we view positively as it is the firm’s official validation of multifunction security consolidation appliances. Gartner defines multifunction firewalls as all-in-one security appliances, and multifunction firewall is the firm’s term for what has been more widely known as unified threat management, or [...]]]></description>
			<content:encoded><![CDATA[<p>In July, Gartner published its Magic Quadrant for SMB Multifunction Firewalls report, which we view positively as it is the firm’s official validation of multifunction security consolidation appliances. Gartner defines multifunction firewalls as all-in-one security appliances, and multifunction firewall is the firm’s term for what has been more widely known as unified threat management, or UTM, coined by IDC in 2004.</p>
<p>Fortinet pioneered and built its business on the vision that unified solutions bring security, cost, and operational benefits to customers of all sizes. While we are pleased to be the best-positioned vendor in Gartner’s report, we disagree with various statements the firm makes &#8212; namely that multifunction firewalls (or UTM solutions) only belong in small to medium business environments. We see evidence to the contrary every single day.</p>
<p>It is true that SMBs and larger enterprises use multifunction firewalls differently; SMBs typically deploy more of the integrated security functions than do large enterprises. However, we believe, and the data supports, that numerous enterprises, telecommunication carriers and service providers have adopted UTM solutions for the benefit of being able to turn the functions on one at a time as needed without having to deploy additional functions. This is a clear trend among our enterprise customers. But perhaps the strongest evidence for UTM’s rightful place in enterprise environments is quantitative data from IDC.</p>
<p>According to the IDC Worldwide Security Appliance Tracker, more than $500 million was spent on enterprise and high-end UTM appliances in 2008, compared with $280 million in 2006*. So, if UTM is not an enterprise or high-end play, where are all of these units going?</p>
<p>Further supporting IDC’s quantitative data is research from Frost &amp; Sullivan, which reported in its World Unified Threat Management 2008 end-user study that “UTM has started to appear in enterprise and data-center class networks.”  We are observing the same trends that IDC and Frost &amp; Sullivan are seeing. Here is some data to support this:</p>
<ul>
<li>Fortinet has shipped more than 450,000 UTM appliances.</li>
<li>More than 75,000 global customers, including the majority of the Global 100, have purchased our UTM appliances.</li>
<li>Some notable customers include Polycom, CKE Restaurants, Sylvania and many branches of the U.S. Federal Government, including the Marine Corps, Army, Navy, Air Force, civilian agencies and the intelligence community.</li>
</ul>
<p>Gartner is certainly entitled to its opinion, but there are hard facts to support the notion that UTM appliances are not an SMB-only solution. Data from numerous analyst firms, vendors, and end-users themselves give credence to the fact that enterprises are adopting UTM solutions at an accelerating pace. For a firm like Gartner to continue to ignore or refute this market shift is difficult to fully understand and seems a disservice to those who rely on its research and analysis.</p>
<p>* Data based on price bands above $6K</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/enterprise-utm-is-not-a-myth/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Faster than the speed of steam?</title>
		<link>http://blog.fortinet.com/faster-than-the-speed-of-steam/</link>
		<comments>http://blog.fortinet.com/faster-than-the-speed-of-steam/#comments</comments>
		<pubDate>Wed, 26 Aug 2009 16:28:56 +0000</pubDate>
		<dc:creator>DTurnbull</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[performance]]></category>
		<category><![CDATA[UTM]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=507</guid>
		<description><![CDATA[A team of British eccentrics has broken the 103-year-old  record for a steam-powered car, previously standing at 127mph. The record now  stands at close to 140mph, but with the super heated steam being injected into  the turbine at more than twice the speed of sound, there is clearly more to the  [...]]]></description>
			<content:encoded><![CDATA[<p>A <a href="http://news.bbc.co.uk/1/hi/england/hampshire/8209288.stm">team of British eccentrics</a> has broken the 103-year-old  record for a steam-powered car, previously standing at 127mph. The record now  stands at close to 140mph, but with the super heated steam being injected into  the turbine at more than twice the speed of sound, there is clearly more to the  speed of the car than the speed of the steam.</p>
<p>The good news about all this is that it does give us an excuse to look at the speed of security devices. Picking up your favourite data sheet, you can see speeds quoted based on link speeds, up to values of throughput and maybe even some hint at the packets-per-second numbers. Of course, these numbers are based on test cases &#8212; and RFC 2544 does a good job of defining how to navigate around these claims for network devices, introducing the idea of testing based on differing packet sizes. It even suggests packet sizes to use when testing 4M token ring. It was written in 1999, not quite the same longevity as our steam-powered car, but not bad.</p>
<p>Complex environments generate increasingly complex test cases and, of course, with more and more features being consolidated into a single device, the ability to predict the likely performance of that device in all cases can become a real headache, particularly if you are reliant on a general-purpose CPU. Providing dedicated hardware elements to offload the more intensive aspects of the performance helps greatly when generating test cases and solution designs. This is not a new idea, but can sometimes be lost in the feature race. Take a look at how hot your steam is&#8230;.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/faster-than-the-speed-of-steam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Next generation security: An interview with Michael Xie</title>
		<link>http://blog.fortinet.com/next-generation-security-an-interview-with-michael-xie/</link>
		<comments>http://blog.fortinet.com/next-generation-security-an-interview-with-michael-xie/#comments</comments>
		<pubDate>Thu, 09 Jul 2009 20:56:39 +0000</pubDate>
		<dc:creator>JLeggio</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[performance]]></category>
		<category><![CDATA[threat chaos]]></category>
		<category><![CDATA[UTM]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=420</guid>
		<description><![CDATA[Earlier this week, independent analyst Richard Stiennon posted a video interview he did with Michael Xie. From Stiennon&#8217;s blog post:
Michael Xie is CTO of Fortinet and drives all of their development of true “Next Generation” security appliances. Hear him describe his views on speeds and feeds, routing and switching in the firewall, and cost per [...]]]></description>
			<content:encoded><![CDATA[<p>Earlier this week, independent analyst <a href="http://www.threatchaos.com">Richard Stiennon</a> posted a video interview he did with Michael Xie. From Stiennon&#8217;s <a href="http://threatchaos.com/2009/07/interview-with-cto-of-fortinet-michael-xie/">blog post</a>:</p>
<blockquote><p>Michael Xie is CTO of <a href="http://www.fortinet.com/">Fortinet</a> and drives all of their development of true “Next Generation” security appliances. Hear him describe his views on speeds and feeds, routing and switching in the firewall, and cost per secure megabit.</p></blockquote>
<p>Take a look and listen (click the picture to jump to video):</p>
<p><a href="http://www.demosondemand.com/clients/dod_security/002/page/DS3_popup.html?sessionId=2653&amp;playerType=DS3-ES"><img class="alignnone size-full wp-image-426" title="michael-xie" src="http://blog.fortinet.com/wp-content/uploads/2009/07/michael-xie.jpg" alt="michael-xie" width="402" height="250" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/next-generation-security-an-interview-with-michael-xie/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
