by Carl Windsor March 4, 2010 at 10:02 am
With all of the features available in the FortiGate operating system, such as our antivirus, web filtering, IPS and antispam, together with the newer additions such as SSL VPN, DLP, WAN Optimization, etc., it is easy to overlook some of the lesser known features our solution provides.
I wanted to mention our load balancing capability as another one of those surprising Fortinet free features.
Of course in the current economic climate, consolidation, something Fortinet has pioneered for the past decade, is always being sought and the more features that a unified solution can provide the better. Realists will always point out, however, that consolidation only works when the features being offered are of a sufficient quality compared with other solutions on the market. This is where the little known FortiGate load balancing feature often surprises.
The Fortinet load balancing feature set contains all of the features you would expect of a server load balancing solution. Traffic can be balanced across backend servers based on multiple methods including static (failover), round robin, weighted to account for different sized servers, or based on the health and performance of the server including round trip time and number of connections. The load balancer supports HTTP/S, SSL or generic TCP/UDP or IP protocols. Session persistence is supported based on the SSL session ID or based on an injected HTTP cookie. The load balancing feature is supported on all devices from the FG50B upwards and supports 10,000 virtual servers on the high end systems.
In addition to the load balancing features, there is also a range of heavy duty options including:
- SSL Offload where the decryption process is offloaded to the FortiGate custom ASIC to accelerate performance
- HTTP Multiplexing where multiple HTTP streams are pipelined into a single request to the backend server
- Intrusion Prevention performed on the traffic before distribution out to the servers, protecting them from attack.
Quite the UTM appliance…
by Anthony James October 21, 2009 at 11:00 am
It seems that we keep getting caught up in what can be referred to as “religious” discussions when it comes to technology and the choices in front of us. Consider the UTM debate and the proposition by influencers of the industry that enterprises have no business investing in this technology. I am not going to focus on the debate between UTM and alternatives available within the market today; instead I want to ask why there needs to be a line drawn in the sand? Is there value in telling enterprises “thou shall not adopt UTM,” or is there more value in giving an impartial opinion on how each approach has its own respective merits for ANYONE, enterprise or not? Never before (at least not that I can recall) have there been such adamant drives to tell customers what technology simply has NO PLACE for them.
This is casting our memories back to a time when firewalls and VPNs were “supposed to be” separated for many reasons (performance, security etc.), but with technology innovation and advances the naysayers were silenced. Yes, it makes sense to merge these perimeter technologies – the technology exists, it makes sense and it benefits customers.
Can we not draw a parallel between this example with new security products and solutions? Yes, I don’t doubt that there are some customers that are not ready for the convergence of an integrated security solution (aka UTM), but there are many customers who are ready and a UTM solution is right for them. “Evangelists” are merely doing the industry a disservice by saying “NO! You might like the idea, heck you might even like the product and can derive significant benefit from it…but you are an ENTERPRISE! Send that box packing on that Unicorn riding Pixie it rode in on.”
We can all quote factual data supporting any side of the story, but at the end of the day what counts is that we are all developing products and technologies to stop the spread of cybercrime and protect customers and their infrastructures. The packaging is just the wrapping – do yourself a favor, evaluate and purchase the technology that solves your problem, and if you are an enterprise evaluating UTM, don’t fret. We are here to support you.
by Anthony James September 28, 2009 at 8:53 am
In July, Gartner published its Magic Quadrant for SMB Multifunction Firewalls report, which we view positively as it is the firm’s official validation of multifunction security consolidation appliances. Gartner defines multifunction firewalls as all-in-one security appliances, and multifunction firewall is the firm’s term for what has been more widely known as unified threat management, or UTM, coined by IDC in 2004.
Fortinet pioneered and built its business on the vision that unified solutions bring security, cost, and operational benefits to customers of all sizes. While we are pleased to be the best-positioned vendor in Gartner’s report, we disagree with various statements the firm makes — namely that multifunction firewalls (or UTM solutions) only belong in small to medium business environments. We see evidence to the contrary every single day.
It is true that SMBs and larger enterprises use multifunction firewalls differently; SMBs typically deploy more of the integrated security functions than do large enterprises. However, we believe, and the data supports, that numerous enterprises, telecommunication carriers and service providers have adopted UTM solutions for the benefit of being able to turn the functions on one at a time as needed without having to deploy additional functions. This is a clear trend among our enterprise customers. But perhaps the strongest evidence for UTM’s rightful place in enterprise environments is quantitative data from IDC.
According to the IDC Worldwide Security Appliance Tracker, more than $500 million was spent on enterprise and high-end UTM appliances in 2008, compared with $280 million in 2006*. So, if UTM is not an enterprise or high-end play, where are all of these units going?
Further supporting IDC’s quantitative data is research from Frost & Sullivan, who reported in its World Unified Threat Management 2008 end-user study that “UTM has started to appear in enterprise and data-center class networks.” We are observing the same trends that IDC and Frost & Sullivan are seeing. Here is some data to support this:
- Fortinet has shipped more than 450,000 UTM appliances.
- More than 75,000 global customers, including the majority of the Global 100, have purchased our UTM appliances.
- Some notable customers include Polycom, CKE Restaurants, Sylvania and many branches of the U.S. Federal Government, including the Marine Corps, Army, Navy, Air Force, civilian agencies and the intelligence community.
Gartner is certainly entitled to its opinion, but there are hard facts to support the notion that UTM appliances are not an SMB only solution. Data from numerous analyst firms, vendors, and end-users themselves give credence to the fact that enterprises are adopting UTM solutions at an accelerating pace. For a firm like Gartner to continue to ignore or refute this market shift is difficult to fully understand and seems a disservice to those who rely on their research and analysis.
* Data based on price bands above $6K
by Darren Turnbull August 26, 2009 at 8:28 am
A team of British eccentrics has broken the 103-year-old record for a steam-powered car, previously standing at 127mph. The record now stands at close to 140mph, but with the super heated steam being injected into the turbine at more than twice the speed of sound, there is clearly more to the speed of the car than the speed of the steam.
The good news about all this is that it does give us an excuse to look at the speed of security devices. Picking up your favourite data sheet, you can see speeds quoted based on link speeds, up to values of throughput and maybe even some hint at the packet per second numbers. Of course, these numbers are based on test cases — and RFC2544 does a good job at defining how to navigate around these claims for network devices introducing the idea of testing based on differing packet sizes. It even suggests packet sizes to use when testing 4M token ring. It was written in 1999, not quite the same longevity as our steam powered car, but not bad.
Complex environments generate increasingly complex test cases and of course with more and more features being consolidated into a single device the ability to predict the likely performance of that device in all cases can become a real headache, particularly if you are reliant on a general purpose CPU. Providing dedicated hardware elements to offload the more intensive aspects of the performance helps greatly when generating test cases and solution designs. This is not a new idea, but can sometimes be lost in the feature race. Take a look at how hot your steam is….
by Jennifer Leggio July 9, 2009 at 12:56 pm
Earlier this week, independent analyst Richard Stiennon posted a video interview he did with Michael Xie. From Stiennon’s blog post:
Michael Xie is CTO of Fortinet and drives all of their development of true “Next Generation” security appliances. Hear him describe his views on speeds and feeds, routing and switching in the firewall, and cost per secure megabit.
Take a look and listen (click the picture to jump to video):
