On balance, is it still UTM?

by Carl Windsor
March 4, 2010 at 10:02 am

With all of the features available in the FortiGate operating system, such as our antivirus, web filtering, IPS and antispam, together with the newer additions such as SSL VPN, DLP, WAN Optimization, etc., it is easy to overlook some of the lesser known features our solution provides.

I wanted to mention our load balancing capability as another one of those surprising Fortinet free features.

Of course in the current economic climate, consolidation, something Fortinet has pioneered for the past decade, is always being sought, and the more features that a unified solution can provide the better. Realists will always point out, however, that consolidation only works when the features being offered are of a sufficient quality compared with other solutions on the market. This is where the little known FortiGate load balancing feature often surprises.

The Fortinet load balancing feature set contains all of the features you would expect of a server load balancing solution. Traffic can be balanced across backend servers using multiple methods, including static (failover), round robin, weighted to account for different sized servers, or based on the health and performance of the server, such as round trip time or number of connections. The load balancer supports HTTP/S, SSL, or generic TCP/UDP or IP protocols. Session persistence is supported based on the SSL session ID or on an injected HTTP cookie. The load balancing feature is supported on all devices from the FG50B upwards and supports 10,000 virtual servers on the high end systems.

In addition to the load balancing features, there is also a range of heavy duty options including:

  • SSL Offload, where the decryption process is offloaded to the FortiGate custom ASIC to accelerate performance.
  • HTTP Multiplexing, where multiple HTTP streams are pipelined into a single request to the backend server.
  • Intrusion Prevention performed on the traffic before distribution out to the servers, protecting them from attack.
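A small model of the distribution methods and cookie-based persistence described above, added here as an illustration of the post (it is not FortiGate code); the class, the method names and the cookie name SERVERID are assumptions. It shows the interaction a practitioner cares about: a client pinned by cookie to a server that has since failed its health check is silently re-balanced onto a healthy one.

```python
import itertools
from dataclasses import dataclass


@dataclass
class Backend:
    """One real server behind the virtual server (constructed sample data)."""
    name: str
    weight: int = 1
    healthy: bool = True
    connections: int = 0
    rtt_ms: float = 0.0


class ServerLoadBalancer:
    """Distributes requests over healthy backends using one of the methods
    named in the post: static (failover), round_robin, weighted,
    least_connections or rtt, with persistence via an injected HTTP cookie."""

    def __init__(self, backends, method="round_robin", cookie_name="SERVERID"):
        self.backends = backends
        self.method = method
        self.cookie_name = cookie_name
        self._by_name = {b.name: b for b in backends}
        # Weighted round robin: a backend with weight N occupies N ring slots.
        reps = (lambda b: b.weight) if method == "weighted" else (lambda b: 1)
        self._ring = [b for b in backends for _ in range(reps(b))]
        self._cycle = itertools.cycle(self._ring)

    def _select(self, healthy):
        if self.method == "static":  # failover: first healthy server in configured order
            return healthy[0]
        if self.method == "least_connections":
            return min(healthy, key=lambda b: b.connections)
        if self.method == "rtt":
            return min(healthy, key=lambda b: b.rtt_ms)
        for _ in range(len(self._ring)):  # round robin / weighted: skip servers that are down
            b = next(self._cycle)
            if b.healthy:
                return b
        return healthy[0]

    def pick(self, cookie=None):
        """Return (backend, set_cookie_header). `cookie` is the value of the
        persistence cookie a returning client sent, or None. The header is None
        when the client is already pinned to a healthy server."""
        healthy = [b for b in self.backends if b.healthy]
        if not healthy:
            raise RuntimeError("no healthy backends for this virtual server")
        pinned = self._by_name.get(cookie) if cookie else None
        if pinned is not None and pinned.healthy:
            return pinned, None
        chosen = self._select(healthy)
        # A real device would inject an opaque id; the server name is enough here.
        return chosen, f"{self.cookie_name}={chosen.name}"
```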

Quite the UTM appliance…

Author bio: Carl Windsor was working on his PhD in Computational Chemistry but found he spent much of his time defending the network from attacks. On (eventual) completion of the PhD, rather than move into chemistry, his first job was for a systems integrator as Lead Unix and Security Administrator in the telecommunications sector. After several years' experience working in the telco environment he moved into datacenter hosting as Service Delivery Manager and was one of the first Fortinet Managed Security Service Providers. Carl has been working for Fortinet for over four years and is currently a Major Accounts Manager in the UK.

Faster than the speed of steam?

by Darren Turnbull
August 26, 2009 at 8:28 am

A team of British eccentrics has broken the 103-year-old record for a steam-powered car, previously standing at 127mph. The record now stands at close to 140mph, but with the superheated steam being injected into the turbine at more than twice the speed of sound, there is clearly more to the speed of the car than the speed of the steam.

The good news about all this is that it does give us an excuse to look at the speed of security devices. Picking up your favourite data sheet, you can see speeds quoted based on link speeds, up to values of throughput and maybe even some hint at the packets per second numbers. Of course, these numbers are based on test cases — and RFC2544 does a good job of defining how to navigate around these claims for network devices, introducing the idea of testing based on differing packet sizes. It even suggests packet sizes to use when testing 4Mbps Token Ring. It was written in 1999, not quite the same longevity as our steam powered car, but not bad.

Complex environments generate increasingly complex test cases, and of course with more and more features being consolidated into a single device, the ability to predict the likely performance of that device in all cases can become a real headache, particularly if you are reliant on a general purpose CPU. Providing dedicated hardware elements to offload the more intensive aspects of the workload helps greatly when generating test cases and solution designs. This is not a new idea, but it can sometimes be lost in the feature race. Take a look at how hot your steam is…

Author bio: Darren Turnbull has more than 25 years' experience working in the carrier and security fields, both as a designer of security and network solutions and in developing product based solutions for customers. He is a director on Fortinet's product management team.

Next generation security: An interview with Michael Xie

by Rick Popko
July 9, 2009 at 12:56 pm

Earlier this week, independent analyst Richard Stiennon posted a video interview he did with Michael Xie. From Stiennon’s blog post:

Michael Xie is CTO of Fortinet and drives all of their development of true “Next Generation” security appliances. Hear him describe his views on speeds and feeds, routing and switching in the firewall, and cost per secure megabit.

Take a look and listen to the video interview.

Author bio: Rick Popko is a PR Manager at Fortinet, where he specializes in media relations. Prior to his career in public relations, Rick was a journalist at a number of Bay Area tech pubs including CNET, Maximum PC, DV, Streaming Media and Multimedia World.

Upgrading the horseless carriage

by Darren Turnbull
June 3, 2009 at 6:52 am

I decided it was high time I changed my car; well, it was either that or wash it. Not being a car-o-phile I didn’t have a specific model in mind, so I decided to head to that area of town where all the showrooms are located. I gave the GM dealer a miss, their financial position seems way too exciting for me to become involved in just at the moment, I wish them luck. I picked a showroom based largely on reputation and anecdotes and set about selecting a model that I thought would suit: a wheel on each corner, the right number of seats.

Much discussion about accessories, gadgets, gimmicks, colours and finish ensued, and after a few hours the “ideal car” was selected. The sheer range of options was amazing, but of course selecting certain features rules out other features, not all combinations are possible on all models, and then there’s the cost which keeps ticking up with each choice made. That initial ticket price was long forgotten — we were on the hook now!

It seems obvious now, but as I left the showroom I realised that I hadn’t actually driven the chosen vehicle. A u-turn, a somewhat embarrassed discussion: they thought I’d already driven one, and I thought they should have asked me. A couple of signatures later I drove away in the car I had selected, minus some features and with the addition of an ugly metallic blue colour – they didn’t have the exact model to hand, of course. Disaster. It didn’t fit me, or I didn’t fit it; either way the ride was uncomfortable and tiring, I felt I’d been dragging the car around, not as it should be at all.

Returned to the showroom, handed back the keys and cancelled the previous set of paperwork. Of course I was no longer in the frame of mind to look further, the experience was ultimately an exercise in frustration.

I should have done more homework: financial position, what my actual requirements were, read some reviews, had some expectation of price, and made sure I had a budget in mind which would not be swayed by those self-levelling, auto-cornering, self-cleaning, xenon dazzling headlights.

At the end of the day, it didn’t really matter how many features I added; the fundamental construction was not as I expected, the performance simply not good enough, with or without that iPod connector. I still fancy changing the car, but I’ll drive it first!

Author bio: Darren Turnbull has more than 25 years' experience working in the carrier and security fields, both as a designer of security and network solutions and in developing product based solutions for customers. He is a director on Fortinet's product management team.

Approaching next-generation threats

by Derek Manky
April 16, 2009 at 7:39 am

We are entering (arguably we have already entered) a digitally bound world where business, service and information flow is bountiful. In parallel, threats have been very active: we have seen a constant increase in malicious code even after a heavy spike in 2007, and this increasing trend has carried over into 2009. Most of this increase is simply a flood of variants using packing techniques, server side polymorphism, obfuscation, etc. However, there are always new threats coming out to play: scareware, ransomware, social networking worms, mobile platform specific threats, hybrids, highly efficient worms (à la Conficker) – take your pick.

With cyber criminal organisations fueled by ludicrously profitable schemes, the end result we often see on a compromised system is a mixed bag of threats: trojan downloaders, and botnets utilized to serve up affiliate drivers and other malicious components.

To further complicate matters, infrastructure has become increasingly integrated, from the telecommunications industry (mobile threats) to the public internet, as well as once closed-circuit networks hosting critical infrastructure such as SCADA controlled utilities. To support this integration through various services (i.e. the “Cloud”), software has become more complex and more interfaces / platforms are available to the end user. So, legacy threats are enhanced (mass mailers and social engineering schemes), new vulnerabilities and malware are introduced, and both simultaneously migrate to these new interfaces / platforms in order to be efficient and robust. This is a growing problem, and yes, it is a description of the arms race with cyber crime and the many challenges with which we are faced. Enter next generation threats.

The harsh reality is that we do not live in a world in which we can flip a magic switch to route all malicious traffic to /dev/null. In other words, we must learn to live with threats just as we learn to live with crime in the physical world. Thus, the key issue turns to how to properly address and manage these threats while not having an impact on day to day operations.

I was recently at the IT360 Conference in Toronto, where I did a couple of presentations on precisely this, bearing in mind several factors. First, it is no secret that nowadays IT budgets are tight, so it is important to be able to address a wide array of threats while working within budget. Second, the sheer volume and variety of threats described above has become so large in scope that effective management is vital in order to build up your best protection. My experience has been that the general thought process towards threat management is too granular. It can be reactive, and addressed with patchy security practices such as various point solutions. Additionally, a large chunk of budget can be allocated towards IT administrators / staff struggling with the fierce pace we see on the threat landscape today. This is neither an efficient nor an effective way of dealing with modern threats. First, it is costly, as it simply requires more man hours. Second, it takes away from job function and focus that could otherwise benefit business, productivity and security procedures.

So what is a pragmatic approach? Layered security (defense in depth) covering both client and server side issues, which addresses:

1) Transparency (not hindering business, placing roadblocks through blocking critical services and/or throughput)
2) Scalability
3) Cost Effectiveness
4) Management
5) Analysis & Alerts

Threats can come from any direction: through external sources, bridged infrastructures, and even the insider threat. Consolidated security appliances can address this big picture, while offering a universal solution that is manageable, requires fewer licences than costly point solutions, and is quite scalable to the ever growing threat landscape. The idea behind using such a solution is that, on top of receiving frequent updates to protect against threats of all natures, you can leverage a worldwide team with expertise in specific threat areas (unified), and maintain a working relationship with this team / your security vendor. You can do this without having to purchase multiple point solutions to address these specific areas, which inherently can erect several roadblocks – not to mention increased management complexity. This, I believe, is key. Suddenly, you have reduced the man hours required to protect your networks, and increased your protection through managed, layered security. Now your IT staff can focus on internal security efforts that are not practiced enough, such as patch management, workshops and education, threat exercises, and procedures/guidelines to address such concerns as laptops and mobile devices.

Author bio: Derek Manky is FortiGuard Labs' senior security strategist and contributes to security research and development, while also acting as a bridge to the public forum on results and findings. He coordinates research team efforts, and manages responsible disclosure and industry collaboration efforts between Fortinet and other vendors.