
The history of the company "Lasunka" began in January 1997 with the production of ordinary ice cream, in a waffle cup and as popsicles, at a small factory on the outskirts of Dnipropetrovsk. It is now the leading producer of ice cream in Ukraine.
The company includes several brands: "White Birch", "Laska" and "Lasunka". Its main product is ice cream. According to Lasunka's development strategy, the main investments go into developing infrastructure and maintaining high quality standards.
The company currently has 26 sales branches and plans to expand. Production is located in Ternopil and Kirovograd, and the main office is in Dnepropetrovsk. The IT infrastructure of such an enterprise is complex and requires secure exchange of information between its offices.
Earlier this year the enterprise began installing Fortinet gateways, and we decided to find out how this solution works for the client.
Naturally, feedback on how the equipment performs should come from the company's chief IT specialist. Evgeny, IT director of TM Lasunka, says:
UPD:
Disclaimer: The client shares his personal experience. For obvious reasons he cannot tell everything about how his network is arranged; he shares his experience and talks about what works for him and how, without making sure he gets hacked next time. The commentary is written down from the client's words as closely as possible, and we can provide the recording if necessary. The CIO told us in as much detail as possible everything that could be said in this review, and no more, since that would not be safe.
- All business information is located in Dnepropetrovsk, in the main office. Most employees of remote offices work through terminal servers, and for this we need stable channels. Our Internet channels run at 100 Mbit/s. The central office has 2 channels: the first runs at 1 Gbit/s and the second, a backup, at 100 Mbit/s. In case of any failure they switch over automatically, which helps avoid communication problems.
We had gateways from one vendor. They worked well, but as the load from internal VPN traffic grew they began to hang, and we hit a growth ceiling of 40 Mbit/s (although the vendor's website states a speed of 130 Mbit/s), and that was it, no further; that speed is not enough for us.
At first we didn't really want to, but then the partner Smartnet advised us to try Fortinet equipment. We tried it (thanks to the distributor for providing equipment for the test; not every distributor does) and the test results suited us in every way. Now this solution reliably and securely handles 100 Mbit/s of VPN traffic (as promised by Fortinet).
FortiGate 60C gateways like these, as well as other models of the FortiGate family for building secure (VPN) connections, are located in every sales office of the company. Initially we installed several gateways for encrypted traffic to see how it would work; now this equipment is installed in each of our offices. Our regional offices and production sites are connected to the main office via secure channels that carry terminal session data, and of course it is crucial that the connection is not interrupted, because the continuity of the business process depends on it, often at 2 am as well: work in production does not stop at night. And if a gateway hangs at night, everyone is unhappy about it, first of all my admins :), who have to restore the connection urgently. With Fortinet we have no such problems.
Encrypted VPN traffic and voice traffic take up about 90% in the IT infrastructure. There can be up to 400 terminal sessions at a time, and there are no problems with the channel.
- How often do third-party interventions occur in your network?
- We regularly have DDoS attacks, spam attacks on the mail server and other attacks, either from competitors or from someone trying to get into our network for the sake of sport. The Fortinet gateways do an excellent job with all of this.
In our main office the main router is also from another vendor, and we plan to replace it with Fortinet there. And soon I will be going to set up the network in a newly opened branch of the company in another country, and a Fortinet gateway will be there as well.
I do not want to say anything bad about the equipment we had before Fortinet. Those solutions are good, but we outgrew them. And with Fortinet, in addition to solving the pressing infrastructure problems, we also have a very good margin for the future.
Yes, in fairness, I must say that Fortinet equipment is more expensive, but in this case it is a very profitable investment. We believe that one cannot save on IT infrastructure, since communication depends on the quality of IT, and today in any business high-quality and secure communication decides everything.

As I said, the equipment we had was no longer enough for us. So that we would not have to change anything next year, we did not wait until there was a shortage of bandwidth, and decided to look for an alternative, long-term solution that would last us 5, or better 10, years. We chose a solution with a good margin, Fortinet, in every respect that may be relevant in the future.
After all, our IT department constantly faces new challenges. And we, as IT specialists, can anticipate what new tasks may come to us from the business in a year or two (I have been working as IT director here for 17 years), so we are ready to be ready :) for everything. And we believe that by putting Fortinet in the central office we are building in a very good margin for everything: first of all, for expanding the network and expanding the enterprise.
It should also be said that during the test phase we took equipment from another network vendor in the same price segment as Fortinet. Yes, it has its advantages, but we liked Fortinet much more: it integrates much better into the enterprise network, and in some things it even surpasses its competitors in performance.
If we compare what was and what is now: Fortinet pleased us very much with its wide range of settings. It has many branches of settings that let you configure all traffic flows very flexibly and more precisely. What cannot be configured on other equipment is easy on Fortinet. That is, Fortinet does not take a monolithic approach to traffic in the IT infrastructure, but understands that corporate traffic can be very, very different, and each kind needs its own individual settings that you can customize for yourself, which, I must say, is very convenient!
As for the results: we got a speed increase and channel stability. Now we are moving the production enterprises to Fortinet: we have already moved Kirovograd, and Ternopil and Dnepropetrovsk are planned. We now build the network for all new divisions on Fortinet solutions, and we plan to continue doing so.
For production enterprises, wherever there is a large amount of traffic, heavy loads, and a need for channel redundancy, Fortinet is an excellent solution. We are very satisfied!
As in any company, there is always the question of security and web content restrictions. In our network all traffic from all branches is routed through the central office, and the restrictions are applied here. FortiGate helps us a lot with this: the filtering configuration is very flexible, and it also copes well with HTTPS traffic, torrent networks, etc.
The flexibility of FortiGate configuration can be compared with Linux. Management is also worth noting: the support service can handle many tasks, and it is not necessary to give them full access to the routers; a specific settings section is enough, and Fortinet does this as well.
We could go on talking for a long time, but it's better to try it!
In a word: ice cream under protection :)
Technical equipment information
FortiGate is an integrated network security device. It combines the functions of an L2/L3 router, firewall, VPN concentrator, antivirus, antispam filter, web/content filter and intrusion prevention system (IPS), as well as user authentication, virtualization and fault tolerance.
Routing - the device supports static and dynamic routing (RIP, OSPF, BGP), policy-based routing, and multicast traffic routing.
Firewall - based on policies that can be flexibly configured individually for each user on the network, depending on the direction of traffic.
User authentication - the device can authenticate users before providing network services. A local user database and interaction with external authentication systems over the LDAP, RADIUS and TACACS+ protocols are supported. If there are user authentication servers in the infrastructure (such as a Windows Active Directory domain controller or Novell eDirectory), FortiGate can use Fortinet Single Sign-On technology to authenticate users once when they access corporate network resources and/or the Internet (for example, an application server, or access control to Internet resources).
VPN concentrator - allows you to establish secure connections between network locations using IPSec (site-to-site, hub-and-spoke, dialup client), SSL (web-portal mode, tunnel mode), PPTP and L2TP. The DES, 3DES and AES encryption algorithms are supported.
Antivirus, anti-malware and anti-spyware - real-time scanning for viruses and malicious code in web traffic (HTTP, HTTPS), FTP, email (SMTP, POP3, IMAP), instant messaging protocols (ICQ, AIM, MSN, Yahoo and others), P2P and the Network News Transfer Protocol (NNTP), with support for most popular compressed file formats. Antivirus signatures are updated automatically from Fortinet servers (there is a PUSH mechanism for notification that new signatures have been released). There is a heuristic analysis mechanism (search for unknown viruses).
Antispam * - checking email (SMTP, POP3, IMAP) for spam. Effective checking of various email parameters, white/black lists of IP addresses and of sender/recipient email addresses. Information leakage prevention (list of prohibited phrases). Verification of sender reputation in the Fortinet global reputation database. Signature analysis of correspondence.
Intrusion Prevention System (IPS) - an intrusion detection and prevention system based on Fortinet's own FortiGuard Intrusion Prevention Service. Signature-based traffic analysis, tracking and analysis of traffic anomalies, the ability to create your own signatures, detection of new intrusions for which signatures have not yet been created, and automatic updating of the signature database.
WEB / content filter * - enforcing corporate policy on Internet use by the company's users (site analysis using the global FortiGuard Web Filtering service for website classification and reputation), checking the headers and contents of web traffic, and managing Java applets, ActiveX components and cookies.
Application Control - FortiGate can control Web 2.0 and personal applications (webmail, instant messaging (IM), free VoIP calls, P2P, browser toolbars, file sharing and various social media resources) and Voice over IP protocols (H.323, SIP, SCCP). FortiGate application identification databases currently contain more than 1500 signatures for applications and protocols in 18 categories.
Traffic shaping - the device has traffic flow control functions (guaranteeing, limiting and prioritizing bandwidth).
NAT and load balancing - advanced address translation functions are supported (dynamic and static NAT, policy-based NAT, SIP/H.323 NAT traversal), and there are also functions for load balancing between several servers.
Protection profile - allows you to assign (enable) a set of security services individually for each type of traffic or user on the network.
VDOM (Virtual Domain) - device virtualization: creating multiple virtual devices, each with independent management, security policies and routing tables. 10 VDOM licenses are activated in the base package, and the number of licenses can be expanded.
HA (high availability) - a mode in which two devices operate together to improve network resiliency. Active/Active, Active/Passive and VRRP modes are supported.
IPv6 - the product supports IPv6.
VLAN - 802.1q VLANs are supported.
3G - the device works with external 3G or CDMA modems in the USB form factor.
Management and monitoring can be carried out through the web interface, the CLI (ssh, telnet) and the console, and centrally using a FortiManager device. There is role-based management for several administrators, differentiation of access rights, and the use of VDOMs to manage virtual devices. The device supports syslog and SNMP and can send event notifications by e-mail. Collection, logging and reporting of network events are closely integrated with FortiAnalyzer.
In addition to the hardware implementation, the FortiGate platform is available as a virtual appliance, FortiGate-VM. The FortiGate virtual appliance is designed to protect a virtual infrastructure built on VMware solutions. FortiGate-VM includes the full range of protection of traditional FortiGate devices.
The FortiGate-VM lineup consists of the following devices:

Supported hypervisors: VMware ESXi / ESX v3.5 / v4.0 / v4.1 / v5.0, Citrix XenServer v5.6 SP2 / v6.0, Open Source Xen v3.4.3 / v4.1, Hyper-V, KVM platform

| Properties | FortiGate-VM00 | FortiGate-VM01 | FortiGate-VM02 | FortiGate-VM04 | FortiGate-VM08 |
|---|---|---|---|---|---|
| Number of supported virtual processors (max) | 1 | 1 | 2 | 4 | 8 |
| Number of supported network interfaces (min / max) (10 GbE, 1 GbE) | 2/10 | 2/10 | 2/10 | 2/10 | 2/10 |
| Required amount of memory (min / max) | 512/512 MB | 512/1024 MB | 512/3072 MB | 512/4096 MB | 512/12288 MB |
| Hard disk space required (min / max) | 30/2048 GB | 30/2048 GB | 30/2048 GB | 30/2048 GB | 30/2048 GB |
| Max. firewall throughput, Mbps | 500 | 1000 | 1600 | 2000 | 4000 (see note 2) |
| IPS throughput, Mbps | 200 | 400 | 600 | 800 | 1000 |
| IPsec throughput (AES256 + SHA1), Mbps | 100 | 125 | 150 | 175 | 200 |
| Antivirus throughput, Mbps | 100 | 200 | 350 | 500 | 600 |
| Maximum number of simultaneous sessions | 500 thousand | 1 million | 2.5 million | 3.5 million | 8.0 million |
| Number of new sessions / sec | 10 thousand | 20 thousand | 25 thousand | 75 thousand | 100 thousand |
| Number of FortiAPs | 32 | 256 | 512 | 512 | 1024 |
| Virtual domains (default / max.) | 1/1 | 10/10 | 10/25 | 10/50 | 10/250 |

Note: the number of supported users is unlimited and depends only on the hardware platform.
Actual performance depends on traffic load and system configuration.
1 Performance was tested on the Dell PowerEdge R715 server platform (AMD Opteron Processor 6128 CPU 2 GHz, 4 physical 1 GbE interfaces - 2 in / 2 out) running ESXi v4.1 update 1, with the maximum possible vRAM capacity for each FortiGate virtual appliance.
2 Tested on the Dell M910 platform (Intel Xeon Processor E7-4830 CPU 2.13 GHz, 2 physical 10 GbE interfaces).
Distribution of Fortinet solutions in Ukraine, Armenia, Georgia, Kazakhstan, Azerbaijan, Kyrgyzstan, Tajikistan, Turkmenistan, Uzbekistan and the CIS countries.
The integrator of this Fortinet solution was the company Smartnet (Fortinet Platinum Partner).
UPD regarding the holy war in the comments. The client shares his personal experience. For obvious reasons he cannot tell EVERYTHING about how his network is organized. Why? So that he definitely gets hacked next time? The commentary is written down from the client's words as closely as possible, and we can provide the recording if necessary. We regret that the publication was perceived as an advertisement; there was no such intention.