
Comprehensive Information Security: a Binary Overview of the Fortinet Line

Hello! Below is an educational overview of one specific line of equipment, explaining what it is, why you need it (and whether you need it at all), and which tasks it solves (overall protection of the ICT infrastructure, implementation of mandated blocking, compliance with the Federal Law on personal data).

So, today the protection components of a typical infrastructure look like a real "zoo":


These are streaming antivirus, firewall, antispam and anti-DDoS, as well as intrusion detection systems and so on, located at the entrance to your data center. Fortinet (like a number of other manufacturers) combines these devices into one piece of hardware, and also revisits the concept of protection as such. They have led the Gartner UTM segment for 7 years (FW + IPS + VPN + Application Control + Web Filtering + Antispam + Antivirus and other functions).

Their idea is that the perimeter is no longer at the border with the public Internet. Whereas protective hardware used to be installed at the egress point, these guys think the devices should be placed closer to the local network: working with the WLAN and sitting in the data center right between the machines. Naturally, this requires completely different throughput, but on the other hand it gives a couple of huge advantages.

Solvable tasks


Fortinet solutions are a complete complex for protecting the network infrastructure, built into a single piece of hardware.

Here are the applications:
- General protection of the network, the internal segment and the operator's clients from network-, content- and application-level threats.
- Filtering of requests to the Internet, including to meet the requirements of federal laws and government regulations on blocking.
- Getting rid of the "zoo" of subsystems.
- Protection of personal data (FZ-152) in accordance with the norms of the Russian Federation.
- Integration of detection and prevention of targeted attacks.
- Protection of process control systems (PCS).

Architectural opportunities


The "core" of the solution is a hardware-software complex with multiple network ports. It has three types of processors: network processors (for traffic processing), control processors and content processors. The control processors distribute tasks between the network and content processors, balance the load and generally perform system tasks. Large boxes have several processors of each kind, so tasks are parallelized fairly evenly. At the network-processor level, each session is additionally distributed across the network coprocessors. All the "bells and whistles" such as email filtering, sandboxes and the like run on the content processors. If the box is used as an ordinary NGFW, it comes close to the declared synthetic results. If you begin to load it with rules (especially complex ones, such as "do not allow employees to disclose confidential information on a forum"), the content processors will predictably eat into the performance.

The security approach is systemic: all network events are collected, correlated and treated as a chain of interactions. For example, one of the most interesting practical tasks, banning torrents in banks, is solved on Fortinet devices very quickly and rather amusingly.

The story is this: we had one bank in which sly users downloaded torrents. At first they used their standard proxy mechanics, but there were several problems, starting from the need to break open SSL (which is not very realistic) and ending with the fact that the same TCP over DNS was not caught by any proxy. And from time to time letters from American copyright holders came to the bank (saying: what are you doing, you bastards, that was our film).

A year later, a UTM was installed there, and NGFW blocking of torrent sessions was set up as a test of the NGFW. FortiGate is able to block P2P client traffic by establishing relationships between user behavior and the subsequent signs of P2P. Here, for example, is how to solve this issue for the company once and for all. By the way, another traditional way of circumventing proxies and classic user-control solutions is also handled: Translate.Google, the best anonymizer.

Deep integration into the data center


So, in order to process the entire flow inside the data center, the first thing required is hardware with much higher performance than the usual "edge" devices. The declared synthetic characteristics of their hardware are simply enormous. Naturally, there is a nuance here about synthetic figures (more on that below), and not just one.

In general, the infrastructure uses a distributed approach to security. A client is installed at each node (more precisely, on each end machine). The clients process data and send events to the main server with the UTM, which handles the traffic. Suspicious objects from client machines automatically go to the sandbox, and the clients integrate with the same antispam (they follow links themselves, hand attachments to the antivirus and the sandbox, and so on); in general, they do everything they ideally should.


Types of protection; below we will talk mainly about the left-hand version of the architecture

Meanwhile, the main thing: Fortinet grinds through heavy flows quickly. For example, UDP is "milled" at 52 Gb/s on mid-range models quite normally, while the closest analogues are similar boxes at approximately the same prices, only working at 2 Gb/s.

The second feature is that this manufacturer has something for protecting everything. That is, they can cover everything at once if you need it. Here is their complete set of solutions:


All yours: antivirus, VPN, database protection solution, access points, routers, switches

They even have their own telephony gateways. Of the latter, it turned out to be very handy that their own external 3G/LTE extenders can be attached to their boxes. In fact, one FortiGate firewall can be the controller of the access points, and the external antenna module is defined as a normal interface.

Previously, when a bank's main channel dropped, the backup in remote regions was often a USB "dongle" from one of the operators, with the corresponding dances with a tambourine to integrate it into the security setup, or an outright sagging level of protection for the duration of the channel switch (without ingress filtering, for example). Here everything is in one box, and you do not have to bother with compatibility. This is also a plus because, for example, Huawei (where Cisco used to be) is what gets taken to small branches, and not everything works exactly as it should (the difference in implementations makes itself felt).

Who needs


First of all, the Fortinet line is considered either by companies that are regularly attacked or by various traffic operators; for example, solutions of this group are deployed by Amazon and by LTE operators to clean traffic. In general, the "zoo" of implementations looks like this:



Plus another 50 carriers, from Verizon and T-Mobile to China Telecom and Vodafone.

Despite these "monsters", more than a third of Fortinet sales in 2015 were SMB and low-end hardware. Small and medium business is also interesting because a lot of different hardware (routers, NGFW, WLC, etc.) can now sit in one box. It makes sense, for example, for those who are opening new branches.

Here are their Gartner counterparts:



The differences from the analogues "on the fingers": Fortinet sets a generally high standard for the market in channel protection, is licensed only per device, and allows you to distribute the power as you please. When new functions are enabled, the performance of all such solutions decreases, but Fortinet's behavior with additional functions enabled is more predictable thanks to load offloading to hardware coprocessors.

What is profitable


Fortinet offers quite cost-effective solutions compared to similar equipment from other manufacturers. For large businesses, the main "point" of comparison is the price per unit of traffic; for small and medium ones, functionality. Other vendors often have the same feature set, but it requires a very expensive piece of hardware.

Pitfalls


Before I get too carried away, I will tell you what you need to know in advance about the features of this architecture and of specific solutions:


Summary


This is high-end hardware that pays off through a better total cost of ownership on large infrastructures. It has predictable performance (compared to competitors), extensive support for virtual infrastructures (ESXi, Xen, KVM, Hyper-V, as well as the Azure and AWS clouds), a large number of supported hypervisors, and many different types of protection. However, I note: when determining the budget or setting up the rules, mandatory tests are required prior to implementation.

On March 30 we will have a webinar on information security based on Fortinet solutions. Those who are interested, connect.

Links


Source: https://habr.com/ru/post/280135/