Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Fortinet unified threat management evaluation feedback needed
From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 27 Feb 2007 17:51:50 -0500

Cal Frye wrote:
Jere Retzer wrote:
One caution: be sure
to evaluate carefully your throughput needs as IPS and virus scanning
seem to drop throughput by around 90%. I also wonder what are the
lantency and other impacts on VOIP and h.323.

Christian.Heroux () ETSMTL CA 2/27/2007 9:22 AM >>>
I am worry to put all my eggs in one basket. I know
they use ASIC instead of CPU but I would like to see all eight
functions activated (firewall, antivirus, anti-spam, IPS, IDS,
traffic shaping, VPN)

We've seen that just stacking individual devices inline can raise
latency to unacceptable levels. I have no experience with the Fortigate,
but you're right to be worried.

Have them send you a largish unit for evaluation -- you'll never know
how it works with your traffic until you try it out. The times I've done
this, I often haven't changed vendors, but frequently have discovered we
needed a more capable box than we evaluated (wishful thinking, every time).

I'll second the idea of installing and testing it in your network
before buying it. And also the idea of planning on buying more
than a "100Mb" unit for a 100Mb link.

One thing that we've seen affect IPS resource requirements
above and beyond rated throughput is the need to maintain
state. The number of sessions associated with the esoteric
applications on a university network containing thousands of
student computers is not trivial.

Also consider the openness of the typical university network
compared to a corporate network. There will probably be a lot
more traffic of varying types and directions that must be
examined and controlled. Then add a few hundred or a few
thousand signatures in the path, background reporting traffic,
and various updates along with all the other functions the
multipurpose devices support.

Test, test, test.

Test failure modes too. Can you disable parts of the device
but not others? If not, are you willing to "go completely
naked" on the Internet if a device has a problem?

Outright failures are easy to survive with a spare box, a high
availability configuration, or redundant link. But what happens
when your traffic exercises a previously unknown software defect
in the device causing it to crash 2, or 3, or 4 times a day
during prime operations hours?

What do you do while you're waiting for your vendor's engineering
department to come up with a fix? For days? For weeks? Do you suffer
prime time crashes or go naked? Do you have other devices inline
that can offer backup protection when things go wrong and defense
in depth when things are right? For example, router acls to back
up a firewall and mail gateway AV/SPAM filtering to back up the
all-in-one unit?

Gary Flynn
Security Engineer
James Madison University

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]