Message-ID: <200408021741.i72HfjBr018625@ylpvm15.prodigy.net>
Date: Mon, 2 Aug 2004 10:41:11 -0700
From: "Bryan K. Watson" <bwatson@...tracers.com>
To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>
Subject: RE: Fortinet Firewalls

>Subject: [Full-Disclosure] Fortinet Firewalls
>Anyone had any experience with these -
>they claim to be able to offer content
>filtering and there by detect malicious
>content embedded into HTML, as well as
>the usual deliver systems.
>
>Sounds interesting my only concern is how you would stay on top of each new
>threat...

...automated hourly updates from Fortinet:
http://www.fortinet.com/FortiProtectCenter/

I have been very happy with Fortinet Fortigates at my client sites. They do
not slow down the traffic (just make sure you get the right capacity unit
for the job) and I always configure them for ingress and egress filtering of
all non-encrypted traffic (HTTP, FTP, SMTP, IMAP, POP). Additionally, you
will want to set your allow policies and then a global deny so that you
don't allow circumventing of your protocol scans. These are doing real-time
scanning, unlike the typical AV email firewalls that do
store->scan->forward.

I had one new client site that called me in after being repeatedly cracked
(not Windoze but Linux boxes), so I walked in with a Fortigate and the
IDS/IPS helped me to track down the originating site and the AV engine
showed me what rootkit was being attempted on the target linux
box...(de-greetz to you Darius a.k.a. HomeBoy). I still place a snort
detector and raw tcpdump passively on the wire at these type of jobs for
forensic capture and detection, but I always carry out a Fortigate for use
when I am ready to go un-stealth and stop the nefarious activity.

I configure the update timer in the Fortigates to check with Fortinet for
signature updates every hour...this helped me to have sites protected from
MyDoom before the desktop AV vendors could get their sigs out to all the
client stations...not much before, but Fortinet is quicker than the desktop
AV vendors with AV updates - they don't have to do all that integration and
regression testing on all the OS versions that McAfee, Symantec, Trend,
Kaspersky, Panda, etc. have to do.

You can do global file extension type blocking (exe, zip, dll, etc) so it is
easy to quickly lock down all of your network when you suspect some new
crack going around. The new version of FortiOS now allows you to do PERL
expression matching of any content as well and has a better than rudimentary
antispam engine...still testing that one out though.

Hope that answers your ??'s.

Cheers,
--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Bryan K. Watson - InfoSec Consultant
- bwatson@...Tracers.com - www.nettracers.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
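The "set your allow policies and then a global deny" and file-extension blocking advice in the reply above, as an added Python example that is not part of the original post and is not Fortinet or FortiOS code. It models a first-match policy list with a per-policy scan profile and blocked-extension set, plus a small lint that flags an unscanned plaintext-protocol allow, a broad trailing allow, and a policy list that does not end in a global deny. The rule fields, zone names, the `av+ips` profile label, the port list and both rule sets are constructed for the demo; the fallback action when no rule matches is an explicit parameter rather than any vendor's default.

```python
"""Constructed example: first-match firewall policy evaluation with a
global deny, per-policy content scanning and file-extension blocking."""
from dataclasses import dataclass
from typing import Optional

# Plaintext protocols the post recommends scanning (constructed port map)
PLAINTEXT_PORTS = {21: "ftp", 25: "smtp", 80: "http", 110: "pop3", 143: "imap"}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str                       # "*" matches any zone
    dst_zone: str
    proto: str                          # "tcp", "udp" or "*"
    dst_port: Optional[int]             # None matches any port
    action: str                         # "allow" or "deny"
    scan_profile: Optional[str] = None  # e.g. "av+ips"; None = no content scan
    blocked_exts: frozenset = frozenset()


@dataclass(frozen=True)
class Conn:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Verdict:
    rule: Optional[str]  # name of the matching rule, None if nothing matched
    action: str
    scan_profile: Optional[str]
    blocked_exts: frozenset


def matches(rule: Rule, conn: Conn) -> bool:
    return (rule.src_zone in ("*", conn.src_zone)
            and rule.dst_zone in ("*", conn.dst_zone)
            and rule.proto in ("*", conn.proto)
            and rule.dst_port in (None, conn.dst_port))


def evaluate(rules, conn: Conn, default_action: str = "deny") -> Verdict:
    """First matching rule wins. default_action is the fallback when no rule
    matches; it is a parameter here so the demo does not assume a vendor default."""
    for r in rules:
        if matches(r, conn):
            return Verdict(r.name, r.action, r.scan_profile, r.blocked_exts)
    return Verdict(None, default_action, None, frozenset())


def file_allowed(filename: str, verdict: Verdict) -> bool:
    """Extension blocking is attached to the allow policy that matched."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return verdict.action == "allow" and ext not in verdict.blocked_exts


def lint_policy(rules) -> list:
    """Findings a reviewer would raise against the ordered rule list."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.dst_port is None or r.proto == "*":
            findings.append(f"{r.name}: broad allow (any port/proto)")
        elif r.dst_port in PLAINTEXT_PORTS and r.scan_profile is None:
            findings.append(f"{r.name}: {PLAINTEXT_PORTS[r.dst_port]} allowed without a scan profile")
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src_zone == "*" and last.dst_zone == "*"
            and last.proto == "*" and last.dst_port is None):
        findings.append("policy does not end with a global deny")
    return findings


# Constructed rule sets: scanned allows for the plaintext protocols, then the
# difference between a broad allow left at the bottom and a closing global deny.
EXE_LIKE = frozenset({"exe", "zip", "dll", "scr", "pif"})
SCANNED_ALLOWS = [
    Rule("web-out", "internal", "wan", "tcp", 80, "allow", "av+ips", EXE_LIKE),
    Rule("ftp-out", "internal", "wan", "tcp", 21, "allow", "av+ips", EXE_LIKE),
    Rule("mail-out", "internal", "wan", "tcp", 25, "allow", "av+ips", EXE_LIKE),
]
LEAKY = SCANNED_ALLOWS + [Rule("catch-all", "*", "*", "*", None, "allow")]
HARDENED = SCANNED_ALLOWS + [Rule("global-deny", "*", "*", "*", None, "deny")]


def demo() -> dict:
    alt_http = Conn("internal", "wan", "tcp", 8080)  # HTTP on a non-standard port
    leaky = evaluate(LEAKY, alt_http)
    hard = evaluate(HARDENED, alt_http)
    web = evaluate(HARDENED, Conn("internal", "wan", "tcp", 80))
    return {
        "leaky": (leaky.rule, leaky.action, leaky.scan_profile),  # allowed, unscanned
        "hardened": (hard.rule, hard.action),
        "web_scan": web.scan_profile,
        "zip_over_web": file_allowed("update.zip", web),
        "txt_over_web": file_allowed("readme.txt", web),
        "leaky_findings": lint_policy(LEAKY),
        "hardened_findings": lint_policy(HARDENED),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With the leaky rule set, a connection to port 8080 falls through the three scanned allows and hits the trailing catch-all allow, so it is passed with no scan profile at all; the hardened set sends the same connection to the global deny, and the lint reports both the broad allow and the missing closing deny. Extension blocking only ever applies to traffic that matched a scanned allow, which is why the post pairs it with a complete allow list rather than relying on it alone.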