Network Security Firewalls

RE: Looking for a simple firewall with VPN functionality

Subject: RE: Looking for a simple firewall with VPN functionality
Date: Mon, 25 Apr 2005 14:35:18 -0700
I agree; Fortinet firewalls are excellent.  At the same time, I hope
Fortinet's engineers and marketing personnel read these newsgroups;
Fortinet firewalls could stand improvement.

Fortinets share with Netscreens the performance and security of ASIC
architecture; an easy-to-use web management interface accessible via SSL
(from anywhere you allow); solidly IPsec-compliant VPN tunnels; VLAN
tagging; policy-based routing; zone-based routing and rule application.

Fortinet's IPS beats Netscreen's IPS (note: although Netscreen's IPS
seems little more than a marketing gimmick, their "Screen" functions
work nicely), and it appears more care was taken in developing and applying
Fortinet's AV functionality.  Also - though Fortinet's own engineers
will tell you not to rely on it too much - Fortinet comes with spam
filtering, even if it's only on a par with SpamAssassin and Razor;
Netscreen doesn't address spam.  It seems Fortinet matches or beats
Netscreen on most points.

However, Fortinet firewalls adhere closely to a Trust / Untrust / DMZ
network model; the Netscreen offers fully flexible port assignments.

Where I work in the Northwestern US, the three-zone model used by
Fortinet applies to 80% of the businesses; it applies to only about 5%
of the businesses that call our firm for products and expertise.  I hope
Fortinet will address this in future releases.

Judging from the request, I think Fortinet is probably the best choice
for the user who initially asked for firewall recommendations.  I
gathered from the request the user didn't require a high degree of
flexibility in port assignments, density and network segmentation.  A
Fortinet will provide that user a feature-rich, secure firewall at a
bargain.  

As far as I can tell, regardless of port density, Fortinet firewalls
permit only four logically addressable segments and place restrictions
on how those segments are used.  (Granted, in the lower end, Netscreen
fares no better and implements arbitrary traffic restrictions.)

By contrast, a Netscreen 25 or 204 provides four dry, unmarked and
unassigned ports which can be segmented and addressed at will; a 208
provides eight dry ports, etc.  With regards to routing, rule
application, NAT'ing, etc, the Netscreens don't care what direction
traffic travels in, what ports traffic comes in on or even if the port
is physical, virtual or a VPN - to the firewall and routing engines all
ports, physical and virtual, are real.  On a Netscreen traffic is
traffic and it will apply any available manipulation option on any port.
The traffic and ports are never "trusted", "untrusted", "DMZ", "WLAN"
...

Netscreen's ambivalence towards ports and traffic accommodates the
nature of the LANs and WANs I see.  Without such ambivalence, when I
am asked to deploy Watchguard, Checkpoint, Fortinet, Sonicwall, Raptor
(née Symantec), SideWinder, ISS M or any of the rest into complex
environments, my deployments become difficult and mucky and I too often
find myself asking the customer to accommodate the firewall's
limitations rather than configuring the firewall to accommodate the
customer's network.

I like Fortinet firewalls very much but am cautious when recommending
Fortinets.  I like to know they will meet the customer's needs for
routing and NAT'ing.  Although superior to Netscreen on a number of key
points, Fortinets don't always fit.

Life was easier when firewalls were just firewalls.

BTW:  Have you seen this article comparing IPSs?
http://www.nwc.com/story/singlePageFormat.jhtml?articleID=57700108  My
greatest surprise in reading the article was finding Fortinet firewalls
favorably reviewed (though not entirely comparable).  The article really
is about IPSs.  My first thought was, what is Fortinet doing in this
review?  But it got a favorable review.  The other IPSs reviewed are
exponentially more expensive than the Fortinet.   (Note that the
Netscreen product reviewed in the article is not the Netscreen firewall
with its IPS features; the thing reviewed is the dedicated Netscreen IPS,
which in my experience bears no relation to the Netscreen firewall.)

Have a good day.  I look forward to your response.
____________________________________________
Robert Synak, CISSP, CCNA, SCSA, MCSE
Security Engineer
ANITIAN  ENTERPRISE  SECURITY

3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-807-4429 Cell
503-214-8069 Fax
www.anitian.com
____________________________________________
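As an added illustration (not part of this thread, and not any vendor's code), here is a small Python model of the zone-based policy engine the post above discusses: every interface, whether a physical port, a VLAN sub-interface or a VPN tunnel, is bound to a zone, policy is written between zones and evaluated first-match with an implicit default deny, and a box limited to a fixed Trust / Untrust / DMZ zone set cannot take the fourth and fifth segments that a box with arbitrary zones accepts. The interface names, addresses and rules are constructed for the example and do not describe any particular product.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One inter-zone policy line; "any" matches every address, None every port."""
    src_zone: str
    dst_zone: str
    src_net: str
    dst_net: str
    dst_port: Optional[int]
    action: str  # "permit" or "deny"

    def matches(self, src_zone, dst_zone, src_ip, dst_ip, dst_port):
        if (src_zone, dst_zone) != (self.src_zone, self.dst_zone):
            return False
        if self.src_net != "any" and ip_address(src_ip) not in ip_network(self.src_net):
            return False
        if self.dst_net != "any" and ip_address(dst_ip) not in ip_network(self.dst_net):
            return False
        return self.dst_port is None or self.dst_port == dst_port


class ZoneFirewall:
    """Zone-based policy: each interface (physical port, VLAN sub-interface or
    VPN tunnel) is bound to a zone; rules are matched on the ingress and egress
    zones, first match wins, and anything unmatched is denied."""

    def __init__(self, fixed_zones=None):
        # fixed_zones=None models a box that lets you define zones at will;
        # a set such as {"trust", "untrust", "dmz"} models a fixed three-zone box.
        self.fixed_zones = set(fixed_zones) if fixed_zones is not None else None
        self.iface_zone = {}
        self.rules = []

    def bind(self, iface, zone):
        if self.fixed_zones is not None and zone not in self.fixed_zones:
            raise ValueError(f"zone {zone!r} not available; box offers {sorted(self.fixed_zones)}")
        self.iface_zone[iface] = zone

    def add_rule(self, rule):
        self.rules.append(rule)

    def evaluate(self, ingress_if, egress_if, src_ip, dst_ip, dst_port):
        src_zone = self.iface_zone[ingress_if]
        dst_zone = self.iface_zone[egress_if]
        for rule in self.rules:
            if rule.matches(src_zone, dst_zone, src_ip, dst_ip, dst_port):
                return rule.action
        return "deny"  # implicit default deny


def can_bind(fw, iface, zone):
    """True if the box accepts this interface-to-zone binding."""
    try:
        fw.bind(iface, zone)
        return True
    except ValueError:
        return False


def build_flexible():
    """Hypothetical five-segment network on a box with arbitrary zones."""
    fw = ZoneFirewall()
    fw.bind("eth0", "trust")       # corporate LAN 10.0.1.0/24
    fw.bind("eth1", "untrust")     # Internet
    fw.bind("eth2", "dmz")         # public servers 10.0.2.0/24
    fw.bind("eth0.50", "guest")    # VLAN 50 sub-interface, guest Wi-Fi 10.0.50.0/24
    fw.bind("tun0", "branch")      # IPsec tunnel to a branch office 10.0.9.0/24
    fw.add_rule(Rule("trust", "untrust", "any", "any", None, "permit"))
    fw.add_rule(Rule("untrust", "dmz", "any", "10.0.2.0/24", 443, "permit"))
    fw.add_rule(Rule("guest", "untrust", "any", "any", 443, "permit"))
    fw.add_rule(Rule("branch", "trust", "10.0.9.0/24", "10.0.1.0/24", 445, "permit"))
    return fw


def build_three_zone():
    """Same network on a box limited to Trust / Untrust / DMZ."""
    fw = ZoneFirewall(fixed_zones={"trust", "untrust", "dmz"})
    fw.bind("eth0", "trust")
    fw.bind("eth1", "untrust")
    fw.bind("eth2", "dmz")
    return fw


if __name__ == "__main__":
    fw = build_flexible()
    # The tunnel is just another interface to the policy engine.
    print(fw.evaluate("tun0", "eth0", "10.0.9.4", "10.0.1.20", 445))     # permit
    # No guest -> trust rule exists, so the default deny applies.
    print(fw.evaluate("eth0.50", "eth0", "10.0.50.3", "10.0.1.20", 445))  # deny
    # The fourth segment has nowhere to go on the fixed three-zone box.
    print(can_bind(build_three_zone(), "eth0.50", "guest"))               # False
```

The point of the model is the binding step: once a tunnel or VLAN sub-interface is a first-class member of a zone, routing, NAT and rule application need no special cases for it, which is the "traffic is traffic" behaviour described above. On the fixed-zone box the only way to fit a guest VLAN is to fold it into an existing zone (for example DMZ), which is exactly the "accommodate the firewall's limitations" compromise the post complains about.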
 
-----Original Message-----
From: Abel Lucano [mailto:abel@globalgate.com.ar] 
Sent: Tuesday, April 19, 2005 6:25 AM
To: Robert Synak
Cc: firewalls@securityfocus.com; dda@cbsd.donetsk.ua
Subject: RE: Looking for a simple firewall with VPN functionality

On Mon, 18 Apr 2005, Robert Synak wrote:

Netscreen doesn't do Dynamic DNS (neither does Fortinet, which is
Netscreen at about half the cost.)

Hello Robert,
Fortinet is actually a 'little' more than Netscreen at about half the
cost; take some time to read the comparative specs.
BTW, it supports Dynamic DNS with several dynamic DNS service providers.

Best regards,

--Abel
