Fortinet Unveils New Security Fabric and Firewalls Designed to Tackle Challenges of Encrypted Network Traffic
Network security firm Fortinet made two new product announcements this week, including its new Fortinet Security Fabric architecture and a powerful new firewall designed to tackle the increasing demands from encrypted network traffic.
The company’s new Security Fabric is an architecture designed to integrate different silos of network security into a cohesive whole, while the new firewall is tailor-made to cope with the growing throughput and demands from remote workers, VPNs and SSL traffic.
Fortinet’s vision with its Security Fabric is to allow different segments of network security to integrate seamlessly and to cooperate actively under the management of a central control. The problem for many organizations is that different point products have been employed for different security functions without adequate integration and actionable threat sharing.
Fortinet’s John Maddison told SecurityWeek that its new Security Fabric solves these issues with collaborative intelligence (shared between security devices locally and with global threat intelligence); segmentation into functional security zones that provides deep and seamless visibility into traffic as it moves across the network; and a centrally coordinated security policy that establishes trust levels and distributes orchestrated policy enforcement across the network – whether that is local or cloud.
This is achieved by bringing the company’s existing security controls together into the Fabric environment. “Using a cloud-based management tool (FortiManager), a common operating system (FortiOS), and a single threat intelligence source for consistent enforcement (FortiGuard), organizations can weave together a single, integrated security fabric for complete visibility and control across their entire distributed network environment,” explained Bill McGee in a blog post.
The design principles behind the Security Fabric, said Maddison, are five-fold: scalability, both vertically and horizontally, to allow for growth in both networks and threats; awareness throughout the Fabric, where each network segment integrates sufficiently to allow the whole to operate as a single entity; security, where threat intelligence and mitigation information is shared across the whole Fabric seamlessly; actionable, where local and global intelligence is shared in real time; and open, where APIs allow the inclusion of third-party products into the Fabric.
For now, the individual segments of the Security Fabric are Fortinet’s own security products. The plan is to extend options to include third-party products that can be incorporated into individual customers’ own fabric via APIs. This is currently limited to CarbonBlack.
Fortinet’s second major launch is a new and powerful network firewall, the FortiGate 6040E. While organizations are increasingly adopting XaaS solutions, many decide (and some are compelled by regulations) to keep the corporate crown jewels in a local or private network. This has resulted in an almost exponential increase in traffic between the insecure Internet and the local private network. This traffic is increasingly SSL/TLS encrypted.
The computational overhead required for SSL inspection is a challenge and already too heavy for many organizations’ perimeter defenses: many existing firewalls simply cannot handle the workload without introducing unacceptable latency. There is a choice: security or business efficiency; and since business invariably wins over security, many companies have simply abandoned SSL decryption at or by the firewall. This is dangerous since criminals are also increasingly using SSL to disguise the delivery of malware and communicate with C&C servers.
The usual solution is to hand off the crypto functions to separate devices designed for high computational work – but this involves additional cost and complexity that is also sometimes avoided. Fortinet’s new firewall seeks to solve this problem by adding computational power to the single device through the use of the CP9 ASIC, a Content Processor designed by Fortinet itself.
“The Fortinet CP9 security ASIC,” notes McGee in a separate blog post, “provides for high-speed deep content inspection, and increases the performance of IPS full-signature matching, and advanced VPN (including support for the NSA’s ‘Suite B’ elliptical curve cryptography algorithms.)”
The company also launched two smaller enterprise firewalls, the FortiGate 2000E and 2500E, which also leverage the CP9 ASIC processors to decrypt network traffic on the fly.