My company is planning a project to migrate from a traditional frame-relay network to a site-to-site VPN. As part of this project, we must decide on what firewall and VPN devices we will standardize on.
Currently, we have two remote site-to-site VPN test locations utilizing Cisco PIX 501 firewalls. These locations are connecting back to a Cisco IOS firewall and working successfully. Having configured the PIX firewalls myself, I was concerned about the complexity of their configuration and troubleshooting. Once we standardize on a device and roll out the VPN network with these associated firewall/VPN devices, I'll turn this project over to the network administrator and the network support group.
I'd like the end solution to be as simple as possible to troubleshoot, monitor, and modify. While I like Cisco products and I like the idea of standardizing on a Cisco solution, I don't consider the PIX firewalls to be easy to configure, troubleshoot, or monitor. Sure, Cisco PIX devices do offer the PIX Device Manager (PDM), a Java Web-based interface for management. However, I still feel that, even with the Web-based interface, the PIX still lacks a great deal of user-friendliness and simplicity. Again, while I like Cisco products, in my capacity as project manager, I don't want to have to say, "Here is the excellent solution I came up with, but yes, it is a pain to do many of the day-to-day tasks." I was curious if I could find a solution that does the job, but which the network support group would find easy to work with.
I met with a security consulting firm and, after hearing my requirements, they recommended that I take a look at devices from Fortinet, a company that I had never heard of. The consulting firm told me that, yes, there are a large number of choices available in the VPN/firewall market; however, based on the devices they have looked at, they felt that selecting Fortinet offered "the most bang for the buck" in my case.
Some of you reading this may already be very familiar with Fortinet. For those who aren't, here's a little background on the company. Ken Xie, the former founder and CEO of Netscreen, founded Fortinet in 2000. I heard that he left Netscreen because he believed strongly in the use of ASICs (Application Specific Integrated Circuits) to run devices like firewalls. At the time, Netscreen disagreed and Xie left to form Fortinet. Today, Fortinet's Web site says that it is "the only provider of ASIC-powered, network-based antivirus firewalls."
This idea of using ASICs is interesting. I'm not a firewall architecture expert, but this is what I gathered from my research: Cisco devices use a standard RISC or AMD processor (just like you could find in a small UNIX server), RAM, and operating systems with applications. By using ASICs, Fortinet has dedicated chips that speed the processing of things like firewall filtering, encryption, virus scanning, and traffic shaping. By using these dedicated chips, Fortinet claims that they are the only provider that can screen traffic for viruses at "broadband rates." In other words, other firewall solutions that scan for viruses have higher latency than the Fortinet solutions, according to Fortinet.
I want to take a second to mention that this is not an ad for Fortinet devices. I'm simply doing a firsthand review of these devices. This is a review of only two Fortinet firewalls, not an exhaustive review of all firewall devices available. I can't claim that Fortinet is better than other devices on the market since I haven't reviewed them all. This article compares Fortinet firewalls to Cisco PIX firewalls, because the PIX is well known and is the firewall I have experience with.
Features of Fortinet appliances
Besides being interested in more user-friendliness and simplicity, some of the other features that attracted my interest in the Fortinet devices were:
- The FortiGate product can do the same things that I was doing already with the PIX 501: firewall, VPN tunnels, and intrusion detection.
- The FortiGate devices come with additional features that the PIX 501 does not support: antivirus functionality, RADIUS/LDAP user-based authentication with Web logging (syslog), intrusion prevention, Web content filtering, e-mail filtering (antispam), traffic prioritization within the VPN tunnel, and a fast, Web-based interface.
- Fortinet also claims that, because it uses ASICs, the FortiGate firewalls are faster than Cisco PIX firewalls.
- The FortiGate 50A costs about $500, the same price as the PIX 501 units I have been buying.
I really liked the idea of getting more for my money, so I agreed to demo the Fortinet devices (they didn't know that I would eventually write a review).
As part of the demo, we were provided a FortiGate 60 (Figure A) and a FortiGate 100. The units were small, grey, metal boxes that, from the outside, looked unimpressive but practical (no blue neon LCD display or anything). The FortiGate 60 is about 50 percent faster than a 50A, and it comes with a DMZ interface. The FortiGate 60 would be our endpoint, and the FortiGate 100 would be our concentrator at the headquarters.
For testing, I took the FortiGate 60 home and connected it to my cable modem. The FortiGate 100 was connected to our Internet router at the corporate office, where we have two T1 circuits using BGP shortest-path routing. The local Fortinet engineer was very helpful in our configuration. He showed us how to configure a tunnel between our two locations and configure the remote device to hand out IP addresses based on a new remote subnet we created. Once we got the tunnel up and communicating, the device started firewalling by default.
During the configuration phase, I connected to the Web interface (Figure B) of both units and was amazed at how quickly the interface responded. I was also pleased at how simple the features seemed to be to configure. I could define my inside and outside networks and create my VPN tunnels in only a few clicks and IP address entries. My only suggestion might be for Fortinet to make a "VPN tunnel Wizard" for people who have never configured a VPN tunnel before and are too lazy to read the documentation.
The devices came with a CD that had documentation for virtually every Fortinet device available. For the device I was configuring, there was a 240-page installation and configuration guide. For the entire line of Fortinet devices, there were separate guides for CLI configuration, IDS configuration, VPN configuration, logging, and content protection.
To test the devices, I ran Citrix, telnet, Web browsing, and VNC over the link for a couple of weeks whenever I was working from home (about 20 hours per week). In my opinion, I could tell a difference in speed between the new hardware firewall/VPN device and my old Microsoft VPN client. This would make sense as I was offloading the encryption onto a dedicated hardware appliance with ASICs designed to do encryption.
I enabled the intrusion prevention. I then scanned the public IP addresses of the devices with Retina Network Security Scanner and tried a few common hacks. I saw that only the ports we had opened for management (HTTPS and SSH) were open, along with the necessary ports for the VPN tunnel. I then checked the intrusion logs and found that they had recorded my port scans and the other automated, common hacking techniques the scanner used. On each of the log entry lines were Web links that pointed me to full definitions from the Fortinet Web site, which explained what types of attacks had been foiled by the intrusion prevention system.
One of my concerns with the current PIX implementation I had was that I wouldn't be able to offer remote locations a "split tunnel" (the ability to connect to the Internet from a PC through your local connection and also have an encrypted tunnel back to some other location). Since I wanted to be able to authenticate and log all Internet activity and protect against viruses, I thought that I would have to route all Internet traffic through an encrypted tunnel, back to the corporate office, authenticate the user and log the traffic, then send it to the Internet. This is not preferable because it would increase my Internet traffic and add latency for the user. Plus, it seems silly to encrypt standard Web surfing.
From what I have learned about the Fortinet devices, I could provide a split tunnel because I could authenticate the user with a Windows login account and then log the traffic to a syslog server. Also, I could protect against viruses at the Fortinet box without having to worry about constantly updating users' PCs with antivirus updates (we would try to do it anyway, but the concern is less with a network antivirus solution).
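As an added illustration (not part of the original article and not taken from Fortinet's documentation), here is what the split-tunnel design described above looks like as a FortiGate policy set, written in current FortiOS CLI syntax rather than the 2004-era FortiOS the author used. The interface names, subnets, tunnel name and user group are assumptions.

```fortios
# Assumed names: "internal" (branch LAN), "wan1" (cable modem), tunnel "to-hq",
# branch LAN 192.168.50.0/24, HQ LAN 10.0.0.0/16, Windows/LDAP group "ad-users".
config firewall address
    edit "branch-lan"
        set subnet 192.168.50.0 255.255.255.0
    next
    edit "hq-lan"
        set subnet 10.0.0.0 255.255.0.0
    next
end
# Split tunnel: only HQ-bound traffic is routed into the IPsec tunnel.
# A full tunnel would instead point 0.0.0.0/0 at "to-hq" and omit policy 2.
config router static
    edit 1
        set dst 10.0.0.0 255.255.0.0
        set device "to-hq"
    next
end
config firewall policy
    # Corporate traffic: encrypted to HQ, logged, no NAT inside the tunnel.
    edit 1
        set name "branch-to-hq"
        set srcintf "internal"
        set dstintf "to-hq"
        set srcaddr "branch-lan"
        set dstaddr "hq-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Internet traffic: leaves the branch WAN directly, but only for
    # authenticated members of "ad-users", with AV scanning and full logging.
    edit 2
        set name "branch-internet-split"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "branch-lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set groups "ad-users"
        set utm-status enable
        set av-profile "default"
        set logtraffic all
        set nat enable
    next
end
```

The IPsec tunnel itself (phase 1 and phase 2), the LDAP server behind the "ad-users" group, and the syslog destination are configured separately and are not shown here.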
Some of the other things I learned about the FortiGate devices are:
- The OS that runs on the devices is called FortiOS.
- They can also run in "transparent mode." This means that the interfaces on the device are not on their own IP subnets, and it isn't running NAT or routing. There is only one IP assigned to the device for management purposes. The unit watches all traffic, in and out of the device, blocking or encrypting traffic as it meets policies. This seemed interesting, but too foreign to initially use, so I stuck with the standard NAT/routing mode.
- Fortinet offers a centralized management platform called FortiManager. This platform can manage all Fortinet devices. It is available as a hardware appliance or as a software application you load on a workstation. I did not demo this, but I'll consider using it if I decide to standardize on these devices at all 60+ of our remote offices.
- Creating a VPN tunnel between a Fortinet VPN device and a Cisco PIX, Cisco VPN concentrator, or IOS router is supported, and Fortinet offers documentation to show how to configure it. So you don't have to create a "Fortinet-only" VPN network.
- Fortinet recently came out with its own VPN client, called FortiClient.
Based on my demo experience with Fortinet devices, I'll recommend that we purchase one to deploy at a site. I'd like to configure split tunneling with real-time antivirus, user authentication, and logging for Web requests, and pair it with a Cisco PIX over a VPN tunnel.