Re: Fortigate 3.0
From: Somebody. (somebody._at_spamout.russdoucet.com)
Date: 11/09/05
- In reply to: Pat: "Re: Fortigate 3.0"
Date: Tue, 8 Nov 2005 21:13:13 -0500
"Pat" <pkelecy(removethis)@insightbb.com> wrote in message
news:RK5cf.524692$x96.493595@attbi_s72...
>
> "Somebody." <somebody.@spamout.russdoucet.com> wrote in message
> news:tW2bf.1891$43.1122@nnrp.ca.mci.com!nnrp1.uunet.ca...
>>I had a demo of Fortigate's version 3.0 OS yesterday. It's no longer NDA
>>so I can talk about it.
>>
>> Besides dozens of little things that make the GUI (which was already very
>> good) easier and faster to use, they've added SSL VPN (That's VPN
>> connection without installing client software!), doubled the throughput
>> of the AV engine while getting clear of the Trend patents, added a
>> virtual interface construct that will be familiar to all you route-based
>> VPN fans from
>
> Russ,
> I've been considering a Fortigate 50A or 60, and was wondering how (and
> how well) the AV capability works. Does it actually scan incoming email
> for viruses (at the gateway itself), or does it act as a server for
> pushing virus definitions to a client component (which does the actual
> email scanning)? The latter is more common, I think.
The latter may be more common but I consider it inferior to the point of
being nearly unworkable.
The FG units scan email (smtp, pop3, imap), http, ftp, and now with 3.0,
several flavors of IM and several flavors of P2P as well. The scans are
done inside the unit, including unzipping of compressed files to multiple
levels if needed.
>
> I've always thought it would be ideal to have AV and Spyware filtering
> happen at the gateway (if possible) rather than having to install software
> on the PC for this (where it always seems to interfere with other things).
> Although I've seen a number of products that provide this, none of the ones I've
> looked at have completely eliminated the need for a client component.
>
> Thanks for any info. -Pat
While catching viruses at the gateway is a great idea, please note that it
does *not* free you from any form of desktop antivirus. There are still
ways to bring viruses in to a network without going through an AV gateway --
encrypted tunnel, USB key, FDD, CD, DVD, rogue machine connection inside,
infected laptop from a road warrior, unsecured wireless, fragmented files in
unscannable protocols, etc. etc. Unless you have blocked all of these other
vectors, you still need virus protection on the client.
However, having virus protection at the gateway offers a significant extra
layer of protection, and it will always update faster and be more stable
than desktop protection. Additionally, it can recognize *outbound* virus
payloads, even if an internal machine gets compromised and its antivirus
gets shut down, so that you can identify and rectify such a machine without
causing infections to other outside agencies.
Some spyware can be stopped at the gateway also, but not all. It morphs so
much and is so difficult to identify, you should still have protection at
the desktop and do regular sweeps. However gateway spyware protection will
help spot the activity of actually network active applications and point you
in the right direction for your remediation.
-Russ.