My company is planning a project to migrate from a traditional frame-relay network to a site-to-site VPN. As part of this project, we must decide on what firewall and VPN devices we will standardize on.
Currently, we have two remote site-to-site VPN test locations utilizing Cisco PIX 501 firewalls. These locations are connecting back to a Cisco IOS firewall and working successfully. Having configured the PIX firewalls myself, one of my concerns was the complexity of the configuration and troubleshooting. Once we standardize on a device and roll out the VPN network with these associated firewall/VPN devices, I’ll turn this project over to the network administrator and the network support group.
I’d like the end solution to be as simple as possible to troubleshoot, monitor, and modify. While I like Cisco products and I like the idea of standardizing on a Cisco solution, I don’t consider the PIX firewalls to be easy to configure, troubleshoot, or monitor. Sure, Cisco PIX devices do offer the PIX Device Manager (PDM), a Java Web-based interface for management. However, I still feel that, even with the Web-based interface, the PIX still lacks a great deal of user-friendliness and simplicity. Again, while I like Cisco products, in my capacity as project manager, I don’t want to have to say, “Here is the excellent solution I came up with, but yes, it is a pain to do many of the day-to-day tasks.” I was curious if I could find a solution that does the job, but which the network support group would find easy to work with.
I met with a security consulting firm and, after hearing my requirements, they recommended that I take a look at devices from Fortinet, a company that I had never heard of. The consulting firm told me that, yes, there are a large number of choices available in the VPN/firewall market; however, based on the devices they have looked at, they felt that selecting Fortinet offered “the most bang for the buck” in my case.
Some of you reading this may already be very familiar with Fortinet. For those who aren’t, here’s a little background on the company. Ken Xie, the former founder and CEO of Netscreen, founded Fortinet in 2000. I heard that he left Netscreen because he believed strongly in the use of ASICs (Application Specific Integrated Circuits) to run devices like firewalls. At the time, Netscreen disagreed and Xie left to form Fortinet. Today, Fortinet’s Web site says that it is “the only provider of ASIC-powered, network-based antivirus firewalls.”
This idea of using ASICs is interesting. I’m not a firewall architecture expert, but this is what I gathered from my research: Cisco devices use a standard RISC or AMD processor (just like you could find in a small UNIX server), RAM, and operating systems with applications. By using ASICs, Fortinet has dedicated chips that speed the processing of things like firewall filtering, encryption, virus scanning, and traffic shaping. By using these dedicated chips, Fortinet claims that they are the only provider that can screen traffic for viruses at “broadband rates.” In other words, other firewall solutions that scan for viruses have higher latency than the Fortinet solutions, according to Fortinet.