Fortinet (FortiGate) firewall anti-virus solution
1. Overview
Computer viruses have always been a major threat to information security. As networks develop, network speeds keep increasing and network applications become ever richer, so the risk of viruses spreading and the damage they cause grow more severe. According to statistics from ICSA (International Computer Security Association), more than 90% of viruses are spread through the Internet. When intranet users access the Internet, whether browsing Web pages, downloading files via FTP, sending and receiving e-mail, or even chatting on MSN, they may bring viruses from the Internet into the network. However, the Internet worms that have flooded the network in recent years (such as Code Red, Nimda, Blaster and Sasser) are very different from traditional file-based viruses that spread through CDs, floppy disks and other media. A worm combines a virus with an attack tool. When a computer in the network is infected with a worm, it automatically scans the other computers in the network for security vulnerabilities at very high speed (hundreds of threads per second) and actively spreads the virus to those computers that are vulnerable. As long as the relevant vulnerabilities are not remediated by installing patches, the worm spreads across the network at a geometric growth rate, and even anti-virus software with real-time monitoring (both stand-alone and network editions) installed on the computers is helpless. The spread of worms also consumes a large amount of network bandwidth, causes network congestion, and results in a denial of service (DoS).
Therefore, for the new type of network worm, filtering must be performed at the gateway to prevent the virus from entering the intranet. Gateway anti-virus has become the top priority in today's anti-virus systems.
ICSA statistics: more than 90% of viruses are spread through the Internet.
Unlike other anti-virus gateways on the market that rely on software processing, FortiGate is the only hardware anti-virus gateway in the world that uses ASIC chip acceleration, which provides anti-virus performance several times higher than that of similar products. FortiGate high-end models use Fortinet's latest generation of ASIC chip, the FortiASIC CP8, which reaches a single-unit HTTP anti-virus throughput of more than 10 Gbps, far surpassing similar products, with minimal impact on the performance of real-time applications such as Web browsing.
FortiGate currently supports more than 15 million virus signatures, and the anti-virus signatures can be updated automatically over the Internet. The virus database is updated four times a day, one of the highest frequencies in the industry, which ensures that users receive defenses against the latest network threats as early as possible. FortiGate supports manual, automatic and push updates. When a new signature database is available on the server, a push update actively "pushes" it to the user's FortiGate, giving the fastest response time.
FortiGate supports heuristic scanning. Unknown viruses can be judged by their behavior, and suspicious files are reported to users in a timely manner.
Fortinet has established virus and anti-virus R&D centers in Beijing and Tianjin in China. The Tianjin R&D center works closely with the National Virus Emergency Response Center to quickly capture viruses that appear domestically. The two R&D centers have more than 150 R&D personnel.
2. External Virus Defense
FortiGate can be deployed between the Internet and the internal network. It blocks viruses, worms, spyware and other malware coming from the Internet, and also prevents internal users from sending out these viruses and other security threats.
Servers in the DMZ zone can also be protected by FortiGate, shielding Web, e-mail, proxy and other servers from viruses, worms and attacks.
FortiGate's virus filtering is based on standard protocols and is independent of the application. Regardless of which mail server and client the user uses, as long as the standard SMTP, POP3 and IMAP protocols are used, FortiGate can filter viruses in e-mail and prevent viruses from spreading through e-mail. FortiGate also supports the HTTP and FTP protocols, and can block viruses carried in Web browsing, downloads, Web mail and FTP file transfers. For protocols running on non-standard ports (for example, in an environment that uses a proxy server, HTTP may use TCP port 8080 instead of TCP port 80), FortiGate can also filter the viruses in them.
In terms of the comprehensiveness of protocol support, FortiGate leads the industry. Enabling the anti-virus function on the FortiGate to filter protocols such as HTTP, FTP, SMTP, POP3, IMAP and MAPI minimizes the risk of viruses from the external network entering the internal network.
FortiGate supports a basic virus database and an extended virus database. Users can enable different levels of protection for different protocols to strike a good balance between security and performance.
When an e-mail attachment contains a virus, FortiGate automatically inserts a notice informing the recipient that the attachment was deleted by FortiGate because it contained a virus. The administrator can customize the text of this notice.
Administrators can also use FortiGate to block files that exceed a certain size. For example, if the administrator does not want intranet users to download movies and consume a large amount of network bandwidth, the FortiGate can be set to block files larger than 50M.
3. Internal Virus Defense
Although more than 90% of viruses currently originate from the Internet, some viruses still enter the intranet through other channels, such as CDs, USB flash drives, file sharing and mobile users. Once inside the intranet, a virus usually spreads by exploiting security vulnerabilities of other hosts in the network, and may cause DoS attacks.
As shown in the previous figure, in addition to deploying FortiGate at the Internet egress, FortiGate can also be used to isolate the areas of the intranet from each other (subordinate units, departments and so on) to prevent viruses in one area from spreading to other areas.
On the other hand, the FortiGate security gateway can not only scan protocols such as HTTP, FTP, SMTP, POP3, IMAP, MSN and NNTP for viruses, but can also identify the intranet propagation characteristics of various worms on IPS principles, in order to locate and block the spread of a virus within the intranet.
FortiGate's IPS function can also limit the number of sessions generated by a single IP address to prevent DoS/DDoS attacks caused by worm outbreaks, and the firewall function can block the ports commonly used by viruses to spread. These functions assist the anti-virus function and give a better overall defense.
There are many ways for viruses to spread today, and the boundaries between viruses, worms, malware and network attacks are becoming blurred. Only by combining multiple security technologies such as anti-virus, IPS and firewall can users effectively filter the new generation of viruses.
4. Virus Scan Mode
FortiGate supports two virus scanning modes: proxy-based scanning and flow-based (streaming) scanning.
Proxy-based scanning
FortiGate acts as a proxy that takes over the network traffic. While proxying, it caches the file to be scanned; once the file is fully cached it is reassembled and scanned for viruses. Until the scan finishes, no data is sent to the client or server. Proxy scanning provides a high detection rate, but introduces a relatively high delay.
Flow-based scanning
When files pass through the FortiGate, they are checked packet by packet with no file reassembly. If a virus is detected, the last packet is discarded or the connection is reset, so the client never receives the complete file. Because there is no file caching in flow mode, execution efficiency is higher and the scanning delay is small, but false negatives are possible.
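The trade-off between the two scan modes, as an added illustration that is not Fortinet code: a constructed signature and a constructed file are pushed through a simplified proxy-mode scanner (buffer, reassemble, scan, then forward) and a simplified flow-mode scanner (inspect each packet alone, forward immediately, drop and reset on a hit). The proxy path also applies the oversize limit from section 2. The flow model is deliberately reduced to the page's description and assumes no cross-packet state, so it shows the false negative that occurs when a signature straddles a packet boundary.

```python
from dataclasses import dataclass

# Constructed stand-in for a virus signature and for files carrying it (not real malware).
SIGNATURE = b"EICAR-TEST"
INFECTED = b"PK-constructed-file-" + b"clean-section-" + SIGNATURE + b"-payload-end"
CLEAN = b"PK-constructed-file-" + b"clean-section-" + b"benign-data" + b"-payload-end"


@dataclass
class Result:
    verdict: str        # "clean", "blocked" or "oversized"
    delivered: bytes    # bytes the client actually received
    held: int           # packets buffered before the first byte reached the client


def split(data: bytes, size: int) -> list:
    """Chop a file into fixed-size packets, as the network would carry it."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def proxy_scan(packets, oversize_limit=None) -> Result:
    """Proxy mode: cache every packet, reassemble, scan the whole file, then
    forward or block. Nothing reaches the client until the verdict is known, so
    a signature split across packets is still found, and a size limit can be
    enforced on the complete file (the 50M example in the text)."""
    whole = b"".join(packets)
    if oversize_limit is not None and len(whole) > oversize_limit:
        return Result("oversized", b"", len(packets))
    if SIGNATURE in whole:
        return Result("blocked", b"", len(packets))
    return Result("clean", whole, len(packets))


def flow_scan(packets) -> Result:
    """Flow mode (simplified, no cross-packet state): inspect each packet on its
    own and forward it at once; on a match, drop that packet and reset, leaving
    the client with an incomplete file. A signature that straddles two packets
    is never seen whole, which is the false negative the text warns about."""
    delivered = b""
    for pkt in packets:
        if SIGNATURE in pkt:
            return Result("blocked", delivered, 0)
        delivered += pkt
    return Result("clean", delivered, 0)
```

With 20-byte packets the signature straddles a boundary: proxy mode blocks, flow mode forwards the whole file as clean; with 16-byte packets flow mode catches it but the client already holds the first 32 bytes.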