Posted by Marcello on March 29, 2006, 8:52 am
Hi,
We have purchased two FortiGate 60s, they made our internet faster and of
course more secure.
But it could be really better.
I can block banned words and file extensions in my e-mails.
But I would like to apply this concept for groups and not for
"everybody".
Let me give an example.
Group Vendors.
Can receive .JPEG
Can't receive .PPS
Can receive .zip
Can receive a Banned word like "VIAGRA"
Group Buyers
Can receive .PPS
Can't receive ZIP.
Can't receive a banned word.
Marcello
Posted by Somebody. on March 29, 2006, 9:42 am
Hi,
>
>We have purchased two FortiGate 60s, they made our internet faster and of
>course more secure.
>
>But it could be really better.
>
>I can block banned words and file extensions in my e-mails.
>
>But I would like to apply this concept for groups and not for
>"everybody".
>
>Let me give an example.
>
>Group Vendors.
>
>Can receive .JPEG
>Can't receive .PPS
>Can receive .zip
>Can receive a Banned word like "VIAGRA"
>
>Group Buyers
>Can receive .PPS
>Can't receive ZIP.
>Can't receive a banned word.
>
>
>Marcello
One of the limitations of FortiOS 2.8 is that each particular protection
feature is configured globally and applied locally. So, you need to pick a
bunch of options about how to configure each form of protection, in your
case above attachment blocking and banned words, and then selectively apply
them. You can't specify two or three different sets of file blocks and
apply them separately.
So, what you have to do is peel off the different types of traffic and treat
them differently. So, with banned words, your first policy includes the
vendors, and banned word protection is disabled so they can receive
"viagra"; the second policy includes buyers, and banned word protection is
enabled, so "viagra" is blocked. So we accomplished that goal. But, if you
wanted to instead block "warez" for the vendors, you couldn't do this if you
had the protection disabled.
With the attachment blocking, no such luck, because you have a different set
of blocks you want. Say, zip and gif blocked for one group and jpg and gif
blocked for another. You have only one set of blocks to apply or not apply.
So you can have one group that has a bunch of stuff blocked and another that
doesn't, and that's as granular as you can get. About all you can do is
have a good hard stare at it and perhaps realise that there are a few sites
they need to download such files from, and the rest can be blocked without
incident. So you make a policy for those few websites with no attachment
blocking and another one for the rest of the Internet. Keeping in mind
attachment blocking isn't really a security measure as much as a way to
reduce the load on the AV by dumping files outright by extension, and you're
still scanning such things for viruses. Also, you can specify particular
files explicitly such as iesetup.exe and let that through even if you're
blocking .exe files.
So fine, those are some limitations. The good news is that lots of them go
away in FortiOS 3.0. So the reason we have these limits is that they want
to keep one table in memory for each type of protection, that's referred to
by the policies. This is to keep it fast and tight inside the ASIC
architecture. If they had 5 or 6 completely different sets of IPS
dispositions, for example, your memory on the 60 would be exhausted and you
couldn't process content.
So what they've done in 3.0 is added extra columns to most of these tables.
So for example, with banned words, they now have a score. Each matched word
contributes a score. And in the protection profile, you define what
threshold indicates a failure to pass. So you can have different behaviours
on different protection profiles by tuning the scores for the banned words
and the thresholds that cause them to activate the block. Thus different
protection by policy/group is now possible.
Most critically, for IPS, in 2.8 you can only configure one set of attacks
in terms of what's allowed, blocked, dropped, active, inactive, etc. So,
you're forced to use the same set of these dispositions for incoming vs
outgoing traffic, which isn't ideal. In 3.0, each individual attack (or,
category of attacks if you like) can be assigned one of 5 severity levels.
Then, in the protection profile that you apply to the policy, you specify
which severities will be scanned or not scanned for. With a very small
amount of work you can come up with a large number of custom sets of
dispositions this way, by tuning the severity of the individual attacks to
move them in and out of the corresponding protection profiles. This still
is implemented as a single table in memory, but with the extra column and
the extra lookup, you gain a very large amount of flexibility without
compromising the performance of the box.
3.0 is a great evolutionary change for the FortiGate; look forward to its
public release shortly although I'd recommend letting a few maintenance
releases go by before you put it on mission-critical production traffic.
-Russ.
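To make the difference between the 2.8 and 3.0 schemes Russ describes concrete, here is a small Python model (added for this thread, not Fortinet code or FortiOS CLI syntax). It keeps one global banned-word table and one global IPS signature table, and puts the per-policy knobs (a banned-word score threshold, and the set of IPS severities a profile scans for) in a protection profile, so the same tables produce different behaviour for the vendors and buyers policies and for inbound versus outbound IPS. The words, scores, signature names, severities and thresholds are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Single global tables, as in the reply: every policy references the same
# banned-word table and the same IPS signature table.  All values below are
# constructed for this example (assumption), not real FortiOS data.
BANNED_WORDS: Dict[str, int] = {"viagra": 10, "warez": 60}          # word -> score
IPS_SIGNATURES: Dict[str, int] = {"sig-a": 5, "sig-b": 3, "sig-c": 1}  # name -> severity 1..5


@dataclass(frozen=True)
class ProtectionProfile:
    """Per-policy settings: the 'extra columns' the reply describes for 3.0."""
    name: str
    banned_word_threshold: Optional[int]   # None means banned-word checking is off
    ips_severities: FrozenSet[int]         # severities this profile enforces


# Hypothetical profiles: two for the mail policies (vendors/buyers) and two
# for IPS policies (inbound/outbound).  Names and numbers are assumptions.
PROFILES: Dict[str, ProtectionProfile] = {
    "vendors":  ProtectionProfile("vendors",  50,   frozenset()),
    "buyers":   ProtectionProfile("buyers",   10,   frozenset()),
    "inbound":  ProtectionProfile("inbound",  None, frozenset({3, 4, 5})),
    "outbound": ProtectionProfile("outbound", None, frozenset({5})),
}


def banned_word_score(text: str, table: Dict[str, int] = BANNED_WORDS) -> int:
    """Sum the scores of the distinct banned words found in the message body.

    Tokenization is a deliberate simplification: words are runs of letters or
    digits, compared case-insensitively, and each distinct word counts once.
    """
    tokens = set(re.findall(r"[a-z0-9]+", text.lower()))
    return sum(score for word, score in table.items() if word in tokens)


def mail_blocked_3_0(text: str, profile: ProtectionProfile) -> bool:
    """3.0 model: the message fails when its score reaches the profile threshold."""
    if profile.banned_word_threshold is None:
        return False
    return banned_word_score(text) >= profile.banned_word_threshold


def mail_blocked_2_8(text: str, enabled: bool, table: Dict[str, int] = BANNED_WORDS) -> bool:
    """2.8 model: one on/off switch per policy against the one global list.

    Any listed word blocks, so a single policy cannot let 'viagra' through
    while still blocking 'warez', which is the limitation the reply points out.
    """
    return enabled and banned_word_score(text, table) > 0


def ips_disposition(signature: str, profile: ProtectionProfile) -> str:
    """3.0 model: a signature is enforced only if its severity is one the
    profile scans for; moving a signature between severities moves it in
    and out of every profile that references that severity."""
    severity = IPS_SIGNATURES[signature]
    return "block" if severity in profile.ips_severities else "pass"


if __name__ == "__main__":
    for group in ("vendors", "buyers"):
        for msg in ("Buy VIAGRA now", "warez inside"):
            print(f"{group:8} {msg!r:18} blocked={mail_blocked_3_0(msg, PROFILES[group])}")
    for pol in ("inbound", "outbound"):
        print(pol, {s: ips_disposition(s, PROFILES[pol]) for s in IPS_SIGNATURES})
```

With these numbers the vendors profile lets "viagra" (score 10) through but still blocks "warez" (score 60), something the 2.8 on/off switch cannot express, while the buyers profile blocks both; the inbound IPS profile enforces severities 3 to 5 and the outbound one only severity 5, from the same signature table.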