Jon’s Network

Fortinet Will Have SSL Inspection

November 7th, 2007 · 12 Comments

Prediction: Fortinet will have SSL inspection on its Fortigate line of products within 12 months. Why? Because its new competitor, Palo Alto Networks, has it, and Fortinet will need to add it or get kicked to the curb.

Tags: Firewall/UTM · SSL Inspection

12 responses so far

  • 1 Landon Lewis // Nov 8, 2007 at 7:11 am

    It’s good to see SSL decryption being baked into firewalls; Tipping Point, McAfee, and Blue Coat have been doing this for a couple of years now. Looking over the spec sheets, however, it appears that the Palo Alto Networks devices only do outbound as a forward proxy and no inbound to your own HTTPS devices?

    Have you had any experience first hand with the Palo Alto boxes? Thoughts?

  • 2 Jon Robinson // Nov 8, 2007 at 1:30 pm

    No first-hand experience yet, but it is true they can’t do reverse proxy yet. That is coming soon, though, I’ve been told. Blue Coat’s SSL inspection I have known about, although I favor Webwasher right now. I didn’t know McAfee and Tipping Point did, though… I’m going to look into that.

  • 3 Landon Lewis // Nov 8, 2007 at 2:40 pm

    The McAfee piece I couldn’t find much documentation on when I looked a year and a half or two years ago. They just claimed you could drop the private keys for your web server on their device and it would decrypt them. Looks like it might have been a bit early when I responded this morning: I misspoke with regards to Tipping Point and meant to say Juniper’s IDP. Through the CLI you can import private keys and decrypt SSL traffic (i.e. DMZ web servers). Juniper also added the ability to decrypt the SSL-VPN traffic, but I haven’t had the opportunity to toy with it too much.

  • 4 Jon Robinson // Nov 8, 2007 at 3:48 pm

    Hmmm, sounds like they are doing it for different reasons too. There’s the SSL traffic from your users out to the web, or from users outside your network to your own web servers. For example, with Webwasher, once you get the CA set up, it will proxy the SSL traffic from inside your network. You typically tell it to ignore shopping and banking, but you can then ensure that users don’t abuse web mail or try to bypass your content filters using SSL. The cool thing about Palo Alto is that they do the identical thing as Webwasher and Blue Coat, but on a firewall-type platform as opposed to a proxy-cache platform. I found a McAfee WP on the topic (from 2005) and it seems like they were doing the same thing, but only for IPS.

  • 5 JJ Wolf // Nov 8, 2007 at 8:52 pm

    I believe that Secure Computing’s Sidewinder firewall already supports inbound SSL decryption, beating both Palo Alto and Fortinet to the punch. And this is on their firewall that is favored by some of the most security-conscious networks in the world. Coupling this with Webwasher, which, as Jon mentioned, also has SSL inspection capabilities, provides a complete inbound and outbound capability.

  • 6 Jon Robinson // Nov 8, 2007 at 10:32 pm

    So true about Sidewinder. They did beat them to the punch. I guess I don’t see Fortinet changing strategy because of it, though. It is a sweet product, but the way they license the Trusted Source, URL filtering, AV, etc., puts the price point way beyond what my average customer will pay for a next-gen firewall. The Palo Alto price, from what I have learned so far, is much more likely to give Fortinet a run for their money. That being said, if money isn’t lacking, Sidewinder should be considered since it’s one of the oldest firewalls and has never had a known vuln or exploit.

  • 7 Adrian Lewis // Nov 9, 2007 at 12:40 am

    Fortinet Fortigates have been able to do SSL decryption and re-encryption for some time now (about 6 months). They can then do anything with the decrypted traffic that they do with regular traffic.

  • 8 Jon Robinson // Nov 9, 2007 at 8:32 am

    Really? I will need more evidence, since I was on several calls with them this week and they indicated they couldn’t. Plus, do this search in Google: site:fortinet.com ssl decryption

    It returns 4 results, none of which discuss an SSL proxy feature. I’ll ask them again today to make sure though.

  • 9 Eric Perkins // Nov 11, 2007 at 5:16 am

    First off thanks Jon, really enjoy the site.

    I hope more vendors implement this type of functionality, forcing development of the technology. We find SSL decryption causing so much administrative overhead that many clients turn it off.

    While it’s easy on the Webwasher platform to whitelist/exclude sites, it should only be used on the Sidewinder platform in the most secure environments.

    I’m excited to see this capability mature in all the products mentioned.

  • 10 Mitchell Ashley // Nov 11, 2007 at 6:49 pm

    And of course there’s stunnel in Linux, possibly what many of the vendors are using behind the scenes.

    I think the issue with the Palo Alto box and reverse proxies is that they just don’t create a cert, and as such rely on the same cert from the destination server. They create their own cert for outbound.

    Their paper explains this at http://www.paloaltonetworks.com/literature/whitepapers/App-ID_overview.pdf

  • 11 Jon Robinson // Nov 11, 2007 at 7:33 pm

    Mitchell, anyone making a plug-in of this type for Cobia? Would there be a demand for it?

  • 12 InformationWeek Reviews Palo Alto Networks // Mar 24, 2008 at 3:10 pm

    [...] SSL Proxy [...]
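
Comment 4 (the CA that has to be set up before Webwasher will proxy outbound SSL, plus the "ignore shopping and banking" exclusions) and comment 10 (the proxy creating its own cert for outbound, while inbound reuses the destination server's cert) together describe the forward-proxy inspection model. The Go program below is an added example written for this page; it is not code from the original post, from Jon, or from any vendor named in the thread. It uses only the standard library and constructs everything it needs: the CA name "Inspection CA (demo)", the origin hosts mail.example.com and www.example.com, and the hypothetical bypass suffixes bank.example and shop.example are all made up for the demo. It generates an inspection CA, stands in a self-signed certificate for the origin server, decides per SNI host whether to inspect or bypass, re-signs a look-alike leaf under the inspection CA, and then checks what a client that trusts only that CA would accept.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Categories the admin leaves untouched ("ignore shopping and banking"); hypothetical suffixes.
var bypassSuffixes = []string{"bank.example", "shop.example"}

// ShouldInspect is the per-connection policy decision, keyed on the SNI host.
func ShouldInspect(sni string) bool {
	host := strings.ToLower(strings.TrimSuffix(sni, "."))
	for _, s := range bypassSuffixes {
		if host == s || strings.HasSuffix(host, "."+s) {
			return false
		}
	}
	return true
}

// issue generates a fresh P-256 key for tmpl and signs tmpl under parent with
// parentKey; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Random 64-bit serial, as a real issuer would use.
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)); err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// serverTemplate is the shape shared by the origin's cert and the proxy's clone of it.
func serverTemplate(subject pkix.Name, names []string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{Subject: subject, DNSNames: names, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

// NewInspectionCA creates the proxy's private signing CA. Every client must trust the
// returned cert, which is the "get the CA set up" step before inspection can start.
func NewInspectionCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "Inspection CA (demo)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// NewOriginCert fabricates a self-signed stand-in for the real server's certificate
// (constructed for the demo; a real proxy validates the origin's chain before cloning it).
func NewOriginCert(hosts ...string) (*x509.Certificate, error) {
	now := time.Now()
	cert, _, err := issue(serverTemplate(pkix.Name{CommonName: hosts[0]}, hosts, now.Add(-time.Hour), now.Add(24*time.Hour)), nil, nil)
	return cert, err
}

// Resign is the outbound step: clone the origin's names and validity period, bind them
// to a proxy-held key, and sign with the inspection CA.
func Resign(ca *x509.Certificate, caKey *ecdsa.PrivateKey, origin *x509.Certificate) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(serverTemplate(origin.Subject, origin.DNSNames, origin.NotBefore, origin.NotAfter), ca, caKey)
}

// AcceptedByClient reports whether a client trusting only the inspection CA would
// accept cert for host (chain plus hostname check, as a browser does).
func AcceptedByClient(ca, cert *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	ca, caKey, _ := NewInspectionCA()
	origin, _ := NewOriginCert("mail.example.com", "www.example.com")
	leaf, _, _ := Resign(ca, caKey, origin)
	fmt.Println("inspect login.bank.example:", ShouldInspect("login.bank.example"))
	fmt.Println("client trusts origin cert:", AcceptedByClient(ca, origin, "mail.example.com"))
	fmt.Println("client trusts resigned cert:", AcceptedByClient(ca, leaf, "mail.example.com"))
}
```

Two things the example makes concrete. First, the client never sees the origin's certificate at all once inspection is on: it sees a clone carrying the same names but chaining to the inspection CA, so a client that has not been given that CA will (correctly) refuse the connection, which is the administrative overhead comment 9 complains about. Second, the inbound case comment 3 describes is a different mechanism: instead of minting certificates, the device is handed the DMZ server's own private key and decrypts with it, so nothing about client trust changes.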
