FortiWiFi-30E: if you run a small business, you probably need such a device
A UTM device consolidates the security functions needed to reliably secure the entire IT area in a small enclosure that resembles an ordinary router. Small companies employing up to 50 employees, to whom this review is directed, most likely have at least one person whose duties include protecting the company's interests at the digital level and keeping the equipment and software working properly and without failure. The reviewed FortiWiFi-30E was designed to protect just such small enterprises, which belong to the SME sector, a sector that generates almost 70% of gross domestic product.
For small businesses, a limited budget is one of the most serious problems. For many years, the Polish economy has been hampered by high labor costs, which directly translates into (not) investing in new technologies and security. Completely eliminating capital expenditure on the protection of the IT area is a very difficult task for small businesses, but not an impossible one. There are solutions on the market that are free for commercial use, e.g. antivirus programs, gateway anti-spam, CRM packages, office software, mail clients, operating systems, and even open-source firewalls. The problem is that free counterparts cannot always replace commercial ones, so if you already use "free" software, do so responsibly and thoughtfully. One of the main disadvantages of such distributed protection is the lack of a central console that integrates all functions in one place. Hence, choosing an inexpensive UTM-class device that meets the reasonable requirements of a small enterprise, even one with dispersed departments, is probably the wisest way out of this situation.
The Fortinet FortiWiFi-30E integrated security system is equipped with:
- a USB port, which makes it possible to connect a GSM modem in emergency situations and gain a backup or second WAN link;
- an additional dedicated out-of-band management port for an RS232 DB9/RJ45 console cable;
- a WAN RJ45 port with a bandwidth of 1 GB/s;
- 4 RJ45 ports;
- two omnidirectional 2.4 GHz and 5 GHz antennas supporting the 802.11a/b/g/n protocol with a maximum power of 17 dBm.
In IT environments dispersed over a short distance, the FortiWiFi-30E allows you to segment your wireless network, applying a separate policy to each segment and separating the broadcast Wi-Fi networks. Segmentation is carried out in compliance with the PCI DSS (Payment Card Industry Data Security Standard) standard, which pays a lot of attention to protection against unauthorized wireless access points (rogue access points). For demanding customers, Fortinet offers FortiAP access points, which are designed for networks of varying intensity. As a result, it is possible to provide a wireless signal source anywhere. Such a solution will serve productively for a long time wherever there is a need for high flexibility in managing network communication and security policies, with integrated management of the Wi-Fi infrastructure.
In such devices, the difficulty of configuring the security policy is determined by the network topology. In simple structures it is enough to connect the device to the power supply, plug the RJ45 cable into the WAN port, and connect the router to the switch; the device will take care of the rest and (if the default addressing from the DHCP server does not need to be changed) will be ready for operation in a minute.
The whole power of the Fortinet device lies in the FortiOS software and FortiASIC processors, which accelerate the processing of packets flowing through the network ports: content processors perform packet inspection, decryption and re-encryption, while network processors work in conjunction with the FortiOS firmware and handle decapsulation and re-encapsulation of incoming and outgoing packets passing through the firewall. To consolidate the content and network processors, specialized "System-on-a-Chip" processors enclose them in a single piece of silicon, which is more efficient than previous versions of the processors. As a result, the device runs without fans (there are none, because they are not needed), so it is quiet, temperatures are low, and power consumption is small.
The manufacturer declares that the FortiWiFi-30E has a firewall capacity of 950 Mbps. With protection functions enabled (antivirus at the gateway level, application control, endpoint protection via the FortiClient antivirus for Windows, macOS, Android and iOS, as well as the IPS module and the HTTP/S protocol scanner), the device can scan traffic with bandwidth up to 150 Mbps. Considering the connections available on the domestic market, the limit of 150 Mb/s should be sufficient for small private companies and for public institutions or offices.
FortiOS: firmware with huge possibilities
One of the more important advantages of this class of devices is a set of functions integrated in one administration console. A UTM can completely replace almost any more or less advanced router. The "basic" functions include configuration of, for example, prioritization of Internet traffic, the firewall, virtual LANs or routing protocols. The extensions of the router's functions, whose task is to protect employees from malicious software, include: an intrusion prevention system (IPS), antivirus protection at the gateway level and on workstations, Internet content control, an anti-spam module, and traffic sharing between several WAN links. Obtaining similar effects using solutions from several different manufacturers would require implementing several management consoles, a more powerful server that consumes much more electricity, more configuration work, a separate server for backup and an investment in a UPS (if we are talking about continuous operation). Lack of compatibility or duplication of some functions is another defect of such protection. That is why some of the most important factors to pay attention to are the simplicity of configuration and the comprehensiveness of functions in one device.
Using the FortiOS graphical interface does not require specialist skills from the administrator (unless the company's security policy imposes such a requirement).
A practical function that greatly facilitates the configuration and protection of network segments is the audit. The graphical audit functionality automatically displays recommended settings, e.g. deploying FortiClient antivirus programs on detected Windows and macOS devices, importing the SSL certificate required to encrypt the connection between the browser and the device, better protecting the WiFi network, or removing policies that have been unused for many weeks.
There are around a dozen or so initial recommendations that will require the administrator's attention. But this is not a problem, because with a few clicks it is possible to look at the changes that will be made after acceptance.
Extensive graphical statistics generated from device data perfectly reflect the usefulness of such functions. Friendly and intuitive data visualization, together with information about network status and employee productivity, will certainly improve management. For example, based on them, it is possible to create a policy tailored to the current requirements of the company, a specific department or particular applications, or to the requirement to aggregate several different links in SD-WAN networks. The statistics include programs installed on end devices that consume excessive bandwidth (regardless of the operating system), the most frequently used ports and protocols, malicious Internet resources that were found and blocked, and the most frequently blocked categories of sites that the configured security policy treats as inappropriate for employees.
Reporting available in Fortinet devices is actually a kind of real-time audit, on the basis of which it is possible to determine the current state of security.
Local statistics are extended by the global FortiCloud service, which in the extended offer is a cloud-based platform for managing FortiGate, FortiWiFi and FortiAP devices. Management in the FortiCloud panel includes configuration of devices, installation of new clients using a group key, and automatic updating of FortiOS firmware on all deployed points. Because it offers cloud access to all devices, FortiCloud is particularly useful in dispersed environments, e.g. in large retail chains or educational establishments. In the basic offer, FortiCloud does not include management of devices from the cloud, but the undeniable advantage of the service is correlated visual reports in one console.
What can FortiCloud be used for in practice? In real time, FortiCloud gives you insight into the state of devices that record Internet traffic from all source IP addresses, the applications used by employees and the target servers with which they communicate, websites visited, threats detected in the local network, and suspicious traffic blocked at the gateway level. Each such view can be filtered by the available attributes: selected device or calendar date. It is worth noting that from FortiCloud the administrator has insight into various statistics for all the networks he manages. Any information about potential problems is added value that allows you to identify precisely the resource that creates the most security problems.
FortiGuard: security components
A very important component of the system is the FortiGuard service. This is the name for the security modules that are integrated with the FortiOS software in a single console. Some of these components are available as standard, and some after purchasing a license. They include:
- Protection against intruders (Intrusion Protection). The manufacturer declares that the IPS database contains over 5000 signatures identifying network attacks. In the latest NSS Labs tests, Fortinet's IPS system blocked 100% of attacks.
- Application Control. It provides real-time insight into currently running applications that can hide Trojans, which could thus move to other segments of the network. The module can identify an application independently of the port, protocol or installed operating system.
- Web content control (Web Filtering). According to the manufacturer, the module blocks 160,000 malicious websites every day, based on URLs, IP addresses, HTTP headers, the operating system or even user interaction with the browser. In tests by Virus Bulletin, Web Filtering managed to block over 83% of all malicious websites, including landing pages that initiate drive-by download attacks.
- Antivirus (Anti-Virus). Its database grows every day by 300,000 signatures, thanks to which it better protects employees in real time at the gateway level (and on workstations).
- Protection against botnets (Anti-Botnet). It aggregates malicious IP addresses from the distributed network of honeypots of CERT teams and organizations involved in the implementation of modern technologies in "cities 2.0".
- Antispam (Anti-Spam). According to the statistics provided by the manufacturer, it protects against spam on the basis of a database growing every day by over 11 million signatures.
- The vulnerability detection module (Endpoint Vulnerability). It guarantees a systematic and automatic method of patching applications on endpoints without the intervention of administrators.
All of these security modules are now available "out of the box". At the initial stage, all that is required is to manage them with a slider, activating or deactivating individual security components.
It is not worth giving up the FortiGuard service, because practice shows that a well-configured policy, supported by protective technologies that consistently achieve high ratings in the NSS Labs tests, is what small businesses need most: these are companies that do not have the resources for additional audits or for the purchase of specialized solutions to protect Web applications or endpoints.
FortiWiFi-30E is a world-class device. It enables centralized management, reporting, and implementation of security for Web applications, e-mail systems and access points, as well as network protection against DDoS attacks. For more demanding clients who have a dispersed infrastructure, Fortinet has prepared SD-WAN architecture management that supports various types of connections between departments and the company's headquarters (e.g. LTE), and the aggregation point of these connections.
Conclusions
If the main goal of a company employing several to several dozen employees is to focus on network security and protection against modern threats, including malware from the ransomware family, as well as threats that use social engineering and drive-by downloads, the FortiWiFi-30E successfully replaces a traditional router with one or two WAN interfaces. One thing to keep in mind: a UTM will not replace backups.
We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.