Author: Michael Maust
Legacy environments have often used a multi-faceted approach to content filtering on LAN networks, which has frequently resulted in vendor sprawl, poor operating-expenditure management and potential inaccuracies in both reporting and filtering. Luckily, with the advent of faster processors, sophisticated application signatures and dedicated ASIC chipsets, it is becoming increasingly feasible to “collapse” multiple content filtering appliances into a consolidated solution.
Fortinet’s Unified Threat Management (UTM) feature set showcases how a consolidated content filtering approach can work in most environments while providing the continued world-class security the Fortinet brand has become synonymous with. Delivering a comprehensive set of application signatures and accompanying filtering categories, the FortiGate firewall appliance offers a wide range of granularity for managing and restricting content usage. Furthermore, the recent introduction of newer in-house developed ASIC chipsets has allowed newer FortiGate models to outperform the competition by leaving more headroom for the inspection fundamentals: proxying, SSL decryption, flow-based inspection and on-the-fly categorization. No longer does a separate appliance have to be sized to keep up with the firewall!
The “UTM” feature set is divided into multiple security categories. For today’s discussion, the focus is on content-driven inspection, namely the UTM Web Filter and Application Control.
The Web Filter is typically used for all browser-based inspection, which usually means ports 80 and 443. This content is categorically different from applications (such as iOS or Android apps), which are discussed later.
The UI gives complete control over what is inspected, with a default set of categories covering the major offenders. This feature is especially useful in educational environments that adhere to CIPA (Children’s Internet Protection Act) guidelines, which prohibit access to obscene content on campus networks.
Each category is further broken down into individual buckets to target more specific sub-categories.
For specific sites or content, a static URL filter option is provided to maintain whitelists or blacklists according to the filter type.
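To make the static URL filter concrete, here is an added Python model (my example, not Fortinet’s code) of how an ordered list of simple, wildcard and regex entries with allow/block/monitor/exempt actions can be evaluated against a request URL. The entry types and action names mirror the ones FortiOS exposes; the matching rules (exact host for simple entries, first match wins, no match falls through to category filtering) and the filter list itself are assumptions I constructed for illustration, not the appliance’s implementation.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


def normalize(url: str) -> str:
    """Return 'host/path?query' with the scheme dropped and the host lower-cased,
    so filter entries can be written without http:// or https://."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return (parts.hostname or "").lower() + path


@dataclass
class UrlFilterEntry:
    pattern: str
    kind: str    # "simple" | "wildcard" | "regex" (the three entry types)
    action: str  # "allow" | "block" | "monitor" | "exempt"

    def matches(self, target: str) -> bool:
        if self.kind == "simple":
            # Assumed semantics: exact host (sub-domains are NOT covered) plus an
            # optional path prefix that must end at a '/' boundary.
            p = normalize(self.pattern).rstrip("/")
            return target == p or target.startswith(p + "/")
        if self.kind == "wildcard":
            # Shell-style globbing: '*' matches any run of characters.
            return fnmatch.fnmatchcase(target, self.pattern.lower())
        if self.kind == "regex":
            return re.search(self.pattern, target) is not None
        raise ValueError(f"unknown entry type {self.kind!r}")


# Constructed list, ordered the way an administrator would enter it.
FILTER_LIST: List[UrlFilterEntry] = [
    UrlFilterEntry("intranet.example.com", "simple", "exempt"),
    UrlFilterEntry("*.badexample.net/*", "wildcard", "block"),
    UrlFilterEntry(r"/download/.*\.exe$", "regex", "monitor"),
    UrlFilterEntry("example.org/videos", "simple", "block"),
]


def evaluate(url: str, entries: List[UrlFilterEntry] = FILTER_LIST) -> Optional[str]:
    """First matching entry decides (assumed ordering rule). Returns that entry's
    action, or None when no static entry matches and the request would fall
    through to category-based filtering."""
    target = normalize(url)
    for entry in entries:
        if entry.matches(target):
            return entry.action
    return None


if __name__ == "__main__":
    for u in ["https://intranet.example.com/portal",
              "http://cdn.badexample.net/img.png",
              "https://badexample.net/",   # apex domain is not covered by '*.badexample.net/*'
              "https://files.example.com/download/setup.exe",
              "https://example.org/videos/clip1",
              "https://example.org/videosx"]:
        print(f"{u:48} -> {evaluate(u)}")
```

The apex-domain case is the one to check when writing wildcard entries: a pattern that starts with `*.` covers sub-domains only, so a block list that relies on it silently leaves the bare domain to the category filter.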
The second half of content inspection relies on application filtering. Applications typically do not use the standard browser ports of 80 and 443; often they use a set of known higher ports or randomized ports (seen frequently with proxy or VPN access). To address this, Fortinet constantly releases updated application signatures to keep pace with the growing number of applications in daily use.
Similar to the Web Filter, the Application Control UTM filter allows customization of categories and whitelist/blacklist functionality.
Again, a customized template can be created to match the network administrator’s guidelines and requirements. In addition to categorical content inspection, deep-packet SSL inspection, in combination with a self-signed root certificate that the clients trust, can provide a deep analysis of usage on the network.
Transparent and comprehensive reporting is a feature often overlooked in the content filtering experience, yet good reporting is among the features most requested by IT administrators, as it provides accountability for the network’s users and can help reduce administrative liability.
FortiView is a built-in module that allows customized views of overall network traffic. In combination with web filtering, this feature can show source/destination IP addresses, application type, website information and a number of other tracking details. This information can also be archived or sent to FortiAnalyzer, a dedicated syslog tool for managing data views, traffic and other compatible appliances.
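Because the same UTM events that feed FortiView can be forwarded as syslog, here is an added Python example (mine, not a Fortinet tool) that parses FortiGate-style key=value log lines and summarizes blocked web filter and application control events per category and per source, the kind of accountability view the paragraph above describes. The five log lines are constructed for this example rather than captured from a device; the field names follow the webfilter and app-ctrl subtypes as I understand them (webfilter uses action="blocked", app-ctrl uses action="block"), which is an assumption to verify against your own log output.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample lines in the FortiGate key=value log style.
SAMPLE_LOGS = """\
date=2024-05-01 time=10:15:02 devname="fgt-edge-1" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" srcip=10.10.20.15 dstip=203.0.113.10 dstport=443 hostname="streaming.example.net" url="/live" action="blocked" catdesc="Streaming Media and Download"
date=2024-05-01 time=10:15:09 devname="fgt-edge-1" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" srcip=10.10.20.15 dstip=203.0.113.11 dstport=443 hostname="docs.example.org" url="/" action="passthrough" catdesc="Reference"
date=2024-05-01 time=10:16:44 devname="fgt-edge-1" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="warning" srcip=10.10.20.42 dstip=198.51.100.7 dstport=8080 app="Proxy.HTTP" appcat="Proxy" action="block"
date=2024-05-01 time=10:17:01 devname="fgt-edge-1" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" srcip=10.10.20.42 dstip=203.0.113.12 dstport=443 hostname="games.example.net" url="/play" action="blocked" catdesc="Games"
date=2024-05-01 time=10:17:30 devname="fgt-edge-1" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" srcip=10.10.20.42 dstip=203.0.113.10 dstport=443 hostname="streaming.example.net" url="/live" action="blocked" catdesc="Streaming Media and Download"
"""

# key=value pairs; values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict, stripping the quotes around quoted values."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def parse_logs(text: str) -> List[Dict[str, str]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


# Assumed action values: webfilter writes "blocked", app-ctrl writes "block".
BLOCK_ACTIONS = {"blocked", "block"}


def summarize(events: List[Dict[str, str]]):
    """Count blocked UTM events per (subtype, category) and per source IP."""
    by_category: Counter = Counter()
    by_source: Counter = Counter()
    for ev in events:
        if ev.get("type") != "utm" or ev.get("action") not in BLOCK_ACTIONS:
            continue
        # webfilter carries the FortiGuard category in catdesc, app-ctrl in appcat
        category = ev.get("catdesc") or ev.get("appcat") or "unknown"
        by_category[(ev.get("subtype", "?"), category)] += 1
        by_source[ev.get("srcip", "?")] += 1
    return by_category, by_source


def repeat_offenders(by_source: Counter, threshold: int = 2) -> List[str]:
    """Sources with at least `threshold` blocked events, worth a closer look
    in FortiView or FortiAnalyzer."""
    return sorted(ip for ip, n in by_source.items() if n >= threshold)


if __name__ == "__main__":
    cats, srcs = summarize(parse_logs(SAMPLE_LOGS))
    for (subtype, cat), n in cats.most_common():
        print(f"{n:3}  {subtype:10} {cat}")
    print("repeat offenders:", repeat_offenders(srcs))
```

Allowed events (`passthrough`) are deliberately skipped so the summary reflects policy hits only; drop that filter if you want a full usage breakdown rather than a block report.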