UTM Firewalls : Control Internet Access Within Your Organisation

The majority of today’s businesses permit some form of employee internet access. This could be an integral part of the job, a job aid, or simply a way for staff to check their personal e-mail or browse the web during their lunch breaks.

Whatever the reason, there is a risk that unrestricted internet access leads to lost productivity, exposes the company’s IT infrastructure to unwanted threats or acts as a conduit for data leakage. Web filtering and content control at the network edge go some way towards controlling internet access in a modern business environment, and a UTM (Unified Threat Management) Firewall is a natural place to control and monitor it.

Solutions

There are a number of technical approaches that can be used to control internet access and screen content for viruses, malware and similar threats.

Historically, the most common solution was an HTTP proxy: all employee web requests were sent through the proxy software. These solutions were typically licensed per user, required a degree of administration, and every end-user device had to be configured to use the proxy (or have its traffic forced through it), so a device that was not configured, or that found a way around the proxy, was also an unfiltered one.

Gateway-level web filtering

A Firewall device serves as the gateway between the company network and the Internet, and many leading Firewall vendors identified an opportunity: because their devices already sit at the network edge and see all traffic leaving it, this is the natural place to filter and control web traffic without reconfiguring every client. Most modern UTM Firewalls now include some form of web filtering and content control as part of their standard offering.

Wi-Manx makes extensive use of Fortinet Firewalls in its datacentre and managed service deployments. This article outlines the key features of the Fortinet web filtering solution, how they function and how they translate into tangible business benefits: saving money and improving productivity whilst reducing threats. In all cases, we would recommend a Fortinet Firewall as a key component of a multi-layered approach to security.

Fortinet

Gartner’s 2013 Magic Quadrant Report for Unified Threat Management

Fortinet are a global provider of network security appliances and a market leader in the relatively new field of unified threat management (UTM). Fortinet regularly features in the Gartner Magic Quadrant, ahead of the likes of Cisco, Check Point and WatchGuard. Perhaps less well known is that Fortinet is used by the majority of the 2011 Fortune 100 companies and has revenues exceeding $534m with annual growth of 23%.

Their products and subscription services provide broad, integrated and high-performance protection against dynamic security threats while simplifying the IT security infrastructure.

Wi-Manx has been using Fortinet Firewalls, along with their UTM capabilities, both in our datacentre and at customer sites as part of our managed connectivity solutions for a number of years now. Our technical team thoroughly reviewed the vendors on the market; our internal testing showed the Fortinet Firewalls to be the clear winners throughout our tests, and this view is echoed by many researchers and industry reviews.

Along with the standard features that you would expect from a modern enterprise-class Firewall, Fortinet’s UTM features add a range of services to further secure your network, increase staff productivity and prevent data leaks.

The UTM feature set includes Antivirus, Web Filtering, Application Control, Intrusion Prevention (IPS), Email Filtering, Data Leak Prevention (DLP) and Endpoint Control.

For this article, we will be taking a further look into the Web Filtering capabilities.

Features

Category based blocking

Like many web filtering solutions, Fortinet’s is based on URL classification: every URL or website on the Internet is rated into one or more categories (e.g. business, government, social networking), and the profile decides what happens to each category.

To check how a site is rated, use the FortiGuard web filter lookup. FortiGuard is the cloud service the Firewalls query to retrieve website ratings:

http://www.fortiguard.com/static/webfiltering.html

The database currently rates more than 104 million sites covering billions of URLs, with each site able to be rated in multiple categories and data classes. With support for 70 languages, the FortiGuard database provides a truly international service; the lookup page above also lets you run real-time queries against the current database. Bear in mind that a site the database has not yet classified falls into the Unrated category, so the action for Unrated should be chosen deliberately rather than left at its default.

Custom whitelists / blacklists

Custom whitelists and blacklists let you override the classification of specific websites. For example, you may want to prohibit access to sports websites while one of your clients is a football club: block the Sports category and whitelist the client’s site. Conversely, if you allow access to social networks but wish to block one particular site, add it to the blacklist. Custom entries are checked before the category rating, so they always take precedence over it; because a whitelisted site bypasses the category check, the list should be kept short and reviewed periodically.

Quotas

Quotas limit the amount of time spent viewing, or the amount of data downloaded from, websites in a given category or group of categories. With quotas enabled it is possible, for example, to limit access to gaming sites to two hours per day or to cap the data downloaded from streaming media sites. Quotas are set per web filter profile, apply only to categories the profile otherwise allows (a blocked category never accrues quota), accumulate over a 24-hour period and reset at the end of the day.
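The three features above (category actions, custom overrides and quotas) combine into a single web filter profile. The following FortiOS configuration is an added example written for this page, not Wi-Manx’s or Fortinet’s own code: it assumes FortiOS 5.2-style CLI syntax, and the profile and list names, the client host names and the category IDs used (46 Sports, 20 Games, 37 Social Networking, 25 Streaming Media and Download) are illustrative. Check category numbers against the FortiGuard lookup page above and the exact option names against the CLI reference for your firmware. Lines starting with `#` are annotations.

```fortios
# Added example (assumed FortiOS 5.2-style syntax); all names are illustrative.

# 1. Custom URL list. This is evaluated BEFORE the FortiGuard category rating.
config webfilter urlfilter
    edit 1
        set name "staff-url-overrides"
        config entries
            edit 1
                # Whitelist the football-club client while Sports stays blocked.
                # 'exempt' also skips the remaining proxy checks (antivirus
                # included) for this host, so keep such entries to a minimum.
                set url "www.example-fc.co.uk"
                set type simple
                set action exempt
            next
            edit 2
                # Blacklist one social network although the category is allowed.
                set url "*.example-social.com"
                set type wildcard
                set action block
            next
        end
    next
end

# 2. Web filter profile: per-category actions plus per-category quotas.
config webfilter profile
    edit "staff-web"
        set comment "Staff browsing: categories, overrides and quotas"
        config web
            # Attach the URL list defined above.
            set urlfilter-table 1
        end
        config ftgd-wf
            config filters
                edit 1
                    # Sports: blocked (the client site is exempted above).
                    set category 46
                    set action block
                next
                edit 2
                    # Games: allowed and logged, but time-limited by quota 1.
                    set category 20
                    set action monitor
                next
                edit 3
                    # Social Networking: allowed and logged.
                    set category 37
                    set action monitor
                next
                edit 4
                    # Streaming Media and Download: allowed, data-capped by quota 2.
                    set category 25
                    set action monitor
                next
            end
            # Quotas only count against categories the profile lets through;
            # both accumulate over the day and reset every 24 hours.
            config quota
                edit 1
                    # Two hours of gaming sites per day.
                    set category 20
                    set type time
                    set duration 2h
                next
                edit 2
                    # 500 MB of streaming media per day.
                    set category 25
                    set type traffic
                    set unit MB
                    set value 500
                next
            end
        end
    next
end
```

The profile does nothing until a firewall policy references it (`set utm-status enable` and `set webfilter-profile "staff-web"` on the policy). Note also that nothing here decides the Unrated category; add an explicit filter for it rather than inheriting the default.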

A Fortinet Firewall appliance

User identification

Having a single web filtering profile is seldom appropriate for an entire organisation. Different groups of users often require varying levels of access that can change during the day. Typical examples include:

  • Restricting access to social networking sites during core business times
  • Imposing special restrictions on guest users’ access
  • Limiting customer-facing employees’ access

These scenarios require the FortiGate unit to identify, and in most cases authenticate, the end user so that the correct web filter profile can be applied to each user’s traffic. To keep the approach flexible, a number of options are available for end-user identification:

  • Local User Groups, with optional remote LDAP, RADIUS or TACACS+ databases
  • Certificate based authentication, Two-factor authentication
  • Temporary guest accounts, NTLM Authentication
  • Directory Service, Windows and Citrix-based single sign on (SSO)

This integration ensures the device works alongside your existing IT environment. In our experience, Active Directory domains are the most common means of identifying and authenticating users; in these cases the FortiGate communicates with the domain controllers, either via LDAP to authenticate users and read their group membership, or via the Fortinet Single Sign-On agent to learn which user is logged on at which IP address, so that users are identified transparently. This ensures a seamless service, reduces the total cost of ownership and keeps the administrative burden low.
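The Active Directory case described above, as an added example written for this page rather than Wi-Manx’s or Fortinet’s own configuration. It assumes FortiOS 5.2-style CLI syntax; the server address, DNs, service account, interface names, group names and profile names are illustrative placeholders, and the `ca-cert` and `secure` options should be checked against the CLI reference for your firmware. Lines starting with `#` are annotations.

```fortios
# Added example (assumed FortiOS 5.2-style syntax); all names are placeholders.

# 1. Bind to Active Directory over LDAPS (636), validating the domain
#    controller's certificate against an imported CA so that user credentials
#    are never sent in clear text.
config user ldap
    edit "corp-ad"
        set server "10.0.0.10"
        set port 636
        set secure ldaps
        set ca-cert "Corp-Root-CA"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example"
        set type regular
        # Use a dedicated read-only service account, never a domain admin.
        set username "cn=fortigate-svc,ou=Service Accounts,dc=corp,dc=example"
        set password "<service-account-password>"
    next
end

# 2. Map AD groups to FortiGate user groups, one per web filter profile.
config user group
    edit "Web-Staff"
        set member "corp-ad"
        config match
            edit 1
                set server-name "corp-ad"
                set group-name "CN=Web-Staff,OU=Groups,DC=corp,DC=example"
            next
        end
    next
    edit "Web-CustomerFacing"
        set member "corp-ad"
        config match
            edit 1
                set server-name "corp-ad"
                set group-name "CN=Web-CustomerFacing,OU=Groups,DC=corp,DC=example"
            next
        end
    next
end

# 3. Identity-based policies: the matched group selects the profile.
#    Policies are evaluated top-down and the first match wins, so the more
#    restrictive group is listed first, and no later policy should pass the
#    same traffic without a 'groups' condition.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "Web-CustomerFacing"
        set utm-status enable
        set profile-protocol-options "default"
        set webfilter-profile "customer-facing-web"
        set logtraffic all
        set nat enable
    next
    edit 11
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "Web-Staff"
        set utm-status enable
        set profile-protocol-options "default"
        set webfilter-profile "staff-web"
        set logtraffic all
        set nat enable
    next
end
```

With an LDAP group the FortiGate prompts the browser for credentials the first time a user’s traffic hits the policy. For domain-joined desktops the Fortinet Single Sign-On agent on the domain controllers supplies the user-to-IP mapping instead, so the same policies work without any prompt; the user group is then defined as an FSSO group rather than an LDAP one.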

Device identification

Device identification adds an additional layer of control by associating web filtering profiles with device types. Typical examples include:

  • Restricting mobile phone access to social networking and gaming sites during office hours
  • Imposing special restrictions on guest devices such as mobile phones or tablets used by visitors

Device identification detects the device type and imposes restrictions completely transparently to the device user: the FortiGate infers the type from traffic it already sees, such as the DHCP exchange, the HTTP User-Agent header and the vendor prefix of the MAC address, with no user authentication or identification required. Typical deployments block mobile phones or tablets entirely, or permit them access only to a defined set of websites. Because the type is inferred from observable traffic rather than proven, a determined user can spoof it; treat device-based rules as a convenience control layered on top of user identification, not as a security boundary.

Time based policies

Time-based policies enforce different web access policies at specific times of day.

In our experience, time-based policies are most commonly used to:

  • Block unproductive websites throughout the day (e.g. Facebook, YouTube)
  • Allow certain websites during lunch hours and after work
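The device-type and time-of-day controls above, as one added example for this page (not Wi-Manx’s or Fortinet’s own configuration). It assumes FortiOS 5.2-style CLI syntax; the interface, schedule and profile names are illustrative, and the device type names accepted by `set devices` should be checked against your firmware (the CLI lists them when you type `set devices ?`). Lines starting with `#` are annotations.

```fortios
# Added example (assumed FortiOS 5.2-style syntax); all names are illustrative.

# 1. Device identification must be switched on per interface before a
#    policy can match on device type.
config system interface
    edit "guest-wifi"
        set device-identification enable
    next
    edit "internal"
        set device-identification enable
    next
end

# 2. Recurring schedules for the working week.
config firewall schedule recurring
    edit "lunch"
        set day monday tuesday wednesday thursday friday
        set start 12:00
        set end 14:00
    next
    edit "core-hours"
        set day monday tuesday wednesday thursday friday
        set start 08:00
        set end 18:00
    next
end

# 3. Policies. Device type needs no login; schedules select the profile.
config firewall policy
    edit 20
        # Visitors' phones and tablets on guest Wi-Fi: restrictive profile.
        set srcintf "guest-wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set devices "iphone" "ipad" "android-phone" "android-tablet"
        set utm-status enable
        set profile-protocol-options "default"
        set webfilter-profile "guest-web"
        set logtraffic all
        set nat enable
    next
    edit 21
        # Lunch: relaxed profile. 12:00-14:00 also lies inside core-hours,
        # so this policy must sit ABOVE policy 22 or it will never match.
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "lunch"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set profile-protocol-options "default"
        set webfilter-profile "staff-lunch"
        set logtraffic all
        set nat enable
    next
    edit 22
        # Core hours: social networking and video blocked in this profile.
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "core-hours"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set profile-protocol-options "default"
        set webfilter-profile "staff-core"
        set logtraffic all
        set nat enable
    next
    # Enforce the ordering regardless of the order the IDs were created in.
    move 21 before 22
end
```

Two things to check after applying this. A policy whose schedule is not active simply does not match, so outside 08:00-18:00 the staff traffic falls through to whatever follows (the implicit deny unless an after-hours policy exists); add one deliberately. And since first match wins, verify the lunch policy really sits above the core-hours policy in the list, otherwise the lunch profile is never applied.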

YouTube Education Filter

FortiGate units also include functionality aimed specifically at the educational sector.

Video is now becoming a powerful educational tool with many useful educational videos hosted on YouTube.  The challenge has been how to limit access to educational videos on the site while filtering out all the piano playing cats and endless Gangnam style parody videos.

YouTube has made efforts to classify the content it hosts as part of its YouTube for Schools programme: http://www.youtube.com/schools.

If an organisation has a YouTube for Schools account, it can enter the account ID directly into its FortiGate web filter profiles to apply the YouTube education filter to all YouTube traffic passing through the FortiGate unit. The filter works by the FortiGate adding an identifying header to outgoing YouTube requests, so it only applies to traffic the unit can see in clear text; for YouTube over HTTPS this means HTTPS deep scanning (see below) must be enabled for that traffic.

Replacement pages

When a site is blocked, a fully customisable replacement page can be sent in its place. These replacement pages are stored on the FortiGate unit and can be customised per website category to include corporate branding (logos etc.), the category of the site blocked, references to corporate policies, details of how to apply for override privileges, or a simple ‘site blocked’ notification.

HTTPS Deep scanning

HTTPS, that is HTTP carried over an SSL/TLS session, gives users a means to browse web content over an encrypted connection. This is vital if data is to remain confidential between the end user and the website (e.g. online banking). The fact that the content is encrypted end to end introduces a challenge for content filtering and data-leakage prevention: without decrypting the session, the Firewall can see only the destination address and port and the server name offered in the TLS handshake, not the URL path or the page content.

Encrypted web traffic was historically used only where an application required it, for example online shopping checkouts and online banking, and scanning and controlling secure pages has often proved problematic. Since the recent privacy revelations and PRISM, more and more website operators have adopted HTTPS as their default protocol, so a growing share of web content is now encrypted.

With popular sites like Facebook and YouTube now served over HTTPS, the question of how to filter and restrict access arises. Fortinet addressed this need with HTTPS deep scanning, which decrypts the session at the FortiGate, applies FortiGuard web filtering to the clear-text request, and re-encrypts it towards the client using a certificate re-signed by the FortiGate’s own certificate authority; performance is helped by FortiASIC hardware acceleration of the SSL processing. Two practical consequences follow. First, every client must trust the FortiGate’s CA certificate (distributed, for example, through Active Directory Group Policy), otherwise users see a certificate warning on every site, and applications that pin their server certificate will reject the re-signed one and have to be exempted. Second, because the client now only ever sees the FortiGate’s certificate, the FortiGate itself must validate the upstream server certificate strictly, or an upstream man-in-the-middle would go unnoticed. HTTPS deep scanning respects users’ privacy by optionally not decrypting sessions to sites rated in the banking, health care and personal privacy categories. This enables organisations to enforce their web filtering policies fully without compromising staff privacy, bearing in mind that the exemption depends on the FortiGuard rating of the site being correct.
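An SSL inspection profile implementing the points above, as an added example for this page (not Wi-Manx’s or Fortinet’s own configuration). It assumes FortiOS 5.2-style CLI syntax; the profile name, the policy ID, the TFTP server address and the category IDs (31 Finance and Banking, 33 Health and Wellness, 87 Personal Privacy) are illustrative, and the `untrusted-cert` option and the certificate export command should be checked against the CLI reference for your firmware. Lines starting with `#` are annotations.

```fortios
# Added example (assumed FortiOS 5.2-style syntax); names and IDs are illustrative.

config firewall ssl-ssh-profile
    edit "staff-deep-inspection"
        set comment "Decrypt HTTPS for web filtering; exempt sensitive categories"
        # CA used to re-sign server certificates. Every client must trust it,
        # or each HTTPS site produces a certificate warning.
        set caname "Fortinet_CA_SSL"
        config https
            set ports 443
            set status deep-inspection
            # Do not let the proxy paper over an invalid upstream certificate:
            # the client only ever sees the FortiGate's certificate now, so this
            # is the only place an upstream man-in-the-middle can still be caught.
            set untrusted-cert block
        end
        # Privacy exemptions by FortiGuard category: these sessions pass through
        # still encrypted and are neither decrypted, filtered by content nor
        # logged beyond the destination. A misrated site is NOT exempt.
        config ssl-exempt
            edit 1
                # Finance and Banking
                set type fortiguard-category
                set fortiguard-category 31
            next
            edit 2
                # Health and Wellness
                set type fortiguard-category
                set fortiguard-category 33
            next
            edit 3
                # Personal Privacy
                set type fortiguard-category
                set fortiguard-category 87
            next
        end
    next
end

# Attach the inspection profile to the staff web policy alongside the
# web filter profile; without it the profile only sees HTTP.
config firewall policy
    edit 11
        set utm-status enable
        set profile-protocol-options "default"
        set ssl-ssh-profile "staff-deep-inspection"
        set webfilter-profile "staff-web"
    next
end

# Export the signing CA for distribution to clients (for example via Group
# Policy into Trusted Root Certification Authorities). TFTP address assumed.
execute vpn certificate local export tftp Fortinet_CA_SSL Fortinet_CA_SSL.cer 10.0.0.20
```

To confirm inspection is active from a client, open the certificate details for any non-exempt HTTPS site: the issuer will be the FortiGate CA rather than the site’s public CA. Applications that pin certificates (some mobile apps and software updaters) will fail in exactly the same way and need their own exemptions, by address or category, before the profile is rolled out.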

Reporting

FortiGate units and the FortiCloud remote logging and reporting service generate daily security analysis reports that contain detailed information about website usage, blocked websites and other web filtering-related output. Default reports are available that can be extended and customised as required.


Reports at a username level can also be generated and user information can be provided directly from Microsoft Active Directory or Citrix environments.

Benefits

Controlling employee internet access makes the most of the available bandwidth by restricting access to bandwidth-intensive applications.

Even in environments where bandwidth may seem abundant, it can soon be consumed by a small number of users accessing high-bandwidth content. A single HD video stream can consume up to 8 Mbps, so in an office of 50 users it could take as few as three or four people watching such content to saturate the available bandwidth.

This is easily addressed by creating robust web filtering profiles that quota or restrict access to such services, ensuring that your company’s valuable bandwidth is not consumed by a handful of users.

Fortinet provides a range of extremely granular reporting tools that enable you to drill down into the data and produce reports from any perspective (user, site, IP address, category).

Speak to Wi-Manx

If you would like to learn more about Fortinet Firewalls, web/content filtering and how our range of managed solutions can benefit your organisation, please get in touch.

Wi-Manx provides a range of managed Firewall solutions in our Isle of Man, Manchester and London datacentres. We also provide a range of managed Firewall solutions to our ISP customers through a managed service arrangement. All of our managed solutions feature an enterprise-class SLA and we maintain hot-spares of all equipment.
