
ADVANCED DETECTION TECHNOLOGY

www.fortinet.com

Contents:

OVERVIEW PAGE 3

THE PROBLEM: A NEW GENERATION OF ATTACKS PAGE 4

WHY TRADITIONAL SECURITY IS FAILING PAGE 5

THE POWER OF DEFENSE-IN-DEPTH PAGE 8

FORTINET'S ADVANCED DETECTION TECHNOLOGY PAGE 10

FORTINET - SCALABLE & FLEXIBLE SECURITY PAGE 18

ABOUT FORTINET PAGE 20


OVERVIEW

The sophistication of computer and network attacks has increased steadily over the last few years and is becoming harder to detect and block using traditional firewalls and Intrusion Detection Systems (IDS). With each successful attack, hackers are quickly learning which attack vectors are the most successful. The time between the vulnerability's discovery and its exploitation is also decreasing, giving IT and security staff less time to test and update vulnerable systems. Content-based and Network-based threats are now becoming the norm with worms, viruses, Trojans, backdoors, and blended threats. Slammer, Blaster, Sasser, Sober, and MyDoom were a few examples of sophisticated worms and email viruses that made headlines in the last few years and have shown us how fast these types of threats can spread - usually globally within just a few hours.

Many hackers are now monitoring the patch release notifications from software manufacturers and simply reverse engineer the patches to find the vulnerabilities. Figure 1 illustrates the number of days it took to exploit a known vulnerability from the time a patch was available. Notice how the time has dramatically decreased with the most recent attacks.

Not only do IT and security professionals have to worry about known information security threats, but now they also have to concentrate on how to prevent new and unanticipated threats known as "zero-hour" or "day-zero" attacks. To combat these newer threats, security technology has been evolving to include deep-packet inspection firewalls, application firewalls, content filtering, anti-spam, SSL VPN, network-based antivirus, and intrusion prevention systems (IPS). But as the hacker's motives are shifting away from notoriety to financial gain, we are seeing much more creative attacks being developed to bypass traditional security devices, and social engineering is now a big part of modern attacks.

Figure 1: Gartner's Vulnerability and Patch Timeline

Attacks with socially engineered components include Spyware, Phishing, Email based attacks, and malicious Web sites. These attacks are designed to fool or trick users into exposing sensitive information, downloading and installing malicious applications, installing tracking software, or executing malicious code. As many of these threats are designed to use traditional browser or email technology (such as ActiveX, XML, SMTP, etc) to disguise themselves as legitimate applications, preventing them with traditional security devices becomes much more difficult. The need for advanced detection and security technology is now more important than ever.

THE PROBLEM: A NEW GENERATION OF ATTACKS

Blended threats use multiple infection and attack methods to leverage vulnerabilities found in operating systems and applications such as Windows XP, Internet Explorer, and MS SQL Server. To make themselves harder to detect and block, blended attacks are created with a hybrid of technologies - such as virus, worm, Trojan horse, and backdoor attacks that are delivered with email or infected Web sites. With each successful attack, knowledge is quickly transferred to the next generation or variation of the attack, making it more difficult to block all known and unknown variants of the attack. Examples of blended attacks include Nimda, CodeRed and Bugbear.

Attacks that target new vulnerabilities are being created much faster than in the past. The amount of social engineering being used in the latest generation of attacks has also increased significantly. Attackers are now designing their attacks to imitate legitimate applications and email messages to fool the users into executing them. Phishing attacks that claim to be from legitimate organizations are fooling thousands of innocent victims into giving out their financial and personal information. Adware, malicious Web sites, Web redirectors, and other forms of Spyware are secretly installing tracking mechanisms, key loggers, file sweepers, and other forms of malicious software onto the user's hosts without their knowledge. Attacks using email as a delivery mechanism are now one of the most popular attack methods. Viruses that are designed to use the personal address book of an email client to spread or further spam other users have become the norm of modern attacks.

Figure 2: CSO's SecuritySensor VIII Study shows that nearly 60% of all respondents reported Spyware incidents during Q4 2004.

Figure 3: CSO SecuritySensor VIII Spyware Poll Results (December 2004)


As the level and intensity of attacks and threats increase, IT professionals must understand the new threats and either add new detection and security devices or re-architect their network resources to make themselves less vulnerable. For many years, companies have relied on stateful firewalls, intrusion detection systems, host-based antivirus, and anti-spam solutions to keep their corporate users and resources safe. But the landscape is quickly changing and the effectiveness of these traditional single purpose point security devices is no longer proving adequate. In order to detect the newest attacks, security devices will have to adopt multiple security functions.

Figure 4: SANS.ORG Survival Time. Average "survival time" SANS.ORG uses to track the time between attacks - the average time is 18 minutes between reported attacks.

WHY TRADITIONAL SECURITY IS FAILING

Stateful firewalls, IDS, and host-based antivirus software are the most popular security products used today. But they are quickly becoming less effective against the new generation of security threats, and IT professionals are seeing more infections and attacks succeed against their security and network infrastructure.

TRADITIONAL FIREWALL SYSTEMS

Stateful firewalls were originally designed to secure corporations from the Internet by providing a secure intermediary between the trusted corporate network and the untrusted public network. Stateful firewalls worked by keeping track of the session's state and origination. By looking into the packet's header, stateful firewalls analyzed and monitored the network layer (L3) and protocol layer (L4) and either permitted, denied, or rerouted the traffic based on a set of user defined firewall policies.

The problem with traditional stateful firewalls is that hackers have developed many ways to bypass firewall policies. Some of the methods used to bypass traditional stateful firewalls include:
• Reconnaissance using port scanners can reveal the open ports that a firewall supports.
• Attacks and probing applications can be tunneled through the firewall's open ports.
• Trojan applications on infected PCs initiate attacks from the trusted networks. As the session is initiated from the internal network, all corresponding traffic is allowed back in from the untrusted network. Examples of popular applications that initiate the attacks from the trusted network include backdoor trojans and keystroke loggers that grant unauthorized access or export information to the attacker.
• Older firewalls inspect packets on a "per-packet" basis with no ability to examine the packet payload. Viruses, worms, Trojans and other malicious applications pass through undetected.
• Newer firewalls with deep-packet inspection are often fooled when the attacker splits the attack payload into many fragmented packets and sends them out of order.
• Mobile users with laptops, personal digital assistants (PDAs), and portable email devices can become infected when they are away from the office and bring infections back to the corporate network. Perimeter firewalls will not help prevent attacks and infections that are started from within the corporation's trusted networks.

Figure 5: Number of sites that are targeted with attacks using well-known ports (port 80)

TRADITIONAL INTRUSION DETECTION SYSTEMS (IDS)

Like the traditional firewall, the traditional IDS system is giving way to newer technology as modern threats have become more sophisticated. Attackers have discovered the weaknesses of IDS systems and have implemented new methods to bypass these monitoring systems. Examples of IDS system weaknesses include:
• IDS systems are placed at strategic locations such as the perimeter or critical choke points. They can not monitor the entire network.
• IDS systems are "per-packet" inspection devices that do not sit "in-line" with the network traffic and can not proactively block attacks in real-time. They are only monitoring devices and can only provide alerts when malicious traffic is discovered. This allows fast spreading attacks to succeed.
• IDS systems can be fooled by using fragmentation and improperly sequenced packets.
• Mirroring or redirecting traffic from multiple Gigabit ports can easily overrun IDS systems, causing them to drop packets and miss attacks.
• IDS systems can generate false positives and require continuous monitoring and fine tuning to be effective - high maintenance overhead. Many IT professionals do not have the time to review IDS log entries, and suspicious traffic often goes unnoticed.
• Reactive IDS systems that are combined with firewalls are still too slow against fast spreading network-based worms.

To overcome the IDS shortfalls, some security vendors are converting their reactive IDS technology to proactive Intrusion Prevention Systems (IPS). IPS systems sit in-line with network traffic and have the ability to proactively drop or reset suspicious and dangerous attack traffic in addition to protocol anomaly attacks such as SYN floods, ICMP attacks, and so forth.

Host-based antivirus software is the most widely deployed security application - even more so than perimeter firewalls. Host-based antivirus software became popular in the mid 1980's when file-based viruses first became prevalent and has grown to become one of the most trusted security applications used today. But relying on host-based security has its shortcomings too. Some of the drawbacks of host-based security applications include:
• High maintenance overhead required to install, maintain, and keep the attack signatures up-to-date.
• Many users do not enable automatic updating or perform regular manual updates of antivirus signature files, in effect rendering the antivirus software useless against the latest threats and attacks.
• Users can accidentally or intentionally turn off host-based security applications.
• The latest sophisticated Trojans are scanning for popular host-based antivirus systems and shutting them down before loading - making them virtually undetectable even with the latest antivirus signature files.

Companies that solely rely on host-based antivirus software and patch management for application and OS defenses are exposing their internal systems to much higher risk. With more mission critical systems being used to conduct business on a continuous and global basis, getting downtime to update operating system patches, virus signatures, and application upgrades is becoming more difficult to do. All of this means corporate Web servers, email servers, ecommerce servers, database servers, and application servers are left unpatched for longer periods of time, making them vulnerable to new attacks. Another disadvantage of only relying on host-based security is the fact that malicious code is permitted to enter into the corporate network before being detected and blocked by each individual host's security defenses - greatly jeopardizing critical business systems and network applications.


THE POWER OF DEFENSE-IN-DEPTH

IT professionals are now realizing that traditional security tools that were once extremely effective are no longer successful against the latest generation of attacks using blended, socially engineered, and protocol manipulated techniques. Security must now be layered at various network choke-points using newer detection and defense mechanisms to successfully secure the corporate network. Some of the modern security strategies used to augment existing security defenses include:
• Designing smaller Security Zones to protect critical systems.
• Adding Network-Based security platforms to provide in-line detection and prevention.
• Adding Unified Threat Management (UTM) security platforms to combine security technologies for better management, attack correlation, and lower maintenance and cost.
• Increasing monitoring of critical resources.
• Developing effective security policies and educating users.

The solution will be different for each company, and IT professionals must fully analyze and understand their security needs and what it is they're trying to protect through their efforts. A complete and effective security solution will not only include the latest security technologies, but also the budgetary, social, and cultural aspects of the company.

SECURITY ZONING CRITICAL RESOURCES


With the popularity of mobile computing devices, attacks and threats can now originate from both the external as well as the internal network. No matter how hard IT professionals try to keep their mobile users safe, the risk will always be greater when employees conduct business away from the corporate network. Mobile users are more prone to risk due to the following reasons:
• Mobile devices are not protected with the same technology as the corporate network.
• Most companies only use host-based antivirus applications to secure mobile devices. Firewalls and IDS systems are installed on a much smaller percentage of mobile devices.
• Keeping host-based security applications up-to-date and synchronized with corporate security policies is very difficult.
• Users can accidentally or intentionally turn off or modify host-based security systems.
• Employees will connect to other networks to conduct business, and the security level of these foreign networks is unknown.
• Employees may let other non-employees use their mobile devices.
• Mobile users often have Administrator Access to their devices - giving them the ability to install non-approved applications. Many of these are often freeware applications that are publicly available from the Internet and can contain Trojans and Spyware.
• Mobile devices containing corporate information may not be properly backed up, which increases the risk of losing valuable corporate property.
• Mobile devices have a much higher probability of being stolen.

Mobile devices are more susceptible to viruses, Trojans, and worms when they are away from the office. As mobile users connect back to the corporate network, infections and attacks installed on the mobile devices can spread to the corporate network - infecting other systems that were once normally protected by the corporate security defenses. To defend against this, IT professionals must redesign their networks and provide more security zoning around critical departments, server farms, and mission critical applications, in effect creating islands of secure resources to regulate access and contain outbreaks. Common tools for security zoning include Access Control Lists (ACLs), firewalls, and authentication technologies.

Figure 6: CSO SecuritySensor VIII Study - December 2004. Figure 6 illustrates the sources of information security threats as reported from CSO's SecuritySensor VIII Study. 64% of information threats reported in the poll resulted from internal trusted users and partners.

ADDING NETWORK-BASED SECURITY

Network-based security devices can be layered onto an existing security infrastructure to increase detection rates and block malicious traffic before it enters the corporate network. Network-based security devices are installed in-line with network flows and can stop malicious traffic much faster than traditional "one-armed" security devices relying on mirrored traffic flows. Examples of network-based security devices include Intrusion Prevention Systems, Antivirus Gateways, Anti-Spam Gateways, and Unified Threat Management (UTM) devices that combine multiple security features into one security platform. In addition to the ability to block traffic in real-time, other advantages of layering network-based security functions include:

• Reduces the maintenance overhead associated with host-based security applications. Attack signatures, antivirus signatures, and detection engines are upgraded on the appliance rather than hundreds of hosts.
• Upgrading is not intrusive to users, systems, or applications and occurs in real-time without downtime - unlike OS and application patches that often require a system restart.
• Protects all hosts behind the network-based security device so the rush to upgrade host-based antivirus signatures, OS patches, and application patches is reduced - giving IT professionals more time to test patches adequately before rolling them out.
• Protects legacy devices, operating systems, and applications that can not be upgraded to the latest versions.
• Blocks attacks at the network perimeter or chokepoint where the device is installed. Stops malicious traffic before it enters the corporate network.
• Can not be disabled by end users or malicious applications, unlike host-based security applications.
• Coexists with and complements existing security technology.

Fortinet's FortiGate security platforms offer another major benefit by allowing the customer to choose the operation mode: Route Mode or Transparent Mode. Route Mode allows the FortiGate security platform to function as a router at the perimeter or other Layer 3 chokepoints - detecting and blocking malicious code in real-time as traffic is routed between various subnets and VLANs. Transparent Mode allows the FortiGate security platform to act as a Layer 2 "bump in the wire" without routing traffic. Transparent Mode allows the FortiGate unit to integrate seamlessly into any existing network without disrupting existing services and allows newer security functions to be added without redesigning the entire security infrastructure.

ADDING UNIFIED THREAT MANAGEMENT SECURITY

In order to provide advanced security detection against the latest breed of blended and socially engineered threats, Fortinet has developed a new generation of security platform. IDC's Unified Threat Management (UTM) category defines this new generation of security platform as a security appliance that combines multiple security functions to increase effectiveness. By combining stateful firewall, VPN, gateway antivirus, and IPS functions into one security device, UTM security devices improve detection rates and offer better blocking capabilities than single-purpose security devices.

OTHER ADVANTAGES OF UTM SECURITY SYSTEMS INCLUDE:

• Reduces complexity and speeds up installation by providing a single management interface for several security functions.
• Lower cost of ownership when compared to purchasing and deploying multiple single purpose point-based security systems to achieve the same security functions.

As network security becomes more important for both consumers and businesses alike, IDC predicts that UTM security devices will outpace traditional firewall and VPN security devices over the next few years.

Table 1 illustrates IDC's Unified Threat Management (UTM) security platform comparison showing the growth of multiple function UTM appliances over single point security products over the next few years.

Table 1: IDC's UTM Growth Forecast

FORTINET'S ADVANCED DETECTION TECHNOLOGY

As the leader in UTM security appliances, Fortinet provides unparalleled functionality and detection capabilities in its FortiGate security platforms through its Dynamic Threat Prevention technology and advanced heuristic and anomaly detection engines. Fortinet's FortiGate security platforms offer the following security functions and benefits:
• Stateful Firewall integration with key security components.
• Gateway antivirus with real-time AV signature and attack updates.
• IDS and IPS with user customizable attack signatures and over 1300 standard signatures.
• Virtual Private Network (IPSec today and SSL coming soon).
• Anti-Spam with multiple user definable blocking mechanisms - including Black/White Lists and Real-time Blackhole Listing (RBL).
• Web Content Filtering with user definable filters and/or fully automated FortiGuard filtering service.
• Bandwidth Shaping to prevent bandwidth abuse.
• User Authentication to prevent unauthorized network use.
• Dynamic Threat Prevention provides advanced threat correlation technology.
• ASIC Acceleration provides 4x - 6x performance increase over PC based security solutions.
• Hardened OS with no 3rd party components to improve physical security.
• Complete family of supporting services - including log and report generation products as well as a client-side security component.

As threats become more creative and stealthy in nature, the ability to quickly identify and detect an attack before it enters the trusted network becomes critical. In order to provide security against the latest threats, Fortinet created several new security algorithms and detection techniques: Complete Content Inspection, Dynamic Threat Prevention System, Heuristic Scanning, and Anomaly Detection.


Figure 7: Fortinet's Detection Technology Advancement

ASIC-ACCELERATED COMPLETE CONTENT INSPECTION

Relying on packet-based security solutions is futile against modern threats that use fragmentation and a host of other tricks to bypass traditional firewalls, IDS, and antivirus systems. Fortinet's advanced Complete Content Inspection (CCI) technology scans and detects the most advanced threats by providing protection throughout the entire OSI network stack. Unlike other security technologies that rely on examination of packet headers or "deep-packet-inspection", Fortinet's CCI technology reassembles files and session information to provide unparalleled scanning and detection capabilities.

Only through reassembly can some of the most sophisticated blended threats be found. In order to offset the performance and latency delays associated with this advanced detection technology, Fortinet's FortiASIC is used to provide hardware acceleration for its signature, encryption/decryption, and SSL functionality. Fortinet's patent pending Compact Pattern Recognition Language (CPRL) is used with Fortinet's FortiASIC to provide 4x - 6x the performance of modern PC-based security platforms. Through some very clever designs, the FortiASIC technology will not lock customers into a design that can be outdated as newer threats become available. Similar to the way a graphics acceleration card speeds up the display of complex graphics, FortiASIC and CPRL speed up the signature and pattern matching routines for antivirus and attack signature matching.

The following illustration shows how Fortinet's Complete Content Inspection & Reassembly technology works.

• Attack payload is designed to avoid traditional security devices that inspect traffic using "per-packet" technology.
• Packets are fragmented and sent out of order.
• Malicious payload is distributed between many fragmented packets.
• Fortinet's Content Reassembly technology takes the inbound packets and correctly reorders all packets belonging to the same session.
• Attacks relying on fragmentation and out-of-sequence techniques are foiled.
• Fortinet's Heuristic and Anomaly Detection engines carefully inspect each packet's header for proper protocol and application formatting.
• Header syntax and semantics must match the protocol or application's standard formatting rules.
• Malformed packets are identified and blocked.
• File contents are reassembled completely and fully inspected from beginning to end.
• AV signatures accelerated by Fortinet's CPRL and FortiASIC technologies are used for quick identification of known attacks.
• Heuristic Inspection is used to find unknown non-signature based attacks.
• Malicious files are identified and blocked.
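The reassembly steps above, as an added example that is not code from this paper or from Fortinet: a small Python reassembler that buffers fragments per session, treats overlapping or oversized fragments as malformed, and matches a signature only once the datagram is complete, beside a per-packet matcher that misses the same pattern when it straddles two out-of-order fragments. The session key, the signature table and the fragment payloads are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_DATAGRAM = 65535  # largest IPv4 datagram; a fragment reaching past it is malformed

# Constructed signature table (hypothetical pattern, not a real Fortinet signature).
SIGNATURES = {"constructed-exploit-1": b"EXPLOIT-MARKER"}

SessionKey = Tuple[str, str, int]  # (source, destination, datagram identifier)


@dataclass
class Fragment:
    session: SessionKey
    offset: int            # byte offset of this fragment inside the datagram
    payload: bytes
    more_fragments: bool   # False marks the final fragment


@dataclass
class ReassemblyState:
    received: Dict[int, bytes] = field(default_factory=dict)  # offset -> data
    total_length: Optional[int] = None                        # known once the last fragment arrives


def scan_per_packet(fragments: List[Fragment]) -> List[str]:
    """Match signatures against each fragment on its own ("per-packet" inspection)."""
    return [name for frag in fragments
            for name, pattern in SIGNATURES.items() if pattern in frag.payload]


class Reassembler:
    """Buffers fragments per session, enforces basic protocol rules and returns the
    complete datagram once every byte has arrived, whatever the arrival order."""

    def __init__(self) -> None:
        self.sessions: Dict[SessionKey, ReassemblyState] = {}

    def add(self, frag: Fragment) -> Optional[bytes]:
        end = frag.offset + len(frag.payload)
        if end > MAX_DATAGRAM:
            raise ValueError("fragment reaches past the maximum datagram size")
        state = self.sessions.setdefault(frag.session, ReassemblyState())
        if state.total_length is not None and end > state.total_length:
            raise ValueError("fragment lies beyond the declared end of the datagram")
        for off, data in state.received.items():
            if frag.offset < off + len(data) and off < end:
                raise ValueError("overlapping fragment")
        state.received[frag.offset] = frag.payload
        if not frag.more_fragments:
            if state.total_length is not None:
                raise ValueError("second 'last' fragment in one datagram")
            state.total_length = end
        return self._complete(frag.session, state)

    def _complete(self, key: SessionKey, state: ReassemblyState) -> Optional[bytes]:
        if state.total_length is None:
            return None
        expected = 0
        for off in sorted(state.received):          # contiguous coverage from 0 to the end?
            if off != expected:
                return None                         # a gap: keep waiting
            expected = off + len(state.received[off])
        if expected != state.total_length:
            return None
        datagram = b"".join(state.received[off] for off in sorted(state.received))
        del self.sessions[key]
        return datagram


def scan_with_reassembly(fragments: List[Fragment]) -> Tuple[List[str], List[str]]:
    """Reassemble first, then match signatures on the whole datagram.
    Returns (signature hits, protocol anomalies)."""
    reasm, hits, anomalies = Reassembler(), [], []
    for frag in fragments:
        try:
            datagram = reasm.add(frag)
        except ValueError as err:                   # malformed: would be blocked in-line
            anomalies.append(f"{frag.session}: {err}")
            continue
        if datagram is not None:
            hits.extend(name for name, pattern in SIGNATURES.items() if pattern in datagram)
    return hits, anomalies


def constructed_attack_fragments() -> List[Fragment]:
    """Constructed payload split so the marker straddles two fragments, sent out of order."""
    payload = b"GET /index.html EXPLOIT-MARKER HTTP/1.0\r\n"
    key = ("10.0.0.5", "192.0.2.10", 4711)
    return [Fragment(key, 22, payload[22:], False),
            Fragment(key, 0, payload[0:10], True),
            Fragment(key, 10, payload[10:22], True)]


def constructed_overlap_fragments() -> List[Fragment]:
    """Constructed malformed datagram: the second fragment overwrites bytes 8..15."""
    key = ("10.0.0.6", "192.0.2.10", 4712)
    return [Fragment(key, 0, b"A" * 16, True), Fragment(key, 8, b"B" * 16, False)]


if __name__ == "__main__":
    print("per-packet:", scan_per_packet(constructed_attack_fragments()))
    print("reassembled:", scan_with_reassembly(constructed_attack_fragments()))
    print("overlap:", scan_with_reassembly(constructed_overlap_fragments()))
```

The per-packet scan returns nothing for the attack fragments because no single fragment contains the whole marker; the reassembled scan finds it, and the overlapping datagram is reported as an anomaly before any signature work is done.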


Fortinet's Complete Content Inspection & Reassembly technology with the industry's first hardware accelerated inspection engine (FortiASIC and Compact Pattern Recognition Language) provides the most advanced ASIC accelerated security products available today.

DYNAMIC THREAT PREVENTION SYSTEM

Fortinet's Dynamic Threat Prevention System (DTPS) is a unique technology that was created by Fortinet to increase detection capabilities against both known and unknown threats. The Dynamic Threat Prevention System correlates attack information from Fortinet's Antivirus, IDS, IPS and Firewall modules. Unlike many other security companies that combine antivirus, intrusion detection, intrusion prevention, and firewall technologies from multiple vendors, Fortinet's approach allows tighter integration between its security modules - producing the Dynamic Threat Prevention System.

Fortinet's DTPS technology allows threat information from each security function to be communicated between each other and correlates "threat index" information to identify suspicious and malicious traffic that may not have attack signatures yet. By tracking the inspection activities of every security component, the Dynamic Threat Prevention System also decreases the number of "false positives" to improve detection accuracy of the entire system.

To maximize performance, all session traffic is analyzed by each security and detection engine using known signatures first. Signature pattern matching with Fortinet's hardware accelerated Compact Pattern Recognition Language and FortiASIC is the fastest method for identifying known attacks. If a signature match is found, DTPS handles the malicious traffic according to the rules defined in the Action Policies - drop packet, reset client, reset server, end session, and so forth. The FortiProtect Network provides real-time updates to keep the FortiGate's AV and IDS/IPS signatures as well as security engines up-to-date. This ensures that the latest signature based threats are identified and stopped quickly.

If a signature match is not found and the Heuristic Scanning and Anomaly Detection Engines are enabled, the session traffic will be further scrutinized and examined for abnormalities. By leveraging the latest heuristic scanning technology, anomaly detection techniques and its Dynamic Threat Prevention System, FortiGate security platforms significantly raise the bar against both known and unknown threats. Security solutions that mix and match security components (antivirus, IPS, IDS, firewall) from many different vendors lack the ability to coordinate detection efforts and are at a disadvantage when compared with Fortinet's DTPS technology.
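The signature-first pipeline and the cross-module "threat index" described in this section, as an added example that is not Fortinet's DTPS implementation: a constructed Python model in which a signature match short-circuits to the action policy, and otherwise three modules (antivirus heuristic, IPS anomaly, firewall rate) each contribute a score that is only decisive once correlated. The signature table, the three scoring rules, the thresholds, the action names and the sample sessions are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed signature table and action policy (hypothetical; not Fortinet's data).
SIGNATURES = {"constructed-worm-sig": b"WORM-PAYLOAD"}
ACTION_POLICY = {"signature": "drop_packet", "correlated": "reset_client", "clean": "pass"}

CORRELATED_THRESHOLD = 10    # combined index across modules that marks the session malicious
SINGLE_MODULE_THRESHOLD = 9  # a lone module must be this confident to block on its own


@dataclass
class Session:
    src: str
    dst: str
    payload: bytes
    new_connections_last_minute: int = 0                        # constructed firewall statistic
    threat_index: Dict[str, int] = field(default_factory=dict)  # module -> score 0..10


# Each module contributes a score; none of them is decisive on its own.
def antivirus_heuristic(s: Session) -> int:
    # Constructed rule: an executable header in the stream is suspicious but also common.
    return 6 if s.payload.startswith(b"MZ") else 0


def ips_anomaly(s: Session) -> int:
    # Constructed rule: a text protocol carrying mostly control bytes is anomalous.
    control = sum(1 for b in s.payload if b < 9 or 13 < b < 32)
    return 5 if control > len(s.payload) // 4 else 0


def firewall_rate(s: Session) -> int:
    # Constructed rule: a host opening many new connections looks like a spreading worm.
    return 4 if s.new_connections_last_minute > 50 else 0


MODULES: List[Tuple[str, Callable[[Session], int]]] = [
    ("antivirus", antivirus_heuristic), ("ips", ips_anomaly), ("firewall", firewall_rate)]


def inspect(s: Session) -> Tuple[str, str]:
    """Signature matching first (cheapest and most certain); only unmatched sessions
    go through the heuristic modules, whose scores are correlated into one index."""
    for name, pattern in SIGNATURES.items():
        if pattern in s.payload:
            return "signature:" + name, ACTION_POLICY["signature"]
    for module, score in MODULES:
        s.threat_index[module] = score(s)
    total = sum(s.threat_index.values())
    strongest = max(s.threat_index.values())
    if total >= CORRELATED_THRESHOLD or strongest >= SINGLE_MODULE_THRESHOLD:
        return "correlated", ACTION_POLICY["correlated"]
    return "clean", ACTION_POLICY["clean"]


def constructed_sessions() -> Dict[str, Session]:
    """Three constructed sessions: a signature hit, a legitimate download that only
    trips one module, and an unknown spreader that trips all three."""
    return {
        "known_worm": Session("10.0.0.4", "10.0.0.9", b"...WORM-PAYLOAD..."),
        "legit_download": Session("192.0.2.8", "10.0.0.5",
                                  b"MZ\x90\x00This program cannot be run in DOS mode.", 3),
        "unknown_spreader": Session("10.0.0.12", "10.0.0.13",
                                    b"MZ" + bytes(range(32)) * 2, 120),
    }


def run_all() -> Dict[str, Tuple[str, str]]:
    return {name: inspect(s) for name, s in constructed_sessions().items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name}: {verdict}")
```

The legitimate download scores 6 from the antivirus module alone and passes, which is the false-positive reduction the text describes; the unknown spreader has no signature but scores 6 + 5 + 4 across the modules and is reset under the correlated policy.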

ADVANCED HEURISTICS AND ANOMALY DETECTION

To provide advanced detection and protection against unknown threats and malicious traffic, Fortinet combines multiple leading-edge detection techniques to provide Heuristic Scanning and Anomaly Detection. Heuristic Scanning technology is used to enhance antivirus, anti-spam, and other related scanning activities while Anomaly Detection is used by the IDS and IPS detection engines. By combining both advanced techniques with signature-based technology, detection capabilities are significantly improved against attacks that rely on methods such as IP fragmentation and protocol manipulation.

HEURISTIC SCANNING FOR ANTIVIRUS

Fortinet's advanced antivirus scanning techniques include:
• File Analysis
• Worm Inspection
• File Type Analysis
• Signature Inspection
• Heuristic Inspection

Fortinet's antivirus scanning engine combines many technologies to detect both known viruses and new viruses without developed signatures. Detecting unknown viruses is performed through sophisticated heuristic techniques that are applied to the file headers as well as the actual packet content.

Figure 8: Fortinet's Advanced Antivirus Scanning Technology

Fortinet's File Analysis module is used to identify the file type that is associated
with the HTTP, FTP, POP3, SMTP, or IMAP data stream. Based on the file type
identified, the AV engine will employ other scanning techniques developed
www.fortinet.com
ADVANCED DETECTION TECHNOLOGY 16

specifically for the file type. Examples include Microsoft Office files, macros,
executable binary files, and compressed files.

The Worm Inspection module performs several checks against the file stream.
Static Worm inspection is performed against the file type and file characteristics
(such as size, CRC, etc.) to quickly identify well-known worms through signa-
ture matching technology. If a positive match is found, the session is blocked
and a notification is sent.

The File Type Analysis module performs specific scanning routines against the
file's known file type. For example, compressed files are uncompressed and
examined, Microsoft Word files are passed through the MS Word inspection
engine, and binary executables are passed through the binary inspection
engine. Each of the File Type inspection engines will use specific rules and poli-
cies for detecting known threats related to the file type it's designed to inspect.

The Signature Inspection module is used to scan for known threats. This mod-
ule employs Fortinet's Compact Pattern Recognition Language (CPRL) and the
FortiASIC hardware to scan the file stream with thousands of known signatures -
detecting known threats at incredible speeds with the advantage of hardware
acceleration. For hard-to-detect polymorphic viruses, additional scanning rou-
tines are employed with the Signature Inspection module.

After signature inspection is performed, and if heuristic inspection is
enabled, the file stream is passed through the Heuristic Inspection module.
This module performs additional scanning on the header and imports of the
Portable Executable file. For each test, the Heuristic Inspection engine rates
the possibility of a threat based on rules it has developed for the file type.
After each test is completed, the threat ratings are examined and if they
exceed the overall rating permitted for the file type, the file stream is
flagged and processed accordingly.
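
The example below is added to show what such weighted header tests look
like in practice; it is not Fortinet's heuristic engine and its rules,
weights and 50-point threshold are assumed values. It parses the PE32
header and section table, scores traits that packed or self-modifying
executables exhibit (entry point outside or in a late section, sections both
writable and executable, high-entropy section data, executable sections
with no bytes on disk, unusual section names) and flags the file when the
sum crosses the threshold. Both images are constructed in memory and are
not loadable programs; import-table walking is left out to keep the example
short.

```python
"""Heuristic scoring of a Portable Executable header and section table.

Added example, not Fortinet's heuristic engine. Rule weights, the 50-point
threshold and the two PE images are constructed for illustration."""
import hashlib
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COMMON_SECTIONS = {b".text", b".data", b".rdata", b".bss", b".idata",
                   b".edata", b".rsrc", b".reloc", b".tls", b".pdata"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted code sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Minimal PE32 reader: entry-point RVA and the section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    (nsections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    (entry,) = struct.unpack_from("<I", image, opt + 16)   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "chars": chars,
                         "entropy": entropy(image[rawptr:rawptr + rawsize])})
    return {"entry": entry, "sections": sections}


def score_pe(image: bytes, threshold: int = 50):
    """Return (flagged, total score, findings); each matching rule adds its weight."""
    pe = parse_pe(image)
    findings, ep, ep_section = [], pe["entry"], None
    for s in pe["sections"]:
        if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"]):
            ep_section = s
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(("writable and executable section %r" % s["name"], 20))
        if s["name"] not in COMMON_SECTIONS:
            findings.append(("non-standard section name %r" % s["name"], 10))
        if s["rawsize"] and s["entropy"] > 7.0:
            findings.append(("high-entropy section %r (%.2f bits)" % (s["name"], s["entropy"]), 25))
        if s["rawsize"] == 0 and s["vsize"] and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(("executable section %r has no file data" % s["name"], 20))
    if ep_section is None:
        findings.append(("entry point outside every section", 40))
    elif ep_section is not pe["sections"][0]:
        findings.append(("entry point not in the first section", 15))
    total = sum(w for _, w in findings)
    return total >= threshold, total, findings


def build_pe(entry_rva: int, sections: list) -> bytes:
    """Assemble a constructed PE32 image from (name, va, vsize, chars, raw) tuples."""
    opt_size, nsec = 224, len(sections)
    raw_base = (0x40 + 4 + 20 + opt_size + 40 * nsec + 0x1FF) & ~0x1FF   # file alignment 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva,
                      0x1000, 0x2000, 0x400000, 0x1000, 0x200).ljust(opt_size, b"\0")
    table, body = b"", b""
    for name, va, vsize, chars, raw in sections:
        ptr = raw_base + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va,
                             len(raw), ptr, 0, 0, 0, 0, chars)
        body += raw.ljust((len(raw) + 0x1FF) & ~0x1FF, b"\0")
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_base, b"\0") + body


# Constructed samples: a plain image, and a UPX-style packed one whose code
# lives in a writable, executable, high-entropy section while the first
# section has no bytes on disk at all.
PACKED_BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
BENIGN = build_pe(0x1000, [(b".text", 0x1000, 0x1000, 0x60000020, b"\x90" * 200 + b"\xc3")])
PACKED = build_pe(0x11010, [(b"UPX0", 0x1000, 0x10000, 0xE0000080, b""),
                            (b"UPX1", 0x11000, 0x1000, 0xE0000040, PACKED_BLOB)])
```

Run against the two samples, the plain image scores 0 and the packed one
120, so it is flagged. Note that packing alone is not proof of malice:
legitimate installers are packed too, which is why the text treats the
heuristic verdict as a rating to be weighed rather than a signature match.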

By coordinating all scanning and detection functions with the Dynamic Threat
Prevention System, customers are assured of the highest possible detection rates
against both known and unknown threats and attacks.

Anomaly Detection for Intrusion Detection & Prevention

Fortinet's advanced Intrusion Detection and Prevention techniques include:
• Stateful Inspection
• Content Reassembly
• Communication Protocol Inspection
• Application Protocol Inspection
• Content Inspection
• Activity Inspection

Figure 9: Fortinet's Advanced Intrusion Detection & Prevention Technologies

Fortinet's Anomaly Detection technology goes far beyond signature-based IDS
systems by analyzing the entire packet: including the packet header, protocol
information, application information, packet content, and session activity. By
using six separate anomaly detection processes with full content reassembly
and correlating the inspection process with the Dynamic Threat Prevention
System, detailed session information is tracked and analyzed to detect the most
advanced threats as well as unknown "zero hour" attacks. Attacks such as:

o Network-based Worms & Trojans
o Malformed Packets
o Denial of Service
o Spoofing
o Brute Force Attacks
o Cross-site Scripting
o Information Query
o Buffer Overflow
o Fragmentation
o Directory Traversal
o Session Hijacking
o Gratuitous Injection

And many others.

The Stateful Inspection Engine is designed to track all communication layers for
every session traversing Fortinet's security platform, for both stateful
connection-based and connectionless protocols. Cumulative state and session
information is collected and used to ensure that all subsequent packets for
each session are being sent and received properly.
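
As an added illustration of what "ensuring subsequent packets are sent and
received properly" means for TCP (example code, not Fortinet's engine), the
tracker below keeps a state per session and forwards a packet only when its
flags fit that state: an ACK probe against a port with no session, a SYN
inside an established connection, or data after the connection has been torn
down are all dropped. Packets are constructed tuples and sequence-number
validation is left out.

```python
"""Stateful inspection of TCP sessions: a packet is forwarded only if it fits
the state the session is in; anything else (ACK probes, mid-stream SYNs,
data after teardown) is dropped.

Added example, not Fortinet's engine. Packets are (src, sport, dst, dport,
flags) tuples constructed below; sequence-number checking is left out."""


class StatefulInspector:
    def __init__(self):
        self.sessions = {}   # normalised 4-tuple -> [state, client endpoint]

    @staticmethod
    def _key(src, sport, dst, dport):
        a, b = (src, sport), (dst, dport)
        return (a, b) if a <= b else (b, a)       # same key for both directions

    def process(self, src, sport, dst, dport, flags: set) -> str:
        key = self._key(src, sport, dst, dport)
        entry = self.sessions.get(key)
        label = "+".join(sorted(flags)) or "none"
        if entry is None:
            if flags == {"SYN"}:                  # only a clean SYN may open a session
                self.sessions[key] = ["SYN_SENT", (src, sport)]
                return "allow"
            return "drop: %s with no session" % label
        state, client = entry
        from_client = (src, sport) == client
        if "RST" in flags:                        # either side may abort at any time
            del self.sessions[key]
            return "allow"
        if state == "SYN_SENT" and {"SYN", "ACK"} <= flags and not from_client:
            entry[0] = "SYN_RECV"
            return "allow"
        if state == "SYN_RECV" and flags == {"ACK"} and from_client:
            entry[0] = "ESTABLISHED"
            return "allow"
        if state == "ESTABLISHED" and "SYN" not in flags:
            if "FIN" in flags:
                entry[0] = "FIN_WAIT"             # one side has finished sending
            return "allow"
        if state == "FIN_WAIT" and "SYN" not in flags:
            if "FIN" in flags:
                entry[0] = "LAST_ACK"             # both sides have finished
            return "allow"
        if state == "LAST_ACK" and flags == {"ACK"}:
            del self.sessions[key]                # clean close; forget the session
            return "allow"
        return "drop: %s not valid in state %s" % (label, state)


if __name__ == "__main__":
    insp = StatefulInspector()
    client, server = ("10.0.0.5", 40000), ("203.0.113.10", 80)
    print(insp.process(*client, *server, {"SYN"}))
    print(insp.process(*server, *client, {"SYN", "ACK"}))
    print(insp.process(*client, *server, {"ACK"}))
    print(insp.process("198.51.100.7", 5555, *server, {"ACK"}))   # ACK scan probe
```

A real engine also ages out idle entries and checks sequence and
acknowledgement numbers against the window, which is what stops an attacker
who knows the 4-tuple from injecting packets into someone else's session.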

The Content Reassembly module reassembles all packets to ensure that packets
belonging to each session are arriving in the correct order. This helps to
remove overlapped fragments, duplicate fragments, packets with invalid sizes,
and packets with invalid offsets - eliminating many sophisticated attacks that
rely on fragmentation, illegal offsets, fragroute evasion, and so forth.
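
The reassembler below is an added example (not Fortinet's engine) of the
policy that defeats the evasions listed above: fragments are accepted only
when they are 8-byte aligned, stay within the 65535-byte datagram limit and
never overlap an earlier fragment with different bytes. Rather than guessing
whether the end host will honour the first or the last copy (the ambiguity
fragroute-style tools exploit), a conflicting set is dropped outright. The
fragments are constructed (offset, more-fragments, payload) tuples and the
key stands in for the IP header's source, destination, identification and
protocol fields.

```python
"""IP fragment reassembly that rejects ambiguous fragment sets instead of
guessing which copy the end host will honour (the policy gap that
fragroute-style evasion exploits).

Added example, not Fortinet's engine. Fragments are constructed
(offset_in_bytes, more_fragments, payload) tuples; the key stands in for
the (src, dst, id, protocol) tuple of the IP header."""

MAX_DATAGRAM = 65535


class FragmentReassembler:
    def __init__(self):
        self.pending = {}   # key -> {"chunks": {offset: bytes}, "total": int or None}

    def add(self, key, offset: int, more_fragments: bool, payload: bytes):
        """Returns ("incomplete", None), ("drop", reason) or ("complete", datagram)."""
        end = offset + len(payload)
        if more_fragments and (offset % 8 or len(payload) % 8):
            return ("drop", "non-final fragment not aligned to 8-byte units")
        if end > MAX_DATAGRAM:
            return ("drop", "fragment extends past the 65535-byte maximum")
        entry = self.pending.setdefault(key, {"chunks": {}, "total": None})
        # Overlap check: a byte may arrive twice only with identical content.
        for off, data in entry["chunks"].items():
            lo, hi = max(off, offset), min(off + len(data), end)
            if lo < hi and data[lo - off:hi - off] != payload[lo - offset:hi - offset]:
                del self.pending[key]
                return ("drop", "overlapping fragments carry conflicting data")
        if not more_fragments:
            if entry["total"] is not None and entry["total"] != end:
                del self.pending[key]
                return ("drop", "two final fragments with different lengths")
            entry["total"] = end
        entry["chunks"][offset] = payload
        return self._complete(key, entry)

    def _complete(self, key, entry):
        total = entry["total"]
        if total is None:
            return ("incomplete", None)           # final fragment not seen yet
        buf, seen = bytearray(total), bytearray(total)
        for off, data in entry["chunks"].items():
            if off + len(data) > total:
                del self.pending[key]
                return ("drop", "fragment extends past the final fragment")
            buf[off:off + len(data)] = data
            seen[off:off + len(data)] = b"\x01" * len(data)
        if not all(seen):
            return ("incomplete", None)           # holes remain
        del self.pending[key]
        return ("complete", bytes(buf))


if __name__ == "__main__":
    key = ("10.0.0.1", "10.0.0.2", 0x1234, 6)       # constructed datagram key
    r = FragmentReassembler()
    print(r.add(key, 0, True, b"A" * 16))
    print(r.add(key, 8, True, b"C" * 8))             # rewrites bytes 8..15: dropped
```

Two things a production reassembler adds are a timeout per pending datagram,
so an attacker cannot fill memory with never-completed sets, and a minimum
size for the first fragment so the transport header cannot be split across
fragments to hide ports and flags from the inspection engines.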

The Communication Protocol Inspection engine ensures that the protocols are
indeed valid: TCP, UDP, ICMP, etc. All protocol headers are inspected for
irregularities against the protocol's legal syntax and semantics. Packets with
malformed protocol information are identified and blocked.
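
The following added example (not Fortinet's engine) shows the kind of
syntax checks meant here, applied to raw IPv4 and TCP headers: version and
length fields that must agree with the bytes on the wire, the IPv4 header
checksum, reserved bits, port 0, and flag combinations that no legitimate
stack emits but scanners and malformed-packet attacks do (SYN+FIN, no flags,
FIN+PSH+URG). The packets are constructed by the helper at the bottom; TCP
option parsing and the TCP checksum are omitted.

```python
"""Syntax checks on raw IPv4 and TCP headers: version and length fields,
the header checksum, and flag combinations no legitimate stack sends.

Added example, not Fortinet's engine. The packets are constructed with the
helper at the bottom; TCP option and TCP checksum checks are omitted."""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over a header whose checksum is right."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def inspect_tcp(segment: bytes) -> list:
    problems = []
    if len(segment) < 20:
        return ["truncated TCP header"]
    sport, dport, _seq, _ack, off_res, flags, _win, _csum, urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        problems.append("TCP data offset %d invalid for a %d-byte segment"
                        % (data_offset, len(segment)))
    if off_res & 0x0E:                      # bits between data offset and NS
        problems.append("TCP reserved bits set")
    if sport == 0 or dport == 0:
        problems.append("TCP port 0")
    f = flags & 0x3F
    if f == 0:
        problems.append("no TCP flags (NULL scan)")
    if f & (SYN | FIN) == SYN | FIN:
        problems.append("SYN and FIN set together")
    if f & (SYN | RST) == SYN | RST:
        problems.append("SYN and RST set together")
    if f & (FIN | PSH | URG) == FIN | PSH | URG:
        problems.append("FIN+PSH+URG (Xmas scan)")
    if urg and not f & URG:
        problems.append("urgent pointer without URG flag")
    return problems


def inspect_packet(packet: bytes) -> list:
    """Return the list of header problems; an empty list means well formed."""
    if len(packet) < 20:
        return ["truncated IPv4 header"]
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", packet[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    problems = []
    if version != 4:
        problems.append("IP version %d" % version)
    if ihl < 20 or ihl > len(packet):
        return problems + ["IHL %d invalid for a %d-byte packet" % (ihl, len(packet))]
    if total_len != len(packet):
        problems.append("total length %d but %d bytes on the wire" % (total_len, len(packet)))
    if ip_checksum(packet[:ihl]) != 0:
        problems.append("bad IPv4 header checksum")
    if proto == 6:
        problems.extend(inspect_tcp(packet[ihl:]))
    return problems


def build_packet(flags: int, doff_words: int = 5, total_len: int = None,
                 fix_checksum: bool = True, urg: int = 0) -> bytes:
    """Constructed IPv4/TCP packet 10.0.0.5:40000 -> 203.0.113.10:80 with no payload."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, doff_words << 4, flags, 65535, 0, urg)
    length = 20 + len(tcp) if total_len is None else total_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([203, 0, 113, 10]))
    if fix_checksum:
        ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + tcp


if __name__ == "__main__":
    for label, pkt in ("syn", build_packet(SYN)), ("xmas", build_packet(FIN | PSH | URG)):
        print(label, inspect_packet(pkt))
```

Length checks come before anything that indexes into the packet: a data
offset larger than the segment is exactly the kind of field a parser
trusts and then reads past the buffer on, so the engine must validate it
before the Application Protocol Inspection stage consumes the payload.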

The Application Protocol Inspection engine ensures that the application's
header is compliant according to the application's legal syntax and semantics.
The header values are validated and overflows are prevented. Legal applications
such as Telnet, FTP, HTTP, SMTP, POP3, etc. are inspected for compliance while
malicious applications such as BackOrifice, SubSeven, TFN2k, etc. are identified
and blocked proactively before they can cause damage to the network.
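
To make "header values are validated and overflows are prevented" concrete,
the added example below (not Fortinet's engine) checks an HTTP/1.x request
head against the protocol grammar and against fixed size limits before it
reaches a server that would otherwise have to buffer an over-long line. It
also rejects a request that carries both Content-Length and
Transfer-Encoding, the ambiguity request-smuggling attacks depend on. The
limits and the method allow-list are assumed values; the sample requests
are constructed.

```python
"""Application-protocol checks on an HTTP/1.x request head: the request line
and each header must match the grammar and stay within fixed size limits, so
an over-long or malformed field is rejected before the server buffers it.

Added example, not Fortinet's engine. Limits and the method allow-list are
assumed values; the sample requests are constructed."""
import re

MAX_REQUEST_LINE = 4096
MAX_HEADER_LINE = 1024
MAX_HEADERS = 64
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 token
VERSION = re.compile(r"^HTTP/1\.[01]$")


def inspect_http_request(raw: bytes) -> list:
    """Return the list of problems; an empty list means the head is acceptable."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["request head not terminated by CRLF CRLF"]
    lines = head.split(b"\r\n")
    problems = []
    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE:
        problems.append("request line is %d bytes, limit %d"
                        % (len(request_line), MAX_REQUEST_LINE))
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return problems + ["request line is not 'METHOD target HTTP/x.y'"]
    method, target, version = (p.decode("latin-1") for p in parts)
    if method not in ALLOWED_METHODS:
        problems.append("method %r not permitted" % method)
    if not (target.startswith("/") or target == "*" or "://" in target):
        problems.append("request target %r is not origin-, absolute- or asterisk-form"
                        % target[:40])
    if not VERSION.match(version):
        problems.append("unsupported version %r" % version)
    headers = lines[1:]
    if len(headers) > MAX_HEADERS:
        problems.append("%d headers, limit %d" % (len(headers), MAX_HEADERS))
    content_length = transfer_encoding = None
    for line in headers:
        if len(line) > MAX_HEADER_LINE:
            problems.append("header line is %d bytes, limit %d" % (len(line), MAX_HEADER_LINE))
            continue
        name, colon, value = line.partition(b":")
        # Name must be a token with no whitespace before the colon (RFC 7230 3.2.4).
        if not colon or not TOKEN.match(name.decode("latin-1")):
            problems.append("malformed header %r" % line[:40])
            continue
        value = value.strip(b" \t")
        if any(b < 0x20 and b != 0x09 or b == 0x7F for b in value):
            problems.append("control character in %s value" % name.decode("latin-1"))
        lname = name.lower()
        if lname == b"content-length":
            if not value.isdigit():
                problems.append("non-numeric Content-Length %r" % value[:20])
            elif content_length is not None and content_length != int(value):
                problems.append("conflicting Content-Length values")
            else:
                content_length = int(value)
        elif lname == b"transfer-encoding":
            transfer_encoding = value
    if content_length is not None and transfer_encoding is not None:
        problems.append("both Content-Length and Transfer-Encoding present (request smuggling risk)")
    return problems


if __name__ == "__main__":
    print(inspect_http_request(b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"))
    print(inspect_http_request(b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\nHost: x\r\n\r\n"))
```

The size limits are the overflow prevention the text refers to: the
inspection engine enforces a bound the server behind it may not, so a
request line or header built to overrun a fixed buffer never arrives.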

The Content Inspection module analyzes the application payload and searches
for both known and unknown malicious content. Using a sophisticated rating
system and past session activity patterns, the Content Inspection module
performs deep-packet analysis on every session flow and distinguishes between
application content types to maximize detection capabilities.

The Activity Inspection module takes anomaly detection to a new level. By
correlating session information in both directions, data information, channel
information, control information, active sessions, and zombie session
information is gathered and analyzed over time. As traffic information
accumulates, the system develops knowledge of normal traffic patterns. When
malicious and abnormal traffic flows traverse Fortinet's security platform,
they are quickly identified and blocked.
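
The added example below (not Fortinet's engine) shows one simple form of
the learning described here: per source, count new sessions per time window,
treat the earlier windows as the baseline, and flag a window whose count
exceeds the baseline mean by a wide margin; sessions whose handshake never
completes are tracked separately as half-open ("zombie") sessions. The
window length, warm-up period, k-sigma margin and the event log are
constructed values.

```python
"""Activity baselining over time: learn how many new sessions each source
normally opens per window, flag a window far above that baseline, and count
sessions whose handshake never completes (half-open, "zombie" sessions).

Added example, not Fortinet's engine. The window length, warm-up, k-sigma
margin and the event log are constructed values."""
import math
from collections import defaultdict


class ActivityInspector:
    def __init__(self, window: int = 60, warmup: int = 5, k: float = 4.0, min_count: int = 20):
        self.window, self.warmup, self.k, self.min_count = window, warmup, k, min_count
        self.counts = defaultdict(lambda: defaultdict(int))   # src -> window -> new sessions
        self.half_open = defaultdict(set)                     # src -> sessions awaiting handshake

    def observe(self, ts: float, src: str, session, event: str) -> None:
        """event is "syn" (new session attempt), "established" or "closed"."""
        if event == "syn":
            self.counts[src][int(ts // self.window)] += 1
            self.half_open[src].add(session)
        else:
            self.half_open[src].discard(session)

    def evaluate(self, src: str, window_index: int) -> dict:
        """Compare one window with the baseline learned from the earlier windows."""
        history_windows = [w for w in self.counts[src] if w < window_index]
        current = self.counts[src].get(window_index, 0)
        if len(history_windows) < self.warmup:
            return {"src": src, "current": current, "anomalous": False, "reason": "still learning"}
        # Quiet windows count as zero so idle periods lower the baseline too.
        first = min(history_windows)
        history = [self.counts[src].get(w, 0) for w in range(first, window_index)]
        mean = sum(history) / len(history)
        sd = math.sqrt(sum((x - mean) ** 2 for x in history) / len(history))
        # Floor the deviation so a perfectly regular host does not get a zero margin,
        # and never alert below min_count new sessions per window.
        threshold = max(mean + self.k * max(sd, 1.0), self.min_count)
        return {"src": src, "current": current, "mean": mean, "threshold": threshold,
                "half_open": len(self.half_open[src]), "anomalous": current > threshold}


def constructed_events() -> list:
    """Six quiet minutes of four completed sessions each, then one minute of
    150 SYNs that never complete (a scan or SYN flood from 10.0.0.5)."""
    events = []
    for minute in range(6):
        for i in range(4):
            t, sid = minute * 60 + i * 10, ("10.0.0.5", 40000 + minute * 10 + i)
            events.append((t, "10.0.0.5", sid, "syn"))
            events.append((t + 0.1, "10.0.0.5", sid, "established"))
    for i in range(150):
        events.append((360 + i * 0.2, "10.0.0.5", ("10.0.0.5", 50000 + i), "syn"))
    return events


def run_demo() -> dict:
    insp = ActivityInspector()
    for event in constructed_events():
        insp.observe(*event)
    return {"minute5": insp.evaluate("10.0.0.5", 5), "minute6": insp.evaluate("10.0.0.5", 6)}


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, result)
```

Minute 5 sits on the baseline and passes; minute 6 exceeds it by an order
of magnitude with all 150 sessions still half-open, which is the signature
of a scan or flood rather than a busy but legitimate client. The weak point
of any learned baseline is the warm-up: an attacker already active while the
system is learning becomes part of "normal", so the baseline should be
seeded or reviewed before it is trusted to block.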

The Dynamic Threat Prevention System correlates the inspection process and
helps detect a wide range of known and unknown "zero hour" attacks. By
examining the outcome of each anomaly detection engine and comparing it
with known and learned session activity, the number of false positives is
greatly reduced.

FORTINET - SCALABLE & FLEXIBLE SECURITY


While other security companies are combining multiple vendors' technologies
to bring their products into the Unified Threat Management category, Fortinet
saw the need for this type of advanced security appliance back in the year
2000 and created its network security platform on this premise. Today,
Fortinet is recognized by international research firm IDC as the Unified Threat
Management security category leader. With the ability to filter traffic based
on its stateful firewall, antivirus, anti-spyware, IDS, IPS, anti-spam, web
content filtering, and bandwidth shaping technologies, Fortinet provides
additional layers of security against the latest socially engineered and
blended threats.

Detecting and blocking known and unknown threats quickly and proactively at
the perimeter and other critical network chokepoints is critical to the
security of any network. Fortinet's advanced threat prevention system uses
advanced detection technology to perform activity inspection, full content
reassembly, deep-packet inspection, and packet-by-packet filtering, combining
signature-based detection with advanced heuristic and anomaly detection
methods.

A COMPLETE SECURITY SOLUTION


Fortinet security platforms create a proactive unified approach to help
customers secure their critical network resources regardless of location.
Fortinet's complete family of FortiGate security platforms, logging and
reporting systems, and real-time service modules for Web content filtering and
anti-spam provide a complete in-depth security solution to safeguard both
wired and wireless networks of all sizes.

To ensure that all Fortinet security platforms are updated with the latest
antivirus & attack signatures, heuristic scanning routines, and anomaly
detection engines, customers can program their Fortinet security devices to
automatically update themselves from Fortinet's FortiProtect Network. With
over 10 secure and fault tolerant data centers around the world, updates are
quickly sent or pulled from the FortiProtect Network as new signatures and
updates become available - usually within 5 minutes of the update being posted
on the FortiProtect Network.
To provide a comprehensive logging and reporting system to alert customers of
security related issues, Fortinet provides customers a choice with FortiLog and
FortiReporter. With hundreds of pre-canned reports detailing activity
information and security alerts, customers can centralize their security
reporting into one system to help correlate security activity - making it
easier to spot malicious activity and provide detailed logging of security
events. For customers that have multiple Fortinet security devices to manage,
Fortinet's FortiManager provides comprehensive central management to allow
quick provisioning for hundreds to thousands of Fortinet devices.

Industry Awards and Recognition

Fortinet's security solutions have won numerous awards for performance,
functionality and ease-of-use. Some examples of these awards include the
following:

• IDC Unified Threat Management (UTM) Category Leader (2004)
• Network Security - Security Product of the Year 2004
• CRN Test Center Recommended
• Personal Computer World Editor's Choice
• Network Computing Editor's Choice
• Red Herring 100
• ICSA Lab Certified (Firewall, Antivirus, VPN, Intrusion Detection)

For a complete list of awards and product recognition, please visit Fortinet's
web site: www.fortinet.com

Selecting the right security device to protect your mission critical assets can be a
difficult task. To experience the "next generation" security platform, below you
will find info on how to contact a Fortinet representative.

ABOUT FORTINET (WWW.FORTINET.COM)


Fortinet is the confirmed leader of the Unified Threat Management market.
The company's award-winning FortiGate™ series of ASIC-accelerated antivirus
firewalls, winner of the 2004 Security Product of the Year Award from
Network Computing and the 2003 Networking Industry Awards Firewall
Product of the Year, are the new generation of real-time network protection
systems. They detect and eliminate the most damaging, content-based threats
from e-mail and Web traffic such as viruses, worms, intrusions, inappropriate
Web content and more in real time - without degrading network performance.
FortiGate systems are the only security products that are quadruple-certified
by the ICSA (antivirus, firewall, IPSec, NIDS), and deliver a full range of
network-level and application-level services in integrated, easily managed
platforms. Named to the Red Herring Top 100 Private Companies, Fortinet is
privately held and based in Sunnyvale, California.

SALES
Please contact us at sales@fortinet.com
or phone toll-free in the U.S. (866) 868-3678 or +1(408) 235-7700.

POTENTIAL PARTNERS
Please contact us at partners@fortinet.com or visit us at www.fortinet.com.

Copyright 2005 Fortinet, Inc. All rights reserved. Fortinet, FortiGate,
FortiClient, FortiWiFi, FortiGuard, FortiOS, FortiProtect, and FortiASIC are
registered trademarks of Fortinet Corporation in the United States and/or
other countries. The names of actual companies and products mentioned herein
may be the trademarks of their respective owners. WPR1180501
