Fortinet updated its FortiWeb security appliance to harden critical Web applications containing sensitive and confidential data from identity theft, fraud and data leaks, the company said on Jan. 31.
The 4.0 MR2 firmware update consolidates Web application firewall, XML filtering, Web traffic acceleration and load balancing into a single FortiWeb appliance, Idan Soen, a product specialist for FortiWeb and FortiDB, told eWEEK. The appliance secures Web applications, protects services and optimizes application delivery, he said. A Web Vulnerability Scanner is automatically included with each appliance to scan applications for existing vulnerabilities, Soen said.
Web applications are generally not developed with security in mind, and attacks can range from “simple defacement [to] credit card and thefts of personal data,” Soen said to eWEEK. Cross-site scripting, SQL infection attacks, HTTP response splitting and data leaks are the most common vulnerabilities, he said. He estimated over 80 percent of Web sites are vulnerable to “detailed manual attacks.”
FortiWeb 4.0 can monitor Web applications, automatically detect when attackers deface the page and revert to the clean version, Soen said. A real-time dashboard provides a high-level overview of traffic and attack statistics, he said. Resource-intensive authentication processes such as LDAP and NTLM can be offloaded onto the appliance to improve application performance, he said. The URL rewriting capability was expanded to protect underlying technology and site structure.
The appliance also enforces file restrictions to prevent unapproved file types from being uploaded or executed, according to Soen. There is also a way for IT managers to delete or mask credit card numbers to prevent data breaches.
PCI data security standards require applications to be protected with a Web application firewall and a vulnerability assessment tool. FortiWeb’s new firmware delivers both elements in a single device, Soen said. The export and import tool makes it easy to clone security policies that can be used on other Fortinet products such as FortiGate, FortiAP, FortiGuard, FortiManager, FortiAnalyzer and FortiDB. The dashboard also provides up-to-date reports about PCI compliance, he said.
Network firewalls and intrusion/prevention systems are not sufficient to defend Web applications, Soen said. Network firewalls can block attacks coming from certain IP addresses and check ports, but is “blind” to most Web application attacks because it has to let all traffic on port 80 through, he said. IPS systems are also limited because it can’t read HTTPS and SSL traffic and attackers are getting good at bypassing signature-based scanners, he said.
There are three members in the FortiWeb family, varying on network capability. The 400B appliance targets the small business for PCI compliance, offering 500GB of storage and the ability to process 10,000 transactions per second, Soen said. The midrange 1000C appliance comes with 1TB of storage and can process up to 27,000 transactions per second. And the enterprise-class, high-end 3000C model boasts 40,000 transactions per storage and 2TB of storage, he said. Prices depend on the amount of traffic it has to process, and range from $19,995 to $39,995, Soen said.
The FortiWeb product competes against Web application firewall systems from Trustwave, F5, Imperva and Barracuda Networks, Soen said.