Home
Classic
Harley
Yamaha
Suzuki
Ducati
Triumph
Honda
Kawasaki
Aprilia
Moto Guzzi
BMW
Buell
Morini
Royal Enfield
Racing
Tarmac
Track
Motocross
Trials
Mechanics
Chain
Oil
Battery
Tank
Carb
Horn
Lights
Brakes
Clutch
Cylinder
Gears
Wheels
Tyres
Chassis
Exhaust
Suspension
Misc

OT IT: Unified Threat Management



Namely UTM Network equipment such as that from Check Point and Fortinet et
all.

Anyone in the group have much knowledge of it or experience of deploying it?
I've not used the UTM stuff for Checkpoint (we're still on NG) but we
started rolling out Fortigate boxes 6 months or so ago. They're
basically Netscreens with the UTM stuff bolted on top (no surprise that
when the honcho at Netscreen sold out to Juniper, he took the devs with
him and reinvented the wheel as Fortigate).

Not made much use of the UTM features yet, though they seem simple
enough to configure. Be aware that performance drops like a stone the
moment you turn on anything like AV scanning so don't expect wire-speed
whatever the marketing blurb says. FortiManager is a bit cack and
FortiAnalyzer hasn't been overly impressive, especially compared with
something like Protego (or whatever Cisco call it since acquisition).

VPN interoperability on the Fortigates is pretty iffy. I've had serious
trouble with Checkpoint and Sonicwall peers. But if you just want
something to filter traffic, they do the job and they're simple enough
Thanks Oggy, no VPN required. I guessed there *had* to be a LAN performance
hit. I shall remember to get some very cast iron guarantees along those
parameters.
It's marginally better if you have multiple (up to 4, iirc) devices in a
cluster, as it offloads CPU jobs to cluster members regardless of which
is actually forwarding the packets themselves. But that's the key point
- filtering is carried out in the ASIC, but file processing is all on
the CPU, hence the performance hit.


Very few users behind each UTM device but occasional gigabit file data
transfer (Radiotherapy images/prescriptions).

to configure.
We're still pretty dubious but then we're a pretty conservative
organisation. Something about eggs in baskets.
Yes I normally wouldn't but as I said in the thread there are several XP
processors with a ringfenced OS. I don't know of any other way to protect
them connected to a large complex varied network.

Eventually some sick puppy will write a virus just to target LINAC
prescriptions. Deep suntans all round.