Vous êtes sur la page 1sur 8

Fortinet vs Trend Micro Network VirusWall

The Trend Micro Network VirusWall series appliances come in three models,
listed below and their targeted applications.

Network VirusWall 300 Secure Mission Critical Devices
Network VirusWall 1200 Secure Network Segments
Network VirusWall 2500 Secure Multiple Segments/Servers

Model 300 Model 1200 Model 2500


Each product offers Anti-virus protection at the network gateway and is
positioned as an Outbreak Prevention Appliance. Trend claims that these
appliances are targeted at stopping threats at the network layer, as opposed to
their gateway software security products running at the application layer, called
the InterScan series, which runs on a customer-provided server.

One of the benefits of scanning at the network layer is their capability to scan
TCP and UDP transmissions as well as Window File Sharing and Instant
Messaging protocols. However since they do not scan at the application layer
they cannot protect against Intrusion based attacks and server vulnerabilities.
Thats why you need an integrated IPS with your AV scanning system to provide
complete protection. They attempt to get around this by offering additional
services, such as vulnerability assessment, outbreak prevention services, and
damage clean-up services. Keep in mind that these are all extra charge items
and/or professional services. The funny part about this is that they call it an
Outbreak Prevention Appliance, but they seem to make a big push to sell
damage clean-up services, which means that they make more money selling an
insurance policy that if the virus gets through they will help clean it up.
The main function that Trend is pushing is not so much to do real-time scanning
of network traffic but to focus on checking each client system for adherence to
security policies such as current version of desktop AV software, current OS
patches, and behavioral anomalies, and then deny or segment those systems
away from the internal network similar to Ciscos NAC initiative.

Each model is limited in the number and type of interfaces. The high-end model
(2500) only has 5 standard copper Gig interfaces plus one or two optional
Gigabit fiber ports. The mid-range model (1200) only has two 10/100 ports. The
low-end model (300) only has a 4 port internal switch and one external 10/100
port. All units only have a single power supply. Pricing will be lower than an
equivalent powered FortiGate, however we must sell on our added value and
wider feature set. See comparison charts.

Their Trend Micro Control Manager 3.0 software is network management
software that runs on a customers server, which manages signature updates,
policy and configuration changes, and integrates into HP OpenView using
SNMP. They claim to manage up to 5000 units. Other than monitoring and
configuring other Trend products, most of the added features of TMCM are extra
charge services including Trend Micro Vulnerability Assessment, Trend Micro
Outbreak Prevention Services, and Trend Micro Damage Cleanup Services. So,
customers should be prepared to pay significant annual support costs to take
advantage of these offerings.

Network VirusWall deployment considerations
Trend Micro Network VirusWall Fortinet FortiGate
Limited hardware architecture: The
Network VirusWall platforms use general
purpose CPUs with no ASICs.
Fortinets ASIC based architecture
delivers industry leading application
security performance scaling to
Gigabit throughputs.
No application layer awareness:
checking only at the network layer
prevents detection of threats and attacks
that happen at the application layer
Fortinet FortiGate security
appliances offer a more
comprehensive application layer
antivirus network protection.
Certification limitation: The Network
VirusWall platforms lack important
industry certifications such as ICSA, EAL, or
NSS.

EAL4+: The current release of
FortiOS has been certified to meet
Common Criteria CC EAL4+
security standards.
ICSA: The FortiGate security
systems have earned ICSA
certifications for Firewall, IPSec, SSL
VPN, IPS and Antivirus.
NSS: FortiGate IPS has achieved
NSS Approved certification
No IPS features: The Network VirusWall
offers no built-in Intrusion Detection or
Prevention features and requires you to
buy a separate appliance for that
important need.
Fortinets comprehensive security
solution includes three modes of
Intrusion Prevention including
FortiGuard Network provided
signatures, protocol anomalies, and
customer written signatures.
Antivirus update limitation: The
antivirus updates are scheduled only, no
support for push updates. Leaving a
vulnerability window from as little as one
hour up to one day depending on
schedule selected.
Fortinet employs teams of antivirus
researchers and development
engineers around the world
devoted to discovering new threats
and updating the virus signature
and heuristics databases.
FortiGuard Distribution Network
servers positioned in high
availability data centers around the
globe can push antivirus updates to
all FortiGate devices in less than 5
minutes.
No Firewall support: The Network
VirusWall appliance has no stateful firewall
capabilities (except for model 300) so no
control over other protocols that may be
passing thru the gateway such as Telnet,
P2P, or VOIP traffic.
Fortinet offers a full ICSA certified
firewall to filter unwanted traffic
and block protocol based attacks.
No Antispam support: The Network
VirusWall does not provide anti-spam
capabilities
Stress Fortinets feature rich,
integrated antispam protection,
including the new FortiGuard
Antispam Shield service, blocks up
to 90% unwanted spam email.
No VPN support: Requires a separate
appliance to have secure remote office
connections.
The FortiGate security appliances
support IPSec and SSL VPNs for
secure remote office users.
No power redundancy: The Network
VirusWall appliance only has a single
power supply, which requires you to buy
a second box for power redundancy.
FortiGate high-end systems offer
redundant power supplies with
separate power cords.
No Dynamic Routing support: The
Network VirusWall does not support RIP or
OSPF, also no multicast protocol control.
FortiGate security gateways provide
full support for dynamic routing
protocols including RIP, OSPF and
BGP for routing around failed
networks.
Web Filtering limitation: The Network
VirusWall appliance web filtering options
are limited to only File extension blocking
and virus blocking. No URL filtering,
banned word filtering, or web category
filtering to keep up with the ever-
changing World Wide Web.
Fortinets CIPA certified FortiGuard
Web filtering service is a cost
effective and very accurate web
filtering solution for enterprises and
schools of all sizes. FortiGuards
simple per device licensing offers a
much lower total cost of
deployment of traditional per user
licensing solutions.
Limited Product Line: Trend offers only Fortinet offers a scalable and cost
3 models of the Network VirusWall. Trend
does not have a full range of security
appliances that provide integrated
application security for the large
enterprise or service provider segments.
effective product line of 14
FortiGate security appliances that
meet the performance and
application security requirements
of SOHO, small, medium and large
enterprise and service provider
customers.

Key Fortinet Advantages over a Trend Solution
Market leadership: IDC ranks Fortinet as a market leader in the Unified
Threat Management (UTM) security market offering tightly integrated,
multi-functional security appliances.
Functionality: Fortinets defense-in-depth approach to network security
integrates AV scanning, IPS protection, URL filtering and content
scanning, Antispam protection, Stateful firewall, Denial of Service
protection and IPSec and SSL VPN. All FortiGate models are designed
around purpose built ASIC based hardware and a security focused
operating system.
Industry leading AV Coverage: Signature and Heuristics engines
protect against 50K known and unknown attacks including 100%
coverage of the Wild List viruses, VB100 and ICSA certified.
CIPA Certified URL Filtering: FortiGuard offers the largest URL
database to provide the most accurate and comprehensive URL filtering
solution in the market.
Response time: FortiGuard Distribution Network (FDN) dynamically
pushes virus and signature updates as soon as new signatures are added
to the database. With virus database servers located strategically located
around the world, the FDN can push IPS and AV signatures to all
FortiGate devices in the field in less than 5 minutes.
IPS certification: FortiGate NSS test results:
100% IPS Blocking performance: Blocked 100% of attacks while
allowing 100% of legitimate traffic
100% Accurately decoded and blocked all IPS evasion techniques
that were fragmented and masked
100% False negative recognition: FortiGate accurately detected
hidden and masked malicious packets
FortiGate AV firewalls still pass traffic while under a heavy SYN
flood attack
Performance: FortiGate ASIC based hardware delivers up to gigabit
performance for firewall, AV, IPS and VPN.
Denial of Service protection FortiGates ASIC based hardware
provides superior DoS/DDoS protection.
Cost Effective Subscription Services model: Fortinet subscriptions
for AV updates and URL filtering are licensed per FortiGate device that is
much less costly than competing vendors per user licensing model.
Ease of use: Intuitive and easy to use UI to create firewall, AV and IPS
policies, site to site VPN tunnels, create custom signatures etc
HA FortiOS has an enterprise tested High Availability solution that scales
in performance and delivers transparent failover for mission critical
applications.
Scalability of product line: The FortiGate models delivers application
security appliances ideal for the SOHO and branch office to the large
enterprise and service provider customers.
Operation: Transparent or NAT/Route mode of operation for firewall
and AV/IPS operation modes to seamlessly incorporate FortiGate systems
into existing networks.
Central Management: FortiManager system that can scale to manage
up to 1000 FortiGate devices.

Product and features comparison
FGT-60 Network VirusWall 300 FGT-300A Network VirusWall
1200
List Price
($US)
$695 $325 $6,495 $5,995
Redundant
power
NO NO NO NO
High
Availability
YES NO YES NO
Interfaces 8x10/100 5x10/100 6x10/100
2x10/100/1000
2x10/100
Rack size 1U 1U 1U 1U
Concurrent
sessions
200K ? 400K 68K
Max
Throughput
70Mbps 30Mbps 400Mbps 180Mbps
Integrated
Antivirus
YES YES YES YES
Integrated IPS YES NO YES NO
Integrated
Antispam
YES NO YES NO
Integrated full
featured URL
filtering
YES NO YES NO
Integrated
IPSec VPN
YES NO YES NO
Spyware
detection
YES YES YES YES
VLAN support YES NO YES NO
Integrated
SSL VPN
YES* NO YES* NO
Virtual
Firewalls
YES (up to 10) NO YES (up to 10) NO
DoS/DDoS
protection
YES YES YES YES
*SSL VPN is currently available on a limited release and will be available in FortiOS 3.0

FGT-3000 Network VirusWall 2500
List Price (US dollars) $19,995 (including fiber) $7,995 (without fiber)
Redundant power option YES NO
High Availability YES YES
Interfaces 3x10/100 1x10/100/1000
2x Fiber
5x10/100/1000
2x Fiber (optional)
Rack size 2U 1U
Concurrent sessions 1,000,000 1,000,000
Max Throughput 2.25Gbps 1.2Gbps
Integrated Antivirus YES YES
Integrated IPS YES NO
Integrated full featured Antispam YES NO
Integrated full featured URL filtering YES NO
Integrated IPSec VPN YES NO
Spyware detection YES YES
VLAN support YES YES
Integrated SSL VPN YES* NO
Virtual Firewalls YES (up to 250) NO
DoS/DDoS protection YES YES
*SSL VPN is currently available on a limited release and will be available in FortiOS 3.0

Security Features Comparison
Feature Fortinet Trend
Integrated Antivirus scanning
for HTTP, FTP, SMTP, POP3,
and IMAP
YES, FortiOS protects against
virus outbreaks via HTTP, FTP,
SMTP, POP3 and IMAP
No application layer support,
Network layer scanning only
Detects viruses in zipped files YES, can scan for viruses
zipped up 12x
YES
Dynamic real-time updates of
antivirus signatures
YES, All FortiGate devices
support having signature
updates pushed
dynamically to provide real-
time protection against the
latest viruses
NO, scheduled updates only
Integrated anti-spam
protection features including
custom white and black lists,
RBL, keyword blocking,
Bayesian and Heuristics
analysis
YES, is addition Fortinet
maintains the FortiGuard
Antispam service which keeps
a very accurate and up to date
RBL, ORDBL database
NO anti-spam, requires
InterScan software product on
separate server
Integrated Intrusion Detection
and Prevention. Signature and
Protocol anomaly detection
YES, FortiOS currently has
1400+ IPS signatures in its
database
NO
Trojan/Backdoor application
protection
YES YES
Spyware/Adware filtering YES YES
AV and IPS filtering of data
transferred through a VPN
tunnel
YES NO
Dynamic updates of IPS
signatures
YES, real-time push updates
of IPS signatures are
supported on every FortiGate
model
NO
Dual ISP/WAN support YES, for link failover NO
Granular blocking of Java
applets, cookies and ActiveX
YES YES
Granular controls to block
user configurable file
extension types (.exe,
.vbr,.bat.dll, etc)
YES, all FortiGate models offer
many user configurable
security options
YES
Inspects netbios traffic for
viruses and attack signatures
YES YES
URL Filtering service offers
granular user controls to
configure white and black URL
lists, script filter, banned word
rules
YES NO
Support for VOIP protocols YES, H.323 and SIP NO
Supports tunneling VoIP
traffic through a VPN
YES NO
Multicast support FortiOS supports NAT of
multicast and also forwards
multicast packets in
transparent mode
NO
802.1Q support YES YES
Traffic Shaping YES NO
DHCP client/server YES NO, client only
NAT/PAT YES NO
PPPoE support YES NO
Transparent mode YES YES
Dynamic DNS for IPSec VPN
configuration
YES NO
SSL VPN available on all
platforms
YES, SSL is available on all
platforms on a limited release
NO
Centralized management
option. Manager is shipped as
a preconfigured appliance
YES, FortiManager can
manage up to 1000 FortiGate
AV firewalls. Yes FortiManager
is shipped as a preconfigured
appliance
NO, centralized management
is shipped as software only
product, customer must
provide the server hardware.
Comprehensive logging and
reporting
YES, internally and externally.
Support for Syslog,
Webtrends and Fortinets
reporting tools, FortiReporter
and FortiLog.
YES, internal logging and
Syslog support


Copyright 2005 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiASIC, FortiProtect, FortiGuard, and
FortiOS are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual
companies and products mentioned herein may be the trademarks of their respective owners.
COM1340705