Fortinet's latest ASIC promises 2.5Gbps of SSL inspection at the edge

Fortinet this week unveiled a custom ASIC it says will power its next generation of firewalls, debuting later this year. Over the past two decades, Fortinet has staked its reputation on the ability of custom silicon to achieve higher performance in smaller, lower-power packages. And the company's new SP5 security processor is …

  1. Anonymous Coward

    So basically

    this is a hardware accelerated m-i-t-m device.

    Why / how else could a firewall be decrypting and encrypting SSL traffic at wire speeds?

    1. Richard 12

      Re: So basically

      Yes, and the instructions for installing it are so bad that a lot of places end up pushing out certificate chains that mark www.thissitewillstealyourcash.dodgy as being perfectly safe.

      The entire concept is flawed.

    2. LateAgain

      Re: So basically

      So much for end-to-end encryption

      When my home ISP does this I think I will change to another.

    3. T. F. M. Reader

      Re: So basically

      It does not "break" your end-to-end encryption. What everyone needs to realize is that SSL/TLS, HTTPS, etc., are not about "security". They are about "trust". Your comms are secure except when you trust who you are talking to.

      If you get a preinstalled laptop or phone from your employer it may be configured to trust the employer's (root) certificate. Thus, it is configured to trust The Big Corp, Inc. The Big Corp think that they have a case watching for leaks or whatever, and they pay Fortinet, Palo Alto, CheckPoint, etc. (every enterprise firewall allows deep packet / SSL inspection nowadays) for the tools.

      In that sense the setup is MITM, but the accelerator is just that, an accelerator, of things that can be done without it, but slower. It is not some magic tool that decrypts your RSA without being quantum at heart.

      So, basically, be appropriately paranoid. At least if you didn't install your work machine yourself (this is not out of the question for development machines rather than officially issued primary workstations), don't communicate with your bank, lawyer, doctor, or headhunter using it. Oh, well, if you trust The Big Corp, Inc. then, by all means, do.

      Your personal machine is not installed by your ISP (if it is feel free to wipe it out and install from scratch), so take care not to add any certs that you are not quite sure of. I have no idea if MSFT or AAPL have something inside Edge or Safari, but I doubt Fedora, Ubuntu, or Mint can really get away with such sneaky things or, indeed, have an interest in them.

      1. Anonymous Coward

        Re: So basically

        But how do we know they haven't got, or couldn't get, a wildcard cert from one of the bazillion CAs or their offsprings that come with our browser/OS these days? And if @GoodGuys can get one, so can @BadGuys.

      2. Anonymous Coward

        Re: So basically

        > don't communicate with your bank, lawyer, doctor, or headhunter using it. Oh, well, if you trust The Big Corp, Inc. then, by all means, do.

        Ideally people like your bank etc would implement DANE so that you could clearly see that "The Big Corp, Inc" were playing at Big Brother and watching everything you say and do.

    4. A. Nervosa

      Re: So basically

      A MITM device is precisely what it is.

      In the last decade or two there has been a huge shift towards HTTPS on websites that has made about 98% of web traffic unscannable by firewalls attempting to provide threat management, anti-virus etc., which is a serious concern for those responsible for network security. Once a trusted root CA is pushed out to clients, the firewall intercepts all HTTPS requests and, on demand, generates and presents a trusted certificate on behalf of the website. The traffic is decrypted by the firewall, inspected and then re-encrypted for the final leg across the internet to the real website.

      As another commenter has pointed out, though, if deployed incorrectly this can lead clients into showing a legitimate, trusted certificate for HTTPS websites that have an invalid certificate... unless they're sensible enough to also have the firewall check the target certificate and block the connection if it's invalid. Additionally, most firewalls capable of performing TLS deep inspection also have UTM services advanced enough to perform web filtering, e.g. FortiGuard, which will block access to malicious or suspicious websites whether or not you're using HTTPS.

      HTTPS isn't just used by websites, though, and care must be taken not to enable deep inspection on HTTPS across the board as there are applications/clients that will break if the certificates are tampered with (e.g. any application that has its own root CA certificate built into it and doesn't use the OS's certificate store).
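The interception flow described in the comment above, as an added example that is not part of the original thread and not Fortinet's code: a toy certificate minter that re-issues the real server's certificate under the firewall's interception CA, and refuses to mint when the upstream certificate does not validate (the "check the target certificate and block the connection" caveat). It assumes the Python `cryptography` package is installed and uses a single trusted root, a signature check, a validity-window check and an exact SAN hostname match in place of full path validation; every CA, hostname and certificate in it is constructed for the demo.

```python
"""Toy TLS-inspection certificate minter (added example, not Fortinet's code).
Models the flow in the comment above: a firewall holds an interception CA that
managed clients trust and mints a leaf certificate on demand for each HTTPS host,
copying the real server's subject and SANs. The caveat from the same comment is
enforced: the upstream cert is checked first and minting is refused if it fails,
so the client never sees a "trusted" cert for a bad site. Assumes (not from the
page) the `cryptography` package and one trusted root; signature, validity-window
and exact SAN hostname checks stand in for full path validation. Names are made up.
"""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _utcnow():  # naive UTC, matching cryptography's naive not_valid_* fields
    return dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)


def _san_names(cert):
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return ext.value.get_values_for_type(x509.DNSName)


def issue(cn, issuer=None, sans=(), days=90, ca=False):
    """Issue a cert; issuer=(key, cert) of the signer, None means self-signed CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    signer, issuer_name = (key, subj) if issuer is None else (issuer[0], issuer[1].subject)
    now = _utcnow()
    b = (x509.CertificateBuilder().subject_name(subj).issuer_name(issuer_name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(hours=1))
         .not_valid_after(now + dt.timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if sans:
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(h) for h in sans]),
                            critical=False)
    return key, b.sign(signer, hashes.SHA256())


def validate(cert, hostname, trusted_cas, now=None):
    """Return a list of problems; empty means `cert` is acceptable for `hostname`."""
    now, problems = now or _utcnow(), []
    issuer = next((ca for ca in trusted_cas if ca.subject == cert.issuer), None)
    if issuer is None:
        problems.append("issuer not in trust store")
    else:
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            problems.append("signature does not verify against claimed issuer")
    if not cert.not_valid_before <= now <= cert.not_valid_after:
        problems.append("outside validity window")
    if hostname.lower() not in [n.lower() for n in _san_names(cert)]:  # exact match; no wildcards
        problems.append("%s not in SAN %s" % (hostname, _san_names(cert)))
    return problems


def mint_for_client(fw_key, fw_ca, upstream, hostname, trusted_cas, now=None):
    """Interception step: re-issue `upstream` under the firewall CA, or refuse."""
    problems = validate(upstream, hostname, trusted_cas, now)
    if problems:  # block instead of handing the client a trusted forgery for a bad site
        raise PermissionError("refusing to mint for %s: %s" % (hostname, "; ".join(problems)))
    now = now or _utcnow()
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder().subject_name(upstream.subject).issuer_name(fw_ca.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(minutes=5))
            .not_valid_after(min(upstream.not_valid_after, now + dt.timedelta(days=7)))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(n) for n in _san_names(upstream)]),
                           critical=False)
            .sign(fw_key, hashes.SHA256()))
    return key, cert


def demo():
    """Three cases: a good site, an untrusted issuer, and a hostname mismatch."""
    now = _utcnow()
    pub = issue("Toy Public Root CA", days=3650, ca=True)     # what the firewall trusts upstream
    rogue = issue("Rogue CA", days=3650, ca=True)             # not in the firewall's trust store
    fw = issue("Big Corp Inspection CA", days=3650, ca=True)  # pushed to managed clients
    _, good = issue("www.example.com", pub, ["www.example.com", "example.com"])
    _, bad = issue("www.thissitewillstealyourcash.dodgy", rogue, ["www.thissitewillstealyourcash.dodgy"])
    out = {}
    _, presented = mint_for_client(fw[0], fw[1], good, "www.example.com", [pub[1]], now)
    out["good_issuer"] = presented.issuer.rfc4514_string()
    out["good_sans"] = _san_names(presented)
    out["client_accepts"] = validate(presented, "www.example.com", [fw[1]], now) == []
    for label, cert, host in (("bad_blocked", bad, "www.thissitewillstealyourcash.dodgy"),
                              ("wrong_host_blocked", good, "mail.example.com")):
        try:
            mint_for_client(fw[0], fw[1], cert, host, [pub[1]], now)
            out[label] = False
        except PermissionError:
            out[label] = True
    return out
```

The minted certificate keeps the real site's subject and SANs but is signed by the interception CA, which is exactly why a managed client (which trusts that CA) accepts it and an unmanaged one does not; capping its lifetime at the shorter of seven days and the upstream expiry keeps a stale or revoked upstream cert from living on in the firewall's cache. The two refusals show the corrected behaviour the comment asks for: a site whose chain does not lead to a trusted root, or whose certificate does not cover the requested hostname, is blocked rather than laundered into a "trusted" certificate.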

  2. Bearshark

    Fix my silicon

    Maybe they should fix the silicon on my 300E first. SSL HW acceleration kept spiking the CPU so I had to turn it off. Now "proxyd" and "wad" are crashing causing any new VPN connections to not connect.

    Don't pay for their rapid replacement service cause they've never rapidly sent me anything since this problem cropped up over a year ago.

  3. judge090

    FortiSP5 will power the next generation of entry and mid-range FortiGate firewalls released later this year. Now on its generation, Fortinet's proprietary system-on-a-chip technology has a proven track record of powering the industry's top-performing products and solutions.
