Last week, Amazon Web Services (AWS) held its 11th annual re:Invent event. The show is important for AWS customers as they learn about the latest and greatest innovations from the market leader in cloud computing. Another important part of the event is that attendees can be kept up to date on the updates from the massive ecosystem of technology partners that AWS has.
One of the more interesting announcements came from security vendor Fortinet. The AWS Marketplace is filled with security vendors who bring best-of-breed capabilities to customers where Azure and GCP are more directly competitive. Google's multi-billion-dollar acquisition of Mandiant is evidence of this.
At re:Invent, Fortinet just announced a new firewall service that is designed specifically for AWS environments. The Fortinet FortiGate Cloud-Native Firewall (FortiGate CNF) safeguards AWS workloads against external and internal security threats. The service’s key value proposition is to provide enterprise-grade network protection that is superior to the basic network firewall built into AWS.
In almost every aspect of infrastructure, AWS offers a "basic" product, but partners provide more advanced capabilities. As an example, F5’s cloud application delivery controller has significantly more capabilities than the AWS global load balancer.
FortiGate is one of the most widely deployed network firewalls and uses artificial intelligence (AI) to provide deep visibility into applications, users, and devices (even encrypted ones). However, FortiGate is not a cloud-native platform and had to be rebuilt to run in AWS environments.
Fortinet is labeling FortiGate CNF as a "cloud-native firewall" because of its level of integration with AWS services. It aggregates security across cloud networks, availability zones, and virtual private clouds (VPCs). The firewall is completely managed by Fortinet, which means customers don't have to do any work themselves, according to Vinod Sundarraj, Fortinet’s senior director of products and solutions.
“We are running the security infrastructure for the customer. They don’t have to deploy any firewall software. They just bring the policies,” said Sundarraj. “With our solution, all customers have to do is to bring up one instance of the FortiGate CNF service, attach a policy to it, and all traffic can be inspected through the FortiGate CNF service. In comparison, with other competitors, you need multiple CNF instances.”
The FortiGate CNF Console is what customers would use to create, deploy, and manage security policies and the firewall service itself. The service runs on top of AWS Gateway Load Balancer (GWLB)—a process that’s transparent to users. Traffic from customer VPCs is sent through a GWLB endpoint to Fortinet’s VPC for inspection. Inside the VPC, Frontier runs its FortiGate virtual machines (VMs) and clusters. When a customer brings up a FortiGate CNF instance, it’s backed by a cluster, so they don’t have to set up the availability zones.
“This reduces the level of complexity that customers are burdened with in bringing up these different availability zones. We support many, many options for management,” said Sundarraj.
The predominant use case for FortiGate CNF is outbound traffic inspection to protect AWS workloads from accessing bad internet protocol (IP) addresses. However, enterprise customers who already use FortiGate physical appliances on-premises, or virtual appliances on AWS, can get centralized security enforcement through FortiManager, a management app that can be utilized to deploy policies both in the cloud and on-prem.
In addition to rebuilding FortiGate for the cloud, Fortinet designed a new user interface (UI), where multiple accounts can use the same security policies to reduce complexity. The UI minimizes the need for security expertise and improves the user experience, according to Sundarraj. It also makes it easier to define and implement robust security policies—including dynamic meta-data-based policies—on AWS.
FortiGate CNF comes bundled with security services developed by FortiGuard Labs. The services include URL filtering, DNS filtering, intrusion prevention, application control, and others commonly used by enterprises. Using AI/machine learning (ML) models, FortiGate CNF performs real-time threat intelligence and behavior-based detection of both known and unknown threats. The firewall also protects East-West traffic by inspecting data flow between AWS VPCs, thus, preventing the lateral spread of threats. FortiGate CNF is now available in AWS Marketplace.
Customers can consume the service in two ways, either on demand (pay-as-you-go monthly) or by signing an annual contract.