Fortinet specializes in network security and is best known for its firewall products. It offers firewalls both as network appliances and as cloud services; the cloud delivery model is known as Firewall-as-a-Service and takes Fortinet into the realm of edge services. The company also sells software-defined wide area network (SD-WAN) and Secure Access Service Edge (SASE) products.
Data loss prevention (DLP) means protecting sensitive data from theft or accidental disclosure. Fortinet offers three products that provide a partial DLP service: FortiGate, FortiProxy, and FortiSASE.
What is data loss?
Data loss prevention is closely tied to data privacy standards. Beyond the regulatory exposure, any data leak is embarrassing and inconvenient, although unlike a ransomware attack it does not stop the company from continuing its business.
Depending on the type of data stolen, the consequences of a leak can be severe, because both industry standards and government legislation define data privacy requirements. Where a standard is enforced by legislation, a company can be fined for disclosing data. Where it is an industry standard, a business that fails to meet it can find itself locked out of bids for work. In both cases, customers whose data is stolen can sue for compensation, and a leak can damage a company’s reputation and cost it customers.
The type of data that needs to be protected depends on where the company operates and the kind of business it is in. Some standards apply to geographic regions, such as countries or states; others are imposed by industries on specific information, such as health records or payment card data. Privacy standards protect data about identifiable individuals, so information that does not identify a person, such as purely corporate records, falls outside them.
Intellectual property and trade secrets, such as client lists or negotiated price agreements, are not covered by privacy law, but you would not want them revealed to competitors either, so that information also needs protecting.
Data disclosure can be accidental or the result of theft. Intentional theft can be carried out by outsiders who break into the system, or by insiders who want to damage the company or profit by selling the stolen data.
How does data loss prevention work?
Data has to be protected in two states: at rest and in motion.
Protecting data at rest
When protecting data from theft, the first task is to identify which data needs to be protected (this is the sensitive information) and where it is stored. The next step is to control access to that data: tightening access rights management and, where needed, enforcing file protection with encryption.
Protecting data in motion
Data transfers can go out over the internet, but the movement of data within a network is also a concern: once sensitive data leaves its controlled location it becomes easier to steal. Besides file transfer tools, data can leak in the body of emails or as attachments, be printed, be copied onto a USB drive and carried out of the office, or be sent out by fax.
How does Fortinet DLP operate?
The three Fortinet products that implement DLP are all firewall-type systems that inspect traffic in both directions. A conventional firewall inspects incoming traffic from the internet before it is allowed onto the network; what this article calls a reverse firewall (egress filtering) looks at data passing from the network out to the internet.
The egress path is the natural place to block the transfer of sensitive data out of the network. Of the three Fortinet systems that implement DLP, FortiGate and FortiProxy are network appliances, while FortiSASE is a cloud-based service.
To inspect the content of encrypted connections, the firewall has to be able to decrypt them. For inbound connections to servers the organisation owns, that can mean installing the server’s certificate and private key on the firewall; for outbound connections to third-party sites it means the firewall interposes itself in the TLS session, as described below. Without one of those mechanisms the firewall sees only headers and cannot scan outgoing packet content.
Secure services on the internet encrypt packet payloads but not the packet headers that carry them. The encryption layer is Transport Layer Security (TLS), the successor to SSL: the server authenticates with a certificate (commonly an RSA or ECDSA key) and the two ends negotiate symmetric session keys. TLS is designed to be end-to-end; the web browser handles the client side and the web server the other.
Because only the browser and the remote server hold the session keys, no device between them can read the payload. When a browser opens an HTTPS connection, TLS protects the packet contents, and a reverse firewall sitting on the path cannot scan those contents for sensitive data unless it is brought into the session.
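To make the "headers visible, payload not" point concrete, here is an added example (not code from the original article or from Fortinet) that builds a minimal TLS ClientHello record with a constructed host name, then parses it the way a firewall without the session keys would: the only thing it can recover is the Server Name Indication (SNI), and an application-data record yields nothing at all. The host name, cipher suites and random bytes are constructed test data.

```python
import os
import struct

SERVER_NAME_EXT = 0x0000
HANDSHAKE, APPLICATION_DATA = 0x16, 0x17
CLIENT_HELLO = 0x01

def build_client_hello(host: str) -> bytes:
    """Constructed TLS record wrapping a minimal ClientHello with an SNI extension."""
    name = host.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", SERVER_NAME_EXT, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                   # client_version (TLS 1.2 wire value)
        + os.urandom(32)                              # client random
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", 4) + b"\x13\x01\x13\x02"  # two cipher suites (constructed choice)
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(ext)) + ext           # extensions block
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake

def build_application_data(ciphertext: bytes) -> bytes:
    """Constructed record of the type that carries the encrypted HTTP request."""
    return bytes([APPLICATION_DATA, 0x03, 0x03]) + struct.pack("!H", len(ciphertext)) + ciphertext

def extract_sni(record: bytes):
    """Return the SNI host name from a ClientHello record, or None for anything else."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                             # skip version and random
        pos += 1 + body[pos]                                     # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
        pos += 1 + body[pos]                                     # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:                                    # walk the extensions
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data, pos = body[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
            if ext_type != SERVER_NAME_EXT:
                continue
            p, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
            while p + 3 <= list_end:
                name_type, name_len = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return data[p:p + name_len].decode("ascii")
                p += name_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                              # truncated or malformed record
    return None

def what_a_passive_firewall_sees(record: bytes) -> dict:
    """Everything recoverable without the session keys: record type, length and SNI."""
    kind = {HANDSHAKE: "handshake", APPLICATION_DATA: "application_data"}.get(record[0], "other")
    return {"type": kind, "payload_len": len(record) - 5, "sni": extract_sni(record)}

if __name__ == "__main__":
    print(what_a_passive_firewall_sees(build_client_hello("payroll.example.com")))
    print(what_a_passive_firewall_sees(build_application_data(os.urandom(64))))
```

The SNI is why a firewall can still enforce per-site policy on HTTPS without decrypting anything; it is also why it cannot tell whether a card number is inside the request. Everything after the handshake arrives as application-data records that are opaque until the firewall is brought into the session.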
Fortinet deep packet inspection for DLP
FortiGate protects clients inside a network, FortiProxy is described here in its deployment in front of Web servers, and FortiSASE creates a secure overlay network that unifies all the sites and cloud resources of a business.
Creating an HTTPS connection through FortiProxy is straightforward because the proxy performs SSL offloading: it takes over connection security from the Web server, negotiates TLS with the remote clients itself, and therefore holds the session keys.
All traffic leaving the Web server passes through the FortiProxy unit, which receives it in plain text and scans the full payload, a technique called deep packet inspection (DPI). The scan looks for data patterns that denote sensitive data, such as Social Security number and credit card number layouts.
If a packet contains no match for a sensitive data format, the proxy encrypts it and sends it out to the client; if it does match, the configured action (block or log) applies.
FortiGate protects a typical office network, where most internet traffic is initiated by clients (usually Web browsers) inside the network talking to remote Web servers that the firewall does not control and whose certificates and session keys it does not hold.
FortiGate therefore cannot simply read that traffic; its deep inspection mode inserts the firewall into each TLS session. The browser’s connection is terminated on the FortiGate, which presents a certificate for the requested site that it signs on the fly with its own CA, so every client must be configured to trust that CA or it will see certificate warnings. The firewall then opens a second TLS session to the real server. In between, it performs DPI on the plaintext, looking for sensitive data formats, and re-encrypts what it allows. Responses are handled the same way: decrypted, scanned, and re-encrypted toward the browser. The client never sends plain HTTP on the wire, but it no longer has an end-to-end session either; a user can tell because the certificate chain ends at the firewall’s CA rather than at a public one.
FortiSASE acts as a hub: all traffic in and out of every site passes through the FortiSASE service in the cloud. To perform DPI the service needs the payload in the clear, but those packets must cross the internet to reach it, so sending them in plain text is not an option.
FortiSASE therefore sets up a VPN tunnel with each site. All traffic leaving a site passes through the tunnel, which encrypts it; the FortiSASE service terminates the tunnel, decrypts the arriving packets, applies the same deep inspection to the HTTPS flows inside them, and performs DPI looking for sensitive data.
If the traffic is destined for another site, the service either forwards it down that site’s VPN tunnel or, if sensitive data is detected and the policy says so, blocks it. Traffic leaving the SASE network for the internet is re-encrypted with TLS toward its destination and sent on.
Problems with Fortinet DLP
DLP is not enabled automatically on any of the Fortinet products. On FortiGate it is a separate security profile that has to be attached to a firewall policy, and because DLP can only scan plaintext, the same policy also needs an SSL/SSH Inspection profile set to deep inspection; with certificate inspection only, the DLP profile never sees the content of HTTPS sessions.
Checking outgoing internet traffic for sensitive data protects only one exit point. It doesn’t control USB drives or check on printer or fax activity, and the service implements no file integrity monitoring and does not identify sensitive data at rest. This solution is therefore missing a large part of the techniques used to prevent accidental disclosure, insider threats, or account takeover.
It is also straightforward for an attacker to work out how to circumvent pattern-based DPI. The scanner looks for a data format, such as a typical credit card number sequence. To defeat it, the attacker splits the number in two, transforms each digit into a corresponding letter, and sends the two halves a couple of minutes apart; neither message contains anything that matches the signature, so both pass inspection.
So Fortinet DLP is an optional feature of an expensive system that complicates normal TLS protection, can be easily duped, and covers only part of what a DLP solution should.
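The following added example (written for this article, not Fortinet’s code or signature set) shows the pattern matching that both a DPI filter and a discovery scan over data at rest rely on, and then the evasion just described. The card and SSN patterns, the Luhn check, and the digit-to-letter substitution are assumptions for the demonstration; the card number is the constructed Luhn-valid test value 4111111111111111. A per-session buffer catches a number split across two messages while it is still digits, but not once it has been re-encoded, which is the structural limit of format-based inspection.

```python
import re
from collections import defaultdict

# Assumed signatures for two common formats (a real DLP sensor ships its own list).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")   # 13-16 digits, optional separators
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text: str) -> list:
    """Pattern-only inspection of one buffer, the way a DPI-based DLP filter works."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("credit_card", digits))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()))
    return hits

# --- The evasion described in the text: split the number, re-encode each half ---

def digits_to_letters(digits: str) -> str:
    """Map 0-9 to A-J, a trivial substitution both ends agree on (assumed scheme)."""
    return "".join(chr(ord("A") + int(d)) for d in digits)

def letters_to_digits(letters: str) -> str:
    return "".join(str(ord(c) - ord("A")) for c in letters)

def evade(card: str) -> list:
    """Two messages that individually contain nothing the scanner recognises."""
    half = len(card) // 2
    return [digits_to_letters(card[:half]), digits_to_letters(card[half:])]

class SessionScanner:
    """Per-session reassembly: sees a number split across messages, but only
    while the pieces are still digits in the expected format."""
    def __init__(self):
        self.buffers = defaultdict(str)

    def feed(self, session: str, chunk: str) -> list:
        self.buffers[session] += chunk
        return find_sensitive(self.buffers[session])

if __name__ == "__main__":
    card = "4111111111111111"                                 # constructed test number
    print(find_sensitive("POST /upload card=" + card))        # caught by the signature
    print([find_sensitive(part) for part in evade(card)])     # two empty lists
    print(letters_to_digits("".join(evade(card))) == card)    # receiver recovers it
    s = SessionScanner()
    print(s.feed("u1", card[:8]), s.feed("u1", card[8:]))     # [] then caught
```

The reassembly buffer is the kind of improvement a network filter can make; the substitution step is what it cannot undo without knowing the scheme, which is why the article treats format matching as a partial control rather than a complete one.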
Fortinet DLP strengths and weaknesses
We can find more weaknesses than strengths in the Fortinet system.
Strengths:
- Combines with the forward and reverse firewall services of the same device
- Offered in three deployment scenarios: FortiGate, FortiProxy, and FortiSASE
- Blocks sensitive data from being sent out over the internet
Weaknesses:
- Breaks end-to-end TLS: the firewall must act as a man in the middle with a CA certificate that every client trusts
- Sensitive data is handled in plain text inside the firewall and, for FortiProxy, between the proxy and the Web server
- Looks for a limited number of sensitive data formats
- Inspects each session in isolation, so data split across messages or re-encoded is missed
- Doesn’t protect sensitive data at rest
- Doesn’t control removable storage devices, printers, or faxes
- Doesn’t refine access rights management
Alternatives to Fortinet DLP
Other firewalls also implement DLP, and many dedicated packages cover every aspect of it.
What should you look for in a Fortinet DLP alternative?
We reviewed the market for data loss prevention systems and analyzed the options based on the following criteria:
- Sensitive data discovery and classification that can be tailored to specific standards requirements
- Access rights management auditing
- File integrity monitoring
- Controls over all data exfiltration points
- Activity tracking for users
- A free trial or a demo account for a no-cost assessment
- Value for money, with a reasonable price for a comprehensive DLP
With this set of criteria in mind, we have identified some good rivals to Fortinet for data loss prevention.
Here is our list of the five best alternatives to Fortinet DLP:
- Palo Alto Enterprise DLP This is a close match for Fortinet DLP because it operates from the firewall. The service can block outbound transfers of sensitive data but doesn’t control printers, fax machines, or USB removable storage. It does search for and classify sensitive data, and it is integrated into a network device.
- Endpoint Protector A full DLP that uses endpoint agents for Windows, macOS, and Linux to scan endpoints, identify sensitive data (PII, credit card data, PHI, and IP), and control peripheral devices. Offered as a SaaS platform, as a service on AWS, GCP, or Azure, or as a virtual appliance on site. A demo system is available.
- Zscaler DLP A SASE service that treats on-premises data stores as cloud storage, so even users on the same network have to pass through the Zscaler controls to reach them. This DLP doesn’t watch over peripherals, but it can log all activity on sensitive data and block it where necessary. You can request a demo to see how Zscaler works.
- Digital Guardian DLP A SaaS platform that uses endpoint agents for Windows, macOS, and Linux to implement data discovery and classification for PII and intellectual property. It controls USB devices, printers, faxes, file transfer systems, messaging services, and email. A demo account is available to assess the service.
- ManageEngine DataSecurity Plus An on-premises package combining a DLP and a vulnerability scanner with compliance auditing. It performs data discovery and classification, file integrity monitoring, access rights assessment, and data movement monitoring, including control of USB ports and monitoring of print jobs. DataSecurity Plus installs on Windows Server and is available for a 30-day free trial.