Appliance to monitor internet traffic

[electron]

So do you realize this, lets say you go to a web site, xyz.com, but you don't worry because you have the ISP router with "virus protection" so your all set, right?? Ha Ha. If that web site is secure, like most are today, then from the browser to the web site are encrypted (that little lock symbol) and guess what, your router CAN'T SEE ANY OF THAT DATA. So you better hope that none of xyz.com advertisers, or xyz.com itself is not infected, because guess what, you are now infected.

On a Fortigate, you install a certificate from the router on all your computers, or important devices, at least, and the Fortigate decrypts the encryption, scans it, that reencrypts the data so your browser puts on the lock, and everything is encrypted end-to-end, but it is also fully scanned. Regular routers don't do that. Same with encrypted DNS traffic (TLS over port 853 is better encryption than DNS over HTTPS, by the way.). And the Fortigate intercepts the DNS traffic, even if it doesn't use the DNS server you gave it. (Many use 8.8.8.8 no matter what you TOLD it to use.) And a good bit of traffic NEVER goes to a DNS server at all. The IP address is hard coded in it. If the Fortigate can't decrypt it for whatever reason, its blocked.

You can check any web address here, and they have millions. Don't forget to check your not a robot.
https://www.fortiguard.com/webfilter

I think there's a major misunderstanding here. I totally agree using an ISP provided router is a bad idea (hence my link to NSA's recent announcement). My only concern with the Fortigate (or any vendor for that matter) approach is the lack of access to security patches without an active subscription. This isn't a risk to be ignored, especially with the numerous RCEs Fortinet has been struggling with. If you're willing to pay for the subscription, I highly recommend it, it was in my list after all.

 

[ano]

I think there's a major misunderstanding here. I totally agree using an ISP provided router is a bad idea (hence my link to NSA's recent announcement). My only concern with the Fortigate (or any vendor for that matter) approach is the lack of access to security patches without an active subscription. This isn't a risk to be ignored, especially with the numerous RCEs Fortinet has been struggling with. If you're willing to pay for the subscription, I highly recommend it, it was in my list after all.

I think the real situation is both better and worse than you say. In its basic form, a Fortigate firewall is like any other firewall. EVERYTHING from the outside is blocked, and the ONLY bad things that come into your house are from email, links, infected web sites, etc. So its highly unlikely you will have bad stuff inside your house, unless you or a program BRINGS IT IN.

I just subscribed to Apple Music, which I like, but my wife was surprised to learn that when my subscription ends, I loose access to all the music I previously downloaded, yup, that is how it works. At least with Fortinet, you DO keep your existing definitions, but they are not updated.

What you are paying for with a subscription is many files. One has virus definitions, another has mobile virus definitions, another has millions of IP addresses that are suspicious, in many ways, another has definitions of 10,000"s of applications. Some of these files are updated several times per day. So if you don't subscribe, and they slice it and dice it many ways so you subscribe to what you want, than you are not protected to new risks. Also, if you have a suspicious file, then its mailed to the company to be analyzed, and if dangerous, then everyone gets protected.

I used to run a business in my home, with a very high likelihood of break attempts from China and Russia governments. I had quite a few attempts, but no real breaking luckily. But of course, protecting a house with two people, is 1000X easier than protecting a giant business.

So is $350/a year worth it, you have to decide. I pay almost $250/year for alarm monitoring.

Here are some of the databases that are updated continuously...