Inside FortiOS: Certifications and Testing

Many organizations, including government agencies, large enterprises, and service providers, require or benefit from network equipment that has been independently certified to meet particular security requirements. To give these demanding customers that assurance, Fortinet participates in a wide range of certification and testing programs. We work with well-known independent test groups such as ICSA Labs and NSS Labs, as well as with government organizations, for evaluation and certification.

FIPS 140-2 and Common Criteria

FortiOS 5.4.2 is in evaluation for FIPS 140-2 validation and Common Criteria (CC) certification against the collaborative Protection Profile for Stateful Traffic Filter Firewalls (FWcPP), the collaborative Protection Profile for Network Devices (NDcPP) together with its Extended Package for VPN Gateways, the Stateful Traffic Filter Firewall Extended Package (EP), and the Extended Package for Intrusion Prevention Systems (IPS).

FortiOS 5.2.7 GA build 718 (b718) is FIPS 140-2 validated and Common Criteria EAL4 certified. The validated builds are available in the 5.2.7 GA directory on the Fortinet Support Site.

The FIPS 140-2 certificate numbers are:

  • 2765 - FortiOS 5.2
  • 2781 - FortiGate-100D/200D/300D/500D
  • 2782 - FortiGate-3700D/3815D
  • 2783 - FortiGate-1000D/1500D
  • 2784 - FortiGate-30D/60D/92D, FortiWiFi-60D and FortiGateRugged-60D
  • 2790 - FortiGate-5140B Chassis with FortiGate-5001D Blade

The Security Policies and certificate information are posted on the CMVP vendor list at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm.

The Security Target and certificate information for CC is posted at http://www.fmv.se/en/Our-activities/CSEC---The-Swedish-Certification-Body-for-ITSecurity/Certified-Products/Fortinet-FortiGate-Next-Generation-Firewalls-och-FortiOS-527-CC-Compliant-Firmware-/

About FIPS

Federal Information Processing Standards (FIPS) are US government standards. FIPS 140 is the standard for cryptographic modules; the -2 indicates the second revision of the standard. Validation against it is performed under the Cryptographic Module Validation Program (CMVP), which is run jointly by the US and Canadian governments. FIPS 140-2 is concerned with the cryptographic algorithms used in a product and with the protection of that cryptography, that is, of its keys and other critical security parameters (CSPs).

Operating FortiOS in a FIPS-approved mode of operation is often a requirement of government agencies and other customers that need assurance of data security.

Since FortiOS v2.5, FortiOS firmware releases and a wide range of FortiGate appliances have been successfully validated against the FIPS PUB 140-2 standard. The FIPS PUB 140-2 standard is maintained by the US National Institute of Standards and Technology (NIST). FIPS validation is designed to ensure that cryptographic modules used to implement data security on unclassified networks meet the security, functional and tamper-resistance requirements laid out in the standard. FIPS does not concern itself with the product's reasons for using cryptography.

When a FIPS-validated version of FortiOS runs in its FIPS-compliant mode of operation, non-approved (weak) cryptographic algorithms, insecure management services and similar features are disabled, so that traffic and administrative access are protected only by FIPS-approved algorithms. Note that the validation applies to the module in that mode: running a validated firmware build without enabling FIPS mode does not by itself yield a validated configuration.

Both the FortiOS firmware and the FortiASIC hardware cryptographic implementations are validated to ensure they are correctly implemented. Algorithm known-answer tests and a firmware integrity self-test run at start-up, and conditional self-tests execute when cryptographic encrypt and decrypt operations are performed, so that a fault in the cryptographic code or hardware is detected before it can compromise the integrity of data or of the FortiGate unit.
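To make the self-test behaviour described above concrete, the following is an added Python illustration, not FortiOS code and not Fortinet's self-test implementation (whose details the page does not give). It runs the two kinds of power-up test FIPS 140-2 requires: known-answer tests (KATs) of the approved algorithms against published vectors (SHA-256 of "abc", and HMAC-SHA-256 cases 1 and 2 from RFC 4231) and a keyed integrity check of the firmware image, and it refuses every cryptographic service while in the error state. The firmware image bytes, the integrity key and the stored tag are constructed for the example.

```python
"""FIPS 140-2 style power-up self-tests: known-answer tests plus a firmware
integrity check. Illustrative example, not FortiOS code."""
import hashlib
import hmac

# Published test vectors: SHA-256("abc") (FIPS 180-4 example) and
# HMAC-SHA-256 test cases 1 and 2 from RFC 4231.
KNOWN_ANSWERS = [
    ("SHA-256",
     lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("HMAC-SHA-256 (RFC 4231 #1)",
     lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest(),
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
    ("HMAC-SHA-256 (RFC 4231 #2)",
     lambda: hmac.new(b"Jefe", b"what do ya want for nothing?",
                      hashlib.sha256).hexdigest(),
     "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
]


class SelfTestError(Exception):
    """Raised when a cryptographic service is requested in the error state."""


def run_known_answer_tests(vectors=KNOWN_ANSWERS):
    """Return the names of the KATs that failed; an empty list means all passed."""
    return [name for name, compute, expected in vectors
            if not hmac.compare_digest(compute(), expected)]


def firmware_tag(image: bytes, integrity_key: bytes) -> str:
    """Keyed integrity tag the vendor stores with the image at build time."""
    return hmac.new(integrity_key, image, hashlib.sha256).hexdigest()


class CryptoModule:
    """Minimal module whose services are gated by the power-up self-tests."""

    def __init__(self, image: bytes, stored_tag: str, integrity_key: bytes):
        self.image = image
        self.stored_tag = stored_tag
        self.key = integrity_key
        self.state = "uninitialised"
        self.failures = []

    def power_up(self) -> str:
        """Run all power-up tests; any failure puts the module in error state."""
        self.failures = run_known_answer_tests()
        if not hmac.compare_digest(firmware_tag(self.image, self.key),
                                   self.stored_tag):
            self.failures.append("firmware integrity")
        self.state = "error" if self.failures else "operational"
        return self.state

    def hmac_service(self, key: bytes, data: bytes) -> str:
        """An approved service; unavailable unless self-tests passed."""
        if self.state != "operational":
            raise SelfTestError(f"module in {self.state} state: {self.failures}")
        return hmac.new(key, data, hashlib.sha256).hexdigest()


# Constructed sample data: a stand-in firmware image, a (non-secret, example)
# integrity key, and the tag that would be computed at build time.
INTEGRITY_KEY = b"example-integrity-key-for-illustration"
IMAGE = b"stand-in firmware image bytes (constructed for the example)"
TAG = firmware_tag(IMAGE, INTEGRITY_KEY)


def demo():
    """Power up a genuine image and a tampered one; return both states."""
    good = CryptoModule(IMAGE, TAG, INTEGRITY_KEY)
    tampered = CryptoModule(IMAGE[:-1] + b"X", TAG, INTEGRITY_KEY)
    return good.power_up(), tampered.power_up()


if __name__ == "__main__":
    print(demo())  # -> ('operational', 'error')
```

The point worth taking from the example is the gating: a module that fails any power-up test must refuse all cryptographic services rather than fall back to the untested path, and the integrity check uses a keyed MAC (or a digital signature) rather than a bare hash, so that an attacker who can rewrite the image cannot simply recompute the stored value.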

FIPS-validated cryptographic implementations are often prerequisites for US Government-sanctioned Common Criteria evaluations, in which specific security functional requirements of FortiOS are further scrutinized and tested.

For further information on FIPS and FIPS validated products, refer to the following website: http://csrc.nist.gov/groups/STM/cmvp/index.html.

About Common Criteria

Common Criteria (or CC) is an abbreviation for Common Criteria for Information Technology Security Evaluation. CC is an international certification program accepted by many countries as a common standard for commercial off-the-shelf information technology products.

Common Criteria focuses on functionality related to product security and management services. Common Criteria is an international standard (ISO/IEC 15408) that is recognized by over 20 countries worldwide.

Common Criteria certification typically requires FIPS certification as well if a product implements cryptography of any sort (e.g. use of SSL, IPsec, etc).

The key Common Criteria document is the Security Target, a publicly available description of the product, its intended use, the Protection Profiles it claims conformance to (such as the NDPP), the security functional requirements it meets, and so on.

For further information on Common Criteria and certified products, refer to the following website: http://www.commoncriteriaportal.org.

Other Common Criteria Certifications

Fortinet products have received NDPP-, EAL2+- and EAL4+-based Common Criteria certifications. More information on the latest Fortinet Common Criteria certifications is available on the Fortinet product certifications page (https://www.fortinet.com/corporate/about-us/product-certifications.html) and on the Common Criteria portal (http://www.commoncriteriaportal.org).

Other certifications and test results

Fortinet continues to participate in a wide range of certification and testing programs and trials. This section lists many of our more recent certification and test results. For a more complete and up-to-date list go to our certifications page (https://www.fortinet.com/corporate/about-us/product-certifications.html).

IPv6

The USGv6 test program, designated by NIST, provides proof of compliance with the IPv6 specifications laid out in current industry standards for common network products. It is meant as a strategic planning guide for US Government (USG) IT acquisitions, helping to ensure the completeness, correctness, interoperability and security of IPv6 products so as to protect USG investments in the technology.

NSS Labs Breach Detection Systems Test 2016 and SVM

FortiSandbox detected 100% of the most sophisticated malware, including malware that uses encryption to hide, and scored over 99% overall, while handling enterprise traffic at 10 Gbps. Fortinet was the only vendor to earn the NSS Labs "Recommended" rating for both cloud and appliance breach detection systems.

NSS Labs DCIPS 2016 SVM

NSS Labs' Data Center Intrusion Prevention System (DCIPS) report is the industry's most comprehensive test to date. Its Security Value Map shows that Fortinet's FortiGate 3000D earned the highest ratings for Security Effectiveness, blocking 99.9 percent of exploits, and for TCO (Total Cost of Ownership) per protected Mbps (megabit per second).

NSS Labs NGFW 2016 SVM

NSS Labs' Next Generation Firewall (NGFW) real-world testing shows that Fortinet delivers a winning combination of security, network performance, and total cost of ownership (TCO). Fortinet was nearly perfect, scoring 99.6% in overall security effectiveness. The FortiGate 3200D was rated by NSS at 19 Gbps, 37% above its data sheet specification, giving an excellent TCO, since NSS bases value on measured rather than claimed performance.

ICSA Certified for Advanced Threat Defense

With data breaches continuing to make headlines, new products and solutions designed to detect and prevent the advanced attacks often at the root of these breaches have emerged. To help organizations assess the effectiveness of these new offerings, ICSA Labs, an independent division of Verizon (author of the annual Data Breach Investigations Report or DBIR), recently introduced a new independent, Advanced Threat Defense certification.

For more information on Fortinet product testing with ICSA Labs, visit http://icsalabs.com/vendor/fortinet-inc.

Independent Validation of Fortinet Solutions- NSS Labs

Firmly committed to independent testing that demonstrates what organizations should expect when selecting Fortinet security products, Fortinet participates in a broad set of ongoing NSS Labs public group tests. In short, Fortinet has consistently earned their top "Recommended" rating for many products. Summary test results are collected in the accompanying NSS Labs brochure.

ICSA Labs Certified: Antivirus, Corporate Firewall, IPsec, NIPS, SSL-TLS, and Web Application Firewall

FortiGate and FortiWeb products are evaluated against ICSA Labs criteria in six popular certification programs: Antivirus, Corporate Firewall, IPsec, Network IPS, SSL-TLS and Web Application Firewall. ICSA Labs manages and sponsors security consortia that provide a forum for intelligence sharing among the leading vendors of security products. In addition, ICSA Labs publishes surveys, security industry studies and buyer's guides for computer security products.

NSS Labs 2015 Breach Detection Systems Test

NSS Labs conducted its second annual group test of breach detection systems, and for the second year in a row FortiSandbox earned the coveted "Recommended" rating by demonstrating superior detection of advanced threats as well as superior value. The accompanying Tech Brief presents key results from the testing, as well as an overview of FortiSandbox and the Fortinet products it integrates with.

NSS Labs 2015 Enterprise Endpoint Testing

NSS Labs tested 10 Enterprise Endpoint Protection (EPP) solutions against live (real-time) web-based exploits being used by threat actors in active campaigns identified by the NSS Cyber Advanced Warning System™. FortiClient earned the coveted NSS Labs "Recommended" rating, based on high effectiveness at an affordable cost, in this independent, real-world test.

Department of Defense UC APL

Unified Capabilities Approved Products List (UC APL) certification qualifies designated Fortinet products for sale to Department of Defense (DoD) agencies on the basis of stringent Security Technical Implementation Guide (STIG) testing; STIGs are a standardized methodology for the secure installation and maintenance of computer software and hardware. To achieve UC APL certification, all approved Fortinet products were tested following the STIG guidelines and checklists applied to the System Under Test.

Virus Bulletin Antispam Testing

For more than seven years, VBSpam has conducted continual independent comparisons of antispam solutions. Fortinet FortiMail has participated in roughly 40 VBSpam tests, including six in 2015, so that organizations can see the level of effectiveness they can expect in real-world environments. FortiMail has routinely earned the highest VBSpam+ rating, with results similar to the test excerpt shown here.

NSS Labs 2015 Next Generation IPS Test

In 2015, NSS Labs conducted a group test of next generation IPS solutions to assess their ability to identify both the applications and the users on internal networks, protect enterprise users against threats and exploits, and catch sophisticated attacks while producing as few false positives as possible. Demonstrating 99% effectiveness and superior value, Fortinet FortiGate earned the NSS Labs "Recommended" rating.

Top Industry Ratings, Certifications, and Collaboration Validate Fortinet Security

Fortinet security solutions are tested, validated, and certified by a broad range of industry organizations. FortiGuard Labs leads industry collaboration efforts to improve protection levels for every organization.

NSS Labs WAF 2014 SVM

In its first-ever web application firewall test, NSS Labs reported that the FortiWeb-1000D achieved an overall block rate of 99.85% at a TCO of $2.77 per protected connection per second, earning the "Recommended" status in the NSS Labs Web Application Firewall Security Value Map.

NSS Labs 2014 Breach Detection Systems Test

Fortinet’s FortiSandbox-3000D is one of the top rated Breach Detection Systems (BDS), delivering 99% breach detection and zero false positives, based on real-world comparative analysis conducted by third party NSS Labs.

CVE-Compatible Products and Services

Fortinet products are recognized as CVE-Compatible by MITRE. CVE (Common Vulnerabilities and Exposures) is a dictionary of publicly known information security vulnerabilities and exposures. CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating the coverage of tools and services.

Microsoft Certification

The Fortinet Single Sign-On agent has been certified as compliant with the Windows Server 2012 R2 (x64) and Windows Server 2008 R2 certification program requirements.

ISO 9001:2008

Fortinet Canada offices are registered against the ISO 9001:2008 Quality Management Systems standard. These offices represent key research and development centers for the company for activities such as hardware and software design and development, FortiGuard Security Services, technical documentation, and manufacturing operations.

Fortinet Earns "Recommended" Rating in NSS Labs' 2013 Firewall Comparative Analysis

Based on NSS Labs' test results, the FortiGate-800C scored 100% for Stability, 100% for Evasion, 100% for Leakage and 100% in the central management review, resulting in a TCO of $4 per protected megabit and 100% test scores for security and management effectiveness.

IPv6 Ready Phase 2 Logo Program

FortiGate products running FortiOS 3.0 MR7 and FortiOS 4.0 MR3 conform to IPv6 Ready Logo Phase 2 Core test specifications as a router product. IPv6 readiness provides confidence in environments running IPv6 networks or IPv4 networks being transitioned to the new protocol.

Wi-Fi Alliance

Fortinet offers a range of FortiAP wireless access point and FortiGate controller combinations that have achieved Wi-Fi CERTIFIED™ status from the Wi-Fi Alliance®. The Wi-Fi CERTIFIED logo assures operation in numerous configurations and interoperability with other Wi-Fi CERTIFIED equipment. FortiAP thin access points support various standards, including WPA® and WMM® for multimedia quality of service.