Fortinet Gives FortiWeb Web App Firewalls, PCI A Jolt With New Firmware

The FortiWeb 4.0 MR2 firmware update adds more protection against remote file inclusion attacks; new file upload restrictions so that new control which file types can be uploaded to Web applications, including jpg, exe, zip and others; and data loss prevention updates that help users mask credit card numbers in server replies to prevent leakage of sensitive data, said Idan Soen, a Fortinet FortiWeb product specialist.

Other additions to FortiWeb with the firmware update include authentication via Radius servers, scheduled and automatic FTP backups and a new import/export tool for specific security policies and the ability to clone those policies.

Overall, Soen said, FortiWeb 4.0 MR2 offers expanded attack protection schemes that will help users and solution providers maintain compliance with PCI compliance regulations and prevent identity theft, financial fraud and corporate espionage associated with Web applications.

Soen said solution providers benefit by the ease of deploying and configuration FortiWeb Web application firewalls. The FortiWeb firmware update eliminates some of the intimidation introduced by application security.

"They understand network security, but they don't understand application security as much," he said.

The FortiWeb family comprises integrated Web application and XML firewall appliances for layered threat protection. It consolidates Web application firewall, XML filtering, Web traffic acceleration and application traffic balancing into one device. The FortiWeb family is aimed at enterprises, application service providers, Security-as-a-Service providers and Managed Service Provider customers looking to protect Web-based applications that contain confidential and sensitive data.

With FortiWeb 4.0 MR2 firmware, Sunnyvale, Calif.-based Fortinet's family of FortiWeb appliances leverages techniques to provide bi-directional protection against threats like SQL injection and cross-site scripting. Additionally, a new Web Vulnerability Scanner is provided as an added layer of visibility to detect existing vulnerabilities that target specific Web applications, which is critical to achieve and maintain compliance with PCI DSS 6.5 and PCI DSS 6.6, the latest specifications for Web applications to process, store and transmit payment card data.

"Web applications are an essential foundation for conducting business today which is why organizations now place a premium on protecting highly sensitive and regulated Web application data," Michael Xie, founder, CTO and vice president of engineering at Fortinet, said in a statement. "The consequences of compromised web application data can be devastating."

Fortinet said that FortiWeb 4.0 MR2 is available now.