New Fortinet Patents May Spell Nasty Trouble For UTM Vendors, Virtualization Vendors, App. Delivery Vendors, Routing/Switching Vendors…
Check out the update below…
Were I in the UTM business, I’d be engaging the reality distortion field and speed-dialing my patent attorneys at this point.
Fortinet has recently had some very interesting patent applications granted by the PTO.
Integrated network and application security, together with virtualization technologies, offer a powerful and synergistic approach for defending against an increasingly dangerous cyber-criminal environment. In combination with its extensive patent-pending applications and patents already granted, Fortinet’s newest patents address critical technologies that enable comprehensive network protection:
- U.S. Patent #7,333,430 – Systems and Methods for Passing Network Traffic Data – directed to efficiently processing network traffic data to facilitate policy enforcement, including content scanning, source/destination verification, virus scanning, content detection and intrusion detection;
- U.S. Patent #7,340,535 – System and Method for Controlling Routing in a Virtual Router System – directed to controlling the routing of network data, and providing efficient configuration of routing functionality and optimized use of available resources by applying functions to data packets in a virtual environment;
- U.S. Patent #7,376,125 – Service Processing Switch – directed to providing IP services and IP packet processing in a virtual router-based system using IP flow caches, virtual routing engines, virtual services engines and advanced security engines;
- U.S. Patent # 7,389,358 – Distributed Virtual System to Support Managed, Network-based Services – directed to a virtual routing system, which includes processing elements to manage and optimize IP traffic, useful for service provider switching functions at Internet point-of-presence (POP) locations.
These patents could have some potentially profound impact on vendors who offer "integrated security" by allowing for virtualized application of network security policy. These patents could easily be enforced outside of the typically-defined UTM offerings, also.
I’m quite certain Cisco and Juniper are taking note as should be anyone in the business of offering virtualized routing/switching combined with security — that’s certainly a broad swath, eh?
On a wider note, I’ve actually been quite impressed with the IP portfolio that Fortinet has been assembling over the last couple of years. If you’ve been paying attention, you will notice (for example) that that they have scooped up much of the remaining CoSine IP as well as recently acquired IPlocks’ database security portfolio.
If I were they, the next thing I’d look for (and would have a while ago) is to scoop up a Web Application Firewall/Proxy vendor…
I trust you can figure out why…why not hazard a guess in the comments?
/Hoff
Updated: It occured to me that this may be much more far-reaching than just UTM vendors, that basically this could affect folks like Crossbeam, Check Point, StillSecure, Cisco, Juniper, Secure Computing, f5…basically anyone who sells a product that mixes the application of security policy with virtualized routing/switching capabilities…
How about those ASA’s or FWSMs? How about those load balancers with VIPs?
Come to mention it, what of VMware? How about the fact that in combining virtual networking with VMsafe, you’ve basically got what amounts to coverage by the first two patents:
U.S. Patent #7,333,430 – Systems and Methods for Passing Network Traffic Data – directed to efficiently processing network traffic data to facilitate policy enforcement, including content scanning, source/destination verification, virus scanning, content detection and intrusion detection;
U.S. Patent #7,340,535 – System and Method for Controlling Routing in a Virtual Router System – directed to controlling the routing of network data, and providing efficient configuration of routing functionality and optimized use of available resources by applying functions to data packets in a virtual environment;
Whoopsie.
Now, I’m not a lawyer, I just play one on teh Interwebs.
All your PCI-DSS are belong to them?
I wonder what this means for the likes of Vyatta.
…or Crossbeam, Check Point, StillSecure, Cisco, Juniper, Secure Computing, f5…basically anyone who sells a product that mixes the application of security policy with virtualized routing/switching capabilities…
How about those ASA's or FWSMs? How about those load balancers with VIPs?
Come to mention it, how about VMware? How about the fact that in combining virtual networking with VMsafe, you've basically got what amounts to coverage by the first two patents:
U.S. Patent #7,333,430 – Systems and Methods for Passing Network Traffic Data – directed to efficiently processing network traffic data to facilitate policy enforcement, including content scanning, source/destination verification, virus scanning, content detection and intrusion detection;
U.S. Patent #7,340,535 – System and Method for Controlling Routing in a Virtual Router System – directed to controlling the routing of network data, and providing efficient configuration of routing functionality and optimized use of available resources by applying functions to data packets in a virtual environment;
Whoopsie.
Now, I'm not a lawyer, I just play one on teh Interwebs.
/Hoff
I'm not a lawyer either but isn't a lot of this subject to prior art ???
What a load of hogwash. This is like despair.inc patenting the "frownie" 🙁
This technology has been around longer than Fortinet generally. There might be some silicon that is specific and does funky stuff, but reading the patents, there are ambiguous, and contain no real details. There's more details in an RFC.
As Colin and Wremes observed, most of this sounds like it is covered by "prior art" and/or obvious technology. Maybe there's some magic we aren't seeing, but I imagine VMWare, Cisco and others have enough in their patent portfolio to cripple anyone who tried to exert such patents against them.
And isn't that one of the dirty secrets of IP, that there are so many contradictory patents that an all-out battle between large players could shut down the industry? Mutually Assured Destruction with IP attorneys instead of nukes.
But, yes- adding WAF to the portfolio would give them rights to the full suite of U/X/whateverTM components with which to rule the perimeter. Too bad that's dead…
BTW, that "prior art" might be defensible given the fact that I'd wager to guess that much of this came from the Cosine acquisition. Further, patents are often filed based on strategies that are defensive as well as those that are offensive. Sometimes it's a little bit of both.
Given today's overly litigious landscape, do you think Fortinet would do this without an end goal in sight?
Nah, I didn't think so.
Stay tuned.
Oh and Jack, WAF is FAR from being dead. Nothing ever dies in InfoSec, it just comes back as something, um, new. If you've never trusted me before (and why should you) WAF (it won't be called that once it's bundled with database activity monitoring) is going to be back in a big way.
…but what do I know? 😉
/Hoff
I think he meant the perimeter is dead. It also isn't :shrug:
To clarify: yes, I was referring to the much (erroneously) heralded death of the perimeter. I do not actually believe the perimeter is dead. If I knew much about WAF, I would declare it dead so that I could gain some Analyst cred, but that's not my style.
Also, on further reflection, we've missed two dogs in this hunt:
Microsoft- they have certainly acquired a fair bit of IP that could clash with these patents- specifically Softricity/Softgrid virtualization and management systems v. 7,389,358. MS's IP portfolio and legal team is not a challenge to ignore.
And for the idealists, the Borg (aka GPL). Unlikely as they are to ever win such a battle in the US, if GPL or GPL-like code is found in other software it could theoretically be assimilated per the GPL- invalidating the patents, freeing the code and sending lolcats scampering through the interwebs.
@Hoff
In response to: "Oh and Jack, WAF is FAR from being dead. Nothing ever dies in InfoSec, it just comes back as something, um, new. If you've never trusted me before (and why should you) WAF (it won't be called that once it's bundled with database activity monitoring) is going to be back in a big way."
At Imperva we already are bundling WAF with DAM. The product is called the Database Security Gateway and we call the category Application Data Security / ADS. Mogull calls it Application and Database Monitoring and Protection / ADMP.
I personally like our term better, but independent terms often get taken up more readily, so perhaps look for ADMP out there…
You can't evaluate the scope of the patents by looking at the "abstract". You have to read the whole thing, and then determine which part of the claimed invention as a whole is new and different. The new and different part is all that the patent covers.