unified threat management (UTM)

A unified threat management (UTM) system is a type of network hardware appliance, virtual appliance or cloud service that protects businesses from security threats in a simplified way by combining and integrating multiple security services and features.

UTM devices are often packaged as network security appliances that can help protect networks against combined security threats, including malware and attacks that simultaneously target separate parts of the network.

UTM cloud services and virtual network appliances are becoming increasingly popular for network security, especially for smaller and medium-sized businesses. They both do away with the need for on-premises network security appliances, yet still provide centralized control and ease of use for building network security defense in depth.

While UTM systems and next-generation firewalls (NGFWs) are sometimes comparable, UTM devices include added security features that NGFWs don't offer.

Originally developed to fill the network security gaps left by traditional firewalls, NGFWs usually include application intelligence and intrusion prevention systems, as well as denial-of-service protection. Unified threat management devices offer multiple layers of network security, including next-generation firewalls, intrusion detection/prevention systems, antivirus, virtual private networks (VPN), spam filtering and URL filtering for web content.

Capabilities of UTM

UTM systems often include several network security technologies, including:

  • Antispam services block or tag incoming email-based attacks by scanning inbound and outbound Simple Mail Transfer Protocol (SMTP) email traffic. Antispam filtering enables businesses to use third-party server-based spam block lists or to create their own local whitelists and blacklists to filter email messages.
  • Antivirus scanning for web and email means that UTM devices scan email and web application traffic for malware. Some UTM systems scan for other network security threats carried in application traffic, such as instant messaging services that hackers use to spread malware.
  • UTM devices and services may also offer application control to whitelist applications and flag which applications may and may not be used, and when. Application control is important for network security because many apps are either malicious or contain vulnerabilities that attackers can use to compromise network security.
  • The firewall is the oldest and most basic network security function. Firewalls restrict the establishment of network connections between hosts inside and outside the organization with the intention of reducing or eliminating exposure to external hosts, networks or protocols that are known to be vectors for network threats.
  • Intrusion detection and intrusion prevention technologies identify attacks in progress, such as an attacker attempting to gain access to the network, and block them before they succeed. The most effective UTM devices and services address this type of threat through a combination of methods, including signature-based, anomaly-based and reputation-based detection, to stop both known and unknown attacks.
  • Virtual private network functions are often included with UTM devices and services. While most UTM network security functions are meant to detect and stop attacks, VPNs are designed specifically to protect an organization's network activity from unauthorized manipulation or eavesdropping. A VPN provides a protected tunnel through which network activity can pass. A VPN can be configured to tunnel all the traffic from mobile hosts to a UTM device, enabling all UTM network security checks to be applied to mobile traffic and reducing the number of security incidents involving these devices.
  • Web filtering for content and URL filtering capabilities cover a range of techniques that determine if a web request involving a website or URL should be permitted or not. Some UTMs use analytic techniques that are able to scan websites for security violations that indicate a website may pose a security threat.
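As an added illustration of the antispam bullet above (this is example code written for this page, not the product code of any UTM vendor), the following shows how a gateway stage combines a local allowlist, a local blocklist and a third-party server-based block list, and how "block" differs from "tag". The list contents, domains and sample messages are all constructed for the example; the third-party list is a plain set standing in for a DNS-based block list or vendor feed, and the `X-Spam-*` header names are an assumption.

```python
"""Added example: allowlist/blocklist precedence and block-versus-tag
handling in a UTM-style antispam stage. All lists, domains and messages
below are constructed for illustration."""
import email
from email import policy
from email.utils import parseaddr

# Constructed lists (assumptions for the example).
LOCAL_ALLOWLIST = {"partner.example"}            # always deliver
LOCAL_BLOCKLIST = {"spammer.example"}            # always treat as spam
THIRD_PARTY_BLOCKLIST = {"bulkmail.example"}     # stand-in for a DNSBL / vendor feed


def sender_domain(msg):
    """Domain of the From: address. A real gateway keys on the SMTP envelope
    sender and the connecting IP address; the header is used here only
    because this example has no SMTP session."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def lookup_verdict(domain):
    """Precedence: local allowlist wins, then local blocklist, then the
    third-party list. Checking the local allowlist first is what lets an
    administrator override a false positive in a vendor feed."""
    if domain in LOCAL_ALLOWLIST:
        return "allow", "local allowlist"
    if domain in LOCAL_BLOCKLIST:
        return "spam", "local blocklist"
    if domain in THIRD_PARTY_BLOCKLIST:
        return "spam", "third-party block list"
    return "allow", "no match"


def filter_message(raw_message, mode="tag"):
    """mode='block' rejects spam outright; mode='tag' delivers it with
    X-Spam-* headers (assumed names) so the mail server or client can
    quarantine it. Returns (action, message_bytes_or_None)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdict, reason = lookup_verdict(sender_domain(msg))
    if verdict == "allow":
        return "deliver", msg.as_bytes()
    if mode == "block":
        return "reject", None
    msg["X-Spam-Flag"] = "YES"
    msg["X-Spam-Reason"] = reason
    return "tag", msg.as_bytes()


# Constructed sample messages.
SPAM_MSG = (b"From: Deals <promo@bulkmail.example>\r\n"
            b"To: alice@corp.example\r\n"
            b"Subject: Win now\r\n\r\nClick here\r\n")
PARTNER_MSG = (b"From: Bob <bob@partner.example>\r\n"
               b"To: alice@corp.example\r\n"
               b"Subject: Invoice\r\n\r\nAttached.\r\n")

if __name__ == "__main__":
    for name, raw in (("spam", SPAM_MSG), ("partner", PARTNER_MSG)):
        for mode in ("tag", "block"):
            action, _ = filter_message(raw, mode=mode)
            print(f"{name:8s} mode={mode:5s} -> {action}")
```

The design point worth noticing is the ordering in `lookup_verdict`: because the local allowlist is consulted before any block list, a trusted partner domain that lands on a vendor feed keeps getting delivered, while a local blocklist entry cannot be undone by the feed.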

Because a UTM platform is defined by the breadth of services it unifies, the menu of security services it provides may expand over time as new security functions are added or existing ones are modified. One of the benefits of using a UTM for many businesses is that it offers a single, simple platform for many or even most information security functions.

How UTM works

UTM systems provide increased protection, visibility and control over network security while reducing complexity. They typically do this via inspection methods that address different types of threats.

These methods include:

  • Flow-based inspection, also known as stream-based inspection, samples data that enters a UTM device, and then uses pattern matching to determine whether there is malicious content in the data flow.
  • Proxy-based inspection acts as a proxy to reconstruct the content entering a UTM device, and then executes a full inspection of the reconstructed content to search for potential security threats. If the content is clean, the device sends it on to the user. If a virus or other security threat is detected, the device removes the questionable content and then sends the remaining file or webpage to the user.
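To make the difference between the two inspection methods concrete, here is an added toy example (written for this page, not taken from any UTM product). Both inspectors look for the same constructed byte pattern, `SIGNATURE`, in a constructed download delivered in chunks; the pattern, the download and the chunk sizes are all assumptions. It also goes slightly beyond the text by showing the carry-over trick that stream inspectors commonly use to catch a pattern that straddles a chunk boundary, and what that trick still cannot do.

```python
"""Added example: flow-based (stream) inspection versus proxy-based
inspection. The signature and the download are constructed for this
illustration; neither is real malware."""

# Constructed signature: the byte pattern the inspector must find.
SIGNATURE = b"EVIL-PAYLOAD"

# Constructed download; the signature sits 19 bytes in, so a chunk size of
# 25 splits it across two chunks ("...EVIL-P" | "AYLOAD...").
CONSTRUCTED_DOWNLOAD = b"-- header --\nhello EVIL-PAYLOAD world\n-- trailer --\n"


def split_into_chunks(data, size):
    """Simulate data arriving at the device in fixed-size pieces."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def flow_based_inspect(chunks, signature=SIGNATURE):
    """Naive stream inspection: match each chunk as it arrives and forward
    it immediately. Returns (verdict, bytes_already_forwarded). A pattern
    split across two chunks is never seen, because no chunk is held back."""
    forwarded = bytearray()
    for chunk in chunks:
        if signature in chunk:
            return "blocked", bytes(forwarded)
        forwarded += chunk          # already on its way to the client
    return "clean", bytes(forwarded)


def flow_based_inspect_with_carryover(chunks, signature=SIGNATURE):
    """Stream inspection with a carry-over window: the last len(signature)-1
    bytes of the previous chunk are scanned together with the next chunk,
    so boundary-straddling patterns are caught. Earlier chunks have still
    been forwarded; a stream inspector cannot recall bytes already sent."""
    keep = len(signature) - 1
    tail = b""
    forwarded = bytearray()
    for chunk in chunks:
        window = tail + chunk
        if signature in window:
            return "blocked", bytes(forwarded)
        forwarded += chunk
        tail = window[-keep:]
    return "clean", bytes(forwarded)


def proxy_based_inspect(chunks, signature=SIGNATURE):
    """Proxy inspection: reconstruct the whole object first, inspect it,
    and only then deliver. Nothing reaches the client before the verdict;
    if the signature is present it is stripped before delivery, as the
    article describes."""
    content = b"".join(chunks)
    if signature in content:
        return "cleaned", content.replace(signature, b"")
    return "clean", content


if __name__ == "__main__":
    chunks = split_into_chunks(CONSTRUCTED_DOWNLOAD, 25)
    for name, fn in (("flow", flow_based_inspect),
                     ("flow+carryover", flow_based_inspect_with_carryover),
                     ("proxy", proxy_based_inspect)):
        verdict, out = fn(chunks)
        print(f"{name:15s} verdict={verdict:8s} bytes delivered={len(out)}")
```

Run with a chunk size of 25, the naive stream inspector reports the download clean and forwards all of it; the carry-over variant catches the pattern on the second chunk but has already forwarded the first 25 bytes; the proxy variant delivers only after the pattern has been removed. That trade-off, latency and memory for the proxy versus completeness for the stream, is the practical reason UTM products offer both modes.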

UTM devices provide a single platform for multiple network security functions and offer the benefit of a single interface for those security functions, as well as a single point of interface to monitor or analyze security logs for those different functions.

How UTM is deployed

Businesses can implement UTM as a UTM appliance that connects to a company's network, as a software program running on an existing network server, or as a service that works in a cloud environment.

UTMs are particularly useful in organizations with many branches or retail outlets that have traditionally used dedicated WAN links but are increasingly connecting to the headquarters or data center over public internet connections. Using a UTM in these cases gives the business more insight into, and better control over, the security of those branch or retail sites.

Businesses can deploy UTM on a single platform or on a combination of platforms, whichever suits them best. The options include installing UTM software on the company's servers in a data center; using software-based UTM products on cloud-based servers; using traditional UTM hardware appliances that come with preintegrated hardware and software; or using virtual appliances, which are integrated software suites that can be deployed in virtual environments.

This was last updated in March 2018
