A unified threat management (UTM) appliance uses several detection and prevention capabilities to stop malicious activity. However, the exact combination of these capabilities varies somewhat among different products. The network security capabilities that UTM appliances most often support include the following.
- Antispam
- Antivirus for Web and email
- Application control
- Firewall
- Intrusion prevention
- Virtual private network (VPN)
- Web content filtering
Some UTM products provide additional network security capabilities besides these core features, such as load balancing, data loss prevention (DLP) and bandwidth management.
Let's examine each of the core network security capabilities of UTM systems more closely. As already mentioned, the extent to which a UTM product supports each security capability may differ significantly among products. For example, one product may support only the most basic Web content filtering, such as checking URLs for malicious content, while another does much more rigorous Web content filtering, such as using reputation services and advanced analytics to determine the likely nature -- benign or malicious -- of each website.
- Antispam: Just about everyone is already familiar with antispam technologies. What you may not realize is how effective antispam software can be at stopping incoming email-based attacks. Many spam messages are malicious in nature; for instance, they might try to trick users into revealing sensitive personal information (e.g., passwords, PINs, Social Security numbers) through social engineering techniques. As social engineering becomes one of the most common methods for achieving system compromises and identity theft, it is critical that as many malicious emails as possible be blocked from reaching users, or marked as spam and stored in a separate spam folder for subsequent evaluation by users. Antispam is also effective at stopping internally generated spam messages (from compromised desktops and laptops, in particular) from being sent outside the organization.
- Antivirus for Web and email: Antivirus technologies are among the oldest network security technologies. UTM tools typically offer malware-scanning capabilities for email and Web application traffic, and in some cases, for other network-application traffic frequently used to spread malware (e.g., instant messaging services). Antivirus software is not as effective as it used to be because malware has become more targeted and customized, while antivirus software is primarily signature-based and better at detecting previously known instances of malware. Still, antivirus software is a necessity because of the number of attacks that it can stop.
- Application control: As the name implies, application control is the process of managing which applications users can run. It may involve application whitelisting functionality and determining which applications may and may not be used, and it may also include limitations on application use. An example of such a limitation is setting which hours of the day, or days of the week, a particular application may be used. Another instance is limiting the bandwidth that an application can use. Robust application control capabilities can detect and enforce application policies regardless of the evasion techniques an application uses (e.g., running on non-standard ports, using alternate protocols and so on). Application control is increasingly important for network security because many applications are either malicious in nature or contain exploitable vulnerabilities that can lead to compromises. Application control also helps an organization limit the installation and use of applications, thus reducing overall attack surface.
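The following is an added example, not code from the article or from any UTM product: a toy application-control policy engine. It classifies a flow from the first bytes of its payload rather than from the destination port, so an application moved to a non-standard port is still recognized, and then applies a time-of-day window and a bandwidth cap. The payload signatures, the `Flow` and `Rule` types, the `POLICY` table and the sample flows are all constructed for illustration.

```python
# Added example (not from the article): a toy application-control policy engine.
# Applications are identified by payload signature, never by port, and the policy
# supports allowed-hours windows and a bandwidth threshold per application.
from dataclasses import dataclass
from typing import Optional
import re

# Constructed payload signatures. Ports are deliberately ignored so that an
# application moved to another port is still classified correctly.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),        # TLS record header: handshake, 3.x
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
]

@dataclass
class Flow:
    src: str
    dst_port: int          # present for realism; the classifier does not use it
    payload: bytes
    bytes_per_sec: float   # observed rate, used for the bandwidth rule

@dataclass
class Rule:
    app: str
    action: str                           # "allow" or "block"
    hours: tuple = (0, 24)                # [start_hour, end_hour) in which the rule is in force
    max_bytes_per_sec: Optional[float] = None   # throttle above this rate, if set

def identify_app(payload: bytes) -> str:
    """Return the application name for the first matching signature, else 'unknown'."""
    for name, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    return "unknown"

def evaluate(flow: Flow, rules: list, now_hour: int) -> tuple:
    """Return (application, verdict) where verdict is allow, block or throttle."""
    app = identify_app(flow.payload)
    for rule in rules:
        if rule.app != app:
            continue
        start, end = rule.hours
        if not (start <= now_hour < end):
            continue                      # rule not in force at this hour
        if rule.action == "block":
            return app, "block"
        if rule.max_bytes_per_sec is not None and flow.bytes_per_sec > rule.max_bytes_per_sec:
            return app, "throttle"
        return app, "allow"
    # Default deny: anything unknown or not explicitly permitted is blocked,
    # which is how a whitelisting posture treats unlisted applications.
    return app, "block"

# Constructed policy: SSH only during business hours, HTTP always but rate-capped,
# TLS always, BitTorrent never.
POLICY = [
    Rule("ssh", "allow", hours=(8, 18)),
    Rule("http", "allow", max_bytes_per_sec=1_000_000),
    Rule("tls", "allow"),
    Rule("bittorrent", "block"),
]

if __name__ == "__main__":
    # SSH placed on port 443 to look like HTTPS is still classified as ssh.
    evasive = Flow("10.0.0.5", 443, b"SSH-2.0-OpenSSH_9.3\r\n", 2_000)
    print(evaluate(evasive, POLICY, now_hour=20))   # ('ssh', 'block'): outside 08-18
    print(evaluate(evasive, POLICY, now_hour=10))   # ('ssh', 'allow')
```

A real product keys signatures on far more than the first bytes (and reassembles streams first), but the structure is the same: classify, then apply the schedule and bandwidth rules to the classified application, with unlisted applications denied.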
- Firewall: The firewall is the most fundamental network security control; it restricts the establishment of network connections between hosts. Like antivirus software, firewalls are not nearly as effective as they used to be because the nature of attacks has changed. At one time, a sizable percentage of all attacks involved establishing unauthorized network connections. While the likelihood of this happening has dropped considerably, it is still a concern, particularly for hosts containing sensitive information, such as database servers. Even organizations without much of a security perimeter still generally need firewalling to protect their most valuable cyber assets.
- Intrusion prevention: Intrusion prevention technologies (also known as intrusion detection technologies or intrusion detection and prevention technologies) are used to identify and prevent forms of attack that other UTM network security capabilities do not stop. The exact techniques intrusion prevention technologies use vary greatly among products, but generally, the most effective products use a combination of methods, such as signature-, anomaly- and reputation-based detection. This allows intrusion prevention software to stop both previously known and unknown attacks, with the latter filling an important gap in UTM detection capabilities.
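To show how the three detection methods named above complement each other, here is an added example (not code from the article or from any product): a toy inline inspection pipeline that runs a signature match, a sliding-window rate anomaly check and a reputation lookup over a constructed stream of connection events. The signature patterns, the `BAD_REPUTATION` set (using a documentation address) and the `EVENTS` list are all constructed; a real feed and a real signature set would replace them.

```python
# Added example (not from the article): a toy IPS that layers signature-, anomaly-
# and reputation-based detection and reports every reason a packet was dropped.
from collections import defaultdict, deque
import re

# 1. Signature-based: constructed patterns for known-bad request content.
SIGNATURES = {
    "directory-traversal": re.compile(rb"\.\./\.\./"),
    "sql-tautology": re.compile(rb"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
}

# 3. Reputation-based: a constructed denylist standing in for a reputation feed
#    (203.0.113.0/24 is a documentation range, so this is not a real host).
BAD_REPUTATION = {"203.0.113.9"}

class RateAnomalyDetector:
    """2. Anomaly-based: flag a source that produces more than `threshold`
    events within a sliding window of `window_seconds`."""
    def __init__(self, window_seconds: float, threshold: int):
        self.window = window_seconds
        self.threshold = threshold
        self.history = defaultdict(deque)      # src -> recent timestamps

    def observe(self, src: str, ts: float) -> bool:
        q = self.history[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # expire timestamps outside the window
            q.popleft()
        return len(q) > self.threshold

class Ips:
    def __init__(self):
        self.anomaly = RateAnomalyDetector(window_seconds=10.0, threshold=5)

    def inspect(self, src: str, ts: float, payload: bytes) -> tuple:
        """Return (verdict, reasons). Every method runs so the reasons list shows
        which layers fired; an unknown attack can still be caught by rate or reputation."""
        reasons = []
        if src in BAD_REPUTATION:
            reasons.append("reputation")
        for name, pat in SIGNATURES.items():
            if pat.search(payload):
                reasons.append(f"signature:{name}")
        if self.anomaly.observe(src, ts):
            reasons.append("anomaly:rate")
        return ("drop" if reasons else "pass"), reasons

def run(events: list) -> list:
    """Inspect (timestamp, source, payload) events in order; return (src, verdict, reasons)."""
    ips = Ips()
    return [(src, *ips.inspect(src, ts, payload)) for ts, src, payload in events]

# Constructed events: one clean request, one matching a signature, one from a
# bad-reputation source, then a burst of eight requests from one host in 4 seconds.
EVENTS = [
    (0.0, "198.51.100.4", b"GET /index.html HTTP/1.1"),
    (1.0, "198.51.100.4", b"GET /../../config.ini HTTP/1.1"),
    (2.0, "203.0.113.9",  b"GET /index.html HTTP/1.1"),
] + [(3.0 + i * 0.5, "192.0.2.7", b"GET /login HTTP/1.1") for i in range(8)]

if __name__ == "__main__":
    for src, verdict, reasons in run(EVENTS):
        print(f"{src:14} {verdict:5} {reasons}")
```

The burst illustrates the gap-filling role the text describes: none of the eight login requests matches a signature or a denylist, yet from the sixth one on the rate detector drops them. Tuning the window and threshold against normal traffic for the protected service is what keeps that layer from becoming a source of false positives.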
- VPN: Unlike most UTM network security capabilities, which are geared toward attack detection and stoppage, the virtual private network is a technology specifically designed to protect an organization's network activity from eavesdropping or unauthorized manipulation. A VPN provides a protected tunnel through which other network activity can pass. VPNs have been increasingly utilized for network protection of an organization's mobile hosts, such as laptops, smartphones and tablets. These devices often use unsecured or weakly secured external networks, so VPNs provide protection for the use of these networks. VPNs can also be configured to tunnel all the traffic from mobile hosts to the UTM appliance, which allows all UTM network security checks to be applied to the mobile traffic, thus reducing security incidents involving these devices.
- Web content filtering: Web content filtering was originally a simple technology that prevented access to websites known to be unauthorized for workplace use. Since then, Web content filtering capabilities have greatly expanded and diversified to cover a range of techniques for determining if a web request should be permitted or not. An example is using reputation services to rate the likely benign or malicious nature of each website. There are also analytic techniques that can scan websites for security violations that indicate that a site may have serious security problems, such as a compromise or malicious content. The extent to which your organization needs to use Web content filtering services may depend upon your organization's particular Web security policies, especially when it comes to flagging sites that are simply "inappropriate" and not necessarily malicious in nature.
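The paragraph above distinguishes two separate questions a Web content filter answers, whether a site is likely malicious and whether its category is permitted under workplace policy. The following added example (not code from the article or from any product) keeps those verdicts apart: reputation is consulted first, category policy second, and unrated sites get a separate "warn" action. The `SITE_DATA` table, the score scale, the threshold and the blocked categories are constructed stand-ins for a vendor's categorization and reputation feed.

```python
# Added example (not from the article): a toy Web content filter that separates
# the reputation verdict (likely malicious?) from the policy verdict (category allowed?).
from urllib.parse import urlsplit

# Constructed category and reputation data standing in for a vendor feed.
# Reputation is a 0-100 score; lower is worse.
SITE_DATA = {
    "example.com":       {"category": "business",      "reputation": 95},
    "games.example.net": {"category": "gaming",        "reputation": 80},
    "evil.example.org":  {"category": "uncategorized", "reputation": 5},
}
DEFAULT = {"category": "uncategorized", "reputation": 50}

# Workplace policy (constructed): categories blocked for reasons other than security.
BLOCKED_CATEGORIES = {"gaming", "gambling"}
MALICIOUS_THRESHOLD = 20          # scores at or below this are treated as malicious
UNCATEGORIZED_ACTION = "warn"     # unrated sites are allowed behind a warning page

def normalize_host(url: str) -> str:
    """Lowercase the host and drop any port and trailing dot before lookup."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()

def lookup(host: str) -> dict:
    """Walk from the full host up through its parent domains, so that
    'www.games.example.net' inherits the entry for 'games.example.net'."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in SITE_DATA:
            return SITE_DATA[candidate]
    return DEFAULT

def filter_request(url: str) -> tuple:
    """Return (action, reason). Security verdicts take precedence over policy ones."""
    info = lookup(normalize_host(url))
    if info["reputation"] <= MALICIOUS_THRESHOLD:
        return "block", "malicious"
    if info["category"] in BLOCKED_CATEGORIES:
        return "block", "policy:" + info["category"]
    if info["category"] == "uncategorized":
        return UNCATEGORIZED_ACTION, "uncategorized"
    return "allow", info["category"]

if __name__ == "__main__":
    for url in ("https://WWW.Example.com:8443/path",
                "http://www.games.example.net/",
                "http://evil.example.org/x",
                "http://unknown.example.test/"):
        print(url, filter_request(url))
```

Keeping the reason string separate from the action is what lets an organization tune the two halves independently: the malicious threshold is a security decision, while `BLOCKED_CATEGORIES` and the treatment of unrated sites are the "inappropriate but not malicious" policy decisions the paragraph refers to.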
Technical architecture: As you would expect from a network security technology, UTM appliances feature a primary technical architecture of one or more network appliances or servers. Typically, these devices are placed at key points within the network perimeter, such as within proximity of where external communications links attach to the organization's networks. Particularly in larger enterprises, UTM appliances or servers may also be deployed at boundaries between portions of the enterprise, including different divisions of a company. Basically, UTMs may be most effectively deployed at any network boundary, where networks with different levels of trust or security policies intersect.
Because each UTM device (appliance or server) plays such a critical role in network security, it is imperative that all deployments have redundancy built in to mitigate the effect of a UTM failure. Remember that because a UTM is providing firewalling and other core security functions, a UTM failure will effectively prevent any network traffic from crossing the network location where the UTM is located. For many years, experts have recommended that organizations place redundant firewalls at key locations, and having redundant UTM devices at these spots is even more important. Also, don't forget about UTM during disaster recovery planning -- hot sites and other alternate locations must be protected should operations be transferred there in case of disaster.
About the author:
Karen Scarfone is the principal consultant for Scarfone Cybersecurity in Clifton, Virginia. She provides cybersecurity publication consulting services, specializing in network and system security guidelines. Scarfone was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST), where she oversaw the development of system and network security publications for federal civilian agencies and the public.