Secures what ails you
Unified threat management offers multiple levels of protection in a single dose
- By Edmund X. DeJesus
- Jun 29, 2007
Unified threat management sounds like a miracle cure. Have security problems? Just use UTM for fast relief! Supports your security seven ways!
The truth isn't much different. Agencies face multiple security threats: viruses and other malware, spam, phishing, intrusions, and more-sophisticated attacks.
That's why UTM solutions include multiple components, including some combination of firewall, intrusion detection or intrusion prevention, content filtering, antivirus or anti-malware, anti-spam, and a virtual private network. They may also offer services such as bandwidth management. UTMs act on network traffic, including e-mail, HTTP and File Transfer Protocol.
The original UTM solution was oriented toward small and midsize businesses with limited resources. These enterprises couldn't afford to buy multiple boxes to address each class of threat separately. They also couldn't support large IT staffs to handle security or babysit multiple boxes. UTMs provide a good security answer.
Since that start, however, UTMs have surfaced in many other settings. Large enterprises frequently use them at remote sites that have limited IT staff and limited security concerns. They also find extensive use at the edges of enterprise networks.
The usefulness for government agencies is similar. For small and midsize offices, including remote sites, UTM may be all the security necessary. For larger installations, edge and in-network use is common.
'Determine what applications you will be running: firewall, VPN, intrusion detection or intrusion prevention, gateway antivirus, and so forth,' said Charles Kolodgy, research director at IDC and originator of the term 'unified threat management.' Using UTMs also reduces the number of systems that government agencies must support. Stacks of multiple components have evolved into integrated security appliances. Single-platform solutions are more attractive than multiple-platform solutions, from both security and support points of view.
Manageability is important for a system being built at the Army's Dugway Proving Grounds in Utah. 'The network staff here is two people,' said Brent Martinez, president of Secure Network Innovation, which is installing the system. 'We appreciate that this solution doesn't require a lot of attention to run perfectly.' What's more, the reduced cost of a single solution is a significant inducement. As a bonus, finger-pointing by multiple vendors when problems occur is minimized with a single box handling all the jobs.
Block that threat
The first step in selecting a UTM solution is to determine which threats you are most concerned about. For most agencies and departments, the priority is blocking outsiders from entering the network via the Internet. However, significant threats can also come from inside the network. If this is a concern, you'll want insider-threat prevention features. Going a step further, you may have multiple workgroups with different security levels at your facility. Solutions that provide virtual or physical separation of access between workgroups can help isolate threats and allow administrators to customize security.
Most solutions protect based on pattern detection. They know, for example, what features of an e-mail look dangerous and what port probes are suspicious.
However, identity-based security is an increasingly important concept. This means making decisions about what to do with data based on who sent it, not just the nature of the data.
With UTMs, this means, for example, the ability to identify the origin of e-mail and recognize that it's not from a trustworthy source, regardless of how innocent the e-mail may seem. Identity-based security can also be more efficient: If you know a source is untrustworthy, you don't have to bother scanning e-mail originating from there.
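The identity-first ordering described above, as an added example that is not from the article or any vendor's product: a toy mail-policy stage that consults a constructed sender-reputation table before running constructed content patterns, and then tallies verdicts the way a reporting feature would. The reputation entries, patterns and sample messages are all assumptions for illustration.

```python
"""Toy UTM mail-policy stage: identity-based decision before content scanning.

Added example, not from the article or any vendor. The reputation table,
the content patterns and the sample messages below are all constructed.
"""
import re
from collections import Counter

# Constructed sender-reputation table (a real UTM would pull scores from a
# reputation feed rather than a static dict).
SENDER_REPUTATION = {
    "known-bad.example": "untrusted",
    "partner.example": "trusted",
}

# Constructed content patterns standing in for the "features of an e-mail
# that look dangerous" mentioned in the article.
CONTENT_PATTERNS = [
    ("executable attachment", re.compile(r"\.(exe|scr|pif)$", re.I)),
    ("credential lure", re.compile(r"verify your (account|password)", re.I)),
]

def classify(message):
    """Return (verdict, reason). Identity is checked first: an untrusted
    source is rejected without spending a content scan on it."""
    domain = message["from"].rsplit("@", 1)[-1].lower()
    rep = SENDER_REPUTATION.get(domain, "unknown")
    if rep == "untrusted":
        return "reject", "sender reputation"
    # Unknown and trusted senders still get content checks; trusting a
    # domain does not mean trusting every message from it.
    for name, pattern in CONTENT_PATTERNS:
        for field in ("subject", "attachment"):
            if pattern.search(message.get(field, "")):
                return "quarantine", name
    return "deliver", "clean"

def summarize(messages):
    """Counts per (verdict, reason): the trend data an administrator would
    want from the reporting capability the article calls for."""
    return Counter(classify(m) for m in messages)

# Constructed sample traffic.
SAMPLE = [
    {"from": "bob@known-bad.example", "subject": "hi", "attachment": ""},
    {"from": "alice@partner.example", "subject": "Q3 report", "attachment": "q3.pdf"},
    {"from": "x@unknown.example", "subject": "Verify your account", "attachment": ""},
    {"from": "y@partner.example", "subject": "invoice", "attachment": "invoice.exe"},
]

if __name__ == "__main__":
    for (verdict, reason), n in summarize(SAMPLE).items():
        print(f"{verdict:10} {reason:25} {n}")
```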
With all the jobs UTMs are handling, performance is a legitimate concern. Sure, you want to throw barriers in front of the nasty stuff that wants to get onto your network. But you also want legitimate traffic to get through without hindrance. Throughput is not so significant for ordinary office settings. But if your UTM is guarding access to a significant application or data source, speed is a major factor. Typically, hardware-based processing, including application-specific integrated circuit acceleration, is faster than software.
Performance is one of the major concerns for the Dugway system. Martinez said dozens of isolated video cameras and other instruments feed images and data back to the network for analysis and through a Fortinet UTM appliance for security. Under such circumstances, a speedy solution is required to keep those bits flowing smoothly.
Talk to me
You want the UTM to not only stop the intruders but also tell you about it. That's why reporting capabilities are important. You should be able to control the level of detail so you can track important indicators that will allow you to monitor trends in attempted attacks, possibly pointing to the need for advanced measures. There may also be a pattern of internal access from employees, deliberate or not. Many threats involve a wolf knocking at the door and an unwitting little pig undoing the latch.
How security-specific is the UTM solution? 'Some UTM solutions are general-purpose boxes that happen to be running the client applications,' said Robert Whitely, a senior analyst at Forrester Research. The box, and the operating system it's running, may not be particularly secure. A computer running a conventional operating system is a computer subject to all that operating system's vulnerabilities. This may work for a lot of customers whose security needs aren't that demanding.
However, federal agencies and departments often demand a more hardened solution. Many vendors offer nonstandard hardware platforms running proprietary solutions. For instance, Juniper Networks offers its ScreenOS operating system, a far less obvious target for attack than, say, Windows or Linux. Selecting a hardened solution instantly improves the security of an agency's network.
Is it certifiable?
Obviously, any federal agency or department is required to consider certification issues. 'We had a stack of dozens of regulations to satisfy when we started,' Martinez said. Because UTMs serve multiple purposes, this means dealing with multiple certifications for a single piece of equipment. 'Most UTMs have industry certification for individual applications, but not for the system as a whole,' Kolodgy said.
However, it's the second aspect of certifications that can sting you most. 'Vendors implement compliance at different levels,' Whitely said. This is a kind of marketing game that vendors play and of which you need to be aware. Don't expect vendors to be forthcoming about this information: You'll have to grill them to clarify their level of compliance.
Because UTMs are often deployed at the edge of a network, agencies should give careful consideration to required changes for IPv6 that might catch them short. The federal government has specified that federal agencies must implement IPv6, the next-generation Internet, on network backbones by June 2008. There is no special funding available for the transition to IPv6, so many agencies are using ordinary procurement for new or updated equipment to make the transition.
To meet this deadline, or any extensions, agencies must ensure that UTM solutions are already IPv6-compliant. 'This will save them from guaranteed obsolescence,' Whitely said.
Future: Tense?
As usual, agencies should scrutinize potential UTM solutions for scalability, reliability and integration with existing systems. Scalability is especially significant for growing agency offices that rely on UTM for their main security protection. Integration is also critical. 'How well do the security appliances handle networking?' Kolodgy asked. 'Most include routing, some can do switching, many have wireless access points, and some allow network printing and storage.'
In short, many key considerations come down to how the vendor has implemented features: high-level or low-level compliance, hardware or software. Do your homework with vendors, and you'll find a UTM solution that will cure what ails you.
Unified threat management products
| Product | Description |
| --- | --- |
| Secure Computing Sidewinder Network | Self-defending firewall with most security functions in a single appliance; incorporates real-time, sender-based reputation scores from the TrustedSource global intelligence service. |
| SonicWALL Pro 2040 | Rackmounted appliance providing business-class performance, optimized for networks of as many as 200 nodes or 50 network locations, with gateway antivirus, anti-spyware and intrusion prevention. |
| SonicWALL Pro 4060 | High-performance gateway with enterprise-class firewall and VPN performance, gateway antivirus, intrusion prevention and anti-spam. |
| Symantec Gateway Security | Integrated stateful inspection firewall, antivirus, IPsec VPN, intrusion detection, intrusion prevention and content filtering, with multiport local-area network switch, router and Internet link protection with automatic detection and failover capabilities. |
| Firebox X Core e-Series | Stateful packet firewall, VPN, proactive zero-day attack prevention, anti-spyware, anti-spam, antivirus, intrusion prevention and URL filtering. |