Secures what ails you

Unified threat management offers multiple levels of protection in a single dose

Unified threat management

Unified threat management appliances offer multiple security features, so you may need to combine multiple requests for proposals into one. Here are some questions to ask:

What is the setting for the UTM appliance? Does it reside on the edge of the network? At some remote location? Is it part of overall security or the only security? Each has its own advantages and disadvantages.

What features do you need? Decide on the features your agency's UTM systems must have, including firewall, intrusion detection or intrusion prevention, content filtering, antivirus or anti-malware, anti-spam, and virtual private network. The more you include in a box from a single vendor, the less finger-pointing you'll have to deal with. Also, will the UTM be replacing existing solutions? Remember that these multiple solutions should not replace existing firewalls and antivirus protection.

What threats does your agency face? Are internal threats a problem? Does the UTM solution need to separate multiple communities?

How important is easy manageability? Do you need to minimize IT staff attention? If so, look for a system that caters to this environment.

What is the best way to detect malicious behavior on your network? Although pattern detection is customary to detect problems, identity-based security can eliminate attempted intrusions based on their origin, saving time.

Is performance an issue? If so, go with hardware-based processing, which is usually faster than software. Security-specific appliances are more secure than general-purpose boxes. Although it seems to run counter to commercial guidelines, hardened solutions often run on nonstandard platforms running proprietary operating systems.

What kind of reporting capabilities do you require? Is remote management possible? Do you want to use patterns to identify threats?

What are the government- and agency-required certifications for all the features of a UTM solution? General standards include CIPA, Health Insurance Portability and Accountability Act, Sarbanes-Oxley, PCI, Federal Information Security Management Act and Gramm-Leach-Bliley Act. Specific certifications include PIV or Common Access Card-based Defense Department PKI, DOD Directives 8500.1 and 8500.2, DOD Application Firewall Protection Profile, Federal Circular A-123, and DOD JITC-MoonV6 tested IPv6 security. Encryption standards include Triple Data Encryption Standard, Advanced Encryption Standard and Federal Information Processing Standard 140-2. Remember that vendors implement compliance on various levels, from software to hardware, and from component level to system level. Obtain specific information from vendors about the level of compliance they provide.

Do you need to be IPv6-compliant? Are the projects IPv6 compliant? If you work for a federal agency, you must implement IPv6 on network backbones by 2008, so look for IPv6 systems.

Unified threat management sounds like a miracle cure. Have security problems? Just use UTM for fast relief! Supports your security seven ways!

The truth isn't much different. Agencies face multiple security threats: viruses and other malware, spam, phishing, intrusions, and more-sophisticated attacks.

That's why UTM solutions include multiple components, including some combination of firewall, intrusion detection or intrusion prevention, content filtering, antivirus or anti-malware, anti-spam, and a virtual private network. They may also offer services such as bandwidth management. UTMs act on network traffic, including e-mail, HTTP and File Transfer Protocol.

The original UTM solution was oriented toward small and midsize businesses with limited resources. These enterprises couldn't afford to buy multiple boxes to address each class of threat separately. They also couldn't support large IT staffs to handle security or babysit multiple boxes. UTMs provide a good security answer.

Since that start, however, UTMs have surfaced in many other settings. Large enterprises frequently use them at remote sites that have limited IT staff, and limited security concerns. They also find extensive use at the edges of enterprise networks.

The usefulness for government agencies is similar. For small and midsize offices, including remote sites, UTM may be all the security necessary. For larger installations, edge and in-network use is common.

'Determine what applications you will be running: firewall, VPN, intrusion detection or intrusion prevention, gateway antivirus, and so forth,' said Charles Kolodgy, research director at IDC and originator of the term 'unified threat management.' Using UTMs also reduces the number of systems that government agencies must support. Stacks of multiple components have evolved into integrated security appliances. Single-platform solutions are more attractive than multiple-platform solutions, from both security and support points of view.

Manageability is important for a system being built at the Army's Dugway Proving Grounds in Utah. 'The network staff here is two people,' said Brent Martinez, president of Secure Network Innovation, which is installing the system. 'We appreciate that this solution doesn't require a lot of attention to run perfectly.' What's more, the reduced cost of a single solution is a significant inducement. As a bonus, finger-pointing by multiple vendors when problems occur is minimized with a single box handling all the jobs.

Block that threat

The first step in selecting a UTM solution is to determine which threats you are most concerned about. For most agencies and departments, the priority is blocking outsiders from entering the network via the Internet. However, significant threats can also come from inside the network. If this is a concern, you'll want insider-threat prevention features. Going a step further, you may have multiple workgroups with different security levels at your facility. Solutions that provide virtual or physical separation of access between workgroups can help isolate threats and allow administrators to customize security.

Most solutions protect based on pattern detection. They know, for example, what features of an e-mail look dangerous and what port probes are suspicious.

However, identity-based security is an increasingly important concept. This means making decisions about what to do with data based on who sent it, not just the nature of the data.

With UTMs, this means, for example, the ability to identify the origin of e-mail and recognize that it's not from a trustworthy source, regardless of how innocent the e-mail may seem. Identity-based security can also be more efficient: If you know a source is untrustworthy, you don't have to bother scanning e-mail originating from there.
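
The ordering described above, sketched as an added example (not code from the article or from any vendor): a gateway checks the sender's origin against a reputation list first and runs pattern scanning only on mail from sources it has no reason to distrust. The address ranges, patterns and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed reputation list (documentation address ranges, not real data).
UNTRUSTED_NETS = [ipaddress.ip_network(n)
                  for n in ("203.0.113.0/24", "2001:db8:bad::/48")]

# Constructed content patterns standing in for a vendor signature set.
SUSPICIOUS = [re.compile(p, re.I)
              for p in (r"\.exe\b", r"verify your account")]


def source_untrusted(src: str) -> bool:
    """Identity check: is the sending address inside an untrusted network?"""
    addr = ipaddress.ip_address(src)  # accepts IPv4 and IPv6 literals
    return any(addr.version == net.version and addr in net
               for net in UNTRUSTED_NETS)


def filter_mail(messages):
    """Return (verdicts, scans_run) for a list of (source_ip, body) pairs."""
    verdicts, scans_run = [], 0
    for src, body in messages:
        if source_untrusted(src):
            # Rejected on origin alone; the body is never scanned.
            verdicts.append("reject-source")
            continue
        scans_run += 1  # pattern detection runs only for remaining mail
        if any(p.search(body) for p in SUSPICIOUS):
            verdicts.append("quarantine-content")
        else:
            verdicts.append("deliver")
    return verdicts, scans_run


# Constructed sample traffic.
SAMPLE = [
    ("203.0.113.7", "Quarterly report attached."),      # innocent text, bad origin
    ("198.51.100.20", "Please verify your account now"),
    ("2001:db8:bad::25", "Meeting at 3pm"),             # IPv6 sender, bad origin
    ("2001:db8:1::10", "Meeting at 3pm"),
]

if __name__ == "__main__":
    print(filter_mail(SAMPLE))
```

Two of the four sample messages are rejected before any content scan runs, including one whose text looks harmless.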

With all the jobs UTMs are handling, performance is a legitimate concern. Sure, you want to throw barriers in front of the nasty stuff that wants to get onto your network. But you also want legitimate traffic to get through without hindrance. Throughput is not so significant for ordinary office settings. But if your UTM is guarding access to a significant application or data source, speed is a major factor. Typically, hardware-based processing, including application-specific integrated circuit acceleration, is faster than software.

Performance is one of the major concerns for the Dugway system. Martinez said dozens of isolated video cameras and other instruments feed images and data back to the network for analysis and through a Fortinet UTM appliance for security. Under such circumstances, a speedy solution is required to keep those bits flowing smoothly.

Talk to me

You want the UTM to not only stop the intruders but also tell you about it. That's why reporting capabilities are important. You should be able to control the level of detail so you can track important indicators that will allow you to monitor trends in attempted attacks, possibly pointing to the need for advanced measures. There may also be a pattern of internal access from employees, deliberate or not. Many threats involve a wolf knocking at the door and an unwitting little pig undoing the latch.

How security-specific is the UTM solution? 'Some UTM solutions are general-purpose boxes that happen to be running the client applications,' said Robert Whitely, a senior analyst at Forrester Research. The box, and the operating system it's running, may not be particularly secure. A computer running a conventional operating system is a computer subject to all that operating system's vulnerabilities. This may work for a lot of customers whose security needs aren't that demanding.

However, federal agencies and departments often demand a more hardened solution. Many vendors offer nonstandard hardware platforms running proprietary solutions. For instance, Juniper Networks offers its ScreenOS operating system, a far less obvious target for attack than, say, Windows or Linux. Selecting a hardened solution instantly improves the security of an agency's network.

Is it certifiable?

Obviously, any federal agency or department is required to consider certification issues. 'We had a stack of dozens of regulations to satisfy when we started,' Martinez said. Because UTMs serve multiple purposes, this means dealing with multiple certifications for a single piece of equipment. 'Most UTMs have industry certification for individual applications, but not for the system as a whole,' Kolodgy said.

However, it's the second aspect of certifications that can sting you most. 'Vendors implement compliance at different levels,' Whitely said. This is a kind of marketing game that vendors play and of which you need to be aware. Don't expect vendors to be forthcoming about this information: You'll have to grill them to clarify their level of compliance.

Because UTMs are often deployed at the edge of a network, agencies should give careful consideration to required changes for IPv6 that might catch them short. The federal government has specified that federal agencies must implement IPv6 (the next-generation Internet) on network backbones by June 2008. There is no special funding available for the transition to IPv6, so many agencies are using ordinary procurement for new or updated equipment to make the transition.

To meet this deadline, or any extensions, agencies must ensure that UTM solutions are already IPv6-compliant. 'This will save them from guaranteed obsolescence,' Whitely said.

Future: Tense?

As usual, agencies should scrutinize potential UTM solutions for scalability, reliability and integration with existing systems. Scalability is especially significant for growing agency offices that rely on UTM for their main security protection. Integration is also critical. 'How well do the security appliances handle networking?' Kolodgy asked. 'Most include routing, some can do switching, many have wireless access points, and some allow network printing and storage.'

In short, many key considerations come down to how the vendor has implemented features: high-level or low-level compliance, hardware or software. Do your homework with vendors, and you'll find a UTM solution that will cure what ails you.

Unified threat management products







Secure Computing
(408) 979-6100
www.securecomputing.com
Sidewinder Network Gateway Security
Self-defending firewall with most security functions in a single appliance, incorporates real-time, sender-based reputation scores from TrustedSource global intelligence service.

SonicWALL
(888) 557-6642
www.sonicwall.com
SonicWALL Pro 2040
Rackmounted appliance providing business-class performance, optimized for networks of as many as 200 nodes or 50 network locations, with gateway, antivirus, anti-spyware and intrusion prevention.

SonicWALL
(888) 557-6642
www.sonicwall.com
SonicWALL Pro 4060
High-performance gateway with enterprise-class firewall and VPN performance, gateway antivirus, intrusion prevention and anti-spam.

Symantec
(408) 517-8000
www.symantec.com
Symantec Gateway Security
Integrated stateful inspection firewall, antivirus, IPsec VPN, intrusion detection, intrusion prevention and content filtering, with multiport local-area network switch, router and Internet link protection with automatic detection and failover capabilities.

WatchGuard
(206) 521-8340
www.watchguard.com
Firebox X Core e-Series
Stateful packet firewall, VPN, proactive zero-day attack prevention, anti-spyware, anti-spam, antivirus, intrusion prevention and URL filtering.

