Unified threat management explained


By Pat Devlin
Tuesday, 15 October, 2013



In an era of blended threats and constantly changing technologies, firewalling is only one component of a multifaceted perimeter defence. For that reason, businesses of all sizes are increasingly turning to unified threat management (UTM) systems: multilayered appliances that combine a firewall with other vital security functions and centralise visibility, reporting and security controls in a single device, simplifying the management of network security.

Traditionally, firewalls have, at minimum, performed the same basic function: checking incoming and outgoing packets against an ordered list of rules that define which traffic to allow and which to block. Most older-generation firewalls rely primarily on ‘stateful inspection’, which tracks connections so that inbound packets are admitted only when they belong to a session an inside host opened, rather than whenever their headers happen to match a rule. Newer products add deep packet inspection, which examines payload content rather than just headers. A more recent development is application-layer proxying that applies a default-deny stance: the proxy enforces protocol conformance and passes only ‘known good’ traffic, instead of trying to enumerate everything that is bad.
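The difference between rule matching on headers alone and stateful inspection is easiest to see on a packet trace. The following is an added illustration written for this article, not code from the article or from WatchGuard; the packet fields, rule format, addresses and the trace itself are constructed for the demonstration. A stateless filter that must let HTTPS replies back in has to open inbound traffic from source port 443, and an attacker who simply sets that source port walks through it; the stateful filter admits an inbound packet only as the reverse of a connection it saw a LAN host open.

```python
"""Stateless vs stateful packet filtering over a constructed packet trace.

Added illustration for this article; it is not code from the article or
from WatchGuard. The packet fields, the rule format, the addresses and the
trace below are all assumptions made for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "out": LAN -> Internet, "in": Internet -> LAN
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Stateless rules: (direction, proto, dport or None, sport or None, action).
# First match wins; anything unmatched is denied. To let HTTPS replies back
# in, a stateless filter has to open inbound traffic from source port 443.
STATELESS_RULES = [
    ("out", "tcp", 443, None, "allow"),
    ("in", "tcp", None, 443, "allow"),
]


def stateless_filter(pkt: Packet) -> str:
    """Match each packet on its own headers, with no memory of earlier packets."""
    for direction, proto, dport, sport, action in STATELESS_RULES:
        if (direction == pkt.direction and proto == pkt.proto
                and (dport is None or dport == pkt.dport)
                and (sport is None or sport == pkt.sport)):
            return action
    return "deny"


class StatefulFilter:
    """Admit outbound connections the policy allows, and inbound packets only
    when they belong to a connection a LAN host opened."""

    def __init__(self) -> None:
        # Connection table keyed by (lan_ip, lan_port, remote_ip, remote_port, proto)
        self.table: set[tuple] = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if pkt.proto == "tcp" and pkt.dport == 443:  # policy: LAN may open HTTPS
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return "allow"
            return "deny"
        # Inbound: allowed only as the reverse of a tracked connection.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return "allow" if key in self.table else "deny"


# Constructed trace: a legitimate HTTPS session, then an attacker who sets
# source port 443 to reach RDP on the same LAN host, then two plain policy misses.
TRACE = [
    Packet("out", "tcp", "10.0.0.5", 50000, "203.0.113.10", 443),   # client opens HTTPS
    Packet("in",  "tcp", "203.0.113.10", 443, "10.0.0.5", 50000),   # server reply
    Packet("in",  "tcp", "198.51.100.7", 443, "10.0.0.5", 3389),    # spoofed sport -> RDP
    Packet("in",  "tcp", "198.51.100.7", 40000, "10.0.0.5", 22),    # unsolicited SSH
    Packet("out", "tcp", "10.0.0.5", 50001, "203.0.113.10", 25),    # outbound SMTP, not in policy
]


def run_trace(trace=TRACE) -> list[tuple[str, str]]:
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.filter(p)) for p in trace]


if __name__ == "__main__":
    for pkt, (sl, sf) in zip(TRACE, run_trace()):
        print(f"{pkt.direction:>3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  stateless={sl:<5} stateful={sf}")
```

Only the third packet separates the two approaches: the stateless rule admits it because the source port is 443, while the stateful filter rejects it because no LAN host ever opened a connection to 198.51.100.7. A real stateful engine also validates TCP flags and sequence numbers and ages entries out of the table; the reverse-tuple lookup is the core idea.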

Why unified threat management?

UTMs are the modern-day alternative to the stand-alone firewall. The appliances typically consolidate firewall and VPN capabilities with URL filtering, spam blocking, intrusion prevention, gateway antivirus, application control, and a centralised management, monitoring and logging function. By replacing multiple point solutions, a UTM appliance provides protection against several kinds of network threat in one place. They are a particularly pertinent approach to today’s environment for several reasons, including:

1. Multilayered security/defence-in-depth

Viruses, worms, Trojans, rootkits, DDoS and cross-site scripting attacks remain relevant today, and the sophistication and scope of attacks continues to increase. For instance, today’s botnets are capable of coordinating a range of blended attacks, leveraging millions of zombie computers to exploit zero-day vulnerabilities. APTs (advanced persistent threats), run by rogue states or bands of cybercriminals, employ multivectored techniques that persist until they penetrate the network, or that map the targeted environment for future attacks (as in the case of Flame and miniFlame).

No single ‘point solution’ provides adequate protection. The current generation of blended threats requires blended security solutions, which is why UTM solutions are generating so much interest.

2. Centralised management and compliance reporting

Having separate security systems means learning a different management console for each one. Because the management paradigms of these systems are typically discrete, it can be onerous and time-consuming to verify that the separate security policies actually work together and provide adequate protection. Log information from each system is stored in different formats in separate locations, which further complicates the detection and analysis of security events.

A UTM avoids much of this because it centralises management, monitoring and logging, making security easier to configure and manage. It also makes it easier to build coherent security policies, and simplifies administration tasks such as log file management and reporting, while lowering operational costs.

3. UTMs are cost-effective

Integrating multiple security capabilities into a single appliance reduces the expense that used to be required when purchasing, using and managing multiple stand-alone appliances. Aside from the bundled price advantages, organisations find it easier to have fewer vendors to deal with for purchasing, support and ongoing maintenance.

According to Gartner Research, unified threat management can roughly halve the annual network security spending, and over the lifetime of the product, the savings can be considerably more. Gartner also points out that the lack of systems integration between stand-alone products can be costly in terms of the administrative complexity needed to stay on top of it (see ‘Total Cost of Ownership for Unified Threat Management’ by Gartner’s Dionisio Zumerle, October 2012). Thus, the ability to administer one unified solution versus multiple stand-alone products not only simplifies management, but delivers considerable savings throughout the course of the product life cycle.

What to look for in a UTM

At a glance, many UTM vendors seem to market a comparable checklist of features and services, yet vast differences exist between the performance, quality and capabilities of those features from vendor to vendor. The less mature the security at each layer, the higher the risk of exploitation.

Therefore, if you are going to consolidate a security feature typically provided by a point solution into a UTM, make sure the UTM’s version of that feature is of comparable efficacy; otherwise the consolidation trades a strong control for a weak one. In particular, look for robust VoIP security and for HTTPS inspection of both headers and body content on incoming and outgoing traffic. Bear in mind what HTTPS inspection entails: the appliance terminates TLS and re-signs the connection with its own CA certificate, which every client must trust. Plan for that certificate roll-out, for the applications using certificate pinning that will break behind the proxy, and for the privacy and data-handling questions that decrypting user traffic raises.

There can also be big differences in UTM performance from brand to brand or vendor to vendor. A high-performance packet-throughput device, even one with custom ASIC processors, can fall over when the full suite of unified threat management services is enabled. Therefore, examine UTM throughput numbers carefully: ask for figures measured with all services enabled on a realistic traffic mix, not the firewall-only number, and test under your own load before buying. If a vendor does not publish UTM throughput numbers at all, be suspicious.

Centralised management and ease of use shouldn’t be underestimated. Despite the media attention lavished on dramatic ‘zero day’ security flaws, the consensus among security experts holds that firewall misconfiguration is a likely primary ingredient in data compromise events. In fact, Gartner speculates that firewall misconfigurations, as opposed to flaws in the firewall itself, are a factor in up to 95% of breaches (see ‘One Brand of Firewall Is a Best Practice for Most Enterprises’ by Gartner’s Greg Young, November 2012).
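Two of the most common misconfigurations are mechanical enough to check automatically: an allow rule that is ‘any to any on any port’, and a rule that is fully covered by an earlier, broader rule and therefore never fires under first-match evaluation. The following lint is an added illustration written for this article, not code from the article, from Gartner or from WatchGuard; the rule format, field names and sample policy are constructed for the demonstration, and a real check would parse the appliance’s own policy export and handle address ranges rather than plain labels.

```python
"""Lint a first-match firewall rule list for the misconfigurations that
most often open holes: overly broad allow rules and rules shadowed by an
earlier, broader one.

Added illustration for this article; not code from the article, from
Gartner or from WatchGuard. The rule format, the field names and the
sample policy are assumptions made for the demonstration.
"""
from dataclasses import dataclass

ANY = "any"
FIELDS = ("proto", "src", "dst", "dport")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # an address or network label, or "any" (no CIDR maths here)
    dst: str
    dport: str    # port as a string, or "any"


def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every packet matching `narrow` would also match `broad`."""
    return all(getattr(broad, f) in (ANY, getattr(narrow, f)) for f in FIELDS)


def lint(rules: list[Rule]) -> list[str]:
    """Return human-readable findings, one per problem, in rule order."""
    findings = []
    for i, rule in enumerate(rules):
        # 1. An allow rule with source, destination and port all "any" is a
        #    hole, whatever comment justified it at the time.
        if (rule.action == "allow" and rule.src == ANY
                and rule.dst == ANY and rule.dport == ANY):
            findings.append(f"{rule.name}: allows any source to any destination on any port")
        # 2. First match wins, so a rule fully covered by an earlier rule never
        #    fires. Harmless if the actions agree; a silent policy failure if not.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                severity = "ineffective" if earlier.action != rule.action else "redundant"
                findings.append(f"{rule.name}: {severity}, shadowed by {earlier.name}")
                break
    return findings


# Constructed policy. The "temporary" any/any allow in the second position is
# the classic mistake; it silently disables the RDP block that follows it.
SAMPLE_POLICY = [
    Rule("allow-https", "allow", "tcp", ANY, "dmz-web", "443"),
    Rule("temp-vendor-access", "allow", ANY, ANY, ANY, ANY),
    Rule("block-rdp", "deny", "tcp", ANY, "10.0.0.9", "3389"),
    Rule("allow-web-again", "allow", "tcp", "branch-lan", "dmz-web", "443"),
]

if __name__ == "__main__":
    for line in lint(SAMPLE_POLICY):
        print(line)
```

On the sample policy the lint reports the any/any rule, flags the RDP block as ineffective because the any/any rule above it matches first, and flags the last rule as redundant because the first rule already allows that traffic. A centralised console does not stop anyone from adding a ‘temporary’ any/any rule, but having one policy to export makes a check like this a routine part of change review rather than a per-appliance chore.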

Given the growing number of regulatory requirements affecting data security, reporting, visibility and auditability are increasingly important functions of a UTM. Surprisingly, however, not every vendor offers reporting within the base UTM product. Decide in advance which reports you are going to require, then check with the vendor whether that information can be obtained from the appliance and whether it involves any additional cost.

The final ‘must have’ in a UTM is the flexibility to add security services. It would be foolish to assume the only threats you need to deal with are those in evidence today. The last decade has confirmed that IT security is fast moving and rapidly evolving, with new threats arising daily. To be of lasting value, a modern UTM must be able to integrate the next generation of vital technologies as they emerge.

This article represents the opinions of Pat Devlin, Regional Director - ANZ, WatchGuard Technologies.
