Unified threat management commonly abbreviated as UTM is an approach to security management that provides the ability to monitor and manage a variety of security-related applications and infrastructure components through a single management console. Simply a single security solution.
UTM is the integration of multiple security functions into hardware and software appliances, compared to legacy network security systems that used single function appliances that resulted in multiple and complex hardware, software, and management control systems.
Unified Threat Management is a network security appliance that provides firewall, identity-based access control, application control, intrusion prevention (IPS), Antivirus, Antispam, Antispyware, Web Filtering, SSL/SSH inspection, Quality of service (QoS), VPN capabilities and graphical reporting in one integrated package that can be installed easily.
image by Lotus93 (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons
The most basic and required network security technology, which uses sets or rules or policies to determine which traffic is allowed into or out of a network. UTM builds on this foundation to integrate other security capabilities.
Identity-Based Access Control
The UTM system tracks user names, IP addresses, and Active Directory user groups. When a user logs on and tries to access network resources, UTM applies a firewall policy based on the group the user belongs to. Access is allowed only if the user belongs to one of the permitted user groups.
UTM can identify and control applications, software programs, network services, and protocols. In order to protect networks against the latest web-based threats. Application control should be able to detect and control Web 2.0 apps like YouTube, Facebook,and Twitter. Application control provides granular policy control, letting you allow or block apps based on vendor, application behaviour, and type of technology. For example, you can block specific sites, block only your users’ ability to follow links or download files from sites, or block games but allow chat.
Intrusion Prevention (IPS)
IPS is capable of detecting potential threats to the network and react by sending a message to the firewall to block the threat. IPS issues alarms or alerts and is able to block unwanted traffic. IPS also routinely log information as events occur, so they can provide information to better handle threats in the future. IPS is the best way to detect threats trying to exploit network vulnerabilities.
Provides protection against viruses, spyware, and other types of malware attacks. It enables scanning e-mail for viruses. You can also apply anti-virus protection to File Transfer Protocol (FTP) traffic, instant messaging (IM), and web content at the network perimeter. Some solutions support Secure Sockets Layer (SSL) content scanning, which means that you can protect the secure counterparts to those types of traffic as well, such as HTTPS, SFTP, POP3S, and so on. A UTM virus filter examines all files against a database of known virus signatures and file patterns for infection. If an infection is detected, the UTM solution deletes or quarantines the infected file and notifies the user.
This is a module that scans emails, detects and removes unwanted emails (spam before they reach recipient’s mailbox. UTM detects spam through a list of senders identified by a user or comparison against databases of known spam server addresses.
UTM blocks web traffic on a network by IP address, domain name/URL, type of content (for example, “adult content” or “file sharing”), or payload. They maintain a list of forbidden sites to prevent users from violating acceptable use policies or being exposed to malicious content.
This provides the ability to inspect content encrypted by applications using Secure Socket Layer (SSL) cryptologic technique, in which it performs a “man-in-the-middle” takeover of the SSL traffic. This allows other inspections to be applied such as DLP, web filtering, and antivirus/malware. Some popular SSL protocols are HTTPS, FTPS, and mail protocols SMTPS, POP3S, and IMAPS
Quality of Service (QoS)
QoS refers to a network’s ability to achieve maximum bandwidth and deal with other network performance elements like latency, error rate and uptime. QoS also involves controlling and managing network resources by setting priorities for specific types of data (video, audio, files) on the network. QoS is exclusively applied to network traffic generated for video on demand, VoIP, streaming media and video conferencing.
A Virtual Private Network (VPN) uses special protocols to move packets of information across the Internet securely. In general, VPN protocols encrypt traffic going from sender to receiver. This makes such traffic appear completely garbled to anyone that might intercept and examine those packets while they’re on the Internet. VPNs use encryption to protect the traffic they carry from unauthorised access.
UTMs are usually used to protect home/home office, small and medium-sized business (SMB) and remote/branch offices.
The principal advantage of a UTM product is its ability to reduce complexity, integrating security components and functions into both hardware appliances and associated security software applications.
The principal disadvantage is that a UTM appliance can become a single point of failure. Because of this, deploying a second UTM as a failover may be the way forward though it’s an extra cost.
Some of the UTM solutions are from vendors such as Fortinet, Sophos, WatchGuard, Dell Sonicwall, Checkpoint etc
Which Unified Threat Management (UTM) do you use?