Skip navigation

An Introduction to Unified Threat Management in Network Security

In this article, we have a look at a broad range of network security threats that concerns an enterprise user, what is Unified Threat Management (UTM) and why it is required, the types of UTM – hardware based, software based and distributed model, and the advantages and limitations of UTM based network security solutions.A broad look at the threats affecting network security:

Enterprise networks face a wide range of security threats, which penetrate through the network perimeter. Threats from viruses (through email attachments) and worms are pretty common. Spam mails coming to the user mailboxes are not dangerous until they contain some links pointing to sites which involve in phishing and pharming where the user credentials, bank account details etc. can be stolen. A rootkit is a type of threat which embeds itself in to an operating system and interprets the commands that other programs use to do basic functions like accessing files etc, and manipulate them. There are then threats from the Internet like ad-ware (which produces pop up ads every time a program is run) or spy-ware which acts in the background without the knowledge of the user and secretly passes on user activities to recipients across the Internet. And then there are attacks that are carried on the enterprise networks to stall its functioning like the Denial of Service attacks or the Distributed Denial of Service attacks where the attackers generate a lot of requests that servers cannot handle and thereby preventing it from servicing the genuine requests. There are also hackers who try to penetrate the network from a remote location using sophisticated tools either to steal some classified information/business secrets or some other malicious intent like defaming an organization/ blocking the websites hosted by an organization etc.

What is Unified Threat Management (UTM)?

Hitherto, there were separate devices for guarding against each category of network security threats. A firewall was used for determining which ports are open to outsiders and which applications can be accessed by the users etc, an anti-virus engine was used to filter all the emails and the attachments coming in to the organization, an web filter was used to block/allow website access to the employees selectively and so on. But after a point of time, many of the perimeter network defence mechanisms were integrated and consolidated on a single platform. That is what we call a UTM – Unified Threat Management approach. These days there are even Xtensible Threat Management platforms that offer even more management features and functionalities than a UTM.

So, UTM brings the following network security technologies in to a single system/platform:
¤ Firewall
¤ Anti-Spam
¤ Anti-Virus
¤ Web/URL filtering
¤ Network Intrusion/Spyware protection
¤ Virtual Private Network (VPN)
And probably some more, depending on the vendor.

Types of UTM:

UTM’s are mostly Hardware/appliance based. These appliances come with specialized ASIC chip-sets which are tailor made to handle the processing that is required to scan for multiple threats simultaneously. Apart from the hardware, they feature a network security operating system which is highly robust and integrates with all the individual components of the UTM. The individual components themselves are license based – you could purchase a UTM with a basic firewall, anti-virus and anti-spam engines alone or you could purchase the entire gamut of network security technologies supported by them. Actually, UTM’s are pretty flexible – their components could be selected individually. The individual licences need to be upgraded after their license period is over (Normally once in a year).

There are Software based UTM’s too. The licensing is similar to the hardware based UTM’s, but the network security operating system and the individual UTM components (like anti-spam, IPS etc) are hosted on standard computer servers with a certain minimum configuration based on the number of users and the applications that are run simultaneously.

There are Distributed UTM’s. Actually they do not comprise of a single appliance to combat the various network security threats, but multiple hardware boxes from the same vendor, each specialized in its own functionality (like separate boxes for IPS, Web-Filtering etc) but still having a common management interface which makes them virtually a single appliance that can be controlled on a single platform.

There are advantages and disadvantages to each type and individual deployment scenarios also influence the type of UTM deployed. Hardware/appliance based UTM’s are more popular.

Advantages of UTM:

¤ One of the driving factors (at least in the SMB segment) for the adoption of UTM is the cost savings that it gives over point network security devices. With UTM, there are fewer physical devices to buy, single management interface, lesser complexity and fewer technical staff required to maintain.

¤ UTM avoids repetition of processes and hence saves time. Common processes (like scanning packets) once for each functionality would be time consuming. So, they are done once and used for all the applicable modules. For example, the packets are not scanned separately once for anti-spam and once more for gateway level anti-virus, hence saving time and processing power.

¤ With UTM, there is transparency of events and sharing of knowledge between different security modules, whic helps in identifying network threats more efficiently.

¤ Multiple devices can be managed from single place (especially for remote locations and branch offices) and flexible grouping policies can be created from the central management console itself.

¤ Single management interface to create uniform policy across the enterprise and across the different modules – the settings of a given domain can be established transparently and notified from the central administration interface.

¤ Single and familiar interface for analysing the results of multiple security modules which does event analysis, event correlation, detailed logging and reporting for all the security modules.

¤ Multiple patches, multiple upgrades and hence multiple maintenance contracts for each security module can be avoided using UTM’s.

¤ A UTM is not only deployed at the network perimeter of data centres, but it is also deployed at multiple locations (with varying functionalities and security modules, which can be flexibly configured) across the network like remote offices, network choke points etc.

¤ UTM provides both preventive and reactive protection for the network security threats. It also provides protection for various infrastructure elements like networks, applications, services etc.

¤ UTM solutions allow for the purchase of minimum functionalities (security modules) at the beginning and then add additional functionalities as the needs increase.

Dis-advantages of UTM:

¤ There are always existing investments in point security solutions like Firewalls etc, which may be considerable.

¤ Not all processing can be consolidated as some protection methods rely on different inspection techniques (Scanning for virus is different from deep inspection of packets in a firewall, for example).

¤ UTM introduces a single point of failure for all the network security elements, unless a high availability configuration is deployed.

¤ Normally, all the different security modules need to be bought from a single vendor (or their partners) creating a vendor lock-in on a longer term.

¤ When processing peaks are reached, certain vendors disable some functionalities (like IPS for example) to keep the system running. So, if the UTM has not been sized according to the maximum utilization requirements, there could be some compromise in the functionality.

¤ There is always challenge from cloud computing initiatives and UTM’s might have to be deployed in a virtual manner (One UTM divided in to several logical units, each serving different locations etc.) in the future, which is not possible currently.

¤ Some UTM devices may not have the granular features supported by stand alone technologies and hence those functionalities are either ignored or additional investments in terms of add-on’s needs to be made.

¤ There is always a possibility of performance constraint as there are limitations in hardware processing capabilities to handle so many applications/users simultaneously.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: