Unified threat management (UTM) F.A.Q.

September 17th, 2018

IT solutions - Your guide to Unified Threat Management (UTM)

In an evolving cyber-landscape filled with reports of new types and strains of malware, more advanced social engineering setups and new vulnerabilities in systems that were once thought of as secure, it feels like the tools businesses have been using for years to defend themselves are becoming less useful by the minute.

And that’s because they are.

Most of these tools are old and were built to defend against threats that now target different parts of the network. Printers and other devices once thought of as peripherals, and even the employees themselves, are the new attack surfaces, and old defences can't keep up.

Fortunately, as the threats have evolved, so have the defences, and they are worth considering.

What is Unified Threat Management?

Unified Threat Management (UTM) is a type of network protection where a single piece of software or hardware performs multiple security functions simultaneously.

In a system with basic security, the firewall, antivirus, intrusion detection system and intrusion prevention system might all be separate, installed across several devices and running as many different pieces of software.

With UTM, all these defences (and more) are combined into a single, centrally controlled system, resulting in a layered, integrated defence and a significant reduction in administration for those responsible for network security.

What’s the difference between a firewall and a Unified Threat Management system?

A firewall is a piece of software that checks data packets before they enter or leave the network or machine it’s installed on. It compares the contents of the packet against a set of rules and then determines if the contents are safe. If they aren’t, the packet is dropped and doesn’t enter the device.

A UTM system does this as well, but also performs further detection and prevention tasks. Instead of only monitoring packet flow, it can also manage network load balancing and web filtering, and can provide a network overview for troubleshooting.

Most UTM systems include a firewall as one of their security features, so they automatically provide better defence. Even when compared against a next-gen firewall (NGFW) that includes intrusion prevention, a UTM system still outperforms it, as it contains the features of the NGFW and more.
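To make the rule-matching step concrete, here is an added example (not code from the article or any UTM product) of a minimal stateless packet filter: rules are evaluated in order, the first matching rule decides, and a packet that matches nothing is dropped (default deny). The ruleset, the 192.168.10.0/24 LAN and the packets are all constructed for the illustration.

```python
"""Minimal stateless packet filter: first matching rule wins, default deny.

Added illustration of the rule matching a firewall performs. The ruleset,
addresses and packets below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "drop"
    src: str = "0.0.0.0/0"       # source prefix; default matches any address
    dst: str = "0.0.0.0/0"       # destination prefix
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        """True when every field of the rule matches the packet."""
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed ruleset: the LAN is 192.168.10.0/24 and 192.168.10.5 hosts a
# public web server. Order matters: the first rule that matches wins.
RULES: List[Rule] = [
    Rule("allow", dst="192.168.10.5/32", proto="tcp", dport=443),  # HTTPS in
    Rule("allow", dst="192.168.10.5/32", proto="tcp", dport=80),   # HTTP in
    Rule("drop", dst="192.168.10.0/24", proto="tcp", dport=3389),  # no RDP in
    Rule("allow", src="192.168.10.0/24"),                          # LAN outbound
]


def first_match(pkt: Packet, rules: List[Rule] = RULES) -> Optional[int]:
    """Index of the first rule matching the packet, or None if none does."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return i
    return None


def decide(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, Optional[int]]:
    """Return (action, rule index). Unmatched packets are dropped by default."""
    idx = first_match(pkt, rules)
    if idx is None:
        return "drop", None
    return rules[idx].action, idx


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.7", "192.168.10.5", "tcp", 443),   # web traffic in
        Packet("203.0.113.7", "192.168.10.5", "tcp", 22),    # SSH in: no rule
        Packet("203.0.113.7", "192.168.10.20", "tcp", 3389), # RDP in: explicit drop
        Packet("192.168.10.20", "198.51.100.1", "tcp", 443), # LAN outbound
    ]
    for p in samples:
        print(p, "->", decide(p))
```

Returning the rule index alongside the verdict is deliberate: a real firewall logs which rule fired, and that is what an administrator checks when a legitimate connection is unexpectedly dropped or an unexpected one is let through.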

What are the benefits of Unified Threat Management?

1. Simplifies the network

By consolidating multiple security appliances and services into one, you can easily reduce the amount of time spent on maintaining many separate systems that may have become disorganised. This can also improve the performance of the network as there is less bloat. A smaller system also requires less energy and space to run.

2. Provides greater security and visibility

A UTM system can include reporting tools, application filtering and virtual private network (VPN) capabilities all of which defend your network from more types of threats or improve the existing security. Additionally, monitoring and analysis tools can help locate points of weakness or identify ongoing attacks.

3. Can defend from more sophisticated attacks

Because UTM defends multiple parts of a network, an attack targeting multiple points simultaneously can be repelled more easily. With cyber-attacks getting more sophisticated, having defences that can match them is of greater importance.

Having several ways of detecting a threat also means a UTM system is more accurate at identifying potential attacks and preventing them from causing damage.

What are the downsides of Unified Threat Management?

1. Single point of failure

Because all the security runs off a single appliance, if the UTM system goes down, all of its services go down, and typically all communications with them. Generally, best practice is to have a warm-standby device: another device holding exactly the same configuration that can take over should there be a system failure on the primary device, i.e. a hardware fault, faulty services, etc.

2. Inadequate performance

Because a UTM system can be managing so many services, network performance can be reduced during periods of heavy load. This issue is mostly gone now due to advances in computational power. However, it’s still important to get a correctly sized UTM appliance that can handle the amount of traffic going through it – typically sized against the size of the network connection that faces the Internet.

What security features does Unified Threat Management have?

As previously mentioned, most UTM services include a firewall, antivirus and intrusion detection and prevention systems, but they can also include other services that provide additional security.

  • Data loss prevention software to stop data from being exfiltrated from the business, which in turn prevents a data leak from occurring.
  • Security information and event management (SIEM) software for real-time monitoring of network health, allowing threats and points of weakness to be identified.
  • Bandwidth management to regulate and prioritise network traffic, ensuring everything is running smoothly without getting overwhelmed.
  • Email filtering to remove spam and dangerous emails before they reach the internal network, lowering the chance of a phishing or similar attack breaching your defences.
  • Web filtering to prevent connections to dangerous or inappropriate sites from a machine on the network. This lowers the chance of infection through malvertising or malicious code on the page. It can also be used to increase productivity within a business, e.g. blocking or restricting social media, gaming sites, etc.
  • Application filtering, using either a blacklist or a whitelist of which programs may run, to prevent certain applications from communicating in and out of the network, e.g. Facebook Messenger.

How does Unified Threat Management work?

Most UTM systems work using inspection to detect malicious activity. This generally comes under one of two categories.

1. Flow inspection

Much like how a firewall works, samples of data being sent into the network are analysed with matching algorithms to determine if they're malicious. If they are, they are prevented from entering the network. This method is faster.

2. Proxy inspection

Incoming data is assembled in a virtual environment that determines if it’s safe. If a threat is found, the proxy removes it then sends a clean copy of the data through. This method is slower but more accurate.
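The speed/accuracy trade-off between the two methods is easiest to see on data. The added example below (not code from the article or any product) models flow inspection as a signature scan over each packet payload on its own, and proxy inspection as reassembling the whole stream, scanning it once, and forwarding a cleaned copy. The signature and the packets are constructed; the per-packet model of flow inspection is an assumption made for illustration, since real flow engines vary in how much stream context they keep.

```python
"""Flow inspection versus proxy inspection on a constructed stream.

Added example. The signature below is an arbitrary constructed marker, not a
real indicator of compromise, and the packets are constructed so that the
marker straddles a packet boundary.
"""
from typing import List, Tuple

# Constructed signature used for both inspection styles.
SIGNATURES: List[bytes] = [b"EVIL-PAYLOAD-MARKER"]

# Constructed stream split into two packets; the marker crosses the boundary.
PACKETS_SPLIT: List[bytes] = [
    b"HTTP/1.1 200 OK\r\n\r\nreport body EVIL-PAY",
    b"LOAD-MARKER more report text",
]

# Same content delivered so that the marker sits entirely inside one packet.
PACKETS_INTACT: List[bytes] = [
    b"HTTP/1.1 200 OK\r\n\r\n",
    b"report body EVIL-PAYLOAD-MARKER more report text",
]


def flow_inspect(packets: List[bytes]) -> Tuple[List[str], bytes]:
    """Per-packet scan with no buffering: each payload is matched on its own.

    Returns the verdict for each packet and the data that was forwarded.
    Fast, but a signature split across packets is never seen whole.
    """
    verdicts: List[str] = []
    forwarded: List[bytes] = []
    for payload in packets:
        hit = any(sig in payload for sig in SIGNATURES)
        verdicts.append("drop" if hit else "pass")
        if not hit:
            forwarded.append(payload)
    return verdicts, b"".join(forwarded)


def proxy_inspect(packets: List[bytes]) -> Tuple[List[bytes], bytes]:
    """Reassemble the stream, scan it once, strip matches, forward a clean copy.

    Slower (the whole stream must be buffered before anything is forwarded)
    but the scan sees the data exactly as the receiver would.
    """
    stream = b"".join(packets)
    found = [sig for sig in SIGNATURES if sig in stream]
    clean = stream
    for sig in found:
        clean = clean.replace(sig, b"")  # "removes it then sends a clean copy"
    return found, clean


if __name__ == "__main__":
    for name, pkts in (("split", PACKETS_SPLIT), ("intact", PACKETS_INTACT)):
        verdicts, fwd = flow_inspect(pkts)
        found, clean = proxy_inspect(pkts)
        print(name, "flow:", verdicts, "marker forwarded?",
              SIGNATURES[0] in fwd)
        print(name, "proxy:", found, "marker forwarded?",
              SIGNATURES[0] in clean)
```

With the intact packets both methods block the marker, but with the split packets only the proxy does; the flow scan passes both halves and the receiver reassembles the marker anyway. That gap is the "more accurate" half of the trade-off, and the buffering needed to close it is the "slower" half.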

What kind of companies use a Unified Threat Management system?

UTM was originally aimed at small to medium-sized businesses, to simplify their security systems. But due to its almost universal applicability, it has since become popular with all sectors and with larger enterprises. Developments in the technology have allowed it to scale up, opening UTM up to more types of businesses that are looking for a comprehensive gateway security solution.

Where does Unified Threat Management fit on the network?

UTM is a flexible service, meaning it can run on its own hardware, on an existing server on the network, or even in the cloud. If it's run on its own hardware (which it typically is), then it's usually placed between the Internet and the company LAN. This means all external connections go through it, i.e. connections to the Internet and perhaps to a wireless network.

When is the best time to switch to a Unified Threat Management system?

Most businesses should be switching to a UTM device now if they don't have one. All network attacks are best stopped at the gate before they enter the network. It's the same as a checkpoint into a secure area – much easier to manage prior to entry. Sure, you may double up on some security systems, but that's typically a good thing. You shouldn't really be looking at choosing between a UTM or non-UTM firewall solution. The only option and best practice is to have a UTM firewall device, without a doubt.