Unified threat management F.A.Q.
17 September 2018
In an evolving cyber-landscape filled with reports of new types and strands of malware, more advanced social engineering setups and new vulnerabilities to systems that were once thought of as secure, it feels like the tools businesses have been using for years to defend themselves are becoming less useful by the minute.
And that’s because they are.
Most of these tools are old and are based on defending against threats that now target different parts of a network. Printers and devices once thought of as peripherals, even the employees themselves are the new attack surfaces and old defences can’t keep up.
Fortunately, as the threats have evolved so have the defences, so it might be worth considering them.
What is Unified Threat Management?
Unified Threat Management (UTM) is a type of network protection where a single piece of software or hardware performs multiple security functions simultaneously.
In a system with basic security, the firewall, antivirus, intrusion detection system and intrusion prevention system might all be separate. Installed over several devices and running on many different pieces of software.
With UTM, all these defences (and more) are combined into a single centrally controlled system. Resulting in a layered, integrated defence and a significant reduction in administration for those responsible for network security.
What’s the difference between a firewall and a UTM system?
A firewall is a piece of software that checks data packets before they enter or leave the network or machine it’s installed on. It compares the contents of the packet against a set of rules and then determines if the contents are safe. If they aren’t, the packet is dropped and doesn’t enter the device.
While a UTM does this as well, it also carries out further detection and prevention tasks. Instead of only monitoring packet flow, it can also manage network load balancing, web filtering and can provide a network overview for troubleshooting.
Most UTM systems include a firewall as one of their security features. So automatically provide better defence. Even when compared against a next-gen firewall (NGFW) that includes intrusion prevention, a UTM system still outperforms it as it contains the features of the NGFW and more.
What are the benefits of UTM?
1. Simplifies the network
By consolidating multiple security appliances and services into one, you can easily reduce the amount of time spent on maintaining many separate systems that may have become disorganised. This can also improve the performance of the network as there is less bloat. A smaller system also requires less energy and space to run.
2. Provides greater security and visibility
A UTM system can include reporting tools, application filtering and virtual private network (VPN) capabilities all of which defend your network from more types of threats or improve existing security. Additionally, monitoring and analysis tools can help locate points of weakness or identify ongoing attacks.
3. Can defend from more sophisticated attacks
Because UTM defends multiple parts of a network it means that an attack targeting multiple points simultaneously can be repelled easier. With cyber-attacks getting more sophisticated, having defences that can match them is of greater importance.
Having several ways of detecting a threat also means a UTM system is more accurate at identifying potential attacks and preventing them from causing damage.
What are the downsides of UTM?
1. Single point of failure
Because all the security runs off a single appliance, if the UTM system goes down all services go down, typically all communications. Generally best practice is to have a warm-standby device, basically another device which holds exactly the same configuration that can take over should there be a system failure on the primary device, i.e. a hardware fault, faulty services, etc.
2. Inadequate performance
Because a UTM system can be managing so many services, network performance can be reduced during periods of heavy load. This issue is mostly gone now due to advances in computational power. However, it’s still important to get a correctly sized UTM appliance that can handle the amount of traffic going through it – typically sized against the size of the network connection that faces the Internet.
What security features does UTM have?
As previously mentioned, most UTM services include a firewall, antivirus and intrusion detection and prevention systems. But they also can include other services that provide additional security.
- Data loss prevention software to stop data from exfiltrating the business which in turn prevents a data leak from occurring.
- Security information and event management software for real-time monitoring of network health which allows threats and points of weakness to be identified.
- Bandwidth management to regulate and prioritise network traffic, ensuring everything is running smoothly without getting overwhelmed.
- Email filtering to remove spam and dangerous emails before they reach the internal network, lowering the chance of a phishing or similar attack breaching your defences.
- Web filtering to prevent connections to dangerous or inappropriate sites from a machine on the network. This lowers the chance of an infection through malvertising or malicious code on the page. It can also be used to increase productivity within a business, i.e. blocking or restricting social media, gaming sites, etc.
- Application filtering to either a blacklist or whitelist which programs can run, preventing certain applications from communicating in and out of the network, i.e. Facebook messenger.
How does UTM work?
Most UTM systems work using inspection to detect malicious activity. Inspection generally comes under one of two categories.
1. Flow inspection
Much like how a firewall works, samples of data being sent into the network are analysed with matching algorithms to determine if they’re malicious. If they are they are prevented from entering the network. This method is faster.
2. Proxy inspection
Incoming data is assembled in a virtual environment that determines if it’s safe. If a threat is found, the proxy removes it then sends a clean copy of the data through. This method is slower but more accurate.
What kind of companies use a UTM system?
UTM was originally for small to medium office businesses to simplify their security systems. But due to its almost universal applicability it has since become popular with all sectors and larger enterprises. Developments in the technology have allowed it to scale up, opening UTM up to more types of businesses that are looking for a comprehensive gateway security solution.
Where does UTM fit on the network?
UTM is a flexible service meaning it can be either run on its own hardware, run on an existing server on the network, or even run on the cloud. If it’s run on hardware (which it typically is), then it’s usually placed between the internet and the company LAN. This means all external connections go through it, i.e. connections to the Internet and perhaps to a wireless network.
When is the best time to switch to a UTM system?
Most businesses should be switching to a UTM device now if they don’t have one. All network attacks are best stopped at the gate, before they enter the network. It’s the same as a check point into a secure area – much easier to manage prior to entry. Sure, you may double-up on some security systems but that’s typically a good thing. You shouldn’t really be looking at choosing between a UTM or non-UTM firewall solution. The only option and best-practice is to have a UTM firewall device, without a doubt.