Potential attacks, software and platform vulnerabilities, malware and misconfiguration issues can pose serious threats to organizations seeking to protect private, confidential or proprietary data. Fortunately, various technologies – collectively known as Unified Threat Management (aka UTM) – make it easy to use appliance-based tools to provide thorough and comprehensive security coverage.
Coupled with regular updates, monitoring and management services, and current security research and threat intelligence, UTM and a sound security policy let organizations erect defenses against this array of threats.
What goes into unified threat management?
The history of information security and its protective technologies goes back to the 1980s, when the elements of perimeter security (firewalls and screening routers) and malware protection (primarily early antivirus software) became available. Over time, as threats grew in sophistication and capability, other elements designed to secure business or organizational networks and systems appeared to counter them, including email checks, file screening, phishing protection, whitelists and blacklists for IP addresses and URLs, and so forth.
From the mid-1990s and into the first decade of the 21st century, there was an incredible proliferation of point solutions to counter specific types of threats, such as malware, IP-based attacks, denial of service attacks, rogue Web sites with drive-by downloads, and more. In turn, this led to a proliferation of software packages and hardware appliances, each designed to counter a single class of threat. Unfortunately, a collection of single-purpose security systems inevitably lacks consistent and coherent coordination of its efforts.
Such a collection has no ability to detect and deal with hybrid attacks that might start with a rogue URL embedded in a tweet or an email message, continue with a drive-by download when that URL is accessed, and really get underway when a surreptitiously installed keylogger teams up with a backdoor uploader that transmits the captured data on a timer. Worse yet, many of these applications are Web-based and use the standard HTTP ports, so higher-level content and activity screening becomes necessary to detect unwanted influences at work, and then to counter them.
Simply put, the basic premise of UTM is to build powerful, customized processing architectures that can handle, inspect, and (when necessary) block large amounts of network traffic at or near wire speed. The same data that must be reviewed for blacklisted IP addresses or URLs must also be inspected for malware signatures, checked for data leakage, and verified to make sure that the protocols, applications, and data involved are both allowed and benign. That is why typical UTM solutions bundle a great many functions, including:
- Proxy services, to block revealing details of internal IP addressing on networks, and to examine communications and data transfers at the application level.
- Stateful packet inspection, to distinguish legitimate network communications from suspect or known malicious forms of communication.
- Deep packet inspection, to enable the data portion or payload of network packets to be checked. This facility not only enables protection against malware, but also permits data checks to block leakage of classified, proprietary, or private/confidential data across network boundaries. This kind of technology is called data loss or data leak protection. In addition, deep packet inspection technology also supports all kinds of content filtering.
- Real-time packet decryption, which uses special hardware (essentially software algorithms reproduced as high-speed circuitry for complex data analysis) to permit deep inspection at or near network wire speed. This lets organizations apply content-level controls even to encrypted data, and screen such data for policy compliance, malware filtering, and more.
- Email handling, which includes malware detection and removal as well as spam filtering and content checks for phishing, malicious Web sites, and blacklisted IP addresses and URLs.
- Intrusion detection and blocking, which observes incoming traffic patterns to detect and respond to denial of service attacks, and to more nuanced and malicious attempts to breach network and system security and obtain unauthorized access to systems and data.
- Application controls (or filtering), which observe applications in use (especially Web-based applications and services) and apply security policy to block or starve unwanted or unauthorized applications, so they cannot consume network resources or accomplish unauthorized access to (or transfer of) data.
- Virtual private network or remote access devices, which enable remote users to establish secure private connections over public network links (including the Internet). Most organizations use such technologies to protect network traffic from snooping while it is en route from sender to receiver.
Modern UTM devices incorporate all of these kinds of functions, and more, by combining fast, powerful special-purpose network circuitry with general-purpose computing facilities. The custom circuitry that opens up network traffic to detailed and painstaking analysis and intelligent handling does not slow benign packets down in transit. It can, however, remove suspicious or questionable packets from ongoing traffic flows and turn them over to programs and filters that perform complex or sophisticated analysis to recognize and foil attacks, filter out unwanted or malicious content, prevent data leakage, and make sure that security policy applies to all network traffic.
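To make the "same data, many checks" idea above concrete, here is an added toy model of a UTM inspection pipeline. It is illustrative code written for this article, not the firmware of any vendor appliance: each packet is a plain Python object, and the stateful, blocklist, signature, DLP and application-control stages are simplified stand-ins for the functions listed above. All IP addresses (TEST-NET ranges), hostnames (example.* domains), the malware signature, the blocked application name and the payloads are constructed sample data.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Policy data, constructed for this example (TEST-NET addresses and example.* hosts only).
BLOCKED_IPS = {"203.0.113.7"}
BLOCKED_HOSTS = {"bad.example"}
MALWARE_SIGNATURES = [b"EXAMPLE_DROPPER_v1"]            # stand-in for a real signature
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 53)}
DLP_PATTERNS = {
    "ssn-like": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "classification-marking": re.compile(rb"\bCONFIDENTIAL\b"),
}
BLOCKED_USER_AGENTS = ("ExampleTorrentClient/",)        # constructed application name


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str                 # "tcp" or "udp"
    payload: bytes = b""
    outbound: bool = True      # True: internal -> external, False: external -> internal


@dataclass
class Verdict:
    action: str                # "allow" or "block"
    reasons: List[str] = field(default_factory=list)


def _header(payload: bytes, name: bytes) -> Optional[bytes]:
    """Return the value of an HTTP header found in the payload, if present."""
    m = re.search(rb"(?im)^" + re.escape(name) + rb":[ \t]*([^\r\n]+)", payload)
    return m.group(1).strip() if m else None


class UtmPipeline:
    """Runs every packet through the same ordered set of checks."""

    def __init__(self):
        self.flows = set()     # 5-tuples of outbound flows the policy has already admitted

    def inspect(self, pkt: Packet) -> Verdict:
        reasons: List[str] = []
        for check in (self._stateful, self._blocklist, self._signatures,
                      self._dlp, self._app_control):
            reasons.extend(check(pkt))
        verdict = Verdict("block" if reasons else "allow", reasons)
        if verdict.action == "allow" and pkt.outbound:
            # Remember the admitted flow so that its replies pass the stateful check.
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
        return verdict

    def _stateful(self, pkt: Packet) -> List[str]:
        if pkt.outbound:
            if (pkt.proto, pkt.dst_port) not in ALLOWED_SERVICES:
                return [f"stateful: {pkt.proto}/{pkt.dst_port} is not a permitted service"]
            return []
        # Inbound traffic is admitted only as the reply half of a known outbound flow.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        return [] if key in self.flows else ["stateful: unsolicited inbound packet"]

    def _blocklist(self, pkt: Packet) -> List[str]:
        reasons = [f"blocklist: IP {ip}" for ip in (pkt.src_ip, pkt.dst_ip) if ip in BLOCKED_IPS]
        host = _header(pkt.payload, b"Host")
        if host and host.decode("ascii", "replace").lower() in BLOCKED_HOSTS:
            reasons.append(f"blocklist: host {host.decode('ascii', 'replace')}")
        return reasons

    def _signatures(self, pkt: Packet) -> List[str]:
        # Deep packet inspection: look inside the payload, not just at the headers.
        return [f"malware: signature {sig!r} in payload" for sig in MALWARE_SIGNATURES if sig in pkt.payload]

    def _dlp(self, pkt: Packet) -> List[str]:
        if not pkt.outbound:
            return []          # data leakage concerns data leaving the organization
        return [f"dlp: {name} pattern in outbound payload"
                for name, rx in DLP_PATTERNS.items() if rx.search(pkt.payload)]

    def _app_control(self, pkt: Packet) -> List[str]:
        ua = _header(pkt.payload, b"User-Agent")
        if ua and ua.startswith(tuple(a.encode() for a in BLOCKED_USER_AGENTS)):
            return [f"app-control: disallowed application {ua.decode('ascii', 'replace')}"]
        return []


def sample_traffic() -> List[Packet]:
    """Constructed packets: internal host 10.0.0.5 talking to TEST-NET addresses."""
    clean_get = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: ExampleBrowser/1.0\r\n\r\n"
    return [
        Packet("10.0.0.5", 50001, "198.51.100.10", 80, "tcp", clean_get),                          # clean request
        Packet("198.51.100.10", 80, "10.0.0.5", 50001, "tcp", b"HTTP/1.1 200 OK\r\n\r\n", False),  # its reply
        Packet("198.51.100.99", 40000, "10.0.0.5", 22, "tcp", b"SSH-2.0-x", False),                # unsolicited inbound
        Packet("10.0.0.5", 50002, "203.0.113.7", 443, "tcp"),                                     # blocklisted IP
        Packet("10.0.0.5", 50003, "198.51.100.20", 80, "tcp", b"GET /x HTTP/1.1\r\nHost: bad.example\r\n\r\n"),
        Packet("10.0.0.5", 50004, "198.51.100.30", 80, "tcp",
               b"POST /up HTTP/1.1\r\nHost: files.example.net\r\n\r\nCONFIDENTIAL 123-45-6789"),    # leaking data
        Packet("10.0.0.5", 50005, "198.51.100.40", 80, "tcp",
               b"GET /a HTTP/1.1\r\nUser-Agent: ExampleTorrentClient/3.1\r\n\r\n"),                # disallowed app
        Packet("10.0.0.5", 50006, "198.51.100.50", 6881, "tcp"),                                  # non-permitted service
        Packet("198.51.100.10", 80, "10.0.0.5", 50001, "tcp", b"EXAMPLE_DROPPER_v1", False),       # reply carrying malware
    ]


def run(pipeline: UtmPipeline, packets: List[Packet]) -> List[Verdict]:
    """Inspect packets in order; order matters because the flow table is built as traffic passes."""
    return [pipeline.inspect(p) for p in packets]


if __name__ == "__main__":
    pkts = sample_traffic()
    for pkt, v in zip(pkts, run(UtmPipeline(), pkts)):
        print(f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} {v.action:5} {'; '.join(v.reasons)}")
```

The design point worth noticing is that a packet is parsed once and every stage sees the same parsed object, which is what lets a single appliance correlate a blocklisted destination, a payload signature and a leaking document in one pass. The inbound packet that carries the signature is a good illustration: it passes the stateful check because it belongs to an admitted flow, and only deep inspection of the payload stops it.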
Unified threat management providers
Unified threat management (UTM) devices usually take the form of special-purpose network appliances that sit at the network boundary, straddling the high-speed links that connect the organization to service providers or communication companies.
By design, UTM devices coordinate all aspects of security policy so they apply a consistent and coherent set of checks and balances to network traffic coming and going. Most UTM device manufacturers build their appliances to work with centralized, Web-based management consoles, so that network management companies can install, configure and maintain them for their clients, or centralized IT departments can take over this function for themselves. This approach also ensures that the same checks, filters, controls, and policy enforcement apply to all UTM devices equally, and avoids the kinds of gaps that integrating multiple point solutions (discrete firewalls, email appliances, content filters, virus checkers, and so forth) can expose.
Choosing best-of-breed UTM providers
Gartner forecast over $1.2 B of sales in this market for 2012, and expects this market to continue growing in tandem with overall IT investment for the foreseeable future (rates in the 2-5% range apply for most economies, but are higher for leading economies like the BRIC countries and their ilk). Savvy buyers look for features like those described in the previous section (sophisticated firewalls with deep packet inspection, intrusion detection and prevention, application control, VPN, content filtering, data loss/leakage protection, malware protection, and so forth). These days, buyers also look for:
- Support for sophisticated virtualization technologies (for virtual clients and servers, as well as virtualized implementations for UTM appliances themselves).
- Endpoint controls that enforce corporate security policies on remote devices and their users.
- Integrated wireless controllers to consolidate wired and wireless traffic on the same device (this simplifies security policy implementation and enforcement, and reduces network complexity).
Finally, advanced UTM devices must also support flexible architectures whose firmware may be easily upgraded to incorporate new means of filtering and detection, and to respond to the ever-changing threat landscape. UTM makers generally operate large, ongoing security teams that monitor, catalog, and respond to emerging threats as quickly as possible, and provide warning and guidance to client organizations to avoid unnecessary exposure to risks and threats.
Some of the best-known names in the computing industry offer UTM solutions to their customers, but not all offerings are alike. Look for solutions from companies such as Cisco, NetGear, Dell/SonicWALL, and Juniper, and you’re sure to find offerings that provide the proper mix of features and controls, along with size, speed, and cost characteristics designed to meet your security needs without breaking your budget.
IT infosec certifications that address UTM
As a visit to the periodic survey of information security certifications at SearchSecurity will confirm, there are more than 100 active and ongoing credentials in this broad field currently available.
Not all of them address UTM directly or explicitly, however. And while there is no credential that focuses exclusively on this aspect of information security, the following well-known certifications include coverage of this subject matter in their exam objectives or associated common body of knowledge that candidates for such credentials must master:
- ISACA Certified Information Systems Auditor (CISA)
- Cisco Security certifications: (CCNA Security, CCNP Security, CCIE Security)
- Juniper Security certifications: (JNCIS-SEC, JNCIP-SEC, JNCIE-SEC)
- (ISC)2 Certified Information Systems Security Professional (CISSP)
- SANS GIAC Certified Incident Handler (GCIH)
- SANS GIAC Windows Security Administrator (GCWN)
- DHS Certified in Homeland Security (CHS) Level I-III (and beyond)
Of these credentials, the generalist items such as CISA, CISSP, CHS and the two SANS GIAC items (GCIH and GCWN) provide varying levels of coverage of the basic principles that govern DLP, and of best practices for its application and use within the context of a well-defined security policy. Of these, the CISSP and CISA are the most senior and demanding. On the other hand, the Cisco and Juniper credentials concentrate more on the details of the specific platforms and systems from those vendors that are designed to deliver working UTM solutions.