Given the growing number of threats to network security, UTMs have become a must-buy for all enterprises as the first line of defense. We all know that a UTM is a single device which can block viruses, spyware and spam. What we don't know is that they can do much more than this. Apart from the usual anti-X features (Anti-Virus, Anti-Spam, Anti-Spyware, etc), UTMs also have features such as a built-in VPN, detailed reporting, bandwidth allocation and much more. And since we did our last shootout in Sep 07, a lot of things have changed in this category. Here we talk about those in more detail.
One major shift we have seen in UTMs is in their reporting abilities. Traditionally, both the policies deployed on a UTM and its reporting were IP based, irrespective of the identity of the user. Such a technique has some severe drawbacks. Let's say that a user with the IP address 10.10.10.10 was doing an intense broadcast on the network for a day, but for some reason his IP changed every hour. In such a situation, a standard UTM would fail to identify at the first go that the broadcast was done by a single machine; rather, it would show the total bandwidth divided across 24 different IPs. You would not be able to immediately check and find out that only one user was responsible for the broadcast.
Now there are UTM devices that provide identity based threat management, which makes things simpler. This means that irrespective of how many IPs a machine or user changes, the UTM will treat it as a single instance. IT managers can now deploy policies directly on the user, irrespective of the location, machine and IP of the user within the organization.
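The difference between IP-based and identity-based accounting is easiest to see on a log. The script below is an added example, not code from the article or from any UTM product; it assumes a constructed four-column log format (timestamp, source IP, user name, bytes) and made-up addresses and byte counts. The same traffic is summed once per IP and once per user, and the "top talker" each view reports shows why the IP-based view hides a single heavy user whose address keeps changing.

```python
"""Identity-based vs IP-based traffic accounting over constructed UTM log lines.

Added example, not code from any UTM product or from the article. The log
format (timestamp, source IP, user name, bytes) is an assumption; a real UTM
exports its own format, but the aggregation idea is the same.
"""
from collections import defaultdict

# Constructed sample log: one user ("alice") keeps sending at a steady rate
# while a DHCP lease change hands her a new address every hour; "bob" stays
# on one address. The IPs and byte counts are made up for this example.
SAMPLE_LOG = """\
2008-09-01T09:00:00 10.10.10.10 alice 52428800
2008-09-01T10:00:00 10.10.10.11 alice 52428800
2008-09-01T11:00:00 10.10.10.12 alice 52428800
2008-09-01T09:30:00 10.10.10.20 bob 1048576
2008-09-01T10:30:00 10.10.10.20 bob 2097152
"""


def parse_log(text):
    """Turn the four-column log text into a list of record dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, nbytes = line.split()
        records.append({"ts": ts, "ip": ip, "user": user, "bytes": int(nbytes)})
    return records


def bytes_by(records, key):
    """Sum bytes per distinct value of `key` ("ip" or "user")."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec[key]] += rec["bytes"]
    return dict(totals)


def top_talker(totals):
    """Return (key, bytes, share_of_total) for the largest entry."""
    grand = sum(totals.values())
    key, nbytes = max(totals.items(), key=lambda kv: kv[1])
    return key, nbytes, nbytes / grand


def compare_views(text=SAMPLE_LOG):
    """Produce the IP-based and identity-based views of the same log."""
    records = parse_log(text)
    return {
        "by_ip": bytes_by(records, "ip"),
        "by_user": bytes_by(records, "user"),
    }


if __name__ == "__main__":
    views = compare_views()
    for name, totals in views.items():
        key, nbytes, share = top_talker(totals)
        print(f"{name:8s} top talker {key:14s} {nbytes:>10d} bytes ({share:.0%} of total)")
```

In the IP-based view the biggest single entry holds only about a third of the traffic, spread over three addresses that look unrelated; in the identity-based view one user accounts for roughly 98 percent of it. A UTM that keys its reports on LDAP/ADS identity rather than on the address produces the second view directly.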
With the advent of multiprocessor, multi-core servers, the performance of UTM devices has also increased tremendously during the last year. Top end enterprise class UTMs are now available with four quad-core processors, boosting performance and concurrent connections (these devices can take up to 10,00,000 concurrent connections). Of course, you have to pay a good amount of money to acquire such a monster.
The connectivity speed of the ports has also increased. Last year, the majority of devices we tested had 100 Mbps network ports, with at most one Gbps port. Today a majority of devices have Gbps ports throughout.
The old perception of buying a UTM has completely changed. In many cases IT managers are buying UTMs to serve specific purposes such as monitoring and reporting. It has become a major tool for supporting security audits by providing structured, historical access and security data. This in turn helps an organization present itself easily for different security compliances such as HIPAA, CIPA, BS 7799, etc. The other components of a UTM, such as anti-spam or anti-virus, are used as failsafe options.
Now let's discuss some key buying tips and see what you should look for in a UTM before you buy. Yes, UTMs should have all the anti-Xs and additionally should have IDP, firewall, logging, custom policy, etc, but you should carefully check how good all these features are. Figuring that out might be difficult, and that's why we do the shootouts for you. So go through the text carefully.
Secondly, how well and how granularly can you manage your policies using the management console of the UTM? This is a very important feature, and if it's good in the UTM, it can make your setup much more nimble. You will not feel any pain if you suddenly decide to have one more DMZ in your network with a special type of port pinholing in it. Just configure the policy on a free port and you are on.
The next big thing for a UTM would be the option of connecting branch offices through a centrally manageable interface. While buying a UTM, you have two options. One is to connect all the branches over a WAN and place a central UTM at the point of the Internet connection. The other option is to have a UTM deployed at every branch office, and to connect all the offices with each other using VPN over the Internet. The second approach is mostly preferred as it removes the risk of a single point of failure and distributes the Internet connectivity across the branches.
Plus intra office connectivity becomes cheaper as you can use standard Internet connection instead of leased lines and WANs.
Some UTMs come with software which needs to be installed on the system to access them locally or remotely.
But with such a setup there is a problem. The number of UTMs grows quickly, which makes it difficult to manage them centrally. To reduce the effort, UTM vendors are now coming up with central management systems with which one can monitor and manage all the UTMs from one single interface, and that too from anywhere. So, if you have a setup with a lot of UTMs, see whether your vendor provides such a management solution.
User Management capabilities
You should look for UTMs which provide easy user management features. These should ideally allow you to create a custom policy for a single user or a group. Mostly the policies are deployed on the basis of the IP address, which means a user must be dedicated to a single system. As discussed before, this is not possible all the time, so for this kind of scenario you should look for a UTM which can make things happen at the user level irrespective of the IP of the machine. Now take an example where you have three different branch offices connected to your head office, and each branch office gets all its IPs from a central DHCP server. Then it becomes very difficult to deploy policy based on the IP. So while buying a UTM, check whether it supports LDAP/ADS for policy distribution.
High availability support
Another key thing you should watch for is the failsafe option in the UTMs. Consider a scenario in an enterprise where GBs of data are transmitted in an hour, and every single packet is scanned to safeguard your enterprise network. But what if your single line-of-defence device crashes for some reason (which can even be the huge amount of data passing through it)? It means that your whole network will go down and hence bring a full stop to your work. This doesn't mean that you should directly expose your network to the outside world for a certain period of time, yet that is what we have seen people do in case of a failure at the UTM or firewall level.
The good thing is that most of the UTMs today have a failsafe option; this means that if one of your UTMs goes down, the other one will automatically take charge, and that too without letting your network down for a second. Ideally this kind of HA setup should be done at your branch offices as well; and for the head office there is no excuse for not having it.
Monitoring and reporting capability
A UTM without a monitoring and reporting service is of little use today, and it is better not to buy such a product. Admittedly, it might be a challenge to find such a UTM in the market today. We have talked about the benefits of monitoring and reporting in our earlier issues. You have to keep some important points in mind while buying a UTM. First, the reports should be easy to understand. So, before buying a UTM, ask for a report sample from the vendor to see whether you can interpret those reports or not. We saw many products in the past with complicated reports. One would require a security major to decipher such reports.
Secondly, you should check how long the logs are retained on the device. If the internal storage quota is full, can you store the reports and logs on another shared storage? This kind of feature is very useful for BFSI verticals, law firms, BPOs etc., as they need to keep track of and preserve user activities for a long time.
Third is the alert mechanism. It's not always possible for an admin to sit and watch the reports, so see how well and with what mechanisms the device sends alerts in case of an attack or security event. For instance, can it use e-mail, SMS, IM, etc. for sending alerts?
Choosing the right features
A UTM device comprises multiple security features. However, not all UTM devices have all the features. Some would lack anti-spam capabilities, while others won't have a VPN, and so on. How do you then choose the right device? Let's understand this with an example.
Suppose you have a hosted and managed mail server which takes care of all your anti-spam needs, and you have a UTM with all features except anti-spam. This is the kind of UTM which is ideal for your network, because you already have an anti-spam solution in place to take care of the spam. So why spend double and have another device with anti-spam? Since it lacks one feature it is likely to cost you less. Similarly, if you already have a VPN solution in place on your network and it's working fine, then you don't need to buy a UTM with VPN support, which will cost you extra.
So while buying a UTM, you have to see what exactly you need and what you already have.
Does your UTM provide browser based management, or do you need an agent to access it? How easy is the interface? Such questions form another major concern in managing your UTM. If the interface is pretty complex, it will take time to hunt down options in the UTM and can waste time. More serious is the fact that it could lead to a misconfigured device, which is worse than having an open, insecure network. So keep an eye on the usability of the device while choosing one.
Caching is good for saving your bandwidth and time. Some of the UTMs come with a caching feature but don't have a HDD to save the cached data. It means you cannot have a cache of more than a few MBs. But now, UTMs provide an option where you can add storage and the UTM starts caching everything on it. The cache can be kept in GBs and can be used to save a lot of bandwidth and time. Some UTMs still don't provide caching capabilities, but such UTMs cost you far less than cache based UTMs, because they don't include the hard disk price. For a large enterprise, however, a caching capable UTM will be more beneficial than one that does not have a cache.
How we tested
Before we look at the performance of all the UTM devices, let's first see how exactly we tested the four major components of the UTM devices.
Testing for anti-virus capability is the easiest amongst all the tests. We simply need to create a Web, FTP and SMB server and host a set of different types of virus samples on it.
We used a Linux machine to host these viruses so that the hosting machine itself doesn't get affected by them. The viruses that we used ranged from old 16-bit viruses to the latest Trojans and malware. We used a set of around 1000 virus files grouped as macro, zipped, old regular and new regular viruses. This set was kept constant for all UTM devices.
Once the host machine was ready with all viruses hosted on top of it, we connected it to the public port of the UTM devices one after the other and tried downloading all viruses from the private network. Once done, we counted the number of viruses which bypassed the UTM and got downloaded on the private network.
The anti-spam tests are pretty similar to the anti-virus tests, but not categorized. We set up a machine with a POP3 mail server running on it and dumped around 1000 different spam mails on it. Then we connected the machine to the Internet and gave it a public IP address to which the MX record of a domain pointed. We took the UTM devices one by one and connected their WAN port to the Internet.
We then connected a few machines to its private network and started downloading the spam using Outlook Express. Once done, we checked how many spam mails each device had missed, i.e. neither tagged nor blocked, and counted the number for all devices. Again, to compare the performance of all devices we kept the set of spam identical for all devices.
As Nessus has become pretty common and all the UTMs detect the tests it runs, this time we ran only a standard DoS attack and a port jammer. For the DoS attack we used ettercap's Nice DOS plugin, and we used PJam for port jamming.
The test was pretty simple. We connected the WAN port of the UTM device to the Internet with a public IP, and ran the DoS attack and PJam from a machine connected to the Internet through a different gateway.
Surprisingly, the DoS attack was easily detected by all the UTMs we got this time.
To test the IDS/IPS functionality, we focused on the capability of the device to detect internal attacks, or attacks that are generated from a trusted/private network.
To test this we ran an ARP spoofing tool against the IP address of the private port of the device and tried to see whether the device could detect the attack. ARP spoofing is a mechanism by which one can compromise the ARP cache of switches and divert all traffic intended for some other IP to one's own IP. This technique is also known as a 'Man in the Middle Attack', 'ARP flip-flop attack' or 'ARP Poisoning Attack'.
We ran the tests in two modes. First, we spoofed the gateway IP and then explicitly forwarded the data arriving at the attacking machine on to the real gateway. In the second mode we stopped forwarding the data to the actual IP.
Surprisingly, none of the UTMs were able to detect and log this attack in the IP forwarding mode, and none of them were able to prevent it or take a precautionary step.
At the same time, access to the UTM's private or gateway IP completely stopped when we ran the test in 'non-IP forwarding' mode. This shows that even now, a 'Man in the Middle Attack' is one of the most dangerous attacks from inside the network, and one of the stealthiest as well.
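What the devices in this test missed in forwarding mode is visible at the ARP layer regardless of whether the attacker forwards the data on: the gateway's IP starts being claimed by a second MAC address, and the two alternate. The script below is an added example, not code from any UTM in the test or from the article; it runs over a constructed list of ARP replies (timestamp, sender IP, sender MAC, all made up) that a sniffer on the private segment would supply in practice, keeps a table of which MAC answered for each IP, and raises an alert whenever that mapping changes. Pinning the gateway's MAC statically keeps the watcher from "learning" the poisoned entry, so every poisoned reply is flagged rather than every other one.

```python
"""Detect ARP cache poisoning (the 'flip-flop') from observed ARP replies.

Added example, not code from any UTM in the test or from the article. It works
on a constructed list of (timestamp, sender IP, sender MAC) tuples; in practice
these would come from a sniffer on the private segment. Timestamps, IPs and
MACs are made up.
"""
from collections import defaultdict

# Constructed ARP replies: the gateway 10.10.10.1 normally answers from
# aa:bb:cc:00:00:01; from 09:01:00 a second host starts claiming that IP,
# and the two then alternate, which is the flip-flop pattern.
SAMPLE_REPLIES = [
    ("09:00:01", "10.10.10.1", "aa:bb:cc:00:00:01"),
    ("09:00:05", "10.10.10.20", "aa:bb:cc:00:00:20"),
    ("09:00:10", "10.10.10.1", "aa:bb:cc:00:00:01"),
    ("09:01:00", "10.10.10.1", "de:ad:be:ef:00:99"),  # poisoned reply
    ("09:01:02", "10.10.10.1", "aa:bb:cc:00:00:01"),  # real gateway answers again
    ("09:01:04", "10.10.10.1", "de:ad:be:ef:00:99"),  # poisoned reply again
]


class ArpWatcher:
    """Track the IP-to-MAC mapping seen in ARP replies and alert on changes."""

    def __init__(self, static_map=None):
        # Pinned entries (e.g. the gateway) are never overwritten by traffic.
        self.pinned = dict(static_map or {})
        self.table = dict(self.pinned)
        self.alerts = []

    def observe(self, ts, ip, mac):
        """Record one reply; return an alert dict if it contradicts what we know."""
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac  # first time we see this IP: learn it
            return None
        if known == mac:
            return None
        alert = {"ts": ts, "ip": ip, "expected": known, "seen": mac,
                 "pinned": ip in self.pinned}
        self.alerts.append(alert)
        if ip not in self.pinned:
            self.table[ip] = mac  # learn the new claim; a further flip alerts again
        return alert


def scan(replies, static_map=None):
    """Run every reply through a watcher and return the alerts raised."""
    watcher = ArpWatcher(static_map)
    for ts, ip, mac in replies:
        watcher.observe(ts, ip, mac)
    return watcher.alerts


def contested_ips(replies):
    """IPs claimed by more than one MAC, with the set of claimants."""
    claims = defaultdict(set)
    for _, ip, mac in replies:
        claims[ip].add(mac)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


if __name__ == "__main__":
    gateway = {"10.10.10.1": "aa:bb:cc:00:00:01"}  # constructed static entry
    for alert in scan(SAMPLE_REPLIES, gateway):
        print(f"{alert['ts']} {alert['ip']} claimed by {alert['seen']}, "
              f"expected {alert['expected']}")
    print("contested:", contested_ips(SAMPLE_REPLIES))
```

Without the static entry the watcher alerts three times on the sample (each change of claimant); with the gateway pinned it alerts on exactly the two poisoned replies and stays silent when the real gateway answers. Because the check looks only at who is answering for an IP, it fires identically in the forwarding and non-forwarding modes described above; the difference between the two modes shows up only in whether traffic still reaches the gateway.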
Anindya Roy, Rakesh Sharma & Vijay Chauhan