How to Choose the Right UTM

PCQ Bureau

Complete security has always been a utopian quest for organizations and hence an area of prime concern for IT managers. Among the whole host of security solutions available today, the ones which are the simplest in configuration and management are UTM devices. These devices provide a single point of management and maintenance and secure against multiple threats. So, an ideal UTM should have all essential components such as a gateway-level anti-virus, spam filter, content filter, bandwidth shaping solution, proxy, firewall and an IDS/IPS system. Additionally, it should also have a good log capturing and monitoring system.

Well, all these are individual solutions unto themselves, and so testing all these features before you decide on a UTM device becomes an enormous task. In this article, we delve into these concerns and discuss some of the simpler points to be kept in mind before you buy a UTM device for your organization.

The virus question



Different people have different reasons for buying a UTM device. For some, it is a one-stop security solution for their whole infrastructure, but for others it is just a second line of defense. And so we have different products for different requirements. For instance, there are UTM devices, e.g. from Fortinet, which don't come with a full set of virus definitions; rather they come with signatures of viruses which are 'in the wild,' which means those viruses that are active on the Internet. There are positives and negatives to both situations. The devices which only have signatures of active viruses will check an incoming packet against a smaller set of virus signatures, and as a result the performance will be better compared with that of a device which has a huge set of virus signatures. But the flip side is that if someone with malicious intent knows that you are using such a device, which doesn't detect a dormant virus, then he can actually attack and infect your network with such viruses, unless you have some other mechanism to fight back such viruses.

Generally, devices with a database of wild viruses only claim that whenever a dormant virus gets active, they would push the signature for the virus to the device. Now we are not sure (and there is no specific way to test it either) what will happen in case a dormant virus gets active in a smaller area and doesn't trip their honeypots. We think that's the reason why vendors with such UTMs portray these devices as a second line of defense for your network and require a client-level antivirus running on all machines. So, if performance is of high priority and you already have a good anti-virus running on all clients in your network, and just want an additional level of security against viruses in the wild, then a device with fewer definitions is a better option. Else you should go for one which has a larger number of, and more detailed, virus definitions.

Figure caption: An Open Source UTM with features comparable to commercial UTMs. It's very cost-effective and can be configured on just a separate machine.

Paid or free?



This is another very important question which arises while acquiring new UTM devices. A standard UTM device which can handle a load of 100 to 500 users and has most of the requirements will cost you somewhere between 2 to 5 lakh INR. Whereas you can get most of the functionality of such devices by using an Open Source UTM, where the software or license cost will be zero. All you have to pay for is the hardware, which will hardly cost you 50k.

But of course there will be no service or support with such a deal. And this means that you have to have a good IT team in house to first build and then maintain such devices.

Now, let's take the case where you have a number of branch offices. Let's say you have 30 different branch offices with at least 100 users at each location. Now if you have to spend 2 lakh per branch then you will end up spending 60 lakh just for securing your branches. Rather, in such a case you can use a commercial UTM at your central office and go with the Open Source UTM in the branches.

Figure caption: Some UTM devices provide very intuitive wizard-driven VPN configuration, which simplifies the process of deploying a VPN.

Remote or central office



The security requirements of remote and central offices are completely different. In your central office you might have an IT team, but it's not necessary that you will have a full-fledged IT team at your branches. So in the case of a branch office you require something which can be easily monitored remotely and has an intuitive web interface with which you can do all the configuration when needed, without requiring a physical presence. So while deciding upon buying such devices, make sure that the one which you are putting at your branches doesn't frequently require console connections, etc, and that most of the configuration can be done from a remote NOC.

Additionally, in such a setup where you have a central NOC and multiple branch offices, you should also keep in mind how well the UTMs work together. So for instance if you are planning to deploy a point-to-point VPN between your central and branch offices, you should make sure that the devices at both ends are either from the same vendor or support the same set of technologies and can work seamlessly together. But as we have discussed above, going with the same vendor can sometimes become too costly an affair. If you are planning to go with some Open Source UTM, then be very careful while choosing and make sure that it integrates perfectly with the UTM sitting at the central office.

While buying a UTM for your central location you should also keep in mind the failover options. For instance, does it support active-active or active-passive failover? The difference is exactly as it sounds. In active-active failover both the devices work together, and in case one is down the other takes complete charge. Whereas in the active-passive mechanism one device is the master and serves the network, while the other just sits idle and checks the status of the first one. In case the first one fails, it takes charge.

In the case of branch offices you should look for devices that have an additional modem port, with which you can dial into the device and configure it in case all your WAN or Internet links are down.

Figure caption: Using this interface of Cyberoam UTM, one can check the Net access log based on user name instead of IP address.

Proxy or not



Sometimes, a cache-based proxy becomes essential. This not only gives you better control over the Internet bandwidth, but also gives you faster access. Though adding storage to UTM appliances for caching affects their cost and compactness. Not surprisingly, most of the UTMs which we received came without an in-built cache-based proxy. The devices that we received for review either had a small laptop hard disk for storing quarantined viruses and spam, or didn't have a hard disk at all.

But the Open Source UTM software which we checked out had the option for a caching proxy. The reason is again clear: they are installed on commodity machines and servers, wherein you can easily add the required storage. So, if you essentially need a cache-based proxy, then you can either go for an Open Source UTM or for a UTM plus proxy server combination. The choice is yours.

ADS or no ADS?



ADS, or Active Directory integration, is a new functionality of today's UTM devices. ADS integration means that the UTM device can actually capture data based on usernames and not on IPs. Earlier, it used to be “192.168.1.1---total download 100 MB”, but now with ADS integration it becomes “Ramesh---total download 100 MB”. So, now you can do user-based monitoring, irrespective of the IP of the machine from which the user is accessing the network. This kind of setup is very useful for environments where we have DHCP-based IP allocation.

Figure caption: A customized Linux distro for UTMs can be installed on a machine with a large hard disk and can be used as a UTM with an in-built cache-based proxy.
Five UTMs Attacked

Sonicwall PRO 5060
Cyberoam CR250i
Gajshield GS 500A
ZyXEL 70
ZyXEL 35
