Complete security has always been a utopian quest for organizations and hence
an area of prime concern for IT managers. Among the whole host of security
solutions available today, the ones that are simplest to configure and manage
are UTM devices. These devices provide a single point of management and
maintenance and secure against multiple threats. So, an ideal UTM should have
all the essential components: a gateway-level anti-virus, spam filter, content
filter, bandwidth shaping, proxy, firewall and an IDS/IPS. Additionally, it
should also have a good log capturing and monitoring system.
All of these are individual solutions in their own right, so testing all of
these features before you decide on a UTM device becomes an enormous task. In
this article, we delve into these concerns and discuss some of the simpler
points to keep in mind before you buy a UTM device for your organization.
The virus question
Different people have different reasons for buying a UTM device. For some,
it is a one-stop security solution for their whole infrastructure, but for
others it is just a second line of defense. And so we have different products
for different requirements. For instance, there are UTM devices, for example
from Fortinet, which don't come with a full set of virus definitions; rather
they come with signatures only for viruses that are 'in the wild,' meaning
those viruses that are currently active on the Internet. There are positives
and negatives to both approaches. A device that only has signatures of active
viruses will check an incoming packet against a smaller set of virus
signatures, and as a result its performance will be better than that of a
device which has a huge set of virus signatures. But the flip side is that if
someone with malicious intent knows that you are using such a device, which
doesn't detect a dormant virus, then they can attack and infect your network
with such viruses unless you have some other mechanism in place to catch them.
Generally, vendors of devices with in-the-wild databases only claim that
whenever a dormant virus becomes active, they will push the signature for that
virus to the device. We are not sure (and there is no specific way to test it
either) what happens if a dormant virus becomes active in a smaller area and
doesn't trip their honeypots. We think that is the reason why vendors with such
UTMs portray these devices as a second line of defense for your network and
require a client-level antivirus running on all machines. So, if performance is
a high priority and you already have good anti-virus software running on all
the clients in your network, and just want an additional level of security
against viruses in the wild, then a device with fewer definitions is the better
option. Otherwise you should go for one which has a larger and more detailed
set of virus definitions.
An Open Source UTM with features comparable to commercial UTMs. It's very cost-effective and can be configured on just a separate machine
Paid or free?
This is another very important question which arises while acquiring new UTM
devices. A standard UTM device which can handle a load of 100 to 500 users and
meets most of the requirements will cost you somewhere between 2 to 5 lakh
INR. Whereas you can get most of the functionality of such devices by using an
Open Source UTM, where the software or license cost will be zero. All you have
to pay for is the hardware, which will hardly cost you 50k.
But of course there will be no service or support with such a deal. And this
means that you have to have a good in-house IT team to first build and then
maintain such devices.
Now, let's take the case where you have a number of branch offices. Let's
say you have 30 different branch offices with at least 100 users at each
location. If you have to spend 2 lakh per branch, then you will end up
spending 60 lakh just on securing your branches. In such a case you can
instead use a commercial UTM at your central office and go with the Open Source
UTM in the branches.
Some UTM devices provide very intuitive wizard-driven VPN configuration, which simplifies the process of deploying a VPN
Remote or central office
The security requirements of remote and central offices are completely
different. In your central office you might have an IT team, but it's not
necessarily the case that you will have a full-fledged IT team at your
branches. So for a branch office you require something which can be easily
monitored remotely and has an intuitive web interface through which you can do
all the configuration when needed, without requiring a physical presence. So
when deciding which devices to buy, make sure that the one you are putting at
your branches doesn't frequently require console connections and the like, and
that most of the configuration can be done from a remote NOC.
Additionally, in a setup where you have a central NOC and multiple branch
offices, you should also keep in mind how well the UTMs work together. For
instance, if you are planning to deploy a point-to-point VPN between your
central and branch offices, make sure that the devices at both ends are either
from the same vendor or support the same set of technologies and can work
seamlessly together. But as we have discussed above, going with the same vendor
can sometimes become too costly an affair. If you are planning to go with an
Open Source UTM, then be very careful in choosing it and make sure that it
integrates perfectly with the UTM sitting at the central office.
While buying a UTM for your central location you should also keep the
failover options in mind. For instance, does it support active-active or
active-passive failover? The difference is exactly as it sounds. In
active-active failover both devices work together, and if one goes down the
other takes over completely. In an active-passive mechanism, one device is the
master and serves the network while the other sits idle, checking the status of
the first one; if the first one fails, it takes over.
For branch offices you should look for devices that have an additional
modem port, through which you can dial into the device and configure it in
case all your WAN or Internet links are down.
Using this interface of Cyberoam UTM, one can check the Net access log based on user name instead of IP address
Proxy or not
Sometimes a cache-based proxy becomes essential. This not only gives you
better control over your Internet bandwidth, but also gives you faster access.
However, adding storage to UTM appliances for caching affects their cost and
compactness. Not surprisingly, most of the UTMs we received came without an
in-built cache-based proxy. The devices we received for review either had a
small laptop hard disk for storing quarantined viruses and spam, or didn't
have a hard disk at all.
But the Open Source UTM software which we checked out did have the option of
a caching proxy. The reason is again clear: it is installed on commodity
machines and servers, to which you can easily add the required storage. So, if
you essentially need a cache-based proxy, then you can either go for an Open
Source UTM or for a UTM plus proxy server combination. The choice is yours.
ADS or no ADS?
ADS, or Active Directory integration, is a new feature of today's UTM
devices. ADS integration means that the UTM device can capture data based on
usernames rather than on IPs. Earlier, a log entry used to read
“192.168.1.1---total download 100 MB”, but with ADS integration it becomes
“Ramesh---total download 100 MB”. So now you can do user-based monitoring,
irrespective of the IP of the machine from which the user is accessing the
network. This kind of setup is very useful in environments with DHCP-based IP
allocation, where the same user may appear under different IPs over time.
A customized Linux distro for UTMs can be installed on a machine with a large hard disk and used as a UTM with an in-built cache-based proxy
Five UTMs Attacked