How to choose the right UTM for your network

PCQ Bureau

Given the growing number of threats to network security, UTMs have become a must-buy for all enterprises as the first line of defense. We all know that a UTM is a single device that can block viruses, spyware and spam. What we don't know is that they can do much more than this. Apart from the usual anti-X features (anti-virus, anti-spam, anti-spyware, etc.), UTMs also have features such as a built-in VPN, detailed reporting, bandwidth allocation and much more. And since we did our last shootout in Sep 07, a lot has changed in this category. Here we talk about those changes in more detail.


One major shift we have seen in UTMs is in their reporting abilities. Traditionally, both the policies deployed and the reporting in a UTM were IP based, irrespective of the identity of the user. Such a technique has some severe drawbacks. Let's say that a user with the IP address 10.10.10.10 was doing an intense broadcast on the network for a day, but for some reason his IP got changed every hour. In such a situation, a standard UTM would fail to identify at the first go that the broadcast was done by a single machine; rather, it would show it as the total bandwidth divided across 24 different IPs. In such a case you would not be able to immediately check and find out that only one user is responsible for the broadcast.

There are UTM devices that provide identity based threat management, which makes things simpler. This means that irrespective of how many IPs a machine/user changes, the UTM will treat it as a single instance. Now IT managers can deploy policies directly on the user, irrespective of the location, machine and IP of the user within the organization.
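The difference between IP based and identity based reporting, as an added example that is not code from the article or from any UTM vendor: the same constructed traffic log is aggregated once per address and once per user, using a constructed DHCP/logon lease table to resolve which user held an address at a given time. The log lines, addresses, user names and lease windows are all made up for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed traffic log lines (timestamp, source IP, bytes); not data from the article.
TRAFFIC_LOG = """\
2008-09-01T00:10:00 10.10.10.10 5000000
2008-09-01T01:10:00 10.10.10.11 5000000
2008-09-01T02:10:00 10.10.10.12 5000000
2008-09-01T02:30:00 10.10.10.10 200000
"""

# Constructed identity table (user, IP, lease start, lease end), as a UTM would
# learn it from DHCP or directory logons; one user, three hourly address changes.
LEASES = """\
alice 10.10.10.10 2008-09-01T00:00:00 2008-09-01T01:00:00
alice 10.10.10.11 2008-09-01T01:00:00 2008-09-01T02:00:00
alice 10.10.10.12 2008-09-01T02:00:00 2008-09-01T03:00:00
bob   10.10.10.10 2008-09-01T02:00:00 2008-09-01T03:00:00
"""

def parse_log(text):
    """Return (timestamp, ip, bytes) tuples."""
    return [(datetime.fromisoformat(ts), ip, int(n))
            for ts, ip, n in (line.split() for line in text.splitlines())]

def parse_leases(text):
    """Return (user, ip, start, end) tuples."""
    return [(u, ip, datetime.fromisoformat(s), datetime.fromisoformat(e))
            for u, ip, s, e in (line.split() for line in text.splitlines())]

def usage_by_ip(rows):
    """IP-based reporting: one bucket per address, so an address hopper is split up."""
    totals = defaultdict(int)
    for _, ip, n in rows:
        totals[ip] += n
    return dict(totals)

def user_for(ip, ts, leases):
    """Resolve the user holding `ip` at time `ts`; 'unknown' if no lease covers it."""
    for user, lip, start, end in leases:
        if lip == ip and start <= ts < end:
            return user
    return "unknown"

def usage_by_user(rows, leases):
    """Identity-based reporting: traffic is attributed to the user, not the address."""
    totals = defaultdict(int)
    for ts, ip, n in rows:
        totals[user_for(ip, ts, leases)] += n
    return dict(totals)
```

In the IP view the three 5 MB bursts look like three different hosts, while the identity view shows one user behind all of them and correctly assigns the later 10.10.10.10 traffic to the user who held that address at the time.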


With the advent of multiprocessor, multi-core servers, the performance of UTM devices has also increased tremendously during the last one year. Now top-end enterprise class UTMs are available with four quad-core processors, boosting performance and concurrent connections (these devices can take up to 10,00,000 concurrent connections). Of course, you have to pay a good amount of money to acquire such a monster.

The connectivity speed of the ports has also increased. Last year, the majority of devices that we tested had 100 Mbps network ports, with at most one Gbps port. Today a majority of devices have all ports as Gbps.

The old perception of buying a UTM has completely changed. In many cases IT managers are buying UTMs to serve specific purposes such as monitoring and reporting. A UTM has become a major tool for supporting security audits by providing structured, historical access and security data. This in turn helps an organization present itself easily for different security compliances such as HIPAA, CIPA, BS 7799, etc. The other components of a UTM, such as anti-spam or anti-virus, are used as failsafe options.


Now let's discuss some key buying tips and see what you should look for in a UTM before you buy. Yes, UTMs should have all the anti-Xs and additionally should have IDP, firewall, logging, custom policy, etc., but you should carefully check how good all these features are. Figuring that out might be difficult, and that's why we do the shootouts for you. So go through the text carefully.

Secondly, how well and how granularly can you manage your policies using the management console of the UTM? This is a very important feature, and if it's good in the UTM it can make your setup much more nimble. You will not feel any pain if you suddenly decide to have one more DMZ in your network with a special type of port pinholing in it: just configure the policy on a free port and you are on.

The next big thing for a UTM would be the option for connecting branch offices with a centrally manageable interface. While buying a UTM, you have two options. One is to connect all the branches over a WAN and put a central UTM at the point of the Internet connection. The other option is to have a UTM deployed at all the branch offices, and connect all the offices with each other using VPN over the Internet. The second approach is mostly preferred as it removes the risk of a single point of failure and distributes the Internet connectivity across the branches.


Plus, intra-office connectivity becomes cheaper as you can use a standard Internet connection instead of leased lines and WANs.

Some UTMs come with software which needs to be installed on the system to access them locally or remotely. But with such a setup there is a problem: the number of UTMs increases like anything, which makes it difficult to manage them centrally. So to reduce the effort, UTM vendors are now coming up with central management systems with which one can monitor and manage all the UTMs from one single interface, and that too from anywhere. So, if you have a setup with a lot of UTMs, see whether your vendor provides such a management solution or not.


User Management capabilities

You should look for UTMs which provide easy user management features. These should ideally allow you to create a custom policy for a single user or a group. Mostly the policies are deployed on the basis of the IP address, which means a user must be dedicated to a single system. As discussed before, this is not possible all the time, so for this kind of scenario you should look for a UTM which can make things happen at the user level irrespective of the IP of the machine. Now take an example where you have three different branch offices connected to your head office, and each branch office is getting all its IPs from a central DHCP server. Then it becomes very difficult to deploy policy based on the IP. So while buying a UTM, please check whether it supports LDAP/ADS for policy distribution.

High availability support

Another key thing you should watch for is the failsafe option in the UTMs. Consider a scenario in an enterprise where GBs of data are transmitted in an hour, and every single packet is scanned to safeguard your enterprise network. But what if your single defence line device crashes for some reason (which can even be a huge amount of data passing through it)? It means that your whole network will go down and hence bring a full stop to your work. This doesn't mean that you should directly expose your network to the outside world for a certain period of time, which is what we have seen people do in case of a failure at the UTM or firewall level.

But the good thing is that most of the UTMs today have a failsafe option; this means if one of your UTMs goes down, the other one will automatically take charge, and that too without letting your network go down for a second. Ideally this kind of HA setup should be done at your branch offices as well, and for the head office? There is no point in not having it.


Monitoring and reporting capability

A UTM without a monitoring and reporting service is of no use today, and it is better not to buy such a product. Yes, it might be a challenge to find such a UTM in the market today. We have talked about the benefits of monitoring and reporting in our earlier issues. You have to keep in mind some important points while buying a UTM. First, the reports should be easy to understand. So, before buying a UTM, ask for a sample report from the vendor to see whether you can interpret those reports or not. We saw many products in the past with complicated reports; one would require a security expert to decipher them.

Secondly, you should check for how long the logs are retained on the device. If the internal storage quota is full, can you store the reports and logs on other shared storage? This kind of feature is very useful for BFSI verticals, law firms, BPOs, etc., as they need to keep track of and preserve user activities for a long time.

Third is the alert mechanism. It's not always possible for an admin to sit and watch the reports, so check how well and with what mechanisms the device sends alerts in case of an attack or security event. For instance, can it use e-mail, SMS, IM, etc. for sending alerts?


Choosing the right features

A UTM device comprises multiple security features. However, not all UTM devices have all the features. Some would lack anti-spam capabilities, while others won't have a VPN, and so on. How do you then choose the right device? Let's understand this with an example.

Suppose you have a hosted and managed mail server which takes care of all your anti-spam needs, and you have a UTM with all features except anti-spam. This is the kind of UTM which is ideal for your network, because you already have an anti-spam solution in place to take care of the spam. So why spend double and have another device with anti-spam? Since it lacks one feature, it is likely to cost you less. Similarly, if you have a VPN solution already in place on your network and it's working fine, then you don't need to buy a UTM with VPN support, which will cost you extra.

So while buying a UTM, you have to see what exactly you need and what all you already have.

UTM Management

Is your UTM providing you browser based management, or do you need an agent to access it? How easy is the interface? Such questions form another major concern in managing your UTM. If the interface is pretty complex, it will take time to hunt down the options of the UTM and can cause wastage of time. More serious is the fact that it could lead to a misconfigured device, which is worse than having an open-to-all, insecure network. So keep an eye on the usability of the device while choosing one.

Cache proxy

This technology is good to save your bandwidth and time. Some of the UTMs come with a caching feature but don't have an HDD to save the cached data. It means you cannot have a cache of more than a few MBs. But now UTMs provide an option where you can add storage, and the UTM starts caching everything on it. The cache can be kept in GBs and can be used to save a lot of bandwidth and time. Some UTMs still don't provide cache capabilities, but such UTMs cost you far less than cache based UTMs because they don't include the hard disk price. But for a large enterprise, a caching capable UTM will be more beneficial than one that does not have a cache.

How we tested

Before we start and see the performance of all the UTM devices, let's first see how exactly we tested the four major components of the UTM devices.

Anti-virus tests

Testing for anti-virus capability is the easiest amongst all the tests. We simply need to create Web, FTP and SMB servers and a set of different types of viruses on top of them.

We used a Linux machine to host these viruses so that the hosting machine itself doesn't get affected by them. The viruses that we used ranged from old 16-bit viruses to the latest Trojans and malware. We used a set of around 1000 virus files grouped under macro, zipped, old regular and new regular viruses. This set was kept constant for all UTM devices.

Once the host machine was ready with all the viruses hosted on it, we connected it to the public port of the UTM devices one after the other and tried downloading all the viruses from the private network. Once done, we counted the number of viruses which bypassed the UTM and got downloaded on the private network.

Anti-spam tests

These tests are pretty much similar to the anti-virus tests, but not categorized. We set up a machine with a POP3 mail server running on it and dumped around 1000 different spam mails on it. Then we connected the machine to the Internet and gave it a public IP address mapped to the MX record of a domain. We took the UTM devices one by one and connected their WAN port to the Internet.

We then connected a few machines to its private network and started downloading the spam using Outlook Express. Once done, we checked how many spam mails the devices had missed, either to tag or to block, and counted the number for all devices. Again, to compare the performance of all devices, we kept the set of spam identical for all devices.

Firewall tests

As Nessus has become pretty common and all the UTMs do detect the tests done by Nessus, this time we ran only a standard DoS attack and a port jammer. For running the DoS attack we used ettercap's Nice DOS plugin, and we used PJam for port jamming.

The test was pretty simple. We connected the WAN port of the UTM device to the Internet with a public IP, and ran the DoS attack and PJam from a machine connected to the Internet through a different gateway.

Surprisingly, the DoS attack was easily detected by all the UTMs which we got this time.

IDS/IPS tests

To test the IDS/IPS functionality, we focused on the capability of the device to detect internal attacks, or attacks that are generated from a trusted/private network.

To test this we ran an ARP spoofing tool against the IP address of the private port of the device and tried to see if the device could detect the attack. ARP spoofing is a mechanism by which one can compromise the ARP cache of switches and divert all traffic intended for some other IP to one's own IP. This technique is also known as a 'Man in the Middle Attack', 'ARP flip-flop attack' or 'ARP Poisoning Attack'.

We ran the tests in two modes. First, we spoofed the gateway IP and then explicitly forwarded the data coming to the hacking machine to the destination gateway. In the second mode we stopped forwarding the data to the actual IP.

Surprisingly, none of the UTMs were able to detect and log this attack in the IP forwarding mode, and none of them were able to prevent it or take a precautionary step.

At the same time, access to a UTM's private or gateway IP completely stopped when we ran the test in the 'non-IP forwarding' mode. This shows that even now, a 'Man in the Middle Attack' is one of the most dangerous attacks from inside the network, and one of the stealthiest as well.
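The check the UTMs above were missing, as an added example that is not code from the article or from any vendor: an ARP binding monitor for the private interface that pins the gateway's MAC and raises an alert whenever an ARP reply claims the gateway IP with a different MAC. The gateway address, MACs and the reply records are constructed for the illustration; a real monitor would be fed from ARP replies captured on the private port.

```python
# Trusted ARP bindings configured before monitoring starts: the gateway's MAC is
# pinned so that no ARP reply can rebind it. Addresses are constructed, not real.
TRUSTED = {"192.168.1.1": "00:11:22:33:44:01"}

# Constructed (sender IP, sender MAC) pairs taken from ARP replies seen on the
# private interface; the third reply claims the gateway IP with a different MAC.
ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),
    ("192.168.1.50", "00:11:22:33:44:50"),
    ("192.168.1.1", "00:11:22:33:44:AA"),
    ("192.168.1.1", "00:11:22:33:44:AA"),
    ("192.168.1.50", "00:11:22:33:44:50"),
]

class ArpMonitor:
    """Tracks IP-to-MAC bindings and flags a MAC change for a known IP."""

    def __init__(self, trusted):
        self.bindings = {ip: mac.lower() for ip, mac in trusted.items()}
        self.pinned = set(trusted)   # IPs whose binding must never change
        self.alerts = []

    def observe(self, ip, mac):
        """Feed one ARP reply; return an alert dict if it conflicts, else None."""
        mac = mac.lower()
        known = self.bindings.get(ip)
        if known is None:            # first sighting: learn the binding
            self.bindings[ip] = mac
            return None
        if known == mac:
            return None
        alert = {"ip": ip, "old_mac": known, "new_mac": mac,
                 "severity": "critical" if ip in self.pinned else "warning"}
        self.alerts.append(alert)
        if ip not in self.pinned:    # an ordinary host may get a new NIC; relearn it
            self.bindings[ip] = mac
        return alert

def run_monitor(replies, trusted=TRUSTED):
    """Replay a list of ARP replies and return every alert raised."""
    mon = ArpMonitor(trusted)
    for ip, mac in replies:
        mon.observe(ip, mac)
    return mon.alerts
```

Both of the article's test modes put the same ARP replies on the wire, so this check fires in the IP forwarding mode as well; only the non-forwarding mode is otherwise visible, as lost connectivity to the gateway.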

Anindya Roy, Rakesh Sharma & Vijay Chauhan
