September 6, 2008

Given the growing number of threats to network security, UTMs have become a
must-buy for all enterprises as the first line of defense. We all know that a
UTM is a single device which can block viruses, spyware and spam. What we don’t
know is that they can do much more than this. Apart from the usual anti-X
features (Anti-Virus, Anti-Spam, Anti-Spyware, etc), UTMs also have features
such as a built-in VPN, detailed reporting, bandwidth allocation and much more.
And since we did our last shootout in Sep 07, a lot of things have changed in
this category. Here we talk about those in more detail.

One major shift we have seen in UTMs is in their reporting abilities.
Traditionally, policy deployment and reporting in a UTM were IP-based,
irrespective of the identity of the user. Such a technique has some severe
drawbacks. Let’s say that a user with an IP address was doing an
intense broadcast on the network for a day, but for some reason his IP
changed every hour. In such a situation, a standard UTM would fail to identify
at first glance that the broadcast came from a single machine; rather, it would
show the total bandwidth divided across 24 different IPs. In such a case you would
not be able to immediately check and find out that only one user is responsible
for the broadcast.

Some UTM devices now provide identity-based threat management, which
makes things simpler. This means that irrespective of how many IPs a machine/user
changes, the UTM will treat it as a single instance. IT managers can now
deploy policies directly on the user, irrespective of the location, machine and
IP of the user within the organization.
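The difference between the IP-based and the identity-based view can be reproduced from logs. The following is an added example, not code from any UTM product: it assumes DHCP/login records of the form (start time, IP, user) and flow records of the form (time, source IP, bytes), and all names and sample values are constructed for illustration.

```python
from bisect import bisect_right
from collections import defaultdict

HOUR = 3600

def build_lease_index(leases):
    """leases: (start_epoch, ip, user) records from DHCP/login logs.
    Returns ip -> (sorted start times, users in the same order)."""
    grouped = defaultdict(list)
    for start, ip, user in leases:
        grouped[ip].append((start, user))
    index = {}
    for ip, entries in grouped.items():
        entries.sort()
        index[ip] = ([s for s, _ in entries], [u for _, u in entries])
    return index

def user_for(index, ip, ts):
    """User who held `ip` at `ts`: the latest lease starting at or before ts."""
    starts, users = index.get(ip, ([], []))
    pos = bisect_right(starts, ts)
    return users[pos - 1] if pos else None

def usage_by_ip_and_user(leases, flows):
    """flows: (epoch, src_ip, bytes). Returns (bytes per IP, bytes per user)."""
    index = build_lease_index(leases)
    by_ip, by_user = defaultdict(int), defaultdict(int)
    for ts, ip, nbytes in flows:
        by_ip[ip] += nbytes
        # Traffic with no matching lease stays visible instead of being dropped.
        by_user[user_for(index, ip, ts) or f"unattributed:{ip}"] += nbytes
    return dict(by_ip), dict(by_user)

# Constructed sample: "alice" gets a new address every hour for a day, and
# her first address is later reassigned to "bob".
LEASES = [(h * HOUR, f"10.0.0.{100 + h}", "alice") for h in range(24)]
LEASES.append((30 * HOUR, "10.0.0.100", "bob"))
FLOWS = [(h * HOUR + 60, f"10.0.0.{100 + h}", 500_000_000) for h in range(24)]
FLOWS.append((30 * HOUR + 60, "10.0.0.100", 1_000_000))

if __name__ == "__main__":
    by_ip, by_user = usage_by_ip_and_user(LEASES, FLOWS)
    print(len(by_ip), "source IPs, busiest:", max(by_ip.values()), "bytes")
    for user, total in sorted(by_user.items(), key=lambda kv: -kv[1]):
        print(user, total)
```

The per-IP view spreads the traffic over 24 addresses, while the per-user view shows one heavy user; the reassigned address shows why attribution has to be by time as well as by IP.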

With the advent of multiprocessor, multi-core servers, the performance of
UTM devices has also increased tremendously over the last year. Top-end
enterprise-class UTMs are now available with four quad-core processors, boosting
performance and concurrent connections (these devices can take up to
10,00,000 concurrent connections). Of course, you have to pay a good amount of
money to acquire such a monster.

The connectivity speed of the ports has also increased. Last year, the majority
of devices that we tested had 100 Mbps network ports with a maximum of one Gbps
port. Today a majority of devices have all ports as Gbps.

The old perception of buying a UTM has completely changed. In many cases IT
managers are buying UTMs to serve specific purposes such as monitoring and
reporting. The UTM has become a major tool for supporting security audits by
providing structured, historical access and security data. This in turn helps an
organization demonstrate compliance with different security standards
such as HIPAA, CIPA, BS 7799, etc. The other components of a UTM, such as
anti-spam or anti-virus, are used as failsafe options.

Now let’s discuss some key buying tips and see what you should look for in a
UTM before you buy. Yes, UTMs should have all anti-Xs and additionally should
have IDP, firewall, logging, custom policy, etc., but you should carefully check
how good all these features are. Figuring that out might be difficult, and
that’s why we do the shootouts for you. So go through the text carefully.

Secondly, how well and how granularly can you manage your policies using the
management console of the UTM? This is a very important feature, and if it’s good
in the UTM, it can make your setup much more nimble. You will not
feel any pain if you suddenly decide to have one more DMZ in your network with
a special type of port pinholing in it. Just configure the policy on a free port
and you are on.

The next big thing for a UTM would be the option of connecting branch
offices through a centrally manageable interface. While buying a UTM, you have two
options. One is to connect all the branches over a WAN and place a central UTM
at the point of the Internet connection. The other option is to have a UTM
deployed at each branch office and connect all the offices with each
other using VPN over the Internet. The second approach is mostly preferred as it
removes the risk of a single point of failure and distributes the Internet
connectivity across the branches.

Plus, inter-office connectivity becomes cheaper as you can use a standard
Internet connection instead of leased lines and WANs.

Some UTMs come with software
which needs to be installed on the system to access them locally or remotely.

But with such a setup there is a problem. The number of UTMs increases
rapidly, which makes it difficult to manage them centrally. To reduce the
effort, UTM vendors are now coming up with central management systems with which
one can monitor and manage all the UTMs from one single interface, and that too
from anywhere. So, if you have a setup with a lot of UTMs, see whether your vendor
provides such a management solution.

User Management capabilities
You should look for UTMs which provide easy user management features. These
should ideally allow you to create a custom policy for a single user or a group.
Mostly the policies are deployed on the basis of the IP address, which means a
user must be dedicated to a single system. As discussed before, this is not
possible all the time, so for this kind of scenario you should look for a UTM
which can apply policies at the user level irrespective of the IP of the
machine. Take an example where you have three different branch offices
connected to your head office, and each branch office is getting all its IPs
from a central DHCP server. It then becomes very difficult to deploy policy
based on the IP. So while buying a UTM, check whether it supports LDAP/ADS
for policy distribution.

High availability support
Another key thing you should watch for is the failsafe option in the UTMs.
Consider an enterprise where GBs of data are transmitted in an
hour, and every single packet is scanned to safeguard the network.
If your single line-of-defence device crashes for some reason (which
can even be a huge amount of data passing through it), your whole
network will go down and bring your work to a full stop. This doesn’t mean
that you should directly expose your network to the outside world for a certain
period of time, which is what we have seen people do in case of a failure at the
UTM or firewall level.

But the good thing is that most UTMs today have a failsafe option:
if one of your UTMs goes down, the other one will automatically take
charge, and that too without letting your network go down for a second. Ideally this
kind of HA setup should be done at your branch offices as well. And for the head
office? There is no reason not to have it.

Monitoring and reporting capability
A UTM without a monitoring and reporting service is of no use today, and it is better not
to buy such a product. Yes, it might be a challenge to find such a UTM in
the market today. We have talked about the benefits of monitoring and reporting
in our earlier issues. You have to keep some important points in mind while
buying a UTM. First, the reports should be easy to understand. So, before buying a
UTM, ask the vendor for a sample report to see whether you can interpret
those reports or not. We saw many products in the past with complicated reports.
One would require a security major to decipher such reports.

Secondly, you should check the time period for which logs are retained on the
device. If the internal storage quota is full, can you store the reports and
logs on another shared storage? This kind of feature is very useful for BFSI
verticals, law firms, BPOs, etc., as they need to keep track of and preserve user
activities for a long time.

Third is the alert mechanism. It’s not always possible for an admin to sit and
watch the reports, so see how well and with what mechanisms the device sends
alerts in case of an attack or security event. For instance, can it use
e-mail, SMS, IM, etc. for sending alerts?

Choosing the right features
A UTM device comprises multiple security features. However, not all UTM
devices have all the features. Some lack anti-spam capabilities, while
others won’t have a VPN, and so on. How do you then choose the right device?
Let’s understand this with an example.

Suppose you have a hosted and managed mail server, which takes care of all
your anti-spam needs, and you find a UTM with all features except anti-spam.
This is the kind of UTM which is ideal for your network, because you already
have an anti-spam solution in place to take care of spam. So why spend
double and buy a device with anti-spam? Since it lacks one feature, it is
likely to cost you less. Similarly, if you have a VPN solution already in place on
your network and it’s working fine, then you don’t need to buy a UTM with VPN
support, which will cost you extra.

So while buying a UTM, you have to see what exactly you need and what you
already have.

UTM Management
Does your UTM provide browser-based management, or do you need an agent to
access it? How easy is the interface? Such questions form another major concern
in managing your UTM. If the interface is complex, you will waste time
hunting down the options of the UTM. What is more
severe is the fact that it could lead to a misconfigured device, which is worse than
having an open-to-all insecure network. So keep an eye on the usability of the
device while choosing one.

Cache proxy
This technology is good for saving bandwidth and time. Some UTMs
come with a caching feature, but some don’t have an HDD to save the cached data. This
means you cannot have a cache of more than a few MBs. But now UTMs provide an
option where you can add storage, and the UTM starts caching everything on it.
The cache can run into GBs and can be used to save a lot of bandwidth and time.
Some UTMs still don’t provide cache capabilities, but such UTMs cost far
less than cache-based UTMs, because they don’t include the hard disk price. But
for a large enterprise, a caching-capable UTM will be more beneficial than
UTMs that do not have a cache.

How we tested
Before we look at the performance of all the UTM devices, let’s
first see how exactly we tested the four major components of the UTM devices.

Anti-virus tests
Testing for anti-virus capability is the easiest amongst all tests. We
simply need to set up a Web, FTP and SMB server, and host a set of different types of
viruses on top of it.

We used a Linux machine to host these viruses so that the hosting machine
itself doesn’t get affected by them. The viruses that we used ranged from old 16-bit
viruses to the latest Trojans and malware. We used a set of
around 1000 virus files grouped under macros, zipped, old regular and new regular
viruses. This set was kept constant for all UTM devices.

Once the host machine was ready with all viruses hosted on top of it, we
connected it to the public port of the UTM devices one after the other and tried
downloading all viruses from the private network. Once done, we counted the
number of viruses which bypassed the UTM and got downloaded on the private

Anti-spam tests
These tests are pretty much similar to the anti-virus tests, but not
categorized. We set up a machine with a POP3 mail server running on it and dumped
around 1000 different spam mails on it. Then we connected the machine to the
Internet and gave it a public IP address which is mapped with the MX record of a
domain. We took the UTM devices one by one and connected their WAN port to the

We then connected a few machines to its private network and started
downloading the spam using Outlook Express. Once done, we checked how many spam
mails the devices had failed to either tag or block, and counted the number for all
devices. Again, to compare the performance of all devices we kept the set of
spam identical for all devices.

Firewall tests
As Nessus has become pretty common and all the UTMs do detect the tests done
by Nessus, this time we only ran a standard DOS attack and a port jammer. For
running the DOS attack, we used ettercap’s Nice DOS plugin, and we used PJam for
port jamming.

The test was pretty simple. We connected the WAN port of the UTM device to
the Internet with a public IP, ran the DOS attack and PJam, sitting on a machine
connected to the Internet from a different gateway.

Surprisingly DOS attack was easily detected by all the UTMs which we got this

IDS/IPS tests
To test the IDS/IPS functionality, we focused on the capability of the
device to detect internal attacks, or attacks that are generated from a
trusted/private network.

To test this we ran an ARP spoofing tool on the IP address of the private
port of the device and tried to see if the device could detect the attacks. ARP
spoofing is a mechanism by which one can compromise the ARP cache of switches,
and divert all traffic intended for some other IP to one’s own IP. This
technique is also known as ‘Man in the Middle Attack’ or ‘ARP flip-flop attack’
or ‘ARP Poisoning Attack’.

We ran the tests in two modes. First, we spoofed the gateway IP and then
explicitly forwarded the data coming to the hacking machine, to the destination
gateway. And in the second mode we stopped forwarding all the data to the actual

Surprisingly, none of the UTMs were able to detect and log this attack in the
IP forwarding mode. And none of them were able to prevent or take a
precautionary step.

At the same time, access to a UTM’s private or gateway IP completely stopped
when we ran the test in a ‘non-IP forwarding’ mode. This shows that even now, a
‘Man in the Middle Attack’ is one of the most dangerous attacks from inside the
network and one of the stealthiest as well.
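Because forwarding keeps traffic flowing, the only reliable signal in the first mode is the change in IP-to-MAC bindings itself. The following is an added detection example, not part of the original tests or of any UTM: it assumes ARP replies have already been captured as (time, sender IP, sender MAC) tuples, for instance from a mirror port, and the function name, alert names and sample addresses are constructed for illustration.

```python
from collections import defaultdict

def detect_arp_anomalies(observations, pinned=None):
    """observations: (ts, sender_ip, sender_mac) taken from ARP replies.
    pinned: optional {ip: mac} of known-good bindings, e.g. the gateway.
    Returns a list of (ts, kind, ip, detail) alerts."""
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    current = {}                    # ip -> MAC most recently seen for it
    changes = defaultdict(int)      # ip -> how often its binding changed
    ips_by_mac = defaultdict(set)   # mac -> IPs it has answered for
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        if ip in pinned and mac != pinned[ip]:
            alerts.append((ts, "pinned-violation", ip, mac))
        prev = current.get(ip)
        if prev is not None and prev != mac:
            changes[ip] += 1
            # Real owner and spoofer both answering makes the binding alternate.
            kind = "flip-flop" if changes[ip] >= 2 else "binding-change"
            alerts.append((ts, kind, ip, f"{prev} -> {mac}"))
        current[ip] = mac
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) == 2:   # alert once per MAC
                alerts.append((ts, "mac-claims-multiple-ips", ip, mac))
    return alerts

# Constructed sample: addresses and MACs are made up for illustration.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
HOST_MAC = "AA:BB:CC:00:00:50"
OBSERVATIONS = [
    (0, GATEWAY_IP, GATEWAY_MAC),
    (1, "192.168.1.50", HOST_MAC),
    (10, GATEWAY_IP, HOST_MAC),      # host starts answering for the gateway
    (11, GATEWAY_IP, GATEWAY_MAC),   # real gateway answers again
    (12, GATEWAY_IP, HOST_MAC),
]

if __name__ == "__main__":
    for alert in detect_arp_anomalies(OBSERVATIONS, {GATEWAY_IP: GATEWAY_MAC}):
        print(alert)
```

A DHCP reassignment can legitimately produce a single binding-change, so pinning the gateway's binding and treating repeated flip-flops as the high-confidence signal keeps the alert volume manageable.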

Anindya Roy, Rakesh Sharma & Vijay Chauhan
