Unified Threat Management (UTM) is a new term in the firewall industry — in fact, UTM is the hottest buzzword in the industry today. The term describes the combination of several security technologies on one device. The typical UTM technologies are the following: stateful firewall; IPS; antivirus; antispyware;
antiphishing; anti-adware; antispam; and Web filtering. This technology is included typically on a firewall that employs a stateful firewall as its core technology. This technology is used in lower-speed deployments of a gigabit-per-second throughput or less.
UTM increases the security of a stateful firewall by adding different layers of inspection. It does this and still maintains the important throughput, which is one of the important benefits of stateful inspection. The Intrusion Prevention System functions implemented in UTM are usually subsets of full-blown IPS features. This form of IPS was formerly known as Deep Inspection or Deep Packet Inspection. The
IPS feature looks for specific attacks inside flows. These attacks are usually divided into categories of severity. The IPS component is usually deployed to stop the most critical attacks that are active threats, such as worms.
A discussion of the IPS features of UTM can be found at www.securityfocus.com/
infocus/1716.c. Network-based antivirus technology is often limited to a small set of protocols. These protocols are the ones in which viruses are most commonly found, such as HyperText Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), and Post Office Protocol version 3 (POP3). Anti-x protocols (spyware, adware, and spam) block or at least limit the amount of incoming spyware, adware, and spam. These products can be developed by the firewall vendor themselves or they can be
products developed by partners. As with the antivirus products, these products are used only on specific protocols, such as mail protocols in the case of antispam.
Web filtering allows you to block Web sites that are inappropriate for your organization. By including filtering on the firewall, you reduce the number of devices that need to be managed in your environment.
The features for integrated Web filtering can be limited as opposed to using a full installation of a filtering product. Often, Web filtering is done by partnering with a major player such as Websense or Surf Control.
UTM features are often best deployed in low throughput environments with low user
counts. Over the years, performance of such features has become much better. In the past, you would never want to deploy these features in environments with more than 50 people. Today, however, many products can support several hundred users. UTM is a great technology to add to your environment, and the future for it looks bright.
Intrusion Protection System (IPS) technologies have been deployed on stand-alone devices in the past. However, today you can run a complete IPS system on your firewall. You do so by combining (usually) a stateful firewall technology with an IPS engine. Throughput typically depends on the implementation. Some vendors choose to dedicate specific hardware resources to the IPS inspection. These devices have the highest throughput — much more than a completely software-based implementation. This IPS technology deployment differs from UTM because it is much more feature rich and supports more protocols. A typical UTM deployment consists of a couple hundred signatures and supports a dozen signatures whereas a true IPS deployment consists of several thousand signatures and 40 or more protocols. A signature is a specific pattern or combination of patterns that match an attack. The inclusion of IPS on firewalls provides stateful firewalls with the security that an application proxy can
provide yet at incredibly fast, multigigabit speeds.
You can find a more in-depth discussion of IPS at www.securityfocus.com/infocus/1670.
Network Address Translation Network Address Translation (NAT) is a technology that allows you to change one IP address into another as a packet passes through a firewall. This can be done to the source IP, destination IP, or both. NAT gives you the ability to do several different things, the first being the ability to hide your network’s IP address range, obfuscating what its true IP address range is. You can use a set of nonroutable IP addresses for your private network. These typically come from the Request For Comment (RFC) 1918 address set. Because these addresses are not routable on the Internet, you need to hide them behind public IP addresses.
Most organizations do not have the ability to provide one public IP address for each private IP address. In these cases, a combination of NAT and Port Address Translation (PAT) is used. PAT swaps the source port of the packet to a higher port and then uses a single IP address to hide many internal IP addresses behind. The firewall tracks the connection by mapping the original source port to the new PAT port.
Doing so allows it to know which connection belongs to which internal IP.
To read more about NAT, go to www.tcpipguide.com and search for NAT. You can find a more indepth discussion there.
Virtual Private Networks
A Virtual Private Network (VPN) is created by employing a protocol that allows packets to be transported between two endpoints yet seem as though they are part of the same network. Using one of several protocols such as Multiprotocol Label Switching (MPLS), IPsec, or Generic Router Encapsulation, you can create a VPN. Most firewalls create VPNs using IPsec. IPsec is a protocol suite that enables the secure
transport of traffic between two endpoints. Most firewall products on the market today allow for thecreation of IPsec VPNs. IPsec VPN.