Unified Threat Management
Donovan Anderson
July 29, 2006
UTM, or Unified Threat Management, is one of the hot buzzwords in the IT security field today. Working at the application level, UTM combines traditional security elements, including firewalls, intrusion detection and prevention, junk mail filtering, spyware filtering, and content filtering, into one appliance (Probert, 2005). In a traditional network environment each of these functions would be handled by a separate device. The phrase "Unified Threat Management" was coined by the technology research organization IDC in 2004 to "describe a category of security appliances which integrates a range of security features into a single appliance" (Webopedia.com). UTM attempts to simplify the management of security on the network by bundling these services into one easy-to-manage package.
The first element of the UTM appliance is the firewall and intrusion detection system. Firewalls operate at the gateway level of the network and control which ports are accessible from outside the network. More advanced firewalls contain rule sets for each machine on the network, blocking access to some machines on certain ports while permitting access to other machines on those same ports. An intrusion detection system analyzes network traffic in real time and compares the traffic against a database of known attack signatures. When an IDS detects traffic matching one of these signatures, it begins to log the activity and notifies the system administrators of the trouble. When an IDS is combined with a firewall, as is the case with unified threat management, the IDS can send a command to the firewall that shuts down access from the offending IP address, port, or both for a predetermined interval. This is a very effective way of neutralizing outside attacks.
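The IDS-to-firewall feedback loop described above, as an added example that is not part of the original article: a signature match is logged and turns into a temporary firewall block on the offending source address and port, which expires after a predetermined interval. The signature set, the 600-second interval, and the addresses are constructed for illustration.

```python
import re

# Constructed signature database (assumption): rule name -> pattern over the payload.
SIGNATURES = {
    "sql-probe": re.compile(rb"(?i)union\s+select"),
    "shell-probe": re.compile(rb"/bin/sh|cmd\.exe"),
}
BLOCK_INTERVAL = 600  # seconds a dynamic block stays in force (assumed value)


class Firewall:
    """Gateway firewall holding the IDS-issued temporary blocks."""

    def __init__(self):
        self.blocks = {}  # (src_ip, dst_port) -> expiry time

    def block(self, src_ip, dst_port, now, interval=BLOCK_INTERVAL):
        self.blocks[(src_ip, dst_port)] = now + interval

    def allows(self, src_ip, dst_port, now):
        expiry = self.blocks.get((src_ip, dst_port))
        if expiry is None:
            return True
        if now >= expiry:  # interval elapsed: drop the block again
            del self.blocks[(src_ip, dst_port)]
            return True
        return False


class IDS:
    """Signature matcher that logs a hit and tells the firewall to block."""

    def __init__(self, firewall):
        self.firewall = firewall
        self.log = []  # (time, src_ip, dst_port, rule) entries for the administrators

    def inspect(self, src_ip, dst_port, payload, now):
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                self.log.append((now, src_ip, dst_port, name))
                self.firewall.block(src_ip, dst_port, now)
                return name
        return None
```

Only the offending (address, port) pair is blocked, so the same host keeps access to other ports, and the block lifts on its own once the interval has elapsed.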
The next component is the junk mail, virus and spyware filtering software. Working at the application level, a junk mail filter scans incoming messages and analyzes their content. A point value is assigned to each attribute indicative of junk mail. Once a message's score reaches a certain threshold, it is either deleted or sent to a quarantine folder. An additional level of filtering is provided by subscribing to blacklist databases containing the IP addresses of known junk mail sources. Usually, mail from these sources is deleted immediately, skipping the quarantine. The mail scanning software also scans email attachments for known viruses and spyware programs. While virus and spyware defense is mainly handled by the mail scanning application, the third element, content filtering, also aids in this task.
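The scoring scheme described above, as an added example that is not code from the original article: each junk-mail attribute adds points, the total is compared with a quarantine threshold and a higher delete threshold (two thresholds are an assumption; the text only says a message is deleted or quarantined), and mail from a blacklisted source is deleted before scoring. The rules, thresholds and blacklist address are constructed.

```python
import re
from email import message_from_string

BLACKLIST = {"192.0.2.10"}      # constructed list of known junk-mail sources
QUARANTINE_THRESHOLD = 4.0      # assumed score at which mail is quarantined
DELETE_THRESHOLD = 8.0          # assumed score at which mail is deleted outright


def body_text(msg):
    payload = msg.get_payload(decode=True)
    return payload.decode("utf-8", "replace") if payload else ""


# Constructed rules: (description, points, predicate over the parsed message).
RULES = [
    ("subject in all caps", 2.0,
     lambda m: m["Subject"] is not None and m["Subject"].isupper()),
    ("sales-pitch phrases in body", 2.5,
     lambda m: re.search(r"(?i)free money|guaranteed|act now", body_text(m)) is not None),
    ("missing Message-ID header", 1.0, lambda m: m["Message-ID"] is None),
    ("HTML-only body", 1.5, lambda m: m.get_content_type() == "text/html"),
]


def classify(raw_message, source_ip):
    """Return (verdict, score, matched rules) for one incoming message."""
    if source_ip in BLACKLIST:  # blacklisted sources skip the quarantine entirely
        return "delete", 0.0, ["blacklisted source"]
    msg = message_from_string(raw_message)
    score, hits = 0.0, []
    for description, points, test in RULES:
        if test(msg):
            score += points
            hits.append(description)
    if score >= DELETE_THRESHOLD:
        verdict = "delete"
    elif score >= QUARANTINE_THRESHOLD:
        verdict = "quarantine"
    else:
        verdict = "deliver"
    return verdict, score, hits
```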
Content filtering limits web access to organizationally approved sites or subjects. Commonly restricted sites include any kind of adult content. There are two main methods used in content filtering. The first is the use of URL databases, in which the URLs of blocked websites are kept in a database. When a user makes a web request, the requested URL is compared against the blocked content database; if there is a match, access is denied. The URL database method has a weakness in recognizing new content, which is solved by employing dynamic filtering. The dynamic filtering approach analyzes the HTML code as it passes through the router, including the words, pictures, and other content on the website (Azoulay, 2006). With this method, unauthorized material can be blocked even if it has not yet been categorized and included in the blocked URL databases.
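The two-tier filter described above, as an added example that is not part of the original article: a request is first checked against a URL database, and, if the host is unknown, the fetched HTML is analyzed dynamically by counting category terms in its visible text. The blocked hosts, the single "gambling" category, and the three-hit minimum that keeps a passing mention from blocking a page are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed URL database (blocked hostnames) and keyword categories for dynamic filtering.
BLOCKED_HOSTS = {"blocked.example", "www.blocked.example"}
CATEGORY_TERMS = {"gambling": {"casino", "jackpot", "roulette", "betting"}}
MIN_HITS = 3  # assumed: a category must be hit this often before the page is blocked


class TextExtractor(HTMLParser):
    """Collect the visible words of a page, ignoring script and style blocks."""
    def __init__(self):
        super().__init__()
        self.words, self.skip = [], False
    def handle_starttag(self, tag, attrs):
        self.skip = self.skip or tag in ("script", "style")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = False
    def handle_data(self, data):
        if not self.skip:
            self.words.extend(re.findall(r"[a-z]+", data.lower()))


def check_url(url):
    """First tier: look the requested host up in the blocked-URL database."""
    host = urlsplit(url).hostname or ""
    return "url-database" if host in BLOCKED_HOSTS else None


def check_content(html):
    """Second tier: categorize the page from its text as it passes through."""
    parser = TextExtractor()
    parser.feed(html)
    counts = {}
    for word in parser.words:
        for category, terms in CATEGORY_TERMS.items():
            if word in terms:
                counts[category] = counts.get(category, 0) + 1
    for category, n in counts.items():
        if n >= MIN_HITS:
            return "dynamic:" + category
    return None


def filter_request(url, html=None):
    """Return ('deny', reason) or ('allow', None); html is the fetched page body."""
    reason = check_url(url) or (check_content(html) if html is not None else None)
    return ("deny", reason) if reason else ("allow", None)
```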
As one can imagine, managing each one of these elements separately can be a daunting task, and can consume a great amount of the IT staff's time, arguably the most expensive organizational resource. Centralizing this management reduces the amount of labor required to address security threats. UTM systems also eliminate the cost of purchasing separate machines for each of these jobs. Because Unified Threat Management brings all of these filters and security devices out to the gateway level, threats are better managed and stopped before they can reach the internal network (Gosal and Solanki, 2006).
The disadvantages of employing Unified Threat Management are relatively few. There can be a performance issue in some larger networks: the latency involved in analyzing traffic at the router can create a bottleneck in a high-bandwidth environment (Gosal and Solanki, 2006). This latency is rather small, and would only be a factor at very large organizations. The other disadvantage is that the appliance represents a single point of failure on the network. If a bug in the mail filtering software exhausts the appliance's resources, it could cut off access to the network completely.
The advantages of moving to UTM far outweigh the disadvantages. The initial cost of deploying UTM will be offset by freeing up the IT staff and allowing them to concentrate on more profitable activities. Many organizations also need to consider various compliance regulations such as PCI compliance and the Sarbanes-Oxley Act of 2002. Many of the standards set forth by these regulations can be addressed by the deployment of a single UTM appliance.
Azoulay, O. (2005). How unified threat management vendors can ensure they provide comprehensive and flexible content filtering solution to users. Retrieved July 25, 2006, from www.securitypark.co.uk/article.asp?articleid=25087&CategoryID=33
Gosal, S. and Solanki, V. (2006). Unified threat management: preparing for a new generation of network security threats. Retrieved July 25, 2006, from www.itsecurity.com/security.htm?s=16856
Webopedia.com (n.d.). Unified threat management. Retrieved July 25, 2006, from practicallynetworked.webopedia.com/TERM/U/Unified_Threat_Management.html
Probert, T. (2005). Unified threat management will make IT security easier. Retrieved July 25, 2006, from www.it-observer.com/articles.php?id=1010