
CLIENT: NETWORK BOX USA

Jan. 21, 2009: CUES

UNIFIED THREAT MANAGEMENT

Whether in the financial industry or not, everyone knows what an ATM is. But credit unions and banks should also know what unified threat management is and how it can benefit them, especially in these critical economic times.

In terms of network security, a UTM solution should at least provide:

  • firewall,
  • intrusion detection and prevention,
  • virtual private network,
  • anti-malware,
  • anti-spam and
  • content and Web filtering.

Some UTM vendors add other functions, such as advanced routing or outstanding service, or provide advanced network-activity analysis tools. In many cases, you can choose to omit some functions, the most common being the VPN and content filters. Security is always a trade-off between what you should do and what you can afford. It all goes under the larger umbrella of risk management. Define your risk, define what level of security you should have, define what you can afford, and you define what you must live with. In short, security is a trade-off between your needs and your means.

When considering a UTM device, keep in mind that a network is not a closed environment with only one entry point—the Internet. Protecting the gateway is not enough to ensure protection of the entire network; that's like having an armored door when all the windows are unprotected. Defense-in-depth means applying a layer of security defense at every level of your network, e.g., doing anti-virus at the gateway, and then on the servers, and then on the workstations, so an e-mail gets scanned at least three times. Adding end-point security to your gateway security is part of that same strategy, as is blocking USB ports so users can't bring in viruses from home. In other words, one should do at the gateway what needs to be done, but that is not all that needs to be done.

Having a UTM solution gives you many advantages—reduced complexity, reduced cost of ownership, reduced overall maintenance, and increased network security. In a UTM scenario, you don't have the difficulties of getting different devices interfacing with each other. You have a simplified architecture because there's only one device (such as the Network Box UTM appliance) to manage, which translates into fewer chances for errors.

Let's consider the other situation. You have a firewall/IDP device at the edge of your network, but your content filtering is done by a proxy device running a Web filtering application installed on a Windows server. Now, not only do you still need to manage the content filtering function, you also need to manage the server the function is running on, with all the complications this entails.

Moreover, if the solutions are from different vendors—as is most likely—you also need to learn different ways of managing the various services, with all the inconsistencies this involves. Each individual box needs to be patched and maintained, to provide a secure platform upon which to run the point solution software. Maintaining several devices—in many cases two of each type—adds so much to the complexity of the management that the possibility of more problems occurring and going unnoticed is very high, not to mention the issues that may arise with routing and with troubleshooting when something goes wrong.

Yes, managing network security is a complex task when various devices are involved. But managing a UTM device is also a complex task, and any function—whether it's on the appliance or on a server of its own—needs to be managed. The difference is that when dealing with a UTM, you are dealing with just a single device.

This brings us to the benefits of having a managed security service. Assuming we agree that all the functions offered by a UTM appliance are necessary, managing all of them requires knowledge of many different systems. The administrator would need in-depth understanding of networking and routing; to know the firewall language and understand firewall security; and to know how to configure the intrusion detection and prevention system, the anti-virus and relevant policies, for example:

  • Web filtering/content filtering policies—who goes where when and why.
  • E-mail policies on allowing "executables." Microsoft defines more than 40 extensions as executable, but it's the rare IT manager who can list them all. Let one of these through your e-mail and you can get a Trojan. Trojans do not replicate, so having signatures for them may not be quick and easy. Blocking all true executables is important.
  • E-mail policies again—allowing or not allowing SCRIPT, iFrames, binary objects, hidden objects. How many IT managers concern themselves with these sources of potential threats?

This list could be very long. A policy is made every time a decision is made about allowing or blocking something. Knowing what to allow/block—and why—is very important.
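As an added example, not code from the article or from Network Box's product, here is how an e-mail gateway could enforce the two policies just listed: rejecting attachments whose name carries an executable extension (including the double-extension case) and flagging SCRIPT, iFrame, binary-object and hidden-object content in HTML bodies. The extension set and the sample message are constructed for illustration; the set is a subset, not Microsoft's full list.

```python
import email
import re
from email.message import EmailMessage

# Constructed, illustrative subset of attachment extensions Windows treats as
# executable; the article's point is that the real list exceeds 40 entries.
EXEC_EXTENSIONS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "vbe", "js",
                   "jse", "wsf", "wsh", "hta", "msi", "cpl", "reg", "ps1", "lnk"}

# Active-content markers in HTML mail: the SCRIPT, iFrames, binary objects and
# hidden objects the article lists as policy decisions.
HTML_RULES = {
    "script": re.compile(r"<script\b", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
    "binary-object": re.compile(r"<(?:object|embed)\b", re.I),
    "hidden-object": re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I),
}

def attachment_is_executable(filename):
    """Flag if ANY extension segment is executable, so the classic
    double-extension trick (statement.pdf.exe) is caught as well."""
    return any(seg in EXEC_EXTENSIONS for seg in filename.lower().split(".")[1:])

def check_message(raw):
    """Return (rule, detail) policy hits for a raw RFC 822 message string."""
    msg = email.message_from_string(raw)
    hits = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname and attachment_is_executable(fname):
            hits.append(("executable-attachment", fname))
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for name, rx in HTML_RULES.items():
                m = rx.search(body)
                if m:
                    hits.append(("html-" + name, m.group(0)))
    return hits

def build_sample():
    """Constructed test message: HTML body with a script tag and a hidden div,
    one double-extension executable and one genuine PDF attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", "Statement"
    m.set_content("Your statement is attached.")
    m.add_alternative('<p>See attached.</p><script>run()</script>'
                      '<div style="display:none">hidden</div>', subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="statement.pdf.exe")
    m.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                     filename="statement.pdf")
    return m.as_string()

if __name__ == "__main__":
    for rule, detail in check_message(build_sample()):
        print(f"BLOCK {rule}: {detail}")
```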

This is why the second most common cause of a company's network being compromised is improper configuration of its defenses: understanding and configuring all these functions is no easy task. But doing without them is not an option; all of these functions are necessary to properly protect your network. That's why we believe a good solution is to rely on a UTM plus a managed service with experienced network operations personnel, who are best equipped to manage your gateway security.
