Posts Tagged ‘UTM’

Firewalls – Part 10 UTMs – Not Your Father’s Firewall

Saturday, February 21st, 2009

From the outside, UTMs (Unified Threat Management devices, aka Security Gateways) look exactly like firewall appliances (aka "hardware" firewalls). They are deployed in the same way - between the external, or untrusted, network (typically the internet) and the internal, or protected, network. That is where the similarity ends. A UTM includes a firewall, but this is just one component of the protection that a UTM offers. Other services include:

  • Anti-virus and anti-spam where they are most effective. Our own CRM master, John Harbarenko, has given us the perfect analogy for this. When you go to the airport, security is centralized at a single entry point, before you have access to any of the airplanes. Running anti-virus on the desktop or server is analogous to searching passengers as they enter (or even after they are already seated on) the airplane. The same is true for anti-spam. Does this mean that we no longer need AV on the desktop? No, because there are other ways into our network besides the ethernet connection (CD drives, USB drives, etc.), and a gateway scanner can only inspect traffic it sees in the clear - encrypted sessions pass through unexamined unless the UTM also acts as an SSL proxy. It does make sense to run a different anti-virus product on the desktop than is running on the UTM. A threat missed by one is more likely to be caught by the other. The most important concept in security is LAYERED DEFENSES.
  • Web filtering. A large percentage of threats can be eliminated by simply preventing users from visiting certain types of websites - pornography sites, gambling sites, peer-to-peer file sharing sites, etc. There are also sites, such as sports sites, social networking sites, etc., that can be places for company employees to spend a great deal of time that is not job-related. A UTM can be configured to block individual sites or categories of sites. UTMs can be configured to allow different users to have access to different sites and can even allow access to sites only during certain times of the day.
  • Protocol and file type filtering. If you want even more control, you can configure the UTM to filter out specific protocols or file types that you want to keep out of your network. For instance, if you don't want users to be able to download music files, you can block all music file types.
  • Other services. UTMs offer other services, such as a centralized point for VPN access, encrypted email, and other services, including those typically available on proxy servers.
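To make the web-filtering and file-type rules above concrete, here is an added example (not code from the original post or from any UTM product) of the policy evaluation a gateway performs on each request. The domain-to-category map, the user groups, the rules, the time windows and the blocked extensions are all constructed for illustration; a real UTM takes its category data from a vendor feed.

```python
"""Toy model of a UTM web-filtering policy (added example, not from the original post).
Category map, groups, rules, time windows and file types are all constructed here."""
from dataclasses import dataclass
from datetime import datetime, time
from urllib.parse import urlsplit

# Constructed domain -> category map; a real UTM pulls this from a vendor feed.
CATEGORIES = {
    "example-casino.test": "gambling",
    "torrent-tracker.test": "p2p",
    "social.test": "social",
    "scores.test": "sports",
    "intranet.corp.test": "business",
    "news.test": "news",
}

# File types kept out regardless of category (the "block all music files" case).
BLOCKED_EXTENSIONS = {".mp3", ".wma", ".flac", ".torrent"}


@dataclass(frozen=True)
class Rule:
    group: str                  # user group the rule applies to ("*" = everyone)
    category: str               # site category the rule applies to ("*" = any)
    action: str                 # "allow" or "block"
    start: time = time(0, 0)    # time window in which the rule is active
    end: time = time(23, 59, 59)


# First matching rule wins, so order matters. Anything unmatched is blocked.
RULES = [
    Rule("*", "gambling", "block"),
    Rule("*", "p2p", "block"),
    Rule("marketing", "social", "allow"),                    # marketing needs social sites all day
    Rule("*", "social", "allow", time(12, 0), time(13, 0)),  # everyone else: lunch hour only
    Rule("*", "sports", "allow", time(12, 0), time(13, 0)),
    Rule("*", "business", "allow"),
    Rule("*", "news", "allow"),
]


def categorize(url: str) -> str:
    """Look the host up in the category map, walking up the label chain so that
    www.example-casino.test matches the entry for example-casino.test."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    for i in range(len(labels)):
        cat = CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return "uncategorized"


def blocked_file_type(url: str) -> bool:
    path = urlsplit(url).path.lower()
    return any(path.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def decide(group: str, url: str, now: datetime) -> tuple[str, str]:
    """Return (action, reason) for one request from a user in `group` at time `now`."""
    if blocked_file_type(url):
        return "block", "file type"
    cat = categorize(url)
    for r in RULES:
        if r.group not in ("*", group):
            continue
        if r.category not in ("*", cat):
            continue
        if not (r.start <= now.time() <= r.end):
            continue
        return r.action, f"rule {r.group}/{r.category}"
    return "block", f"no rule for category {cat}"


if __name__ == "__main__":
    lunch = datetime(2009, 2, 21, 12, 30)
    morning = datetime(2009, 2, 21, 9, 0)
    print(decide("sales", "http://social.test/feed", lunch))      # allowed at lunch
    print(decide("sales", "http://social.test/feed", morning))    # blocked at 09:00
    print(decide("marketing", "http://social.test/feed", morning))
    print(decide("sales", "http://www.example-casino.test/", morning))
    print(decide("sales", "http://news.test/song.mp3", morning))  # file type wins
```

Two things the model makes visible: a default-deny for uncategorized sites is a policy choice (many shops run default-allow and only block listed categories), and rule order decides the outcome when a group rule and a time-window rule overlap.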

If a UTM sounds a lot like a proxy server, it is. There is an important difference, though. UTMs connect to outside services to keep their anti-malware (anti-virus, anti-phishing, anti-spyware) and anti-spam components up to date. Those continuously updated signature and reputation feeds are what let a UTM catch threats that a static proxy configuration or firewall rule set cannot.

This is the last in the firewall series of articles. The next series will be about why firewalls, and even UTMs are not enough. There are some attacks from which perimeter devices cannot offer protection.

Dennis H - February 14, 2009

Firewalls – Part 8 Outbound Firewall Monitoring

Thursday, February 12th, 2009

Recall that, by default, most firewalls drop all incoming packets unless there is a rule allowing them and allow all outgoing packets unless there is a rule prohibiting them.
What about those outbound packets? There are actually several reasons to be concerned about what is going out of the network, as well as what is coming in.
- Spyware, a rogue program, or other malware could be sending information out to another computer. A software firewall running on the local machine can monitor which programs are accessing the IP stack to send out packets. These firewalls typically ask the user for permission before allowing a program to access the internet. The user has the option to allow temporary access or to create a rule that lists the program as a "trusted application" that can send out packets at any time. Hardware firewalls cannot easily determine which application is sending the packets, since they see addresses, ports and payload rather than processes. Firewalls that understand upper-layer protocols and use deep packet inspection to analyze packet data can recognize applications by their protocol signatures and so offer some limited control over which applications send data.
- Users could be responding to phishing attacks. Firewalls have no way to detect this problem, but Unified Threat Management devices (UTMs) can track the IP addresses of known phishing and virus download sites and block packets destined for those addresses.
- Worms or trojans could be attempting to propagate themselves. Again, firewalls have no way to detect this, but UTMs that run antivirus engines and Intrusion Prevention Systems can scan both outbound and inbound packets for malware.
- People on the network could be sending out sensitive information, either intentionally or unintentionally. Some UTMs or proxy servers can be configured to scan the data in outgoing packets for keywords, phrases, or number sequences (credit card or account numbers, for example) that would indicate that sensitive data is leaving the network. If the data is being sent over an SSL connection, only an SSL proxy that terminates the connection has the ability to decrypt the packets for inspection; otherwise encrypted traffic passes through unexamined.
There is a definite theme here - effective outbound monitoring requires the installation of a UTM or a proxy server. Outbound monitoring is resource intensive and requires a lot of configuration and maintenance. Software firewalls running on the local machine that monitor outbound connections tend to be quite "noisy", asking for user approval for each application sending out data. Often, users either do not understand what is being asked, or get into the habit of always allowing applications to be listed as trusted without much thought or analysis, defeating the purpose of the firewall.
The take-away: For environments where you want to have some control over the data going OUT of your network, the solution is a UTM. This is just one of the reasons that a UTM is much more than just a firewall.
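The outbound checks listed above, reduced to code as an added example (not code from the original post or from any UTM product): a destination blocklist for known phishing and download sites, plus a scan of the cleartext payload for keywords and for number sequences that look like card numbers or SSNs. The blocklist addresses (from the TEST-NET ranges), the keyword list and the sample packets are all constructed for illustration; the Luhn check is there because most random 16-digit runs fail it, which keeps false positives down.

```python
"""Outbound inspection as a UTM or proxy would do it (added example, not from the
original post). Blocklist, keywords and sample packets are constructed."""
import re
from dataclasses import dataclass

# Constructed blocklist of known phishing / virus-download destinations (TEST-NET addresses).
BLOCKED_DESTINATIONS = {"203.0.113.10", "198.51.100.77"}

# Constructed keywords that mark data as sensitive in this hypothetical organisation.
SENSITIVE_KEYWORDS = ("confidential", "do not distribute")

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN layout; a real deployment would also check the area/group ranges.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string; rejects most digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the digit strings in `text` that match the card layout and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Outbound:
    src: str
    dst: str
    payload: str    # application data in the clear (or after an SSL proxy has decrypted it)


def inspect(pkt: Outbound) -> list[str]:
    """Return the reasons this packet should be blocked; an empty list means allow."""
    reasons = []
    if pkt.dst in BLOCKED_DESTINATIONS:
        reasons.append(f"destination {pkt.dst} on blocklist")
    lower = pkt.payload.lower()
    for kw in SENSITIVE_KEYWORDS:
        if kw in lower:
            reasons.append(f"keyword '{kw}'")
    for num in find_card_numbers(pkt.payload):
        reasons.append(f"card number ending {num[-4:]}")
    if SSN_RE.search(pkt.payload):
        reasons.append("SSN pattern")
    return reasons


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Outbound("192.0.2.5", "192.0.2.200", "Invoice attached. Card 4111 1111 1111 1111 exp 12/11"),
        Outbound("192.0.2.5", "203.0.113.10", "CONFIDENTIAL: Q4 numbers"),
        Outbound("192.0.2.5", "192.0.2.200", "order 1234567890123456"),   # fails Luhn, allowed
        Outbound("192.0.2.5", "192.0.2.200", "applicant SSN 123-45-6789"),
    ]
    for s in samples:
        print(s.dst, inspect(s) or "allow")
```

Note what the Luhn filter buys: the third sample is a 16-digit run that a naive regex would flag, but it fails the checksum and is passed, while the classic test number 4111 1111 1111 1111 is caught. The payload field is cleartext by assumption, which is exactly why the text above says an SSL proxy is needed before any of this can run on encrypted traffic.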

Next: Hardware firewalls vs. integral software firewalls vs. third party software firewalls

Dennis H in West Virginia, US

February 3, 2009

Unified Threat Management

Thursday, January 1st, 2009

As usual, there are some news items this week that highlight the reasons to protect every business (not to mention residential) client with a UTM:

1) If you want to avoid drive-by malware downloads, you should avoid porn sites, gambling sites, file-sharing sites, and mainstream business sites. What? Business sites? Even mainstream sites like Business Week are places where you can have your browser exploited - free of charge and without your knowledge. We cannot stress enough that 78% of malware comes from legitimate sites that have been compromised, so category blocking alone is not enough; the gateway also has to scan what comes back from the sites you do allow.

2) Dangerous celebrities? Here is a reason to restrict users' ability to change settings (like wallpaper and screensavers) and to restrict the websites available to users.

If you need more convincing that the web is where the bad guys are focusing most of their time and efforts, read this article. It is a bit tedious and full of graphics, but the important point is that cross-site scripting attacks against websites and information leakage are growing threats.

Patching is not just for Windows. Apple and Cisco have also been patching vulnerabilities in their products. Make sure that everyone is up to date.

Spamming as a managed service? Spammers want us to think they offer legitimate business services. There has always been a gray area between spam and freedom of speech. Spam is a problem that won't go away soon and eats up a lot of business resources. Do the math - any device that EFFECTIVELY reduces the amount of time wasted on spam will probably pay for itself several times over every month (hint: Untangle / Astaro).

Finally, here is an excellent article that discusses using group policy to lock down USB drives. This was the subject of past Security Corner articles and there is an article posted in the Resource Library. I saw this, though, and thought that it was worth keeping as a reference, since this topic is bound to be of interest to business clients.

Dennis H in West Virginia, US

September 19, 2008