Business Risk & Resilience, Thought Leadership Article

Article received from Simon Heron,
Managing Director of Network Box (UK) Ltd, a unified threat management company

 
UTM PLUS - THE FUTURE

Unified Threat Management has already moved on, don’t be left behind

The Unified Threat Management (UTM) market will grow to fifty percent of the European security market for vendors by 2009 according to IDC. UTM is the shape of things to come, and yet it didn’t exist before 2004. So why the sudden growth in the management of multiple threats?

 
The advent of the Internet and broadband has altered the way network security is viewed. Two years ago, firewalls and email filtering were all that were required to stop most threats. Now, this has changed to a vast field of security systems and networks. We now need anti-virus and anti-spam and anti-phishing and anti-spyware and… the list goes on. It will continue to do so as long as IT systems remain the target of hackers, spammers, and anyone with a motive for penetrating an organisation’s network.
 
One system to bind them all
Network security is constantly evolving to respond to these threats. With the legacy approach, each threat is handled by a separate system, but this leaves room for infiltration. For instance, installing an anti-virus engine on the email server is a standard part of any network security plan, but this does not protect a company when a virus arrives straight onto the desktop because a user accessed their web mail account or a remote POP3 account, downloaded a file using FTP, or surfed to a web page containing a virus. So there is a need for proxies to stop this, and for server hardware to run them. Added to that is routing to ensure traffic is directed through the proxies, and desktop configuration locked down so that people cannot bypass them.
 
The IT industry has come up with a solution: take the different applications and integrate them onto one gateway product. This addresses the internal security problems and, at the same time, controls and protects the point where traffic enters the network.
Step forward UTM systems. With a unified approach you can install a single solution that incorporates the best-of-breed technologies from multiple vendors, all on a single hardware platform. This reduces capital expenditure, decreases integration costs and produces a more secure and manageable system in which all components work together.
 
What you need to manage the threats
So what defences should be in place? The minimum requirement should be:
 
  • An industrial strength firewall – it should be powerful and have application proxies. Some application firewalls revert to a generic or SOCKS proxy for some applications and do not provide sufficient protection.
 
  • Intrusion Detection and Prevention (or Deep Packet Inspection) – this needs to be tightly integrated into the firewall to ensure that the ports which have to be open on the firewall are policed for malicious activity. It has to be zero latency: some systems allow one or more packets through before blocking malicious traffic, and that gap can be exploited by viruses and worms.
 
  • VPN – you need a compliant and compatible implementation of the most used solutions, with the ability to upgrade to the next standard that will inevitably materialise.
 
  • Anti-Malware – this covers anti-virus, anti-spam, anti-phishing, anti-spyware, anti-hoax etc. It should cover all the email protocols (SMTP, POP3 and IMAP4) as well as HTTP and FTP. There is no point in allowing malware onto servers or onto the LAN if it can be avoided. 
 
  • Content Filtering – this performs three important tasks: prevents offensive material from being downloaded; protects the company from known malicious sites; and improves productivity.  
 
Finally, many companies now need the ability to handle multiple Internet links, traffic shaping, Voice over IP and dynamic routing protocols. All of this functionality must come with simple and manageable reporting, as it is important to be able to measure and monitor the systems that have been implemented. 
 
UTM and beyond
The UTM approach has forced a re-think on perimeter security. Even old-school firewall vendors are bolting on anti-virus and the like so that they don’t look as though they’ve been left behind. But again beware – many will have solutions that are poor in one or more areas. For instance, they may have poor anti-virus solutions with as little as 10,000 signatures or no heuristics; or anti-spam systems that have poor detection rates. 
 
So is a UTM device the answer? On its own, it can be a great piece of technology but simply installing a piece of technology is not sufficient to keep a network safe. Without 24x7 monitoring, updates and management, your network still runs the risk of being compromised.
 
Plus is more
UTM Plus provides the established security features with these additions:
 
  • Monitoring: security systems must be actively monitored, raising alarms when safety parameters are exceeded. This should cover not just attacks but also processes and hardware performance. It allows IT staff to ensure defences are working correctly; no matter how good a system is, it is no use if it does not work.
 
  • Updates: UTM Plus is updated very quickly (within one minute, anywhere in the world) using PUSH technology – there is no reason to wait for protection updates once they are available.   
 
  • Management: using PUSH technology it becomes the supplier’s responsibility to keep your system up to date, immediately as protection is available. A good supplier will ensure systems are updated because they are alerted to threats, meaning they can maintain and manage your system and keep defences up to date with the latest applications. 
 
PUSH technology allows for automated detection and protection, reducing the window of vulnerability to minutes in some cases. Because UTM Plus systems are monitored, any attacks are immediately reported, new threats are identified and solutions created, which are then proactively PUSHed into action.
 
The manageability of these systems, which work together as one complete solution, has benefits far beyond any legacy approach. For example, let's look at spyware. The first contact is usually made through email, enticing the unwary user onto an infected site. The anti-malware scanning the email should be able to spot these emails and quarantine them.
 
However, users might still stumble on a rogue site while surfing the Web, which is where content filtering is effective at protecting the company by blocking access to that site. It is possible that the site is very new and that the content filtering does not yet have it in its database. In this case, HTTP scanning that looks for spyware will protect the network. Once the spyware is identified and marked as malicious, each UTM system is updated instantaneously, eliminating any further harmful attacks.
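The spyware scenario above is a textbook case of layered defence: the email layer, the content-filtering database and the HTTP payload scan each have independent knowledge, so a site too new for the URL database is still stopped by the payload scan, and once identified it is pushed to every gateway. The following Python model is an added illustration written for this page; it is not Network Box code and it models no real product API. The gateway class, the lure regex, the blocked-host set and the spyware byte signature are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Gateway:
    """One UTM gateway with three independent layers (constructed model, not a product API)."""
    name: str
    lure_patterns: list          # email anti-malware: regexes for enticing lures
    blocked_hosts: set           # content filtering: database of known malicious sites
    spyware_signatures: set      # HTTP anti-malware: byte patterns in downloaded content
    events: list = field(default_factory=list)   # what each layer reported, for monitoring

    def scan_email(self, subject: str, body: str) -> Optional[str]:
        """Layer 1: quarantine mail whose text matches a known lure pattern."""
        text = f"{subject}\n{body}"
        for pat in self.lure_patterns:
            if re.search(pat, text, re.IGNORECASE):
                self.events.append(("quarantine", pat))
                return "email-quarantined"
        return None  # delivered

    def fetch(self, host: str, payload: bytes) -> Optional[str]:
        """Layers 2 and 3 for a web request: cheap URL lookup first, then payload scan."""
        if host in self.blocked_hosts:
            self.events.append(("blocked-url", host))
            return "blocked-by-content-filter"
        for sig in self.spyware_signatures:
            if sig in payload:
                self.events.append(("blocked-payload", host))
                return "blocked-by-http-scan"
        return None  # allowed


def push_update(fleet, blocked_hosts=(), spyware_signatures=()):
    """Supplier-side PUSH: every gateway in the fleet receives the new knowledge at once."""
    for gw in fleet:
        gw.blocked_hosts.update(blocked_hosts)
        gw.spyware_signatures.update(spyware_signatures)


# Constructed sample data: a fake signature and a fake lure pattern, not real samples.
SPYWARE_SIG = b"\x4d\x5a\x90\x00SPYDEMO"
LURE = r"your (account|mailbox) (has been|will be) suspended.*click"


def run_scenario() -> dict:
    """Walk the spyware example through the layers and return each layer's verdict."""
    fleet = [Gateway(f"gw{i}", [LURE], {"known-bad.example"}, {SPYWARE_SIG}) for i in range(2)]
    gw0, gw1 = fleet
    results = {}

    # 1. The lure email is stopped at the mail layer.
    results["email"] = gw0.scan_email(
        "Urgent", "Your account has been suspended. Click here to restore it.")

    # 2. A user surfs to a site already in the content-filtering database.
    results["known_site"] = gw0.fetch("known-bad.example", b"")

    # 3. A brand-new site is not in the database, but its payload carries spyware.
    payload = b"<html>" + SPYWARE_SIG + b"</html>"
    results["new_site_before_update"] = gw0.fetch("brand-new.example", payload)

    # 4. The supplier pushes the newly identified host to the whole fleet; a second
    #    gateway that never saw the payload now blocks it at the cheaper URL layer.
    push_update(fleet, blocked_hosts={"brand-new.example"})
    results["new_site_after_update"] = gw1.fetch("brand-new.example", payload)

    # 5. Clean traffic still passes.
    results["clean"] = gw1.fetch("intranet.example", b"<html>hello</html>")
    return results


if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print(f"{step:>24}: {verdict}")
```

The point the model makes is that the layers do not share a single list of "bad things": each catches what the previous one misses, and the push step is what turns one gateway's detection into fleet-wide protection without waiting for a scheduled pull.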
 
Plus is the present, don’t wait until the future
PUSH technology ensures the updates do not dominate your bandwidth as PULL (relying on users to download updates) can. It only uses bandwidth when sending updates; it does not rely on pre-set schedules to work, or websites to be up; it doesn’t require system logs to be checked or for update systems to be debugged. Quite simply, it takes the strain out of maintenance.
 
The emergence of new threats has forced a rethink of network security. Threats are activated at the push of a button, so companies need instant protection. UTM is already here, but UTM Plus is the next step to ensuring complete managed security, anywhere in the world, at any time of the day. This is comprehensive, proactive, intelligent protection. It is UTM Plus, and companies need to make sure they don't get left behind.


© continuity-online 2007 - 2008