Study Guide for NSE 1: Unified Threat Management (UTM)
February 1, 2016
Fortinet Network Security Solutions
Unified Threat Management (UTM) is a security management approach providing administrators the
ability to monitor and manage multiple security-related applications and infrastructure components
through a single management console. Through this simplified management approach, UTM provides
administrators the ability to protect both local and branch offices from potential threats, rather than
having to depend on coordination with remote site administrators or multiple control panels. This
integrated approach to security control is an extension of the philosophy that resulted in integration of
multiple security functions into hardware and software appliances, compared to legacy network security
systems that used single- or dual-function add-on appliances that resulted in complex hardware,
software, and management control systems (Figure 1).
UTM Features
UTMs are generally acquired as either cloud services or network appliances, and integrate firewall,
intrusion detection system (IDS), anti-malware, spam and content filtering, and VPN capabilities
(Figure 2). These can be installed and updated as necessary to keep pace with emerging threats.[1]
Antispam. This is a module that detects and removes unwanted email (spam) messages by applying
verification criteria to determine whether the email fits the defined parameters for spam traffic. Anti-spam
filtering can block many Web 2.0 threats like bots, many of which arrive in your users' e-mail boxes. The
multiple anti-spam technologies incorporated into UTM detect threats through a variety of techniques [3].
These parameters may be as simple as a list of senders identified by a user or a comparison against
databases of known bad messages and spam server addresses [2].
Content filtering. These devices block traffic to and/or from a network by IP address, domain
name/URL, type of content (for example, adult content or file sharing), or payload. They maintain a
whitelist of trusted sites and a blacklist of forbidden sites to prevent users from violating acceptable use
policies or being exposed to malicious content. [3]
VPN. A Virtual Private Network (VPN) uses special protocols to move packets of information across the
Internet securely. In general, VPN protocols encrypt traffic going from sender to receiver. This makes
such traffic appear completely garbled to anyone who might intercept and examine those packets while
they're on the Internet. VPNs use encryption to protect the traffic they carry from unauthorized access.
Because the VPN packets wrap the encrypted data inside a new protocol envelope (a technique
known as encapsulation), a VPN creates a private, encrypted tunnel through the Internet. [3]
Load balancing. Load balancing distributes traffic and routes content across multiple web servers. This
increases application performance, improves resource utilization and application stability, and reduces
server response times. With data compression and an independent SSL encryption processor, this
capability further increases transaction throughput and reduces the processing load on web servers,
providing additional acceleration for web application traffic.
Intrusion Prevention System (IPS). An IPS acts as a network's watchdog, looking for patterns of network
traffic and activity and recording events that may affect security. An IPS issues alarms or alerts for
administrators and is able to block unwanted traffic. An IPS also routinely logs information as events occur,
so it can provide information to better handle threats in the future or provide evidence for possible
legal action [3]. IPS is the best way to detect threats trying to exploit network vulnerabilities.
Quality of Service (QoS). QoS refers to a network's ability to achieve maximum bandwidth and deal with
other network performance elements like latency, error rate and uptime. Quality of service also involves
controlling and managing network resources by setting priorities for specific types of data (video, audio,
files) on the network. QoS is exclusively applied to network traffic generated for video on demand, IPTV,
VoIP, streaming media, videoconferencing and online gaming. [4]
SSL/SSH inspection. This provides the ability to inspect content encrypted by applications using the Secure
Sockets Layer (SSL) protocol; to do so, the UTM performs a man-in-the-middle interception of the SSL
traffic. This allows other inspections to be applied, such as DLP, web filtering, and antivirus/malware.
Some popular SSL-protected protocols are HTTPS, FTPS, and the mail protocols SMTPS, POP3S, and IMAPS. [2]
Application awareness. Web Application Security solutions provide specialized, layered application
threat protection for medium and large enterprises, application service providers, and SaaS providers.
FortiWeb application firewalls protect your web-based applications and internet-facing data. Automated
protection and layered security protects web applications from layer 7 DDoS and more sophisticated
attacks such as SQL injection, cross-site scripting (XSS), and data loss. The Web Vulnerability
Assessment module adds scanning capabilities to provide a comprehensive solution to meet your PCI
DSS section 6.6 requirements.
Tradeoffs. The main advantage to UTM is reducing operational complexity. In particular, reducing
operational complexity for network administrators increases the likelihood that they will use the
available protection features to optimize network security. However, while simplification presents the
advantage of security optimization by the administrator, the main drawback may be positioning UTM as a
single point of failure (SPOF) in a system or network.
One of the key factors that enables specialized UTM products to achieve the highest levels of
performance and boost network throughput is incorporating custom application-specific integrated
circuits (ASICs) into UTM hardware components. As discussed previously in the lesson Data Center
Firewall, using custom-designed ASICs presents a more challenging design process, but the tradeoff is
achieving the highest levels of system performance by having tailored the ASICs to the device
capabilities and intended functions. Even with high-performance ASICs, however, as more UTM
capabilities are activated, performance will decrease. As with most highly efficient technologies, planning
and configuration are critical in achieving optimum performance and control when systems and
networks are brought online.
Expanding on the foundation of an integrated firewall, UTM builds additional capabilities to enhance
network security management. With ever-increasing capabilities for data transfers between remote
users, one integrated capability not resident in NGFW is Data Leak Prevention (DLP) (sometimes
referred to as Data Loss Prevention), which helps prevent unauthorized transfer of information to someone
outside an organization by protecting the contents of email, web pages, and transferred files. DLP
gives administrators control over data through methods such as inbound/outbound filtering and
fingerprinting.
DLP filtering scans inbound and outbound files, searching for text strings and patterns that, when
compared against the DLP database, determine whether the content will be allowed, blocked, or
archived.
Fingerprinting consists of a method by which each document file is encoded with a unique
fingerprint; based on the fingerprint, DLP determines whether the document is a sensitive or
restricted file that should be blocked or whether the file is allowed to be shared beyond the network.
DLP has the ability to scan and identify data patterns using supported scannable protocols; for example,
FortiGate systems are capable of detecting HTTP, FTP, SMTP, POP3, IMAP, and instant messaging
protocols for the Yahoo, MSN, AOL, and ICQ messaging services [2]. A limitation of DLP, however, is that it is
affected by the same limitations as antivirus scanning: maximum file size, data fragmentation (but not
necessarily packet fragmentation), and encryption. All of these may limit effective data leak detection
and subsequent prevention.
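The filtering and fingerprinting decisions described above, combined in one added Python example that is not part of the study guide or of FortiOS: the pattern database, the fingerprint store, the sample documents and the scan-size limit are all constructed for illustration, and SHA-256 is used as the fingerprint function.

```python
import hashlib
import re

# Constructed stand-in for the DLP database: text patterns paired with the
# action to take on a match (the real FortiGate format is not modelled here).
DLP_PATTERNS = [
    # Payment-card-like run of 16 digits: block the transfer outright.
    (re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), "block"),
    # Internal classification marking: let it through but keep a copy for audit.
    (re.compile(r"INTERNAL USE ONLY"), "archive"),
]

# Scan limit modelled on the antivirus-style maximum file size the text mentions;
# content above it is not inspected at all, which is the limitation being shown.
MAX_SCAN_BYTES = 1024 * 1024


def fingerprint(data: bytes) -> str:
    """Encode a document as a unique fingerprint (a SHA-256 digest here)."""
    return hashlib.sha256(data).hexdigest()


def build_fingerprint_db(sensitive_docs: dict) -> dict:
    """Map fingerprint -> label for every document that must not leave the network."""
    return {fingerprint(data): label for label, data in sensitive_docs.items()}


def dlp_decision(data: bytes, fp_db: dict) -> str:
    """Return 'allow', 'block', 'archive' or 'unscanned' for one transferred file."""
    if len(data) > MAX_SCAN_BYTES:
        return "unscanned"          # too large to inspect: the engine cannot decide
    if fingerprint(data) in fp_db:
        return "block"              # exact copy of a fingerprinted restricted document
    text = data.decode("utf-8", errors="ignore")
    decision = "allow"
    for pattern, action in DLP_PATTERNS:
        if pattern.search(text):
            if action == "block":
                return "block"      # a block rule outranks an archive rule
            decision = action
    return decision


# Constructed sample input: one restricted document registered in the fingerprint store.
SENSITIVE = {"board-minutes.txt": b"Q3 board minutes: acquisition of ExampleCo approved."}
FP_DB = build_fingerprint_db(SENSITIVE)
```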
Switching. By integrating Switching into UTM, the capability to manage switching is added to single
control console security management. This again reduces the number of physical hardware devices and
control monitors necessary to manage the UTM system. From this integrated control panel, individual
ports can be switched on or off to physically isolate network traffic. This is important, because some
applications attempt to use port 80 to avoid detection from traditional port-based firewall security
systems. Port 80 is the primary port used by the World Wide Web (WWW) and is how web servers
listen for incoming unsecure (HTTP) connections from web browsers. This is a primary port through
which malicious code tries to sneak in via Internet applications. Conversely, secure WWW
connections are monitored through port 443 (HTTPS) using TLS/SSL security protocols.
With continued increases in mobile computing and BYOD operations, many people in today's
technologically empowered workforce expect the ability to replicate their office environment wherever
they happen to be conducting business. Because of the many variables involved in such an endeavor
(variations in available Internet speeds, availability of secured versus open networks, volume of users on
remote networks, the cost of high-speed links, and so forth), a technique needs to be available to
enable effective remote communication for authorized network users. In this situation, a process called
WAN Optimization (WANOpt) is such a technique for use with UTM-empowered network infrastructures
(Figure 3).
WANOpt provides improved application and network performance to authorized remote users through
five primary methods [3]:
Protocol optimization. Improves efficiency of FTP, HTTP, TCP, and other protocols to accelerate
network performance.
Byte caching. Caches files and data to reduce the amount of data that must be sent across the WAN.
Web caching. Stores/caches web pages to serve on request, avoiding reloading over the WAN and
reducing latency and delays between servers.
SSL offloading. Offloads SSL decryption/encryption onto SSL acceleration hardware to boost
web server performance.
Secure tunneling. Secures traffic crossing the WAN.
Power over Ethernet (PoE). PoE allows UTM to provide power to external devices, much like legacy
systems such as Universal Serial Bus (USB). With PoE, power can be supplied over Ethernet data cables
along extensive cable lengths, either on the same conductors as data or on a dedicated conductor in the
same cable (Figure 4). USB data + power capabilities are designed for up to 5m (16ft), compared to PoE
capability up to 100m (330ft) or even more with new PoE-plus developments.
3G/4G. 3G/4G extenders integrate with UTM to provide a secure WAN connection for SMB and
distributed enterprise locations, with ability to serve as a secondary failover connection to the wired
WAN link for business continuity or, if desired, as a primary WAN link.
UTM Functions
UTM provides a number of integrated functions beyond the scope of NGFW. Two of these important
functions focus on threats inherent in platform capabilities used daily by users in systems and networks
of all sizes, from personal computers, to smartphones and phablets, to networks and data center
operations and automated business functions. In particular, these common threats (which continue to
evolve with technology and the more widespread integration of technology components into common
devices) include email and surfing the Web.
You may have heard in many different commercials (both online and in other media) the phrase "we
have an app for that!" Fortunately, UTM has apps (or solutions) to help protect your networks from
these continually evolving threats.
Antispam. One of the most widely used buttons on email applications is the one that allows users to
designate messages from a particular sender as spam, thereby routing them to a folder for which the
user receives no alert when a message arrives and from which messages are often automatically deleted
at a programmed periodicity. UTM has an integrated Anti-Spam function as well, acting as a filter to
block threats like bots, many of which arrive in user email boxes. The multiple anti-spam capabilities
integrated into UTM may detect threats using a variety of methods, including:
Blocking known spam IP addresses to prevent receipt.
Blocking messages with any URL in the message body associated with known spam addresses.
Comparing message hashes against those for known spam messages. Those that match may
be blocked without knowledge of actual message content.
Comparing the client IP address and sender email address to stored whitelist/blacklist profiles.
Whitelist matches get through; blacklist matches get blocked.
Conducting a DNS lookup on the domain name to see if the domain exists or is blacklisted.
Blocking email based on matching message keywords or key phrases in a banned word/phrase
filter list. [3]
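The six detection methods listed above, combined into a single filter as an added Python example (not the study guide's or Fortinet's code): the reputation lists, the "DNS" table and the sample messages are constructed, and `domain_exists` stands in for the real DNS or DNSBL lookup a UTM would perform.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed reputation data standing in for the UTM's anti-spam databases.
SPAM_IPS = {"198.51.100.23"}                      # known spam source addresses
SPAM_URL_DOMAINS = {"cheap-pills.example"}        # domains of URLs seen in spam
SPAM_MSG_HASHES = {hashlib.sha256(b"BUY NOW!!! limited offer").hexdigest()}
SENDER_WHITELIST = {"alice@partner.example"}
SENDER_BLACKLIST = {"noreply@scam.example"}
KNOWN_DOMAINS = {"partner.example", "corp.example", "scam.example"}  # stand-in for DNS
BANNED_PHRASES = ["free money", "act now"]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_exists(domain: str) -> bool:
    """Stand-in for the DNS lookup; a real filter would query DNS and a DNSBL here."""
    return domain in KNOWN_DOMAINS


def classify(msg: dict) -> tuple:
    """Return (verdict, reason) for a message with keys client_ip, sender and body."""
    sender = msg["sender"].lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    # Whitelist/blacklist profiles: whitelist matches get through, blacklist matches are blocked.
    if sender in SENDER_WHITELIST:
        return "allow", "sender whitelisted"
    if sender in SENDER_BLACKLIST:
        return "block", "sender blacklisted"
    # Known spam IP addresses.
    if msg["client_ip"] in SPAM_IPS:
        return "block", "client IP on spam list"
    # Message hash comparison: matches known spam without needing to read the content.
    if hashlib.sha256(msg["body"].encode()).hexdigest() in SPAM_MSG_HASHES:
        return "block", "message hash matches known spam"
    # URL reputation: any URL in the body whose host is a known spam domain.
    for url in URL_RE.findall(msg["body"]):
        if urlparse(url).hostname in SPAM_URL_DOMAINS:
            return "block", "body URL on spam domain list"
    # DNS lookup on the sender's domain.
    if not domain_exists(sender_domain):
        return "block", "sender domain does not exist"
    # Banned word/phrase filter.
    body = msg["body"].lower()
    for phrase in BANNED_PHRASES:
        if phrase in body:
            return "block", "banned phrase: " + phrase
    return "allow", "no rule matched"
```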
Intrusion Prevention Systems (IPS). IPS performs a dual protection function. In the UTM environment,
IPS protects the internal network from attacks that originate from outside the network perimeter as well
as those that originate from within the network itself. IPS is also discussed as a component of NGFW; in
a UTM solution's environment, the IPS component provides a range of security tools to both detect and
block malicious activity, including:
Predefined signatures. A database of malicious attack signatures is included, which is updated
regularly to keep pace with newly identified threats.
Custom signatures. Customizable entries that add to the standard threat signature library to add
protection against new, little known, or unknown attacks.
Out-of-band mode. Alternately referred to as one-arm IPS mode, the component may be
programmed to operate as only an Intrusion Detection System (IDS), detecting but not acting
upon identified threats and attacks. In this configuration, such identified threats/attacks would
be analyzed on a separate switch port.
Packet logging. This feature provides the option to save network packets that match identified
IPS signatures and analyze the log files with analysis tools.[3]
Like many other sectors of the technology industry, UTM deployment may be accomplished in various
ways. A common method for vendors (following traditional hardware procurement paradigms) was to
license UTM infrastructure based on the number of devices included in the deployment package. In
other words, the standard was an a la carte menu of options.
Summary
NGFW improved on the basic gatekeeping security of Edge Firewalls by introducing such features as IPS,
Deep Packet Scanning, Network Application Identification and Control, and Access Enforcement.
However, beyond those capabilities, additional security functions meant additional appliances and
software configurations, increasing operational complexity for the network administrator.
Because increased operational complexity often results in processes being bypassed in the interest of time
or because of administrator overload, a new dynamic vision of a flexible, future-ready security solution was
needed to meet the needs of today's network environments and keep pace with (or think ahead of) the
advanced threats of the future. This dynamic, integrated network security concept, Unified Threat
Management (UTM), is in place today and ready for tomorrow's evolving challenges.
Overcoming the difficulties of patching together legacy systems with newer, state-of-the-art systems,
UTM brings flexibility, vision, power, and control to networks from SMB to large enterprises that have
international reach. Combining user-simple interfaces with threat-complex protections, as well as cost-
effective procurement, operations, and support, UTM provides an optimum system to best ensure
continued network operations in a secure environment.
Key Acronyms
AAA
AD Active Directory
ADC
ADN
AM Antimalware
API
APT
ASIC Application-Specific Integrated Circuit
ASP
ATP
AV Antivirus
AV/AM Antivirus/Antimalware
BYOD Bring Your Own Device
CPU
DDoS
DLP Data Leak Prevention (Data Loss Prevention)
DNS
DoS Denial of Service
DPI
DSL
FTP
FW Firewall
GB Gigabyte
GbE Gigabit Ethernet
Gbps
GSLB
GUI
IaaS Infrastructure as a Service
ICMP
ICSA
ID Identification
IDC
IDS Intrusion Detection System
IM Instant Messaging
IMAP
IoT Internet of Things
IP Internet Protocol
IPS Intrusion Prevention System
IPSec
IPTV
IT Information Technology
J2EE
LAN
LDAP
LLB
LOIC
MSP
NSS NSS Labs
OSI
OTS
PaaS Platform as a Service
PC Personal Computer
PoE Power over Ethernet
POP3
QoS Quality of Service
SaaS Software as a Service
SDN Software-Defined Network
SEG
SFP
SFTP
SIEM
SLA
SM Security Management
SMB
SMS
SPoF Single Point of Failure
SQL
SSL Secure Sockets Layer
SWG
SYN
TCP
TLS
URL
USB Universal Serial Bus
UTM Unified Threat Management
VM Virtual Machine
VoIP
VPN Virtual Private Network
WAF
XSS Cross-site Scripting
Glossary
AV/AM. Anti-virus/Anti-malware provides protection against virus, spyware, and other types of
malware attacks in web, email, and file transfer traffic. Responsible for detecting, removing, and
reporting on malicious code. By intercepting and inspecting application-based traffic and content,
antivirus protection ensures that malicious threats hidden within legitimate application content are
identified and removed from data streams before they can cause damage. Using AV/AM protection at
client servers/devices adds an additional layer of security.
NGFW. Next Generation Firewall provides multi-layered capabilities in a single firewall appliance instead
of a basic firewall and numerous add-on appliances. NGFW integrates the capabilities of a traditional
firewall with advanced features including:
Application Awareness
IPS. Intrusion Prevention System (IPS) protects networks from threats by blocking attacks that might
otherwise take advantage of network vulnerabilities and unpatched systems. IPS may include a wide
range of features that can be used to monitor and block malicious network activity, including out-of-band
mode (or one-arm IPS mode, similar to IDS). IPS can be installed at the edge of your network or
within the network core to protect critical business applications from both external and internal attacks.
Spam. Spam is usually considered to be electronic junk mail or junk newsgroup postings. Some people
define spam even more generally as any unsolicited email. Spam is generally email advertising for some
product sent to a mailing list or newsgroup.
UTM. Unified Threat Management (UTM) provides administrators the ability to monitor and manage
multiple, complex security-related applications and infrastructure components through a single
management console. The advantage to UTM is that it goes beyond the NGFW focus of high
performance protection of data centers by incorporating a broader range of security capabilities as
either cloud services or network appliances, integrating:
Content Filtering
VPN Capabilities
Load Balancing
VPN. Virtual Private Network (VPN) is a network that is constructed by using public wires (usually the
Internet) to connect to a private network, such as a company's internal network. VPNs use
encryption and other security mechanisms to ensure that only authorized users can access the network
and that the data cannot be intercepted.
References
1. Rouse, M. Unified Threat Management Devices: Understanding UTM and its Vendors. Essential Guide, 2014.
2. Tam, K., et al. UTM Security with Fortinet: Mastering FortiOS. Waltham, MA: Elsevier, 2013.
3. Tittel, E. Unified Threat Management for Dummies. Hoboken, NJ: John Wiley & Sons, 2012.
4.