Guest Column | May 5, 2014

Why Your Customers Need Modern UTM

By Joshua Liberman, President, Net Sciences, ASCII Group Member Since 1996

Selling UTM As a VAR

The days of feeling secure by simply performing packet inspection at your network edge are long past. These SPI (stateful packet inspection) devices or firewalls were the first generation of network security, the one many of us experienced in the late 1990s. In the first half of that decade, we also saw a parallel rise of devices and/or applications that performed more complicated duties such as IDS and IPS (intrusion detection and intrusion prevention). In the last six to ten years, those threat detection and remediation duties have been rolled into DPI (deep packet inspection) devices that offer UTM (unified threat management) for your networks in a single device. These very powerful firewalls are now fast and capable enough to inspect all seven layers of network traffic and block threats of all types at the network perimeter.

Upgrade Your Front Door

Today every network connects to the Internet, and every network needs good perimeter defenses; this is, in effect, the lock on the front door.  Firewalls serve as the first layer of your defense system and stand between you and the outside world of the Internet. For many years, firewalls simply performed SPI. This means that each data packet’s header is examined to verify its validity. Unfortunately, this is roughly akin to asking people at the airport if they are carrying a weapon and then taking them on their word. Trust but verify. These limited SPI capabilities are what you see in the $49 SPI firewalls or integrated in your cable or DSL modems, though some wireless routers improve upon this basic functionality.

That is where modern UTM firewalls and DPI come into play. Unlike SPI, where just the packet header is examined, DPI scans the entire packet (each of the billions of them that comprise a day’s work) for “signatures” of known attacks of every kind. Since virtually all attacks are identifiable in this manner, DPI firewalls are capable of searching packets for viruses, spyware, trojans, and many other network attacks. Their traffic scanning abilities are vastly superior to those of old-school SPI firewalls. The downside to this is performance. As anyone who has spent time in an airline security line knows, thorough examinations take longer. Fortunately, fast DPI firewalls are now affordable for every business, at price points from about $1,000, including remote access and secure wireless support.

It’s All In The Signatures

Like most devices designed for the SMB marketplace, DPI firewalls (aka UTM or unified threat management devices) work on signature-based scanning, as do antimalware products. Each packet is scanned for any known attack as it flows through the device, with pattern files being continuously updated in the device through a subscription service. Some firewalls buffer the packets before inspection (Fortinet) and some scan in real time without first buffering (SonicWall). There are benefits to either method: real-time scanning without buffering removes any inherent limit on the size of file that can be scanned, but it requires more power in the device to keep up with the data flow. With 100 Mbps and faster circuits becoming increasingly common, you can see that this is ever more challenging.
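The SPI-versus-DPI contrast above and the buffered-versus-streaming point in this section, as an added illustration (not part of the column or of any vendor's product): a header-only check beside a streaming signature scanner that carries over just enough bytes to catch a pattern split across two packets, so no file-size limit is imposed. The signatures, allowed-port list and packet flow are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholder signatures; not real malware patterns.
SIGNATURES = {b"EVIL-PAYLOAD-SIG": "test.trojan.A", b"DROP TABLE": "sqli.generic"}
ALLOWED_DPORTS = {80, 443}

@dataclass
class Packet:
    dport: int      # the only header field this toy SPI check looks at
    payload: bytes

def spi_allows(pkt: Packet) -> bool:
    """SPI-style decision: header fields only; the payload is never read."""
    return pkt.dport in ALLOWED_DPORTS

class StreamScanner:
    """DPI without full buffering: scan each payload as it arrives, carrying only the
    last (longest signature - 1) bytes so a pattern split across two packets is still
    caught. Memory is bounded by signature length, not by the size of the transfer."""
    def __init__(self, signatures):
        self.signatures = signatures
        self.keep = max(len(s) for s in signatures) - 1
        self.carry = b""

    def feed(self, chunk: bytes) -> list:
        data = self.carry + chunk
        hits = []
        for sig, name in self.signatures.items():
            # Count only matches that end inside the new chunk, so a match already
            # reported from the carried-over bytes is not reported twice.
            start = max(0, len(self.carry) - len(sig) + 1)
            if data.find(sig, start) != -1:
                hits.append(name)
        self.carry = data[-self.keep:] if self.keep else b""
        return hits

def dpi_scan(packets) -> list:
    """Run a flow's packets through one scanner; returns the signature names matched."""
    scanner = StreamScanner(SIGNATURES)
    found = []
    for pkt in packets:
        found.extend(scanner.feed(pkt.payload))
    return found

# Constructed sample flow: an HTTP download whose signature straddles two packets.
FLOW = [
    Packet(80, b"HTTP/1.1 200 OK\r\n\r\nMZ....EVIL-PAY"),
    Packet(80, b"LOAD-SIG....rest of file"),
]
```

The SPI check passes both packets of the flow because port 80 is allowed, while the streaming scanner reports the signature even though neither packet contains it whole.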

The Swiss Army Knife Of Security

UTMs or next generation firewalls are capable of inspecting traffic at all seven layers of the network stack and, therefore, can identify traffic by application type. That means they can go far beyond traditional content filtering offerings: not just blocking or tracking web access, but identifying, controlling and reporting on application usage, distinguishing Facebook chat from “standard” Facebook usage, and controlling user behavior on a very granular level. They can filter, log, and/or track by individual IP source address (or, with LDAP connectivity, by authenticated user), and can be configured to report this usage graphically and in real time.

Many UTMs integrate Wi-Fi and/or control remote access points, in effect acting as a wireless switch or controller. They can, in some cases, handle dozens to hundreds of access points and provide enterprise-level features such as wireless hand-offs, multiple virtual SSIDs (each with its own policies), rogue access point detection, and more. They also serve as SSLVPN endpoints, providing secure clientless or client-based SSLVPN remote connectivity as well as, in some cases, proxy-based remote access to internal network resources. Some UTMs also offer enterprise-grade features such as the ability to bond many Internet circuits with load balancing and fail-over capabilities, either in HA (high availability, passive failover) operation — think RAID1 — or in active or clustered operation, more of a RAID0 for firewalls. Some UTMs include integrated spam filtering. Some UTMs can act as front end controllers for simple WAN acceleration with traffic shaping and data compression capabilities at a fraction of the cost of dedicated units.

Properly configured, a modern UTM can provide excellent perimeter security, granular management of your Internet usage (content filtering, bandwidth management), secure wireless access, and secure remote access. A single device can handle your perimeter security, secure wireless, remote access requirements, user access controls, and much more, potentially with fault tolerance built in. They really are the Swiss army knives of security.

SMBs are the ideal target for today’s modern UTM devices, as they can provide 80 percent of the security requirements in a single, nearly set-and-forget appliance. They also provide SSLVPN connectivity, granular user control, and some even offer secure managed wireless. At price points between $1K and $2K, they are the silver bullets of security.