
Unified threat management (UTM) features needed for Internet security

In order to deliver the best and broadest Internet security and WAN access to your users, you must evaluate unified threat management (UTM) appliance features, like the ones discussed in this tip, to determine which product is best for your enterprise.

IT must evaluate the unified threat management (UTM) features available on the market in order to deliver the best Internet security and wide area network (WAN) access to users. The UTM features highlighted in this tip will help IT determine which product is best for their enterprise.

Just as beauty is in the eye of the beholder, what makes a killer feature set for today’s -- and tomorrow’s -- security appliances is in the mind of its maker. While those makers or vendors do their homework to try to meet the needs of their customers with what they offer, WAN managers should be aware that UTM, or unified threat management, provides the most efficient and workable technology to combat network threats related to Internet and WAN access. To find the best Internet security solutions, look for the UTM features described in the bulleted list below.

If you look at the security appliance landscape over the last decade, you will be forcibly struck by the speed and volume of changes, along with the new technology introductions that have taken place. Ten years ago, nobody had heard of unified threat management. The term was only introduced in 2004 by IDC, but by 2010 it had grown to comprise 12% of the total global security market (InfoTech Vendor Landscape: IT Security Appliances).

UTM features found today: Leading edge and bleeding edge

  • Network firewall: Where the earliest firewalls cut out at Layer 3 or 4 of the OSI model, modern firewalls go all the way to Layer 7 and usually incorporate stateful processing and deep packet inspection (DPI), as well as all the basic port and protocol filtering capabilities.
  • Network intrusion detection and intrusion prevention (IDS/IPS): These devices not only watch traffic flow for signs of tampering or intrusion, but they are increasingly able to act automatically to block various types of attacks and shut down attempts at denial of service (DoS and DDoS).
  • Anti-malware protection: Security appliances with UTM capability now routinely screen incoming files, messages and other content for signs of malware, including viruses, worms, rootkits, spyware and so forth.
  • Anti-spam protection: UTM security appliances will typically perform various types of spam detection and filtering, to prevent unwanted and especially malicious email from crossing the network boundary.
  • Virtual private network (VPN) concentrator: UTM devices that include VPN concentrators typically support all of the major VPN types (and more), including SSL/TLS, SSH, IPsec, L2TP, and MPPE. It’s not unusual for such devices to support hundreds to thousands of simultaneous connections.
  • Content filtering: Content filtering can be a bit fuzzy and usually attempts to map AUP provisions into effective content controls. Under this heading you’ll find whitelisting and blacklisting techniques, URL filtering, protocol filtering and actual content inspection techniques put to work.
  • Load balancing: If security slows communications down, users will find ways to get around it, often using unsecure means. Security vendors recognize this and offer load balancing to permit customers to manage end-user performance expectations and provide sufficient handling capacity to match.
  • Data loss protection: This permits organizations to tag critical or sensitive data and automatically copy it across the Internet to offsite storage (for a fee, of course, which is why vendors also love this technology). But data loss protection does permit restores to occur, even if entire branch office sites are offline or unavailable.
  • Uniform console and reporting facility: With such an incredible assortment of functions, a single console, dashboard and reporting facility are an absolute must. Most vendors’ offerings work with one or more of their appliances under a single coherent view.
  • Network management integration: Security is just one part of overall network management, and thus security appliances must integrate with enterprise level management systems. All of the major vendors -- including Cisco, Fortinet, IBM/ISS, SonicWALL/NSA, and Watchguard/Firebox, among many others -- support ready integration with enterprise management systems from vendors such as IBM (Tivoli), HP (OpenView), CA Unicenter, BMC Business Service Management and so forth, and even open source options such as OpenNMS, Quest Big Brother, Nagios and more.
  • Network configuration and change management integration: NCCM is a key ingredient in modern service management frameworks such as ITIL, COBIT and Frameworx. Security appliances stand ready to accept change instructions from NCCM systems and report back on outcomes and configuration and compliance data.
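To make the layering in the firewall and content filtering items above concrete, here is an added example (not code from the original tip or from any UTM vendor) of how a single flow passes through a stateful check, a Layer 3/4 port and protocol filter and then Layer 7 inspection; the allowed ports, the host blocklist, the sample flows and the TLS ClientHello bytes are all constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    proto: str                 # "tcp" or "udp"
    dport: int                 # destination port
    payload: bytes             # first application bytes seen by DPI
    inbound: bool = False      # True if it arrives from the untrusted side
    established: bool = False  # True if it matches a tracked session

L4_ALLOW = {("tcp", 80), ("tcp", 443), ("udp", 53)}  # permitted outbound (proto, port)
HOST_BLOCKLIST = {"malware.example", "gambling.example"}  # constructed AUP blocklist

def looks_like_tls_client_hello(p):
    # TLS record: type 0x16 (handshake), major version 0x03, 2-byte
    # length, then handshake type 0x01 (ClientHello).
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01

def http_host(p):
    # Extract the Host header from a plaintext HTTP request, if any.
    for line in p.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode(errors="replace")
    return None

def evaluate(flow):
    """Return (verdict, deciding layer, reason); first failing layer wins."""
    # Stateful check: unsolicited inbound traffic never reaches L4/L7 rules.
    if flow.inbound and not flow.established:
        return ("drop", "state", "no matching session")
    # Layer 3/4: basic port and protocol filtering.
    if not flow.inbound and (flow.proto, flow.dport) not in L4_ALLOW:
        return ("drop", "L4", f"{flow.proto}/{flow.dport} not permitted")
    # Layer 7: inspect what actually rides on the port, not just the number.
    if flow.dport == 443 and not looks_like_tls_client_hello(flow.payload):
        return ("drop", "L7", "non-TLS traffic on 443")
    if flow.dport == 80:
        host = http_host(flow.payload)
        if host is None or host in HOST_BLOCKLIST:
            return ("drop", "L7", f"host {host!r} not permitted")
    return ("allow", "L7", "passed all layers")

TLS_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"  # constructed bytes
SAMPLE_FLOWS = [  # constructed sample flows, one per deciding layer
    Flow("tcp", 443, TLS_HELLO),
    Flow("tcp", 443, b"GET / HTTP/1.1\r\nHost: a.example\r\n\r\n"),
    Flow("tcp", 80, b"GET / HTTP/1.1\r\nHost: malware.example\r\n\r\n"),
    Flow("tcp", 8080, b"", inbound=True),
]
```

The second sample flow is the case a port-only firewall misses: it is permitted at Layer 4 because it targets 443, and only the Layer 7 check notices that the payload is plaintext HTTP rather than TLS.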

That’s one huge, honkin’ list of current capabilities, not all of which are available from every one of the security appliance vendors. Given such an incredible grab bag of stuff, it’s mind-boggling to speculate about what the future will hold. The next article trots out my best guesses as to what’s coming down the road for future unified threat management appliance features.

This was last published in March 2011
