In an effort to help IT managers better secure their organisations, Computerworld brings you answers - provided by AusCERT's experts - on a few of the more common questions around key security technologies. Here we look at United Threat Management (UTM).
What do you really need when it comes to UTM?
This is another question that each business will need to answer individually based on what they want to protect, and the anticipated level of exposure to threats.
Most firewalls these days are not classical firewall devices, they typically include some features that used to apply to the term “UTM”. With this in mind organisations considering a “UTM solution” should look at the following features:
- Simplicity – how easy is the device to configure and manage?
- What do I want the device to do? Antispam? Firewall? Content filter? Antivirus?
- Vendor responsiveness to support and device replacement. Remember you may be replacing a large chunk of our security infrastructure with this device.
What should be your evaluation and selection criteria and why? How should you go about comparing offerings?
- Does the product integrate well with my existing infrastructure?
- How easy is it to keep the device up to date?
- Does the vendor have a strong history in this area?
As with all technology, it must first meet the needs of the business, if you first establish these requirements, a matrix can be designed with which to compare products.
What are the prime considerations for UTM?
- Selective SSL decryption capabilities (e.g. webmail but not internet banking)
- Active Directory or other directory integration functionality
- Support for multiple authentication mechanisms (RSA, Kerberos etc)
- Does the device work well in a failover configuration?
- Does the device work well in a failover configuration?
- Does the device support High Availability (HA) configurations?
- Is the device capable of using redundant ISP settings?
- Granular configurable reporting and blocking is usually desirable.
- Simple updating with data from multiple sources, including up to date vendor “known bad” lists, and bulk rule updating.
- Deep packet inspection capabilities may be highly desirable.
- VPN capabilities may be desirable.
- Remote encrypted logging capabilities.
- Multi user with configurable access levels.
In your mind what are the key UTM Do's and Don’t’s?
- Do fit a solution to the problem you’re trying to solve, rather than simply purchasing a product because of all its bells and whistles.
- Do thoroughly assess the protections offered and how they map to your business requirements.
- Ensure the system matches the risk profile of the business.
- Avoid including features you don’t need, and can’t turn off.
Consider your need for intrusion detection and blocking – most forms of intrusion prevention and detection system will need to “learn” normal activity in your current environment, and can be a daunting task for security administrators to configure.
Remember that when you consolidate security infrastructure in this way, a remotely exploitable vulnerability in any component of the UTM system can disable a significant portion of your security infrastructure. Make sure you have a plan for such a contingency.