This article is about the two types of Unified Threat Management solutions (UTM) – hardware and software. We will discuss the plus and minus points of both of them. We will also have a look at the open-source UTM for SMB, which you can download and install free of cost.

If you are looking for a broad introduction to Unified Threat Management, click on the given link. Basically a Unified Threat Management is an network security approach to consolidate the various individual security modules employed at the network perimeter in to a single platform/appliance in order to save cost as well as bring in unified management of the individual modules (Like Anti-Spam, Anti-Virus, VPN, Firewall, IPS, Content Filtering, Spyware protection etc). But when individual devices are consolidated in that fashion, there is one major limitation – the performance. As the network performance depends on the performance of the network perimeter security device and as network are scaling up to 10GE, this becomes a crucial factor. Let us look at how hardware based UTM and software based UTM solutions compare with respect to performance and other crucial factors.

Hardware/Appliance based UTM:

Of course, the hardware is just a part of a UTM solution, and it also consists of a security operating system/ and the various security modules. But, these two are common for both hardware and software UTM. We are referring to the UTM with custom built hardware, which is sold as a single appliance integrated with all the modules. These UTM appliances employ specialized hardware like customized processors and Application Specific Integrated Circuits (ASIC) to accelerate performance (Instead of using general computer/server hardware).

Historically, Routers and Firewalls have taken such an approach and been very successful. Initially, they were software programs running on a PC, then they were housed in a custom built hardware unit with specialised processors and ASIC chips. ASIC technology is a proven technology to improve throughput. Security specific ASIC processors contribute to the hardware acceleration of the security inspection process and hence greatly improve performance. One major advantage with this approach is that, hardware optimization could be extended through to the application layer of the OSI model.

There could be different types of processors employed to carry out different functions, in an appliance based UTM. For example, there is a main processor and there could be other co-processors to offload the work of the main processor. Some of these co-processors can be employed specifically for certain purposes like performing high-speed comparisons (from the memory) of objects to known threat patterns which is used to accelerate anti-virus, IPS and other application level security technologies for which such functions are crucial. There could be other specialized co-processors for performing high intensity tasks like encryption etc, which if done by the main processor, would inadvertently increase the load. The co-processors can also be placed at unique locations in an appliance based UTM. Some of them can be placed directly after the network interface, for example, to offload the main processor of functions related to firewall, policies, detecting protocol anomalies, expediting the delivery of latency sensitive traffic etc. at interface level itself (without taking them to the main processor) and if necessary transmit state information (and not actual packets) to the main processor improving performance drastically.

Software based UTM:

These type of UTM solutions are available as software downloads from the website of the vendors and the security functionalities that they are capable of, are activated via software licenses. So, these UTM’s can be downloaded on to a general computer server (according to the minimum specifications provided by the vendor) without a specific appliance for that purpose.

There are some advantages of such an approach. First, the rate of processor development (Speeds, multi-cores etc) is much faster for the computer servers than specialized ASIC based processors. The computer servers are made in bulk, increasing the possibility of getting a better price-performance ratio. But this is not always the case, as the computer servers for such applications are generally over-sized, and it is better to do so.

Generic Computer servers used for such a purpose is more flexible – they give redundant power supplies, RAID disks, slots for adding memory, etc. The hardware replacement is even more flexible as they are maintained along with the other computer systems and can be done by any system integrator, and hence there is no vendor lock-in(for hardware). These computer servers are available and serviceable at any part of the world.

Software based UTM’s are scalable. If more processing power is needed, more processors could be inserted. If more memory is needed, more memory is inserted. This approach also allows the UTM’s to offload some functions to a second gateway allowing for good amount of expansions, if the software licenses are taken in to consideration. Some vendors also support portability. That is, if a certain security module is not required in the head office (Like Anti-Spam), but required at the branch office, it could be transferred there.

All the expansions/upgrades/purchasing additional modules can be done on the fly by just purchasing software licenses over the Internet. That saves a lot of time and effort. Most of the software UTM’s support the multi-core processor technology used in today’s servers thereby allowing distributed computing – offloading different processes to different servers, improving the performance of the UTM.

Open-source implementations are possible and have actually been achieved – There is a software UTM called Untangle, which can be downloaded from the given link from their website which is free of cost (basic modules) and is open-source (registered with the GPL). It enables in a single platform, technologies like web-filter, virus blocker, ad-blocker, spam-blocker, firewall, intrusion prevention, VPN etc. and is basically a combination of various open-source technologies available for individual security modules. It can be useful for SMB companies and home offices, which don’t want to invest in professional UTM solutions. Of course, a computer server according to the specifications (based on the number of users) specified in their website needs to be dedicated for this one to run.

excITingIP.com

In case you have any questions, you could get in touch with us via the contact form or leave a comment below. You could also participate in the discussions in the Forum.

In this article, we have a look at a broad range of network security threats that concerns an enterprise user, what is Unified Threat Management (UTM) and why it is required, the types of UTM – hardware based, software based and distributed model, and the advantages and limitations of UTM based network security solutions.

A broad look at the threats affecting network security:

Enterprise networks face a wide range of security threats, which penetrate through the network perimeter. Threats from viruses (through email attachments) and worms are pretty common. Spam mails coming to the user mailboxes are not dangerous until they contain some links pointing to sites which involve in phishing and pharming where the user credentials, bank account details etc. can be stolen. A rootkit is a type of threat which embeds itself in to an operating system and interprets the commands that other programs use to do basic functions like accessing files etc, and manipulate them. There are then threats from the Internet like ad-ware (which produces pop up ads every time a program is run) or spy-ware which acts in the background without the knowledge of the user and secretly passes on user activities to recipients across the Internet. And then there are attacks that are carried on the enterprise networks to stall its functioning like the Denial of Service attacks or the Distributed Denial of Service attacks where the attackers generate a lot of requests that servers cannot handle and thereby preventing it from servicing the genuine requests. There are also hackers who try to penetrate the network from a remote location using sophisticated tools either to steal some classified information/business secrets or some other malicious intent like defaming an organization/ blocking the websites hosted by an organization etc.

What is Unified Threat Management (UTM)?

Hitherto, there were separate devices for guarding against each category of network security threats. A firewall was used for determining which ports are open to outsiders and which applications can be accessed by the users etc, an anti-virus engine was used to filter all the emails and the attachments coming in to the organization, an web filter was used to block/allow website access to the employees selectively and so on. But after a point of time, many of the perimeter network defence mechanisms were integrated and consolidated on a single platform. That is what we call a UTM – Unified Threat Management approach. These days there are even Xtensible Threat Management platforms that offer even more management features and functionalities than a UTM.

So, UTM brings the following network security technologies in to a single system/platform:
¤ Firewall
¤ Anti-Spam
¤ Anti-Virus
¤ Web/URL filtering
¤ Network Intrusion/Spyware protection
¤ Virtual Private Network (VPN)
And probably some more, depending on the vendor.

Types of UTM:

UTM’s are mostly Hardware/appliance based. These appliances come with specialized ASIC chip-sets which are tailor made to handle the processing that is required to scan for multiple threats simultaneously. Apart from the hardware, they feature a network security operating system which is highly robust and integrates with all the individual components of the UTM. The individual components themselves are license based – you could purchase a UTM with a basic firewall, anti-virus and anti-spam engines alone or you could purchase the entire gamut of network security technologies supported by them. Actually, UTM’s are pretty flexible – their components could be selected individually. The individual licences need to be upgraded after their license period is over (Normally once in a year).

There are Software based UTM’s too. The licensing is similar to the hardware based UTM’s, but the network security operating system and the individual UTM components (like anti-spam, IPS etc) are hosted on standard computer servers with a certain minimum configuration based on the number of users and the applications that are run simultaneously.

There are Distributed UTM’s. Actually they do not comprise of a single appliance to combat the various network security threats, but multiple hardware boxes from the same vendor, each specialized in its own functionality (like separate boxes for IPS, Web-Filtering etc) but still having a common management interface which makes them virtually a single appliance that can be controlled on a single platform.

There are advantages and disadvantages to each type and individual deployment scenarios also influence the type of UTM deployed. Hardware/appliance based UTM’s are more popular.

Advantages of UTM:

¤ One of the driving factors (at least in the SMB segment) for the adoption of UTM is the cost savings that it gives over point network security devices. With UTM, there are fewer physical devices to buy, single management interface, lesser complexity and fewer technical staff required to maintain.

¤ UTM avoids repetition of processes and hence saves time. Common processes (like scanning packets) once for each functionality would be time consuming. So, they are done once and used for all the applicable modules. For example, the packets are not scanned separately once for anti-spam and once more for gateway level anti-virus, hence saving time and processing power.

¤ With UTM, there is transparency of events and sharing of knowledge between different security modules, whic helps in identifying network threats more efficiently.

¤ Multiple devices can be managed from single place (especially for remote locations and branch offices) and flexible grouping policies can be created from the central management console itself.

¤ Single management interface to create uniform policy across the enterprise and across the different modules – the settings of a given domain can be established transparently and notified from the central administration interface.

¤ Single and familiar interface for analysing the results of multiple security modules which does event analysis, event correlation, detailed logging and reporting for all the security modules.

¤ Multiple patches, multiple upgrades and hence multiple maintenance contracts for each security module can be avoided using UTM’s.

¤ A UTM is not only deployed at the network perimeter of data centres, but it is also deployed at multiple locations (with varying functionalities and security modules, which can be flexibly configured) across the network like remote offices, network choke points etc.

¤ UTM provides both preventive and reactive protection for the network security threats. It also provides protection for various infrastructure elements like networks, applications, services etc.

¤ UTM solutions allow for the purchase of minimum functionalities (security modules) at the beginning and then add additional functionalities as the needs increase.

Dis-advantages of UTM:

¤ There are always existing investments in point security solutions like Firewalls etc, which may be considerable.

¤ Not all processing can be consolidated as some protection methods rely on different inspection techniques (Scanning for virus is different from deep inspection of packets in a firewall, for example).

¤ UTM introduces a single point of failure for all the network security elements, unless a high availability configuration is deployed.

¤ Normally, all the different security modules need to be bought from a single vendor (or their partners) creating a vendor lock-in on a longer term.

¤ When processing peaks are reached, certain vendors disable some functionalities (like IPS for example) to keep the system running. So, if the UTM has not been sized according to the maximum utilization requirements, there could be some compromise in the functionality.

¤ There is always challenge from cloud computing initiatives and UTM’s might have to be deployed in a virtual manner (One UTM divided in to several logical units, each serving different locations etc.) in the future, which is not possible currently.

¤ Some UTM devices may not have the granular features supported by stand alone technologies and hence those functionalities are either ignored or additional investments in terms of add-on’s needs to be made.

¤ There is always a possibility of performance constraint as there are limitations in hardware processing capabilities to handle so many applications/users simultaneously.

This article provides an introduction to what is URL Filtering, why it is needed and how it is done at enterprise level. We also have a look at the various factors involved in categorizing the websites and updating them. The advantages and dis-advantages of URL filtering are also discussed.

What is URL Filtering?

Suppose you type the name of your favourite social networking site on the web browser and it displays a message like “The policy of this organization doesn’t allow you to browse that website” and does not let you access the site from office, there is a URL filter that has been put in place by your IT department. So, a URL filter is used to basically categorize the websites on the internet and either allow/block the access to them to the web users of the organization either by referring to an already categorized central database (maintained by URL filtering vendors) or by classifying the websites in real time. URL filtering can also be made applicable only during certain times of a day or days of a week, if required.

Why is URL Filtering required?

URL filtering is required to stop the users of an organization from accessing those websites during working hours that:

¤ Drains their productivity
¤ Lets them view objectionable content from work place
¤ Is bandwidth intensive and hence creates a strain on resources

How URL Filtering is done?

URL Filtering is basically done by the URL Filtering vendors by maintaining a highly categorized database of most of the websites in the internet and either allowing access to them or dis-allowing access to them to the internet users of an organization either at all times or during certain times of a day. The policies of which categories of sites is to be allowed/dis-allowed to the users of an organization could be set by the IT department  personnel of enterprise companies through a web-based interface provided by URL filters. So, there is a local hardware appliance or software application running on a server that connects to a central database of the URL filtering vendors which enable to block individual websites.

There might be a local database, which is updated fully or partially from the central database. But updating them completely might have its own productivity problems like bandwidth or memory usage. Some vendors update such databases (local) as and when the users visit the websites (it typically takes only few milliseconds to do so).

A website can be categorized in a single category or multiple categories and the blocking can be done appropriately. For example, websites can be allowed to be accessed if they are categorized as sports but not if they are categorized as sports and gambling.

Generally, the URL Filtering companies rate the websites based on their domain names (In addition to the URL’s) as one domain can have multiple URL’s that tend to increase frequently. Optionally, even the IP addresses of the domain names can be included while rating the domains. The sub-domains also need to be classified in-addition to the main domains (For blogs, etc) and the intermediate pages need to be classified in addition to the primary pages or based on primary pages (Like translation sites or sites that display images from other websites). Websites in multiple languages may also be needed to be categorized similarly.

Categorizing websites in Real-time:

Since the internet is so huge, it is practically impossible to categorize the entire list of websites present in it. So, when certain sites are being accessed by the user, the URL filtering systems categorize them ‘on the fly’ or in Real-time. This typically takes only a couple of hundred milliseconds and the local databases are automatically updated along with the central database.

This categorization is automatically done by learning machines (automated software applications like website crawlers) which retrieves the key pieces/keywords (or sometimes all the words) of the web site’s content and context to decide on the most appropriate category. Even the links from the websites to other sites is analyzed for placing it in the relevant category. These learning machines are trained by human professionals by feeding it with training data (which contains the websites categorized by human professionals) and adjusting its setting to reflect the same results, over a considerable period of time.

Human Intervention:

There are times when the learning machines are not able to classify websites and all such websites are categorized by human professionals, who actively participate in training them, analysing the results and abnormalities etc. Site submissions are also accepted from all the users, which is reviewed by professionals for classification (for the websites that are not already classified).

Advantages and Disadvantages of URL Filtering:

As mentioned earlier, URL filtering helps organizations improve productivity by making sure that employee time is not spent in unnecessary activities during office hours. These URL filtering can also help by preventing malicious code/spyware, phising etc. which may be potentially harmful to the organization. Some vendors also help block Peer-to-Peer software’s and Instant messaging which use more resources, wastes time and is also a security threat.

Over-blocking can cause issues with users (Example, some commercial spyware needs to be installed for certain applications to work and blocking them might deny access to those applications to the users). And over-blocking can also result in more help-desk tickets that need to be attended to, and resolved by the support team. If that happens frequently, then both the time of the user and the support team is utilized excessively. Sometimes, there is a problem with certain websites that have been already classified and then become threat sites/ avoidable sites at a later stage.

excITIngIP.com

In case you have any questions, you could get in touch via the contact form or leave a comment below. You could also participate in the discussions in the Forum.

This article provides an overview of the various options available for securing enterprise email communications like anti-spam, anti-virus, zero-hour anti-virus, content policies, outbound email attachment scanning for DLP, email encryption, confidential data leakage protection and protection for web-based confidential data leakage (through http and ftp) for organizations.

Email security for enterprise companies can be achieved in a variety of ways – through a dedicated email security appliance, shared email security appliance, hosted on-demand (managed) email security or software based email security servers. The email security can also be a part of UTM (Unified Threat Management) solutions for smaller companies. The advantage of having a unified email security approach is that the following options for email security can be enforced at the gateway level with a single scan for individual email messages for all the below options.

Anti-Spam: Spam messages (especially the automated ones) are a point of concern for any organization. So, this is one of the primary offerings of email security. Some vendors use reputation based email spam detection where they maintain large databases of spamming email and IP addresses and quarantine incoming mails based on this list and some vendors use pattern analysis algorithms which check for structural and content attributes based on spamming methodologies analysed previously like SMTP rate control, MX record verification, image spam analysis, pornographic spam analysis etc. to identify and stop spam at the gateway level. Most of the bigger vendors use both the above techniques. Some vendors also do out-bound spam analysis and verification to prevent botnets (which are automated programs) sitting in your network and sending spam outside. There is a user level notification of spam messages/ management. The only concern for companies are the false positives – which may identify a normal message as spam.

Anti-Virus and Zero-Hour Anti-Virus: Gateway level antivirus scans all the incoming mails for any known viruses (through available signatures that keep updating regularly). This is different from PC based anti-virus. So, the mails are scanned, and if any virus is found, it is cleaned and sent to the user. If it is not possible to immediately remedy the virus, the message is held for quarantine, user is intimated and it is sent after a signature is received for that virus. Since most of the damage is done by viruses before a signature is produced for the attack, zero hour antivirus scans the message for any possibilities of a virus through pattern analysis and similarities with known viruses and any such positives are held at the gateway level until signatures are made available for them.

Content Policies: This module defines and enforces acceptable user policies for message content and attachments. Some examples include enforcing maximum message limit, allowable attachment types, maximum number of recipients/ attachments etc. for emails. Custom footer messages and disclaimers can be added automatically for all outgoing emails, if desired. An in-built offensive language dictionary can be used to monitor the mails for the usage of abusive or offensive language inside the organization or for outbound mails. Custom dictionaries can be created with additional keywords to be monitored.

Outbound Files/Attachment Scanning (DLP): Data Leakage Prevention is a concern for organization dealing with a lot of intellectual property/ financial information etc. So, this module can analyse and classify the confidential documents (which is generally intimated by the user through a special email address or set by the administrator) and continuously monitor for such classified information (either in full or part) in the outbound message stream and blocks any mails containing such information. Such messages can be held back with an intimation to the user or manager for appropriate review. A lot of file types including zip files etc. can be scanned to prevent intellectual property theft through the corporate email.

Confidential Information Leakage protection: There are certain confidential information like social security numbers, credit card numbers or health care information that can be sent out through a corporate email for nefarious purposes. So, this module identifies and prevents the leakage of such sensitive information like PHI – Personal health information or PFI – Personal financial information either through plain text or in an attachment. This is especially useful if an organization is required to comply for regulations like the HIPAA for health care segment etc. The identification is done based on NPI (Non Public Information) directories as well as common information identifier directories where the patterns for such information (like number of characters and the  starting digit for identifying credit card numbers, for example) are stored. Custom information like customer specific records, billing codes, account numbers, etc. can also be included.

Email Encryption: Encryption and decryption can be centrally managed at the gateway level for important emails that are either specified by users to be encrypted or automatically required to be encrypted (based on structural data matches for health care, financial information, confidential information, previously defined keywords, message origin/ destination etc. When the receiver receives the email, they may need to authenticate via email answer back, LDAP/AD based authentication, PKI smart card authentication, user name/ password etc. to receive the decryption keys.

Web based Confidential data leakage monitoring: The policies for SMTP based email (described above) can also be applied for http based email (like gmail, hotmail etc), http based communications (like message boards, blogs, file storage sites etc) and ftp based communications. This module generally monitors for web based traffic (provided this appliance is set as the default gateway for internet traffic) and works in conjunction with email security appliance for all the security modules described above to be applied for web based applications. In this case, only monitoring and reporting is possible and data leakage cannot be stopped.

excITingIP.com

In case you have any questions, you could get in touch with us through the contact form or leave a comment below. You could also participate in the discussions in the Forum.

This article attempts to see if bulk enterprise security policies can be applied to portable devices like USB pen drives, mp3 players, cellphones connecting through USB, CD/DVD media, Digital Cameras etc, if they can be managed from a central software application, and the features offered by such an application for Data Leakage Prevention.

Well, let us accept it. Portable devices like USB Storage drives are the hardest to manage in an enterprise. An employee can easily copy confidential information and take it home. Or a contractor can simply plug in the USB drive to a well intentioned employee’s PC and take information in the absence of the employee. Can these portable devices be monitored? Can the data leakage be prevented through them?

Yes. There are some software applications which give central management and data leakage protection for the most vulnerable part of the network – the USB drives.

Traditionally, companies have blocked all access to a USB drive in enterprise PC’s. That has never been an employee friendly policy. Even if an employee wants to make a presentation and wants to transfer a PPT, he needs to request the IT department – and that is what we call productivity hampering! Some solutions these days, allow selective access: They give access to only USB mouse/printers etc, and block access to USB pen drives. But again, it is the same story. Some companies used to physically verify if USB devices are being carried into a company, but since they are so small generally employees/guests need to volunteer information about them or they may not get noticed. And it is not a practical idea too because USB storage is available in the form of cellphones, MP3 players and even some watches come with built in USB drives – how would you block all these at the gate?

Well, these software applications described above for monitoring USB based devices can even extend network security policies to portable devices. Some of them integrate with Active Directory to enable easy creation of enterprise wide policies. These policies can be anything like blocking access to USB drives and portable devices to certain employees (like contract workers), limit certain devices to read-only (Like CD/DVD media), or let un-restricted access from certain PC’s (top management etc). In fact, a white list of corporate approved devices can be created and all other devices can be barred from connecting to the network port. Quite complex operation that, but if you are primarily dealing with Intellectual Property related businesses, it could come in handy.

You could monitor a variety of actions like connection/dis-connection of the USB based devices, when they connected, PC name, date, type of device connected, connection allowed/blocked, file type accessed, file name accessed, file read/write copy summary, whether the device connects locally, wirelessly, or from remote, popular files read from the servers etc. You could also selectively dis-allow certain devices like MP3 players, Digital Cameras to access the PC’s on your network and give read-only permissions to CDs and DVDs. Now, that’s a lot of options! So, you could view these information in the form of log reports or graphical charts.

In case if allowed data is being copied, you could set an instruction to encrypt the data with standards based AES 256 bit encryption. It is decrypted only if the employee types the password. So, even if the corporate USB drives are lost, sensitive data cannot be stolen. You could set a policy to automatically encrypt files being copied to USB storage media.

In case some policies need to be over-ridden, you could do it on a one time basis, but if you end up doing it all the time, maybe you need to rethink the policy structure! You could also run these applications in silent mode – just to monitor employee activity and reporting only to the top management if some un-wanted activity is reported, but not actually block any access or you could communicate to the employee by screen prompts that an activity is not allowed as per the company policies and they are violating the policy and hence the access is denied so that they would be more careful from the next time!

Some vendors also bundle virus/malicious software scanning and automatically block such USB drives from connecting to a computer (which could be most handy).

excITingIP.com

In case you have any questions, you could contact us through the contact form or leave a comment below. You could also participate in the discussions in the Forum.