UTM thwarts blended attacks

Anthony James explains the how and why of such threats

Unified threat-management appliances provide increased intelligence with which to detect network threat activity. They do so through the correlation and analysis of data from various security engines. This approach provides an alternative to piecemeal implementation of separate systems.

This product category has a minimum feature set that includes a firewall, an intrusion detection/prevention system (IDS/IPS) and antivirus capabilities. Many UTM appliances have been expanded to include VPNs, antispam, antispyware and web content filtering.

Most of these security capabilities operate at the application layer, with the aim of detecting spam, viruses, worms and other sophisticated forms of attack, as well as potentially offensive or unauthorised content. Therefore, every UTM appliance must be able to perform deep-packet inspection from Layer 3 through to Layer 7. Some threats span several packets, so thwarting them in real time requires reassembling the payload across packets (a TCP stream, for example) before it is matched: a signature that straddles a packet boundary is invisible to an engine that inspects each packet on its own.

Despite the security integration advantages offered by UTM appliances, their complex packet-processing requirements raise concerns about performance. For this reason, UTM systems should deploy some means of hardware acceleration.

The performance issue has two dimensions: throughput and latency. Hardware acceleration affords improvement in both dimensions, and some UTM systems can achieve a throughput of up to 70Gbit/s with a total latency of less than 50ms.

Performance can also be a problem with stand-alone systems. Individually, they can offer satisfactory throughput featuring sufficiently low latency, but when implemented in a serial fashion, as required by the piecemeal defence-in-depth approach, latency is cumulative.

Because many enterprise networks now support delay-sensitive applications, such as VoIP, total latency can quickly exceed the recommendation for these mission-critical applications. UTM solutions help overcome latency issues by reassembling the data once for multiple security features rather than reassembling the content for each security feature individually.
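The two points above, that a threat can straddle packet boundaries and that one reassembly pass can serve several engines, in working code. This is an added example, not Fortinet's or any UTM product's code: the three signatures are hypothetical, the HTTP request and its segmentation are constructed, and a real engine would buffer out-of-order segments rather than simply stop at a hole as this one does.

```python
"""Added example, not Fortinet's code: a signature split across TCP segments is
invisible to per-packet matching, but one stream reassembly pass catches it and
can feed several inspection engines. Signatures and traffic are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes


# Hypothetical signatures for three engines (not real vendor rules).
SIGNATURES = {
    "ids": [re.compile(rb"GET /cgi-bin/\.\./\.\./etc/passwd")],
    "antivirus": [re.compile(rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE")],
    "content": [re.compile(rb"(?i)\b(casino|gambling)\b")],
}


def match(data, signatures):
    """Run every engine's signatures over one buffer; return (engine, pattern) hits."""
    return {
        (engine, pat.pattern.decode())
        for engine, pats in signatures.items()
        for pat in pats
        if pat.search(data)
    }


def inspect_per_packet(segments, signatures):
    """Naive approach: each segment is inspected in isolation."""
    hits = set()
    for seg in segments:
        hits |= match(seg.payload, signatures)
    return hits


def reassemble(segments, isn):
    """Rebuild the contiguous byte stream from out-of-order, overlapping segments.

    isn is the sequence number of the first payload byte. Bytes beyond a hole are
    withheld until the missing segment arrives (a real engine would buffer them),
    because matching across a gap would give wrong results.
    """
    stream = bytearray()
    nxt = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > nxt:
            break                                  # hole: stop at the gap
        stream += seg.payload[nxt - seg.seq:]      # skip retransmitted overlap
        nxt = max(nxt, seg.seq + len(seg.payload))
    return bytes(stream)


def inspect_connection(segments, isn, signatures):
    """Reassemble once, then hand the same buffer to every engine."""
    return match(reassemble(segments, isn), signatures)


# Constructed traffic: one HTTP request whose attack string straddles a segment
# boundary, delivered out of order, with an overlapping retransmission.
ISN = 1000
REQUEST = (b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"
           b"Host: www.example.test\r\n\r\n")
SEGMENTS = [
    Segment(ISN + 20, REQUEST[20:35]),   # arrives first, starts mid-signature
    Segment(ISN, REQUEST[:20]),          # first 20 bytes arrive second
    Segment(ISN + 30, REQUEST[30:]),     # overlaps the previous segment by 5 bytes
]

if __name__ == "__main__":
    print("per-packet:  ", inspect_per_packet(SEGMENTS, SIGNATURES))
    print("reassembled: ", inspect_connection(SEGMENTS, ISN, SIGNATURES))
```

Run stand-alone, the per-packet pass reports nothing because no single segment contains the whole path-traversal string, while the reassembled stream matches the IDS signature. The reassembled buffer is built once and passed to all three engines, which is the latency argument of the paragraph above: the cost of reordering and de-duplicating segments is paid once, not once per engine.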

With its integration of multiple security engines into a single appliance, UTM makes it easier for administrators to enforce detailed security policies throughout the enterprise. It also makes it possible to detect blended threats that employ a combination of attacks (such as a mix of viruses, worms, trojans and denial-of-service attacks) crafted to circumvent a single line of defence.

With UTM solutions, the integrated security engines work together, enabling the system to inspect real-time traffic, whether as packets or entire files, from multiple vantage points. For example, a seemingly harmless email message may pass cleanly through an antivirus engine because it carries no malicious code itself, but it could contain an HTML attachment that ultimately points to a trojan. Because a UTM solution can combine antispam, antivirus, antispyware and other security engines, and correlate their findings on the same message, it can detect such blended threats more readily.
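The scenario just described, as an added example rather than any vendor's code: three toy engines each score the same parsed message, and a correlation step blocks it even though no single engine's score reaches the threshold a standalone product would apply. The scoring heuristics, the antivirus signature, the thresholds and both sample messages are constructed for illustration; real engines use far richer rules, but the shape of the argument (per-engine scores below threshold, combined score above it) is the point.

```python
# Added example (not Fortinet's code); heuristics, signatures and messages are constructed.
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".js", ".vbs")
LURE_WORDS = ("invoice", "payment", "urgent")
AV_SIGNATURES = [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"]  # hypothetical AV rule
ENGINE_THRESHOLD = 5    # score at which a standalone engine would block
COMBINED_THRESHOLD = 5  # score at which the correlated verdict blocks

class LinkExtractor(HTMLParser):
    """Collect link targets, including automatic <meta http-equiv=refresh>."""
    def __init__(self):
        super().__init__()
        self.links = []  # (url, automatic)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], False))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            if "url=" in content.lower():
                self.links.append((content.split("=", 1)[1].strip(), True))

def antispam(msg):
    """Header heuristics only; never looks inside attachments."""
    score, reasons = 0, []
    if any(w in (msg["Subject"] or "").lower() for w in LURE_WORDS):
        score += 2
        reasons.append("antispam: lure word in subject")
    if not msg["Message-ID"]:
        score += 1
        reasons.append("antispam: missing Message-ID header")
    return score, reasons

def antivirus(msg):
    """Byte signatures over attachments; an HTML lure carries no payload to match."""
    score, reasons = 0, []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if any(sig in data for sig in AV_SIGNATURES):
            score += 10
            reasons.append(f"antivirus: signature hit in {part.get_filename()}")
    return score, reasons

def web_filter(msg):
    """Antispyware/web-filter view: where does an HTML attachment send the user?"""
    score, reasons = 0, []
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        ext = LinkExtractor()
        ext.feed(part.get_content())
        for url, automatic in ext.links:
            if urlparse(url).path.lower().endswith(EXECUTABLE_SUFFIXES):
                score += 4 if automatic else 3
                reasons.append(f"web: attachment {'auto-loads' if automatic else 'links to'} {url}")
    return score, reasons

ENGINES = {"antispam": antispam, "antivirus": antivirus, "web": web_filter}

def analyse(raw):
    """Parse once, run every engine over the same parsed message, then correlate."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    per_engine, reasons = {}, []
    for name, engine in ENGINES.items():
        per_engine[name], why = engine(msg)
        reasons += why
    total = sum(per_engine.values())
    return {"per_engine": per_engine,
            "blocked_alone": {n for n, s in per_engine.items() if s >= ENGINE_THRESHOLD},
            "combined_score": total,
            "blocked_combined": total >= COMBINED_THRESHOLD,
            "reasons": reasons}

def build_message(subject, html_attachment):
    """Constructed sample mail: plain-text body plus one HTML attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "user@corp.test"
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    msg.add_attachment(html_attachment, subtype="html", filename="document.html")
    return msg.as_bytes()

# The lure the article describes: a harmless-looking HTML attachment that
# silently redirects to an executable download.
BLENDED = build_message("Invoice attached",
    '<html><head><meta http-equiv="refresh" '
    'content="0;url=http://updates.example.test/invoice-viewer.exe"></head>'
    '<body>Loading your invoice...</body></html>')
BENIGN = build_message("Meeting notes", "<html><body>See you at 3.</body></html>")
```

Calling `analyse(BLENDED)` gives an antivirus score of zero (the attachment contains no executable bytes), an antispam score and a web-filter score that are each below `ENGINE_THRESHOLD`, and a combined score above `COMBINED_THRESHOLD`, so the correlated verdict blocks the message while each engine on its own would have passed it; `analyse(BENIGN)` stays well below both thresholds. The message is parsed once and the same object is handed to every engine, mirroring the reassemble-once point made earlier for packet streams.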

The combination of multiple security engines within a UTM solution marks a new approach to the detection and remediation of blended threats.

James is director of project management for Fortinet. He can be reached at ajames@fortinet.com.
