We believe that by getting the basics right and understanding where your vulnerabilities lie, you can devise a strategy that helps keep you safe and secure, and then think about which solutions will prevent those weaknesses from being exploited. Take networks, for example: there are many potential ways to attack a network, and for each there is also a mitigating product. Worried about data leaking out of the organisation? Deploy a DLP solution. Worried about the web content that staff are accessing? Deploy a web filter.
There are many products used by IT departments to protect the network including:
- Traditional firewall
- Intrusion Prevention Systems (IPS) / Intrusion Detection Systems (IDS)
- Web Application Firewall
- Web Filtering
- Data Loss Prevention (DLP)
- Mobile Device Management (MDM)
However, when you consider the footprint of these devices, be it rack space or VM appliances, that's quite a few separate deployments. Each will likely be installed on its own application server and require OS licensing on top of the product's own licensing; add any further licences for backups that may be charged per server, and this quickly becomes both expensive and difficult to manage. This is where a UTM (Unified Threat Management) appliance can start to look very attractive.
A UTM is an umbrella term for appliances that offer a variety of security-related functionality in a single product. They offer a simpler solution by consolidating the functions into one interface with far simpler, usually modular, licensing. A single product also means staff can be trained on one management interface without having to attend multiple courses from different vendors. However, each UTM vendor goes about this differently, and each has its own strengths and weaknesses.
The UTM disassembled
I like to think of the UTM as a castle: the turrets working together to spot threats far off are the firewall, the drawbridge is client VPN access, and AV is the knights escorting scouting parties. All of these functions work together smoothly to ward off even the most determined attacks. Compare this with a mixed-vendor setup, where each product is its own fortification: each may see a suspicious spy within its own camp, but without a coherent overall picture all of them fail to spot the threat within.
Another benefit of the UTM is its oversight of the whole network, allowing better co-operation between modules (the firewall, AV and so on) to spot and isolate so-called blended threats. It also gives a single pane of glass for reporting, so you no longer have to run reports in different products and sift through the data to trace an intrusion. This is excellent if you also want to feed the data into a SIEM (Security Information and Event Management) solution, which provides digital forensics.
Some UTM solutions have extended their offering with installable agents that give your users the same web filtering, DLP, AV and other policies even when they are not in the office. Others offer remote-office devices that can be shipped directly to a site without prior configuration and installed by non-IT remote hands (the devices then check in to HQ once their serial number or ID has been added to the UTM), allowing branch-office networks to be configured and secured quickly and easily without a costly site visit.
Given their positioning at the network perimeter, most UTMs also offer web filtering, load balancing, client VPN access, IDS/IPS, anti-spam and DLP, making them fantastic all-round devices. One thing to be aware of is sizing the device correctly for the network, as running all the functions at once can be intensive if it is under-specified. UTMs unfortunately also present a single point of failure: the more features are enabled, the more one vulnerability has the potential to bring down the whole castle. Because of this, it is crucial to patch the devices regularly and adhere to good security practices such as complex passwords and appropriate file permissions... in short, the Cyber Essentials 10 Steps.
UTMs have quickly evolved to match the threat landscape, and several vendors have offerings on the market, each excelling in different areas, so with a security strategy in place you'll be able to choose the product that best fits your business and needs.
An additional benefit is that UTMs often come in a variety of deployment options (physical, virtual or cloud); the virtual appliance is an excellent opportunity to test-drive a trial version as a proof of concept before committing to a rollout.
One of the biggest benefits of using a single vendor is the intelligence and synergy this provides between the different security elements. For example, Sophos' XG offering allows the perimeter firewall and servers to check the status of an endpoint trying to communicate, ensuring that only those which are safe (recently patched and scanned) are able to. Sandboxing is also available with many UTM appliances; it combats the threat of ransomware by running suspicious files in a secure environment and monitoring their behaviour. Returning to the medieval analogy, this is similar to the King's cup-bearer, whose responsibility was to guard and test the king's cup before he drank from it.
The UTM, working as part of a considered IT security strategy, offers an all-round, easy-to-manage solution to ensure your realm is completely secure, with no hidden tunnels or open doors posing a threat to the organisation. In summary, deploying a UTM appliance will:
- Reduce the cost and simplify management of security across your estate
- Reduce licensing complications, bringing it all into a single vendor and product
- Improve security with products that work together intelligently, regardless of whether the user is in front of or behind the firewall
- Provide a wealth of reporting to assist with auditing and compliance requirements