UTM, or unified threat management, seems to have become a misused term; anyone who puts together something more than a firewall in the same box calls it a UTM.
So what are the key elements your credit union should look for? Read on:
1) Firewall – of course your credit union needs this, but in light of the other features that you will want, packet filtering, stateful inspection and proxy create a more flexible solution; so your firewall must be a hybrid.
2) IDS/IPS – this today is a must; you can’t have edge protection without proper IPS, and it is ridiculous to buy a separate one after you have spent all the money for a UTM device. This feature should be fully integrated with the firewall, to achieve a next generation firewall protection, and should be INLINE with the firewall, able to communicate with it to stop/tear down connections that are sending rogue packets.
3) Email protection – should be much more than just an anti-virus, or AV, product. Should be policy protection, to block unwanted attachments, hidden, compressed or otherwise. Should be protection for the server, integrated with the firewall and IPS. Should be protection from vulnerabilities that affect your credit union’s protocols and servers.
4) Antivirus – protocols to be protected are, at a minimum: SMTP, POP3, IMAP, FTP, and HTTP.
- AV is too generic a term; one single AV is no longer acceptable as no one can really keep up; best is to have more than one
- Real time AV – this is an emerging technology; but if you want to hope to block emerging threats, you need zero day protection, you need a real time AV
5) Antispam. Hackers use all kinds of ways to get in; your credit union needs to have protection against all of them. Antispam should have a proven record of at least 98% protection, should not be using old spam lists but should be based on more modern techniques, such as SPF check and many others. We still see too many systems that use old methods that cause way too many false positives and yield poor overall results
6) Web access policy – a credit union must be able to control where its employees are allowed to go on the Internet, and this in turn enhances protection as it prevents users from landing on dangerous websites.
7) VPNs – modern devices should support IPSEC for compatibility, but should also offer SSL as a full VPN, with roaming AND site-to-site solutions. PPTP is still there, as it is free and inexpensive, but not mandatory at this point.
8) Updates – the Internet moves too fast for updates to be pulled from the devices. Real-time push updates are now a must.
9) Monitoring/management – this is important because expert configuration is 50% of the protection.
A true UTM device should be seamless – the final result being stronger than the sum of the parts. The antispam should be able to communicate with the IPS, so that a spammer attacking your device will be blocked before the email is even delivered.
The antispam should also be able to use the categorization abilities of the web access policy to see if a URL in an email should be allowed or not. The IPS and the firewall should be fully integrated. And the list goes on …
New functions that are emerging as required on the UTM are DLP and Vulnerability Scanning. These functions thus far have been done using separate devices; more and more companies are demanding to see them integrated with the gateway protection.
2012 will see the introduction of encrypted protocol scanning. As the trust model of SSL/TSL is being broken by more and more attacks, it will become very important that this model be transferred back under the control of the experts, at the gateway, moving it away from the desktop. Hence scanning SSL/TSL at the gateway becomes mandatory.
Lastly, it’s important that the technology offered for one credit union branch, for instance, is the same provided for all branches. For example, you want the same AV protection, nothing less.
Remember, viruses don’t treat one branch any better than they treat your headquarters!
Pierluigi Stella is chief technology officer at Network Box USA in Houston, Texas.