Unified Threat Management: A Defensive Suite for the 21st Century - Essay Example

Unified Threat Management is a new wave in cyber-security. UTM solutions vary, but in essence they are appliances or software packages that try to provide comprehensive threat management. It is no longer the 1990s, when the omnipresent and singular concern was viruses: even individual end-users behind home networks face a bevy of threats from spam, scammers, fraudulent offers, spyware (whether illicit or created by “legitimate” companies), malware, viruses, keyloggers, identity theft, credit and debit card interception and fraud, and advertising and spam-forwarding malware, let alone corporate, government or NGO networks. Making distinctions between these threats is often an exercise in futility; thus the birth of the UTM movement. Unfortunately, at present, the benefits of UTM are apocryphal: though arguably superior to existing offerings, UTMs are far from complete security suites.

Definition

UTM is operationally defined by SC Magazine thus: “[T]o be a true UTM, according to analyst firm IDC anyway, the product must include, at minimum, a firewall, intrusion detection and prevention and anti-virus functionality” (2007). This paper assumes this definition.

Justification

SonicWall argues that the reason for UTM is that the vast majority of consumers, whether individual home networks or large corporate and government networks, are not doing just one thing online at any given time, or even through any one application (2008). “Network communications no longer just rely on store-and-forward applications like e-mail. It has now grown to include real-time collaboration tools, Web 2.0 applications, instant messenger (IM) and peer-to-peer applications, Voice over IP (VoIP)...” (2008). Consider the games and digital distribution platform Steam. In one program there is a friends list, social networking utilities, games, digital backup, downloading and peer-to-peer transfer protocols, IM and online store functionality. Threats proliferate in that environment. A virus transferred from e-mail can be used to spam the addresses on one's IM list. A keylogger hidden in a torrent can gather credit card information typed into a browser. There are no clear lines between threats; why draw a clear line in protection and defense?

Problems

The problem that many IT security professionals see with UTM is that focused programs are likely to have functionalities and specializations that a general solution might not (SC Magazine, 2007). “The bad news is that this creates a single point of failure. It also creates a bit of a dilemma for security architects. If one buys a first rate UTM, especially one with a lot of anti-malware capability, how does one justify purchasing an additional anti-malware gateway? While I suspect that next year at this time we will see almost no pure anti-malware gateways (we’re almost there now), today there are a few very competent anti-malware gateways available.” To evaluate the tradeoffs between specialization and generalization, financial cost-benefit, etc., let us examine three UTM products.

Product #1

SonicWall offers an elite solution centering on multi-core processing, using the multiple cores to offer unparalleled (pun not intended) speed and delivery of security services (2008). While most of their solutions include multi-core processing, their E-Class NSA line is offered at consumer sites for $28,000 to $50,000 depending on the model (SonicGuard). Let us analyze the $50,000 product, the E8500 with a GAV/IPS bundle and one year of service. SonicWall's multi-core systems are premised on the notion that responses to security threats need to be taken with the utmost celerity, in real time.
They argue that “stateful” solutions only scan packet headers, which isn't helpful given that most threats now use spoofed headers and try to slip in like a Trojan horse through the packet data. But to analyze every packet down to the data level and make threat assessments requires immense processing power, and to do it in real time is impossible for one processor. With multi-core systems, the E8500 can scan the data using Deep Packet Inspection (DPI) technology, which normally slows throughput in single-core systems. SonicWall's RFDPI (reassembly-free deep packet inspection) doesn't have to “halt and store” data and “traffic in memory”. This requirement is frequently a bugaboo to administrators: either they have to halt or slow all traffic, or completely ignore threats during peak traffic times. RFDPI also doesn't limit the size of downloads and has no limit on the number of users it can protect: it is fully scalable. The multi-core architecture not only lets multiple processors handle loads faster by splitting data up and performing firewall, anti-virus, anti-spyware, intrusion prevention, content filtering, application control and clean VPN services simultaneously (parallel processing across services and packets), but it also reduces power consumption. The E8500 offers multiple deployment packages with various hierarchies. It can take Internet data and split it among multiple departments as a central-site gateway, or it can be used as an in-line UTM solution. “Deployed as a Central-site Gateway the NSA Series provides a high-speed scalable platform, providing network segmentation and security using VLAN’s and security zones. Redundancy features include WAN Load balancing, ISP fail-over and stateful high availability” (SonicGuard). Meanwhile, “Mode Layer 2 bridge mode provides inline intrusion detection and prevention, adds an additional level of zone-based security to network segments or business units and simplifies layered security. Additionally, this enables administrators to limit access to sensitive data by specific business unit or database server” (SonicGuard). Competitors to the E8500 use packet reassembly, which creates a chokepoint. Using parallel processing, the E8500 can separate threatening packets from the data stream, forward the associated harmless packets, and do so without the chokepoint of having to reassemble the packets before scanning them.

The E8500, while expensive, seems to be worth the cost. It provides multiple justifications that regular security doesn't:

1. A specific parallel-processing architecture that avoids the throughput loss DPI normally causes on single-core systems. Why buy a UTM solution if you can just use a regular server with good software? SonicWall justifies the expenditure, at least in theory, by creating a unique hardware architecture.

2. With this hardware architecture and with DPI, why not do everything at one point? The E8500 is already searching every packet, data and header, for threats. Why bother using it to do so through an anti-virus, then do it all again through a different spyware scanner, another pass through a different spam filter, etc.?

For $28,000 to $50,000, the E8500 doesn't come cheap, and therefore would only really be useful for businesses and organizations that have a high need for security (IT companies, small banks, etc.). A home couldn't possibly justify this much money for the performance improvement.

Product #2

The Cisco ASA 5500 series is relatively cheap, at $1,000, but is priced higher than low-to-mid tier products like the Fortinet and Check Point offerings (CRN, 2008). The fact that it's provided by an established hardware vendor indicates that it is likely to have excellent support and design. CRN agrees:

Cisco ASA 5500 Series Adaptive Security Appliances are easy-to-deploy solutions that integrate firewall, Unified Communications (voice/video) security, SSL and IPsec VPN, intrusion prevention (IPS), and content security services in one flexible and modular appliance.
As a key component of the Cisco Self-Defending Network, the Cisco ASA 5500 Series provides intelligent threat defense and secure communications services that stop attacks before they impact business continuity. In addition, the UTM appliance is designed to protect networks of all sizes, enabling organizations to lower their overall deployment and operations costs while delivering comprehensive multilayer security.

The ASA 5500 series certainly doesn't benchmark as well as the SonicWall, which costs 25 times as much. Various models offer throughputs up to 1 Gbps, and the 1 Gbps options are the last two and substantially more expensive. Most of them offer below 500 Mbps firewall throughput. Maximum concurrent VPN sessions range from 25 to 5000. But many licensing options are available for an exact security package. The 1 Gbps options meet the standard home network but still slow down most business networks. Cisco's suite of software services is nonetheless extensive (Cisco, 2010). Take their comprehensive endpoint security for the SSL VPN alone. “SSL VPN deployments enable universal access from both secure and noncorporate-managed endpoints, and provide the ability to extend network resources to diverse user communities. With this extension of the network, the points for potential network security attacks also increase. Whether users are accessing the network from a corporate-managed PC, personal network-accessible device, or public terminal, Cisco Secure Desktop minimizes data such as cookies, browser history, temporary files, and downloaded content left behind after an SSL VPN session terminates. Endpoint posture checking for full network access users is also available through integration with the Cisco NAC Appliance and Cisco NAC Framework” (Cisco, 2010). The endpoint security, unlike the cheaper Check Point Safe, begins at pre-connection posture and asset assessment, moves on to controlling what data is saved and transferred during the session, and kills keystroke loggers both based on a database and by monitoring scripts that behave like keyloggers,

Product #3

Now let us analyze a relatively bargain-bin product: the Check Point Safe 500, available for around $250 (Check Point, 2010). The Check Point Safe 500 is specifically targeted at small businesses. Unlike the SonicWall E8500, it does not have 4 gigabytes of RAM, flash memory and multiple processors. It only supports up to 100 Mbps. Its VPN throughput is a mere 35 Mbps and its firewall throughput 190 Mbps, compared to the 2-8 Gbps throughput of the SonicWall. Most home networks use 100 Mbps or 1 Gbps Ethernet, so the SonicWall is faster than a home network while the Check Point Safe is slower. Nonetheless, while the hardware is less spiffy and the software not as advanced, it is no slouch in protection, according to CRN. “Check Point's UTM-1 Total Security appliances are all-inclusive, turn-key solutions that include a comprehensive set of tools required by businesses to secure their network and adhere to regulatory compliance mandates. The appliance combines the firewall, gateway antivirus and anti-spyware, messaging security with anti-spam, intrusion prevention, Web-filtering and IPSec/SSL VPN in one easily deployed solution. In addition, each appliance includes integrated centralized management, along with complete security updates, hardware support and discounted customer support for up to three years. Customers can choose from five different models, depending on size and security needs” (2008). However, one of the ways that the Check Point is so cheap is that the basic models only come with licenses and features for firewall, IM monitoring, secure hotspot/guest management/wireless management, etc.
Gateway antivirus, embedded spam blocking, decompression and filtering services are not included and must be licensed as add-ons.

Comparison of All Three Products

These three options vary massively. Points of difference include:

- Number and power of processing cores
- Maximum concurrent connections
- Maximum concurrent VPN sessions
- Maximum firewall throughput
- Maximum VPN throughput
- The quality of the LAN switch, whether it's 10/100, 10/100/1000, or 10/100/1000/higher
- Degree of overlap between services (anti-spam, anti-virus, anti-spyware, etc.)
- Whether the UTM analyzes data only at the header level or down into the packet payload
- Degree and quality of deep packet inspection
- Degree of scalability
- Whether they use a database-only approach or a smart approach

Consider the differences between, say, HijackThis and Norton. Programs like Norton tend only to have a highly comprehensive database of threats. They check for all current threats and threat behaviors, then finish. If hackers have found a new way or place to hide the same threat, Norton might miss it. Meanwhile, HijackThis simply lists all the things that are running: BHOs, startup programs, etc. Suspicious programs are manually killed at the registry level. HJT is “dumb” in the sense that it is indiscriminate but “smart” in the sense that it searches everywhere threats might hide and considers everything a threat until proven otherwise; Norton is “dumb” in the sense that it can miss an obvious threat right under its nose but “smart” in that it is automatic and requires no judgment calls or research by the end consumer. Similarly, many firewalls simply stop all or most incoming traffic that isn't specifically authorized. At LAN parties, most people turn off firewalls because end-consumer firewalls can't tell the difference between a virus and game activity. A firewall worth its salt has to be smart: it has to make judgment calls as to what data to allow, what data to monitor but allow, and what data to halt without question. The cheaper products, like Check Point Safe, only take Norton's approach: they effectively only run a database. This is because keeping and maintaining a database of existing threats is computationally simple at both the hardware and software level: search the packets, see if they match known threats, kill them. The firewall services are smarter, but still require a lot of end-user permission management. But Cisco's smart keylogger detection and every aspect of SonicWall's product search comprehensively not just for old threats in their original form, but for old threats gussied up in disguise and for new threats. They look for threatening behavior and suspicious activity, not just known and confirmed threats. They analyze for data that isn't where it's supposed to be and make decisions. Of course, how often are viruses really evolving? While they are constantly changing, most anti-virus products are updated within hours or days of a threat's appearance. The threat will be quickly found and killed, and likely will never get secure data, because data like passwords is already difficult to find and simple firewalls can detect the unwanted traffic associated with sending data procured by a Trojan or keylogger. Most businesses can tolerate a few new threats getting through thanks to bad sanitation. It is when a business absolutely cannot risk any loss of its data or any threat that it must spend thousands more on protection. Similarly, most businesses don't need to worry about unorthodox uses of their firewall. They will likely just be using VPNs, IM, VoIP, e-mail and browsing. But this doesn't mean that the expensive solutions aren't worth it. For a company that cannot tolerate any risk, having smart scanning is valuable.
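As an added illustration of the header-only versus deep-packet-inspection distinction discussed under Product #1, and of the database-only versus behaviour-based scanning contrast above, here is a constructed Python model (not vendor code; the permitted ports, the signature and the sample packets are all invented): a header-only rule, a signature scan that survives packet boundaries without reassembling the stream, and a protocol-mismatch check that yields the essay's allow, monitor-but-allow and halt verdicts.

```python
"""Constructed model of header-only filtering versus deep packet inspection.
Added illustration only: ports, signature and packets are invented and this is
not SonicWall, Cisco or Check Point code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes

    def flow(self):
        return (self.src, self.dst, self.dport, self.proto)


ALLOWED_PORTS = {80, 443}  # header-only ("stateful") policy: permitted ports
SIGNATURES = {"constructed-test-malware": b"X-CONSTRUCTED-MALWARE-TEST"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")
TLS_RECORD_PREFIX = b"\x16\x03"  # TLS handshake record header


def header_verdict(pkt):
    """Header-only check: anything on a permitted port passes, payload unseen."""
    return "allow" if pkt.dport in ALLOWED_PORTS else "halt"


class StreamScanner:
    """Signature scan across packet boundaries without reassembling the stream:
    only the last (longest signature - 1) bytes of each flow are kept, so a
    signature split over two packets is caught when the second arrives."""

    def __init__(self, signatures):
        self.signatures = signatures
        self.carry = max(len(s) for s in signatures.values()) - 1
        self.tail = {}

    def scan(self, pkt):
        window = self.tail.get(pkt.flow(), b"") + pkt.payload
        self.tail[pkt.flow()] = window[-self.carry:] if self.carry else b""
        for name, sig in self.signatures.items():
            if sig in window:
                return name
        return None


def behaviour_verdict(pkt):
    """'Smart' check: a payload that does not match the protocol its port implies
    is monitored rather than silently allowed (data not where it should be)."""
    if pkt.dport == 80 and not pkt.payload.startswith(HTTP_METHODS):
        return "monitor", "non-HTTP payload on port 80"
    if pkt.dport == 443 and not pkt.payload.startswith(TLS_RECORD_PREFIX):
        return "monitor", "non-TLS payload on port 443"
    return "allow", "payload matches expected protocol"


def inspect_packets(packets):
    """Header rule, then DPI signature scan, then behaviour check, per packet.
    Returns a list of (verdict, reason) with verdict in allow / monitor / halt."""
    scanner = StreamScanner(SIGNATURES)
    results = []
    for pkt in packets:
        if header_verdict(pkt) == "halt":
            results.append(("halt", "header rule: port not permitted"))
        elif (hit := scanner.scan(pkt)) is not None:
            results.append(("halt", f"signature match: {hit}"))
        else:
            results.append(behaviour_verdict(pkt))
    return results


# Constructed sample traffic; every packet but the last is on a permitted port.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "203.0.113.10", 80, "tcp",
           b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # The signature is split across these two packets of one flow.
    Packet("10.0.0.6", "203.0.113.10", 80, "tcp",
           b"POST /upload HTTP/1.1\r\n\r\nX-CONSTRUCTED-MAL"),
    Packet("10.0.0.6", "203.0.113.10", 80, "tcp", b"WARE-TEST\x00\x00tail"),
    # Raw binary on port 80: header-only filter allows it, behaviour check flags it.
    Packet("10.0.0.7", "203.0.113.10", 80, "tcp", b"\x01\x02\x03\x04raw binary"),
    Packet("10.0.0.7", "203.0.113.10", 6667, "tcp", b"hello"),
]

if __name__ == "__main__":
    for pkt, (verdict, why) in zip(SAMPLE_PACKETS, inspect_packets(SAMPLE_PACKETS)):
        print(f"port {pkt.dport:5d}  header-only={header_verdict(pkt):5s}  "
              f"full={verdict:7s}  {why}")
```

Run stand-alone, the output shows the third and fourth packets passing the header-only rule yet being halted and monitored respectively by the deeper checks.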
A company that handles sensitive, private or expensive proprietary information, or has a large amount of traffic, can't tolerate even a 1% failure rate. Further, if the company is very large, slowing the Internet and local backbone the way the lower-cost products do is inexcusable. Where the cost varies the most between these products, then, is in the general network speed allowed by the UTM option and in the quality and intelligence of the packet scanning.

Comparison between Like UTM and Non-UTM Solutions

It is increasingly difficult to find solutions that are not UTM in some fashion. Most appliances include anti-virus, anti-spam, e-mail filtering, anti-spyware and numerous other elements. One of the few companies remaining that provides a non-UTM hardware solution is Kaspersky (2010). “The new technology makes use of a hardware-based antivirus solution whose primary function is to neutralize the most widespread type of threat – malicious programs that store themselves or infect files on a computer's hard drive. The patented antivirus program scans data that is written to the hard disk, identifying and blocking malicious programs”. It is illustrative to analyze the difference between this appliance and the UTM appliances examined above. The first obvious difference is that Kaspersky's is not a full device: it is not an independent appliance. Rather, it is installed into the system bus or disk controller. Kaspersky's is designed specifically to deal with threats like rootkits and viruses that hide deep in the registry or in the System folder. “Since it is implemented on the hardware rather than software level, the technology is not dependent on the operating system's configuration and can effectively combat malicious programs that elevate their privileges in the system, e.g., dangerous malware such as rootkits. Rootkits hook the operating system's functions, enabling them to actively resist their detection and removal by software antivirus solutions that operate in the same environment. Specifically, rootkits can block an antivirus application from being started, track its actions and recover the malicious processes removed by the antivirus application, modify removal settings in the system registry, etc. Such activity will be ineffective in the case of a hardware solution that does not operate in the infected operating system's environment, and the rootkit can be quickly neutralized” (Kaspersky, 2010). The second difference is that it has only recently been patented. Specialized technology has actually been eclipsed by generalized technology to such a degree that it is now an innovation to create non-UTM solutions. Finally, Kaspersky's does not bother providing comprehensive spam protection, comprehensive e-mail filtering and protection, comprehensive anti-spyware, etc. Note that, while there is some overlap between spyware and viruses, they are two conceptually different categories. “Legitimate” programs like CometCursor can install spyware or adware programs that create popups, monitor search patterns, etc. These aren't designed to harm the computer, but they do serve advertising content the end-user is not likely to want, and they do slow down the computer, clutter the registry, etc. Kaspersky's is not designed to look for all of these types of data the way that a program like SpyBot is. In fact, oddly enough, the biggest competition for UTM appliances is non-UTM software. There are numerous free e-mail services that have excellent spam protection, free anti-virus software like AVG or Avast or trial versions of commercial applications that can be kept functioning nearly indefinitely, free anti-spyware programs like SpyBot Search and Destroy, etc. Indeed, most

Disadvantages and Advantages

The advantages and disadvantages of UTM are clear.
Advantages

- UTM means that only one defense needs to be updated. If a leak is found, only one hole needs to be plugged.
- In terms of pricing and cost, having one single large purchase is more convenient. Further, managing and paying licenses for every threat type can be deeply impractical and make it hard to predict one's cyber-security budget. One product can be put onto the books and be done.
- The distinctions between spam, malware, viruses, scams, etc. are increasingly academic. Security holes caused by a virus can be exploited by malware. Viruses and adware turn people's computers or e-mail accounts into de facto spambots. If new types of threats emerge that are at present not anticipated, UTM is more likely to be able to account for them than a piecemeal approach.
- Software and hardware conflicts and testing are much easier with a UTM system. If there's a conflict between a company's default computer type and the UTM system, the problem can be hammered out with the UTM provider's tech support. But with up to dozens of separate, redundant security suites, the likelihood of them interfering with each other, with other necessary software, or with the company's preferred hardware is much higher.
- Redundancy and overlap mean that companies are paying for the same service twice. By putting everything into one unified defense architecture, that architecture can be far more efficient and cost-effective. SonicWall's special parallel processing hardware and design, for example, is highly optimized for the specific task of cyber-security.

Disadvantages

- If a hacker or threat finds a way to get through the UTM defense, there is nothing left. Redundancy provides for some degree of backup. (That having been said,
- A UTM can encourage a false sense of security among sysadmins.
- UTMs are by necessity more expensive.
- UTMs control the company's network design, infrastructure and orientation far more strictly. One can arrange Norton's any way one pleases, but the UTMs featured above all specified particular throughputs and design flowcharts that had to be followed to be effective.
- UTMs are often overly aggressive with blacklisting IPs and often respond to dangerous IPs after the fact (NetGear, 2009).

Conclusion

The promise of the UTM is not quite complete. Critical reviews of UTMs have found mistakes in design, in the philosophies of companies adopting UTM solutions, etc. Yet ultimately, UTM is inevitable. When software, firmware and hardware get smart enough to detect unwanted intrusions and threats and respond to them automatically, there will be no point in telling those programs to look only for spam and viruses and not for spyware, or only for scammers and keyloggers but not for other Trojans. And even now, nothing prevents people from beginning with a UTM solution, examining the risks to their company, then adding on additional protection. If people are already jury-rigging defenses, why not start with a comprehensive one?

Works Cited

CIO. “The Advantages of Multi-Core UTM”.
Cisco. “Cisco ASA 5500 Series SSL / IPsec VPN Edition”. Product description. Retrieved from
Check Point. “CheckPoint SafeOffice UTM Appliances”. Product description.
CRN. “10 Hot UTM Products”. October 29, 2008. Retrieved from http://www.crn.com/slide-shows/security/211800106/10-hot-utm-products.htm. Accessed 1/1/2011.
Gupta, Vinita. “UTM vs. standalone”. Express Computer. 2001. Retrieved from http://www.expresscomputeronline.com/20080303/market01.shtml. Accessed 1/1/2011.
Kaspersky Lab. “Kaspersky Lab patents cutting edge hardware anti-virus solution”. 2010. Retrieved from http://www.kaspersky.com/news?id=207576021. Accessed 1/1/2011.
McAfee. “UTM Firewall/SnapGear: Options to configure your UTM Firewall to accommodate a public block of IP addresses supplied by your ISP”. Corporate Knowledge Base. Retrieved from https://kc.mcafee.com/corporate/index?page=content&id=KB62420. Accessed 1/1/2011.
Prosecure. “The Advantages of the STM/UTM Cloud Based Approach to Spam Filtering”. October 23, 2009. Retrieved from http://forums.prosecure.netgear.com/showthread.php?t=462. Accessed 1/1/2011.
SC Magazine. “Unified threat management 2007”. July 12, 2007.
Schultz, Keith. “UTM appliances whip blended security threats”. March 6, 2006. Retrieved from http://www.infoworld.com/d/security-central/utm-appliances-whip-blended-security-threats-043. Accessed 1/1/2011.
SonicGuard. “NSA E8500 Appliance”. Product outline. Retrieved from http://www.sonicguard.com/NSA-E8500.asp.
SonicWall. “The Advantages of Multi-Core UTM”. 2008.
Snyder, Joel. “Testing All-in-one firewalls”. Network World. November 12, 2007. Retrieved from http://www.linuxworld.com/reviews/2007/111207-utm-firewall-test.html.
Strom, David. “UTM: Ten Questions before you Buy”. Datamation. April 13, 2007. Retrieved from http://itmanagement.earthweb.com/article.php/3670986/UTM-Ten-Questions-Before-you-Buy.htm. Accessed 1/1/2011.
Violino, Bob. “UTM Appliances: How to Choose Em and Use Em”. IT World.