Managed Security Services

Fire-Proofing Your Network With UTM,
Part 2: Deploying a UTM appliance — continued

by Lisa Phifer
VP Core Competence, Inc.
[December 28, 2007]
Layered defenses
Under the hood, all UTM products start with a traffic inspection engine that examines not just TCP/IP headers but also application content (e.g., mail text, file attachments). However, how that application content is actually inspected depends on the product. For example, SonicWALL inspects arriving messages packet-by-packet, without reassembly or application proxies. IBM ISS combines stateful packet inspection with Application Layer Gateways (ALGs) that act as proxies for specific protocols (see Figure 2-2).

Figure 2-2: Combining stateful packet inspection with ALGs
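The difference between per-packet inspection and inspection of reassembled application data is easiest to see in code. The following is an added illustration, not code from the article or from any vendor: one signature matcher is run two ways over constructed TCP segments (all flows, payloads and signature names are made up), and the reassembling variant catches a header that straddles a segment boundary while the per-packet variant can only match whole-segment content such as the EICAR test string.

```python
"""Per-packet versus stream-reassembled content inspection.

Added illustration, not from the article and not any vendor's code: one
signature matcher run two ways over constructed TCP segments, showing why an
engine that reassembles application data sees patterns that straddle a
segment boundary while a per-packet engine sees only whole-segment matches.
"""
from collections import defaultdict

# Constructed signature set: byte pattern -> signature name.
SIGNATURES = {
    b"X-Malicious-Header: yes": "test-header-signature",
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "eicar-test-string",
}


def build_flow(flow_id, chunks):
    """Assign contiguous sequence numbers to in-order payload chunks."""
    segments, seq = [], 0
    for chunk in chunks:
        segments.append((flow_id, seq, chunk))
        seq += len(chunk)
    return segments


# Constructed flows. In the request flow the header pattern is split across
# two segments; in the response flow the EICAR test string sits in one segment.
REQUEST_FLOW = build_flow("10.0.0.5:51000->10.0.0.80:80", [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n",
    b"X-Malici",
    b"ous-Header: yes\r\n\r\n",
])
RESPONSE_FLOW = build_flow("10.0.0.80:80->10.0.0.5:51000", [
    b"HTTP/1.1 200 OK\r\nContent-Length: 68\r\n\r\n",
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
])
# Wire order as the inspection engine would see it: request segments 2 and 3
# arrive swapped, which only a reassembling engine can straighten out.
ARRIVAL_ORDER = [REQUEST_FLOW[0], REQUEST_FLOW[2], REQUEST_FLOW[1]] + RESPONSE_FLOW


def scan_bytes(data):
    """Names of all signatures whose pattern occurs in data, sorted."""
    return sorted(name for pattern, name in SIGNATURES.items() if pattern in data)


def inspect_per_packet(segments):
    """Match each segment's payload on its own, with no reassembly."""
    hits = set()
    for _flow_id, _seq, payload in segments:
        hits.update(scan_bytes(payload))
    return sorted(hits)


def inspect_reassembled(segments):
    """Group segments by flow, order them by sequence number, scan the stream.

    If a hole appears (a segment is missing), scanning stops at the hole
    rather than joining bytes that were never adjacent on the wire.
    """
    flows = defaultdict(list)
    for flow_id, seq, payload in segments:
        flows[flow_id].append((seq, payload))
    hits = set()
    for flow_segments in flows.values():
        stream, expected = bytearray(), 0
        for seq, payload in sorted(flow_segments):
            if seq != expected:
                break  # gap: a real engine would buffer until it is filled
            stream += payload
            expected += len(payload)
        hits.update(scan_bytes(bytes(stream)))
    return sorted(hits)


if __name__ == "__main__":
    print("per-packet :", inspect_per_packet(ARRIVAL_ORDER))
    print("reassembled:", inspect_reassembled(ARRIVAL_ORDER))
```

When evaluating an appliance, the same idea applies as a test: send a benign test pattern such as EICAR through each protocol the vendor claims to cover and confirm the gateway reports it, so that coverage claims are verified rather than assumed.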

With any UTM firewall, understanding application coverage is critical. Just about any firewall can permit or deny packets that traverse known ports. But some UTM virus scanners are limited to SMTP, while others can scan SMTP, POP3, IMAP, HTTP, and/or FTP. Some UTM spam filters are turned on or off globally, while others can be set to filter only specified protocols or mailboxes. Some products can only examine web requests or responses that arrive unencrypted, while others can add/strip SSL at the gateway. So don't make assumptions. Identify the application protection you need and then shop for a UTM product that can deliver it.

Presenting a unified front
In principle, UTM firewalls provide multiple integrated security services that can be configured and monitored through one unified interface. In practice, products run the gamut from completely independent services that run on UTM chassis blades to firewalls that control everything from a single set of policies, using drill-down to configure service-specific parameters. In the end, what matters most is not creating a single GUI, but delivering a truly usable GUI.

UTM products developed for SMBs often simplify administration by eliminating less common options. Set-up wizards are the norm, and some admins go no further. It is therefore important to understand how much protection your UTM appliance delivers "out of the box." To reduce impact and optimize throughput, some products do nothing more than "deny all inbound" unless explicitly told otherwise. Remember: installing an anti-X license does not necessarily mean that service is actually enabled.
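A practical way to act on that warning is to audit the appliance's state right after the set-up wizard finishes, rather than trusting the license page. The script below is an added example, not from the article or any vendor; it parses a constructed status export in a made-up INI-like format (no real appliance emits exactly this) and flags services that are licensed but not enabled, together with default policies that leave a direction open without any explicit rules.

```python
"""Audit a UTM appliance's out-of-the-box protection state.

Added example, not from the article or any vendor: it parses a constructed
status export (a made-up INI-like format, not a real appliance's output) and
reports services that are licensed but never enabled, plus default policies
that leave a direction wide open with no explicit rules behind them.
"""
import re

# Constructed sample export, written to resemble what a fresh install might
# report after the set-up wizard: anti-X licenses present, services off.
STATUS_EXPORT = """\
# constructed sample, not real appliance output
[services]
firewall  = licensed=yes enabled=yes
ips       = licensed=yes enabled=yes
antivirus = licensed=yes enabled=no
antispam  = licensed=yes enabled=no
webfilter = licensed=no  enabled=no

[policy]
default_inbound  = deny
default_outbound = allow
explicit_rules   = 0
"""


def parse_export(text):
    """Return {section: {key: value}} from the INI-like export text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None:
            raise ValueError(f"key outside any section: {line!r}")
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def service_flags(status):
    """{service: {'licensed': bool, 'enabled': bool}} from the services section."""
    flags = {}
    for name, value in status.get("services", {}).items():
        pairs = (token.split("=", 1) for token in value.split())
        flags[name] = {k: v.lower() == "yes" for k, v in pairs}
    return flags


def licensed_but_disabled(status):
    """Services that are paid for but not actually running."""
    return sorted(name for name, f in service_flags(status).items()
                  if f.get("licensed") and not f.get("enabled"))


def audit(status):
    """Human-readable findings; an empty list means nothing to complain about."""
    findings = [f"service '{name}' is licensed but not enabled"
                for name in licensed_but_disabled(status)]
    policy = status.get("policy", {})
    if policy.get("default_inbound") != "deny":
        findings.append("default inbound policy is not deny")
    if policy.get("default_outbound") == "allow" and int(policy.get("explicit_rules", "0")) == 0:
        findings.append("outbound traffic is allowed by default with no explicit rules")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(STATUS_EXPORT)):
        print("FINDING:", finding)
```

Run against a real appliance, the parser would be replaced by whatever export or API the product offers; the checks themselves (licensed versus enabled, and whether a permissive default is backed by explicit rules) are the part worth keeping.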

On the other hand, experienced administrators may find UTM over-simplification frustrating. For example, those accustomed to tuning spam filters by keywords or weights may chafe when limited to a simple "slider" threshold. To address advanced needs, some vendors offer more detailed settings in high-end UTM platforms. Others bury advanced options under CLI commands that are accessible only via Telnet/SSH. But even then, don't expect your new UTM to have all of the bells and whistles that your old best-of-breed security system had.

Here is how the Proventia M-series GUI attempts to strike a balance between unification, simplicity, and flexibility:

  • Typical firewall/IPS policies are created and enabled by default. After the set-up wizard ends, the MX1004 can detect over 1000 known threats, responding automatically with actions defined by the ISS X-Force security research organization. IPS activities are clearly visible from a status page (Figure 2-3), with alerts linked to X-Force descriptions (Figure 2-4).

Figure 2-3: Proventia intrusion summary page

Figure 2-4: Proventia alert with X-Force description

  • Anti-X services are disabled by default, but enabled from simple checkbox panels, accessed through a tree-and-tab style GUI. As we will show in Part 3, just a few GUI options are presented for each service. Many more advanced parameters are available, but hidden under separate panels (Figure 2-5).

Figure 2-5: Using advanced parameters to fine-tune IPS

This approach makes it very easy to install the appliance and make basic exceptions (e.g., disabling a frequent alert that is normal in your network). Cryptic advanced parameters tend to discourage fiddling by novices, while affording more control to experienced admins. However, the GUI stops short of integrating firewall policies with anti-X options. For example, IPS exceptions can be made for specified addresses, but those exceptions cannot currently reference firewall policy network objects.
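Until a GUI closes that gap, the usual workaround is to keep the IPS exception list derived from the firewall's network objects rather than typed in by hand. The script below is an added example, not from the article and not IBM/ISS code: it expands object-based exception intents (including nested objects) into the flat address list an IPS expects, and reports what must be added or removed when an object changes. All object names, signature names and addresses are constructed.

```python
"""Keep IPS address exceptions in step with firewall network objects.

Added example, not from the article and not IBM/ISS code: the firewall holds
named network objects, while the IPS exception list accepts only literal
addresses. The functions below expand object-based exception intents into the
flat list the IPS needs and report what must be added or removed when an
object changes. All names, objects and addresses are constructed.
"""
import ipaddress

# Constructed firewall network objects: name -> addresses, CIDRs or other object names.
NETWORK_OBJECTS = {
    "branch-lan": ["192.0.2.0/24"],
    "mgmt-hosts": ["198.51.100.10", "198.51.100.11"],
    "trusted": ["branch-lan", "mgmt-hosts"],
}

# Constructed intent: signature name -> network objects exempt from that signature.
IPS_EXCEPTION_INTENTS = {
    "ICMP_Echo_Sweep": ["mgmt-hosts"],
    "HTTP_Long_URL": ["trusted"],
}

# Constructed snapshot of what the IPS holds today: the .11 host was added to
# mgmt-hosts on the firewall after these exceptions were typed in by hand.
IPS_CURRENT_EXCEPTIONS = {
    "ICMP_Echo_Sweep": ["198.51.100.10/32"],
    "HTTP_Long_URL": ["192.0.2.0/24", "198.51.100.10/32"],
}


def expand_object(name, objects, seen=frozenset()):
    """Resolve one object (which may nest other objects) to ip_network values."""
    if name in seen:
        raise ValueError(f"network object cycle at '{name}'")
    if name not in objects:
        raise KeyError(f"unknown network object '{name}'")
    networks = []
    for member in objects[name]:
        if member in objects:
            networks.extend(expand_object(member, objects, seen | {name}))
        else:
            networks.append(ipaddress.ip_network(member, strict=True))
    return networks


def desired_exceptions(intents, objects):
    """Flat, de-duplicated CIDR strings per signature, in the form the IPS stores."""
    desired = {}
    for signature, names in intents.items():
        networks = {n for name in names for n in expand_object(name, objects)}
        desired[signature] = sorted(str(n) for n in networks)
    return desired


def diff_exceptions(desired, current):
    """Per signature, (entries to add, entries to remove) relative to current."""
    changes = {}
    for signature in sorted(set(desired) | set(current)):
        want = set(desired.get(signature, []))
        have = set(current.get(signature, []))
        if want != have:
            changes[signature] = (sorted(want - have), sorted(have - want))
    return changes


if __name__ == "__main__":
    plan = diff_exceptions(desired_exceptions(IPS_EXCEPTION_INTENTS, NETWORK_OBJECTS),
                           IPS_CURRENT_EXCEPTIONS)
    for signature, (add, remove) in plan.items():
        print(f"{signature}: add {add} remove {remove}")
```

Running this on a schedule, or from a change-control hook, turns "the IPS exceptions cannot reference firewall objects" from a silent drift problem into a visible to-do list, and the cycle check keeps a mis-edited object definition from looping the expansion.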

We managed our MX1004 directly through its secure Java web GUI, but remote office/branch office appliances can also be managed through SiteProtector. That product provides centralized asset management, provisioning, event analysis, and reporting for all IBM/ISS Proventia products, including desktop and server security programs, vulnerability scanners, intrusion detection systems, and UTM appliances.
