Unified Threat Management
There is a Chinese proverb that states "One chopstick is easily broken while a bundle of chopsticks is not". This proverb comes from a story about a man who had three sons who were constantly arguing and getting nothing done. In fact, they actually worked against each other and impeded each other's progress. The father explained that if they worked together, not only would the work get done, but it would be completed faster and with much higher quality.
Today's network security infrastructure has the same type of problem. For each class of threat to a network, a separate tool has been developed, and even when two threats are similar, different products are used to counter them. These tools eventually begin working against each other, because they all draw on the same finite resources. Storage space, network bandwidth and CPU cycles are limited, and when they are overtaxed the network slows to the point where connections time out and packets are delayed or dropped. The managed services Tampa team at MHD Communications is keenly aware of this type of network and strives to keep a balance between network performance and safety.
In order to facilitate a more cohesive approach, the Unified Threat Management (UTM) philosophy has been developed. In its simplest form, UTM takes several threat categories and binds them together through shared data collection and evaluation. As an example, one threat to an enterprise is websites that deliver malware or harvest credentials. Instead of maintaining a database of malicious domains separately from other threat data, the indicators are stored in a form that the anti-virus and web filter can use. In addition, the IP addresses those domains resolve to can be used by the packet filter to make inbound blocking decisions. Finally, the same data can be used to monitor outgoing traffic for hosts inside the network that are already compromised and are contacting those domains, so an internal infection is detected and handled as a threat from within.
There are several categories of threat deterrents that a UTM takes into consideration. The following are just a few, along with a brief explanation.
- Anti-Malware, Anti-Virus: In a nutshell, a software program that, through the use of either a defined signature or heuristic algorithms, detects malicious software stored on computing devices. These devices include but are not limited to computers, smart phones, tablets, some storage devices, and printers. The software not only identifies the harmful file but can quarantine it until the user decides what to do with the offending intruder.
- Firewall Protection: Firewalls, through the use of a rule set designed to protect a network from malicious intrusion, are the front line when dealing with outside threats. When configured properly, a firewall is one of the most effective controls against external threats, though no single control stops every attack. Monitoring traffic, establishing a baseline, and flagging anomalies give the firewall a chance to notice attacks for which no signature yet exists. The same baseline can signal when the rate of requests from a source has suddenly accelerated and show where those requests are coming from, so ports can be closed and the traffic assessed automatically before an intrusion succeeds. In the Tampa Bay area, MHD Communications is a leader in UTM appliance deployment and monitoring. Fortinet's UTM appliances are the backbone of security for the clientele of MHD Communications and offer a wide variety of economical solutions for the SMB owner.
- Email Protection: Monitoring incoming email to ensure that it does not carry malicious messages or attachments. Some malicious emails are easy to detect: unorthodox headers or attachment types the recipient would never expect can be rejected at the provider level. Other infiltration methods are more sophisticated and make the email look as if it is coming from a friend, relative, or co-worker, typically by putting a familiar display name on an unfamiliar sending address. These are the emails that spread quickly and deploy damaging software such as ransomware. Sophisticated ransomware is extremely hard to detect, and an infected site can cost thousands of dollars. Heuristic email evaluation combined with employee education greatly reduces this type of threat.
- Deep Packet Inspection (DPI): This type of protection can be costly in both resources and speed. If the appliance and its firmware are not of the highest caliber, there is a degradation in service. Ordinary packet filtering stops at the layer three and four headers (addresses, protocol, ports); DPI goes further and examines the application payload at layer seven, reassembling streams where necessary. Headers, transport and routing data, and the application content are parsed, evaluated, logged, and then, if the packet is within the defined tolerances, forwarded to its destination. Inspection at this level can match known malware and exploit signatures, recognise DDoS traffic patterns, and flag deviations from a pre-built baseline so that network engineers are alerted to a possible breach; signatures only catch known threats, so it is the baseline comparison that offers any chance against a zero-day. The data can then be presented to the engineer through third-party analysis tools to make finding the variance faster. One caveat a practitioner should keep in mind: DPI only sees cleartext, so inspecting TLS traffic requires the appliance to terminate and re-encrypt sessions, with its own certificate-management and privacy costs. Because every packet must be parsed and inspected at line rate, DPI normally needs multiple CPU cores and fast memory in the appliance, and vendors implement the inspection engine in optimised native code or dedicated hardware rather than in an interpreted language running in a virtual machine.
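To make the shared-indicator idea from the UTM overview and the DPI bullet concrete, here is an added example in Python; it is not code from MHD Communications or Fortinet. One indicator store, built from a constructed threat feed of malicious domains and the IPs they resolved to, is consumed three ways: by a URL filter, by the inbound packet filter (on source IP), and by an egress monitor that inspects outbound HTTP payloads for a Host header. The packet parser walks the real IPv4 and TCP header layouts; the packets themselves are built by a helper for the example and carry no checksums. The `10.0.0.0/8` internal range, the feed contents and all addresses are assumptions of the example.

```python
"""Added example (not the page's or any vendor's code): one indicator store
feeding three UTM consumers, plus a minimal deep packet inspection step."""
import ipaddress
import struct
from dataclasses import dataclass, field

# Constructed threat feed: malicious domain -> IPs it resolved to.
# In a real UTM this comes from the vendor feed and local DNS logs.
THREAT_FEED = {
    "malware.example": ["203.0.113.10", "203.0.113.11"],
    "phish.example.net": ["198.51.100.7"],
}

@dataclass
class IndicatorStore:
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)

    @classmethod
    def from_feed(cls, feed):
        store = cls()
        for domain, addrs in feed.items():
            store.domains.add(domain.lower())
            store.ips.update(ipaddress.ip_address(a) for a in addrs)
        return store

    def url_blocked(self, url):
        """Consumer 1: URL/web filter. Matches the domain and its subdomains."""
        host = url.split("://", 1)[-1].split("/", 1)[0].split(":")[0].lower()
        return host in self.domains or any(host.endswith("." + d) for d in self.domains)

    def ip_blocked(self, ip):
        return ipaddress.ip_address(ip) in self.ips

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes

def parse_ipv4_tcp(raw):
    """Layer 3/4 parse; raises ValueError on anything that is not IPv4+TCP."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (raw[0] & 0x0F) * 4                 # header length in bytes
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 6:                           # protocol field: 6 = TCP
        raise ValueError("not TCP")
    src = str(ipaddress.ip_address(raw[12:16]))
    dst = str(ipaddress.ip_address(raw[16:20]))
    tcp = raw[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4             # TCP data offset in bytes
    return Packet(src, dst, sport, dport, tcp[data_off:])

def http_host(payload):
    """Layer 7 look: pull the Host header out of an HTTP request, if any."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    for line in text.split("\r\n")[1:]:
        if line.lower().startswith("host:"):
            return line.split(":", 1)[1].strip().lower()
    return None

def inspect(store, pkt, internal_net="10.0.0.0/8"):
    """Returns 'allow', 'drop-inbound' or 'alert-outbound'."""
    net = ipaddress.ip_network(internal_net)   # assumed internal range
    inbound = ipaddress.ip_address(pkt.src) not in net
    if inbound and store.ip_blocked(pkt.src):
        return "drop-inbound"                  # consumer 2: packet filter on source IP
    if not inbound:
        host = http_host(pkt.payload)
        if store.ip_blocked(pkt.dst) or (host and store.url_blocked("http://" + host)):
            return "alert-outbound"            # consumer 3: egress monitoring
    return "allow"

def build_packet(src, dst, sport, dport, payload):
    """Build a minimal IPv4+TCP packet for the example (no checksums computed)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + tcp

if __name__ == "__main__":
    store = IndicatorStore.from_feed(THREAT_FEED)
    req = b"GET / HTTP/1.1\r\nHost: malware.example\r\n\r\n"
    print(inspect(store, parse_ipv4_tcp(build_packet("203.0.113.10", "10.0.0.5", 40000, 443, b""))))
    print(inspect(store, parse_ipv4_tcp(build_packet("10.0.0.5", "192.0.2.50", 50000, 80, req))))
```

The point to notice is that the egress check fires on the Host header even when the destination IP is not yet in the feed, which is exactly what a separate IP-only blocklist would miss; conversely, the IP match still catches a non-HTTP connection where no hostname is visible. A production engine would reassemble TCP streams before looking for headers and would need TLS interception to see a Host header inside HTTPS.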
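The email bullet above describes messages that merely look like they come from a co-worker. The following added example (again not MHD Communications' code) shows two header-level checks a UTM mail filter can make before any content scanning: a familiar display name on an unfamiliar sending domain, a Reply-To that diverts replies elsewhere, and an attachment whose declared filename has an extension commonly used for ransomware droppers. The contact list, the extension set and both messages are constructed for the example.

```python
"""Added example (not the page's or any vendor's code): header-level checks
for display-name spoofing, Reply-To diversion and risky attachments."""
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed: people the organisation knows, and the domain they should write from.
KNOWN_CONTACTS = {"Jane Doe": "example.com"}
# Attachment types commonly used to deliver ransomware droppers (assumed list).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".hta"}

def check_message(raw):
    """Return a list of findings; an empty list means the headers looked ordinary."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Display-name spoofing: a familiar name on an unfamiliar sending domain.
    expected = KNOWN_CONTACTS.get(name)
    if expected and domain != expected:
        findings.append(f"display-name spoof: '{name}' sent from {domain}, expected {expected}")
    # Reply-To pointing somewhere other than the sender is a classic phishing tell.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        findings.append(f"reply-to mismatch: {addr} vs {reply}")
    # Attachment check by declared filename (a real filter also sniffs content).
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if any(fname.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {fname}")
    return findings

# Constructed sample messages.
BENIGN = """From: Jane Doe <jane@example.com>
To: bob@example.com
Subject: lunch
Content-Type: text/plain

See you at noon.
"""

SUSPICIOUS = """From: Jane Doe <jane.doe@mail-example.net>
Reply-To: accounts@mail-example.net
To: bob@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.js"
Content-Disposition: attachment; filename="invoice.js"
Content-Transfer-Encoding: base64

YWxlcnQoMSk=
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, check_message(raw))
```

These checks are deliberately cheap so they can run on every message; they complement, rather than replace, SPF/DKIM/DMARC verification of the sending domain and signature or sandbox scanning of the attachment itself.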
UTM takes into consideration the sophistication of the new network marauder. By combining several attack methods across different channels, intruders had made successful compromises commonplace. With a Unified front against the Threat, it is much easier to Manage the network and maintain its integrity. In the next installment, we will discuss Fortinet and its appliance line for UTM deployment.