
UTM thwarts blended attacks

By Anthony James, Network World
September 29, 2006 12:01 AM ET
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Unified threat-management (UTM) appliances combine several security engines in one device and correlate the data those engines produce, giving better visibility into threat activity on the network than any single engine provides on its own. This approach is an alternative to a piecemeal deployment of separate, single-purpose systems.

IDC established this product category, with a minimum feature set that includes a firewall, intrusion detection/prevention system (IDS/IPS) and antivirus capabilities. Many UTM appliances have been expanded to include VPNs, antispam, antispyware and Web content filtering.

Most of these security capabilities operate at the application layer to detect spam, viruses, worms and other sophisticated forms of attack, as well as potentially offensive or unauthorized content. Therefore, every UTM appliance must be able to perform deep packet inspection from Layers 3 through 7. Some threats span several packets, and an attacker can deliberately split a malicious payload across segment boundaries so that no single packet matches a signature; detecting those in real time requires a multipacket payload-reassembly mechanism.

Despite the security integration advantages offered by UTM appliances, their complex packet-processing requirements raise concerns about performance. For this reason, UTM systems should deploy some means of hardware acceleration.

The performance issue has two dimensions: throughput and latency. Hardware acceleration affords improvement in both dimensions, and some UTM systems can achieve a throughput of up to 70Gbps with a total latency of less than 50 msec.

Performance also can be a problem with stand-alone systems. Individually, each can offer satisfactory throughput with sufficiently low latency, but when they are chained in series, as the piecemeal approach requires, each device adds its own delay and the latency is cumulative.

Because many enterprise networks now support delay-sensitive applications, such as VoIP, the total latency of a chain of devices can quickly exceed the latency budget recommended for these mission-critical applications. UTM solutions reduce this overhead by reassembling the data once and handing the same reassembled content to every security engine, rather than having each engine reassemble the content separately.
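The two points above, a signature split across packets that only stream reassembly can catch, and one reassembly shared by all engines versus one per chained appliance, in working form. This is an added example, not code from the article or from any UTM product: the captured segments, the three toy engines and their signatures are all constructed for the illustration.

```python
"""Added example (not code from the article): a flow inspected packet by
packet versus after stream reassembly, and a single reassembly shared by
all engines versus one reassembly per chained appliance.

The segments, signatures and 'engines' are constructed for this
illustration and are not any product's logic."""
from typing import Callable

# Constructed capture of one TCP flow, delivered out of order. The attacker
# has split the string "/bin/sh" across two segments on purpose; sequence
# numbers are contiguous (1000, 1020, 1042) once the segments are ordered.
FLOW = ("10.0.0.5", 40000, "10.0.0.9", 80)
SEGMENTS = [
    (FLOW, 1020, b"n/sh HTTP/1.1\r\nHost: x"),
    (FLOW, 1000, b"GET /cgi/run?cmd=/bi"),
    (FLOW, 1042, b".example\r\n\r\n"),
]


def ids_engine(data: bytes) -> list[str]:
    """Toy IDS: fixed-string signatures."""
    return [f"IDS:{sig.decode()}" for sig in (b"/bin/sh", b"../../") if sig in data]


def av_engine(data: bytes) -> list[str]:
    """Toy AV: one stand-in byte pattern (not present in the sample flow)."""
    return ["AV:eicar-test"] if b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" in data else []


def content_engine(data: bytes) -> list[str]:
    """Toy content filter: flags a request to a CGI command-runner path."""
    return ["CONTENT:cgi-exec"] if b"/cgi/run" in data else []


ENGINES: list[Callable[[bytes], list[str]]] = [ids_engine, av_engine, content_engine]


def reassemble(segments) -> bytes:
    """Rebuild one flow's byte stream from its TCP segments by sequence number.

    A gap or overlap raises rather than inspecting a guessed stream: an engine
    that silently tolerates either can be steered into seeing different bytes
    from the ones the end host accepts."""
    ordered = sorted(segments, key=lambda s: s[1])
    stream, expected = bytearray(), ordered[0][1]
    for _, seq, payload in ordered:
        if seq != expected:
            raise ValueError(f"non-contiguous segment: seq {seq}, expected {expected}")
        stream += payload
        expected += len(payload)
    return bytes(stream)


def inspect_per_packet(segments) -> list[str]:
    """Engines see each packet in isolation; a signature split across
    segments is never matched."""
    return sorted({a for _, _, p in segments for e in ENGINES for a in e(p)})


def inspect_chained(segments) -> tuple[list[str], int]:
    """Serial stand-alone boxes: each box reassembles the stream itself.
    Returns (alerts, number of reassemblies performed)."""
    alerts, count = set(), 0
    for engine in ENGINES:
        alerts.update(engine(reassemble(segments)))
        count += 1
    return sorted(alerts), count


def inspect_unified(segments) -> tuple[list[str], int]:
    """UTM-style: reassemble once and hand the same buffer to every engine."""
    stream = reassemble(segments)
    return sorted({a for e in ENGINES for a in e(stream)}), 1


if __name__ == "__main__":
    print("per packet :", inspect_per_packet(SEGMENTS))
    print("chained    :", inspect_chained(SEGMENTS))
    print("unified    :", inspect_unified(SEGMENTS))
```

Run stand-alone, the per-packet pass reports only the CGI path, while both reassembling designs also report the split "/bin/sh"; the chained design reaches that result with three reassemblies of the same flow, the unified design with one. The reassembler deliberately refuses a flow with a missing segment instead of inspecting whatever it has, which is the safer failure mode for an inline device.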

With its integration of multiple security engines into a single appliance, UTM makes it easier for administrators to enforce detailed security policies throughout the enterprise. It also makes it possible to detect blended threats that employ a combination of attacks (such as a mix of viruses, worms, Trojans and denial-of-service attacks) crafted to circumvent a single line of defense.

With UTM solutions, the integrated security engines work together, enabling the system to inspect real-time traffic - whether as packets or entire files - from multiple vantage points. For example, a seemingly harmless e-mail may pass an antivirus scan because its HTML attachment contains no malicious code of its own; the attachment only carries a link that ultimately leads to a Trojan. Because a UTM solution can combine the findings of antispam, antivirus, antispyware and other security engines, it can detect such blended threats more readily than any one of those engines could alone.
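The e-mail scenario above as a worked example of correlation across engines. This is an added example, not code from the article or from any UTM product: the two sample messages, the heuristics and their weights, the stand-in antivirus pattern and the host reputation list (using the reserved .invalid domain) are all constructed for the illustration. Each engine on its own stays below its blocking threshold; only the combined score flags the message.

```python
"""Added example (not code from the article): correlating the findings of
several inspection engines over one e-mail so that a message each engine
would let through on its own is flagged as a blended threat.

The sample messages, the heuristics, the weights and the host reputation
list are all constructed for this illustration and are not any product's
rules."""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlsplit

# Constructed sample: a plausible payroll mail whose HTML attachment carries no
# code of its own, only a link to an executable on a low-reputation host.
RAW_MAIL = b"""From: payroll@corp.example
To: staff@corp.example
Subject: Updated payslip
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your payslip is attached. Open it to view.
--b1
Content-Type: text/html; name="payslip.html"
Content-Disposition: attachment; filename="payslip.html"

<html><body><a href="http://update-cdn.invalid/payslip.exe">View payslip</a></body></html>
--b1--
"""

# Constructed benign sample for the negative case.
BENIGN_MAIL = b"""From: alice@corp.example
To: bob@corp.example
Subject: Lunch tomorrow?
MIME-Version: 1.0
Content-Type: text/plain

Want to grab lunch at noon?
"""

SUSPICIOUS_HOSTS = {"update-cdn.invalid"}                                  # constructed reputation data
MALWARE_PATTERNS = {b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "eicar-test"}  # stand-in AV signature
URL_RE = re.compile(rb"""href=["']?([^"'\s>]+)""", re.IGNORECASE)


def antispam(msg):
    """Header/body heuristics; returns (finding, weight) pairs."""
    out = []
    if any(w in str(msg.get("Subject", "")).lower() for w in ("payslip", "invoice", "urgent")):
        out.append(("spam:lure-subject", 1))
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and "open it" in body.get_content().lower():
        out.append(("spam:open-attachment-lure", 1))
    return out


def antivirus(msg):
    """Byte-pattern scan of attachments; HTML attachments are noted as active content."""
    out = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "?"
        for pattern, sig in MALWARE_PATTERNS.items():
            if pattern in data:
                out.append((f"av:{sig}:{name}", 5))
        if part.get_content_type() == "text/html":
            out.append((f"av:active-content-attachment:{name}", 1))
    return out


def content_filter(msg):
    """URL inspection of every HTML part, attachments included."""
    out = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for raw_url in URL_RE.findall(part.get_payload(decode=True) or b""):
            url = urlsplit(raw_url.decode("ascii", "replace"))
            if url.hostname in SUSPICIOUS_HOSTS:
                out.append((f"url:low-reputation-host:{url.hostname}", 2))
            if url.path.lower().endswith((".exe", ".scr", ".js")):
                out.append((f"url:executable-download:{url.path}", 1))
    return out


# engine name -> (function, score at which that engine alone would block)
ENGINES = {"antispam": (antispam, 3), "antivirus": (antivirus, 5), "content": (content_filter, 4)}
BLENDED_THRESHOLD = 5  # combined score at which the correlated verdict blocks


def inspect_mail(raw: bytes) -> dict:
    """Run every engine over the parsed message once and correlate the scores."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings, scores, alone = {}, {}, {}
    for name, (engine, block_at) in ENGINES.items():
        hits = engine(msg)
        findings[name] = [f for f, _ in hits]
        scores[name] = sum(w for _, w in hits)
        alone[name] = scores[name] >= block_at
    total = sum(scores.values())
    if any(alone.values()):
        verdict = "block:single-engine"
    elif total >= BLENDED_THRESHOLD:
        verdict = "block:blended-threat"
    else:
        verdict = "allow"
    return {"findings": findings, "scores": scores, "total": total,
            "blocked_by_single_engine": any(alone.values()), "verdict": verdict}
```

For the payslip message the antispam, antivirus and URL engines score 2, 1 and 3 against stand-alone thresholds of 3, 5 and 4, so a chain of separate boxes passes it; the correlated total of 6 blocks it as a blended threat. The benign lunch invitation scores 0 everywhere and is allowed.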

The combination of multiple security engines within a UTM solution establishes a new approach for the detection and remediation of blended threats.
