
A simple guide to Unified Threat Management Systems

(UTMs)
A Report by Rishabh Dangwal

admin@theprohack.com

www.theprohack.com

Disclaimer
This is a case study which by no means intends to infringe copyrights
of any researcher/analyst. I have compiled the information from the
web and believe it will be most useful to you. The original research
credit goes to Micky Johnson, the original Fortinet whitepaper, and
countless datasheets of the UTM vendors and resources on Google. This
document by no means shall be used as a complete reference to UTMs
and may contain errors, but I hope it will help you test the tides of
UTM scene in a much better way.
Abstract – The objective of this report is to explore the UTM architecture, its inner workings
and how a high-performance UTM can be built. We have come a long way from single-purpose routers
to highly specialized devices which rely on customized processors and Application Specific Integrated
Circuits (ASICs) to deliver high-performance traffic forwarding between networks and applications. This
evolution can be credited to ever-increasing performance requirements which, once met by one
implementation, were adopted as industry standards.

EVOLUTION – A little background of UTM technology

UTMs, often described as next-generation firewalls, evolved directly from conventional firewalls.
The first firewalls were software firewalls, which themselves evolved from software routers. Later,
as hardware routers came onto the scene, hardware firewalls arrived; these were little more than
routers with packet filtering capabilities. The technology then matured from basic packet filtering
to more complex control technology, first stateful packet inspection and finally full application
layer inspection devices (IEEE, 1997). Around the year 2000, VPNs appeared and gained acceptance as
the mainstream technology for connecting networks securely over untrusted links. Firewalls followed
closely by integrating VPN functionality, the natural choice since enterprise deployments required
both firewalls and VPNs.

As the price of bandwidth fell, along with the cost of the cryptographic hardware needed to encrypt and
decrypt traffic, the demand rose for specialized hardware that could accelerate performance.
Unified Threat Management

In mid 2004, International Data Corporation (IDC) defined UTM platforms as minimally including
firewall, VPN, intrusion prevention and antivirus features. Touted as “Next Generation Firewalls”,
UTMs have been built using two design approaches since their inception:

- Licensing and Integrating Approach (Multi vendor UTM)
- In-house Development Approach (Single vendor UTM)

The above figure illustrates the core architecture and development approach of developing UTMs

Licensing and Integrating Approach (Multi vendor UTM)

The first design approach tries to get the best of both worlds by integrating specialized technologies
from different security vendors. For example:

Cyberoam UTM licenses Antivirus from Kaspersky and AntiSpam from Commtouch, both of which
specialize in Antivirus and AntiSpam technologies respectively.

Some of these UTMs provide a single integrated interface to manage all the licensed technologies in
the easiest possible manner, while others still require technology-specific management interfaces.

Advantages:
- Combines the best of all worlds
- Less time required in development and deployment of a new UTM box
- Single management interface
- Cost effective

Limitations:
- Research and advancement dependent on different vendors, hindering optimization of individual applications
- Again, the time is dependent on different security vendors
- The interface may not be adequate
- If one of the security vendors were compromised globally, the UTM is gone as the technology is outsourced
- Cannot take full benefit of hardware acceleration resources due to multivendor technologies
- Embedding of new technologies is difficult

In-house Development Approach (Single vendor UTM)

The second design approach is the more difficult of the two: it requires ground-up development of a
UTM device from scratch, providing each security function natively. This was not without difficulty;
to be accepted, each security function had to meet the market guidelines and standards already set by
standalone security products. However, the core functions provided by UTM platforms—firewall,
intrusion prevention and antivirus—had matured since the onset of the UTM era, so building competent
security functions became both possible and cost effective. This approach also yields a better
management interface, as the platform has incorporated all the technologies since inception.

Advantages:
- Unified architecture from scratch
- Research and advancement dependent on own pace, better optimization of applications
- Unified and best management interface
- In-house code fills security gaps and poses less threat of compromise
- Can take full benefit of hardware acceleration resources, which leads to exponential performance gains
- Embedding of new technologies is easier

Limitations:
- All the technologies may or may not be adequate as compared to their professional standalone counterparts
- More time required in development and deployment of a new UTM box
- High cost of development
- Security through obscurity is not always a very good idea
Why UTMs are required more than ever

1. With the advent of technology, blended attacks against organizations have rendered older,
single-purpose protection devices and services obsolete.
2. The integrated approach allows the administrator to worry about only one device, not a
whole flurry of firewalls, antivirus and IDS/IPS.
3. With falling costs, attackers have more speed at their disposal and can carry out more
attacks, hence we need more functionality on a single device to counter them.

UTM – Impact Assessment

Unified Threat Management – What does it actually do?

At its heart, a UTM does two core jobs: collection of data and detection of unwanted or malicious
data. As Mick Johnson puts it:

Collection involves picking the packets off the wire and processing them through the network
stack, reassembling and deciphering packet header information and identifying the relevant
payloads. Detection is the task of scanning those payloads for data that signify a particular traffic
stream is malicious or unwanted. A given portion of traffic might apply to either collection or
detection at different stages: the source IP address must be checked against a set of firewall
rules before being used to identify a TCP stream for reassembly and HTTP-level scanning for
viruses.
That said, the process is quite complex in nature and spans six layers of the OSI model.

The factors identified above have made the detection phase correspondingly more important. Over
time, packet header size has stayed the same while ever more information is funneled through packet
payloads. Finally, each security function or application added to a UTM adds extra workload to the
detection phase irrespective of the amount of traffic, which leads to a massive performance drop
when a specific type of inspection is turned on.
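The collection/detection split described above, as an added Python example (not from the report or from any vendor's code): a source-IP firewall check, TCP stream reassembly by sequence number, then signature scanning of the reassembled payload. The rule set, the signature and the traffic are constructed for the example; the segment tuple layout is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall policy: first matching source network wins, default deny.
FIREWALL_RULES = [(ipaddress.ip_network("10.0.0.0/8"), "allow")]
# Constructed signature set. In a UTM the patterns stay in memory while the
# scanning logic itself may be offloaded to a content processor.
SIGNATURES = {"test-malware": b"EVIL-PAYLOAD-MARKER"}

def firewall_decision(src_ip):
    """Collection, step 1: check the source address against the rule set."""
    addr = ipaddress.ip_address(src_ip)
    for net, action in FIREWALL_RULES:
        if addr in net:
            return action
    return "deny"  # no rule matched: default deny

def reassemble(segments):
    """Collection, step 2: rebuild each TCP stream by sequence number."""
    streams = defaultdict(list)  # segment = (src, dst, sport, dport, seq, data)
    for src, dst, sport, dport, seq, data in segments:
        streams[(src, dst, sport, dport)].append((seq, data))
    return {k: b"".join(d for _, d in sorted(v)) for k, v in streams.items()}

def scan(payload):
    """Detection: names of the signatures found in a payload."""
    return [name for name, sig in SIGNATURES.items() if sig in payload]

def process(segments):
    """Firewall first, then reassembly and scanning; one verdict per stream."""
    verdicts, passed = {}, []
    for seg in segments:
        if firewall_decision(seg[0]) == "allow":
            passed.append(seg)
        else:
            verdicts[seg[:4]] = "dropped by firewall"
    for key, payload in reassemble(passed).items():
        hits = scan(payload)
        verdicts[key] = "blocked: " + ",".join(hits) if hits else "allowed"
    return verdicts

# Constructed traffic: the signature straddles two segments delivered out of
# order, so per-packet scanning misses it and only stream scanning sees it.
SAMPLE = [
    ("10.1.2.3", "192.0.2.10", 40000, 80, 25, b"PAYLOAD-MARKER\r\n"),
    ("10.1.2.3", "192.0.2.10", 40000, 80, 1, b"GET /x HTTP/1.1\r\n\r\nEVIL-"),
    ("203.0.113.5", "192.0.2.10", 40001, 80, 1, b"GET / HTTP/1.1\r\n\r\n"),
]
```

Scanning each segment of SAMPLE on its own finds nothing; only the reassembled stream is blocked, which is why the detection phase cannot be a pure per-packet job.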

UTM Components

While there are many components in a UTM appliance, there are three major components to high-
performance UTM systems:

1. Specialized hardware,
2. Specialized software and
3. Evolving security content

Specialized Hardware

Two major types of specialized UTM co-processing hardware contribute to performance scalability—
content processors and network processors. These processors work in conjunction with the general
purpose processor. The general purpose processor works in concert with the other specialized
processors similarly to the way that the brain works with the spine and peripheral nervous system to
perform system activities.
Content Processors / Content ASIC

Content Processors allow for the design and deployment of next-generation networking systems
that can make packet or message processing decisions based on an awareness of the packet or
message content.

Primary Functions
- Acceleration - Content processors can accelerate antivirus, intrusion prevention and
other application level security technologies.
- Deep Packet Inspection - Perform deep packet inspection and can modify and re-write
content on the fly.
- Scanning logic - Content processors implement only the scanning logic in hardware; they
do not store threat pattern data, which remains in memory.
- Encryption / Decryption - Content processors can also contain cryptographic engines
that relieve the general purpose processor of the intensive calculations that take
place during encrypted communications.
- Analysis - Can perform both message-based and packet-by-packet analysis, and some
can keep track of content across multiple packets.
- Hardware acceleration - Prime candidates for hardware acceleration, as they help
counter performance-taxing applications like VPN.
Network Processors

A network processor is an integrated circuit with a feature set specifically targeted at the
networking application domain, performing high-speed processing of network flows. Network
processors are typically software-programmable devices with generic characteristics similar to
the general purpose central processing units used in many different types of equipment and
products. These processors are typically placed in line between the general purpose processor
and the network ports, receiving traffic directly and performing some functions automatically.

Primary Functions
- Pattern matching - the ability to find specific patterns of bits or bytes within packets in a
packet stream.
- Key lookup, for example address lookup - the ability to quickly undertake a database
lookup using a key (typically an address on a packet) to find a result, typically routing
information.
- Data bitfield manipulation - the ability to change certain data fields contained in the packet
as it is being processed.
- Queue management - as packets are received, processed and scheduled to be sent
onwards, they are stored in queues.
- Control processing - the micro operations of processing a packet are controlled at a macro
level, which involves communication and orchestration with other nodes in a system.
- Quality of service (QoS) enforcement - identifying different types or classes of packets and
providing preferential treatment for some types or classes of packet at the expense of other
types or classes of packet.
- Access control functions - determining whether a specific packet or stream of packets
should be allowed to traverse the piece of network equipment.
- Encryption and decryption of data streams - built-in hardware-based encryption engines
allow individual data flows to be encrypted/decrypted by the processor.
- Act as a basic router - packet or frame discrimination and forwarding, that is, the basic
operation of a router or switch. They also allow for quick allocation and re-circulation of
packet buffers.
- Decrease load on system - the latest generation of network processors can be
programmed with the current firewall and IPS policy, filtering traffic, detecting protocol
anomalies and expediting delivery of latency-sensitive traffic at the interface level— without
burdening the rest of the system.

Specialized Software

At its core, a UTM consists of an operating system which integrates all the applications together. To
integrate specialized hardware with software, special programming approaches are needed. This
requires the ability to modify and optimize the source code; otherwise all tasks run on the general
purpose CPU and performance drops at every level. It is highly unlikely that a 3rd party security
vendor will optimize its code for the hardware; vendors tend simply to license their code for the
platform. Also, combining multiple technologies means there is a high probability of incompatible
software and of redundant operations, which further degrade performance.

The basic approach for a multivendor UTM is to license the software from 3rd party security vendors and
integrate it for the highest compatibility. For example, if the core of the UTM device is a Linux based
OS, the vendor might opt for a Linux based antivirus to keep performance up, rather than risk
virtualizing a Windows based OS just for that application.

Single-vendor UTMs, on the other hand, take the integrated approach and can optimize the software
according to their needs. Their developers can respond to new threats as quickly as possible by
innovating on new trends and thus make the UTM a true next generation firewall.
A Brief Intro to Antivirus, Anti Spam and Content Filtering technologies

Antivirus

Antivirus or anti-virus software is used to prevent, detect, and remove computer viruses, worms, and
trojan horses.

Detection Methods

- Signature based
- Heuristics/Meta-heuristics
- Rootkit analysis

Antivirus in UTMs

- Generic Antivirus – Antivirus is fully deployed on the device, with only suspicious files
sent for analysis and signature creation.
- Gateway Anti-Virus – This technique allows applications across the enterprise to
check files for viruses by providing a SOAP-based virus scanning web service. Client
applications attach files to SOAP messages and submit them to the Gateway Anti-Virus
web service. This may be used with active caching.
- Cloud Antivirus – Cloud antivirus is a technology that uses a lightweight agent
on the protected computer, while offloading the majority of data analysis
to the provider's infrastructure.

Anti Spam

Antispam software combats spam using various techniques.

Detection Methods

- Authentication and reputation
- SMTP proxy
- Challenge/response systems
- Checksum-based filtering
- DNS-based blacklists
- Enforcing RFC standards
- Greeting delay
- Greylisting
- Invalid pipelining
- Sender-supported whitelists and tags
- Rule-based filtering
- Statistical content filtering

Antispam in UTMs

- Generic Antispam / In-house Antispam – Antispam is fully deployed on the device, with
only suspicious mails sent for analysis and signature/reputation creation.
- 3rd Party Antispam – Mails may be checked for spam and false positives using a secure
connection to the 3rd party service provider.

Content Filtering & URL filtering

Content filtering is the technique whereby content is blocked or allowed based on analysis of its
content, rather than its source or other criteria.

Detection Methods

- Attachment - the blocking of certain types of file (e.g. executable programs).
- Bayesian
- DNS-based filtering
- Char-set
- Content-encoding
- Heuristic
- HTML anomalies
- Language
- Mail header
- Mailing list
- Phrases
- Proximity
- Regular expression
- URL-filtering based on the URL

Content Filtering in UTMs

- Generic Content Filtering / In-house – Filtering is fully deployed on the device, with only
suspicious content sent for analysis and signature/reputation creation.
- 3rd Party Content Filtering – Content may be checked for spam and false positives using a
secure connection to the 3rd party service provider.

UTM – Competitive Product Analysis

Cyberoam
- Device model: 100ia
- Firewall throughput: 1.25 Gbps
- Antivirus: Kaspersky
- Anti Spam: CommTouch
- Authentication: LDAP, RADIUS, Active Directory
- Content filtering: In house
- Sessions per second / concurrent sessions: 10K / 400K

Checkpoint
- Device model: UTM-1 13x series / 27x series
- Firewall throughput: 1.5 Gbps
- Antivirus: Gateway/Clam Antivirus, Kaspersky
- Anti Spam: In house
- Authentication: RADIUS
- Content filtering: Websense
- Sessions per second / concurrent sessions: NA / 600K

WatchGuard
- Device model: XTM 510
- Firewall throughput: 1.5 Gbps
- Antivirus: AVG
- Anti Spam: In house
- Authentication: RADIUS, LDAP, Windows Active Directory, VASCO, RSA SecurID, web-based, local
- Content filtering: In house
- Sessions per second / concurrent sessions: NA / 100K

Juniper
- Device model: SRX 240 (supports virtualization)
- Firewall throughput: 1.5 Gbps
- Antivirus: Kaspersky
- Anti Spam: Sophos
- Authentication: RADIUS, RSA SecureID, LDAP
- Content filtering: Websense
- Sessions per second / concurrent sessions: 9K / 128K

Sonicwall
- Device model: NSA 3500
- Firewall throughput: 1.5 Gbps
- Antivirus: McAfee
- Anti Spam: In house
- Authentication: XAUTH/RADIUS, Active Directory, SSO, LDAP, Terminal Services, Citrix, Internal User Database
- Content filtering: In house
- Sessions per second / concurrent sessions: 4K / 325K

IBM
- Device model: IBM Proventia MX 5008
- Firewall throughput: 1.6 Gbps
- Antivirus: Sophos
- Anti Spam: In house
- Authentication: Active Directory, LDAP, RADIUS, X509
- Content filtering: In house
- Sessions per second / concurrent sessions: 9.58K / 150K

Epilogue

The future is now, gentlemen. With the onset of new technologies, we have quite a lot of exotic things to
work with. I will be exploring XTMs and more on UTMs in future, as well as more security devices. I
hope this document served some purpose to you.

Stay Gold

Rishabh Dangwal

www.theprohack.com
