NSE 1: Unified Threat Management (UTM) : Study Guide

Unified Threat Management (UTM) UTM Features
NSE 1: Unified Threat Management (UTM)

Study Guide
NSE 1: Unified Threat Management (UTM) Study Guide

Last Updated: 8 April 2016
Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
2002 - 2016 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
Table of Contents
UNIFIED THREAT MANAGEMENT (UTM).........................................................4
The Key to UTM: Consolidation....................................................................................................................4
UTM Features .........................................................................................................................4

UTM Distributed Enterprise Advanced Features ..........................................................................................6
Extended UTM Features.........................................................................................................6

Evolving UTM Features ................................................................................................................................7
UTM Functions........................................................................................................................9
Where UTM Fits In ..............................................................................................................9
UTM: Scalable Deployment..........................................................................................................................10
Summary .................................................................................................................................11
KEY ACRONYMS ...........................................................................................12

GLOSSARY...................................................................................................14
REFERENCES ...............................................................................................16
Unified Threat Management (UTM)

Unified threat management (UTM) provides administrators the ability to consolidate multiple security
features into a single management console. Through this simplified management approach,
administrators can define security policies and integrate them in one place, often through one device,
instead of needing to coordinate configurations on multiple control panels, on multiple devices. This
integrated approach to security control is an extension of the philosophy that resulted in integration of
multiple security functions into hardware and software appliances, compared to legacy network security
systems that used single- or dual-function add-on appliances that resulted in complex hardware,
software, and management control systems (Figure 1).
Figure 1. Legacy network security add-ons vs. UTM architecture

UTM provides administrators the ability to monitor and manage multiple, complex security-related
applications and infrastructure components through a single management console. Because UTM is
designed as an integrated solution, it does not suffer complexities such as the need to coordinate multiple
configurations that administrators face with multiple, single-purpose security devices in legacy systems.
The Key to UTM: Consolidation

Similar to next-generation firewall (NGFW), one of the strengths of UTM is integration of components and
functions into both hardware appliances and associated security software applications. The advantage to
UTM is that it goes beyond the NGFW focus of high performance protection of data centers by
incorporating a broader range of security capabilities to provide administrator-friendly, threat-unfriendly
management.
UTM Features
UTM can be added to a network as either cloud services or network appliances. They integrate
firewall, intrusion detection system (IDS), anti-malware, anti-spam, content filtering, and VPN
capabilities (Figure 2). These can be installed and updated as necessary to keep pace with emerging
threats.[1]
Figure 2. Unified Threat Management (UTM).

Firewall. Firewalling is the most basic, necessary, and commonly deployed network security technology,
which uses sets or rules or policies to determine which traffic is allowed into or out of a system or
network. UTM integrates enhanced security capabilities with this firewall foundation, rather than adding
on separate security devices.[2]
Intrusion Detection System (IDS). IDS detects intrusion attempts on the host or network, but does not
necessarily react by sending a message to the firewall to block the threat.[2] IDS is an integrated feature in
Intrusion Prevention System (IPS), which does block intrusion attempts.
Antivirus/Antimalware. Antivirus/Antimalware (AV/AM) protects against network-based spread of
viruses, spyware, and other types of malware attacks. Antivirus can be used to scan e-mail for viruses,
but it doesnt stop there. You can also scan File Transfer Protocol (FTP) traffic, instant messaging (IM),
and web content. Some solutions support Secure Sockets Layer (SSL) content scanning, which means
that you can scan the secure counterparts to those types of traffic for viruses as well, such as HTTPS,
SFTP, POP3S, and so on. A UTM virus filter examines all files against a database of known virus
signatures and file patterns for infection. If no infection is detected, the file is allowed to pass to the
recipient. If an infection is detected, the UTM solution deletes or quarantines the infected file and,
depending on the protocol, notifies the user. [3]
Antispam. Antispam detects and removes unwanted e-mail (spam) messages by examining many
aspects of the email, using a variety of techniques [3]. These may be as simple as comparing the sender
or email to databases of known bad messages and spam server addresses[2].
Content filtering. Content filters block traffic to and/or from a network by IP address, domain name/URL,
type of content (for example, adult content or file sharing), or payload. They maintain a list of trusted
sites and a list of forbidden sites, and prevent users from violating acceptable use policies or from
being exposed to malicious content. [3]
VPN. A Virtual Private Network (VPN) transmits data between two private networks that are separated
by a public network, such as the Internet. Most VPN protocols create a private, encrypted channel for
traffic while it travels between networks. As a result, if someone on the public network would intercept
and examine those packets while theyre being transmitted across the Internet, that person would not
be able to read the traffic. This secures VPN traffic from unauthorized access. VPN packets wrap their
encrypted data inside a new protocol envelope a technique known as encapsulation. A VPN is
often called a tunnel through the Internet. [3]
Unified Threat Management (UTM) Extended UTM Features
UTM Distributed Enterprise Advanced Features

Enterprise devices may have more advanced features, such as identity-based access control, load
balancing, intrusion prevention (IPS), Quality of Service (QoS), SSL/SSH inspection, and application
awareness[1].
Application control. Application control can identify and control applications, software programs,
network services, and protocols. In order to protect networks against the latest web-based threats,
application control should be able to detect and control Web 2.0 apps like YouTube, Facebook, and
Twitter. Enterprise-class app control provides granular policy control, letting you allow or block apps
based on vendor, app behavior, and type of technology. For example, you can block specific sites, block
only your users ability to follow links or download files from sites, or block games but allow chat.
Access control. If the UTM system tracks user names, IP addresses, and/or Active Directory user
groups, it can enforce identity-based policies. When a user logs on and tries to access network
resources, UTM applies a firewall policy based on the requested application or destination. Access is
allowed only if the user belongs to one of the permitted user groups.
Load balancing. Load balancing distributes traffic across multiple servers, devices, or links. It increases
application performance, improves resource utilization, and reduce apparent response times. With data
compression and an independent SSL encryption processor, a server load balancer can increase
transaction throughput and reduce CPU usage on web servers, providing acceleration for web application
traffic.
Intrusion Prevention System (IPS). An IPS looks for network traffic not just virus-infected files, but
parts of the protocols themselves that may be trying to exploit vulnerabilities, and blocks it. An IPS can
make alarms or alerts for administrators, and log information as events occur, so they can provide
information to better handle threats in the future, or provide evidence for possible legal action[3].
Quality of Service (QoS). To minimize latency and jitter for sensitive applications, networks often apply
QoS. Quality of service involves controlling and managing network resources by setting priorities for
specific types of data (video, audio, or files) on the network. QoS is usually applied to network traffic for
video on demand, IPTV, VoIP, streaming media, videoconferencing and online gaming. [4]
SSL/SSH inspection. This provides the ability to inspect encrypted content that uses Secure Socket
Layer (SSL) or Transport Layer Security (TLS) cryptography by performing an authorized man-in-themiddle interception of the encrypted traffic. While the traffic is intercepted, it is temporarily unencrypted
and therefore can be inspected by other UTM features such as DLP, web filtering, and antivirus. Some
popular secure protocols are HTTPS, FTPS, and mail protocols SMTPS, POP3S, and IMAPS. [2]
Application awareness. Web application firewall (WAF) solutions provide specialized, layered
application threat protection for medium and large enterprises, application service providers, and SaaS
providers. Web application firewalls protect your web-based applications and Internet-facing data from
OSI Layer 7 DDoS and more sophisticated attacks such as SQL injection, cross-site scripting (XSS)
attacks, and data leaks. Web vulnerability assessment modules add scanning capabilities to provide a
comprehensive solution for PCI DSS section 6.6 compliance requirements.
Tradeoffs. The main advantage to UTM is reducing operational complexity. In particular, reducing
operational complexity for network administrators increases the likelihood that they will use the available
protection features to optimize network security. However, while simplification presents the advantage
of security optimization by administrator, the main drawback may be positioning UTM as a single point
of failure in a system or network unless it is deployed as a high availability (HA) cluster.
Extended UTM Features

One of the key factors that enables specialized UTM products to achieve high performance and boost
network throughput is incorporating custom application-specific integrated circuits (ASICs) into UTM

hardware. Using custom-designed ASICs is a more challenging design process, but the tradeoff is
achieving better system performance because the circuits are optimized for the devices intended
functions. Even with high-performance ASICs, however, as more UTM capabilities are activated,
performance will decrease. Planning and configuration are critical in achieving optimum performance.
UTM can integrate some capabilities that do not exist in NGFW, such as data leak prevention (DLP),
which helps prevent unauthorized transfer of sensitive information to someone outside the organization
via email, web pages, and transferred files. DLP uses methods such as inbound/outbound filtering and
fingerprinting.
DLP filtering scans inbound and outbound files, searching for text string and patterns that, when
compared against the DLP database, determine whether the content will be allowed, blocked, or
archived.
Fingerprinting is where each document is encoded with a unique fingerprint. When scanning files to
determine whether it is sensitives and should not be allowed to leave the network, DLP compares the
traffic with the fingerprint for a complete or partial match.
Protocols that DLP can scan varies. For example, FortiGate can scan HTTP, FTP, SMTP, POP3, IMAP,
and instant messaging protocols for Yahoo!, MSN, and AOL messaging services[2]. DLP has the same
limitations as antivirus scanning maximum file size, data fragmentation (but not necessarily packet
fragmentation), and encryption all of which may limit effective data leak detection and therefore
prevention.
Evolving UTM Features

UTM integration continues to evolve as technologies, user trends, and threats evolve. With this focus on
being flexible and future-ready, additional technologies are increasingly being integrated to UTM devices.
Switching. By integrating switch management into UTM, this again reduces the number of physical
hardware devices and control monitors necessary to manage network security. From this integrated
control panel, individual ports can be switched on or off to physically isolate network traffic, and to ensure
that only authorized access devices are connected.
Wireless LAN (WLAN). Integrating wireless LAN management into UTM provides more than added
economy of hardware. Integrating WLAN into UTM provides a simplified method to ensure each network
on the full infrastructurephysical, WLAN, and VPNmay be controlled together to maintain consistent
security policies and controls across all networks on the control interface. This approach also detects and
eliminates potential blind spots and better prevents unauthorized or rogue wireless access to the
combined network. WLAN is also important for SMB networks where secure wireless coverage
sometimes must be a substitute for wired connectivity.
WAN optimization. This improves application and network performance to remote offices and authorized
remote users, mostly through these five methods [3]:
Protocol optimization. Improves efficiency of FTP, HTTP, TCP, and other protocols to
accelerate network performance.
Byte caching. Locally caches data to reduce WAN bandwidth usage.
Web caching. Locally caches commonly requested web pages to avoid downloading them
again over the WAN.
SSL offloading. Offloads SSL or TLS decryption/encryption from the web server, usually to a
specialized device, to improve performance.
Secure tunneling. Secures traffic crossing the WAN.
Figure 3. LAN control.

Power over Ethernet (PoE). This allows UTM to provide power to external devices, much like Universal
Serial Bus (USB). With PoE, power can be supplied over Ethernet data cables along extensive cable
lengths, either on the same conductors as data or on a dedicated conductor in the same cable (Figure 4).
USB data and power capabilities are designed for up to 5m (16ft), compared to PoE capability up to 100m
(330ft) or even more with new PoE-plus developments.
Figure 4. Typical Power over Ethernet (PoE) cable configuration

UTM devices with PoE enable you to connect wireless access points, 3G/4G extenders, Voice over
Internet Protocol (VoIP) handsets, and IP cameras to the network security platform while keeping the
devices away from system main power supplies. Depending on how PoE is applied, some advantages
over other technologies include lower cost because of combined cabling for power and data, ability to
remotely cycle appliance power, and fast data rates.
3G/4G. 3G/4G extenders can integrate with UTM to provide a secure WAN connection for SMB and
distributed enterprise locations, with ability to serve as a secondary failover connection to the wired WAN
link for business continuity or, if desired, as a primary WAN link.
Unified Threat Management (UTM) UTM Functions
UTM Functions
UTM provides many integrated functions beyond the scope
of NGFW. Two of these important functions focus on
threats inherent in technologies used daily by users in
systems and networks of all sizes: email and the Web.
UTM has solutions to help protect your networks from
these continually evolving threats.
Antispam. One of most widely used buttons on email
applications is the one that allows users to mark messages
from a particular sender as spam, which routes it to a
spam folder. The user receives no alert when spam later
arrives and it is often automatically deleted periodically.
UTM has antispam, too. Anti-spam capabilities integrated into UTM may
detect threats using a variety of methods, including:
Blocking known spammer IP addresses.
Blocking email with any URL associated with known spam sites.
Comparing email hashes against those for known spam messages.

Those that match may be blocked without knowledge of actual message content.
Comparing the client IP address and sender email address to lists of allowed/blocked addresses.
Making a DNS lookup on the domain name to see if the domain exists or is blacklisted.
Blocking email based on matching message keywords or key phrases in a banned word/phrase
filter list. [3]
Intrusion Prevention Systems (IPS). IPS performs a dual protection function. Depending on UTM
configuration, IPS can protect the internal network from attacks that originate from outside the network
perimeter as well as those that originate from within the network itself. IPS is also discussed as a
component of NGFW. In a UTM solutions environment, the IPS component provides a range of security
tools to both detect and block malicious activity, including:
Predefined signatures. A database of malicious attack signatures is included, which is updated

regularly to keep pace with newly identified threats.
Custom signatures. Customizable entries that add to the standard threat signature library to add
protection against new, little known, or unknown attacks.
Out-of-band mode. Alternately referred to as one-arm IPS mode, the component may be
programmed to operate as only an Intrusion Detection System (IDS), detecting but not acting
upon identified threats and attacks. In this configuration, such identified threats/attacks would be
analyzed on a separate switch port.
Packet logging. This feature provides the option to save network packets that match identified
IPS signatures and analyze the log files with analysis tools.[3]
Where UTM Fits In

As network magnitude and function complexity grow, so also must the capabilities of the security
apparatus. One of the considerations for both SMB and smaller, remote offices tied to a corporate
headquarters or central database is consideration of implementing UTM security as an all-in-one
solution that provides flexible, future-ready security that is user-friendly and threat-complex. Figure 5
Unified Threat Management (UTM) Where UTM Fits In

illustrates how UTM may be deployed to support branch offices in a distributed enterprise network, while
NGFW and Advanced Threat Protection (ATP) technology is maintained at the central office where more
staff can monitor and manage security parameters at all network locations.
Home Office / Headquarters. Next Generation Firewall (NGFW)
Application Visibility & Control. Identify and control applications on a network regardless of the
port, protocol, or IP address used.
Advanced Threat Protection (ATP). Sophisticated on-device and cloud-based detection and
mitigation techniques block Advanced Persistent Threats (APTs) that target specific people or
functions within an organization, and use extensive evasion techniques to remain stealthy for long
periods before exfiltrating data.
Remote / Branch Offices. Unified Threat Management (UTM)
Content security & web filtering. Combines sophisticated filtering capabilities together with a
powerful policy engine to create a high performance and flexible web content filtering solution.
Antispam. Real-time email protection against spam.
IPS/IDS. Intrusion detection and prevention systems monitor, log, identify and block malicious
network activity.
Figure 5. UTM scalability
UTM: Scalable Deployment

Because UTM may be configured to provide network security tailored to specific environments, UTM is
designed for deployment across a broad range of organizational needs. The integrated hardware and
software features of UTM make it ideal for SMB networks, while simultaneous control of wired, VPN, and
wireless infrastructure components provide the means for distributed enterprise and select large
enterprise deployment (Figure 5). Across these various deployment environments, UTM provides
enhanced and cost-effective network security options.
SMB networks. Simple controls and multiple scalable options. Provides option for control and
scalable security for businesses with limited physical space and IT staff, or branch offices where IT
policy and control is managed from a central location (Figure 5).
Distributed enterprise networks. Simultaneous control of wired, VPN, and wireless infrastructure
components, with centralized control with advanced features to effectively run operations up to a
global scale.
10
Unified Threat Management (UTM) Summary

Like many other sectors of the technology industry, UTM deployment may be accomplished in various
ways. A common method for vendorsfollowing traditional hardware procurement paradigmswas to
license UTM infrastructure based on the amount of features included in the deployment package. In other
words, the standard was an a la carte menu of options.
Figure 6. Fortinets concept of Connected UTM

However, in an effort to provide a better option for organizations wanting to upgrade to the UTM security
model, leading UTM companies developed a new licensing model that more closely reflects the bundle
model offered by cable and DSL companies (Figure 6). Fortinet, recognized by Gartner as a leader in
UTM development and implementation along with CheckPoint, offers a bundle concept that includes the
purchased hardware, software updates, security feature updates for all included security components,
and system support[2]. This not only provides simplified licensing and reduced costs, but also enables
better future budget planning for UTM system customers.
Summary
NGFW improved on the basic gatekeeping security of edge firewalls by introducing such features as IPS,
deep packet scanning, network application identification, and access control. However, beyond those
capabilities, adding security functions meant additional appliances and software configurations,
increasing operational complexity for the network administrator.
Because increased operational complexity often results in bypassing of processes in the interest of
time or administrator overload, development was needed for a new dynamic vision of a flexible, futureready security solution to meet the needs of todays network environments and keep paceor think
ahead ofadvanced threats of the future. This integrated network security conceptUnified Threat
Management (UTM)is in place today and ready for tomorrows evolving challenges.
Overcoming the difficulties of patching together legacy systems with newer, state-of-the-art systems,
UTM brings flexibility, vision, power, and control to networks from SMB to large enterprises that have
international reach. Combining user-simple interfaces with threat-complex protections, as well as cost
effective procurement, operations, and support, UTM provides an optimum system to best ensure
continued network operations in a secure environment.
11
Key Acronyms
Key Acronyms
AAA
Authentication, Authorization, and
IDC
International Data Corporation
Accounting
IDS
Intrusion Detection System
AD
Active Directory
IM
Instant Messaging
ADC
Application Delivery Controller
IMAP
Internet Message Access Protocol
ADN
Application Delivery Network
IMAPS Internet Message Access Protocol
ADOM Administrative Domain
Secure
API
Application Programming Interface
IoT
Internet of Things
APT
Advanced Persistent Threat
IP
Internet Protocol
ASIC
Application-Specific Integrated Circuit
IPS
Intrusion Prevention System
ASP
Analog Signal Processing
IPSec Internet Protocol Security
ATP
Advanced Threat Protection
IPTV
Internet Protocol Television
AV
Antivirus
IT
Information Technology
BYOD Bring Your Own Device
J2EE
Java Platform Enterprise Edition
CPU
LAN
Local Area Network
Central Processing Unit
DDoS Distributed Denial of Service
LDAP Lightweight Directory Access Protocol
DLP
Data Leak Prevention
LLB
Link Load Balancing
DNS
Domain Name System
LOIC
Low Orbit Ion Cannon
DoS
Denial of Service
MSP
Managed Service Provider
DPI
Deep Packet Inspection
MSSP Managed Security Service Provider
DSL
Digital Subscriber Line
NGFW Next Generation Firewall
FTP
File Transfer Protocol
NSS
NSS Labs
GB
Gigabyte
OSI
Open Systems Infrastructure
GbE
Gigabit Ethernet
OTS
Off the Shelf
Gbps
Gigabits per second
PaaS
Platform as a Service
GSLB Global Server Load Balancing

GUI
PCI DSS Payment Card Industry Data Security
Graphical User Interface
Standard
HTML Hypertext Markup Language
PHP
PHP Hypertext Preprocessor
HTTP Hypertext Transfer Protocol
PoE
Power over Ethernet
HTTPS Hypertext Transfer Protocol Secure
POP3 Post Office Protocol (v3)
IaaS
Infrastructure as a Service
POP3S Post Office Protocol (v3) Secure
ICMP
Internet Control Message Protocol
QoS
ICSA
International Computer Security
RADIUS
In User
Association
Quality of Service
Remote Authentication Dial-
12
Key Acronyms
System
Message Logging
RDP
Remote Desktop Protocol
TCP
SaaS
Software as a Service
TCP/IP Transmission Control Protocol/Internet
SDN
Software-Defined Network
SFP
Small Form-Factor Pluggable
TLS
Transport Layer Security
SFTP
Secure File Transfer Protocol
UDP
User Datagram Protocol
SIEM
Security Information and Event
URL
Uniform Resource Locator
Management
USB
Universal Serial Bus
SLA
Service Level Agreement
UTM
Unified Threat Management
SMB
Small & Medium Business
VDOM Virtual Domain
SMS
Simple Messaging System
VM
Virtual Machine
SMTP Simple Mail Transfer Protocol
VoIP
Voice over Internet Protocol
SMTPS Simple Mail Transfer Protocol Secure
VPN
Virtual Private Network
SNMP Simple Network Management Protocol
WAF
Web Application Firewall
SQL
Structured Query Language
WANOpt Wide Area Network Optimization
SSL
Secure Socket Layer
WLAN Wireless Local Area Network
SYN
Synchronization packet in TCP
WAN
Wide Area Network
XSS
Cross-site Scripting
Syslog Standard acronym for Computer
Transmission Control Protocol
Protocol (Basic Internet Protocol)
13
Glossary
Glossary
AV/AM. Anti-virus/Anti-malware provides protection against virus, spyware, and other types of malware
attacks in web, email, and file transfer traffic. Responsible for detecting, removing, and reporting on
malicious code. By intercepting and inspecting application-based traffic and content, antivirus protection
ensures that malicious threats hidden within legitimate application content are identified and removed
from data streams before they can cause damage. Using AV/AM protection at client servers/devices adds
an additional layer of security.
NGFW. Next Generation Firewall provides multi-layered capabilities in a single firewall appliance instead
of a basic firewall and numerous add-on appliances. NGFW integrates the capabilities of a traditional
firewall with advanced features including:
Intrusion Prevention (IPS)
Deep Packet Inspection

(DPI)
Network App ID & Control
Access Enforcement
Distributed Enterprise
Capability
Extra Firewall Intelligence
Third Party Management

Compatibility
VPN
Application Awareness
IPS. Intrusion Prevention System (IPS) protects networks from threats by blocking attacks that might
otherwise take advantage of network vulnerabilities and unpatched systems. IPS may include a wide
range of features that can be used to monitor and block malicious network activity including out-of-band
mode (or one-arm IPS mode, similar to IDS). IPS can be installed at the edge of your network or within
the network core to protect critical business applications from both external and internal attacks.
Spam. Spam is usually considered to be electronic junk mail or junk newsgroup postings. Some people
define spam even more generally as any unsolicited email. Spam is generally email advertising for some
product sent to a mailing list or newsgroup.
UTM. Unified Threat Management (UTM) provides administrators the ability to monitor and manage
multiple, complex security-related applications and infrastructure components through a single
management console. The advantage to UTM is that it goes beyond the NGFW focus of high
performance protection of data centers by incorporating a broader range of security capabilities as either
cloud services or network appliances, integrating:
Intrusion Prevention (IPS)
Content Filtering
Quality of Service (QoS)
Anti-Malware
VPN Capabilities
SSL/SSH Inspection
14
Glossary
Anti-Spam
Identity-based Access
Control
Load Balancing
Application Awareness
VPN. Virtual Private Network (VPN) is a network that is constructed by using public wires usually the
Internet to connect to a private network, such as a company's internal network. VPNs use
encryption and other security mechanisms to ensure that only authorized users can access the network
and that the data cannot be intercepted.
15
References
References
1.
Rouse, M. Unified Threat Management Devices: Understanding UTM and its Vendors. Essential
Guide, 2014.
2.
Tam, K., et al., UTM Security with Fortinet: Mastering FortiOS. 2013, Waltham, MA: Elsevier.
3.
Tittel, E., Unified Threat Management for Dummies. 2012, Hoboken, NJ: John Wiley & Sons.
4.
Janssen, C., Quality of Service (QoS), in Techopedia.com. n.d.
16

NSE 1: Unified Threat Management (UTM) : Study Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

NSE 1: Unified Threat Management (UTM) : Study Guide

Uploaded by

Copyright:

Available Formats

Unified Threat Management (UTM) UTM Features