NSE 1: Unified Threat Management (UTM) : Study Guide
Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
2002 - 2016 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
Table of Contents
UNIFIED THREAT MANAGEMENT (UTM)
The Key to UTM: Consolidation
UTM Functions
Where UTM Fits In
UTM: Scalable Deployment
Summary
UTM Features
UTM can be added to a network as either cloud services or network appliances. These integrate firewall, intrusion detection system (IDS), anti-malware, anti-spam, content filtering, and VPN capabilities (Figure 2), and can be installed and updated as necessary to keep pace with emerging threats.[1]
Protocol optimization. Improves the efficiency of FTP, HTTP, TCP, and other protocols to accelerate network performance.
Web caching. Locally caches commonly requested web pages so they are not downloaded again over the WAN.
SSL offloading. Moves SSL or TLS decryption and encryption off the web server, usually onto a specialized device, to improve performance.
UTM Functions
UTM provides many integrated functions beyond the scope of NGFW. Two of the most important of these focus on threats inherent in technologies that users rely on daily in systems and networks of all sizes: email and the Web. UTM has solutions to help protect your networks from these continually evolving threats.
Antispam. One of the most widely used buttons in email applications is the one that lets users mark messages from a particular sender as spam, which routes them to a spam folder. The user receives no alert when spam from that sender later arrives, and it is often deleted automatically on a periodic basis. UTM has antispam, too. Anti-spam capabilities integrated into UTM may detect threats using a variety of methods, including:
Blocking email containing any URL associated with known spam sites.
Comparing the client IP address and sender email address to lists of allowed/blocked addresses.
Performing a DNS lookup on the sender's domain name to see whether the domain exists or is blacklisted.
Blocking email whose content matches keywords or key phrases in a banned word/phrase filter list.[3]
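As an added example, not code from the study guide or from any Fortinet product, the four antispam checks listed above applied to one constructed message in Python. The spam-site list, allow/block lists, banned phrases and the DNS answers are assumed placeholder data, and the DNS lookup is stubbed so the script runs offline.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed policy data standing in for a UTM's antispam lists (assumptions, not vendor data).
SPAM_URL_SITES = {"cheap-pills.example", "win-big.example"}
BLOCKED_SENDERS = {"promo@bulk-mailer.example"}
ALLOWED_SENDERS = {"alerts@partner.example"}
BLOCKED_CLIENT_NETS = [ip_network("203.0.113.0/24")]
BANNED_PHRASES = ["act now", "limited time offer", "free money"]
# Stand-in for a DNS lookup so the example runs offline: domain -> (exists, on_blacklist).
FAKE_DNS = {"partner.example": (True, False), "bulk-mailer.example": (True, True)}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def domain_lookup(domain):
    """Stub for the DNS check; a real UTM would query DNS or a DNS blacklist here."""
    return FAKE_DNS.get(domain.lower(), (False, False))

def classify(client_ip, sender, body):
    """Return (verdict, reasons) after applying the four antispam checks from the text."""
    if sender.lower() in ALLOWED_SENDERS:
        return "allow", ["sender on allow list"]
    reasons = []
    # 1. URLs in the body that point at known spam sites.
    for host in URL_RE.findall(body):
        if host.lower() in SPAM_URL_SITES:
            reasons.append(f"url host {host} is a known spam site")
    # 2. Client IP address and sender address against the block lists.
    if any(ip_address(client_ip) in net for net in BLOCKED_CLIENT_NETS):
        reasons.append(f"client ip {client_ip} in blocked range")
    if sender.lower() in BLOCKED_SENDERS:
        reasons.append(f"sender {sender} on block list")
    # 3. DNS lookup on the sender's domain: it must exist and not be blacklisted.
    domain = sender.rsplit("@", 1)[-1]
    exists, listed = domain_lookup(domain)
    if not exists:
        reasons.append(f"sender domain {domain} does not resolve")
    elif listed:
        reasons.append(f"sender domain {domain} is blacklisted")
    # 4. Banned word/phrase filter over the message text.
    lowered = body.lower()
    reasons += [f"banned phrase: {p!r}" for p in BANNED_PHRASES if p in lowered]
    return ("spam" if reasons else "allow"), reasons

# Constructed sample message: client IP, sender address, body text.
SAMPLE = ("203.0.113.7", "promo@bulk-mailer.example",
          "Act now! Visit http://cheap-pills.example/buy for a limited time offer.")

if __name__ == "__main__":
    print(classify(*SAMPLE))
```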
Intrusion Prevention Systems (IPS). IPS performs a dual protection function. Depending on UTM configuration, IPS can protect the internal network from attacks that originate from outside the network perimeter as well as those that originate from within the network itself. IPS is also discussed as a component of NGFW. In a UTM solutions environment, the IPS component provides a range of security tools to both detect and block malicious activity, including:
Custom signatures. Customizable entries that add to the standard threat signature library to add protection against new, little known, or unknown attacks.
Out-of-band mode. Alternately referred to as one-arm IPS mode, the component may be programmed to operate as only an Intrusion Detection System (IDS), detecting but not acting upon identified threats and attacks. In this configuration, such identified threats/attacks would be analyzed on a separate switch port.
Packet logging. This feature provides the option to save network packets that match identified IPS signatures and analyze the log files with analysis tools.[3]
Application Visibility & Control. Identify and control applications on a network regardless of the port, protocol, or IP address used.
Advanced Threat Protection (ATP). Sophisticated on-device and cloud-based detection and mitigation techniques block Advanced Persistent Threats (APTs) that target specific people or functions within an organization, and use extensive evasion techniques to remain stealthy for long periods before exfiltrating data.
Content security & web filtering. Combines sophisticated filtering capabilities together with a powerful policy engine to create a high performance and flexible web content filtering solution.
IPS/IDS. Intrusion detection and prevention systems monitor, log, identify and block malicious network activity.
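To illustrate the custom-signature, out-of-band (one-arm IDS) and packet-logging features of the IPS component described above, here is an added Python example that is not code from the study guide or from any Fortinet product; the signature patterns, packet payloads and mode names are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Signature:
    sid: str
    pattern: re.Pattern
    custom: bool = False   # True for admin-written entries added to the standard library

# Constructed "standard" library plus one custom signature (placeholder patterns, not vendor rules).
STANDARD = [Signature("std-1", re.compile(rb"\.\./\.\./")),            # directory traversal
            Signature("std-2", re.compile(rb"(?i)User-Agent: masscan"))]  # scanner banner
CUSTOM = [Signature("cust-1", re.compile(rb"X-Internal-Probe:"), custom=True)]

@dataclass
class Sensor:
    mode: str                                              # "inline" (IPS) or "one-arm" (IDS)
    signatures: list = field(default_factory=lambda: STANDARD + CUSTOM)
    packet_log: list = field(default_factory=list)         # matched packets saved for analysis

    def inspect(self, packet_id, payload):
        """Return 'pass', 'alert' (one-arm: detect only) or 'drop' (inline: block).

        Every packet that matches a signature is appended to packet_log so it can be
        examined later with analysis tools, regardless of the mode."""
        hits = [s.sid for s in self.signatures if s.pattern.search(payload)]
        if not hits:
            return "pass"
        self.packet_log.append({"id": packet_id, "sids": hits, "payload": payload})
        return "drop" if self.mode == "inline" else "alert"

# Constructed sample packets: one clean request, one traversal attempt, one hitting the custom rule.
PACKETS = [(1, b"GET /index.html HTTP/1.1\r\n"),
           (2, b"GET /../../etc/passwd HTTP/1.1\r\n"),
           (3, b"GET /status HTTP/1.1\r\nX-Internal-Probe: 1\r\n")]

def run(mode):
    """Inspect all sample packets in the given mode; return (verdicts, packet log)."""
    sensor = Sensor(mode)
    return [sensor.inspect(pid, p) for pid, p in PACKETS], sensor.packet_log

if __name__ == "__main__":
    for mode in ("one-arm", "inline"):
        verdicts, log = run(mode)
        print(mode, verdicts, [(e["id"], e["sids"]) for e in log])
```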
Summary
NGFW improved on the basic gatekeeping security of edge firewalls by introducing such features as IPS, deep packet scanning, network application identification, and access control. However, beyond those capabilities, adding security functions meant additional appliances and software configurations, increasing operational complexity for the network administrator.
Because increased operational complexity often results in processes being bypassed in the interest of time, or in administrator overload, a new dynamic vision was needed: a flexible, future-ready security solution that meets the needs of today's network environments and keeps pace with, or thinks ahead of, the advanced threats of the future. This integrated network security concept, Unified Threat Management (UTM), is in place today and ready for tomorrow's evolving challenges.
Overcoming the difficulties of patching together legacy systems with newer, state-of-the-art systems, UTM brings flexibility, vision, power, and control to networks from SMB to large enterprises with international reach. Combining simple user interfaces with protection against complex threats, as well as cost-effective procurement, operations, and support, UTM provides an optimum system for ensuring continued network operations in a secure environment.
Key Acronyms
AAA: Authentication, Authorization, and Accounting
AD: Active Directory
ADC: Application Delivery Controller
ADN: Application Delivery Network
API: Application Programming Interface
APT: Advanced Persistent Threat
ASIC: Application-Specific Integrated Circuit
ASP
ATP: Advanced Threat Protection
AV: Antivirus
CPU: Central Processing Unit
DLP: Data Loss Prevention
DNS: Domain Name System
DoS: Denial of Service
DPI: Deep Packet Inspection
DSL: Digital Subscriber Line
FTP: File Transfer Protocol
GB: Gigabyte
GbE: Gigabit Ethernet
Gbps: Gigabits per second
IaaS: Infrastructure as a Service
ICMP: Internet Control Message Protocol
ICSA: International Computer Security Association
IDC
IDS: Intrusion Detection System
IM: Instant Messaging
IMAP: Internet Message Access Protocol
IoT: Internet of Things
IP: Internet Protocol
IPS: Intrusion Prevention System
IPTV: Internet Protocol Television
IT: Information Technology
J2EE: Java 2 Platform, Enterprise Edition
LAN: Local Area Network
LLB: Link Load Balancing
LOIC: Low Orbit Ion Cannon
MSP: Managed Service Provider
NSS: NSS Labs
OSI: Open Systems Interconnection
OTS
PaaS: Platform as a Service
PHP: PHP: Hypertext Preprocessor
PoE: Power over Ethernet
QoS: Quality of Service
RADIUS: Remote Authentication Dial-In User Service
RDP: Remote Desktop Protocol
SaaS: Software as a Service
SDN: Software-Defined Network
SFP: Small Form-factor Pluggable
SFTP: SSH File Transfer Protocol
SIEM: Security Information and Event Management
SLA: Service Level Agreement
SMB: Small and Medium Business
SMS: Short Message Service
SQL: Structured Query Language
SSL: Secure Sockets Layer
SYN: Synchronize (TCP flag)
TCP: Transmission Control Protocol
TLS: Transport Layer Security
UDP: User Datagram Protocol
URL: Uniform Resource Locator
USB: Universal Serial Bus
UTM: Unified Threat Management
VM: Virtual Machine
VoIP: Voice over Internet Protocol
VPN: Virtual Private Network
WAF: Web Application Firewall
WAN: Wide Area Network
XSS: Cross-site Scripting
Glossary
AV/AM. Anti-virus/Anti-malware provides protection against virus, spyware, and other types of malware attacks in web, email, and file transfer traffic. It is responsible for detecting, removing, and reporting on malicious code. By intercepting and inspecting application-based traffic and content, antivirus protection ensures that malicious threats hidden within legitimate application content are identified and removed from data streams before they can cause damage. Using AV/AM protection at client servers/devices adds an additional layer of security.
NGFW. Next Generation Firewall provides multi-layered capabilities in a single firewall appliance instead of a basic firewall and numerous add-on appliances. NGFW integrates the capabilities of a traditional firewall with advanced features including:
Access Enforcement
Distributed Enterprise Capability
VPN
Application Awareness
IPS. Intrusion Prevention System (IPS) protects networks from threats by blocking attacks that might otherwise take advantage of network vulnerabilities and unpatched systems. IPS may include a wide range of features that can be used to monitor and block malicious network activity, including out-of-band mode (or one-arm IPS mode, similar to IDS). IPS can be installed at the edge of your network or within the network core to protect critical business applications from both external and internal attacks.
Spam. Spam is usually considered to be electronic junk mail or junk newsgroup postings. Some people define spam even more generally as any unsolicited email. Spam is generally email advertising for some product sent to a mailing list or newsgroup.
UTM. Unified Threat Management (UTM) provides administrators the ability to monitor and manage multiple, complex security-related applications and infrastructure components through a single management console. The advantage of UTM is that it goes beyond the NGFW focus of high performance protection of data centers by incorporating a broader range of security capabilities as either cloud services or network appliances, integrating:
Content Filtering
Anti-Malware
VPN Capabilities
SSL/SSH Inspection
Anti-Spam
Identity-based Access Control
Load Balancing
Application Awareness
VPN. Virtual Private Network (VPN) is a network that is constructed by using public wires, usually the Internet, to connect to a private network, such as a company's internal network. VPNs use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.
References
1. Rouse, M. Unified Threat Management Devices: Understanding UTM and its Vendors. Essential Guide, 2014.
2. Tam, K., et al. UTM Security with Fortinet: Mastering FortiOS. Waltham, MA: Elsevier, 2013.
3. Tittel, E. Unified Threat Management for Dummies. Hoboken, NJ: John Wiley & Sons, 2012.