check point. What is it, what is it eaten with, or briefly about the main thing

The article discusses the role of UTM-systems in terms of network security requirements imposed by business. A basic analysis of the "balance of power" in the global and Russian markets is carried out. By UTM-systems (universal security gateways) we mean a class of multifunctional network devices, mainly firewalls, which contain many functions, such as anti-spam, anti-virus, intrusion protection (IDS / IPS) and content filtering.

Introduction

The risks of operating on a network are well known. In today's conditions, however, giving up networks is no longer an option. All that remains is to reduce those risks to an acceptable level.

In principle, two approaches to integrated security can be distinguished. The first is usually called classical or traditional. Its essence rests on the axiom "a specialized product is better than an all-in-one appliance".

However, as the capabilities of the individual solutions grew, the "bottlenecks" of using them together began to show. Because each product was autonomous, functionality was duplicated, which in the end hurt both performance and final cost. In addition, there was no guarantee that solutions from different vendors would "coexist peacefully" rather than conflict, which in turn made implementation, management and maintenance harder. Finally, the questions arose of how the various solutions should interact (exchanging information to build the "big picture", correlating events, and so on) and how conveniently they could be managed.

From a business point of view, any solution must be effective in more than just the practical sense. It must, on the one hand, reduce the total cost of ownership and, on the other, not increase the complexity of the infrastructure. The appearance of UTM systems was therefore only a matter of time.

What are Universal Security Gateways (UTM)?

We give a brief description of the most popular solutions.

Fortinet (there is FSTEC certification)

Fortinet offers a wide range of devices, from the FortiGate-20 series for small businesses and offices to the FortiGate-5000 series for very large enterprises and service providers. FortiGate platforms run the FortiOS operating system on FortiASIC coprocessors and other dedicated hardware. Each FortiGate appliance includes:

  • Firewall, VPN and Traffic Shaping;
  • Intrusion Prevention System (IPS);
  • Antivirus / Antimalware;
  • Integrated Wi-Fi controller;
  • Application control;
  • Protection against data leaks;
  • Search for vulnerabilities;
  • IPv6 support;
  • Web filtering;
  • Antispam;
  • VoIP support;
  • Routing/switching;
  • WAN optimization and web caching.

Devices receive dynamic updates from the global research center FortiGuard Labs. Also, products based on FortiGate have sophisticated network functionality, including clustering (active/active, active/passive) and virtual domains (VDOM), which make it possible to separate networks that require different security policies.

Check Point (there is FSTEC certification)

Check Point highlights the following benefits for its Check Point UTM-1 appliances:

  • Proven technologies trusted by Fortune 500 companies;
  • Everything you need to protect your network: functionality, updates and security management;
  • Protecting networks, systems and users from many types of attacks from the Internet;
  • Ensuring confidentiality by protecting remote access and communication between nodes;
  • Quick and easy security deployment and administration with many security features in one device and a wide range of devices for companies of all sizes - from small office to large enterprise;
  • Protect against emerging new threats with the Check Point Update Service.

All UTM-1 appliances can include Software Blades such as FireWall, VPN, intrusion prevention system, SSL VPN, protection against viruses, spyware and spam, a specialized web application firewall and web filtering. Further Software Blades can be added as required.

Dell

Another industry leader, more focused on large companies than on medium and small businesses. The acquisition in 2012 of Sonicwall has had a positive impact on the portfolio of solutions offered. All solutions, from the SuperMassive E10800 to the TZ 100, are built on the proprietary Network Security SonicOS Platform and include:

  • Next-Generation Firewall;
  • Application control;
  • Deep analysis of packets (including those encrypted with SSL);
  • Organization of VPN and SSL VPN;
  • Antivirus;
  • Web filtering;
  • Intrusion Prevention System (IPS).


WatchGuard (certified by FSTEC)

In the UTM line, WatchGuard is represented by Firebox X devices based on the multi-layer architecture of Intelligent Layered Security. The architecture consists of six protection layers interacting with each other:

  • "External security services" - technologies that extend network protection beyond the firewall;
  • "Data integrity" - checks the integrity of packets and their compliance with the protocols;
  • "VPN" - checks the organization's encrypted external connections;
  • "Stateful firewall" - restricts traffic from sources to those destinations and ports that the security policy allows;
  • "Deep application analysis" - checks applications for compliance with the application layer of the OSI model, cuts off dangerous files by pattern or file type, blocks dangerous commands and transforms data to prevent leakage;
  • "Content security" - analyzes and sorts traffic for the corresponding application. Examples are signature-based technologies, spam blocking services and URL filtering.

Due to this, suspicious traffic is dynamically detected and blocked, while normal traffic is allowed inside the network.

The system also uses its own:

  • Antivirus / intrusion prevention system on the gateway;
  • WebBlocker;
  • spamBlocker.


Sophos (there is a FSTEC certificate)

The company's devices form the UTM xxx line, from the entry-level UTM 100 to the top-end UTM 625. The main difference between the models is throughput.

The solutions include a range of integrated network applications:

  • DPI firewall;
  • Intrusion detection system and web filtering;
  • Email security and protection;
  • Content filters;
  • Antivirus traffic control;
  • Network service (VLAN, DNS, DHCP, VPN);
  • Reporting.

The solutions secure network segments and network services in the telecommunications infrastructure of SOHO, SME, enterprise and ISP customers, and provide control and fine-grained cleaning of IP traffic at the network and application levels (FW, IDS/IPS, VPN, Mail Security, WEB/FTP/IM/P2P Security, Anti-virus, Anti-spam).


NETASQ

NETASQ, part of the EADS Corporation, specializes in defense-grade firewalls for reliably protecting networks of any size. NETASQ UTM devices are certified by NATO and the European Union and are evaluated at EAL4+ under the Common Criteria for Information Technology Security Evaluation.

The company highlights the advantages of its products:

  1. NETASQ Vulnerability Manager;
  2. Anti-spam with mailing-list filtering;
  3. Integration with Kaspersky Anti-Virus;
  4. URL filtering with continuous updates from the cloud;
  5. Filtering inside SSL/TLS;
  6. VPN solutions with hardware acceleration.

The company's portfolio includes both hardware and virtual UTM firewalls (the U series and V series, respectively). The V series is certified by Citrix and VMware. The U series, in turn, has an impressive mean time between failures (MTBF) of 9-11 years.


Cisco (there is a FSTEC certificate)

The company offers solutions for both large businesses (Cisco ASA XXX Series) and small/medium businesses (Cisco Small Business ISA XXX Series). The solutions support the following features:

  • Application control and application behavior;
  • Web filtering;
  • Botnet protection;
  • Protection against Internet threats in a mode as close as possible to real time.

Also provided:

  • Support for two VPN networks for communication between offices and partners, expandable to 25 (ASA 5505) or 750 (ASA 5520) employees
  • Support from 5 (ASA 5505) to 250 (ASA 5550) LAN users from anywhere


Juniper Networks

The functional direction of UTM is supported by the SRX Series and J Series device lines.

The main advantages include:

  • Comprehensive multi-layered protection including anti-malware, IPS, URL filtering, content filtering and anti-spam;
  • Application control and protection using user role-based policies to counter attacks on Web 2.0 applications and services;
  • Pre-installed, quick connect UTM tools;
  • Minimal cost of purchasing and maintaining the security gateway, since the whole protection suite comes from a single vendor.

The solution consists of several components:

  • Antivirus. Protects your network from malware, viruses, spyware, worms, Trojans and other attacks, as well as email and web threats that can put your business and corporate assets at risk. The anti-malware protection system built into UTM is based on the anti-virus engine of Kaspersky Lab.
  • IPS. Various detection methods are used, including protocol and traffic anomaly detection, contextual signatures, SYN flood detection, spoofing detection and backdoor detection.
  • AppSecure. Application-aware security suite that analyzes traffic, provides rich application visibility, enforces application firewall rules, controls application usage, and secures the network.
  • Enhanced Web Filtering (EWF) protects against potentially malicious websites in several ways. The technology uses 95 URL categories, which allows flexible control, helps administrators track network activity and enforces corporate policies for using web resources. EWF uses real-time reputation analysis based on a latest-generation network that checks more than 40 million websites per hour for malware. EWF also maintains an aggregate risk score for all URLs, categorized and uncategorized alike, allowing companies to monitor and/or block sites with a bad reputation.
  • Antispam.


Conclusions

The Russian market of UTM systems is definitely of interest to both manufacturers and potential buyers. However, due to well-established "traditions", manufacturers have to conduct a simultaneous "battle" both on the front of certification and building a partner channel, and in the field of marketing and promotion.

So, one can already observe today how almost all of the companies examined are working on translating materials into Russian, acquiring new partners, and also certifying their solutions. For example, in 2012, Dell established a separate company, Dell Russia, specifically for the Russian market (the company will not even deal with its "closest neighbors" - Ukraine and Belarus). Domestic developers also do not stand still, developing their solutions. It is noteworthy that many manufacturers (both domestic and foreign) integrate third-party modules into their products. The anti-virus module is indicative in this regard: various UTM systems use ClamAV, Kaspersky Anti-Virus, Avira AV, Dr.Web, etc.

Nevertheless, the conclusion is clear: the Russian market is being taken seriously and for the long term. So far no one is planning to retreat, which means the struggle for a place under the domestic sun is still ahead of us. After all, "No. 1 in the World" is not at all the same as "No. 1 in Russia".

Recently, the so-called UTM devices have become increasingly popular in the world, combining a whole range of IT security functions in one hardware system. To better understand these products and understand their advantage over conventional solutions, we turned to Rainbow Technologies. Our questions are answered by Dejan Momcilovic, Head of Partner Relations at Rainbow.


Dejan Momcilovic, Head of Partner Relations at Rainbow (photo)

Alexey Share: Could you tell us about UTM (Unified Threat Management) products in general? What are they and what are they used for?

Dejan Momcilovic: Recently, when talking about information security, the media are increasingly using a new term - UTM devices. The concept of Unified Threat Management (UTM), as a separate class of equipment for protecting network resources, was introduced by the international agency IDC, which studies the IT market. According to their classification, UTM solutions are multifunctional software and hardware systems that combine the functions of different devices: a firewall, a network intrusion detection and prevention system, and the functions of an anti-virus gateway.
UTM devices are used to easily, quickly and efficiently build a network resource security system. They are especially popular with SMB (Small and Medium Business) companies due to their ease of use and cost effectiveness.
To be called a full UTM, a device must be active, integrated and layered. That is, it must perform the following three functions. First, to provide multi-level protection in the network. Secondly, to perform the functions of an anti-virus filter, an intrusion prevention system and protection against spyware at the network gateway level. Third, protect against insecure websites and spam. Each function is responsible for certain operations. For example, multi-layered protection provides active deep traffic analysis and transmits information about suspicious traffic to various modules of the device, which are engaged in traffic anomaly detection, host behavior analysis and file signature scanning.
Separately, it is worth dwelling on protection from unsafe websites and spam. The uncontrolled movement of company employees on the Internet increases the likelihood of infection with spyware, Trojans and many viruses. In addition, labor productivity is reduced, network bandwidth is reduced, and it may even happen that the company will have to answer before the law for certain violations. The URL Filtering Service allows you to block websites with insecure or objectionable content. You can organize access to Web resources based on the day of the week, departmental needs, or individual user requests. As far as spam is concerned, it can completely fill up the mail server, overload network resources and negatively affect the productivity of employees. It can also carry various types of dangerous attacks, including viruses, social engineering or phishing. By using a dedicated spam blocking service, you can effectively stop unnecessary traffic at your network gateway before it enters the network and causes harm.


Alexey Share: What is the advantage of UTM solutions compared to other IT security products?

Dejan Momcilovic: You can purchase and install individual devices such as a firewall, antivirus gateway, intrusion prevention system, etc. And you can use one device that performs all these functions. Compared to using separate systems, working with the UTM complex has a number of advantages. First, the financial benefit. Integrated systems, unlike multi-layered security solutions that are built using many separate devices, use much less hardware. This is reflected in the final cost. A fully integrated solution can include firewall, VPN, layered security, anti-virus filter, intrusion prevention, anti-spyware, URL filter, and central monitoring and control systems.
Secondly, stop attacks on the network gateway without interrupting the workflow. A layered approach avoids disaster by blocking network attacks where they try to penetrate the network. Since the levels carry out protection jointly, the traffic checked by a certain criterion is not checked again at other levels by the same criterion. Therefore, the traffic speed is not reduced and speed-sensitive applications remain available for operation.
Thirdly, ease of installation and use. Integrated, centrally managed systems make it easy to configure and manage devices and services. This greatly simplifies the work of administrators and reduces operational costs. The ability to install and deploy systems with ease using wizards, optimal default settings, and other automated tools removes many of the technical barriers to quickly building a network security system.
There is another important difference between UTM systems and traditional solutions. The fact is that signature-based solutions have been the backbone of the security solutions arsenal for many years and use a database of known patterns to detect and block malicious traffic before it enters the network. These systems provide protection against threats and policy violations such as Trojan horses, buffer overflows, accidental execution of malicious SQL code, instant messaging and point-to-point communication (used by Napster, Gnutella and Kazaa).
At the same time, once a suspected threat has been identified, it can take from several hours to several weeks before the corresponding signature files are available for download. This "lag" creates a window of vulnerability (Figure 1) during which networks are open to attack:



Fig. 1. "Attack life cycle and vulnerability window"

In UTM devices, layered security works in conjunction with signature-based solutions and other services to provide more effective protection against advanced threats that appear at an alarming rate.


Alexey Share: What UTM solutions does your company represent? What functions do they perform?

Dejan Momcilovic: Rainbow Technologies is a distributor of the American company WatchGuard in Russia and the CIS countries. According to the world famous analytical agency IDC, WatchGuard is the leader in sales of UTM-devices for SMB in the US and Europe (2005 data). A line of Firebox X UTM devices is supplied to our market, designed for both large corporations and small firms.
Firebox X Edge is a firewall and VPN endpoint for small businesses. It is designed for remote offices and mobile users and protects corporate resources from "unintentional threats" from remote users that occur when accessing the network.



Firebox X Edge (photo)

Firebox X Core by WatchGuard is the flagship line of UTM devices that provides Zero-Day Protection - protection against new and unknown threats before they even appear and are detected. The traffic that enters the network is checked at many levels, thanks to which it is actively blocked: viruses, worms, spyware, trojans and mixed threats without the use of signatures.

Firebox X Peak is UTM protection for more extensive networks, providing firewall bandwidth up to 1 Gb.


Alexey Share: How do your UTM products differ from competitors' UTM products?

Dejan Momcilovic: Today, only UTM devices from foreign manufacturers are presented in Russia. Moreover, most of them, presenting their devices and calling them UTM, simply combine the functionality of independent network security devices (such as a firewall, anti-virus gateway, intrusion detection / prevention system) in one case with a single monitoring and control system. Along with the undeniable advantages mentioned earlier, this approach also has serious disadvantages:

Separate devices, when using a common platform, consume a large amount of computing resources, which leads to increased requirements for the hardware component of such a solution, thereby increasing the overall cost.

Being formally united in one box, separate devices are, in essence, independent of each other and do not exchange with each other the results of the analysis of the traffic passing through them. This results in traffic entering or leaving the network having to pass through all devices, often subject to duplicate checks. As a result, the speed of traffic passing through the device drops sharply.

Due to the lack of interaction between the individual functional blocks of the device, noted above, the likelihood of potentially dangerous traffic entering the network increases.

At the heart of WatchGuard's UTM solutions is the Intelligent Layered Security (ILS) architecture, which eliminates the above disadvantages of other UTM solutions. Let's take a closer look at how ILS works. This architecture is at the heart of WatchGuard's Firebox X line of UTM devices and provides effective protection for growing businesses. Using dynamic interaction between layers, ILS ensures security at optimal device performance.
The ILS architecture consists of six protection layers (Figure 2) interacting with each other. Due to this, suspicious traffic is dynamically detected and blocked, while normal traffic is allowed inside the network. This allows you to resist both known and unknown attacks, providing maximum protection at minimum cost.



Fig. 2. "Intelligent Layered Security architecture and UTM"

Each protection layer performs the following functions:

1. External security services interact with internal network protection (anti-viruses on workstations, etc.).

2. The data integrity check service checks the integrity of the packets passing through the device and the compliance of these packets with the transmission protocols.

3. The VPN service checks traffic for belonging to encrypted external connections of the organization.

4. A stateful firewall restricts traffic to sources and destinations according to the configured security policy.

5. Application deep analysis service cuts dangerous files by patterns or file types, blocks dangerous commands, converts data in order to avoid leakage of critical data.

6. Content Inspection Service uses technologies based on signature, spam blocking and URL filtering.

All these layers of protection actively interact with each other, passing the data obtained from traffic analysis in one layer to all the other layers. This makes it possible to:

1. Reduce the use of computing resources of the UTM device, and by reducing the hardware requirements, reduce the overall cost.

2. Achieve a minimal slowdown in the passage of traffic through the UTM device, because only the necessary checks are performed, not all of them.

3. Resist not only known threats, but also provide protection against new, yet unidentified attacks.
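The duplicate-check argument made in this answer, and in the ILS layer list earlier on the page, can be seen in a small model. The following Python is an added example written for this page (not WatchGuard's or Rainbow's code): constructed packets pass through three chained appliances, once as independent boxes and once with an ILS-style shared context, and the number of checks performed is counted. All rules, signatures and packets are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    dport: int
    proto: str
    payload: bytes = b""
    filename: str = ""      # name of a file carried in the payload, if any


@dataclass
class Context:
    """Analysis results a layer makes available to the layers after it."""
    verified: set = field(default_factory=set)   # checks already completed
    checks_run: int = 0                          # total work performed


# Constructed policy data (hypothetical, not a real ruleset).
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443), ("tcp", 25)}
DANGEROUS_EXTENSIONS = {"exe", "scr", "vbs"}
SIGNATURES = [b"EICAR-TEST", b"cmd.exe /c"]
BLOCKED_URL_WORDS = ["casino", "warez"]


def check_integrity(pkt, ctx):
    """Data integrity layer: drop malformed or protocol-violating packets."""
    ctx.checks_run += 1
    if pkt.proto not in ("tcp", "udp") or not 0 < pkt.dport < 65536:
        return "drop: malformed"
    return None


def check_firewall(pkt, ctx):
    """Stateful firewall layer: only services allowed by policy pass."""
    ctx.checks_run += 1
    if (pkt.proto, pkt.dport) not in ALLOWED_SERVICES:
        return "drop: policy"
    return None


def check_application(pkt, ctx):
    """Application deep-analysis layer: cut off dangerous file types."""
    ctx.checks_run += 1
    ext = pkt.filename.rsplit(".", 1)[-1].lower() if "." in pkt.filename else ""
    if ext in DANGEROUS_EXTENSIONS:
        return f"drop: file type .{ext}"
    return None


def check_content(pkt, ctx):
    """Content inspection layer: signature scan, then URL filtering."""
    ctx.checks_run += 1
    if any(sig in pkt.payload for sig in SIGNATURES):
        return "drop: signature"
    parts = pkt.payload.split(b" ")
    if pkt.payload.startswith(b"GET ") and len(parts) > 1:
        url = parts[1].decode(errors="ignore").lower()
        if any(word in url for word in BLOCKED_URL_WORDS):
            return "drop: url filter"
    return None


CHECKS = {"integrity": check_integrity, "firewall": check_firewall,
          "application": check_application, "content": check_content}

# Three appliances chained one after another. Each validates packet
# integrity on its own, and the IPS and the AV gateway both scan content:
# the duplication the interview describes.
DEVICES = [
    ("firewall-box", ["integrity", "firewall"]),
    ("ips-box", ["integrity", "content"]),
    ("av-gateway", ["integrity", "application", "content"]),
]


def inspect(pkt, share_results):
    """Run pkt through DEVICES and return (verdict, number of checks run).

    share_results=False: independent boxes, each unaware of earlier results.
    share_results=True: ILS-style layers consult the shared context and
    skip any check an earlier layer already completed.
    """
    ctx = Context()
    for _device, layers in DEVICES:
        if not share_results:
            ctx.verified.clear()      # this box starts from scratch
        for name in layers:
            if name in ctx.verified:
                continue              # already verified by an earlier layer
            verdict = CHECKS[name](pkt, ctx)
            ctx.verified.add(name)
            if verdict:
                return verdict, ctx.checks_run
    return "allow", ctx.checks_run


# Constructed sample traffic.
CLEAN_HTTP = Packet(80, "tcp", b"GET /index.html HTTP/1.1")
EXE_DOWNLOAD = Packet(80, "tcp", b"GET /setup.exe HTTP/1.1", filename="setup.exe")
TELNET = Packet(23, "tcp")
MALFORMED = Packet(80, "icmp")
```

For a clean HTTP request the independent chain performs 7 checks and the shared pipeline 4, with the same verdict; the counts, not the verdicts, are what the argument about throughput and hardware cost rests on.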


Alexey Share: What technical support do users of your UTM products get?

Dejan Momcilovic: The basis of all WatchGuard solutions is continuous support of network perimeter security at the highest level, which is achieved through the LiveSecurity electronic service. Subscribers are regularly provided with software updates, technical support, expert recommendations, measures to prevent possible damage from new attack methods, etc. All Firebox X products come with a free 90-day subscription to the LiveSecurity service, which is by far the most complete remote technical support and services system in the IT industry.
LiveSecurity consists of several modules. These, in turn, include: real-time technical support, software support and updates, trainings and manuals, as well as special LiveSecurity Broadcasts messages (prompt notification of threats and methods of dealing with them).



Firebox X (photo)

Alexey Share: How much do your UTM solutions cost and how much does it cost to run them annually? Where can you buy your products?

Dejan Momcilovic: We do not work with end users as we do not have a retail sales structure - this is our trade policy. You can purchase WatchGuard Firebox X UTM devices from our partners - system integrators or resellers, a list of which is available on the website http://www.rainbow.msk.ru. They also provide information on the retail price of these devices.


Alexey Share: What are your forecasts for sales of UTM devices in our country?

Dejan Momcilovic: Worldwide sales of UTM devices are growing, and our market is no exception. Compared to 2002, the UTM device segment grew by 160% by 2005 (according to IDC's research of the world market). This figure indicates very rapid growth, and although the Russian market lags significantly behind the US and Europe, we also predict a significant increase in the popularity of UTM devices in the very near future.


Alexey Share: Thanks for taking the time to answer all of our questions. Good luck and all the best!

The modern Internet is fraught with many threats, so admins spend the lion's share of their time on network security. The appearance of multifunctional UTM protection devices immediately attracted the attention of security specialists: they combine multiple protection modules with ease of deployment and management. Today there are many implementations to choose from, so choosing is sometimes not so easy. Let's try to understand the features of the popular solutions.

What is UTM?

With the growth of network and virus attacks and spam, and the need to organize secure data exchange, enterprises need a reliable and easy-to-manage protection tool. The issue is especially acute in the networks of small and medium-sized businesses, which often lack the technical and financial means to deploy heterogeneous security systems, and which usually do not have enough trained specialists. It is for these conditions that multifunctional multi-layer network devices were developed, called UTM (Unified Threat Management, unified protection device). Having grown out of firewalls, UTMs today combine the functions of several solutions: a firewall with DPI (Deep Packet Inspection), an intrusion protection system (IDS/IPS), anti-spam, anti-virus and content filtering. Often such devices can also organize VPNs, authenticate users, balance load, account for traffic, etc. All-in-one devices with a single configuration console can be put into operation quickly, and later it is just as easy to update all functions or add new ones. All that is required of a specialist is an understanding of what to protect and how. A UTM is generally cheaper than purchasing multiple applications or devices, so the overall cost is lower.

The term UTM was coined by Charles Kolodgy of IDC (International Data Corporation) in the "World wide Threat Management Security Appliances 2004-2008 Forecast" document published in September 2004 to refer to general-purpose security devices that can handle the ever-increasing number of network attacks. Initially only three functions (firewall, DPI and antivirus) were implied; today the capabilities of UTM devices are much wider.

The UTM market is quite large and grows by 25-30% a year (gradually replacing the "pure" firewall), so almost all major players have already presented their solutions, both hardware and software. Which one to use is often a matter of taste and trust in the developer, as well as the availability of adequate support and, of course, the specific conditions. The one firm requirement is a reliable and powerful server sized for the planned load, because a single system will now perform several checks, and that requires additional resources. Be careful here: the specifications of UTM solutions usually quote the throughput of the firewall, while the capacity of the IPS, VPN and other components is often an order of magnitude lower. The UTM server is a single point of access whose failure effectively leaves the organization without the Internet, so a range of recovery options will not be superfluous either.

Hardware implementations often have additional coprocessors for processing certain kinds of data, such as encryption or content parsing, to offload the main CPU. A software implementation, on the other hand, can be installed on any PC and any component can later be upgraded without trouble. In this respect the open-source solutions (Untangle, pfSense, Endian and others) are interesting, as they allow significant savings on software. Most of these projects also offer commercial versions with advanced features and technical support.

Platform: FortiGate
Project website: fortinet-russia.ru
License: paid
Implementation: hardware

The Californian company Fortinet, founded in 2000, is today one of the largest suppliers of UTM devices, with models for workloads ranging from a small office (FortiGate-30) to data centers (FortiGate-5000). FortiGate appliances are a hardware platform that protects against network threats. The platform is equipped with a firewall, IDS/IPS, anti-virus traffic scanning, anti-spam, a web filter and application control. Some models support DLP, VoIP, traffic shaping, WAN optimization, fault tolerance, user authentication for access to network services, PKI and more. The active-profile mechanism detects atypical traffic and responds to it automatically. The antivirus can scan files of any size, including those inside archives, while maintaining high performance. The web filter allows access to be set for more than 75 categories of websites and quotas to be specified, including by time of day; for example, entertainment portals can be allowed only outside business hours. The application control module recognizes typical traffic (Skype, P2P, IM, etc.) regardless of port, and traffic shaping rules can be set for individual applications and categories. Security zones and virtual domains allow the network to be split into logical subnets. Some models have Layer 2 LAN switch interfaces and WAN interfaces, and RIP, OSPF and BGP routing is supported. The gateway can operate in one of three modes (transparent, static NAT or dynamic NAT), so a FortiGate can be deployed into any existing network without disruption. For wireless access points a special Wi-Fi variant, FortiWiFi, is offered.
To cover systems (Windows PCs, Android smartphones) that operate outside the protected network, FortiClient agent software can be installed on them, which includes a complete set (firewall, antivirus, SSL and IPsec VPN, IPS, web filter, antispam and much more). FortiManager and FortiAnalyzer are used to centrally manage multiple devices manufactured by Fortinet and analyze event logs.
In addition to the web and CLI interfaces, basic configuration of FortiGate/FortiWiFi can be done with the FortiExplorer program (available for Windows and Mac OS X), which offers access to both the GUI and the CLI (the commands resemble Cisco's).
One of the distinctive features of FortiGate is the specialized set of FortiASIC chips, which perform content analysis and network traffic processing and allow real-time detection of network threats without affecting network performance. All devices run a specialized OS, FortiOS.

Platform: Check Point UTM-1
Project site: rus.checkpoint.com
License: paid
Implementation: hardware

Check Point offers three lines of UTM-class devices: UTM-1, UTM-1 Edge (remote offices) and Safe@Office (small companies). The solutions contain everything needed to protect a network: firewall, IPS, anti-virus gateway, anti-spam, and tools for building SSL VPNs and remote access. The firewall can distinguish the traffic of most applications and services (more than 200 protocols), so the administrator can easily block access to IM, P2P networks or Skype. Web application protection and a URL filter are provided; the Check Point database contains several million sites, access to which can be blocked easily. The antivirus scans HTTP/FTP/SMTP/POP3/IMAP streams, has no file size limits and can handle archives. UTM-1 models with the letter W come with a built-in Wi-Fi access point.
The IPS uses various detection and analysis methods: vulnerability signatures, analysis of protocols and object behavior, and anomaly detection. The analysis engine singles out the traffic that matters, so 10% of the traffic is inspected in depth and the rest passes without additional checks, which reduces the load on the system and improves the efficiency of the UTM. The anti-spam system uses several technologies: IP reputation, content analysis, and black and white lists. OSPF, BGP and RIP dynamic routing is supported, several user authentication methods (password, RADIUS, SecurID, etc.) are available, and a DHCP server is implemented.
The solution uses a modular architecture: the so-called Software Blades allow the functionality to be extended as needed, providing the required level of security at the required cost. For example, the gateway can be fitted with the Web Security (detection and protection of web infrastructure), VoIP (VoIP protection), Advanced Networking, and Acceleration & Clustering (maximum performance and availability in branched environments) blades. The Web Application Firewall and Advanced Streaming Inspection technologies used in Web Security allow real-time processing of context even when it is split across several TCP packets, rewriting of headers, hiding of data about the applications in use, and redirecting the user to a page with a detailed description of the error.
Remote control is possible by means of web and Telnet/SSH. For centralized configuration of multiple devices, the Check Point SmartCenter can be used, which uses its Security Management Architecture (SMART) technology to manage all Check Point elements included in a security policy. SmartCenter's capabilities are extended with add-on modules that provide policy visualization, LDAP integration, updates, reports, and more. All UTM updates are received centrally using the Check Point Update Service.

Platform: ZyWALL 1000
Project website: zyxel.ru
License: paid
Implementation: hardware

Most of the security gateways produced by ZyXEL can, judging by their capabilities, safely be classed as UTM, although according to the official classification the line today consists of five models, ZyWALL USG 50/100/300/1000/2000, intended for small and medium networks (up to 500 users). In ZyXEL terminology these devices are called a "Network Security Center". The ZyWALL 1000, for example, is a high-speed access gateway designed for network security and traffic control. It includes Kaspersky streaming antivirus, IDS/IPS, content filtering and spam protection (Blue Coat and Commtouch), bandwidth control and VPN (IPsec, SSL and L2TP over IPsec). When buying, pay attention to the firmware, international or Russian: the latter uses a 56-bit DES key for IPsec VPN and SSL VPN tunnels because of customs union restrictions.
Access policies are based on several criteria (IP, user and time). Content filtering tools make it easy to restrict access to sites on a given subject and the operation of certain programs (IM, P2P, VoIP, mail, etc.). The IDS uses signatures and protects against network worms, trojans, backdoors, DDoS and exploits. Anomaly Detection and Prevention technology analyzes packets passing through the gateway at OSI layers 2 and 3, identifies inconsistencies, and detects and blocks 32 types of network attacks. End Point Security features automatically check the OS type, the presence of an active antivirus and firewall, installed updates, running processes, registry settings and more. The administrator can deny network access to systems that do not meet the specified parameters.
Redundant Internet uplinks and load balancing are implemented. VoIP over SIP and H.323 can be passed at the firewall and NAT levels as well as inside VPN tunnels. VLANs and virtual alias interfaces are easy to set up. Authentication via LDAP, AD and RADIUS is supported, so security policies can be built on rules already adopted in the organization.
Updates of the databases of the main components and activation of some functions (Commtouch anti-spam, an increased number of VPN tunnels) are carried out with activation cards. Configuration is done through the CLI and the web interface; a wizard helps with the initial settings.

OS: Untangle Server 9.2.1 Cruiser
Project website: untangle.com
License: GPL
Implementation: software
Hardware platforms: x86, x64
System requirements: Pentium 4 or AMD equivalent, 1 GB RAM, 80 GB disk, 2 NICs.

Any *nix distribution can be configured as a full-fledged UTM solution, everything you need for this is available in the package repositories. But there are also disadvantages: you will have to install and configure all the components yourself (and this already requires some experience), and, importantly, this way we lose a single management interface. Therefore, in this context, ready-made solutions built on the basis of OpenSource systems are very interesting.
The Untangle distribution, produced by the company of the same name, appeared in 2008 and immediately attracted the community's attention with its approach. It is based on Debian, and all settings are made through a simple and intuitive interface. Initially the distribution was called Untangle Gateway and was intended for small organizations (up to 300 users) as a full replacement for the proprietary Forefront TMG, providing secure Internet access and protecting the internal network from a range of threats. Over time its functions and capabilities grew, the name changed to Untangle Server, and it can now serve far more users (5000 and more, depending on server capacity).
Untangle's protection functions are implemented as modules. After installing the base system there are no protection modules; the administrator chooses what is needed. For convenience the modules are divided into five packages (Premium, Standard, Education Premium, Education Standard and Lite), whose availability is determined by the license, and the packages themselves fall into two groups by purpose: Filter and Services. All OpenSource applications are collected in the free Lite package, which contains 13 applications providing traffic scanning for viruses and spyware, a content filter, banner and spam blocking, a firewall, protocol control, IDS/IPS, OpenVPN and access policies (Captive Portal). These are based on popular OpenSource applications such as Snort, ClamAV, SpamAssassin, Squid and others. The Reports module, also included in Lite, lets the administrator receive reports on every situation of interest (network activity, protocols, detected spam and viruses, user activity), with results sent by email or exported to PDF, HTML, XLS, CSV and XML. In addition, the Untangle server provides all the usual network functions: routing, NAT, DMZ, QoS, and DHCP and DNS servers.
Available in commercial packages: load balancing and Failover, channel and application bandwidth control, a module for working with Active Directory, settings backup and some other functions. Support is also provided for a fee, although answers to many questions can be found on the official forum. In addition, the project offers ready-made servers with Untangle preinstalled.
A user-friendly interface written in Java is offered for configuration, all changes and work statistics are displayed in real time. When working with Untangle, the administrator does not need to have deep knowledge of *nix, it is enough to understand what you need to get as a result. Installing the distribution kit is quite simple, you just need to follow the wizard's prompts, another wizard later helps you configure the gateway.


Endian Firewall

OS: Endian Firewall Community 2.5.1
Project website: endian.com/en/community
License: GPL
Hardware platforms: x86
System requirements: CPU 500 MHz, 512 MB RAM, 2 GB disk

The Endian Firewall developers offer several versions of their product, implemented both as a hardware and as a software platform; there is also a version for virtual machines. All releases are licensed under the GPL, but only the Community Edition ISO image and source code are available for free download. The operating system is based on CentOS and contains the familiar Linux applications that provide the firewall, IDS/IPS, anti-virus scanning of HTTP/FTP/POP3/SMTP traffic, spam protection, content filtering, anti-spoofing and anti-phishing modules, and a reporting system. A VPN can be built with OpenVPN or IPsec, with key or certificate authentication. The content filter comes with ready-made settings for more than 20 categories and subcategories of sites, a blacklist and contextual filtering. Using ACLs, access can be specified for an individual user, group, IP, time and browser. Statistics are kept on connections, traffic and user activity; when certain events occur, a message is sent to the administrator's email. Local user authentication as well as Active Directory, LDAP and RADIUS are supported. The interface makes it easy to create VLANs and manage QoS, and SNMP is supported. The distribution ships with the ClamAV antivirus, with the Sophos antivirus engine available as an option.
Configuration is done through the web interface and the command line. Initial settings are made with a wizard that sets the type of Internet connection and assigns interfaces (LAN, WiFi, DMZ). Multiple IP addresses can be assigned to the external interface, and MultiWAN is supported. For convenience, network interfaces are divided into zones (RED, ORANGE, BLUE and GREEN), and the firewall rules already contain settings that govern traffic exchange between them. The settings are divided into groups whose names speak for themselves; with a little care they are very easy to work through.
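The access policies described for FortiGate (web-filter quotas by time of day), ZyWALL (rules keyed on IP, user and time) and Endian (ACLs per user, group, IP and time) all follow the same pattern: an ordered rule list evaluated top-down, first match wins, and anything unmatched falls through to an implicit deny. The following Python model is an added example and is not code from any of these products; the user directory, networks, categories and rule names are constructed for illustration, and it generalizes the time-window case to windows that cross midnight.

```python
"""Toy model of UTM access-policy evaluation (illustrative, not a vendor engine).

Rules are evaluated in order; the first rule whose criteria all match decides
the verdict.  Traffic that matches no rule hits the implicit deny at the end.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed user -> group directory; stands in for an LDAP/AD/RADIUS lookup.
USER_GROUPS = {
    "alice": {"staff", "finance"},
    "bob": {"staff"},
    "guest": {"guests"},
}


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    src_nets: List[str] = field(default_factory=list)  # CIDRs; empty = any source
    groups: Set[str] = field(default_factory=set)      # empty = any user/group
    categories: Set[str] = field(default_factory=set)  # site categories; empty = any
    start: Optional[time] = None                  # time window start (inclusive)
    end: Optional[time] = None                    # time window end (exclusive)

    def in_window(self, now: time) -> bool:
        """True if `now` falls inside the rule's window (or there is no window)."""
        if self.start is None or self.end is None:
            return True
        if self.start <= self.end:
            return self.start <= now < self.end
        # Window crosses midnight, e.g. 22:00-06:00.
        return now >= self.start or now < self.end

    def matches(self, src_ip: str, user: str, category: str, now: time) -> bool:
        if self.src_nets and not any(
                ip_address(src_ip) in ip_network(n) for n in self.src_nets):
            return False
        # An unknown user has no groups, so any group-restricted rule skips them.
        if self.groups and not (USER_GROUPS.get(user, set()) & self.groups):
            return False
        if self.categories and category not in self.categories:
            return False
        return self.in_window(now)


# Constructed policy: most specific rules first, broad rules last.
POLICY = [
    Rule("night-guest-lockout", "deny", groups={"guests"},
         start=time(22, 0), end=time(6, 0)),
    Rule("block-entertainment-business-hours", "deny", groups={"staff"},
         categories={"entertainment"}, start=time(9, 0), end=time(18, 0)),
    Rule("guests-web-only", "allow", src_nets=["192.168.50.0/24"],
         groups={"guests"}, categories={"news", "search"}),
    Rule("guests-everything-else", "deny", groups={"guests"}),
    Rule("staff-allow", "allow", src_nets=["192.168.10.0/24"], groups={"staff"}),
]


def evaluate(src_ip: str, user: str, category: str, hhmm: str,
             policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, rule_name) for a request made at wall-clock time hhmm."""
    now = datetime.strptime(hhmm, "%H:%M").time()
    for rule in policy:
        if rule.matches(src_ip, user, category, now):
            return rule.action, rule.name
    return "deny", "implicit-deny"


if __name__ == "__main__":
    for req in [("192.168.10.5", "alice", "entertainment", "12:00"),
                ("192.168.10.5", "alice", "entertainment", "20:00"),
                ("192.168.50.7", "guest", "news", "23:30"),
                ("10.0.0.5", "alice", "news", "12:00")]:
        print(req, "->", evaluate(*req))
```

The order of rules matters as much as their content: placing the broad `staff-allow` rule above the entertainment block would silently disable the time-of-day restriction, which is the kind of mistake a policy review on any of these gateways should look for.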

Conclusion

Comprehensive UTM systems are gradually replacing traditional solutions like firewalls, so it's worth taking a closer look at them. Depending on the specific conditions, different options are suitable. OpenSource Endian Firewall and Untangle are quite capable of protecting small and medium networks. Of course, UTM does not replace, but complements the protections installed on individual PCs, creating an additional line of defense at the entrance to the LAN.


The concept of Unified Threat Management (UTM), as a separate class of equipment for protecting network resources, was introduced by the international agency IDC, which studies the global IT market. According to the introduced classification, UTM solutions are multifunctional software and hardware systems that combine the functions of different devices: a firewall, a network intrusion detection and prevention system, and the functions of an anti-virus gateway.

The Russian market of UTM devices is represented only by foreign manufacturers. Moreover, some companies, presenting their solutions and calling them UTM, simply combine the functionality of independent network security devices (such as a firewall, anti-virus gateway, intrusion detection / prevention system) in one case with a single monitoring and control system. Such devices cannot be considered a full-fledged UTM system.

The abbreviation UTM stands for Unified Threat Management, which can be translated into Russian approximately as "unified threat management". In this article we will look at exactly what functions a device must perform to be considered a full-fledged UTM, what the advantages of such systems are, and what types of threats they protect against.

Not so long ago, Rainbow Technologies, the distributor of WatchGuard Technologies in Russia and the CIS countries, announced the appearance on the domestic market of a new series of Firebox X e-Series UTM devices. Organizations today face complex and ever-changing groups of threats that are redefining the concept of a secure network. WatchGuard's latest generation of Unified Threat Management (UTM) appliances provides a simple solution to this problem by integrating core security features into a single, affordable, highly intelligent appliance.

What is UTM?

UTM is a new trend in the information security market. UTM devices integrate a firewall, a VPN gateway and many advanced features such as URL filtering, spam blocking, anti-spyware, intrusion prevention, anti-virus software and a centralized management and control system, that is, functions traditionally implemented separately. But to be a full-fledged UTM, the device must be active, integrated and layered: it should be a single complex system, not a set of different solutions assembled in one package with centralized management and monitoring added on top.

The world-famous research firm IDC considers UTM the fastest growing, vigorously developing segment of the security devices market for Western Europe. In our market, among the WatchGuard solutions presented by Rainbow Technologies, Firebox X Core e-Series UTM devices are the most in demand. They are designed for networks of various sizes and are very popular among small and medium businesses for their cost-effectiveness, ease of setup and high level of protection.

The Firebox X Edge e-Series is ideal for small networks and remote offices. Edge can be used as a standalone network security device or as a VPN tunnel termination solution. The Firebox X Edge e-Series includes: stateful firewall, VPN, URL filtering, and advanced network settings and traffic management to increase network configuration options. This device has an intuitive interface that greatly simplifies the implementation and administration processes. Centralized management with WSM (WatchGuard System Manager) simplifies the administration of network environments consisting of multiple Fireboxes. These are upgradeable and expandable devices that provide 100 megabit firewall bandwidth and 35 megabit VPN (Virtual Private Network) bandwidth.

The Firebox X Peak e-Series comes with eight Gigabit Ethernet ports and is used primarily in complex, extensive networks. There are also models that support fiber optic interfaces. Firebox X Peak e-Series is the highest performing UTM product line. These WatchGuard solutions feature true Zero Day protection and firewall throughput up to 2 gigabits per second. Combining advanced security technology with advanced network management capabilities, the Firebox X Peak e-Series is the ideal solution for the most demanding security policies.

Among the WatchGuard solutions presented on the domestic market by the official distributor, Rainbow Technologies, the most popular is the Firebox X Core e-Series line. These UTM devices are designed for networks of various sizes and are in great demand among enterprises of medium and small businesses for their cost-effectiveness, ease of configuration and high level of security. Let us consider in detail their capabilities and functional characteristics.

The Firebox X Core e-Series provides the most comprehensive security in its class, combining a variety of protections: firewall, VPN, Zero Day protection, attack prevention system, gateway antivirus, anti-spyware system, anti-spam and URL filtering. This approach allows you to provide reliable protection against mixed network attacks, as well as save financial and labor resources that are usually spent on managing and configuring a whole range of individual solutions.

Multi-level protection

The Firebox X Core e-Series is based on the ILS (Intelligent Layer Security) layered architecture. Thanks to it, the security layers protect traffic together: traffic already checked by one layer against a certain criterion is not re-checked against the same criterion by another. Data transfer rates are therefore not reduced, and latency-sensitive applications remain usable.

The WatchGuard ILS architecture consists of six layers of security that work closely together to dynamically detect, block, and report malicious traffic while allowing normal traffic to pass as efficiently as possible.

For further reasoning, let's assume that a layer is a logical construct that defines an abstract boundary between the components of a network security infrastructure. Thus, we will consider each type of security technology as a separate layer.

Layered ILS architecture

The ILS engine is the brain of this architecture. Designed to allow each layer to take advantage of information from other layers, enhance their capabilities and allow them to share information about the traffic passing between them, it provides maximum protection, reliability and performance. Let's take a look at what each layer is:

  • External security services. Provide technologies that extend protection beyond the firewall and information that enables more efficient end-user/administrator work.
  • Data integrity. Checks the integrity of passing data packets and the conformity of each packet with its protocol.
  • Virtual Private Network (VPN). Provides security and privacy for external connections.
  • Firewall with dynamic parsing. Restricts traffic to only those sources, destinations and ports that are allowed by the security policy.
  • Deep application analysis. Ensures compliance with application-layer protocol standards of the ISO/OSI model by blocking suspicious files by pattern or file type, blocking dangerous commands, and modifying data to avoid leakage of critical system information.
  • Content security. Analyzes and restricts traffic according to content and includes numerous services such as antivirus, intrusion prevention, anti-spyware, spam protection and URL filtering.

Although six levels are distinguished in the described model, and the engine is taken as the seventh level of security, each of them includes many functionalities and capabilities. All are easily expandable to include new ways to counter unknown threats.
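The deep application analysis layer above is said to block suspicious files "by pattern or file type". The usual way a gateway does this is to ignore the file name and Content-Type header and look at the leading bytes (the magic number), then compare what the content actually is with what it claims to be. The following Python check is an added example, not WatchGuard's code; the signature table, the blocked-type policy and the sample files are constructed for illustration and cover only a handful of common formats.

```python
"""Content-inspection check: compare a file's declared type (its extension)
with the type implied by its leading bytes.  Illustrative, not a vendor engine.
"""
from typing import Optional, Tuple

# Constructed table of well-known magic numbers -> canonical type name.
MAGIC = [
    (b"MZ", "exe"),                      # DOS / Windows PE executable
    (b"\x7fELF", "elf"),                 # ELF executable or shared object
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),              # ZIP container (also DOCX/XLSX/JAR)
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

# Extensions that legitimately carry a given detected type.
ALIASES = {
    "zip": {"zip", "jar", "docx", "xlsx", "pptx"},
    "jpg": {"jpg", "jpeg"},
}

# Constructed policy: executables are never passed, whatever they are called.
BLOCKED_TYPES = {"exe", "elf"}


def detect_type(data: bytes) -> Optional[str]:
    """Return the canonical type implied by the magic number, or None if unknown."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return None


def inspect_file(filename: str, data: bytes) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for one file passing the gateway."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = detect_type(data)
    if actual in BLOCKED_TYPES:
        # Policy match on real type: a renamed .exe arriving as "invoice.pdf"
        # is caught here regardless of the declared name.
        return "block", f"executable content ({actual}) detected"
    if actual is None:
        # Nothing in the table matched; not a policy hit on its own.
        return "allow", "unknown type, no policy match"
    if ext not in ALIASES.get(actual, {actual}):
        # Declared type and real type disagree: treat as evasion attempt.
        return "block", f"declared .{ext} but content is {actual}"
    return "allow", f"content matches declared type {actual}"


if __name__ == "__main__":
    # Constructed sample files (only the leading bytes matter here).
    samples = [
        ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
        ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("photo.jpg", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
        ("archive.docx", b"PK\x03\x04\x14\x00\x06\x00"),
        ("notes.txt", b"meeting at ten"),
    ]
    for name, blob in samples:
        print(name, "->", inspect_file(name, blob))
```

A real gateway would back this with a far larger signature set and a scan of the whole object, but the logic is the same: decisions are made on what the bytes are, and a mismatch between name and content is itself a signal worth blocking or logging.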

Zero Day Protection

Unlike solutions that rely solely on signature-based scanning, Firebox X Core has technology that provides reliable protection against many types of attacks and their variations without the need for signatures. While other networks remain exposed during the vulnerability window (the time it takes for signatures to be released), a network using Firebox remains protected.

Centralized control system

WSM (WatchGuard System Manager) is an intuitive graphical user interface used to manage the capabilities of Firebox X Core, Peak and Edge UTM solutions. WSM provides full logging, drag-and-drop VPN creation, real-time system monitoring. Since a single interface works to manage all the functions of the security system, there is a significant saving of time and financial resources.

Expert support and maintenance

WatchGuard LiveSecurity Service is the most comprehensive support and maintenance service on the market today. Subscribers are regularly provided with software updates, technical support, expert advice, measures to prevent possible damage from new methods of attack, etc. Firebox X Core e-Series are provided with a free 90-day subscription to the LiveSecurity service, which consists of several modules. These, in turn, include real-time technical support, software support and updates, training and operation manuals, as well as special LiveSecurity Broadcasts messages - prompt notification of threats and methods to combat them.

Additional security services

Every security service on the Firebox X Core e-Series works in conjunction with the built-in Zero Day protection, creating the optimal combination of all the necessary features to effectively protect network resources. These features are fully integrated into the UTM device, so no additional hardware is required.

Subscriptions to all necessary services are issued on the device itself, and not on a per-user basis, which helps to avoid additional financial costs. To provide continuous protection, all services are constantly updated and can be centrally managed using the WSM system.

Let's take a closer look at the functional characteristics of each additional service:

SpamBlocker blocks up to 97% of unwanted email in real time.

WatchGuard's spamBlocker protection services use Commtouch® Recurrent Pattern Detection™ (RPD) technology to protect against spam streams in real time with 99.95% accuracy without the use of signatures or filters.

Instead of working with keywords and email content, this technology analyzes large volumes of Internet traffic to calculate the repeating component for each stream as soon as it appears. Up to 500 million messages are processed per day, after which special algorithms calculate, identify and classify new flows within 1-2 minutes.

These same algorithms separate spam and normal messages. SpamBlocker uses this technology to provide real-time protection against spam attacks by constantly comparing messages suspected of being spam with those stored in the Commtouch detection center (which holds about 20,000,000 samples). This technology has the following advantages:

  • Extremely fast response to new streams;
  • Virtually zero chance of a Type I error (a legitimate message classified as spam), which makes this service the best in the industry at separating normal messages from spam attacks;
  • High percentage of spam detection - up to 97% of unwanted email is blocked;
  • Independence from message language. Thanks to the use of the main characteristics of mail traffic in real time, spam is effectively blocked regardless of the language, content or message format.

Based on the properties of the bulk of messages rather than specific content, language, or format, SpamBlocker provides real-time protection against spam, including phishing attacks, and maintains high bandwidth for other network traffic.

Gateway Antivirus/Intrusion Prevention Service with Anti-Spyware

A signature-based protection system on the gateway that works against viruses, trojans, spyware, network exploits and web crawlers, blocks IM and P2P applications, and counters other mixed threats.

WatchGuard's intrusion prevention service provides built-in protection against attacks that, while conforming to protocol standards, may carry unwanted content. Based on signatures, it is designed to protect against a wide range of attacks, including cross-site scripting, buffer overflows or SQL injections (inserts into SQL queries).

The two main problems with intrusion prevention systems are speed and the likelihood of a Type I error (a false positive). The tight integration of WatchGuard's IPS service with the other ILS layers virtually eliminates both.

Since the other ILS layers block 70-80% of attacks (deep application analysis is especially effective), signatures are not required to block them. This reduces the total number of signatures and increases processing speed while lowering the probability of a Type I error, which is proportional to the amount of data checked and the number of signatures used. WatchGuard's intrusion prevention system uses only about 1,000 signatures to achieve a level of protection comparable to or better than that of some other systems with up to 6,000 signatures.

Spyware is distributed in many ways besides P2P, including embedded files, cookies and downloaders. Spyware can track everything typed on the keyboard, rummage through files looking for passwords and credentials, and fill the screen with advertisements. It also slows down systems and consumes network bandwidth. WatchGuard's intrusion prevention service combines signature-based and its own scanning methods to block spyware at several points in its lifecycle: installation, the moment it reports back to its parent host, and its activity after installation. This is done by a set of interrelated procedures:

  • Website blocking. The intrusion prevention engine blocks access to known spyware repositories or file servers that distribute spyware during HTTP sessions.
  • Signature-based content validation. The engine continuously scans traffic against a constantly updated signature database to detect and block spyware downloads, including disguised loader components.
  • Blocking at installation. To complete its installation, spyware must contact its parent host to report installation data and request its initial configuration. The intrusion prevention system detects and blocks this communication.
  • Blocking during operation. Once an infected machine is active on the internal network, the spyware tries to use the network connection to open a channel for further actions. The intrusion prevention system detects and blocks these processes, which may include information theft, installation of additional spyware, and advertising.

The WatchGuard intrusion prevention engine is tightly coupled with other firewall functions and produces reports that are fully integrated into the reporting system. This allows the system administrator to easily identify the network element infected with spyware and remove it.

WebBlocker increases productivity and reduces risk by blocking access to insecure sources on the network, and also manages employee access to the Internet.

WebBlocker uses the site database and software tools of the world's leading web filtering company, SurfControl. To categorize and fully cover the range of web pages, WebBlocker uses multiple categories that help block content you do not want to let into your network. Known sites containing spyware or unwanted content are blocked to protect your online resources, and entertainment sites are blocked, which increases employee productivity.

With customizable exclusion lists, user authentication, and the ability to set different policies for different times of day, WebBlocker greatly enhances security policy.

Upgrading options

If you try to evaluate the total amount of monetary investment required to deploy, manage and modernize a set of security solutions designed to meet the broad requirements of today's networks, it becomes obvious that using the Firebox X Core e-Series is more profitable from a financial point of view.

As requirements grow, you can easily expand the capabilities of the UTM device. For example, to increase speed and bandwidth, the device is upgraded by purchasing a special license. It also provides for the possibility of switching the hardware platform to a more functional operating system.

Operating system

All Firebox X Core e-Series models come with the Fireware operating system. For complex network environments, it may be necessary to upgrade to the more advanced Fireware Pro system, which provides the following additional features:

  • Traffic management;
  • Assurance that the necessary bandwidth is allocated to critical applications;
  • Failover (active/passive mode);
  • Ability to build a failover cluster;
  • Dynamic routing (BGP, OSPF, RIP);
  • Maximum network flexibility and efficiency thanks to dynamically updated routing tables.

To reinstall the operating system on a Firebox UTM device, you only need to purchase a special license.

Combining and transforming traditional security tools into integrated UTM devices enables enterprises to move to a new, higher level of protection for their local networks. The WatchGuard approach, based on the ILS architecture, which integrates several layers of protection together with additional functions, is an effective protection for any network infrastructure, whether already established or still developing. The use of full-fledged UTM devices such as the WatchGuard Firebox is especially relevant today, when ever more sophisticated threats appear with increasing frequency.
