Ideco is a UTM solution out of the box. UTM devices guarding a computer network

Recently, the so-called UTM devices have become increasingly popular in the world, combining a whole range of IT security functions in one hardware system. To better understand these products and their advantages over conventional solutions, we turned to Rainbow Technologies. Deyan Momchilovich, Head of Partner Relations at Rainbow, answers our questions.


Deyan Momchilovich, Head of Partner Relations Department, Rainbow



Alexey Dolya: Could you tell us about UTM products (Unified Threat Management) in general? What is it and what are they used for?

Deyan Momchilovich: Recently, when talking about information security, the media are increasingly using a new term - UTM devices. The concept of Unified Threat Management (UTM), as a separate class of equipment for protecting network resources, was introduced by the international agency IDC, which studies the IT market. According to their classification, UTM solutions are multifunctional hardware and software systems that combine the functions of different devices: firewall, network intrusion detection and prevention systems, and anti-virus gateway functions.
UTM devices are used to easily, quickly and efficiently build a security system for network resources. They are especially popular with SMB (Small and Medium Business) companies due to their ease of use and cost effectiveness.
To be called a full-fledged UTM, a device must be active, integrated, and layered. That is, it should perform the following three functions. First, provide multi-layered security across the network. Second, serve as an anti-virus filter, intrusion prevention system and anti-spyware protection at the network gateway level. Third, protect against unsafe websites and spam. Moreover, each function is responsible for certain operations. For example, multi-layered protection provides proactive in-depth analysis of the data flow and passes information about suspicious traffic to the various modules of the device that detect traffic anomalies, analyze host behavior, and scan file signatures.
Separately, it is worth dwelling on protection from unsafe websites and spam. The uncontrolled movement of company employees on the Internet increases the likelihood of infection with spyware, Trojans and many viruses. In addition, labor productivity decreases, network bandwidth decreases, and it may even happen that the company will have to be held accountable before the law for certain violations. The URL Filtering service allows you to block sites with unsafe or objectionable content. You can organize access to Web resources based on the day of the week, department needs, or individual user requests. When it comes to spam, it can completely fill up your mail server, overload network resources, and negatively impact employee productivity. It can also carry various types of dangerous attacks, including viruses, social engineering, or phishing. By using a dedicated spam blocking service, you can effectively stop unnecessary traffic on the network gateway before it enters the network and causes harm.


Alexey Dolya: What is the advantage of UTM solutions over other IT security products?

Deyan Momchilovich: Individual devices such as firewall, anti-virus gateway, intrusion prevention system, etc. can be purchased and installed. Or you can use one device that performs all these functions. Compared to using separate systems, working with the UTM complex has a number of advantages. First, the financial benefit. Integrated systems, in contrast to layered security solutions that are built with many separate devices, use much less hardware. This is reflected in the total cost. A fully integrated solution can include firewall, VPN, multi-layered security, antivirus filter, intrusion prevention and anti-spyware systems, URL filter, and centralized monitoring and management systems.
Second, stopping attacks on the network gateway without interrupting the workflow. A layered approach avoids disaster by blocking network attacks where they attempt to infiltrate the network. Since the layers provide protection together, traffic that has already been checked against a given criterion at one layer is not checked again against the same criterion at the other layers. Therefore, the traffic speed does not decrease and speed-sensitive applications remain available for work.
Third, ease of installation and use. Integrated systems with centralized management make it easy to configure and manage devices and services. This greatly simplifies the work of administrators and lowers operational costs. The ability to easily set up and deploy systems using wizards, optimal defaults, and other automated tools removes many of the technical barriers to quickly building network security.
There is one more important difference between UTM systems and traditional solutions. The point is that signature-based solutions have been the backbone of the security arsenal for many years and use a database of known patterns to detect and block malicious traffic before it enters the network. These systems provide protection against threats and security policy violations such as Trojans, buffer overflows, accidental execution of malicious SQL, instant messaging and peer-to-peer communication (used by Napster, Gnutella and Kazaa).
However, once a suspected threat has been detected and identified, it can take from several hours to several weeks to create the corresponding signature files and make them available for download. This "lag" creates a vulnerability window (Fig. 1), during which networks are open to attack:



Fig. 1. "Attack life cycle and vulnerability window"


In UTM devices, layered security works in conjunction with signature-based solutions and other services to better protect against complex threats that emerge with alarming frequency.


Alexey Dolya: What UTM solutions does your company provide? What functions do they perform?

Deyan Momchilovich: Rainbow Technologies is a distributor of the American company WatchGuard in Russia and the CIS countries. According to the world-renowned analytical agency IDC, WatchGuard is the #1-selling UTM device for SMB in the US and Europe (2005 data). The Firebox X line of UTM devices is supplied to our market, designed for both large corporations and small firms.
The Firebox X Edge is a small business firewall and VPN endpoint device. It is designed for remote offices and mobile users and protects corporate resources from "unintentional threats" from remote users when accessing the network.



Firebox X Edge


WatchGuard's Firebox X Core is the flagship UTM product line that delivers Zero-Day Protection - protecting against new and unknown threats before they even occur and are detected. Traffic entering the network is scanned at many levels, which actively blocks: viruses, worms, spyware, Trojans, and mixed threats without the use of signatures.

Firebox X Peak is UTM protection for more extensive networks, providing up to 1 GB of firewall bandwidth.


Alexey Dolya: How are your UTM products different from your competitors' UTM products?

Deyan Momchilovich: Today, only UTM devices from foreign manufacturers are offered in Russia. Moreover, most of them, when presenting their devices and calling them UTM, simply combine the functionality of independent network security devices (such as firewall, anti-virus gateway, intrusion detection / prevention system) in one case with a unified monitoring and control system. Along with the undeniable advantages mentioned earlier, this approach also has serious disadvantages:

  • Individual devices using a common platform consume a large amount of computing resources, which leads to increased requirements for the hardware component of such a solution, thereby increasing the overall cost.
  • Being formally united in one box, the individual devices are essentially independent of each other and do not exchange the results of the analysis of the traffic passing through them. This causes traffic entering or leaving the network to pass through all devices, often subject to duplicate checks. As a result, the speed of traffic passing through the device drops sharply.
  • Due to the lack of interaction between the individual functional blocks of the device, noted above, the likelihood of potentially dangerous traffic entering the network increases.

At the heart of WatchGuard's UTM solutions is Intelligent Layered Security (ILS) architecture, which eliminates these disadvantages inherent in other UTM solutions. Let's take a closer look at how ILS works. This architecture is at the heart of WatchGuard's Firebox X range of UTM appliances and provides effective protection for growing businesses. By leveraging dynamic interactions between layers, ILS provides security at optimal device performance.
The ILS architecture consists of six layers of protection (Figure 2) that interact with each other. Due to this, suspicious traffic is dynamically detected and blocked, and normal traffic is allowed inside the network. This allows you to resist both known and unknown attacks, providing maximum protection at the lowest cost.



Fig. 2. "Architecture of Intelligent Layered Security and UTM"


Each layer of protection performs the following functions:

1. External security services interact with the internal protection of the network (antiviruses on workstations, etc.).

2. The data integrity checker checks the integrity of the packets passing through the device and the compliance of these packets with the transmission protocols.

3. The VPN service checks the traffic for belonging to encrypted external connections of the organization.

4. Dynamic stateful firewall restricts traffic to sources and destinations according to the configured security policy.

5. The deep application analysis service cuts dangerous files by patterns or file types, blocks dangerous commands, converts data in order to avoid the leakage of critical data.

6. The Content Inspection Service uses signature-based technologies, spam blocking, and URL filtering.

All these layers of protection actively interact with each other, transferring data obtained from traffic analysis in one layer to all other layers. This allows the device to:

1. Reduce the use of computing resources of the UTM device, and by reducing the hardware requirements, reduce the overall cost.

2. Achieve minimal slowdown of traffic passing through the UTM device, by performing only the necessary checks rather than all of them.

3. Resist not only known threats, but also provide protection against new, not yet identified attacks.


Alexey Dolya: What kind of technical support do users of your UTM products receive?

Deyan Momchilovich: At the heart of all WatchGuard solutions is the continuous maintenance of the highest level of security at the network perimeter, which is achieved through the LiveSecurity electronic service. Subscribers are regularly provided with software updates, technical support, expert advice, measures to prevent possible damage from new attack methods, etc. All Firebox X products are backed by a free 90-day subscription to LiveSecurity, the most comprehensive service in the IT industry today, with a system of remote technical support and services.
LiveSecurity consists of several modules. These, in turn, include: real-time technical support, software support and updates, trainings and guides, as well as LiveSecurity Broadcasts special messages (prompt notification of threats and methods of combating them).



Firebox X


Alexey Dolya: How much do your UTM solutions cost and how much does it cost to run them annually? Where can you buy your products?

Deyan Momchilovich: We do not work with end users, since we do not have a retail sales structure - this is our trade policy. You can purchase WatchGuard Firebox X UTM devices from our partners - system integrators or resellers, the list of which is available on the website http://www.rainbow.msk.ru. You can also get information about the retail cost of these devices from them.


Alexey Dolya: What are your forecasts for the sales of UTM devices in our country?

Deyan Momchilovich: All over the world, sales of UTM devices are growing. And our market is no exception. Compared to 2002, the segment of UTM devices by 2005 grew by 160% (according to the research of the world market by the IDC agency). This figure speaks of a very rapid growth, and, despite the fact that the Russian market is significantly "lagging" behind the US and Europe, we also forecast a significant increase in the popularity of UTM devices on it in the very near future.


Alexey Dolya: Thank you for your time and answering all the questions. Good luck and all the best!

It is believed that UTM and NGFW are one and the same. I want to dispel this opinion.

What came first?

That's right, first there were UTMs (Unified Threat Management). It is an all-in-one system. Someone clever thought of putting several protection engines on one server at once. Security staff got the ability to control and operate several security engines from one box. Now the firewall, VPN, IPS, antivirus, web filter and antispam work together. Some vendors install other engines as well, for example DLP. Today an SSL and SSH decryption engine and an engine that parses and blocks applications at all seven layers of the ISO OSI model are mandatory. As a rule, the engines are taken from different vendors or are even free ones, for example the IPS from Snort, the ClamAV antivirus or the iptables firewall. Since the firewall is still a router or switch for traffic, the dynamic routing engine is also most often from some other manufacturer. As demand grew, large players appeared on the market who were able to buy up several good developments for the desired engines and combine their work within one UTM device. For example, Check Point bought its IPS from NFR, and Cisco bought its IPS from Sourcefire. The popular brands are visible in the Gartner UTM Magic Quadrant. In 2017, the UTM leaders according to Gartner are Check Point, Fortinet and Sophos.

Cons of the UTM architecture. Why did NGFW appear?


Fig 1. An example of the architecture of the UTM.

The first architectural problem of UTM was that all the engines inside passed network packets to each other in turn, each waiting for the previous engine to finish its work before starting its own. As a result, the more functions a vendor builds into the device, the slower it works, and users of such devices have to disable IPS and antivirus, or some of their signatures, for traffic to flow at all. That is, they paid for a security device but use it only as a router. Something had to be invented so that the protection engines would not wait for each other and would work in parallel.
The new move by NGFW manufacturers was to use specialized chips that look at the same traffic simultaneously. This became possible because each processor is responsible for its own function: IPS signatures are flashed into one, antivirus signatures into another, and URL signatures into a third. You can enable all signatures in all engines, and the traffic is fully protected without degrading performance. Programmable chips of this type are called programmable logic integrated circuits (PLIS in the Russian literature) or FPGAs in the English literature. They differ from ASICs in that they can be reprogrammed on the fly and take on new functions, for example checking for new signatures after a microcode update, or any other function. This is what NGFW uses: all updates are flashed directly into the FPGA chips.


Fig 2. An example of the architecture of the Palo Alto Networks NGFW.

The second architectural problem of UTM was that all file operations required the hard disk. What is the read speed of a hard drive? 100 megabytes per second. What will a UTM do if your data center runs at 10 Gbps? If 300 people in your company decide to download a folder of files over the Microsoft network (SMB protocol), what will the UTM do? Bad UTMs simply hit 100% load and stop working. For this case, advanced UTMs have various built-in mechanisms for automatically disabling the protection engines (antivirus-bypass, ips-bypass and others) that switch off security functions when the hardware load exceeds its capacity. And what if you need not only to save the file but also to unpack an archive? The speed drops even further. Therefore, UTMs are mainly used in small companies where speed was not important, or where security is optional.

Practice shows that as soon as the network speed increases, in a UTM you have to turn off all engines except routing and the packet firewall, or just install a regular firewall. That is, for a long time there has been a task of somehow speeding up the work of the file antivirus.

A new architectural shift for the first NGFW manufacturer, which appeared in 2007, was that files were no longer saved to disk: all traffic analysis, decoding and assembly of files for antivirus scanning began to be performed in memory. This greatly improved the performance of the protection devices and decoupled it from hard drive performance. Network speeds grow faster than hard drive speeds. Only NGFW will save the security staff. Now, according to Gartner, there are two leaders in NGFW: Palo Alto Networks and Check Point.

How do UTM and NGFW work with Layer 7 applications?

With the advent of NGFW, customers got a new capability: identifying Layer 7 applications. Network engineers study the seven-layer ISO OSI networking model. At layer 4 of this model the TCP and UDP protocols operate, which for the last 20 years of IP networks was considered sufficient for traffic analysis and traffic management. That is, a conventional firewall simply sees IP addresses and ports. And what happens at the next layers, 5 to 7? A next-generation firewall sees all the levels of abstraction and shows which application transferred which file. This greatly improves IT professionals' understanding of network interactions and improves security by exposing tunneling inside open applications and blocking the application, not just the port. For example, how do you block Skype or BitTorrent with a regular old-generation firewall? You can't.

UTM vendors eventually added an application identification engine. However, that gives them two traffic control engines: one at layer 4, working with TCP, UDP and ICMP ports, and one that searches the traffic for application content such as TeamViewer, Tor or Skype. So a UTM ends up with several policies: one controls ports, the other controls applications. This creates a lot of difficulties, and as a result nobody uses the application control policy.
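The difference between a port-only policy and a single application-aware policy, as an added example that is not code from the article or from any vendor named on this page. The five flows, the minimal banner checks in identify_app, and both rule tables are constructed for illustration; real application-identification engines use far richer decoders. The point it shows is the one made above: the same SSH or BitTorrent traffic that a layer-4 policy waves through on port 443 or 80 is denied once the application itself is the rule key, and unknown applications fall to a default deny.

```python
# Added example (not code from the article or from any vendor named in it):
# the same five constructed flows evaluated by a port-only (layer 4) policy
# and by an application-aware policy. Application names and the byte
# signatures that identify them are simplified for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    payload: bytes   # first client bytes of the connection (constructed)


def identify_app(flow: Flow) -> str:
    """Classify a flow from its first payload bytes, ignoring the port.

    Real application-identification engines use far richer decoders; the
    checks below are deliberately minimal but match real protocol banners.
    """
    p = flow.payload
    if p.startswith(b"SSH-2.0-") or p.startswith(b"SSH-1.99-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 3.1 .. 3.3
    if p[:1] == b"\x16" and p[1:3] in (b"\x03\x01", b"\x03\x02", b"\x03\x03"):
        return "tls"
    # BitTorrent peer handshake: length byte 19 followed by the protocol string
    if p.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    first_line = p.split(b"\r\n", 1)[0]
    if (any(first_line.startswith(m + b" ") for m in (b"GET", b"POST", b"HEAD", b"PUT"))
            and first_line.endswith((b"HTTP/1.1", b"HTTP/1.0"))):
        return "http"
    return "unknown"


# Layer-4 policy: protocol and destination port only (classic firewall).
PORT_RULES: List[Tuple[str, int, str]] = [
    ("tcp", 80, "allow"),
    ("tcp", 443, "allow"),
    ("tcp", 22, "deny"),
]

# One unified policy: the application *and* the port it is expected on.
# None means "on any port"; anything not listed is denied.
APP_RULES: List[Tuple[str, Optional[int], str]] = [
    ("http", 80, "allow"),
    ("tls", 443, "allow"),
    ("ssh", None, "deny"),
    ("bittorrent", None, "deny"),
]


def port_policy(flow: Flow) -> str:
    for proto, port, action in PORT_RULES:
        if flow.proto == proto and flow.dport == port:
            return action
    return "deny"


def app_policy(flow: Flow) -> str:
    app = identify_app(flow)
    for rule_app, port, action in APP_RULES:
        if app == rule_app and (port is None or port == flow.dport):
            return action
    return "deny"  # unknown application, or a known one on an unexpected port


def compare_policies(flows: List[Flow]) -> List[Tuple[str, int, str, str]]:
    """Return (application, dport, layer-4 verdict, layer-7 verdict) per flow."""
    return [(identify_app(f), f.dport, port_policy(f), app_policy(f)) for f in flows]


# Constructed sample flows; the last two are "tunnelled" on a permitted port.
FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", "tcp", 80,
         b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.5", "203.0.113.10", "tcp", 443,
         b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("10.0.0.6", "203.0.113.20", "tcp", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("10.0.0.6", "203.0.113.20", "tcp", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("10.0.0.7", "198.51.100.9", "tcp", 80,
         b"\x13BitTorrent protocol" + b"\x00" * 8),
]

if __name__ == "__main__":
    for row in compare_policies(FLOWS):
        print("%-10s port %-4d  L4: %-5s  L7: %s" % row)
```

Running the block prints one line per flow; the third and fourth rows are the ones the section is about, where the layer-4 verdict is "allow" and the application verdict is "deny". Because APP_RULES carries the port alongside the application, there is one rule table to maintain instead of the two separate policies the UTM approach ends up with.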

I am attaching a presentation on the topic of visibility at the application level. It also touches on the topic of Shadow IT. But more on that later.

Internet Control Server allows you to solve more than 80 tasks, deploy additional network services. However, if your priority is to guarantee the security of your local network and resistance to various cyber threats, you can use only data protection tools in ICS.

The corporate network must be protected from intrusion, destruction or unauthorized modification, while being available during business hours for prompt data acquisition. The absolute reliability of a local network can only be guaranteed by an integrated approach to the formation of an information security system. ICS KUB protects:

  1. Computer networks or individual nodes from unauthorized access (firewall).
  2. Local network from the penetration of malicious files. The Internet Control Server integrates the anti-viruses ClamAv (free module), Kaspersky Anti-Virus, Dr.Web (commercial modules).
  3. Confidential information from leaks (DLP module).
  4. Corporate network from botnets.
  5. Mail server against spam, phishing attacks (Kaspersky Anti-Spam module).
  6. Telephony (fail2ban service).

ICS KUB is a software and hardware solution, which makes it possible not only to avoid spending on additional software and equipment, but also to significantly increase the degree of network security.

Management and monitoring

ICS KUB with the possibility of centralized management makes it possible to significantly facilitate the work of the system administrator in multi-branch organizations, where structural divisions are located in physically remote offices. The solution meets all the requirements of system setup, workflow and disaster recovery, allowing the technician to complete all settings from a single interface.

Logs and reports

This functionality is especially important for system administrators, as it allows you to track user activity for any required period.

Standard reports in ICS:

  • general summary report;
  • by user activity;
  • consumption by traffic volume;
  • top 5 IP addresses and domains.

It is also possible to view user statistics grouped by traffic categories.

The report designer allows you to collect data by criteria that are not presented in standard reports (by mime types, protocols, interfaces, domains, address groups, traffic sources, time).

The system log in the ICS displays messages about user actions, changes in service statuses and system errors. To be aware of what is happening and respond quickly, the system administrator can select the types of events of interest, set up notifications by e-mail, Jabber or ICQ, and remotely control the system using additional commands.

Access control and traffic accounting

Today, almost any local network is connected to the Internet, therefore, in order to avoid wasting traffic during working hours, it is necessary to control the access of employees to the external network.

ICS KUB allows you to:

  • assign different access rights for individual employees and user groups;
  • restrict bandwidth for individual sites, quota traffic by time and users (for example, allow the use of the network for personal purposes during non-business hours);
  • choose a way to authorize users. ICS KUB supports authorization by IP, MAC, login / password, through a domain controller, VPN connection, or an agent program;
  • filter traffic by built-in and integrated categories, lists of the Ministry of Justice and Roskomnadzor;
  • keep a system log and compile reports of user activity (built-in standard reports plus a report designer).

These capabilities will allow you to monitor the network activity of each user registered on the network.
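The access rules described in this list, and the URL filtering by day of the week and department described in the interview earlier on the page, as an added example that is not ICS KUB's or WatchGuard's code. The category database, the department rule table, the business-hours schedule and the sample requests are constructed for the example; the "after_hours" rule is the "allow personal use outside business hours" case from the list above, and the "malware" category is made non-overridable so that no department rule can relax it.

```python
# Added example (not ICS KUB's or WatchGuard's code): a small URL-filtering
# policy evaluator combining a category lookup, a per-department rule table
# and a business-hours schedule. The category database, departments and
# schedule are constructed for the example.
from datetime import datetime
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Constructed category database keyed by domain; subdomains inherit.
CATEGORY_DB: Dict[str, str] = {
    "intranet.example.com": "business",
    "video.example.net": "streaming",
    "social.example.org": "social",
    "bad.example.test": "malware",
}

ALWAYS_BLOCK = {"malware"}          # never overridable by a department rule
BUSINESS_DAYS = range(0, 5)         # Monday .. Friday (datetime.weekday())
BUSINESS_HOURS = (9, 18)            # 09:00 inclusive .. 18:00 exclusive

# department -> category -> "allow" | "block" | "after_hours"
# "after_hours" = personal use permitted outside business hours only.
# "*" holds the defaults applied when a department has no rule of its own.
DEPARTMENT_POLICY: Dict[str, Dict[str, str]] = {
    "*": {"business": "allow", "uncategorized": "block"},
    "marketing": {"social": "allow", "streaming": "after_hours"},
    "engineering": {"social": "after_hours", "streaming": "block"},
}


def categorize(url: str) -> str:
    """Longest-suffix domain match so cdn.video.example.net is 'streaming'."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_DB:
            return CATEGORY_DB[candidate]
    return "uncategorized"


def in_business_hours(when: datetime) -> bool:
    return (when.weekday() in BUSINESS_DAYS
            and BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1])


def decide(url: str, department: str, when: datetime) -> Tuple[str, str]:
    """Return (verdict, category) for a request made by a department member."""
    category = categorize(url)
    if category in ALWAYS_BLOCK:
        return "block", category
    rule = DEPARTMENT_POLICY.get(department, {}).get(category)
    if rule is None:
        rule = DEPARTMENT_POLICY["*"].get(category, "block")  # default deny
    if rule == "after_hours":
        return ("block" if in_business_hours(when) else "allow"), category
    return rule, category


# Constructed timestamps: 2024-01-09 is a Tuesday, 2024-01-13 a Saturday.
TUESDAY_10 = datetime(2024, 1, 9, 10, 0)
TUESDAY_20 = datetime(2024, 1, 9, 20, 0)
SATURDAY_10 = datetime(2024, 1, 13, 10, 0)

if __name__ == "__main__":
    for url, dept, when in [
        ("https://video.example.net/clip", "marketing", TUESDAY_10),
        ("https://video.example.net/clip", "marketing", TUESDAY_20),
        ("https://social.example.org/", "engineering", SATURDAY_10),
        ("http://bad.example.test/x", "engineering", SATURDAY_10),
        ("https://unknown.example.invalid/", "sales", TUESDAY_10),
    ]:
        print(dept, when.strftime("%a %H:%M"), url, "->", decide(url, dept, when))
```

Uncategorized sites fall to the default block in the "*" table, which is the conservative choice for a gateway filter: a site the category feed does not know is treated like a site it forbids, and an administrator adds an explicit allow when a department needs it.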

Intrusion detection and protection system (IDS / IPS)

The ICS uses an open source IPS / IDS system, Suricata (multithreaded, high-performance, supports GPU use in IDS mode, processes traffic up to 10 Gbit). ICS KUB makes it possible to reveal facts of unauthorized access to the network or excessive suspicious network activity by users.

The ICS intrusion prevention system works by ensuring the availability of internal and published services. Internet Control Server records and stores information about suspicious activity and blocks botnets, DoS attacks, as well as TOR, anonymizers, p2p and torrent clients.

Network traffic is monitored in real time, and when a threat is detected various measures are taken: resetting the connection, logging the detected signature, or passing the traffic. The IPS reassembles fragmented packets and reorders TCP segments, which protects against segments with manipulated SEQ and ACK numbers.
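The TCP reordering just described, and the in-memory assembly of files for scanning that the UTM-versus-NGFW section above credits to NGFW designs, as one added example that is not code from ICS KUB, Suricata or any NGFW vendor named on the page. The "file", the marker and hash signatures, the initial sequence number and the delivery order are all constructed. It reassembles one direction of a stream from out-of-order segments, keeps a duplicate retransmission that agrees with accepted bytes, refuses one that disagrees (the same SEQ carrying different content, the kind of manipulated segment the paragraph above mentions), and then shows that the marker straddling two segments is only found on the reassembled data, never when each segment is scanned alone. The overlap policy (first accepted bytes win, conflicting bytes are rejected and counted) is an assumption of this example, not ICS KUB's documented behaviour.

```python
# Added example, not code from ICS KUB, Suricata or any NGFW vendor named on
# this page: reassembling one direction of a TCP stream in memory from
# out-of-order and retransmitted segments, then scanning the assembled file
# against constructed pattern and hash signatures. Shows why per-segment
# scanning misses content that straddles segment boundaries, and how a
# retransmission whose bytes disagree with already accepted data is refused.
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


class StreamReassembler:
    """In-memory reassembly of one TCP direction, keyed by stream offset.

    Overlap policy (an assumption of this example): bytes accepted first are
    kept; a later segment disagreeing with them is rejected and counted, so
    the inspector never silently switches to a second copy of the data.
    """

    def __init__(self, isn: int) -> None:
        self.isn = isn
        self.bytes_at: Dict[int, int] = {}
        self.rejected = 0

    def add(self, seg: Segment) -> bool:
        off = (seg.seq - self.isn) % (1 << 32)   # handle sequence wrap-around
        # Check the whole segment first so a conflict leaves the buffer untouched.
        for i, b in enumerate(seg.payload):
            if self.bytes_at.get(off + i, b) != b:
                self.rejected += 1
                return False
        for i, b in enumerate(seg.payload):
            self.bytes_at[off + i] = b
        return True

    def contiguous(self) -> bytes:
        """Bytes from the stream start up to the first gap."""
        out = bytearray()
        pos = 0
        while pos in self.bytes_at:
            out.append(self.bytes_at[pos])
            pos += 1
        return bytes(out)

    def complete(self) -> bool:
        return len(self.contiguous()) == len(self.bytes_at)


# Constructed sample "file" and constructed signatures (not real malware).
ISN = 1000
MARKER = b"CONSTRUCTED-MALWARE-MARKER"
FILE = b"PK\x03\x04 constructed-archive-body " + MARKER + b" trailing-bytes"
PATTERN_SIGNATURES: Dict[str, bytes] = {"constructed.marker": MARKER}
HASH_SIGNATURES: Dict[str, str] = {
    "constructed.sample.sha256": hashlib.sha256(FILE).hexdigest(),
}

# Split so the marker straddles the second and third segments.
CUT = FILE.index(MARKER) + 10
SEG_A = Segment(ISN, FILE[:20])
SEG_B = Segment(ISN + 20, FILE[20:CUT])
SEG_C = Segment(ISN + CUT, FILE[CUT:])
CONFLICT = Segment(ISN + 20, b"Z" * (CUT - 20))   # same SEQ, different bytes
# Delivery order on the wire: out of order, one exact retransmit, one conflict.
DELIVERY = [SEG_C, SEG_A, SEG_B, SEG_B, CONFLICT]


def scan(data: bytes) -> List[str]:
    """Match constructed content patterns and a whole-file hash."""
    hits = [name for name, pat in PATTERN_SIGNATURES.items() if pat in data]
    digest = hashlib.sha256(data).hexdigest()
    hits += [name for name, h in HASH_SIGNATURES.items() if h == digest]
    return hits


def scan_per_segment(segments: List[Segment]) -> List[str]:
    """What a scanner that looks at each packet in isolation would report."""
    return [hit for s in segments for hit in scan(s.payload)]


def scan_stream(segments: List[Segment], isn: int) -> dict:
    """Reassemble in memory, then scan the contiguous data once."""
    r = StreamReassembler(isn)
    for s in segments:
        r.add(s)
    data = r.contiguous()
    return {"complete": r.complete(), "rejected": r.rejected,
            "bytes": len(data), "hits": scan(data)}


if __name__ == "__main__":
    print("per-segment:", scan_per_segment(DELIVERY))
    print("reassembled:", scan_stream(DELIVERY, ISN))
```

The "complete" flag matters for an inline device: if a segment never arrives, contiguous() stops at the gap and the hash signature cannot match, so a scanner should report the stream as unverified rather than clean. Everything here is held in dictionaries and bytes objects, which is the in-memory approach the NGFW section contrasts with writing each file to disk before scanning.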

Safe VPN

VPN in ICS KUB is a virtual private network that allows you to combine users who are physically remote from each other (freelancers, structural units in different offices, partners, employees working remotely) into a single logical network. Although data transmission is carried out via an external public network, the security of the connection and of the transmitted data is ensured by the logical network using strong encryption.

ICS KUB supports the following types of remote connections: PPTP, L2TP, PPPoE, GRE / IPIP, OpenVPN.

Stable and secure VPN-connection to the Internet Control Server allows you to resolve urgent issues in real time, even after hours.

The article examines the role of UTM systems in the context of business network security requirements. A basic analysis of the "balance of power" in the global and Russian markets is carried out. By UTM systems (universal security gateways) we mean a class of multifunctional network devices, mainly firewalls, which contain many functions, such as antispam, antivirus, intrusion protection (IDS / IPS) and content filtering.

Introduction

The risks of using networks are known. However, in modern conditions, it is no longer possible to abandon the latter. Thus, all that remains is to minimize them to an acceptable level.

In principle, two approaches can be distinguished in ensuring integrated security. The first is often called classic or traditional. Its essence rests on the axiom "a specialized product is better than a multifunctional all-in-one".

However, along with the growth of the possibilities of various solutions, bottlenecks began to appear in their joint use. So, due to the autonomy of each product, there was a duplication of functional content, which, ultimately, affected the speed and the final cost not for the better. In addition, there was no guarantee that different solutions from different manufacturers would "peacefully coexist" with each other and not conflict. This, in turn, also created additional difficulties for the implementation, management and maintenance of systems. Finally, the question arose of the interaction of various solutions with each other (exchange of information to build a "general picture", correlation of events, etc.) and the convenience of managing them.

From a business point of view, any solution must be effective, not only in practical terms. It is important that it, on the one hand, allows to reduce the total cost of ownership, and on the other, does not increase the complexity of the infrastructure. Therefore, the question of the emergence of UTM systems was only a matter of time.

What are Universal Security Gateways (UTM)?

Let's give a short description for the most popular solutions.

Fortinet (FSTEC certified)

Fortinet offers a wide range of devices, from the FortiGate-20 series for small businesses and offices to the FortiGate-5000 series for very large enterprises and service providers. FortiGate platforms use the FortiOS operating system with FortiASIC coprocessors and other hardware. Each FortiGate device includes:

  • Firewall, VPN and Traffic Shaping;
  • Intrusion Prevention System (IPS);
  • Anti-virus / Anti-malware;
  • Integrated Wi-Fi controller;
  • Application control;
  • Protection against data leaks;
  • Search for vulnerabilities;
  • IPv6 support;
  • Web filtering;
  • Antispam;
  • VoIP support;
  • Routing / switching;
  • WAN optimization and web caching.

Devices receive dynamic updates from the global research center FortiGuard Labs. Also, products based on FortiGate have complex network functionality, including clustering (active / active, active / passive) and virtual domains (VDOM), which make it possible to separate networks that require different security policies.

Check Point (FSTEC certified)

Check Point highlights the following benefits for its Check Point UTM-1 appliances:

  • Proven technology trusted by Fortune 500 companies;
  • Everything you need to protect your network: functionality, updates and security management;
  • Protecting networks, systems and users from many types of attacks from the Internet;
  • Ensuring confidentiality by protecting remote access and communication between nodes;
  • Deploy and administer security quickly and easily with multiple security features in one device and a wide range of devices for businesses of all sizes - from small office to large enterprise;
  • Protect against new emerging threats with the Check Point Update Service.

All UTM devices can include software blades such as Firewall, VPN, Intrusion Prevention System, SSL VPN, Virus, Spyware and Spam Protection, Dedicated Web Application Firewall and Web Filtering. Additional Software Blades can be added as desired. More details on the technical characteristics can be found.

Dell

Another industry leader, more focused on large companies than on medium and small businesses. The 2012 acquisition of SonicWALL has had a positive impact on the portfolio of solutions. All solutions, from the SuperMassive E10800 to the TZ 100, are built on the proprietary SonicOS network security platform and include:

  • Next-Generation Firewall;
  • Application control;
  • Deep packet inspection (including packets encrypted with SSL);
  • VPN and SSL VPN organization;
  • Antivirus;
  • Web filtering;
  • Intrusion Prevention System (IPS).

More details on the technical characteristics can be found.

WatchGuard (there is a FSTEC certificate)

In the UTM line, WatchGuard is represented by Firebox X devices based on the Intelligent Layered Security architecture. The architecture consists of six layers of protection that interact with each other:

  • "External Security Services" - offer technologies that extend network protection behind a firewall;
  • Data Integrity - checks the integrity of packets and their compliance with protocols;
  • "VPN" - checks the encrypted external connections of the organization;
  • Dynamic analysis firewall restricts traffic from sources to those destinations and ports that are allowed in accordance with the security policy;
  • "Deep Application Analysis" - ensures their compliance with the application level of the ISO model, cuts dangerous files by pattern or file type, blocks dangerous commands and transforms data to avoid leakage;
  • Content Security - Analyzes and manages traffic for the respective application. Examples of this are signature-based technologies, spam blocking services, and URL filtering.

Due to this, suspicious traffic is dynamically detected and blocked, and normal traffic is allowed inside the network.

The system also uses its own:

  • Antivirus / Intrusion Prevention System at the gateway;
  • WebBlocker;
  • SpamBlocker.

More details on the technical characteristics can be found.

Sophos (there is a FSTEC certificate)

The model range of the company's devices is represented by the UTM xxx line (from the entry-level UTM 100 to the top-end UTM 625). The main difference between them is throughput.

The solutions include a range of integrated network applications:

  • DPI firewall;
  • Intrusion detection system and web filtering;
  • Email security and protection;
  • Content filters;
  • Anti-virus traffic control;
  • Network service (VLAN, DNS, DHCP, VPN);
  • Reporting.

The solutions allow you to ensure the security and protection of network segments and network services in SOHO, SME, Enterprise and ISP telecommunications infrastructures, and provide control and fine-tuning of IP traffic at the network and application levels (FW, IDS / IPS, VPN, Mail Security, WEB / FTP / IM / P2P Security, Anti-virus, Anti-spam).

More details on the technical characteristics can be found.

NETASQ

NETASQ, part of EADS, specializes in defense-grade firewalls to reliably protect networks of all sizes. NETASQ UTM devices are certified by NATO and the European Union, and also comply with the EAL4+ level of the Common Criteria for Information Technology Security Evaluation.

The company highlights the advantages of its products:

  1. NETASQ Vulnerability Manager;
  2. Antispam with filtering mailings;
  3. Integration with Kaspersky Anti-Virus;
  4. URL filtering with continuous updates from the cloud;
  5. Filtering inside SSL / TLS;
  6. VPN solutions with hardware acceleration;

The company's portfolio includes both hardware and virtual UTM firewalls (U series and V series, respectively). The V Series is Citrix and VMware certified. The U Series, in turn, has an impressive MTBF of 9-11 years.

More details on the technical characteristics can be found.

Cisco (FSTEC certificate)

The company offers solutions for both large businesses (Cisco ASA XXXX Series) and small / medium businesses (Cisco Small Business ISA XXX Series). The solutions support the following functions:

  • Application and application-behavior control;
  • Web filtering;
  • Botnet protection;
  • Protection against Internet threats in a mode as close to real time as possible.

Also provided:

  • Two VPNs for communication between offices and partners, expandable to 25 (ASA 5505) or 750 (ASA 5520) employees;
  • Support for 5 (ASA 5505) to 250 (ASA 5550) LAN users connecting from anywhere.

More details on the technical characteristics can be found.

Juniper Networks

UTM functionality is provided by the SRX Series and J Series product lines.

The main benefits include:

  • Comprehensive, multi-layered protection including anti-malware, IPS, URL filtering, content filtering, and anti-spam;
  • Control and protection of applications using policies based on user roles, to counter attacks on Web 2.0 applications and services;
  • Pre-installed, quickly enabled UTM tools;
  • Minimal purchase and maintenance costs for a secure gateway, with the whole security suite coming from a single vendor.

The solution consists of several components:

  • Antivirus. Protects your network from malware, viruses, spyware, worms, Trojans and other attacks, as well as email and web threats that can put your business and corporate assets at risk. The anti-malware protection built into the UTM is based on the Kaspersky Lab anti-virus engine.
  • IPS. Uses various detection methods, including protocol and traffic anomaly detection, context signatures, SYN flood detection, spoofing detection, and backdoor detection.
  • AppSecure. An application-aware suite of security services that analyzes traffic, provides extensive application visibility, enforces firewall rules for applications, controls application usage, and protects the network.
  • Enhanced Web Filtering (EWF). Provides protection against potentially harmful websites in several ways. The technology uses 95 URL categories for flexible control, helps administrators track network activity, and enforces corporate policies for the use of web resources. EWF employs fast, real-time reputation analysis based on a state-of-the-art network that checks more than 40 million websites per hour for malicious code. EWF also maintains a cumulative threat score for all URLs, both categorized and uncategorized, allowing companies to track and / or block sites with a poor reputation.
  • Antispam.

More details on the technical characteristics can be found.

Conclusions

The Russian market for UTM systems is definitely of interest to both manufacturers and potential buyers. However, due to well-established "traditions", manufacturers have to wage a simultaneous "battle" both on the front of certification and building a partner channel, and in the field of marketing and promotion.

Today one can already observe almost all of the companies considered translating materials into Russian, acquiring new partners, and certifying their solutions. For example, in 2012 Dell established a separate company, Dell Russia, specifically for the Russian market (the company will not even deal with its "closest neighbors", Ukraine and Belarus). Domestic developers are also moving forward and developing their solutions. It is noteworthy that many manufacturers (both domestic and foreign) integrate third-party modules into their products. The anti-virus module is indicative in this regard: various UTM systems use ClamAV, Kaspersky Anti-Virus, Avira AV, Dr.Web, etc.

Nevertheless, the conclusion is obvious: the Russian market is being considered seriously and for the long term. So far, no one is planning to retreat, which means that a fight for a place under the domestic sun awaits us ahead. After all, “No. 1 in the World” is not at all the same as “No. 1 in Russia”.


The Russian market of UTM devices is represented only by foreign manufacturers. Moreover, some companies, when presenting their solutions and calling them UTM, simply combine the functionality of independent network security devices (such as a firewall, an anti-virus gateway and an intrusion detection / prevention system) in one chassis with a unified monitoring and control system. Such devices cannot be considered a full-fledged UTM system.

The abbreviation UTM stands for Unified Threat Management. In this article, we will look at exactly what functions a device must perform in order to be considered a full-fledged UTM, what the advantages of using such systems are, and what types of threats they can protect against.