
Uploaded by rishabh-dangwal, posted on 01-Apr-2015


Description: This is a simple document that covers Unified Threat Management Systems (UTM) technology from scratch and compares several products in that space.


Page 1: A guide to Unified Threat Management Systems (UTMs) by Rishabh Dangwal

A simple guide to Unified Threat Management Systems (UTMs)

A Report by Rishabh Dangwal

[email protected]

www.theprohack.com

Disclaimer

This is a case study which by no means intends to infringe the copyrights of any researcher/analyst. I have compiled the information from the web and believe it will be most useful to you. The original research credit goes to Micky Johnson, the original Fortinet whitepaper, and countless datasheets of the UTM vendors and resources on Google. This document by no means shall be used as a complete reference to UTMs and may contain errors, but I hope it will help you test the tides of the UTM scene in a much better way.


Abstract – The objective of this report is to explore the UTM architecture, its inner workings and how a high-performance UTM can be built. We have come a long way from single-purpose routers to highly specialized devices which rely on customized processors and Application Specific Integrated Circuits (ASICs) to deliver high-performance traffic forwarding between networks and applications. This evolution can be credited to increasing performance requirements which, once implemented, were adopted as industry standards.

EVOLUTION – A little background of UTM technology

UTMs, often described simply as next-generation firewalls, evolved directly from conventional firewalls. The first firewalls were software firewalls, themselves evolved from software routers. Later, as hardware routers came onto the scene, hardware firewalls arrived; these were little more than routers with packet-filtering capabilities. The technology then matured from basic packet filtering to more complex control technology, including stateful packet inspection, and finally to full application-layer inspection devices (IEEE, 1997). Around the year 2000, VPNs appeared and gained acceptance as the mainstream technology for connecting networks securely over remote links. Firewall vendors followed closely by integrating VPNs with the firewall, the natural choice since enterprise solutions required both firewalls and VPNs.

As bandwidth prices fell, along with the cost of the cryptographic hardware needed to encrypt and decrypt traffic, the demand grew for specialized hardware that could be used to accelerate performance.


Unified Threat Management

In mid 2004, International Data Corporation (IDC) defined UTM platforms as minimally including firewall, VPN, intrusion prevention and antivirus features. Touted as "Next Generation Firewalls", UTMs have been designed following two approaches since their inception:

1. Licensing and Integrating Approach (Multi-vendor UTM)

2. In-house Development Approach (Single-vendor UTM)

The above figure illustrates the core architecture and the development approaches used to build UTMs.

Licensing and Integrating Approach (Multi vendor UTM)

The first design approach tries to get the best of both worlds by integrating specialized technologies from different security vendors. For example:

The Cyberoam UTM licenses its antivirus from Kaspersky and its anti-spam from Commtouch, vendors that specialize in antivirus and anti-spam technology respectively.


These UTMs provide a single integrated interface to manage all the licensed technologies as simply as possible, although some still require separate management interfaces for individual components.

Advantages and limitations of the multi-vendor approach:

1. Advantage: Combines the best of all worlds.
   Limitation: Research and advancement depend on the different vendors, which hinders optimization of the individual applications.

2. Advantage: Less time is required to develop and deploy a new UTM box.
   Limitation: Again, that time depends on the different security vendors.

3. Advantage: Single management interface.
   Limitation: The interface may not be adequate.

4. Advantage: Cost effective.
   Limitation: If one of the security vendors is compromised globally, the UTM is gone with it, as the technology is outsourced.

5. Limitation: Cannot take full benefit of hardware acceleration resources, due to the multi-vendor technologies.

6. Limitation: Embedding new technologies is difficult.

In-house Development Approach (Single vendor UTM)

The second design approach is the more difficult of the two. It requires ground-up development of a UTM device from scratch, providing each security function natively. This was not flawless: each security function had to meet the market guidelines and standards set by standalone security products in order to be accepted. However, the core functions provided by UTM platforms (firewall, intrusion prevention and antivirus) had matured since the onset of the UTM era, so building competent security functions became both possible and cost effective. This approach also yields a better management interface, as the platform has incorporated all the technologies since inception.

Advantages and limitations of the single-vendor approach:

1. Advantage: Unified architecture from scratch.
   Limitation: The technologies may or may not be adequate compared to their professional standalone counterparts.

2. Advantage: Research and advancement proceed at the vendor's own pace, with better optimization of applications.
   Limitation: More time is required to develop and deploy a new UTM box.

3. Advantage: Unified and best management interface.
   Limitation: High cost of development.

4. Advantage: In-house code fills security gaps and poses less threat of compromise.
   Limitation: Security through obscurity is not always a very good idea.

5. Advantage: Can take full benefit of hardware acceleration resources, which leads to exponential performance gains.

6. Advantage: Embedding new technologies is easier.


Why are UTMs required more than ever?

1. As technology has advanced, blended attacks against organizations have rendered older single-purpose protection devices and services obsolete.

2. The integrated approach lets the administrator worry about only one device instead of a whole flurry of firewalls, antivirus and IDS/IPS.

3. With falling costs, attackers have more speed at their disposal and can carry out more attacks, so more functionality is needed on a single device to counter them.

UTM – Impact Assessment

Unified Threat Management – What does it actually do?

At its heart, a UTM performs two core tasks: collection of data and detection of unwanted or malicious data. As Mick Johnson puts it:

Collection involves picking the packets off the wire and processing them through the network stack, reassembling and deciphering packet header information and identifying the relevant payloads. Detection is the task of scanning those payloads for data that signify a particular traffic stream is malicious or unwanted. A given portion of traffic might apply to either collection or detection at different stages: the source IP address must be checked against a set of firewall rules before being used to identify a TCP stream for reassembly and HTTP-level scanning for viruses.


That said, the process is quite complex and spans six layers of the OSI model.

The factors identified above have made the detection phase correspondingly more important. Over time the packet header size has stayed the same, while ever more information is funneled through packet payloads. Finally, each security function or application added to a UTM adds extra workload to the detection phase irrespective of the amount of traffic, which leads to a massive performance drop when a specific type of inspection is turned on.
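To make the collection/detection split concrete, here is an added example (my own toy code, not from the report or any vendor) that runs constructed packets through a firewall rule check, reassembles the TCP stream, and only then scans the stream with each enabled detection function, counting the bytes each one inspects; the packet fields, rules and signatures are all constructed for the demo.

```python
# Added example (not from the report): a toy UTM inspection pipeline separating
# "collection" (firewall rule check, TCP stream reassembly) from "detection"
# (scanning the reassembled payload) and counting the work per enabled function.
from collections import namedtuple

# Constructed packet record: only the header fields the pipeline needs.
Packet = namedtuple("Packet", "src dst dport seq payload")

# Constructed firewall rules (source prefix, destination port, action); the first
# match wins and the trailing wildcard rule denies everything else.
FIREWALL_RULES = [("10.0.0.", 80, "allow"), ("192.168.", 80, "allow"), ("", 0, "deny")]

# Constructed signatures per detection function; not real malware patterns.
SIGNATURES = {"antivirus": [b"EVIL-PAYLOAD"], "ips": [b"GET /../../"]}


def firewall_check(pkt):
    """Collection step 1: header-level rule lookup on source address and port."""
    for prefix, port, action in FIREWALL_RULES:
        if pkt.src.startswith(prefix) and port in (0, pkt.dport):
            return action
    return "deny"


def reassemble(packets):
    """Collection step 2: group segments per flow and order them by sequence number."""
    streams = {}
    for p in packets:
        streams.setdefault((p.src, p.dst, p.dport), []).append(p)
    return {flow: b"".join(p.payload for p in sorted(segs, key=lambda s: s.seq))
            for flow, segs in streams.items()}


def detect(stream, enabled):
    """Detection: every enabled function scans the whole stream, so the bytes
    inspected grow with each function that is switched on."""
    hits, work = [], 0
    for func in enabled:
        work += len(stream)
        hits += [f"{func}:{sig.decode()}" for sig in SIGNATURES[func] if sig in stream]
    return hits, work


def inspect(packets, enabled=("antivirus", "ips")):
    """Full pipeline: drop denied packets, reassemble the rest, then scan."""
    allowed = [p for p in packets if firewall_check(p) == "allow"]
    return {flow: detect(stream, enabled) for flow, stream in reassemble(allowed).items()}


# Constructed traffic: a signature split across two out-of-order segments (only
# visible after reassembly) and a denied source that must never reach the scanners.
SAMPLE = [
    Packet("10.0.0.5", "10.0.1.2", 80, 127, b"YLOAD\r\n\r\n"),
    Packet("10.0.0.5", "10.0.1.2", 80, 100, b"GET /index.html\r\nX: EVIL-PA"),
    Packet("172.16.9.9", "10.0.1.2", 80, 1, b"EVIL-PAYLOAD"),
]
```

Scanning the two allowed segments individually finds nothing; only the reassembled stream reveals the split signature, and the bytes inspected double when a second detection function is enabled.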

UTM Components

While there are many components in a UTM appliance, three major components make up high-performance UTM systems:

1. Specialized hardware

2. Specialized software

3. Evolving security content

Specialized Hardware

Two major types of specialized UTM co-processing hardware contribute to performance scalability—content processors and network processors. These processors work in conjunction with the general purpose processor. The general purpose processor works in concert with the other specialized processors similarly to the way that the brain works with the spine and peripheral nervous system to perform system activities.


Content Processors / Content ASIC

Content Processors allow for the design and deployment of next-generation networking systems that can make packet or message processing decisions based on an awareness of the packet or message content.

Primary Functions

Acceleration - Content processors accelerate antivirus, intrusion prevention and other application-level security technologies.

Deep Packet Inspection - They perform deep packet inspection and can modify and rewrite content on the fly.

Scanning logic - Content processors implement only the scanning logic in hardware; the threat pattern data itself continues to be stored in memory.

Encryption / Decryption - Content processors can also contain cryptographic engines that relieve the general-purpose processor of the intensive calculations required during encrypted communications.

Analyse - They can perform both message-based and packet-by-packet analysis, and some can keep track of content across multiple packets.

Hardware acceleration - They are prime candidates for hardware acceleration because they help counter performance-taxing applications such as VPN.


Network Processors

A network processor is an integrated circuit whose feature set is specifically targeted at the networking application domain and which performs high-speed processing of network flows. Network processors are typically software-programmable devices with generic characteristics similar to the general-purpose central processing units used in many different types of equipment and products. They are typically placed in line between the general-purpose processor and the network ports, receiving traffic directly and performing some functions automatically.

Primary Functions

Pattern matching - the ability to find specific patterns of bits or bytes within packets in a packet stream.

Key lookup (for example, address lookup) - the ability to quickly perform a database lookup using a key (typically an address on a packet) to find a result, typically routing information.

Data bitfield manipulation - the ability to change certain data fields contained in the packet as it is being processed.

Queue management - as packets are received, processed and scheduled to be sent onwards, they are stored in queues.

Control processing - the micro-operations of processing a packet are controlled at a macro level, which involves communication and orchestration with other nodes in a system.


Quality of service (QoS) enforcement - identifying different types or classes of packets and giving some types or classes preferential treatment at the expense of others.

Access control functions - determining whether a specific packet or stream of packets should be allowed to traverse the piece of network equipment.

Encryption and decryption of data streams - built-in hardware-based encryption engines allow individual data flows to be encrypted and decrypted by the processor.

Act as a basic router - packet or frame discrimination and forwarding, that is, the basic operation of a router or switch. They also allow for quick allocation and re-circulation of packet buffers.

Decrease load on the system - the latest generation of network processors can be programmed with the current firewall and IPS policy, filtering traffic, detecting protocol anomalies and expediting delivery of latency-sensitive traffic at the interface level, without burdening the rest of the system.
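As an added illustration of the offload described above (my own toy code, not from the report or any network-processor vendor), the following fast path performs route lookup, access control and QoS queueing at the "interface" and punts only flows that need content scanning to the CPU; the routes, port policy and traffic are constructed for the demo.

```python
# Added example (not from the report): a toy "network processor" fast path that sits
# between the ports and the CPU. It does key lookup (longest-prefix route match),
# access control, QoS classification with priority queues, and punts to the
# general-purpose CPU only the flows that need content inspection.
import ipaddress
from collections import deque

# Constructed forwarding table: prefix -> egress port (longest prefix wins).
ROUTES = {ipaddress.ip_network(p): port for p, port in
          [("10.0.0.0/8", "eth1"), ("10.0.1.0/24", "eth2"), ("0.0.0.0/0", "wan0")]}
# Constructed policy: ports dropped at the interface, ports whose payload must be
# scanned on the CPU, and which ports count as latency-sensitive traffic.
BLOCKED_PORTS = {23}
INSPECT_PORTS = {80, 25}
QOS_CLASS = {5060: "voice", 443: "web"}   # anything else is "bulk"
PRIORITY = ["voice", "web", "bulk"]       # strict dequeue order


def route_lookup(dst):
    """Key lookup: the longest matching prefix decides the egress port."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def fast_path(packets):
    """Process (src, dst, dport) tuples at the interface. Returns the per-class
    queues of packets forwarded without CPU help, the packets punted to the CPU
    for content inspection, and how many were dropped by the access control rule."""
    queues = {cls: deque() for cls in PRIORITY}
    punted, dropped = [], 0
    for src, dst, dport in packets:
        if dport in BLOCKED_PORTS:          # access control: never reaches the CPU
            dropped += 1
            continue
        entry = (src, dst, dport, route_lookup(dst))
        if dport in INSPECT_PORTS:          # needs payload scanning: slow path
            punted.append(entry)
        else:                               # pure forwarding: stays on the fast path
            queues[QOS_CLASS.get(dport, "bulk")].append(entry)
    return queues, punted, dropped


def schedule(queues):
    """QoS enforcement: strict priority, so voice drains before web before bulk."""
    order = []
    for cls in PRIORITY:
        while queues[cls]:
            order.append(queues[cls].popleft())
    return order


# Constructed traffic: ftp (bulk), web (inspect), voice, telnet (blocked), https (web).
SAMPLE = [("10.0.0.8", "10.6.6.6", 21), ("10.0.0.5", "10.0.1.2", 80),
          ("10.2.3.4", "8.8.8.8", 5060), ("10.0.0.9", "10.0.0.3", 23),
          ("10.0.0.7", "10.5.5.5", 443)]
```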

Specialized Software

At its core, a UTM consists of an operating system which integrates all the applications. Integrating specialized hardware with software needs special programming approaches, and in particular the ability to modify and optimize the source code; otherwise all tasks run on the general-purpose CPU and an overall performance drop is noticed at every level. It is highly unlikely that a third-party security vendor will optimize its code for the hardware; such vendors tend simply to license their code for the platform. Combining multiple technologies also brings a high probability of incompatible software and code and of redundant operations, which further degrade performance.

The basic approach of a multi-vendor UTM is to license software from third-party security vendors and integrate it for the highest compatibility. For example, if the core of the UTM device is a Linux-based OS, the vendor might opt for a Linux-based antivirus to increase performance rather than risk virtualizing a Windows-based OS just for the applications.

Single-vendor UTMs, on the other hand, take the integrated approach and can optimize it according to their needs. Their developers can eliminate threats as fast as possible by innovating on new trends, making the UTM a true next-generation firewall.


A Brief Intro to Antivirus, Anti Spam and Content Filtering technologies

Antivirus

Antivirus or anti-virus software is used to prevent, detect, and remove computer viruses, worms, and trojan horses.

Detection Methods

Signature Based

Heuristics/Meta-heuristics

Rootkit Analysis

Antivirus in UTMs

Generic Antivirus – Antivirus is fully deployed on the device, with only suspicious files sent for analysis and signature creation.

Gateway Anti-Virus – This technique allows applications across the enterprise to check files for viruses by providing a SOAP-based virus scanning web service. Client applications attach files to SOAP messages and submit them to the Gateway Anti-Virus web service. This may be used with active caching.

Cloud Antivirus – Cloud antivirus is a technology that uses lightweight agent software on the protected computer, while offloading the majority of data analysis to the provider's infrastructure.

Anti Spam

Antispam software combats spam using various techniques.

Detection Methods

Authentication and reputation

SMTP proxy

Challenge/response systems

Checksum-based filtering

DNS-based blacklists

Enforcing RFC standards

Greeting delay

Greylisting

Invalid pipelining

Sender-supported whitelists and tags

Rule-based filtering

Statistical content filtering


Antispam in UTMs

Generic Antispam / In-house Antispam – Antispam is fully deployed on the device, with only suspicious mails sent for analysis and signature/reputation creation.

3rd Party Antispam – Mails may be checked using a secure connection to the 3rd party service provider for spam and false positive detection.

Content Filtering & URL filtering

Content filtering is the technique whereby content is blocked or allowed based on analysis of its content, rather than its source or other criteria.

Detection Methods

Attachment - The blocking of certain types of file (e.g. executable programs).

Bayesian

DNS Based filtering

Char-set

Content-encoding

Heuristic

HTML anomalies

Language

Mail header

Mailing List

Phrases

Proximity

Regular Expression

URL-Filtering based on the URL

Content Filtering in UTMs

Generic Content Filtering / In-house – Filtering is fully deployed on the device, with only suspicious content sent for analysis and signature/reputation creation.

3rd Party Content Filtering – Content may be checked using a secure connection to the 3rd party service provider for spam and false positive detection.


UTM – Competitive Product Analysis

Feature | Cyberoam | Checkpoint | WatchGuard | Juniper | Sonicwall | IBM
Device Model | 100ia | UTM-1 13x series / 27x series | XTM 510 | SRX 240 (supports virtualization) | NSA 3500 | IBM Proventia MX 5008
Firewall Throughput | 1.25 Gbps | 1.5 Gbps | 1.5 Gbps | 1.5 Gbps | 1.5 Gbps | 1.6 Gbps
Antivirus | Kaspersky | Gateway/Clam Antivirus | AVG | Kaspersky | McAfee | Kaspersky
Anti Spam | CommTouch | In house | In house | Sophos | In house | In house
Authentication | LDAP, Active Directory, RADIUS | RADIUS | RADIUS, LDAP, Windows Active Directory, VASCO, RSA SecurID, web-based, local | RADIUS, RSA SecureID, LDAP | XAUTH/RADIUS, Active Directory, SSO, LDAP, Terminal Services, Citrix, Internal User Database | Active Directory, LDAP, RADIUS, X509
Content Filtering | In house | Websense | In house | Websense | In house | In house
Sessions per second / Concurrent Sessions | 10K / 400K | NA / 600K | NA / 100K | 9K / 128K | 4K / 325K | 9.58K / 150K

The original Antivirus row also lists Sophos; the flattened layout does not show which product that entry belongs to.

Epilogue

The future is now, gentlemen. With the onset of technologies, we have quite a lot of exotic things to work with. I will be exploring XTMs and more on UTMs in future, as well as more security devices. I hope this document served some purpose to you.

Stay Gold

Rishabh Dangwal

www.theprohack.com