If you’re planning on taking the Security+ exam, you should have a basic understanding of unified threat management (UTM).
For example, can you answer this question?
Q. Your organization wants to combine some of the security controls used on the network. What could your organization implement to meet this goal?
A. SSO
B. UTM
C. VPN
D. VLAN
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are at the end of this post.
Unified Threat Management Goals
Unified threat management (UTM) is a single solution that combines multiple security controls. The overall goal of UTMs is to provide better security, while also simplifying management requirements. In many cases, a UTM device will reduce the workload of administrators without sacrificing security.
As IT-based threats first began appearing, security experts created various solutions to deal with each of them. When attackers began releasing malware to infect computers, vendors created antivirus software. Attackers started attacking networks, and in response, security experts developed and steadily improved firewalls. When organizations recognized a need to control what sites users can visit, organizations implemented proxies with URL filters.
Although all of these solutions are effective, they are also complex. Administrators often find it challenging to manage each of these solutions separately. Because of this, UTM security appliances have become quite popular.
Unified Threat Management Appliance
A web security gateway is a type of UTM appliance and it can protect against multiple threats. This includes threats from malicious software (malware) coming in as an email attachment, malicious code embedded in web browser pages, and spam. They usually include other firewall capabilities, but their real strength is in content filtering.
Many content filters actively monitor data streams by inspecting the packets in search of malicious code or behaviors. For example, users’ email may contain malicious attachments. By inspecting all the packets associated with an email and its attachments, a content filter can detect the malicious content and filter it.
Cisco sells the Web Security Appliance (WSA), which includes several features, including threat defense, content inspection, malware protection, and data loss prevention (DLP) capabilities. Most of these capabilities scan transmissions coming into a network. However, DLP scans data going out of a network. For example, a DLP system can scan all outgoing emails looking for confidential or sensitive information. It would block these emails and identify the user sending them.
Unified Threat Management Capabilities
UTM security appliances combine the features of multiple security solutions into a single appliance. For example, a UTM security appliance might include a firewall, antivirus protection, anti-spam protection, URL filtering, and content filtering.
In general, a computer appliance is a hardware device designed to provide a specific solution. For example, spam appliances scan all incoming email and strip off spam. The intent of the word appliance is to evoke a sense of simplicity. For example, you don’t have to know the details of how a toaster works to make toast. Similarly, you don’t have to know the details of how a computer appliance operates to use it.
UTM security appliances include multiple capabilities, including:
- URL filtering. URL filters within a UTM security appliance perform the same job as a proxy server. They block access to sites based on the URL. It’s common to subscribe to a service and select categories to block access to groups of sites. Administrators can also configure URL filters manually to allow or block access to specific web sites. As an example, if an administrator realizes that users are routinely connecting to a peer-to-peer (P2P) file sharing site, the administrator can add the URL to the filter, and block access to that site.
- Malware inspection. Malware often comes into a network via spam or malicious web pages. The malware inspection component of a UTM appliance screens incoming data for known malware and blocks it. Organizations often also scan for malware at email servers and on individual systems as part of a layered security or defense-in-depth solution.
- Content inspection. Content inspection includes a combination of different content filters similar to a web security appliance. It monitors incoming data streams and attempts to block any malicious content. It can include a spam filter designed to inspect incoming email and reject spam. It can also block specific types of transmissions, such as streaming audio and video, and specific types of files such as Zip files.
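As an added example (not from the original post and not any vendor's product code), here is a small Python model of a single UTM policy pass that combines the controls described above: URL filtering with a subscribed category feed plus manual allow/block overrides, malware and content inspection of inbound data (blocking Zip files by their file signature), and the outbound DLP check on email that also identifies the sender. The category feed, the malware signature (the benign EICAR test string), and the DLP pattern are constructed sample data.

```python
import re

# Constructed stand-ins for data a real UTM appliance gets from its vendor:
# a subscribed URL category feed, malware signatures, and a DLP pattern.
CATEGORY_FEED = {"p2p-share.example": "p2p", "news.example": "news",
                 "videos.example": "streaming"}
BLOCKED_CATEGORIES = {"p2p", "streaming"}
MANUAL_BLOCK = {"badsite.example"}          # URLs an admin added by hand
MANUAL_ALLOW = {"videos.example"}           # admin override beats the feed
MALWARE_SIGNATURES = [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"]  # benign test string
ZIP_MAGIC = b"PK\x03\x04"                   # local file header of a Zip archive
DLP_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b")]  # SSN-like number

def check_url(host):
    """URL filter: manual allow/block first, then the subscribed categories."""
    if host in MANUAL_ALLOW:
        return "allow"
    if host in MANUAL_BLOCK:
        return "block:manual"
    category = CATEGORY_FEED.get(host)
    if category in BLOCKED_CATEGORIES:
        return f"block:category:{category}"
    return "allow"

def inspect_inbound(payload):
    """Malware and content inspection of data entering the network."""
    if any(sig in payload for sig in MALWARE_SIGNATURES):
        return "block:malware"
    if payload.startswith(ZIP_MAGIC):       # content rule: no Zip files
        return "block:content:zip"
    return "allow"

def inspect_outbound(text, sender):
    """DLP: scan outgoing mail for sensitive data and identify the sender."""
    if any(p.search(text) for p in DLP_PATTERNS):
        return f"block:dlp:{sender}"
    return "allow"

def utm_decide(event):
    """One pass through every control, as a single appliance would apply them."""
    kind = event["kind"]
    if kind == "web":                       # browsing: URL filter, then the response body
        verdict = check_url(event["host"])
        return verdict if verdict != "allow" else inspect_inbound(event["payload"])
    if kind == "mail_in":
        return inspect_inbound(event["payload"])
    if kind == "mail_out":
        return inspect_outbound(event["text"], event["sender"])
    raise ValueError(f"unknown event kind: {kind}")
```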
Remember this
A web security gateway and a unified threat management appliance both combine multiple security controls into a single appliance. They can inspect data streams and often include URL filtering, malware inspection, and content inspection components.
Q. Your organization wants to combine some of the security controls used on the network. What could your organization implement to meet this goal?
A. SSO
B. UTM
C. VPN
D. VLAN
Answer is B. A unified threat management (UTM) device combines multiple security controls into a single device.
Single sign-on allows users to sign on once and access multiple resources without signing on again.
Users can access a private network over a public network via a virtual private network (VPN).
You can configure a virtual local area network (VLAN) on a switch to group computers together logically.