If you’re planning to take the SY0-501 version of the Security+ exam, you should understand many security technologies. This includes unified threat management (UTM) devices that combine multiple security controls to provide better security.
For example, can you answer this question?
Q. You need to configure a UTM security appliance to restrict traffic going to social media sites. Which of the following are you MOST likely to configure?
A. Content inspection
B. Malware inspection
C. URL filter
D. DDoS mitigator
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
UTM Device
Unified threat management (UTM) is a single solution that combines multiple security controls. The overall goal of UTMs is to provide better security, while also simplifying management requirements. In many cases, a UTM device will reduce the workload of administrators without sacrificing security.
As IT-based threats first began appearing, security experts created various solutions to deal with each of them. When attackers began releasing malware to infect computers, vendors created antivirus software. Attackers started attacking networks, and in response, security experts developed and steadily improved firewalls. When organizations recognized a need to control what sites users can visit, organizations implemented proxies with URL filters.
Although these solutions are effective, they are also complex. Administrators often find it challenging to manage each of these solutions separately. Because of this, UTM security appliances have become quite popular.
UTM security appliances combine the features of multiple security solutions into a single appliance. For example, a UTM security appliance might include a firewall, antivirus protection, anti-spam protection, URL filtering, and content filtering.
In general, a computer appliance is a hardware device designed to provide a specific solution. For example, spam appliances scan all incoming email and strip off spam. The intent of the word appliance is to evoke a sense of simplicity. For example, you don’t have to know the details of how a toaster works to make toast. Similarly, you don’t have to know the details of how a computer appliance operates to use it.
UTM Capabilities
UTM security appliances include multiple capabilities, including:
• URL filtering. URL filters within a UTM security appliance perform the same job as a proxy server. They block access to sites based on the URL. It’s common to subscribe to a service and select categories to block access to groups of sites. Administrators can also configure URL filters manually to allow or block access to specific web sites. As an example, if an administrator realizes that users are routinely connecting to a peer-to-peer (P2P) file sharing site, the administrator can add the URL to the filter and block access to that site.
• Malware inspection. Malware often comes into a network via spam, or malicious web pages. The malware inspection component of a UTM appliance screens incoming data for known malware and blocks it. Organizations often scan for malware at email servers and at individual systems as part of a layered security or defense-in-depth solution.
• Content inspection. Content inspection includes a combination of different content filters. It monitors incoming data streams and attempts to block any malicious content. It can include a spam filter to inspect incoming email and reject spam. It can also block specific types of transmissions, such as streaming audio and video, and specific types of files such as Zip files.
• DDoS mitigator. A DDoS mitigator attempts to detect DDoS attacks and block them. This is similar to how intrusion prevention systems (IPSs) block attacks.
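The URL filtering and content inspection bullets above describe two decisions a UTM makes on each outbound request: is the destination allowed (category subscription plus manual allow/block entries), and is the transferred content allowed (file types and streaming media). The following Python is an added example, not code from the original post or from any UTM vendor; the domains, the category feed and the policy values are constructed, and the rule that a manual allow entry overrides both a manual block and a category block is an assumption about precedence, not a documented product behaviour.

```python
import posixpath
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for a subscription category feed (hypothetical hostnames).
CATEGORY_FEED = {
    "social.example": "social-media",
    "chat.example": "social-media",
    "p2p.example": "file-sharing",
    "news.example": "news",
}


@dataclass
class UtmPolicy:
    blocked_categories: set = field(default_factory=set)
    manual_block: set = field(default_factory=set)          # hosts an administrator added by hand
    manual_allow: set = field(default_factory=set)          # explicit exceptions to the above
    blocked_extensions: set = field(default_factory=set)    # e.g. {"zip", "exe"}
    blocked_content_types: set = field(default_factory=set)  # MIME prefixes, e.g. {"audio/", "video/"}


def _host_matches(host, entry):
    """True when host equals the entry or is a subdomain of it."""
    return host == entry or host.endswith("." + entry)


def lookup_category(host):
    for entry, category in CATEGORY_FEED.items():
        if _host_matches(host, entry):
            return category
    return "uncategorized"


def url_filter(policy, url):
    """Destination check. Assumed precedence: manual allow > manual block > category."""
    host = (urlsplit(url).hostname or "").lower()
    if any(_host_matches(host, e) for e in policy.manual_allow):
        return True, "manual allow"
    if any(_host_matches(host, e) for e in policy.manual_block):
        return False, "manual block"
    category = lookup_category(host)
    if category in policy.blocked_categories:
        return False, f"category {category}"
    return True, f"category {category} permitted"


def content_filter(policy, url, content_type):
    """Content check on the response: blocked file types and blocked transmission types."""
    path = urlsplit(url).path.lower()
    ext = posixpath.splitext(path)[1].lstrip(".")
    if ext in policy.blocked_extensions:
        return False, f"file type .{ext}"
    if any(content_type.lower().startswith(p) for p in policy.blocked_content_types):
        return False, f"content type {content_type}"
    return True, "content ok"


def evaluate(policy, url, content_type="text/html"):
    """Run the URL filter first, then content inspection; return the first blocking decision."""
    allowed, reason = url_filter(policy, url)
    if not allowed:
        return {"action": "block", "stage": "url-filter", "reason": reason}
    allowed, reason = content_filter(policy, url, content_type)
    if not allowed:
        return {"action": "block", "stage": "content-inspection", "reason": reason}
    return {"action": "allow", "stage": "content-inspection", "reason": reason}


# Constructed policy: block social media and file sharing by category, one host by hand,
# carve out one social-media host that the business needs, and stop archives and streams.
SAMPLE_POLICY = UtmPolicy(
    blocked_categories={"social-media", "file-sharing"},
    manual_block={"tracker.example"},
    manual_allow={"chat.example"},
    blocked_extensions={"zip", "exe"},
    blocked_content_types={"audio/", "video/"},
)

if __name__ == "__main__":
    for url, ctype in [
        ("https://www.social.example/feed", "text/html"),
        ("https://chat.example/login", "text/html"),
        ("https://tracker.example/pixel.gif", "image/gif"),
        ("https://news.example/report.zip", "application/zip"),
        ("https://news.example/live", "video/mp4"),
        ("https://news.example/story", "text/html"),
    ]:
        print(url, evaluate(SAMPLE_POLICY, url, ctype))
```

Note that the subdomain match is what makes a single category entry cover `www.social.example` as well as the bare host; a filter that compared hostnames for exact equality would be trivially bypassed by any other label in front of the domain, which is worth checking when you audit a real appliance's manual block list.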
UTM Output
The output of the UTM varies depending on the device and what it sees. For example, if it detects malware, it will typically raise an alert and send it to administrators.
A common security issue with UTMs is a misconfigured content filter. For example, if the spam filter is misconfigured, it can block valid mail or allow too much spam into the network. Administrators adjust the sensitivity of the spam filter to meet the needs of the organization. For example, one organization might find it unacceptable to block emails from customers or potential customers. Administrators would adjust the sensitivity allowing more spam into the network to meet this need.
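The sensitivity trade-off described above can be made concrete by replaying a labelled mail sample through a range of spam-score thresholds and counting, for each, how much legitimate mail is blocked (false positives) and how much spam gets through (false negatives). The Python below is an added example, not code from the original post; the messages, their scores and their labels are constructed, and the score itself is assumed to come from some scoring engine on the appliance (here it is just a number in the sample).

```python
from collections import namedtuple

Message = namedtuple("Message", "subject score is_spam")

# Constructed sample: a score of 0.0..1.0 from a hypothetical spam engine and the true label.
SAMPLE_MESSAGES = [
    Message("customer quote request", 0.62, False),
    Message("vendor invoice", 0.35, False),
    Message("internal memo", 0.05, False),
    Message("prospect asking about pricing", 0.58, False),
    Message("bulk marketing blast", 0.91, True),
    Message("phishing lure", 0.83, True),
    Message("lottery scam", 0.74, True),
    Message("borderline newsletter", 0.55, True),
]


def evaluate_threshold(messages, threshold):
    """Block every message scoring at or above the threshold; report the resulting errors."""
    blocked = [m for m in messages if m.score >= threshold]
    passed = [m for m in messages if m.score < threshold]
    return {
        "threshold": threshold,
        "blocked": len(blocked),
        "false_positives": sum(1 for m in blocked if not m.is_spam),  # legitimate mail lost
        "false_negatives": sum(1 for m in passed if m.is_spam),       # spam admitted
    }


def choose_threshold(messages, max_false_positives):
    """Lowest (strictest) threshold whose false-positive count stays within the limit.

    Candidate thresholds are the distinct scores in the sample, tried from strictest to
    loosest, so the result blocks as much spam as the organization's tolerance allows.
    """
    for candidate in sorted({m.score for m in messages}):
        if evaluate_threshold(messages, candidate)["false_positives"] <= max_false_positives:
            return candidate
    return None  # no threshold satisfies the limit (not reachable: the top score blocks one message)


if __name__ == "__main__":
    for t in (0.5, 0.6, 0.7, 0.8):
        print(evaluate_threshold(SAMPLE_MESSAGES, t))
    # An organization that refuses to lose any customer email ends up with a looser threshold
    # and accepts that some spam is admitted.
    print("no-customer-loss threshold:", choose_threshold(SAMPLE_MESSAGES, max_false_positives=0))
```

Running this shows the shape of the decision the post describes: at 0.5 two legitimate messages are blocked and no spam is admitted, while the strictest threshold that blocks no legitimate mail is 0.74, which lets the borderline newsletter through. Which point on that curve is right is an organizational choice, not a technical one, which is why the post has administrators adjusting it rather than the vendor.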
It’s common to place UTM appliances at the network border, between the Internet and the intranet (or the private network). This allows it to intercept and analyze all traffic to and from the Internet. However, the placement is dependent on how the UTM appliance is being used. As an example, if it is being used as a proxy server, it can be placed within the DMZ.
Administrators would configure the clients to use the UTM appliance as their proxy server, ensuring that all relevant traffic goes through it.
Q. You need to configure a UTM security appliance to restrict traffic going to social media sites. Which of the following are you MOST likely to configure?
A. Content inspection
B. Malware inspection
C. URL filter
D. DDoS mitigator
Answer is C. You would most likely configure the Uniform Resource Locator (URL) filter on the unified threat management (UTM) security appliance. This would block access to the peer-to-peer sites based on their URL.
Content inspection and malware inspection focus on inspecting the data as it passes through the UTM, but they do not block access to sites.
A distributed denial-of-service (DDoS) mitigator will attempt to block incoming DDoS attack traffic.
See Chapter 3 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on implementing a secure network.