Unified Threat Management (UTM)

Definition

UTM system is a type of network hardware appliance, virtual appliance or cloud service that protects businesses from security threats in a simplified way by combining and integrating multiple security services and features.

Unified threat management consolidates multiple security and networking functions all on one appliance to protect small and medium businesses while simplifying their infrastructure. This allows business leaders to spend more time and resources on revenue growth and profitability. It’s also enables them to fully utilize a mobile workforce, cloud services, and other emerging technologies for a competitive advantage.

UTM devices are often packaged as network security appliances that can help protect networks against combined security threats, including malware and attacks that simultaneously target separate parts of the network.

Capabilities of UTM

UTM systems often include several network security technologies, including:

• Antispam services block or tag incoming email-based attacks by scanning inbound and outbound Simple Mail Transfer Protocol email traffic. Antispam filtering enables businesses to use third-party server-based spam block lists or to create their own local whitelists and blacklists to filter email messages. Antivirus scanning for web and email means that UTM devices scan email and web application traffic for malware. Some UTM systems scan for other network security threats carried in application traffic, such as instant messaging services that hackers use to spread malware.
• UTM devices and services may also offer application control to whitelist applications and flag which applications may and may not be used, and when. Application control is important for network security because many apps are either malicious or contain vulnerabilities that attackers can use to compromise network security.
• Thefirewall is the oldest and most basic network security function. Firewalls restrict the establishment of network connections between hosts inside and outside the organization with the intention of reducing or eliminating exposure to external hosts, networks or protocols that are known to be vectors for network threats.
• Intrusion detection andintrusion prevention technologies identify and prevent attacks by detecting when an attacker is attempting to access the network and preventing those types of attacks from occurring. The most effective UTM devices and services address this type of security threat through a combination of methods, including detecting attacks based on malware signatures, anomalies or reputation-based detection to stop both known and unknown attacks.
• Virtual private network functions are often included with UTM devices and services. While most UTM network security functions are meant to detect and stop attacks, VPNs are designed specifically to protect an organization’s network activity from unauthorized manipulation or eavesdropping. A VPN provides a protected tunnel through which network activity can pass. A VPN can be configured to tunnel all the traffic from mobile hosts to a UTM device, enabling all UTM network security checks to be applied to mobile traffic and reducing the number of security incidents involving these devices.
• Webfiltering for content and URL filtering capabilities cover a range of techniques that determine if a web request involving a website or URL should be permitted or not. Some UTMs use analytic techniques that are able to scan websites for security violations that indicate a website may pose a security threat.

How UTM Works?

UTM systems typically do this using inspection methods that address different types of threats.
These methods include:

• Flow-based inspection, also known as stream-based inspection, samples data that enters a UTM device, and then uses pattern matching to determine whether there is malicious content in the data flow.
• Proxy-based inspection acts as a proxy to reconstruct the content entering a UTM device, and then executes a full inspection of the content to search for potential security threats. If the content is clean, the device sends the content to the user. However, if a virus or other security threat is detected, the device removes the questionable content, and then sends the file or webpage to the user.