
Introduction (Describe the features the UTM device must have)
The term UTM, or Unified Threat Management, was coined in 2004 by the research firm IDC to define a class of products that combine multiple security functions in a single firewall appliance. UTM devices can be considered a useful tool for reducing the risks present in a company's infrastructure at a lower cost than the use of several standalone devices. The next-generation firewall was defined by Gartner (2013) to identify the distinctive features of application identification and application control in firewalls. Most of the firewalls used in industry today need to pass the scrutiny of the testing practices conducted by auditors, so that business assets are secured and the financial reporting process comes out with a clear position. UTM security appliances operate on the principle of multiple security features integrated in one box. To be included in this category rather than being counted as a point product, an appliance must have its own set of features matching the usual series of network protections: a firewall, intrusion detection, and complete prevention through gateway-based antivirus. According to the IDC report of 2004, once such a UTM device provides sufficient network capacity, frequent updates, power redundancy and high availability, its individual functions are difficult to separate back out into standalone devices without losing that redundancy at device level. Threat management security appliances build on the next-generation firewall, combining the many features of network intrusion prevention systems (IPS) with the regular firewall functions and models. A UTM includes multi-functional security capabilities that act separately: a network-based anti-virus and a good filter for avoiding malware.

Are there any additional features included for specific vendors?
A firewall has only a limited built-in capability to give sensitive data a functional leakage protection (DLP) capability. Encrypted traffic prevents a firewall from reading the incoming traffic it carries, while Wi-Fi networks are prone to direct attacks that bypass the firewall altogether. In spite of providing a full range of compatible features in a compatible domain, vendors look for certain salient features that have a significant impact on overall network behaviour when the network's capabilities are fully switched on: content-aware security, analysis for data leakage protection (DLP), and network access control (NAC) against intrusion through uncontrolled access. Application control requires the user to monitor and control applications, adding web application firewall functionality. Organizations take such measures to improve the cost ratio and to obtain a consolidated solution for resource management. A UTM security solution can be analysed through a firewall monitoring instance. Although a firewall between two hosts permits HTTP requests on port 80, it is highly probable that an SQL injection attack carried over port 80 to the web server sends erroneous input on to the backend database and ultimately corrupts the system. A UTM or IPS blocks that attack, while a plain firewall would not. This is why a UTM makes more sense in a small or medium-sized business, where all the security functionality is bundled in a single stack. In a large enterprise the functionality is modularized, or reduced to operational inspection of the state transitions detected by firewalls, IPS devices, anti-virus, anti-malware, layer-7 inspection, etc.
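To make the port-80 contrast above concrete, here is an added Python illustration (not code from any firewall or UTM product): a port-only rule admits every request to TCP/80, while a layer-7 inspector parses the HTTP request and matches its decoded parameters against a small signature set. The rule set, the two signatures and the sample requests are constructed assumptions for the example.

```python
"""Port-based filtering versus content-aware (UTM/IPS style) inspection.

Added illustration of the point above; it is not code from any vendor's
product. A rule that permits TCP/80 lets an HTTP request through whatever it
carries, while a layer-7 inspector that parses the request can reject one
whose decoded parameters match an SQL-injection signature. The rule set,
signatures and sample requests below are constructed for the example.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Layer-3/4 policy, as a classic firewall rule set would express it.
ALLOWED_TCP_PORTS = {80, 443}

# Layer-7 policy: two hypothetical IPS signatures for SQL injection.
# Real products ship thousands; two are enough to show the idea.
SQLI_SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d", re.I)),
    ("sqli-union-select", re.compile(r"\bunion\b.{0,20}\bselect\b", re.I)),
]


def port_filter(dst_port: int) -> str:
    """What a port-only firewall decides: allow if the port is open."""
    return "allow" if dst_port in ALLOWED_TCP_PORTS else "deny"


def l7_inspect(raw_request: bytes) -> tuple[str, str]:
    """Parse the HTTP request line and match every decoded parameter value
    (and the path) against the signature set. Returns (verdict, reason)."""
    try:
        request_line = raw_request.split(b"\r\n", 1)[0].decode("ascii")
        method, target, _version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        # A request line the parser cannot read is flagged, not guessed at.
        return "block", "malformed-request-line"
    parts = urlsplit(target)
    # parse_qsl percent-decodes values once, so encoded payloads are matched
    # in decoded form; the path is decoded once for the same reason.
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    values.append(unquote(parts.path))
    for name, pattern in SQLI_SIGNATURES:
        if any(pattern.search(v) for v in values):
            return "block", name
    return "allow", f"{method} {parts.path} clean"


def evaluate(dst_port: int, raw_request: bytes) -> dict:
    """Run both layers over one connection and report both verdicts."""
    l7_verdict, reason = l7_inspect(raw_request)
    return {"firewall": port_filter(dst_port), "utm": l7_verdict, "reason": reason}


# Constructed sample traffic: a benign lookup and an injection attempt,
# both to TCP/80 on the same web server.
BENIGN = b"GET /products?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
INJECTED = b"GET /products?id=42'%20OR%20'1'%3D'1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("injected", INJECTED)):
        print(label, evaluate(80, req))
```

Both requests receive `allow` from the port filter; only the content-aware layer separates them, which is the gap the text describes.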

Support the answer with a suitable example for a specific product
As firewalls have evolved from stateful firewalls to next-generation firewall systems, many kinds of network security modules, such as IPSs and full-stack inspection, have been included in the appliances. We take Fortinet's UTM as an instance. The characteristic needs derived from Fortinet are as follows:
1. Risk analysis: Unified threat management needs to look into the inner workings of a business solution by evaluating, in a timely manner, the risk in the processes and assets the device is made to protect.
2. Modules for future use: A UTM device may also be used for block-level disk protection. Various characteristic modules are used, including firewall, IPS, web filtering, email gateway antivirus, anti-spam, virtual private networking and other functions. There may also be a need for the strength to scan non-HTTP traffic, such as threats arriving through instant messaging, FTP and peer-to-peer traffic, which is difficult to reach.
3. Operating costs: The cost of the modules includes provision for software version upgrades, which require upgrade patches that are provided only through a seamless technical support package covering certain hours for the complete duration of the contract.
4. Training: Administrators run the devices and have to be made familiar with the vendor's products. A product that needs the least, or a minimal, user-friendly learning time to implement reduces the training expenses at competitive cost; such training is at times delivered through online learning systems.
5. Signatures: Vendors keep their signature databases proprietary and secret under a strict policy. The user regulates how each signature is applied, since a signature can be disabled, set to log, or set to drop across the entire firewall. Vendors do not need to customize rules in the signature database for emergency protection, because separate vendor rules can be created and distributed to identify the latest threats affecting the network. If the firewall cannot respond to such a real-time scenario, a vendor can face a day of maximum threats in the environment, or targeted attacks on the network in the future. The same filters can also be applied to other functions on the machine, such as email and web filtering.

6. Roadmaps: Security updates require constant monitoring of the latest threats and of the firewall's ability to keep ahead of them. A vendor should be able to give short-term and strategic roadmaps for the system that identify the kinds of threats likely to proliferate given the present abnormalities of the system; if, for example, IPv6 is not carried forward, the service life of the device can lag behind.
7. Sufficient network capacity: All the devices on a path suffer from a variety of bottlenecks, and only a few standalone devices can restrict traffic the way a UTM device does. A UTM device has to meet the dual requirements of protection and speed, for which vendors furnish and develop custom ASIC boards. To verify the capacity and capability of the board, specifications such as maximum throughput, number and types of ports, memory size and disk space need to be evaluated for a strong response. IPS rule tuning and module optimization enable the device to work with better capacity. The UTM device needs to integrate with the network so that the administrator can run it without affecting network performance.
8. Frequent updates: Security applications need frequent updates to identify and address the risk from new and evolving threats; failing that, the level of protection is perceived to decrease. It is possible that some modules of a UTM device are not updated frequently, so that the IPS signature status, the list of websites to be blocked by the web filter, and the antivirus protection do not receive the frequent updates needed for monitoring system control.
9. Support level: During licensing with signatures, bugs in the product may bring a network to a standstill, at which point all the standalone devices stop working. One of the risks of using network-based IPS is a signature that blocks legitimate traffic bound for the network. The best prevention any IDS company applies to signatures is to manually extract and write quality signatures, giving clients holistic, up-to-date protection against digital fraud.
10. Power redundancy: A device in the network must be capable of supporting the load and of using the power redundancy provided by redundant power supplies. A lack of this feature at any level indicates that something is missing in the product design.
11. IPS failure mode, fail open/fail closed: Much network equipment is vulnerable to underlying hardware failures; these can be handled when protocols are parsed by the IPS, because a non-working IPS can be detected by the machine. If the IPS is not provided with the right network cards, it may fail open, and the network loses its defensive control toward the outside world. Most systems can have identical failover configurations with an unknown buffer overflow that might render both systems useless, without restoring the system to a good state.
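The fail-open/fail-closed trade-off in item 11 is modelled in the following added Python example, which is not the code of any appliance; the packets, the detection rule and the simulated engine fault are constructed for illustration.

```python
"""Fail-open versus fail-closed behaviour of an inline IPS, modelled in code.

Added illustration of item 11 above; it is not the code of any appliance.
An inline inspector sits between two interfaces. While the engine is healthy
every packet is inspected. When the engine faults (simulated here), a
fail-open device forwards traffic uninspected, a fail-closed device drops
everything. Both outcomes are recorded, because either one is evidence an
operator must see. Packets, the detection rule and the fault are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass
class InlineIPS:
    mode: str                      # "fail-open" or "fail-closed"
    engine_healthy: bool = True
    forwarded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def inspect(self, pkt: Packet) -> bool:
        """Hypothetical engine: True means allow. Raises when unhealthy,
        the way a crashed or overloaded engine stops answering."""
        if not self.engine_healthy:
            raise RuntimeError("inspection engine unavailable")
        return b"malicious" not in pkt.payload    # constructed rule

    def process(self, pkt: Packet) -> str:
        """Return the verdict applied to one packet, tagged '-uninspected'
        when the engine was unavailable and the failure mode decided."""
        try:
            verdict = "forward" if self.inspect(pkt) else "drop"
            inspected = True
        except RuntimeError:
            inspected = False
            if self.mode == "fail-open":
                verdict = "forward"      # availability kept, protection lost
            elif self.mode == "fail-closed":
                verdict = "drop"         # protection kept, availability lost
            else:
                raise ValueError(f"unknown failure mode {self.mode!r}")
            self.audit.append(f"engine fault; {self.mode} -> {verdict} "
                              f"uninspected {pkt.src}->{pkt.dst}")
        (self.forwarded if verdict == "forward" else self.dropped).append(pkt)
        return verdict if inspected else verdict + "-uninspected"


BENIGN = Packet("198.51.100.20", "192.0.2.10", b"GET /index.html")
HOSTILE = Packet("203.0.113.7", "192.0.2.10", b"malicious payload")   # constructed


def simulate(mode: str) -> dict:
    """Run the same two packets through a device before and after an engine
    fault; the returned verdicts show what each failure mode trades away."""
    ips = InlineIPS(mode=mode)
    before = {"benign": ips.process(BENIGN), "hostile": ips.process(HOSTILE)}
    ips.engine_healthy = False
    after = {"benign": ips.process(BENIGN), "hostile": ips.process(HOSTILE)}
    return {"healthy": before, "faulted": after, "audit_entries": len(ips.audit)}
```

Run `simulate("fail-open")` and `simulate("fail-closed")` side by side: the first keeps the link up but lets the hostile packet through uninspected, the second blocks it at the cost of also dropping the benign traffic.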
12. Alerting / forensic evidence: The device should be able to generate logs of administrative activities and identify the configuration changes made to the network, so that normal system maintenance activities can continue. Debugging can be turned on in each of the devices involved, in a time-shared manner, to access a VPN tunnel and analyse a malformed or poorly developed signature for virus detection. The IPS module also has the ability to include the packets in alerts when they are logged, while they are blocked without any interference. A security information and event management (SIEM) system aggregates and correlates data from the security feeds: network discovery and vulnerability assessment systems, governance and risk tools, website assessment and monitoring applications and scanners, penetration testing tools, intrusion detection systems, enterprise antivirus and unified threat management. These devices provide seamless portability for network firewalls, and the UTM provides layered security for threat management in a closed network of VPNs, with seamless updates and backup and recovery for anti-spam on email services.
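As an added example of the aggregation described in item 12 (not the code of any SIEM or UTM product), the following Python normalizes constructed firewall, IPS and antivirus log lines to a common schema and applies one correlation rule; the three log formats, the addresses and the 5-minute window are assumptions made for the example.

```python
"""Correlating events from several UTM modules, SIEM style.

Added example for the alerting and forensic-evidence point above; it is not
the code of any SIEM or UTM product. Three constructed log formats (firewall,
IPS, gateway antivirus) are normalized to one event schema, then a correlation
rule raises an incident when a single source address triggers events in two
or more modules within a time window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Constructed log lines in three hypothetical formats; real appliances differ.
RAW_LOGS = """\
2015-04-14T09:00:01 fw01 FW deny src=203.0.113.7 dst=192.0.2.10 dport=445
2015-04-14T09:00:05 fw01 FW allow src=198.51.100.20 dst=192.0.2.10 dport=80
2015-04-14T09:00:09 ips01 IPS alert sig=sqli-tautology src=203.0.113.7 dst=192.0.2.10 action=drop
2015-04-14T09:00:40 av01 AV detect file=invoice.exe src=203.0.113.7 verdict=quarantine
2015-04-14T09:30:00 ips01 IPS alert sig=sqli-tautology src=198.51.100.20 dst=192.0.2.10 action=drop
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<module>FW|IPS|AV) (?P<action>\S+) (?P<kv>.*)$"
)


def normalize(line: str) -> Optional[dict]:
    """Parse one raw line into the common schema; None if it does not parse.
    The caller counts unparsed lines rather than dropping them silently,
    because a gap in the evidence matters for forensics."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "sensor": m["host"],
        "module": m["module"],
        "action": m["action"],
        "src": fields.get("src"),
        "detail": fields,
    }


def correlate(lines, window_seconds: int = 300, min_modules: int = 2):
    """Group normalized events by source address and raise one incident per
    source when events from at least `min_modules` distinct modules fall
    inside the window. Returns (incidents, number_of_unparsed_lines)."""
    window = timedelta(seconds=window_seconds)
    events, unparsed = [], 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed += 1
        elif ev["src"]:
            events.append(ev)
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    incidents = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            modules = sorted({e["module"] for e in in_window})
            if len(modules) >= min_modules:
                incidents.append({"src": src, "modules": modules,
                                  "first": first["ts"], "last": in_window[-1]["ts"]})
                break
    return incidents, unparsed
```

On the sample above, only 203.0.113.7 is seen by all three modules inside the window; the second address trips the IPS half an hour after its firewall entry and is not correlated.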

With the help of a suitable diagram, explain why it is necessary to implement more than one UTM
The drawbacks of UTM are:
1. Signature-based systems are not good enough to protect against unknown threats.
2. Once a vulnerability is discovered, the firewall tries to quarantine the system against the bug while the threat is being analysed and a rule is created, tested and distributed; this period is often referred to as the window of vulnerability.
3. Signatures are written to detect a specific attack by the payload attached to it; an attacker alters the payload so that the modified version bypasses the signature.
4. A signature database must be highly efficient: if too many signatures are created, the device's performance is significantly reduced.

Advantage of using a custom-based security solution on a customer workstation instead of a UTM device with the same features
The main advantage of a UTM device is the centralized management scheme it develops, compared with a solid custom-based security solution on a customer workstation. Separate devices can always be used to configure a UTM device for measuring the increasing latency of the operation. Two sets of UTM devices will not compromise the security. Security Information and Event Management (SIEM) allows the device to gather more security log data from different systems and compile the entire data set for review in one expert location. Many UTM devices are used these days for various purposes. Among them, the market share is presumably consumed by Fortinet (18.9%), CheckPoint (17.8%), SonicWall (9.3%), Juniper (5.8%), Cisco (5.4%), WatchGuard (5.1%), McAfee (4.2%) and Sophos (2.2%), while the others are PAN, Stonesoft, Barracuda and HP, according to IDC Worldwide.
Among them the leaders are Checkpoint, Fortinet and Palo Alto; the challengers are Dell SonicWall and Sophos; the uncompetitive are Cisco, Juniper, McAfee, StoneSoft and WatchGuard; and the rookie is Sourcefire. Checkpoint serves as an excellent management platform, milking its client base by allowing it to manage a diverse infrastructure of multiple devices. They have different architectures that allow multiple devices to be managed accurately with different appliances, and they have a respectable client base. Checkpoint has been obsessed with changes to its aging platform. Its negatives are that aging platform, which is integrated but has not evolved much; it is expensive and its licensing is complicated. It has 1.3 billion in revenue.
Fortinet: high-performing appliances in application control, with the best performance and the best value for price in total cost of ownership. They dedicate a lot to research and development, which is at their core, spending a lot of money on engineering and brain power. They have an ultra-unified stack (hardware, software, content) that gives them a lot of performance in terms of applicability: high performance at a lower total cost of ownership, much more affordable engineering, and third-party certifications. Their marketing is pretty bad and people have relegated them to the UTM market. They have massive R&D but a weak central management and reporting system for analysis. Fortinet is a decent company with 552 million in revenue.
The last leader is Palo Alto, which is deeply admired and has a high buzz coefficient. Palo Alto blasted into the market space and has the best buzz. They have a novel approach to application control that is interesting and unique among the other market platforms. They have great reporting, which is unique, and excellent Active Directory integration. They have also captured accounts and integrated with minimal third-party claims. Their performance claims are, however, facing a lot of questions, mostly about the direct response issue and the cache bypass feature. The application control of Palo Alto can be bypassed, which is an issue in any UTM service, and as a result the performance plummets. Anyone working with Palo Alto knows they have ultra-premium pricing. They have an infuriating commit process, so even after making all the changes during troubleshooting one needs to sit and wait for the results to come up. They are also the smallest in the space, but have a market cap of 3 billion due to their high stock price. They have, however, done an amazing job of blazing ahead on the path.
Explain why the hardware prices differ according to the price of the UTM device
The hardware prices of the UTM differ based on the UTM
Impressive performance and good NSS reviews. The ability to define a clear strategic vision without being hindered by legacy features. A good set of features at a very reasonable price: Sophos has been rated as a very influential factor in this development, being one of the least expensive and providing a good set of features at a minimum price. Its GUI is a work in progress at present. A UTM device does not guarantee the security of a network; it serves as one of the many layers you can use to protect your network. Securing the system requires many elements, so one has to look at UTM devices and identify the elements of security with which the vendors benefit small or medium-sized businesses, as shown in the figure.

Figure 1: Enterprise net Load Balancing [Ref 3]


Based on the figure above, it can be said that point products create excessive marketing overhead, causing mistakes and security vulnerabilities. There is a seamless interdependence between technology vendors. Tipping Point identifies this as due to a lack of cohesion among security data. The problem of multiple points of failure, and the difficulty of virtualizing, are minimized by unifying onto a common security platform. There are various ways to deploy the security platform:
[1] Traditional firewall / VPN
[2] IDS and IPS
[3] Web filter and application control
[4] Web proxy, reverse proxy and caching
[5] Core firewall
[6] SSL VPN
[7] Remote endpoint
[8] Wireless networking
[9] BYOD networks
[10] SSL inspection and scanning


NetSentron is a network security appliance designed and sold by Kobelt Development Inc., a Surrey, British Columbia based IT service company. The NetSentron appliance is a firewall, website content filter and virtual private network control device, often referred to as a unified threat management product. The ZoneAlarm Secure Wireless Router Z100G is a discontinued unified threat management security router for the home and SOHO market. A bypass switch is a hardware device that provides a foolproof access port for an inline monitoring appliance such as an intrusion prevention system (IPS), across all the devices of the firewall and WAN, which developers can integrate together for analysis. A well-known developer and vendor in this field, making operational instruments such as hardware that provides end-to-end encryption, email and web security, and application security software for mobile device network security, is Sophos. This acts as a unified threat management product providing security to organizations and businesses. Untangle is a privately held company with its major operations in Sunnyvale, California, providing the logistic support for the software and hardware versions of the Untangle firewall for computer network applications. The company offers user-identity-based network security in next-generation firewalls, allowing visibility and granular control over data. Real-time solutions include antivirus installed on individual machines to guard against malware. Other alternative solutions include UTM hardware and network firewalls, cloud-based antivirus and online scanners. Next-generation firewalls use DPI to prevent attacks from a percentage of viruses and worms, when the signature of the malware fits within the payload that DPI inspection can see.
Explain whether it is necessary to implement additional computing if UTMs are already deployed in the network
IDS and IPS are well suited to perform the task. In an enterprise network, IPS are used because they provide greater visibility, unlike traditional point players that act as underperforming UTM/NGFW products. According to the NSS report for IPS, Sourcefire ranked in the top spot for detection accuracy. Checkpoint and Fortinet now outperform Tipping Point, Juniper and IBM ISS on the characteristic effects of web filter, application control and web proxy. Web filtering is an absolute commodity, while application control is tricky to implement; blacklisting applications is easier than whitelisting them. Proxy support in this function is good. A core firewall is the ideal firewall for internal segmentation. It is used to terminate the LAN to control access, implement IDS applications and virtualize the core firewall, which can provide better business-unit segmentation. Virtualized security can be bought as hardware or run in a private cloud, creating multiple security instances in a single hypervisor.
Conclusion
The challenges of utilizing UTMs are many, since there are multiple parts of the business, including web filtering and network security and all the different peak frames that are no longer associated with a point product, and there are a lot of turf issues. Defining a role for the UTM is therefore very important. There are different teams for the different components, such as web filter and IPS, and management is divided into different groups composed of multiple domains of work. The major limitation of UTMs is that they suffer from single points of failure. Most of the SGW of today are compliant with the latest technology due to pairing. All of them have 10 GB and achieve high performance by collapsing point products onto a common platform. The difference between the products depends on price, where Fortinet is cheap, and usability, where Palo Alto excels. All the products use their deployment capability to catch the market. Unfortunately, most unified threat management systems (UTMs) are designed for SMB deployment, with simplicity of the management system as one of the most critical design requirements. It is quite well known that an IPS incorporated into a UTM firewall will have the same functionalities, controls and protections as a standalone IPS. There are not many UTM firewalls that can be sustained with embedded IPSes; the various management systems for the IPS that are part of these products can be quite different from the firewall parts. A prospective UTM firewall vendor has bundled the IPS and firewall functionality into a single integrated, homogeneous web interface, which identifies a product where the IPS works with second-rate management tools. This may be fine in environments where control is the only priority, such as branch offices or places where a small set of systems needs protection. Although IPS offers greater visibility for small vendors, IDS scores better in terms of visibility, network forensics and analysis capabilities. However, the IDS management console has been found not to work properly when the information is not properly extracted from the site. UTM devices are expected to correct this error through their service in future devices. Fortinet is working on integrating the firewall with an endpoint tool; the next tool is likely to address the non-availability management and patch management scenario. Sophos plans to tie the endpoint to the firewall. Once the UTM device's features are determined, the auditor's job is to identify the automated compliance mechanisms to be used in the best possible scenario for the cost/benefit ratio in reducing risk. In spite of the complexities of deploying a UTM device properly, generic load balancing capabilities can be achieved by deploying UTM devices on two or more standalone machines, with an eye to their acquisition, maintenance and deployment requirements. The information discussed above is a deliberate attempt to help you successfully choose and validate a UTM device that fits the network and serves all the provisions of the system.

References
[1] Gartner, Magic Quadrant for Unified Threat Management, Greg Young and Jeremy D'Hoinne, 19 July 2013.
[2] IDC, Worldwide Threat Management Security Appliances 2004-2008 Forecast and 2003 Vendor Shares: The Rise of the Unified Threat Management Security Appliance, 2004.
[3] Enterprise Internet (WAN) Link Connectivity Redundancy and Load Balancing. http://www.excitingip.com/1393/enterprise-internet-wanlink-connectivity-redundancy-and-load-balancing/ Accessed on 14th April 2015.
