UTM devices: the coarse-grained filter for your network

‘UTM’ is one of those topics that tends to polarize a room of geeks. You get folks saying UTM is great stuff and you have folks who say it’s a waste of time. I happen to find use in UTM. I utilize UTM devices for satellite offices. Here’s how it works:

Our network topology is a distributed WAN with a few major offices and several satellite offices, all scattered throughout the world. In ’06 we started deploying IPS and UTM devices. The major offices all get network IPS units behind the existing, beefcake firewalls, and the satellite offices get UTM devices in lieu of a firewall.

My thought behind this approach is this: the satellite offices don’t have a full-time IT staff, and their networks are likely not maintained as well as the main offices. Therefore, if I can get a coarse-grained filter further away from the host, say right at the perimeter, I can catch a lot of the major, most popular threats before they ever reach the host.

The UTM devices I deploy provide several services, as their name implies: they are a firewall, an AV device, and an IPS device, all in one. Granted, having all this inspection going on at the gateway has a negative impact on traffic. For that reason I’ve spec’ed the devices somewhat larger than the office needs, and since the satellite offices have far fewer users, the impact on performance is negligible while the benefits are substantial.

With the IPS portion, I get a form of ‘virtual patching’ at the network perimeter. The units I deploy are hybrid IPS devices, meaning they utilize both attack signatures and malicious-behavior signatures. This is an absolute necessity nowadays, because the malicious-behavior signatures are typically effective in detecting variations on a base attack that an exact attack signature would miss. This gives me a broad spectrum of protection and is more proactive than waiting for the vendor to detect an attack, analyze it, write a signature for it, get that signature to its customers, and then get them to deploy it to production.
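To make the signature-versus-behavior distinction concrete, here is an added example (not from the original post or any vendor’s product) that runs both kinds of rule over a handful of constructed login events: an exact signature on a known bad User-Agent string, and a behavioral rule that counts failed logins per source inside a sliding time window. The tool name, IP addresses and thresholds are all made up for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events (not real traffic): (timestamp_s, source_ip, user_agent, outcome).
# Source A uses a known tool string but stays below the rate threshold.
# Source B changes its User-Agent to look like a browser but hammers the login page.
SAMPLE_EVENTS = [
    (0,  "198.51.100.7", "example-bruteforcer/1.0", "fail"),
    (1,  "198.51.100.7", "example-bruteforcer/1.0", "fail"),
    (2,  "198.51.100.7", "example-bruteforcer/1.0", "fail"),
    (10, "203.0.113.9",  "Mozilla/5.0 (generic)",   "fail"),
    (11, "203.0.113.9",  "Mozilla/5.0 (generic)",   "fail"),
    (12, "203.0.113.9",  "Mozilla/5.0 (generic)",   "fail"),
    (13, "203.0.113.9",  "Mozilla/5.0 (generic)",   "fail"),
    (14, "203.0.113.9",  "Mozilla/5.0 (generic)",   "fail"),
    (20, "192.0.2.5",    "Mozilla/5.0 (generic)",   "fail"),
    (90, "192.0.2.5",    "Mozilla/5.0 (generic)",   "ok"),
]

# Attack signature: a hypothetical vendor-supplied indicator for one known tool.
USER_AGENT_SIGNATURES = {"example-bruteforcer/1.0"}


def signature_alerts(events):
    """Flag every source whose User-Agent exactly matches a known signature."""
    return {src for _ts, src, ua, _outcome in events if ua in USER_AGENT_SIGNATURES}


def behavior_alerts(events, threshold=5, window=60):
    """Flag sources with >= threshold failed logins inside any `window` seconds.

    The rule is indifferent to the User-Agent, so a renamed or modified tool
    (a 'variation on a base attack') is still caught by its behavior.
    """
    recent = defaultdict(deque)  # source_ip -> timestamps of recent failures
    flagged = set()
    for ts, src, _ua, outcome in sorted(events):
        if outcome != "fail":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


def detect(events):
    """Run both rule types; each catches a case the other misses."""
    return {"signature": signature_alerts(events), "behavior": behavior_alerts(events)}
```

On the sample data the signature rule flags only the source using the known tool string, while the behavioral rule flags only the source that swapped its User-Agent but kept brute-forcing; a hybrid IPS reports both.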

There are naysayers out there who will tell you IPS is useless technology and is easily defeated. To them all I have to say is that IPS/UTM is not a panacea, but just another weapon in a vast arsenal used to defend the network. The lock on your front door can easily be picked by someone who knows what they are doing. Do you therefore remove the locks on your doors?

UTM for me is a coarse-grained filter I deploy at the gateway. Sure, there will be attacks that get past it. For those I have patch management and antivirus at the host level, both of which I hope are, for the most part, up to date. Nothing’s perfect, but if you deploy defense in depth and understand where your weaknesses are, you stand a far better chance of surviving the never-ending barrage of onslaughts from the Intarweb.
