work and IT @ 11 Nov 2008 01:45 pm by ayoi
This is NOT UTMS
Unified Threat Management System, or UTMS. Yup, that’s the new hype now. Who needs a separate box for firewalls, IPS, IDS, anti-virus, spam filter, VPN, DNS, mail server and many others when you can have it all bundled up in one machine or box? Just like nowadays we can have one machine that is our fax machine, document scanner, printer and photocopier as well. Cool eh? Yeah, cool until a simple power failure renders that huge machine useless..
Sometimes I do feel tired of these blabla vs blabla kind of things. Like IPS vs IDS, Linux vs Windows, Linux vs BSD.. I don’t think these kinds of arguments benefit any of us, besides the respective zealots (I guess bigots is too strong and not that appropriate). The main goal is to reduce the risk of being compromised to as low as possible. In other words, we try to frustrate the attackers as much as possible. For that to happen, I believe we should implement as many measures as possible.
I didn’t say that a UTMS device is no good for your organization; that would be like telling you that having a photocopier with fax, printing and scanning bundled with it is no good for you as well. To be honest, it is wonderful to have this device in your office (I have mine as well). It saves a lot of trouble when you need to print and photocopy documents, but here in the office we have another fax and printer machine as well. Just in case…
So it is the same thing with UTMS. This device is wonderful. It saves a lot of trouble and time to configure, maintain and monitor this one device compared to having a separate machine for every function. But if you decide to depend solely on this particular device and remove the others, I don’t think it is a wise idea.
1). Emplacement.
Most of the time this device will be placed inline at the network perimeter segment. Some people deploy it in front of their current firewall and some deploy the UTMS behind it. Anyway, that depends on what kind of functionality you want to use the UTMS for. For me, I’ll use the anti-virus and content filtering / IPS capability of this machine to supplement my firewall, so the most appropriate emplacement for this device is behind the firewall. This is based solely on what layer of traffic it can see: let the firewall monitor the lower layers of the network stack and let the UTMS concentrate on the higher layers.
2). Performance.
This is one of the areas where I am sceptical about this device’s capability. When you have all kinds of functions enabled in this device, somehow, some way, I do believe it will degrade your network performance. Whether the impact is low or significant, the effect is still there. So far we have tested one UTMS and the performance of the network was slightly affected (and we did not enable the full IPS policy). Of course, based on the brochure you can see all the wonderful testing results and nice throughput numbers printed on it (I don’t think any company will print bad statistics on their product’s performance anyway). Maybe if I can get my hands on some other UTMS, my view on this will change. I hope…
3). UTMS replacing IDS
We had a discussion about having this UTMS device replace the existing IDS. I strongly object to this kind of approach based on a few factors, one of which is that I strongly advocate that the IDS should remain. The UTMS should remain a preventive device placed at the network perimeter. If any unknown attacks occur, at least we still have the IDS to collect all the necessary information or data that will assist the analyst in dissecting or performing stringent analysis on those attacks. I don’t think it is viable to ask the UTMS to collect all that data. The same mantra: when prevention fails, we still have our detection capability intact.
4). Fail Open?
The most interesting thing is that the device we’ve tested has this capability – bypass. Meaning if this device fails or breaks down, it will let the network traffic bypass this device, inbound or outbound. Cool eh? At least if this UTMS someday decides to kill itself, you can still use your network to browse the internet. Just imagine this situation. Because this wonderful device has so many capabilities in it, you decided to replace your firewalls with this wonder machine. Let’s say we have an attacker who decides to test your firewall (the UTMS in your case) by sending thousands of malformed packets from spoofed sources, coupled with worms as well. Your UTMS reacts frantically, the IPS and anti-virus functions within the UTMS join the party, and in the end your UTMS decides that it is a good time to shut itself down. But because of the wonderful bypass capability this UTMS has, even though the machine is no longer online, traffic can still travel back and forth across your network. For the attacker, since the guard is dead, he can do whatever he wants without any interference from this security device. Cool eh?
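To make the fail-open argument (and the "when prevention fails, detection remains" point from section 3) concrete, here is a small model of the two perimeter designs. This is an added example, not code from the original post or from any UTMS product; the devices, rules and traffic are constructed, and a packet's `spoofed` flag simply stands in for whatever the firewall's lower-layer checks would reject.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    payload: str
    spoofed: bool = False  # constructed flag: a source the firewall's anti-spoof rule rejects

@dataclass
class InlineDevice:
    blocks: object          # predicate: what a *healthy* device would drop
    healthy: bool = True
    fail_open: bool = False # bypass mode: a dead device forwards everything uninspected

    def verdict(self, pkt):
        if not self.healthy:
            return "pass" if self.fail_open else "drop"
        return "drop" if self.blocks(pkt) else "pass"

def run_perimeter(chain, ids_log, traffic):
    """Packets surviving every inline device reach the inside; a passive IDS (ids_log list, None if absent) records them."""
    delivered = []
    for pkt in traffic:
        if all(dev.verdict(pkt) == "pass" for dev in chain):
            if ids_log is not None:
                ids_log.append(pkt)
            delivered.append(pkt)
    return delivered

# Constructed sample traffic: "spoofed sources coupled with worms" as described in the post.
TRAFFIC = [Packet("WORM", spoofed=True), Packet("WORM"), Packet("GET /index.html")]

def firewall():   # lower layers: source-address checks
    return InlineDevice(blocks=lambda p: p.spoofed)

def utm(healthy, fail_open):   # higher layers: content / AV inspection
    return InlineDevice(lambda p: "WORM" in p.payload, healthy, fail_open)

def utm_only_bypassed():
    """UTM replaced firewall and IDS, then died into bypass: packets reaching inside."""
    return len(run_perimeter([utm(healthy=False, fail_open=True)], None, TRAFFIC))

def layered_bypassed():
    """Firewall kept in front, UTM dead in bypass, IDS retained: (delivered, logged by IDS)."""
    log = []
    delivered = run_perimeter([firewall(), utm(healthy=False, fail_open=True)], log, TRAFFIC)
    return len(delivered), len(log)

def layered_fail_closed():
    """Same chain but a dead UTM drops everything: nothing gets in, the outage trade-off."""
    return len(run_perimeter([firewall(), utm(healthy=False, fail_open=False)], [], TRAFFIC))
```

With the UTMS alone in bypass all three packets reach the inside with no record anywhere; with the firewall kept in front the spoofed packet still dies at the firewall and the worm that slips past the dead UTMS is at least captured by the IDS for the analyst.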
There are many more points that I want to post, but since I have a meeting later on, perhaps I’ll just skip those.
Anyway, some of you might not agree with me, and like any other posting I’ve made here, you are free to voice your opinions and views. Maybe I am too sceptical or I view UTMS from the wrong angle. Maybe you can share your experience of using this device with me.
SANS Mentor Program.
Yeah, I’ve received an invitation email from Stephen Northcutt of The SANS Technology Institute to join the SANS Mentor Program. I was invited because I managed to get an acceptable score on my GCIH exam last month. Anyway, I believe a few of my colleagues also received this invitation before, but I have no idea what their response to the invitation was. So I just filled in the online Mentor application form and am waiting for the result. Of course they need to evaluate the applicants, and I don’t think they will simply approve whoever applies for this program.
The purpose of joining this program? Besides seeing this as an opportunity for me to contribute something to our local security industry, perhaps I can also learn other things. Not only on technology or technical matters, but also on soft skills like presentation skills etc. To be honest, I do admire how Ed Skoudis gives his lectures in a way that keeps you listening and not falling asleep. He can write as well, which is another aspect that amazes me. Where does he find the time eh?
Having a UTMS is like having an MPV. Yeah, it’s kind of cost saving, it can carry a lot of people or things around. And having a dedicated IDS, firewall or proxy is kind of like having a Dodge Viper. Not many can tag along, but one thing is for sure: when it comes to performance the Viper will be far ahead of the UTMS.
Regarding the Fail Open: it totally depends on your priority. If security comes second, then who cares. For example, for one weird reason the mail filtering in X organization quarantined an email regarding a USD30M transaction. USD30M is a humongous amount of money, but at that moment X company’s policy was security first and everything else later. But after that incident, their policy changed to money first, security later.
No solution can fit every single organization; in other words there is no silver bullet for every problem. Heck, you can’t save the world man!
Kewl.. But for that email filter thingy, IMHO the company should not have changed their policy though. I think they should respond to that kind of event accordingly. Identify the reason why the email was blocked or quarantined. Is it because of faulty filtering rules? Or did the email perhaps contain documents with malicious macros in them? Or maybe the email was sent in HTML format and some malware like a worm hid itself in between the code.
There are many reasons that may have caused that email to be blocked. So it is time for the security guys to start earning their pay.
We can never save the world but at least we can strive to make her a better place..
I have some of the same concerns about UTM, but in the end, the economics and efficiency will prevail, I think.
Congratulations on the invitation to join the SANS Mentor program. As you say, not everyone that gets invited gets selected, but if you let them know you have a blog, it improves the odds.
Drop me a note if I can help! Stephen Northcutt
Hohoho..
Congrats from me as well..
At least we’re gonna have our own SANS Mentor locally.
Good luck..
What say u bebeh
Thanks for the comment, Mr. Northcutt. About the items that you’ve asked about in the email, I’ll try to find out the solution a.s.a.p.
wa hepi too… congrats