Managed Security Services

Fire-Proofing Your Network With UTM,
Part 2: Deploying a UTM appliance

In Part 2 of our Unified Threat Management series, we illustrate SMB UTM deployment by taking the IBM ISS Proventia MX1004 network multi-function security appliance for a spin.

by Lisa Phifer
VP Core Competence, Inc.
[December 28, 2007]

In Part 1 of this series, we examined the drivers behind Unified Threat Management (UTM): an integrated, network-based approach to snuffing out contemporary security threats. Here, in Part 2, we explain how UTM appliances fit into SMB networks by deploying one entry-level product as an example: the IBM ISS Proventia Network Multi-Function Security MX1004.

Image: the IBM ISS Proventia MX1004 (photo: Internet Security Systems)

Security in a box
UTM firewalls are available today from dozens of vendors, including Astaro, Check Point, Cisco, Crossbeam, eSoft, Fortinet, Juniper, Nokia, Secure Computing, SonicWALL, and WatchGuard. Every UTM offering has its own strengths, but our goal here is not to compare products. Rather, we chose to illustrate SMB UTM with IBM/ISS Proventia because this appliance requires precious little configuration to provide visible pre-emptive network protection.

To help us illustrate UTM, IBM/ISS shipped us the MX1004, an entry-level multi-function network security appliance designed to support up to 100 users. The MX1004 starts at $1,540 for the appliance plus $340 for a Security Content license that includes all services except anti-virus. Enabling the Sophos anti-virus service requires a separate license, priced from $163 for 5 users. Since signature and URL databases must be continually updated to fight new threats, plan to renew both of these licenses annually.

The MX1004 is the baby of the Proventia M-series, sized and priced for remote office / small business networks. Big brother MX3006 can handle 500 users in a mid-size business, while top-of-the-line MX5010 aims at larger networks up to 2500 users. Form factor, hardware resources, and network interfaces differ across the series, but all members support the same security services and are configured through the same local or remote management interfaces.

According to ISS, M-series firewall capacity ranges from 100 Mbps (MX1004) to 1.6 Gbps (MX5010). But, with any UTM product, real-life goodput depends upon the configured policy: every service you switch on adds inspection work per packet. For example, turning on IPS or URL filtering may not noticeably dent M-series performance, but virus scanning, which must reassemble and scan whole files rather than inspect individual packets, drops throughput by roughly 60 percent. When selecting a UTM appliance, it is therefore important to think about not just where the appliance will be placed, but which services it will actually run on that traffic.

Network topology
Small businesses and remote/branch office networks tend to treat UTM appliances as perimeter firewall replacements. A UTM appliance deployed at the network edge not only blocks unauthorized Internet traffic, but also blocks attacks against exposed web servers, strips viruses from downloads and mail, discards spam, foils phishing URLs, and closes the back-channels spyware uses to phone home.

In larger networks, UTM platforms can be used to complement other security systems. For example, a UTM platform can offload e-mail virus and spam filtering from mail servers, letting them focus on the small percentage of messages that appear legitimate. Or a UTM platform can be placed in front of an end user LAN, insulating desktops from spyware without slowing traffic sent to other systems that behave more predictably.

Most firewalls operate as routers, using NAT to hide internal addresses and share one or a few external IPs. Accordingly, most UTM appliances are also used this way, but some can also operate in transparent mode as an in-line layer 2 bridge, inspecting frames that pass between two interfaces without owning an IP hop of its own.

Use transparent UTM to add new defenses without disrupting existing systems. We chose this mode to avoid changing our firewall policies, internal routes, or desktops. We just connected the MX1004's outside interface to our firewall's inside interface, and then connected the MX1004's inside interface to our small office network. Impact was so minimal that users didn't notice UTM until we turned on spam filters.

Use routed UTM to replace an existing network gateway (firewall or router), or when you want to use features that require the appliance to be an IP hop, such as VPN, NAT, or subnet-specific policies. For example, most branch office UTM gateways use VPN tunnels to connect back to central servers at HQ. However, since we chose transparent mode, we could not exercise the MX1004's VPN feature (the MX1004 terminates up to 100 IPsec/L2TP tunnels).


Figure 2-1: Transparent vs. routed/NAT mode
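To make the two placements in Figure 2-1 concrete, here is an added example (not from the article, and not IBM ISS configuration) that builds each topology on a Linux box with iproute2 and nftables. The interface names (eth0 outside, eth1 inside), the 192.0.2.0/24, 203.0.113.0/24 and 192.168.1.0/24 addresses, and the table and chain names are all assumptions. Transparent mode enslaves both interfaces to a bridge and hooks inspection into the bridge forward path, so nothing on either side has to change; routed mode assigns addresses, turns on forwarding and hides the LAN behind NAT. With DRY_RUN=1 the commands are printed instead of executed, so the script can be reviewed without root.

```shell
#!/bin/sh
# Added example: the transparent (bridged) and routed/NAT UTM placements
# of Figure 2-1 as Linux commands. Interface names, addresses, subnets and
# the nftables table/chain names are assumptions, not the appliance's own.

# Execute the command, or print it when DRY_RUN=1 (no root needed).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Transparent mode: OUTSIDE and INSIDE become ports of a layer-2 bridge.
# Neither side changes address or routes; the existing firewall keeps
# doing NAT. Filtering uses the nftables "bridge" family, so every frame
# crossing the box is seen without the box being an IP hop.
transparent_mode() {
    outside=$1; inside=$2; mgmt_ip=$3
    run ip link add name br0 type bridge
    run ip link set dev "$outside" master br0
    run ip link set dev "$inside" master br0
    run ip link set dev "$outside" up
    run ip link set dev "$inside" up
    run ip link set dev br0 up
    # Optional management address lives on the bridge; member ports stay unaddressed.
    run ip addr add "$mgmt_ip" dev br0
    run nft add table bridge utm
    run nft add chain bridge utm forward '{ type filter hook forward priority 0; policy accept; }'
    # Placeholder for where inspection rules (IPS, AV, spam) would hang: count SMTP.
    run nft add rule bridge utm forward ip protocol tcp tcp dport 25 counter
}

# Routed mode: the box becomes the gateway. Each interface gets its own
# address, IP forwarding is enabled, and the LAN is masqueraded behind the
# outside address. This is the mode that also makes VPN termination possible.
routed_mode() {
    outside=$1; inside=$2; wan_ip=$3; lan_ip=$4; lan_net=$5
    run ip addr add "$wan_ip" dev "$outside"
    run ip addr add "$lan_ip" dev "$inside"
    run ip link set dev "$outside" up
    run ip link set dev "$inside" up
    run sysctl -w net.ipv4.ip_forward=1
    run nft add table ip utm
    run nft add chain ip utm postrouting '{ type nat hook postrouting priority 100; }'
    run nft add rule ip utm postrouting ip saddr "$lan_net" oifname "$outside" masquerade
    # Default-deny forward chain: only LAN-initiated sessions and their replies pass.
    run nft add chain ip utm forward '{ type filter hook forward priority 0; policy drop; }'
    run nft add rule ip utm forward ct state established,related accept
    run nft add rule ip utm forward iifname "$inside" oifname "$outside" accept
}

case "${1:-}" in
    transparent) transparent_mode eth0 eth1 192.0.2.10/24 ;;
    routed)      routed_mode eth0 eth1 203.0.113.2/24 192.168.1.1/24 192.168.1.0/24 ;;
esac
```

Run `DRY_RUN=1 sh utm-modes.sh transparent` (or `routed`) to see the exact command list before applying it as root. Note the asymmetry the article describes: the transparent variant never assigns an address to a member port and never touches forwarding or NAT, which is why it can be dropped behind an existing firewall without changing policies or desktops, and also why VPN and subnet-specific NAT policies are only available in the routed variant.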

Selection criteria that apply to firewalls also apply to UTM appliances, including footprint, power consumption, number and type of interfaces, VLAN support, and high availability. In our small office, we used just two of the four available 10/100 Ethernet ports and did not tap the MX1004's active-passive high availability option. However, because we use VLAN tags to isolate guest WLAN and test traffic, the MX1004's lack of VLAN support did limit where we could place it: it could not sit on a trunk link and apply different policies per tagged segment.

Go to page two: Layered Defenses
