What is UTM
A firewall is a network security appliance, but what it can control is limited to layer 4: it controls communication based on source and destination IP addresses and TCP/UDP port numbers.
In recent years, however, various additional countermeasures such as anti-virus have become necessary, and investing in a separate product for each security measure is not efficient.
This is where UTM (Unified Threat Management) comes in. In addition to the conventional firewall function, a UTM provides various security functions such as anti-virus, IPS, anti-spam, and URL filtering. It is a security product in which the necessary functions can be enabled when they are needed by adding licenses.
A UTM has four main functions.
Anti-virus
Detects and blocks viruses in HTTP, mail, and file-sharing communication. Most detection is signature-based, but countermeasures against zero-day attacks using a sandbox (behaviour detection) are increasingly common.
Anti-spam
Detects spam mail and tags or quarantines it.
Detections are reported to the administrator through logs. Tagging adds a marker to the mail subject so that it draws the recipient's attention and can be routed to a spam folder. Quarantine stores the mail on the UTM's own HDD, where the end user can log in and view the quarantined mail.
Web content filter / URL filter
Restricts access to undesirable websites.
IPS / IDS
Detects and blocks malicious traffic that targets known vulnerabilities, as well as traffic from undesirable software (P2P, etc.).
Decrypt SSL / TLS
Of the functions above, anti-virus and IPS/IDS cannot inspect encrypted communication (HTTPS and other SSL/TLS traffic, SSH, etc.). Therefore, where necessary, a function is often implemented that decrypts the communication, inspects it, and passes it through if no problem is found.
There are two patterns of decryption:
- Install the server's private key on the UTM. This method is used mainly to protect in-house servers, where the private key is available. The disadvantage is that the private key, the most sensitive security element, has to be extracted from the server and managed in two places.
- Relay the encrypted communication (operate as a proxy). This method is used when you want to control communication to external HTTPS servers and the like, where the private key is not available. The disadvantage is that a warning screen will certainly appear in the browser, because the certificate presented for the URL the browser is communicating with is a different certificate (one installed on the UTM).
For URL filtering over HTTP, the filter looks at the Host field in the HTTP header and the path that follows the GET command; with HTTPS, however, the HTTP header cannot be seen because it is encrypted.
However, during the negotiation that precedes encryption, it is possible to read the Common Name of the server's digital certificate and identify the communication destination from it. It is therefore possible to decide whether to filter the connection without decrypting it.
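As an added example that is not part of the original article, the following Python code shows the decision described above: reading the destination hostname from the cleartext part of the TLS handshake and applying a block list without decrypting anything. It goes slightly beyond the text by using the Server Name Indication (SNI) extension of the ClientHello, which, like the certificate Common Name in TLS 1.2, is sent before encryption begins (in TLS 1.3 the certificate is encrypted but SNI is still visible). The ClientHello bytes and the block list are constructed for this example.

```python
import struct
BLOCKED_HOSTS = {"blocked.example"}   # constructed block list for this example

def sni_from_client_hello(rec: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None."""
    try:
        # TLS record header: type(1) version(2) length(2); 0x16 = handshake
        if rec[0] != 0x16:
            return None
        hs = rec[5:5 + struct.unpack("!H", rec[3:5])[0]]
        # Handshake header: msg_type(1) length(3); 0x01 = ClientHello
        if hs[0] != 0x01:
            return None
        p = 4 + 2 + 32                                 # skip client_version + random
        p += 1 + hs[p]                                 # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
        p += 1 + hs[p]                                 # compression_methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]   # extensions block
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            body, p = hs[p + 4:p + 4 + ext_len], p + 4 + ext_len
            if ext_type == 0:                          # server_name extension (RFC 6066)
                q = 2                                  # skip ServerNameList length
                while q + 3 <= len(body):
                    ntype, nlen = body[q], struct.unpack("!H", body[q + 1:q + 3])[0]
                    if ntype == 0:                     # name_type host_name
                        return body[q + 3:q + 3 + nlen].decode("ascii", "replace")
                    q += 3 + nlen
    except (IndexError, struct.error):                 # truncated or malformed record
        pass
    return None

def filter_decision(rec: bytes) -> str:
    host = sni_from_client_hello(rec)                  # taken from cleartext, no decryption
    if host is None:
        return "inspect"       # no hostname visible: fall back to decryption or other policy
    return "block" if host in BLOCKED_HOSTS else "allow"

def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (sample input)."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    sni = struct.pack("!H", len(entry)) + entry                    # ServerNameList
    ext = struct.pack("!HH", 0, len(sni)) + sni                    # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                   # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                    # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake message: ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record: handshake, legacy version
```

A real deployment would also parse the server's Certificate message for the Common Name as the article describes, but the policy step is the same: decide from what the handshake exposes before encryption starts.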