NS0-175 learn - Cisco and NetApp FlexPod Design Specialist Updated: 2023

What is unified threat management?

Unified threat management is an all-in-one security implementation that helps protect businesses from online security risks. A UTM solution includes features like network firewalls, antivirus software, intrusion detection and virtual private networks. Many businesses may prefer UTM software platforms, but hardware options, such as dedicated firewalls and router networking devices, are also available.

By implementing a UTM program throughout your organization, you provide a single security source for all of your information technology (IT) needs that can scale as your business grows. 

Why is unified threat management important?

By its very nature, technology is constantly changing. Unfortunately, this includes cybercrime; as technology progresses and we become more connected, the number of threats keeps growing. 

A business can’t predict when or how the next data breach will occur. It could be through a text, email, pop-up ad, or even a vulnerability in your business website. 

This unpredictability is why it’s critical to implement a comprehensive UTM program throughout your organization. A UTM is like a cybersecurity force guarding against the most common vulnerabilities hackers could exploit. By essentially guarding every virtual entry point, a UTM is a great preventive security measure for any business.

Why is unified threat management necessary?

The history of information security and palliative technologies goes back to the 1980s, when perimeter security (through firewalls and screening routers) and malware protection (primarily in the form of early antivirus technologies) became available. 

As threats evolved in sophistication and capability, other elements to secure business networks and systems became available. These solutions include email checks, file screening, phishing protection, and allow lists and block lists for IP addresses and URLs.

From the mid-’90s to the first decade of the 21st century, there was an incredible proliferation of point solutions to counter specific threat types, such as malware, IP-based attacks, distributed denial-of-service (DDoS) attacks, and rogue websites with drive-by downloads. This explosion led to an onslaught of data security software and hardware designed to counter individual threat classes. 

Unfortunately, a collection of single-focus security systems lacks consistent and coherent coordination. There’s no way to detect and mitigate hybrid attacks that might start with a rogue URL embedded in a tweet or email message, continue with a drive-by obtain when that URL is accessed, and really get underway when a surreptitiously installed keylogger teams up with timed transmissions of captured data from a backdoor uploader. 

Worse yet, many of these cyberattack applications are web-based and use standard HTTP port addresses, so higher-level content and activity screening is necessary to detect and counter unwanted influences. 

What does a unified threat management solution include?

The basic premise of UTM is to create powerful, customized processing computer architectures that can handle, inspect, and (when necessary) block large amounts of network traffic at or near wire speeds. It must search this data for blacklisted IP addresses, inspect URLs for malware signatures, look for data leakage, and ensure all protocols, applications, and data are benign. 

Typical UTM solutions usually bundle various functions, such as the following.

• Proxy services: Proxy services block revealing details of internal IP addresses on networks and examine communications and data transfers at the application level.
• Stateful packet inspection: Stateful packet inspection distinguishes legitimate network communications from suspect or known malicious communication forms.
• Deep packet inspection: Deep packet inspection (DPI) enables network packets’ data portion or payload to be checked. This protects against malware and permits data checks to block classified, proprietary, private, or confidential data leakage across network boundaries. This kind of technology is called data loss prevention (DLP). DPI technology also supports all kinds of content filters.
• Real-time packet decryption: Real-time packet decryption exploits special hardware (which essentially reproduces software programs in the form of high-speed circuitry to perform complex data analysis) to permit deep inspection at or near network wire speeds. This lets you apply content-level controls even to encrypted data and to screen such data for policy compliance, malware filtering, and more.
• Email handling: Email handling includes malware detection and removal, spam filtering, and content checks for phishing, malicious websites, and blacklisted IP addresses and URLs.
• Intrusion detection and blockage: Intrusion detection and blockage observes incoming traffic patterns to detect and respond to DDoS attacks, as well as more nuanced and malicious attempts to breach network and system security or obtain unauthorized access to systems and data.
• Application control: Application control (or filtering) observes applications in use – especially web-based applications and services – and applies security policies to block or starve unwanted or unauthorized applications from consuming network resources or accomplishing unauthorized access to (or transfer of) data.
• Virtual private network: The best VPN services let remote users establish secure private connections over public network links (including the internet). Most organizations use this technology to protect network traffic en route from sender to receiver.

Modern UTM systems incorporate all these functions and more by combining fast special-purpose network circuitry with general-purpose computing facilities. The custom circuitry that exposes network traffic to detailed and painstaking analysis and intelligent handling does not slow down benign packets in transit. It can, however, remove suspicious or questionable packets from ongoing traffic flows, turning them over to scanners or filters. 

The UTM agency can then perform complex or sophisticated analyses to recognize and foil attacks, filter out unwanted or malicious content, prevent data leakage, and ensure security policies apply to all network traffic.

Unified threat management providers

UTM solutions usually take the form of special-purpose network appliances that sit at the network boundary, straddling the links that connect internal networks to external networks via high-speed links to service providers or communication companies.

By design, UTM devices coordinate all aspects of a security policy, applying a consistent and coherent set of checks and balances to incoming and outgoing network traffic. Most UTM device manufacturers build their appliances to work with centralized, web-based management consoles. This lets network management companies install, configure and maintain UTM devices for their clients. 

Alternatively, IT managers and centralized IT departments can take over this function. This approach ensures that the same checks, filters, controls, and policy enforcement apply to all UTM devices equally, avoiding the gaps that the integration of multiple disparate point solutions (discrete firewalls, email appliances, content filters, virus checkers, and so forth) can expose.

Top UTM providers

These are some of the most respected UTM providers:

• FortiGate Next-Generation Firewall (NGFW): Offering comprehensive online security features, FortiGate NGFW stands out with its ease of use, scalability, and support. By consolidating multiple security services within a single platform, FortiGate reduces security costs and improves risk management, while the automated threat protection prevents common attacks like ransomware, command-and-control, and other firewall incidents.
• Check Point Next-Generation Firewall: Designed to provide versatile, intuitive online protection, Check Point NGFWs can perform more than 60 security services through a single dashboard. Check Point NGFWs come with the proprietary SandBlast Zero-Day Protection, which uses CPU-based threat detection to identify zero-day attacks sooner, and can scale on demand. With unified security management across your networks, clouds, and Internet of Things devices, Check Point NGFWs are an efficient UTM solution.
• WatchGuard Firebox: Catering to SMBs and distributed enterprises, WatchGuard Network Security’s Firebox is a complete security platform that doesn’t sacrifice the user experience. Equipped with a powerful firewall, antivirus services, spam and content filters, and many other security features, WatchGuard Firebox is a complete UTM platform that’s ready to use right out of the box. 

How to choose the right UTM provider

When choosing a business UTM solution, you should seek the standard functions described above as well as these more advanced features: 

• Support for sophisticated virtualization technologies (for virtual clients and servers, as well as virtualized implementations for UTM appliances themselves)
• Endpoint controls that enforce corporate security policies on remote devices and their users
• Integrated wireless controllers to consolidate wired and wireless traffic on the same device, simplifying security policy implementation and enforcement, and reducing network complexity

Advanced UTM devices must also support flexible architectures whose firmware can be easily upgraded to incorporate new means of filtering and detection and to respond to the ever-changing threat landscape. UTM makers generally operate large, ongoing security teams that monitor, catalog, and respond to emerging threats as quickly as possible, providing warning and guidance to client organizations to avoid exposure to risks and threats.

Some of the best-known names in the computing industry offer UTM solutions to their customers, but not all offerings are equal. Look for solutions from reputable companies like Cisco, Netgear, SonicWall and Juniper Networks. You’re sure to find the right mix of features and controls to meet your security needs without breaking your budget.

IT InfoSec certifications that address UTM

As a visit to the periodic survey of information security certifications at TechTarget’s SearchSecurity confirms, more than 100 active and ongoing credentials are available in this broad field. However, not all of the best IT certifications address UTM directly or explicitly. 

While no credential focuses exclusively on UTM, some of the best InfoSec and cybersecurity certifications cover UTM aspects in their exam objectives or the associated standard body of knowledge that candidates must master:

• ISACA Certified Information Systems Auditor (CISA)
• Cisco security certifications – CCNA Security, CCNP Security, CCIE Security
• Juniper security certifications – JNCIS-SEC, JNCIP-SEC, JNCIE-SEC, JNCIA-SEC
• (ISC)2 Certified Information Systems Security Professional (CISSP)
• SANS GIAC Certified Incident Handler (GCIH)
• SANS GIAC Certified Windows Security Administrator (GCWN)
• Global Center for Public Safety certifications (CHPP and CHPA Levels I-IV)

Of these credentials, the generalist items (such as CISA, CISSP, and CHPP/CHPA) and the two SANS GIAC certifications (GCIH and GCWN) provide varying levels of coverage on the principles of DLP and the best practices for its application and use within the context of a well-defined security policy. 

Out of the above list, the CISSP and CISA are the most advanced and demanding certs. The Cisco and Juniper credentials concentrate more on the details of specific platforms and systems from vendors of UTM solutions.

With the ever-increasing emphasis on and demand for cybersecurity, any of these certifications – or even entry-level cybersecurity certifications – can be a springboard to launch you into your next information security opportunity.

Eduardo Vasconcellos contributed to the writing and research in this article.