"Financial Service Technology America, today's latest financial news now..."
Maximizing Network Security

Every connection to a business network should have protection, and the level of security must meet the same standards and requirements found at the company’s corporate network gateway, or primary gateway. Companies pay most attention to security at the primary gateway because that is the most obvious point to secure, but the fact is that other network gateways, such as remote offices, partner gateways and VPN users, represent potential entry points for an attacker.

In many cases, the highest vulnerability level exists at the branch office because deploying security technologies at remote offices was cost-prohibitive in the past. Many organizations consider themselves safe if their remote offices only access the internet through dedicated leased lines that force all traffic through the primary gateway. This is an expensive measure that does not result in good security for the remote office. First of all, as seen in recent attacks against retail store networks, attackers can infiltrate the remote office itself, through wireless networks, social engineering or other means. Second, attackers could infiltrate the ISP that provides the leased lines, also through social engineering or other means, and without good security at the branch office, attacks from the leased-line network would be impossible to detect.

In the past, good security was too expensive for the remote office, but now, Unified Threat Management (UTM) products have changed that situation. UTMs offer multiple security solutions in a single platform, allowing organizations to beef up security at a much lower price point. The challenge is that not all UTMs are the same, so how do you make sure security is significantly improved?

Price, security capability and throughput

A UTM is a good choice for improving the security level of remote offices and other network gateways, but it is critical that you get the facts on exactly how much “security” you are getting above and beyond a simple firewall. It is important to evaluate each security module in a UTM to make sure you are getting the security you expect. Also make sure you get an answer per model, since some low-end UTMs contain less security capability than their high-end brethren. Good questions to ask are:

  • For Intrusion Prevention, ask: How many vulnerabilities or attacks is the UTM capable of blocking? How many vulnerabilities or attacks does the UTM block by default? Default coverage is one of your best indicators of the quality of the Intrusion Prevention system, since false-positive prone attack signatures are typically turned off by default.
  • For Antivirus, ask: How many viruses/spyware/malware does your UTM detect by default? How effective is behavioral malware detection? What is the false positive rate?
  • For URL Filtering, ask: What is the size of your URL database in number of URLs? How many URLs are updated daily?
  • For Anti-spam, ask: What is the percentage of spam that is blocked with a default policy? What is the false positive rate?
  • If I turn on the security features above, what is the throughput going to be, and what are the performance limitations?
  • Are there any third-party tests validating the information above for each model?
  • If your company has many remote offices, ask the vendor if there are any special central management capabilities or services which will reduce the cost of managing a large number of remote offices.
  • If compliance regulations are one of the reasons you are considering UTM, ask your vendors which compliance requirements they can meet and what materials they have to show how they meet those requirements. 

Remember that the reason you are considering a UTM is to improve security significantly above a firewall only, so be sure you are getting the extra security you expect.

Matthew Ward is the Business Line Manager for the Proventia Multi-Function Security appliance product line for IBM Internet Security Systems. Ward is responsible for defining and delivering revenue-generating products and functionality based upon an in-depth understanding of prospect and customer problems related to the deployment and management of network security products.

