How UTM Solutions Provide the
Most Complete Security at the Best Price
A Business Overview
July 2010
THE THREAT IS EVOLVING
Keeping corporate networks safe is more challenging every year, and network security has become one of
the most critical issues facing businesses today. New and ever-changing threats appear with alarming
regularity, and no organization is immune from risk. In the early days of the Internet, Internet security was
primarily about protecting your servers from bored teenagers who were writing malicious code to impress
their friends. Today, the threat has evolved and attacks are much more sophisticated. A few years ago,
malware was primarily delivered via simple email attachments, but now infections are just as likely to
spread from compromised websites.
Online crime is now organized and financially motivated, especially in countries like Russia and Ukraine,
where it can be difficult to make a successful prosecution against known criminals. An elaborate supply
chain has developed with criminals focusing in their particular area of expertise. Developers buy
vulnerability information and then write sophisticated malware-generation programs like Neosploit, which
are then sold on to attackers. Some hackers specialize in writing phishing emails to scam innocent
consumers, whereas others make a market in the sale of stolen credit cards. Shadowy organizations like the
Russian Business Network provide hosting solutions for cybercrime and phishing scams, guaranteeing that
illicit websites will remain reachable, avoiding law enforcement efforts to shut them down.
The most recent Data Breach Investigations Report by Verizon reported that over 285 million records were
compromised in 2008, the majority of which were credit card data. Major data breaches like Hannaford
Brothers Co., TJ Maxx, and Heartland Payment Systems in the United States have made headlines. In
August 2009, many of the technical details of these breaches became public when a Miami man, Albert
Gonzalez, and two Russian hackers were indicted for these crimes. SQL injections (see table below) were
the key vector of attack. 1
1 Hacker charged with Heartland, other breaches; Robert Lemos, SecurityFocus, 2009-08-18,
http://www.securityfocus.com/news/11557
WatchGuard Technologies
www.watchguard.com
Attacks Can Take Many Forms
When a network is breached by intruders, a Denial of Service (DoS) attack, or a malicious virus, the entire
organization becomes vulnerable. This can leave a company’s operational resources, customer data,
proprietary tools and technologies, and intellectual capital in danger of being stolen, misused, or vandalized
by third parties. Network attacks can take many forms, as this table shows.
TYPES OF NETWORK ATTACKS
Network Intrusion
In an intrusion scenario, a hacker with no access privileges attempts to penetrate a network remotely for
malicious purposes. Some of the more common intrusion types include SQL injection and cross-site
scripting.
SQL injection – an attack that is essentially the insertion of SQL characters in the input fields of a
web application in order to execute the attacker's choice of SQL query on the victim's backend
database. Albert Gonzalez used SQL injection in the high profile compromises of Hannaford
Brothers and Heartland Payment Systems.
Cross-site scripting (XSS) – another attack performed through web browsers that takes advantage
of poorly-written web applications. One common form is for an attacker to trick a user into clicking on
a specially crafted, malicious hyperlink. The link appears to lead to an innocent site, but the site is
actually the attacker's, and includes embedded scripts. Typically, it collects data the victim might
enter, such as a credit card number or password.
DoS/DDoS Attacks
In a DoS attack, targeted systems or networks are rendered unusable, often by monopolizing system
resources. A Distributed Denial of Service (DDoS) involves many computer systems – possibly hundreds
to hundreds of thousands – all sending traffic to a few specific targets. Major sites such as Facebook and
Twitter were taken down by Denial of Service attacks in the summer of 2009.
Viruses and Worms
A virus is a computer program that infects other programs with copies of itself, but which is transferred
from system to system by some outside mechanism such as email. A virus executes and does its
damage when the program it has infected executes. This is distinct from a worm, which is a computer
program that is capable of repeatedly copying itself to other computer systems. Worms can carry viral
code.
Adware and Spyware
Adware is a software application which installs itself, often without the user's permission, and displays
advertising banners while the program is running. These may appear as pop-up windows or as a bar on
the computer screen. Adware may also change browser properties such as the homepage. Spyware
is similar to adware but often does not reveal its presence by pop-ups or other means. It uses code to
track a user's personal information and pass it on to third parties without the user's authorization or
knowledge.
Rootkits
A rootkit embeds itself into an operating system and intercepts commands that other programs use to
perform basic functions, like accessing files on the computer's hard drive. It hides between the operating
system and the programs that rely on it, controlling what those programs can see and do.
DNS Poisoning
Domain Name System (DNS) servers are duped into re-directing traffic originally heading to a benign
destination to a malicious website instead.
Botnet
Many of these attacks emanate from large networks of innocent computers, known as botnets, which
have been compromised with malicious code. The attacker (the botherder) remotely controls these
zombie or slave computers through a communication channel, such as Internet Relay Chat (IRC), P2P,
or HTTP, and even HTTPS, and uses them to launch coordinated attacks. 2
2 WatchGuard offers an excellent white paper on understanding botnets, available at
http://www.watchguard.com/infocenter/whitepapers/botnet.asp
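The SQL injection entry in the table describes SQL characters typed into a web form becoming part of the query the application runs. The following Python example is added here (it is not from the white paper or from WatchGuard) and shows that defect beside the fix a developer applies: the vulnerable login function splices user input into the query text, while the hardened one uses a parameterised query so the same input is treated purely as data. The users table and the inputs are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample database: a minimal users table (not from the paper)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting. Any quote or SQL syntax in the
    input becomes part of the SQL text, which is the defect the table describes."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return sorted(row[0] for row in conn.execute(query))


def login_hardened(conn, username, password):
    """Parameterised query: the driver sends the values separately from the SQL
    text, so input can never change the structure of the statement."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


def demo():
    """Run both versions against a normal login and against an input that
    contains SQL characters; returns the rows each version matched."""
    conn = make_db()
    normal = ("alice", "s3cret")
    # Constructed input containing SQL characters: the vulnerable query turns the
    # password check into a tautology and matches every user; the hardened
    # query looks for that literal string as a password and matches nobody.
    crafted = ("alice", "x' OR '1'='1")
    return {
        "vulnerable_normal": login_vulnerable(conn, *normal),
        "vulnerable_crafted": login_vulnerable(conn, *crafted),
        "hardened_normal": login_hardened(conn, *normal),
        "hardened_crafted": login_hardened(conn, *crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20} -> {rows}")
```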
Networks become vulnerable every time a business experiences growth and change. As networks become
more complex and are expected to do more to support and drive business objectives, a simple firewall is not
capable of providing the security your network needs. This is where a unified threat management (UTM)
solution can be the answer. Also known as multi-function firewalls, UTM combines many security
technologies into one easy-to-manage appliance.
It’s Not Just Large Corporations
Major corporations and brand names most often make the headlines, but small businesses and
government agencies are vulnerable too.
• An August 2009 article in the Washington Post, “European cyber-gangs target small US
firms”, details losses from recent attacks. 3
• Cyber criminals stole $750,000 from a school district near Pittsburgh.
• Unique Industrial Product Co., a Texas plumbing equipment supply company, lost $1.2
million when attackers planted malware on corporate computers to initiate 43 transfers out of
the company account within 30 minutes. Most of the stolen funds went directly to Eastern
Europe.
• A Maine construction company is suing a bank for not taking adequate precautions that could
have prevented cyber thieves from stealing more than half a million dollars from the
company's account.
• Unhappy with government plans to apply filtering and censorship to the Internet, an
anonymous group organized a coordinated DDoS attack against the Attorney General and
other state agencies in Australia. 4
WHY UNIFIED THREAT MANAGEMENT?
Unified threat management appliances, also known as multi-function firewalls, have evolved from
traditional firewall and VPN appliances into products that have many additional capabilities, such as URL
filtering, spam blocking, spyware protection, intrusion prevention, gateway antivirus, and a centralized
management, monitoring, and logging function. Traditionally, these functions were handled by multiple
systems.
Unified Threat Management Solutions Are Cost-effective
Integrating multiple security capabilities into a single appliance means that you can purchase and use fewer
appliances, eliminating the cost of building layered security with separately purchased solutions. Aside
from the bundled price advantages, organizations find it easier to have one vendor to deal with for
purchasing, support, and ongoing maintenance.
Stops Attacks at the Network Gateway to Keep Your Business Moving
The multi-functional security approach offered by UTM appliances lets you avert catastrophe by blocking a
broad range of network threats before they have the opportunity to enter your network. For example,
malicious code will not have the opportunity to disable security at the desktop or server level. Your
business-critical files and applications remain available to keep your staff on the job.
3 More examples can be found at: http://www.washingtonpost.com/wpdyn/content/article/2009/08/24/AR2009082402272.html?hpid=topnews
4 http://www.computerworld.com.au/article/318011/pm_site_suffers_anonymous_ddos_attack
Easy to Set Up and Use
Having separate security systems means different management consoles to configure for each system.
Because the management paradigms of these systems are typically very different, it can be time-consuming
to make sure the different security policies on each system work together and provide adequate protection.
In addition, log information from each system will be stored in different formats in different locations,
making detection and analysis of security events difficult.
Whether you are an IT expert or a security novice, a UTM solution with centralized management,
monitoring, and logging provides indispensable ease of use for configuring and managing your security. A
UTM solution makes it easy to build coherent security policies, simplifies administration tasks such as log
file management, auditing, and compliance reporting, and lowers operational costs when compared with the
complexity of setting up separate security systems to defend against various specific threats.
ZERO DAY PROTECTION
Signatures Are Only Part of the Solution
Signature-based solutions, for years the mainstay of every network security arsenal, use a database of
known signature files to identify and block malicious traffic before it enters a network. They provide
protection against threats such as trojans, buffer overflows, arbitrary execution of malicious SQL code,
instant messaging and peer-to-peer usage (such as Napster, Gnutella, and Kazaa), and policy violations.
Once an exploit threat has been unleashed and identified however, it can take anywhere from a few hours to
a few weeks for corresponding signature files to become available for download. This security “downtime”
creates a window of vulnerability during which networks are open to attack.
In today's dynamic threat environment, with thousands of new threats released every year, and worms able
to propagate across the world in a few minutes, signatures are often not available soon enough. Many
signature databases are doubling in size every year as the security companies continue to keep up with the
explosive growth in malware. Security architects have recognized that this is a trend that cannot continue
indefinitely and more focus is now being placed on developing defensive techniques that are not based on
signatures alone.
WATCHGUARD UNIFIED THREAT MANAGEMENT
An Efficient Layered Approach
Although hundreds of new attacks are developed each year, the majority of these attacks fall into a few
major classes. WatchGuard offers a layered security approach that provides zero day protection, designed
to protect against these major classes of attacks. In many cases the WatchGuard UTM can offer protection
against a brand new attack without requiring any updates or configuration changes.
The WatchGuard family of UTM appliances provides powerful protection for growing enterprises,
defending against both known and unknown attacks, and giving maximum protection while minimizing
impact on network performance.
As shown in the diagram above, the WatchGuard architecture consists of different security layers working
cooperatively with one another to dynamically detect, block, and report on malicious traffic while passing
benign traffic through as efficiently as possible. Each layer performs different security functions. Zero day
protection is a consistent theme throughout the different layers.
Deep Packet Inspection
The Deep Packet inspection level provides full layer 7 proxy inspection of the network traffic. Traffic is
filtered before it is passed on to the additional UTM services, and several defenses are provided:
Protocol Anomaly Detection – Internet standards for data traffic are enforced to detect and block nonconforming traffic and isolate threats.
Behavioral Analysis – Hosts exhibiting suspicious behaviors are identified and potential denial of
service attacks can be blocked.
Pattern Matching – High-risk file types known to propagate viruses or attacks are flagged and deleted
before they enter your network.
Data flows smoothly while traffic is scanned, and viruses, worms, spyware, trojans, and other malicious
attacks are proactively blocked at the edge of your network.
Application Blocking
The application-blocker feature is used to prevent services such as AIM, Yahoo, IRC, and MSN
Messenger. This protects against IM-based security threats, including exploits which allow the attacker to
gain control of a machine running an IM client, and infections by viruses transferred in files over IM.
Peer-to-Peer (P2P) applications such as Napster, GNUtella, Kazaa, BitTorrent, Winny, and eDonkey2000
can also be blocked. Peer-to-Peer presents two problems. First, it uses up valuable bandwidth that is better
used for business purposes. Second, it is a well-known vector for transmitting spyware (Kazaa in
particular).
Boost Protection with Security Service Subscriptions
The UTM suite of security subscriptions builds on the core firewall functionality by providing additional
security services to boost protection in critical attack areas.
Gateway AntiVirus
Gateway AntiVirus identifies and blocks worms, spyware, and trojans from entering your network and
executing dangerous payloads. The Gateway AV service is very efficient – only scanning files not blocked
by the pattern-matching capabilities, greatly reducing the number of files which need to be scanned.
Gateway AntiVirus is complementary to existing desktop and server solutions. Indeed, it’s a good idea to
have a different antivirus vendor on the gateway vs. at the desktop to provide a second-level check. The
GAV solution does not just look for email-borne viruses, it can also be used to analyze traffic over HTTP,
FTP, and all other major protocols. WatchGuard uses the AVG engine, which is rated very highly in Virus
Bulletin reviews. 5 Signature delivery is automatic, and signature update checks can be programmed for any
desired interval, including every hour. All significant compression/decompression algorithms are
supported, including ZIP, RAR, TAR, GZIP, ARC, and CAB files.
Consistent with the zero day protection philosophy, WatchGuard GAV does not rely on signatures alone.
Static Heuristic analysis looks for suspicious data constructions in code that are typical of viruses. Dynamic
Heuristic analysis uses code emulation to weed out malicious content. Executable code is started inside the
protected environment of a virtual computer within the engine, and analyzed for actions typical for viruses.
The GAV service can be used to provide both inbound and outbound virus protection. For example, if an
infected USB stick is connected to a laptop, the WatchGuard GAV can prevent the spread of this malware
through the internal network.
Reputation Enabled Defense
Reputation Enabled Defense delivers a secure web browsing experience through a reputation service that
scores URLs as good, bad, or unknown. URLs with bad reputations are immediately blocked, while URLs
with good reputations are passed through without further AV scanning, for substantial gains in web
processing time. In fact, with Reputation Enabled Defense, the typical savings in web processing overhead
can be 30% to 50%, resulting in faster browsing times and greater throughput at the gateway.
The reputation service relies on a powerful, cloud-based reputation database that aggregates data from
multiple feeds, including industry-leading anti-virus engines. Harnessing threat intelligence from millions
of users worldwide, Reputation Enabled Defense offers a layer of protection that acts as a powerful first
line of defense from web threats. Continuous updates to the reputation database allow it to stay current with
dynamic web content and changing web conditions for real-time protection – no waiting for hourly or daily
updates to be sent to you. And reputation scores are determined for specific URLs, not just the site or IP
address.
By preempting threats before they enter the network, Reputation Enabled Defense helps reduce computing
overhead incurred by anti-virus scanning, and helps speed delivery of approved content. In essence,
WatchGuard takes web security beyond the appliance and network, using the cloud to assist with the
burden of AV scanning.
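The ordering described above (pattern matching deletes high-risk file types before Gateway AV sees them, and Reputation Enabled Defense blocks bad URLs and passes good ones without an AV scan, so only unknown content is scanned) is easy to lose sight of in prose. The following Python example is added here to make the decision flow concrete; it is not WatchGuard code, and the reputation feed, the high-risk extension list, the "signature" byte pattern and the traffic sample are all constructed, so the savings figure it prints reflects that sample rather than the 30% to 50% the paper quotes for real traffic.

```python
from dataclasses import dataclass
from urllib.parse import urlparse
import posixpath

# Constructed reputation feed, keyed by full URL (scores are per URL, not per
# site). Anything not listed is treated as "unknown".
REPUTATION = {
    "http://news.example.com/index.html": "good",
    "http://news.example.com/static/app.js": "good",
    "http://cdn.example.net/downloads/tool.zip": "unknown",
    "http://malware.example.org/dropper.bin": "bad",
    "http://partner.example.com/report.pdf": "unknown",
}

# Constructed pattern-matching policy: file types deleted before any AV scan.
HIGH_RISK_EXT = {".exe", ".scr", ".pif"}

# Constructed stand-in for a signature database: byte pattern -> detection name.
SIGNATURES = {b"CONSTRUCTED-MALWARE-MARKER": "Constructed.Test.Marker"}


@dataclass
class Stats:
    total: int = 0
    av_scans: int = 0

    def av_savings_pct(self):
        """Share of responses that never reached the AV engine."""
        if not self.total:
            return 0.0
        return 100.0 * (self.total - self.av_scans) / self.total


def lookup_reputation(url):
    return REPUTATION.get(url, "unknown")


def high_risk_type(url):
    ext = posixpath.splitext(urlparse(url).path)[1].lower()
    return ext in HIGH_RISK_EXT


def av_scan(body):
    """Simulated signature scan; returns the detection name or None."""
    for pattern, name in SIGNATURES.items():
        if pattern in body:
            return name
    return None


def inspect(url, body, stats, log):
    """Gateway verdict for one HTTP response, in the order the paper describes:
    reputation first, then pattern matching, then AV only for what is left."""
    stats.total += 1
    rep = lookup_reputation(url)
    if rep == "bad":
        verdict, reason = "BLOCK", "reputation=bad"
    elif rep == "good":
        verdict, reason = "ALLOW", "reputation=good (AV skipped)"
    elif high_risk_type(url):
        verdict, reason = "DROP", "pattern-match: high-risk file type"
    else:
        stats.av_scans += 1
        hit = av_scan(body)
        verdict, reason = ("BLOCK", f"gateway-av: {hit}") if hit else ("ALLOW", "gateway-av: clean")
    log.append(f"{verdict:5} {url} [{reason}]")
    return verdict


def run_sample():
    """Run the constructed traffic sample; returns verdicts, counters and log lines."""
    traffic = [  # constructed (url, response body) pairs
        ("http://news.example.com/index.html", b"<html>news</html>"),
        ("http://news.example.com/static/app.js", b"console.log(1)"),
        ("http://cdn.example.net/downloads/tool.zip", b"PK\x03\x04 harmless archive"),
        ("http://malware.example.org/dropper.bin", b"CONSTRUCTED-MALWARE-MARKER"),
        ("http://partner.example.com/report.pdf", b"%PDF-1.4 CONSTRUCTED-MALWARE-MARKER"),
        ("http://malware.example.org/update.exe", b"MZ..."),
    ]
    stats, log = Stats(), []
    verdicts = {url: inspect(url, body, stats, log) for url, body in traffic}
    return verdicts, stats, log


if __name__ == "__main__":
    verdicts, stats, log = run_sample()
    print("\n".join(log))
    print(f"AV scans avoided: {stats.av_savings_pct():.1f}% of {stats.total} responses")
```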
5 Independent lab testing found AVG to have a greater than 90% reactive detection rate. Virus Bulletin RAP test results,
Feb-Aug 09, www.virusbtn.com
Intrusion Prevention
WatchGuard Intrusion Prevention Service (IPS) provides in-line protection from attacks that comply with
protocol standards but carry malicious content. It is a signature-based service designed to protect against a
broad range of attacks including cross-site scripting, buffer overflows, and SQL injections.
There are over 15,000 signatures across a range of protocols. Each signature has an associated severity
level, and users can specify different responses depending on the severity of the threat:
• Autoblock adds the offending site to the blocked senders list, disabling all future communication
from that IP address
• Drop the connection
• Allow the transaction (with or without logging)
The IPS can also detect and block outbound spyware communication to malicious hosts, preventing
sensitive data from being sent out by spyware programs. This activity can be logged or alerted on so that
the system administrator can identify and remediate infected machines.
The WatchGuard proprietary intrusion prevention engine integrates tightly with other functions, reducing
false positives and speeding execution while producing alarms and comprehensive log information. If
necessary, specific signatures can be excluded. Common Vulnerabilities and Exposures (CVE) names are
provided when relevant, making it easier to reference and share data across separate network security tools.
Anti-Spam with Virus Outbreak Detection
More and more spam/malware is being sent across the Internet, and more rapidly than ever before. The
statistics are astonishing:
• 85-90% of all email is spam/malware
• 85% of unwanted mail is sent by zombies/bots
• 4 million new spam attacks are launched every day
The security industry has struggled for years to combat the spam problem. Solutions that designate spam
based on the email content are ineffective because there are so many ways for spammers to hide or
obfuscate content (V I @ G R A, \./iagra, Viiagra, V?agr?, V--i--a--g--r-a, V!agra, etc.).
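To make the point above tangible, here is an added Python example (not WatchGuard's or Commtouch's code) of the kind of normalisation a content-based filter has to do just to recognise the variants listed: it undoes symbol swaps, drawn glyphs, separators and doubled letters, then matches with a wildcard or one edit of slack. It treats "?" in "V?agr?" as a wildcard (an assumption), and the extra inputs (a Cyrillic homoglyph variant that slips through and a legitimate misspelling of "Niagara" that gets flagged) are constructed to show why this is a losing, false-positive-prone game.

```python
import re

# Constructed table of common symbol-for-letter swaps; spammers rotate these.
SUBSTITUTIONS = {"@": "a", "!": "i", "1": "i", "|": "l", "$": "s", "0": "o", "3": "e"}
# Glyphs drawn from punctuation, e.g. "\./" standing in for "v".
MULTI_CHAR = [("\\./", "v"), ("\\/", "v")]


def normalize(token):
    """Undo the obfuscations the paper lists: case, drawn glyphs, symbol swaps,
    separator characters and doubled letters. '?' is kept as a wildcard."""
    t = token.lower()
    for pat, rep in MULTI_CHAR:
        t = t.replace(pat, rep)
    t = "".join(SUBSTITUTIONS.get(c, c) for c in t)
    t = re.sub(r"[^a-z?]", "", t)     # drops spaces, dashes and non-ASCII letters
    t = re.sub(r"(.)\1+", r"\1", t)   # "viiagra" -> "viagra" (heuristic)
    return t


def wildcard_match(pattern, word):
    """Same length, with '?' matching any single letter."""
    return len(pattern) == len(word) and all(
        p == "?" or p == w for p, w in zip(pattern, word))


def levenshtein(a, b):
    """Edit distance, used to tolerate one dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_spam_token(token, keyword="viagra", max_dist=1):
    n = normalize(token)
    return wildcard_match(n, keyword) or levenshtein(n.replace("?", ""), keyword) <= max_dist


PAPER_VARIANTS = ["V I @ G R A", r"\./iagra", "Viiagra", "V?agr?", "V--i--a--g--r-a", "V!agra"]
HOMOGLYPH_EVASION = "V\u0456\u0430gr\u0430"   # constructed: Cyrillic i and a look-alikes
LEGIT_MISSPELLING = "Niagra"                  # constructed: one edit from the keyword


def demo():
    """Classify the paper's variants plus the two constructed edge cases."""
    return {
        "paper_variants_caught": all(is_spam_token(v) for v in PAPER_VARIANTS),
        "homoglyph_caught": is_spam_token(HOMOGLYPH_EVASION),   # False: evades
        "legit_flagged": is_spam_token(LEGIT_MISSPELLING),      # True: false positive
    }


if __name__ == "__main__":
    for token in PAPER_VARIANTS + [HOMOGLYPH_EVASION, LEGIT_MISSPELLING]:
        print(f"{token!r:22} -> {normalize(token)!r:10} spam={is_spam_token(token)}")
```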
The WatchGuard spamBlocker service utilizes Commtouch Recurrent Pattern Detection (RPD™)
technology for real-time anti-spam detection that provides powerful protection. Rather than evaluating
keywords and content, this technology analyzes large volumes of Internet traffic in real time to identify the
repetitive components, or DNA, of each outbreak as soon as they emerge. Billions of messages are sampled
each week, and advanced algorithms detect, identify, and classify new outbreaks – typically within 1-2
minutes. This technology provides four key benefits:
• Extremely fast response to new outbreaks
• Near zero false positives make it the best service in the industry at distinguishing spam attacks
from legitimate communication
• High spam detection rate protects networks from more than 98% of unwanted e-mails
• Language agnostic to block spam regardless of the language, content, or format of the message
WatchGuard includes a quarantine server which can be used to isolate suspicious spam and virus messages
for further review by the end users.
The anti-spam service also includes virus outbreak detection, which takes a new approach to malware
defense. Instead of focusing on hunting for new viruses and racing to catch them with a signature or
heuristic, WatchGuard uses the same anti-spam email monitoring technology to identify and block new
malware outbreaks as they emerge. Zero-Hour AntiVirus identifies and blocks email-borne malware in the
first critical hours of an outbreak.
URL Filtering Service
One of the best ways to avoid security problems is to avoid those websites that are infested with malware.
WebBlocker, the WatchGuard web filtering service, helps to keep your network and end users secure from
viruses, worms, and spyware by preventing users from reaching sites that are known phishing sites or
distribution points for malicious applications.
But hackers and criminal activity are not the only concern for business today around Internet usage.
Unlimited Internet access can greatly impact productivity in the workplace, and inappropriate use of
Internet can expose organizations to lawsuits.
WebBlocker, the WatchGuard URL filtering capability, enables you to configure not only who gets web
access and who doesn’t, but also what type of web access is available. Using an intuitive set of controls,
you can quickly select which categories of web pages users get access to, and what time of day they get
access. WebBlocker uses over 54 categories to help you block content you don’t want to allow on your
network. For example, blocking pornography can assist in enforcing company policy on sexual harassment
in the workplace, and blocking sports content may increase workplace productivity.
One of the greatest benefits of WebBlocker is the ability to protect children from inappropriate content. In
the United States, the Children’s Internet Protection Act (CIPA) is a federal law enacted by Congress to
address concerns about access to offensive content over the Internet on school and library computers. CIPA
imposes requirements for URL filtering on any school or library that receives federal funding for Internet
access. Many organizations today use WebBlocker to meet the needs of CIPA and ensure a safe browsing
experience for children.
WebBlocker includes a local override feature that allows a user to type in a password to go to a website that
is blocked by the WebBlocker policy. For example, in a school, a teacher could use the override password
to allow a student to access an approved site that is blocked by WebBlocker content categories. With the
WebBlocker customizable exceptions lists, per-person authentication, and provision for different access
policies depending on the time of day, you’ll be able to efficiently enforce organizational policies.
Common Reporting and Alerting
The advantage of a single UTM bundle is that it provides a common interface for reporting and alerting
against the different services mentioned above. Each of the services described above can be managed
through one of two interfaces:
• Win32-based client GUI (WatchGuard System Manager)
• Web-based, clientless GUI
Some of the predefined reports that are included with the WatchGuard UTM appliance include:
• Web Trend Summary
• Web Activity Audit
• Most Popular Domains
• Intrusion Prevention Summary
• Antivirus Service Summary by Virus
• Detail by Virus
• spamBlocker Summary
XTM – PROTECTING YOURSELF AGAINST A SOPHISTICATED ENEMY
Roadmaps should evolve with the changing business environment. The threat landscape has evolved over
the past few years and it will continue to do so. Organizations need to partner with leading vendors that
grow and adapt their solutions. WatchGuard continues to drive innovation and is taking the traditional
UTM appliance to the next level, XTM – extensible threat management. WatchGuard has introduced the
Fireware XTM operating system across all products to provide a consistent interface for product
capabilities and management and reporting across all products in the organization.
Fireware XTM features that add to the improved protection of the system include:
HTTPS inspection – Attackers are learning to obfuscate their activities by hiding it in encrypted web
traffic. Phishers have started using HTTPS more often to make their compromised sites appear to be more
legitimate. The bot named Gheg, for example, uses encrypted port 443 (HTTPS) to communicate with the
botnet’s command and control server. An effective security solution needs to provide a deep packet
inspection of the HTTPS traffic and not just HTTP. In response to this burgeoning threat, WatchGuard
designed the Fireware XTM operating system to inspect HTTPS traffic.
Figure 1: When a user behind a typical firewall requests encrypted data from an HTTPS website, that data – whether
it’s safe or dangerous – will be returned fully encrypted. Because the typical firewall does not decrypt this traffic, it
enters the network regardless of its payload.
Fireware XTM HTTPS inspection works on both incoming and outgoing traffic, and inspects not only
packet headers but also payload (body content). The firewall can be configured to apply the Gateway AV
and IPS services against the HTTPS traffic once it has been decrypted.
Figure 2: When a user behind a WatchGuard Fireware XTM firewall makes the same request as in Figure 1 to receive
encrypted data, the firewall is able to decrypt the HTTPS traffic into normal HTTP. It can then inspect it for anomalies,
re-encrypt the data, and pass it along to the user. The user’s communication remains confidential, while the network has an
additional layer of protection from encrypted threats.
VoIP – Widespread adoption of new technologies brings new security concerns. Organizations worldwide
are realizing tremendous cost savings and quality improvement by integrating their voice calls with existing
IP infrastructure, but VoIP is susceptible to hacks like any other network-based technology. Many firewall
vendors have updated their solutions so that they can co-exist with VoIP, but this is not enough.
Because VoIP runs mingled with your IP network, its most serious threat is that any hole in VoIP provides
a stepping-stone to all your network data. Specific security measures must be applied. Fireware XTM
comes standard with Application Layer Gateways that intercept and inspect VoIP-related protocols such as
H.323 and Session Initiation Protocol (SIP). Fireware XTM allows you to hide your network topology,
prevents directory harvesting, and has the ability to deny calls compressed in certain codecs.
FireCluster – The best security solution in the world is of no use if it is not running with high levels of
availability. Fireware XTM introduced Active/Active high availability configurations along with the
existing Active/Passive capability, ensuring the high levels of availability and uptime expected by
enterprise customers.
CONCLUSION
The evolution of traditional network security practices into comprehensive XTM solutions brings with it a
level of protection never before available to corporate networks. As sophisticated network threats appear
with increasing frequency, this integrated, layered security approach, including layer 7 proxies, signature-based
services, zero day protection, and URL-based filtering, provides the strongest one-stop protection for
any growing network infrastructure.
For more information on WatchGuard security solutions and what they can do to protect your business
network, visit www.watchguard.com, or contact your authorized WatchGuard reseller.
ADDRESS:
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
WEB:
www.watchguard.com
NORTH AMERICA SALES:
+1.800.734.9905
INTERNATIONAL SALES:
+1.206.613.0895
www.watchguard.com
ABOUT WATCHGUARD
Since 1996, WatchGuard Technologies has provided reliable, easy to manage security appliances to
hundreds of thousands of businesses worldwide. WatchGuard’s award-winning extensible threat
management (XTM) network security solutions combine firewall, VPN, and security services. The
extensible content security (XCS) appliances offer content security across email and web, as well as data
loss prevention. More than 15,000 partners represent WatchGuard in 120 countries. WatchGuard is
headquartered in Seattle, Washington, with offices in North America, Latin America, Europe, and Asia
Pacific. For more information, please visit www.watchguard.com.
No express or implied warranties are provided for herein. All specifications are subject to change and any
expected future products, features, or functionality will be provided on an if and when available basis.
©2009 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard Logo, and
Fireware are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United
States and/or other countries. All other trademarks and tradenames are the property of their respective
owners. Part.No.WGCE66659_071510