Tuesday, 20 November 2012

SRX Unified Threat Management (UTM) Overview

Unified Threat Management (UTM) is a suite of security features that includes Anti-virus, Web-filtering, Content filtering and Anti-spam. This post gives an overview of UTM and its security features. Understanding the high-level operation makes UTM configuration and troubleshooting much less daunting.

Protocol Support & Processing Order
The UTM process only supports the following protocols: SMTP, POP3, IMAP, HTTP and FTP. A full proxy is done on these protocols, allowing the SRX to parse protocol traffic and pass it along to the configured modules. If multiple modules are configured for a single protocol, they are processed in a specific order. The following outlines the UTM modules, the protocols they support and the order in which they are processed.
  1. Web Filtering (HTTP)
  2. Content Filtering (SMTP, POP3, IMAP, HTTP and FTP)
  3. Anti-Spam (SMTP)
  4. Anti-Virus (SMTP, POP3, IMAP, HTTP and FTP)

Web Filtering
The web filtering module gives administrators the ability to control access to websites. The order of processing is blacklist, whitelist, user-configured category, dynamic category. This module supports three types of web filtering:

1. Integrated Web Filtering
This web filtering solution intercepts HTTP traffic and identifies the URL. The URL is evaluated against categories on the SRX device (local or cached from a 3rd party server such as SurfControl). Once a category is determined, the SRX device allows or blocks access to the web page. This solution does require a license.

2. Redirect Web Filtering
This web filtering solution intercepts HTTP traffic and identifies the URL. The URL is sent to a 3rd party server (such as Websense) and the server informs the device to allow or block access to the web page. This solution does NOT require a license; however, it does require an external Websense server.

3. Local Web Filtering
This web filtering solution also intercepts HTTP traffic and identifies the URL. The URL is checked against the user-configured whitelist and blacklist. If the URL does not match these lists, the configured default action applies. This solution does NOT require a license.

Content Filtering
The content filtering module provides administrators the ability to block certain types of content. This module provides content filtering on all UTM supported protocols and can specifically identify content by MIME type, file extension and protocol commands.

Anti-Spam
The anti-spam module provides administrators the ability to control SMTP email messages. Messages can be blocked or allowed based on the sender's or proxy's source IP address. Identification can be done by a 3rd party Server Block List (SBL), which is an IP address database of known email spammers, or by user-configured blacklists and whitelists. This module only supports the SMTP protocol.

Anti-Virus
The anti-virus module provides administrators the ability to detect and block malicious code, also known as viruses. This module supports three types of anti-virus.

1. Full Anti-virus Protection
This anti-virus solution provides full file-based scanning on all UTM supported protocols. Full anti-virus protection collects all packets until the data/file can be reconstructed. Once reconstructed, the file is scanned against a pattern database. The scanning engine and database are provided by Kaspersky Labs. The database is downloaded to the SRX unit and refreshed every 60 minutes by default.

2. Sophos Anti-virus Protection
The Sophos anti-virus solution is very similar to the full file-based protection described above. The main difference is that pattern databases are not downloaded to the SRX device. Instead, a checksum is sent to an external (Sophos) server and the pattern matching is done on the external server. Some results are cached to increase performance; however, the pattern matching is for the most part done externally. This provides a lower CPU footprint option that might be better for smaller SRX devices, and also provides quicker response to new viruses. An additional feature unique to Sophos anti-virus protection is Uniform Resource Identifier (URI) scanning. This feature scans the URI against a known list of URIs associated with viruses and will close sessions going to URIs that are identified as a virus risk. The URI scanning feature is only available for HTTP. All UTM protocols (SMTP, POP3, IMAP, HTTP and FTP) are supported by Sophos anti-virus protection.

3. Express Anti-virus Protection
This anti-virus solution is the least CPU intensive of all anti-virus solutions. The express anti-virus engine is provided by Juniper and leverages hardware-based pattern matching, which is provided by the Content Security Accelerator (CSA). The signature database is also provided by Juniper. It focuses only on critical viruses and is therefore smaller than the full anti-virus database. The scanning engine is also not as comprehensive as the full anti-virus and Sophos scanning engines. Specifically, there are limitations around scanning archived and compressed files.

Licensing Summary
The screenshot below is a nice summary of all of the UTM modules outlining if licensing is required.

Configuration Structure
The diagram below outlines the configuration structure of UTM features and modules. This diagram can be used as a foundation point when thinking about configuration of various UTM modules.
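
As an added example (not from the original post or its diagram), the following Junos set commands configure the license-free Local Web Filtering option described earlier, arranged by the four levels Junos uses for UTM configuration: custom objects, feature profile, UTM policy, security policy. All object names, URLs and the trust/untrust zone names are constructed placeholders.

```junos
# 1. Custom objects: URL patterns grouped into custom URL categories
#    (names and URLs are placeholders chosen for this example)
set security utm custom-objects url-pattern blocked-urls value http://www.example.net
set security utm custom-objects url-pattern allowed-urls value http://www.example.com
set security utm custom-objects custom-url-category blacklist-cat value blocked-urls
set security utm custom-objects custom-url-category whitelist-cat value allowed-urls

# 2. Feature profile: select local web filtering, bind the blacklist and
#    whitelist, and set the default action for URLs that match neither list
set security utm feature-profile web-filtering type juniper-local
set security utm feature-profile web-filtering url-blacklist blacklist-cat
set security utm feature-profile web-filtering url-whitelist whitelist-cat
set security utm feature-profile web-filtering juniper-local profile local-wf default block

# 3. UTM policy: attach the web filtering profile to the HTTP protocol
set security utm utm-policy utm-web web-filtering http-profile local-wf

# 4. Security policy: apply the UTM policy to traffic the firewall permits
#    (zone names trust/untrust are assumed)
set security policies from-zone trust to-zone untrust policy web-out match source-address any destination-address any application junos-http
set security policies from-zone trust to-zone untrust policy web-out then permit application-services utm-policy utm-web
```

With `default block`, any URL that matches neither list is denied; `default permit` would instead allow everything that is not blacklisted.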

The next posts will focus on UTM configuration examples.
