An introduction to network security. Topical issues of security of corporate data transmission networks

Threats and vulnerabilities of wired corporate networks

At the initial stage of the development of network technologies, the damage from virus and other types of computer attacks was small, since the dependence of the world economy on information technology was small. Today, in the context of a significant dependence of business on electronic means of access and exchange of information and an ever-growing number of attacks, the damage from the smallest attacks leading to wasted computer time is estimated at millions of dollars, and the total annual damage to the global economy is tens of billions of dollars.

Information processed in corporate networks is especially vulnerable, which is facilitated by:

  • an increase in the amount of information processed, transmitted and stored in computers;
  • concentration in databases of information of various levels of importance and confidentiality;
  • expanding the circle of users with access to the information stored in the databases and to the resources of the computer network;
  • an increase in the number of remote workplaces;
  • widespread use of the global Internet and various communication channels;
  • automation of information exchange between users' computers.

Analysis of the most common threats to which today's wired corporate networks are exposed shows that threat sources can range from unauthorized intrusions to computer viruses, and human error is a significant security threat. It should be borne in mind that sources of security threats can be located both inside the corporate information system - internal sources, and outside it - external sources. This division is quite justified because for the same threat (for example, theft), the methods of counteraction for external and internal sources are different. Knowledge of possible threats, as well as vulnerabilities of corporate information systems is necessary to select the most effective means of ensuring security.

The most frequent and dangerous (in terms of the amount of damage) are unintentional errors of users, operators and system administrators serving the corporate information system. Sometimes such errors lead to direct damage (incorrectly entered data, an error in the program that caused the system to stop or crash), and sometimes they create weak points that can be exploited by attackers (these are usually administrative errors).

According to the US National Institute of Standards and Technology (NIST), 55% of information system (IS) security breaches are due to unintentional errors. Working in the global network makes this factor quite relevant, and the source of damage can be both the actions of the organization's own users and those of users of the global network, which is especially dangerous. Fig. 2.4 is a pie chart illustrating statistics on the sources of security breaches in the corporate information system.

Theft and fraud are in second place in terms of damage. In most of the cases investigated, the perpetrators were staff members of the organizations, who were well versed in working hours and protective measures. The presence of a powerful information channel of communication with global networks in the absence of proper control over its work can further facilitate such activities.

Fig. 2.4. Sources of security breaches

Offended employees, even former ones, are familiar with the order in the organization and are able to harm very effectively. Therefore, upon dismissal of an employee, their rights of access to information resources should be revoked.

Deliberate attempts to obtain unauthorized access (NSD) through external communications account for about 10% of all possible violations. Although this figure does not seem that significant, experience with the Internet shows that almost every Internet server is subjected to intrusion attempts several times a day. Tests by the Agency for the Protection of Information Systems (USA) showed that 88% of computers have weaknesses in terms of information security, which can be actively used to obtain unauthorized access. Cases of remote access to the information structures of organizations should be considered separately.

Before building a security policy, it is necessary to assess the risks to the organization's computing environment and take appropriate action. It is obvious that the costs of an organization to control and prevent security threats should not exceed the expected losses.

These statistics can provide guidance to the administration and staff of the organization where to direct efforts to effectively reduce threats to the security of the corporate network and system. Of course, it is necessary to address physical security issues and measures to reduce the negative impact on security of human errors, but at the same time, it is necessary to pay the most serious attention to solving network security problems to prevent attacks on the corporate network and the system, both from the outside and from within the system.


If we consider the information security system of any large company, then this is not only an antivirus, but also several other programs for protection in all directions. The time for simple IT security solutions is long gone.

Of course, the basis of a general information security system for any organization is the protection of a standard workstation from viruses. And here the need to use an antivirus remains unchanged.

But the requirements for corporate security in general have changed. Companies need complete end-to-end solutions that can not only protect against today's most complex threats, but also stay ahead of the curve.

"More and more large companies are building a security system based on the defense-in-depth principle."

Moreover, earlier echelons were lined up on various elements of the IT infrastructure, but now multilevel protection should be even on individual elements of the IT environment, primarily on workstations and servers.

What threats faced companies in 2014

In terms of threats, targeted attacks on corporations and government structures have become a huge information security problem in recent years. Many of the techniques previously used by hackers to attack home users are now being applied to businesses as well.

These include modified banking Trojans that target employees of financial departments and accounting departments, and various ransomware programs that began to work within corporate information networks, and the use of social engineering methods.

In addition, network worms have gained popularity, and in order to remove them, the entire corporate network must be shut down. If a similar problem is faced by companies with a large number of branch offices located in different time zones, then any network interruption will inevitably lead to financial losses.

According to a study conducted by Kaspersky Lab in 2014 among information security specialists, Russian companies most often face:

  • malware,
  • unwanted mail (spam),
  • attempts at unauthorized entry into the system by phishing,
  • vulnerabilities in the installed software,
  • risks associated with the behavior of company employees.

The problem is aggravated by the fact that cyber threats are far from static: they multiply every day, become more diverse and complex. To better understand the current situation in the field of information security and the consequences to which even a single computer incident can lead, let us present everything in figures and facts obtained on the basis of data from Kaspersky Lab on the analysis of the events of 2014.

Cyber Threat Statistics


By the way, it is mobile devices that continue to be a separate "headache" for information security specialists today. The use of personal smartphones and tablets for work purposes is already permissible in most organizations, but the proper management of these devices and their inclusion in the general information security system of the company is not practiced everywhere.

"According to Kaspersky Lab, 99% of malware specializing in mobile devices is targeted at the Android platform today."

To understand where such a number of threats come from, and to imagine how fast they are increasing in number, it is enough to say that Kaspersky Lab specialists process 325,000 samples of new malware every day.

Malware usually reaches users' computers in two ways:

  • through vulnerabilities in legitimate software,
  • using social engineering methods.

Of course, a combination of these two techniques is very common, but attackers do not neglect other tricks either.

Targeted attacks, which are becoming more common, are a separate threat to businesses.

"The use of illegal software, of course, further increases the risks of becoming a successful target for a cyber attack, primarily due to the presence of more vulnerabilities in it."

Vulnerabilities sooner or later appear in any software. These can be errors during the development of the program, obsolete versions or individual code elements. Be that as it may, the main problem is not the presence of a vulnerability, but its timely detection and closure.

By the way, recently, and 2014 is a vivid evidence of this, software vendors are increasingly beginning to close the vulnerabilities in their programs. However, there are still enough gaps in applications, and cybercriminals actively use them to penetrate corporate networks.

In 2014, 45% of all vulnerability incidents were caused by holes in the popular Oracle Java software.

In addition, in the past year there was a kind of turning point: a vulnerability called Heartbleed was discovered in the widely used OpenSSL cryptographic library. This bug allowed an attacker to read the contents of server memory and intercept personal data on systems using vulnerable versions of the library.

OpenSSL is widely used to protect data transmitted over the Internet (including information that the user exchanges with web pages, emails, messages in Internet messengers), and data transmitted over VPN (Virtual Private Networks) channels, therefore potential damage from this vulnerability was huge. It is possible that attackers could use this vulnerability as a start for new cyber espionage campaigns.

Attack victims

In general, in 2014, the number of organizations that became victims of targeted cyber attacks and cyber espionage campaigns increased by almost 2.5 times. Over the past year, almost 4.5 thousand organizations in at least 55 countries, including Russia, have become the target of cybercriminals.

Data theft has occurred in at least 20 different sectors of the economy:

  • state,
  • telecommunication,
  • energy,
  • research,
  • industrial,
  • healthcare,
  • construction and other companies.

Cybercriminals gained access to such information:

  • passwords,
  • files,
  • geolocation information,
  • audio data,
  • screenshots,
  • webcam snapshots.

Most likely, in some cases these attacks were supported by government agencies, while others were more likely carried out by professional groups of cyber mercenaries.

In recent years, Kaspersky Lab's Global Threat Research and Analysis Center has tracked the activities of more than 60 criminal groups responsible for cyberattacks around the world. Their participants speak different languages: Russian, Chinese, German, Spanish, Arabic, Persian and others.

The consequences of targeted operations and cyber espionage campaigns are always severe. They inevitably end in hacking and infection of the corporate network, disruption of business processes, leakage of confidential information, in particular intellectual property. In 2014, 98% of Russian companies faced some kind of cyber incidents, the sources of which were usually located outside the enterprises themselves, and in another 87% of organizations there were incidents caused by internal threats.

"The total amount of damage for large companies averaged 20 million rubles for each successful example of a cyber attack."

What companies fear and how things really are

Every year Kaspersky Lab conducts research in order to find out the attitude of IT specialists to information security issues. A 2014 study showed that the vast majority of Russian companies, or rather 91%, underestimate the amount of malware that exists today. Moreover, they do not even assume that the number of malware is constantly increasing.



Curiously, 13% of IT professionals said they weren't worried about internal threats.

Perhaps this is due to the fact that in a number of companies it is not customary to separate cyber threats into external and internal. In addition, there are those among Russian IT and information security managers who still prefer to solve all problems with internal threats by means of prohibitions.

However, if something is forbidden to a person, this does not mean at all that he does not do it. Therefore, any security policy, including prohibition, requires appropriate control tools to ensure that all requirements are met.

As for the types of information that cybercriminals are primarily interested in, the study has shown that companies' perceptions and the actual state of affairs are quite different.

So, the companies themselves are most afraid of losing

  • customer information,
  • financial and operational data,
  • intellectual property.

Businesses worry a little less about

  • information on the analysis of competitors' activities,
  • payment information,
  • personal data of employees,
  • data on corporate bank accounts.

"In fact, it turns out that cybercriminals most often steal internal operational information of companies (in 58% of cases), but only 15% of companies consider it necessary to protect this data in the first place."

For safety, it is equally important to think over not only technologies and systems, but also to take into account the human factor: the understanding of the goals by the specialists who build the system, and the understanding of the responsibility of the employees who use the devices.

Recently, attackers are increasingly relying not only on technical means, but also on the weaknesses of people: they use social engineering methods that help to extract almost any information.

Employees, taking away data on their device, should understand that they bear exactly the same responsibility as if they took paper copies of documents with them.

The company's staff should also be well aware that any modern technically complex device contains defects that can be exploited by an attacker. But in order to take advantage of these defects, an attacker must gain access to the device. Therefore, when downloading mail, applications, music and pictures, it is necessary to check the reputation of the source.

It is important to be wary of provocative SMS and emails and to check the source's credibility before opening an email and following a link.

In order for the company to still have protection against such accidental or intentional actions of employees, it should use modules to protect data from leaks.

"Companies need to regularly remember about working with personnel: starting with improving the qualifications of IT employees and ending with explanations of the basic rules of safe working on the Internet, no matter what devices they use there."

For example, this year Kaspersky Lab released a new module that implements data leakage protection functions -

Cloud protection

Many large companies use the cloud in one way or another, in Russia most often in the form of a private cloud. It is important to remember here that, like any other human-made information system, cloud services contain potential vulnerabilities that can be exploited by virus writers.

Therefore, when organizing access even to your own cloud, you need to remember about the security of the communication channel and about the end devices that are used on the side of employees. Equally important are internal policies governing which employees have access to data in the cloud, or what level of secrecy information can be stored in the cloud, etc. The company must formulate transparent rules:

  • which services and applications will run from the cloud,
  • which will run on local resources,
  • what kind of information may be placed in the cloud,
  • what should be kept "at home".

Based on the article: Time for "hard" decisions: security in the Enterprise segment.

We note right away that, unfortunately, there is no protection system that will give 100% results at all enterprises. After all, every day there are more and more new ways to bypass and hack a network (be it home or corporate). However, the fact that multi-layered security is still the best option for securing a corporate network remains unchanged.

And in this article we will analyze the five most reliable methods of protecting information in computer systems and networks, and also consider the levels of computer protection in a corporate network.

However, we will immediately make a reservation that the best way to protect data on the network is the vigilance of its users. All employees of the company, regardless of their job duties, must understand and, most importantly, follow all the rules of information security. Any extraneous device (be it a phone, flash drive or disk) should not be connected to the corporate network.

In addition, the company's management should regularly conduct conversations and safety checks, because if employees are negligent about the security of the corporate network, then no amount of protection will help it.

Protecting the corporate network from unauthorized access

  1. So, first of all, it is necessary to ensure the physical security of the network. That is, access to all server cabinets and rooms should be provided to a strictly limited number of users. Disposal of hard drives and external media must be strictly controlled. After gaining access to data, attackers can easily decrypt passwords.
  2. The first "line of defense" of a corporate network is a firewall, which will provide protection against unauthorized remote access. At the same time, it will ensure the "invisibility" of information about the structure of the network.

The main firewall schemes include:

  • using a filtering router in this role, which is designed to block and filter outgoing and incoming flows. All devices on the secured network have access to the Internet, but return access to these devices from the Internet is blocked;
  • a screened gateway that filters potentially dangerous protocols, blocking their access to the system.

  3. Anti-virus protection is the main line of defense of the corporate network from external attacks. Comprehensive anti-virus protection minimizes the possibility of worms entering the network. First of all, it is necessary to protect servers, workstations, and the corporate chat system.
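The filtering-router scheme above (LAN hosts may go out, unsolicited connections may not come in) depends on the router remembering which flows the LAN initiated. The toy stateful filter below is an added example, not code from the article; the LAN prefix, the packet fields and all addresses are constructed assumptions.

```python
"""Toy stateful packet filter modelling the "filtering router" scheme:
hosts on the protected LAN may open connections to the Internet, and only
replies to those connections are let back in. Unsolicited inbound
connection attempts are dropped. Added example; the LAN prefix, packet
model and addresses are assumptions, not taken from the article."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.10.0/24")  # assumed protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # SYN without ACK = attempt to open a new TCP connection
    ack: bool = False


class StatefulFilter:
    def __init__(self, lan=LAN):
        self.lan = lan
        # flows the LAN initiated: (lan_ip, lan_port, remote_ip, remote_port)
        self.conns = set()

    def _outbound(self, p):
        return ip_address(p.src) in self.lan and ip_address(p.dst) not in self.lan

    def _inbound(self, p):
        return ip_address(p.src) not in self.lan and ip_address(p.dst) in self.lan

    def decide(self, p):
        """Return 'ACCEPT' or 'DROP' for one packet and update the flow table."""
        if self._outbound(p):
            # any LAN host may talk out; remember the flow so replies can return
            self.conns.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        if self._inbound(p):
            key = (p.dst, p.dport, p.src, p.sport)
            # a bare SYN is a new connection attempt even if the tuple matches
            if key in self.conns and not (p.syn and not p.ack):
                return "ACCEPT"  # reply to a flow the LAN opened
            return "DROP"  # unsolicited connection from the Internet
        return "DROP"  # traffic that does not cross the perimeter is not forwarded


def simulate():
    """Run a constructed packet sequence and return the decisions."""
    f = StatefulFilter()
    packets = [
        Packet("192.168.10.5", 40000, "198.51.100.80", 443, syn=True),          # LAN opens HTTPS
        Packet("198.51.100.80", 443, "192.168.10.5", 40000, syn=True, ack=True),  # server replies
        Packet("198.51.100.9", 51000, "192.168.10.5", 22, syn=True),             # unsolicited SSH
        Packet("198.51.100.80", 443, "192.168.10.5", 40000, syn=True),           # bare SYN, same tuple
    ]
    return [f.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in simulate():
        print(verdict)
```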

Today, one of the leading companies in anti-virus protection in the network is Kaspersky Lab, which offers such a complex of protection as:

  • application and device control: a combination of signature-based and cloud methods for controlling programs and devices, together with data encryption;
  • protection of the virtual environment by installing an "agent" on one (or each) virtual host;
  • protection of the data center (data processing center): management of the entire protection structure from a single centralized console;
  • protection against DDoS attacks: round-the-clock traffic analysis, warning of possible attacks and redirection of traffic to a "cleaning center".

These are just a few examples from the whole complex of protection from Kaspersky Lab.

  4. Protection of remote access. Today, many company employees work remotely (from home); in this regard, it is necessary to ensure maximum protection of their traffic, and encrypted VPN tunnels will help to implement this.

One of the disadvantages of attracting "remote workers" is the possibility of losing (or stealing) the device from which the work is carried out and then gaining access to the corporate network to third parties.

  5. Competent protection of corporate mail and spam filtering.

Corporate email security

Companies that process large amounts of email are primarily susceptible to phishing attacks.

The main ways to filter spam are:

  • installation of specialized software (such services are also offered by Kaspersky Lab);
  • creation and constant replenishment of "black" lists of IP addresses of devices from which spam mailings are sent;
  • analysis of email attachments (not only the text part should be analyzed, but all attachments: photos, videos and text files);
  • detection of mass mailings: spam messages are usually identical across all recipients, which lets anti-spam scanners such as "GFI MailEssentials" and "Kaspersky Anti-spam" track them.
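Three of the filtering techniques listed above (a sender IP block list, an attachment check and detection of identical mass mailings) can be combined in one pipeline. The script below is an added example, not code from the article or from any named product; the message format, thresholds, block list and sample messages are constructed.

```python
"""Toy anti-spam pipeline: block-listed sender IPs, risky attachment types,
and mass-mailing detection by fingerprinting normalized message bodies.
Added example; the message format, thresholds and sample data are
constructed and not taken from the article or any product."""
import hashlib
import re
from collections import defaultdict

BLOCKED_SENDER_IPS = {"203.0.113.7"}             # constructed block list
RISKY_ATTACHMENT_EXT = {".exe", ".js", ".scr", ".vbs"}
MASS_THRESHOLD = 3                                # same body seen 3+ times = bulk


def normalize_body(body):
    """Lower-case, drop digits and collapse whitespace so per-recipient
    variations (invoice numbers, tracking ids) do not defeat the duplicate check."""
    text = re.sub(r"\d+", "", body.lower())
    return " ".join(text.split())


def body_fingerprint(body):
    return hashlib.sha256(normalize_body(body).encode()).hexdigest()


class SpamFilter:
    def __init__(self, blocked_ips=BLOCKED_SENDER_IPS, threshold=MASS_THRESHOLD):
        self.blocked_ips = blocked_ips
        self.threshold = threshold
        self.seen = defaultdict(int)  # fingerprint -> number of times observed

    def classify(self, msg):
        """Return the list of reasons a message is suspicious (empty = passed)."""
        reasons = []
        if msg["sender_ip"] in self.blocked_ips:
            reasons.append("sender-ip-blocklisted")
        for name in msg.get("attachments", []):
            ext = name[name.rfind("."):].lower() if "." in name else ""
            if ext in RISKY_ATTACHMENT_EXT:
                reasons.append(f"risky-attachment:{name}")
        fp = body_fingerprint(msg["body"])
        self.seen[fp] += 1
        # note: only the copy that crosses the threshold is flagged here; a real
        # gateway would also quarantine the earlier copies retroactively
        if self.seen[fp] >= self.threshold:
            reasons.append("mass-mailing")
        return reasons


# constructed sample traffic (documentation address ranges)
SAMPLE_MESSAGES = [
    {"to": "alice", "sender_ip": "198.51.100.20",
     "body": "Quarterly report attached, see page 4", "attachments": ["report.pdf"]},
    {"to": "bob", "sender_ip": "203.0.113.7",
     "body": "You have won 1000 dollars, reply now", "attachments": []},
    {"to": "alice", "sender_ip": "198.51.100.55",
     "body": "Your invoice #4821 is overdue, open the attached file", "attachments": ["invoice.exe"]},
    {"to": "bob", "sender_ip": "198.51.100.55",
     "body": "Your invoice #9930 is overdue, open the attached file", "attachments": ["invoice.exe"]},
    {"to": "carol", "sender_ip": "198.51.100.55",
     "body": "Your invoice #1177 is overdue,  open the attached file", "attachments": ["invoice.exe"]},
]


def run_sample():
    """Classify the sample messages in order; returns (recipient, reasons) pairs."""
    f = SpamFilter()
    return [(m["to"], f.classify(m)) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for recipient, reasons in run_sample():
        print(recipient, reasons or "ok")
```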

These are the main aspects of protecting information on a corporate network, which work in almost every company. But the choice of protection also depends on the very structure of the corporate network.

Network and information security

Securing the corporate network

High security and regulatory compliance are a must for enterprise deployment projects.

To protect their own information resources, enterprises are implementing network security solutions in the infrastructure that guarantee the security of the network and business data at all levels:

  • firewall
  • VPN managed networks
  • search and block network intrusion attempts
  • protection of endpoints of traffic exchange
  • corporate anti-virus system.

Connection security

For employees on business trips or working from home, the service of remote access to the corporate network has become a work necessity.

More and more organizations are allowing partners to remotely access their networks to reduce system maintenance costs. Therefore, protecting the endpoints of traffic exchange is one of the most important tasks of securing a company's network.

The places where the corporate network connects to the Internet form the network's security perimeter. Incoming and outgoing traffic intersects at these points: corporate users' traffic leaves the network, and requests from external Internet users to web and email applications enter the company's network.

Because these endpoints have a persistent Internet connection, which typically allows external traffic to enter the corporate network, they are a prime target for malicious attacks.

When building a corporate data security network, firewalls are installed at the network boundaries at the points of access to the Internet. These devices allow you to prevent and block external threats when terminating VPN tunnels (see Fig. 1).


Fig. 1 The security perimeter of the corporate network

A suite of integrated secure connectivity solutions from Cisco Systems keeps your information private. The network examines all endpoints and access methods across all company networks: LAN, WAN and wireless mobile network.

Full availability of firewall and VPN services is ensured. Firewall features provide stateful application layer filtering for inbound and outbound traffic, secure outbound access for users, and DMZ network for servers that need to be accessed from the Internet.

The system integrator of IC "Telecom-Service" builds corporate security networks based on multifunctional security devices Cisco Systems, Juniper Networks and Huawei Technologies, which reduce the number of required devices in the network.

End-to-end corporate network security solutions from Cisco Systems, Juniper Networks and Huawei Technologies have a number of advantages that are important for effective business:

  • reduction of IT budgets for operation and maintenance of software and hardware
  • increased network flexibility
  • reduction of implementation costs
  • lower total cost of ownership
  • increased control through unified management and the introduction of security policies
  • increase in profits and increase in performance indicators of the enterprise
  • reducing security threats to the network and storage
  • application of effective security policies and rules at the end nodes of the network: PCs, PDAs and servers
  • reducing the time to implement new security solutions
  • effective network intrusion prevention
  • integration with software of other developers in the field of security and management.
  • comprehensive network access control

Cisco Security Products at All Network Layers

Endpoint Security: The Cisco Security Agent protects computers and servers from worm attacks.

Built-in firewalls: the PIX Security Appliance, Catalyst 6500 Firewall Services Module, and firewall feature set protect the network in and around the network.

Network Intrusion Protection: IPS 4200 Series sensors, Catalyst 6500 IDS Service Modules (IDSM-2), or IOS IPS sensors identify, analyze and block malicious unwanted traffic.

Detection and elimination of DDoS attacks: the Cisco Traffic Anomaly Detector XT and Guard XT ensure normal operation in the event of denial-of-service attacks. Cisco Traffic Anomaly Detector Services and Cisco Guard provide robust protection against DDoS attacks on Catalyst 6500 series switches and 7600 series routers.

Content Security: Access Router Content Engine module protects Internet-facing business applications and ensures error-free delivery of web content.

Intelligent Network and Security Administration Services: Finds and blocks unwanted traffic and applications in Cisco routers and switches.

Management and monitoring:

Products:

  • CiscoWorks VPN / Security Management Solution (VMS)
  • CiscoWorks Security Information Management System (SIMS) - security status information management system
  • Built-in device managers: Cisco Router and Security Device Manager (SDM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM) quickly and efficiently configure and monitor security services and network activity.

    Cisco Network Admission Control (NAC) Technology

    Network Admission Control (NAC) is a set of technologies and solutions based on an industry-wide initiative under the patronage of Cisco Systems.

    NAC uses the network infrastructure to enforce security policies across all devices seeking to access network resources. This reduces the potential damage to the network from security threats.

    Secure remote access to the corporate VPN for employees and partners is provided by multifunctional security appliances using SSL and IPsec VPN protocols, with built-in intrusion prevention (IPS) services.

    Self-Defending Network - Cisco Self-Defending Network Strategy

    The Self-Defending Network is Cisco's evolving future strategy. The technology allows you to protect business processes of an enterprise by detecting and preventing attacks, adapting to internal and external network threats.

    Businesses can leverage the intelligence of network resources, streamline business processes, and reduce costs.

    Cisco Security Management Pack

    The Cisco Security Management Pack is a collection of products and technologies designed to provide scalable administration and enforcement of security policies for a self-defending Cisco network.

    The integrated Cisco product automates security management tasks using key components: the management manager and Cisco Security MARS, a monitoring, analysis and response system.

    Cisco Security Management Manager provides a simple interface for configuring firewall, VPN, and intrusion prevention systems (IPS) on Cisco security appliances, firewalls, routers, and switches.

    This is exactly the result of a survey of more than 1000 heads of IT departments of large and medium-sized European companies, commissioned by Intel. The purpose of the survey was the desire to identify the problem that is of the greatest concern to industry professionals. The answer was quite expected, more than half of the respondents named the problem of network security, a problem that requires an immediate solution. Other results of the survey can be called quite expected. For example, the factor of network security leads among other problems in the field of information technology; its importance has increased by 15% compared to the situation that existed five years ago.
    According to the survey results, highly qualified IT specialists spend over 30% of their time on solving exactly security issues. The situation in large companies (with more than 500 employees) is even more alarming - about a quarter of respondents spend half of their time solving these issues.

    Balancing Threats and Defense

    Alas, the problem of network security is inextricably linked with the fundamental technologies used in modern telecommunications. It just so happened that when developing a family of IP-protocols, the priority was given to the reliability of the network as a whole. At the time of the emergence of these protocols, network security was provided in completely different ways, which are simply unrealistic to use in a global network. You can loudly complain about the short-sightedness of the developers, but it is almost impossible to radically change the situation. Now you just need to be able to defend against potential threats.
    The main principle of this skill should be a balance between potential threats to network security and the level of protection needed: the cost of security must be commensurate with the cost of potential damage from realized threats.
    For a modern large and medium-sized enterprise, information and telecommunication technologies have become the basis for doing business. Therefore, they turned out to be the most sensitive to the impact of threats. The larger and more complex the network, the more efforts it requires to protect it. Moreover, the cost of creating threats is orders of magnitude less than the cost of neutralizing them. This state of affairs forces companies to carefully weigh the consequences of possible risks from various threats and choose appropriate methods of protection against the most dangerous.
    Currently, the greatest threats to corporate infrastructure are actions associated with unauthorized access to internal resources and blocking the normal operation of the network. There are quite a number of such threats, but each of them is based on a combination of technical and human factors. For example, the penetration of a malicious program into a corporate network can occur not only due to the network administrator's neglect of security rules, but also due to the excessive curiosity of a company employee who decides to use a tempting link from mail spam. Therefore, one should not hope that even the best technical security solutions will become a panacea for all ills.

    UTM class solutions

    Security is always a relative concept. If there is too much of it, then using the very system we are going to protect becomes much more difficult. Therefore, a reasonable compromise becomes the first choice in network security. For medium-sized enterprises, by Russian standards, such a compromise may well be found in UTM-class (Unified Threat Management) solutions, positioned as multifunctional devices for network and information security. At their core, these solutions are hardware and software systems that combine the functions of different devices: a firewall, a network intrusion detection and prevention system (IPS), and an anti-virus gateway (AV). Often, these complexes also take on additional tasks, for example routing, switching or supporting VPN networks.
    Oftentimes, UTM solution providers offer to use them in small businesses. Perhaps this approach is partly justified. Still, it is both easier and cheaper for small businesses in our country to use a security service from their Internet provider.
    Like any universal solution, UTM equipment has its pros and cons. The former include the savings in money and time for implementation in comparison with organizing protection of a similar level from separate security devices. UTM is also a pre-balanced and tested solution that can easily solve a wide range of security problems. Finally, solutions of this class are not so demanding on the qualifications of technical personnel: any specialist can easily cope with their configuration, management and maintenance.
    The main disadvantage of UTM is the fact that any functionality of a universal solution is often less effective than similar functionality of a specialized solution. That is why when high performance or high security is required, security professionals prefer to use solutions based on the integration of separate products.
    However, despite this disadvantage, UTM solutions are becoming in demand by many organizations that are very different in scale and type of activity. According to Rainbow Technologies, such solutions have been successfully implemented, for example, to protect the server of one of the Internet home appliances stores, which was subjected to regular DDoS attacks. Also, the UTM solution made it possible to significantly reduce the volume of spam in the mail system of one of the car holdings. In addition to solving local problems, there is experience in building security systems based on UTM solutions for a distributed network covering the central office of the brewery and its branches.

    UTM manufacturers and their products

    The Russian market for UTM class equipment is formed solely by the offerings of foreign manufacturers. Unfortunately, none of the domestic manufacturers has yet been able to offer its own solution in this class of equipment. The exception is the software solution Eset NOD32 Firewall, which, according to the company, was created by Russian developers.
    As already noted, in the Russian market UTM solutions are of interest mainly to medium-sized companies whose corporate networks have up to 100-150 workplaces. When selecting UTM equipment for this review, the main criterion was performance in the various modes of operation, which should provide comfortable work for users. Vendors usually publish separate performance figures for the firewall, intrusion prevention (IPS) and anti-virus (AV) modes.

    Check Point's solution is called UTM-1 Edge. It is a unified protection device that combines a firewall, an intrusion prevention system, an anti-virus gateway, as well as VPN and remote access tools. The firewall included in the solution controls a large number of applications, protocols and services, and also has a mechanism for blocking traffic that clearly does not fit into the category of business applications, for example instant messaging (IM) and peer-to-peer (P2P) traffic. The anti-virus gateway tracks malicious code in e-mail messages and in FTP and HTTP traffic. There are no restrictions on file size, and archives are decompressed on the fly.
    UTM-1 Edge has advanced VPN capabilities. It supports dynamic OSPF routing and VPN client connectivity. The UTM-1 Edge W comes with a built-in IEEE 802.11b/g WiFi hotspot.
    When large-scale deployment is required, UTM-1 Edge integrates seamlessly with Check Point SMART, which greatly simplifies security management.

    Cisco traditionally pays special attention to network security issues and offers a wide range of the necessary devices. For the review, we chose the Cisco ASA 5510 model, which is focused on securing the corporate network perimeter. This equipment is part of the ASA 5500 series, which includes modular UTM class protection systems. This approach allows the security system to be adapted to how the network of a particular enterprise actually operates.
    The Cisco ASA 5510 comes in four basic packages: firewall, VPN, intrusion prevention, and anti-virus with anti-spam. The solution includes additional components such as the Security Manager system, which forms the management infrastructure of a branched corporate network, and the Cisco MARS system, designed to monitor the network environment and respond to security breaches in real time.

    The Slovak company Eset supplies the Eset NOD32 Firewall software package, a UTM class product that, in addition to corporate firewall functions, includes the Eset NOD32 anti-virus protection system, mail (anti-spam) and web traffic filtering, and systems for detecting and preventing network attacks (IDS and IPS). The solution supports the creation of VPN networks. The complex is built on a server platform running Linux. Its software part is developed by the domestic company Leta IT, controlled by the Russian representative office of Eset.
    This solution controls network traffic in real time and supports content filtering by category of web resource. It provides protection against DDoS attacks and blocks port scan attempts. Eset NOD32 Firewall includes DNS and DHCP server support and bandwidth management. Traffic of the SMTP and POP3 mail protocols is monitored.
    The solution also makes it possible to build distributed corporate networks using VPN connections, supporting various modes of joining networks as well as various authentication and encryption algorithms.

    Fortinet offers a whole family of FortiGate UTM class devices, positioning its solutions as capable of protecting the network while maintaining a high level of performance, as well as reliable and transparent operation of enterprise information systems in real time. For the review, we chose the FortiGate-224B model, which is designed to protect the perimeter of a corporate network with 150-200 users.
    The FortiGate-224B includes the functionality of a firewall, VPN server, web traffic filtering, intrusion prevention, as well as anti-virus and anti-spam protection. This model has a built-in Layer 2 LAN switch and WAN interfaces, eliminating the need for external routing and switching devices. To this end, RIP, OSPF and BGP routing is supported, as are protocols for authenticating users before network services are provided.

    SonicWALL offers a wide range of UTM devices, of which the NSA 240 was included in this review. This equipment is the junior model in the line, intended as a security system for the corporate network of a medium-sized enterprise and for branches of large companies.
    The line is based on the combined use of all means of protection against potential threats: a firewall, intrusion protection, and virus and spyware protection gateways. Web traffic is filtered across 56 categories of sites.
    As one of the highlights of its solution, SonicWALL points to its technology for deep scanning and analysis of incoming traffic. To avoid performance degradation, this technology processes data in parallel on a multiprocessor core.
    The equipment supports VPN, has advanced routing capabilities and supports various network protocols. The SonicWALL solution is also able to provide a high level of security when serving VoIP traffic using the SIP and H.323 protocols.

    From WatchGuard's product line, the Firebox X550e was chosen for the review. It is positioned as a system with advanced network security functionality and is focused on use in the networks of small and medium-sized enterprises.
    UTM solutions from this vendor are based on the principle of protection against mixed network attacks. To this end, the equipment supports a firewall, an attack prevention system, anti-virus and anti-spam gateways, web resource filtering, and a system for countering spyware.
    The equipment uses a principle of joint protection, according to which network traffic already checked against a certain criterion at one level of protection is not checked against the same criterion again at another level. This approach ensures high performance of the equipment.
    As another advantage of its solution, the manufacturer cites support for Zero Day technology, which makes protection independent of the availability of signatures. This matters when new types of threats appear for which there is not yet an effective countermeasure. Typically, this "window of vulnerability" lasts from several hours to several days. With Zero Day technology, the likelihood of negative consequences during the vulnerability window is noticeably reduced.

    ZyXEL offers its UTM class firewall solution for use in corporate networks with up to 500 users. Its ZyWALL 1050 solution is intended for building a network security system that includes full-fledged anti-virus protection, intrusion prevention and support for virtual private networks. The device has five Gigabit Ethernet ports that can be configured as WAN, LAN, DMZ and WLAN interfaces depending on the network configuration.
    The device supports VoIP application traffic over the SIP and H.323 protocols at the firewall and NAT level, as well as packet telephony traffic inside VPN tunnels. Attack and threat prevention mechanisms therefore work for all types of traffic, including VoIP; the device also provides an anti-virus system with a full signature base, content filtering across 60 categories of sites, and spam protection.
    The ZyWALL 1050 supports a variety of private network topologies, a VPN concentrator mode, and VPN zoning with uniform security policies.

    Main characteristics of UTM

    Expert opinion

    Dmitry Kostrov, Project Director of the Directorate of Technological Protection of the Corporate Center of MTS OJSC

    The scope of UTM solutions mainly extends to companies related to small and medium-sized enterprises. The very concept of Unified Threat Management (UTM), as a separate class of equipment for protecting network resources, was introduced by the international agency IDC, according to which UTM solutions are multifunctional software and hardware systems that combine the functions of different devices. Typically, these are firewall, VPN, network intrusion detection and prevention systems, as well as anti-virus and anti-spam gateway and URL filtering functions.
    In order to achieve truly effective protection, the device must be multi-layered, active and integrated. At the same time, many manufacturers of protective equipment already have a fairly wide range of UTM-related products. Sufficient ease of deployment of systems, as well as obtaining an "all-in-one" system makes the market for these devices quite attractive. The total cost of ownership and return on investment for these devices appear to be very attractive.
    But this UTM solution is like a "Swiss knife" - there is a tool for every occasion, but a real drill is needed to punch a hole in the wall. There is also a possibility that the emergence of protection against new attacks, signature updates, etc. will not be as fast, in contrast to the support of individual devices, standing in the "classic" scheme of protecting corporate networks. There also remains the problem of a single point of failure.