Unified Threat Management - Friend or Foe?

Oct 23 2006

By Kurt Seifried (kurt@seifried.org)

One of the latest trends in information security is Unified Threat Management (UTM); in fact, Information Security magazine (June 2006) ran a story on this topic. In a nutshell, UTM is the combining of security functionality (i.e. anti-virus and network traffic scanning, alerting, firewalling, etc.) into a single appliance or software suite. The article in Information Security magazine covers five arguments in favor of UTM but fails to consider any of the risks.

The arguments for UTM are compelling: consolidation and cost, performance, complexity, management and flexibility. Ideally, if a UTM product is properly built, installed, configured and maintained, managing a single device should be easier than managing products from four different vendors, for example. Likewise, by combining multiple functions into one device the number of appliances present on a network can be reduced, simplifying network management.

However these benefits come with some significant risks and potential costs.

Devices that combine multiple functions into a single platform carry a great deal of added complexity. For example, a stateful firewall is unlikely to contain security flaws that allow it to be remotely compromised. However, several IDS products have been found to be prone to remote attacks through various network protocols such as SMB or HTTP. This is due to the added complexity of packet inspection, and to the simple fact that the majority of software on such devices (firewalls, IDSs, anti-virus scanners, etc.) runs with high-level privileges, so that a single exploitable flaw allows the device to be rapidly compromised. Historically most security vendors have created products with little or no separation of privileges: by running all the software at highly privileged levels (such as “root” or in ring 0) things “simply work” and there is no need to break a monolithic program into smaller pieces. Additionally, the majority of data and protocol inspection software is plagued by poor or hard-to-understand protocol documentation and by varied vendor implementations. A perfect example of this is the Ethereal packet inspector for UNIX and Windows; over the years literally dozens of remotely exploitable flaws have been found in its protocol inspection code.

This creates a situation where networks have a small number of highly critical security devices, placed at network choke points and other strategic locations, that are potentially vulnerable to compromise. Attackers are given more avenues of attack: rather than having to find a vulnerability in the network code of a product, they can send email attachments, HTTP uploads, downloads, form data, SOAP requests, malformed XML and so on. With the complexity and volume of the potential interactions involved it is virtually certain that exploitable security vulnerabilities will be found in UTM products. Combined with the fact that such products run their software with high-level privileges, it becomes a virtual certainty that they will at some point be compromised and controlled by attackers.

Unfortunately there is no simple solution to this issue. Hopefully vendors will use privilege separation and write software that is more robust and less prone to security failures. Until this occurs, however, you may wish to reevaluate your UTM strategies.
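The privilege separation the paragraph above calls for can be sketched in a few dozen lines: the privileged process never parses untrusted bytes itself, but hands them to a forked worker that drops privileges and caps its own resources, and any worker crash is treated as a rejection. This is an added example written for this page, not the author's code or any vendor's product; it assumes a constructed two-byte-length record format, a trivial substring check standing in for real scanning, and an unprivileged account named `nobody`.

```python
import os
import pwd
import resource
import struct


def parse_record(data: bytes) -> bytes:
    """Constructed toy protocol standing in for complex inspection code: a 2-byte
    big-endian length, then that many payload bytes. A bad length raises."""
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    return body


def drop_privileges(user: str = "nobody") -> None:
    """Worker side: give up root before touching untrusted bytes. The account
    name is an assumption; no-op when not root, so this also runs unprivileged."""
    if os.geteuid() != 0:
        return
    pw = pwd.getpwnam(user)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)


def inspect_isolated(data: bytes) -> str:
    """Privilege-separated inspection: the parent forks a worker that drops
    privileges, parses, and reports a verdict over a pipe. Returns 'clean',
    'reject', or 'worker-failed' (worker crashed or said nothing: fail closed)."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # worker process
        os.close(rfd)
        try:
            drop_privileges()
            resource.setrlimit(resource.RLIMIT_CPU, (2, 2))  # cap runaway parsing
            body = parse_record(data)
            # Constructed stand-in for a signature check.
            os.write(wfd, b"reject" if b"EVIL" in body else b"clean")
        except BaseException:
            os._exit(1)  # any parser failure stays inside the worker
        os._exit(0)
    os.close(wfd)
    verdict = os.read(rfd, 16)  # b"" (EOF) if the worker died before writing
    os.close(rfd)
    _, status = os.waitpid(pid, 0)
    if status != 0 or verdict not in (b"clean", b"reject"):
        return "worker-failed"
    return verdict.decode()
```

The privileged parent survives a worker that dies on malformed input, which is exactly the containment a monolithic root-level inspector lacks.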

Posted by Kurt.Seifried on Monday, October 23rd, 2006, at 8:00 am, and filed under Articles.
