Study Guide for NSE 1: Unified Threat Management (UTM)

February 1, 2016

This Study Guide is designed to provide information for the Fortinet Network Security Expert Program – Level 1 curriculum. The study guide presents discussions on concepts and equipment necessary as a foundational understanding for modern network security prior to taking more advanced and focused NSE program levels.

Fortinet Network Security Solutions
Contents
Figures ... iii
Unified Threat Management (UTM) ... 1
  The Key to UTM: Consolidation ... 1
  UTM Features ... 2
  UTM Distributed Enterprise Advanced Features ... 3
  Extended UTM Features ... 5
  Evolving UTM Features ... 5
  UTM Functions ... 8
  Where UTM Fits In… ... 9
  UTM: Scalable Deployment ... 10
  Summary ... 12
Key Acronyms ... 13
Glossary ... 15
References ... 16

Figures
Figure 1. Legacy network security add-ons vs. UTM architecture ... 1
Figure 2. Unified Threat Management (UTM) ... 2
Figure 3. LAN control ... 6
Figure 4. Typical Power over Ethernet (PoE) cable configuration ... 7
Figure 5. UTM scalability ... 10
Figure 6. Fortinet’s concept of “Connected UTM” ... 11


Unified Threat Management (UTM)


Unified Threat Management (UTM) is a security management approach providing administrators the
ability to monitor and manage multiple security-related applications and infrastructure components
through a single management console. Through this simplified management approach, UTM provides
administrators the ability to protect both local and branch offices from potential threats, rather than
having to depend on coordination with remote site administrators or multiple control panels. This
integrated approach to security control is an extension of the philosophy that resulted in integration of
multiple security functions into hardware and software appliances, compared to legacy network security
systems that used single- or dual-function add-on appliances that resulted in complex hardware,
software, and management control systems (Figure 1).

Figure 1. Legacy network security add-ons vs. UTM architecture

UTM provides administrators the ability to monitor and manage multiple, complex security-related
applications and infrastructure components through a single management console. Because UTM is
designed as an integrated solution, it does not suffer the problems of network address translation,
overheating, or throughput difficulties caused by activating multiple security services in legacy systems.

The Key to UTM: Consolidation


Similar to NGFW, one of the strengths of UTM is integration of components and functions into both
hardware appliances and associated security software applications. The advantage to UTM is that it goes
beyond the NGFW focus of high performance protection of data centers by incorporating a broader
range of security capabilities to provide administrator-friendly, threat-unfriendly management. Using
firewall capabilities as a foundation, UTM integrates additional VPN, intrusion detection and prevention,
and secure content management capabilities.

UTM Features
UTMs are generally acquired as either cloud services or network appliances, and integrate firewall,
intrusion detection system (IDS), anti-malware, spam and content filtering, and VPN capabilities
(Figure 2). These can be installed and updated as necessary to keep pace with emerging threats.[1]

Figure 2. Unified Threat Management (UTM).

Firewall. The most basic, necessary, and widely deployed network security technology, which uses sets of rules
or policies to determine which traffic is allowed into or out of a system or network. UTM builds on this
foundation to integrate—rather than add on—enhanced security capabilities.[2]

Intrusion Detection System (IDS). IDS is capable of detecting potential threats to the network, but does
not react by sending a message to the firewall to block the threat.[2] IDS is an integrated feature in
Intrusion Prevention System (IPS).

Antivirus/Antimalware. Antivirus/Antimalware (AV/AM) provides multi-layered protection against
viruses, spyware, and other types of malware attacks. It enables scanning e-mail for viruses, but it
doesn’t stop there. You can also apply anti-virus protection to File Transfer Protocol (FTP) traffic, instant
messaging (IM), and web content at the network perimeter. Some solutions support Secure Sockets
Layer (SSL) content scanning, which means that you can protect the secure counterparts to those types
of traffic as well, such as HTTPS, SFTP, POP3S, and so on. A UTM virus filter examines all files against a
database of known virus signatures and file patterns for infection. If no infection is detected, the file is
sent to the recipient. If an infection is detected, the UTM solution deletes or quarantines the infected
file and notifies the user.[3]

Antispam. This is a module that detects and removes unwanted email (spam) messages by applying
verification criteria to determine whether the email fits defined parameters for spam traffic. These
parameters may be as simple as a list of senders identified by a user, or comparison against databases of
known bad messages and spam server addresses[2]. Anti-spam filtering can block many Web 2.0 threats
like bots, many of which arrive in your users’ e-mail boxes. The multiple anti-spam technologies
incorporated into UTM detect threats through a variety of techniques[3].

Content filtering. Content filters block traffic to and/or from a network by IP address, domain
name/URL, type of content (for example, “adult content” or “file sharing”), or payload. They maintain a
whitelist of trusted sites and a blacklist of forbidden sites to prevent users from violating acceptable use
policies or being exposed to malicious content.[3]

VPN. A Virtual Private Network (VPN) uses special protocols to move packets of information across the
Internet securely. In general, VPN protocols encrypt traffic going from sender to receiver. This makes
such traffic appear completely garbled to anyone that might intercept and examine those packets while
they’re on the Internet. VPNs use encryption to protect the traffic they carry from unauthorized access.
Because the VPN packets wrap the encrypted data inside a new protocol envelope — a technique
known as encapsulation — a VPN creates a private, encrypted “tunnel” through the Internet. [3]

UTM Distributed Enterprise Advanced Features


Enterprise customers may have access to more advanced features, such as identity-based access
control, load balancing, intrusion prevention (IPS), Quality of Service (QoS), SSL/SSH inspection, and
application awareness[1].

Access (Application) control. Application control can identify and control applications, software
programs, network services, and protocols. In order to protect networks against the latest web-based
threats, application control should be able to detect and control Web 2.0 apps like YouTube, Facebook,
and Twitter. Enterprise-class app control provides granular policy control, letting you allow or block
apps based on vendor, app behavior, and type of technology. For example, you can block specific sites,
block only your users’ ability to follow links or download files from sites, or block games but allow chat.

Another feature of application control is the ability to enforce identity-based policies on users. The UTM
system tracks user names, IP addresses, and Active Directory user groups. When a user logs on and tries
to access network resources, UTM applies a firewall policy based on the requested application or
destination. Access is allowed only if the user belongs to one of the permitted user groups.
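The identity-based policy logic described in the two paragraphs above can be shown in a few dozen lines. The following is an added example written for this guide, not Fortinet or FortiOS code: the user-to-IP mapping, group memberships, application names and policy table are all constructed, and a real UTM would populate them from logon events, a directory such as Active Directory, and its application control engine. The policy table is ordered, the first match decides, and anything unmatched hits an implicit deny.

```python
"""Identity-based firewall policy evaluation (added example, not Fortinet code).

The UTM knows which user sits behind a source IP (learned at logon), which
directory groups that user belongs to, and which application a flow carries.
A policy matches on source subnet, application and group; the first matching
policy decides. All users, groups and policies below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed identity data: what the UTM learned when each user logged on.
USER_BY_IP = {"10.0.1.15": "alice", "10.0.1.22": "bob", "10.0.2.40": "carol"}
GROUPS_BY_USER = {
    "alice": {"Domain Users", "Finance"},
    "bob": {"Domain Users", "Engineering"},
    "carol": {"Domain Users"},
}


@dataclass
class Policy:
    name: str
    action: str                                # "allow" or "deny"
    src: str = "0.0.0.0/0"                     # source subnet the policy covers
    apps: set = field(default_factory=set)     # empty = any application
    groups: set = field(default_factory=set)   # empty = any user, even unknown


@dataclass
class Flow:
    src_ip: str
    app: str        # application identified by the control engine
    dst: str = ""   # destination, informative only in this example


# Constructed policy table: ordered, first match wins, implicit deny at the end.
POLICIES = [
    Policy("finance-to-payroll", "allow", "10.0.0.0/8", {"payroll"}, {"Finance"}),
    Policy("block-games-everyone", "deny", apps={"games"}),
    Policy("staff-web-and-chat", "allow", "10.0.0.0/8",
           {"http", "https", "chat"}, {"Domain Users"}),
]


def identify_user(flow):
    """Return (user, groups) for the flow's source IP; unknown IPs get no groups."""
    user = USER_BY_IP.get(flow.src_ip)
    return user, GROUPS_BY_USER.get(user, set())


def evaluate(flow, policies=POLICIES):
    """Return (action, policy_name); flows matching no policy hit the implicit deny."""
    _user, groups = identify_user(flow)
    for p in policies:
        if ip_address(flow.src_ip) not in ip_network(p.src):
            continue
        if p.apps and flow.app not in p.apps:
            continue
        # Group-scoped policies require membership in at least one listed group.
        if p.groups and not (groups & p.groups):
            continue
        return p.action, p.name
    return "deny", "implicit-deny"


if __name__ == "__main__":
    for f in [Flow("10.0.1.15", "payroll"), Flow("10.0.1.22", "payroll"),
              Flow("10.0.1.22", "games"), Flow("10.0.2.40", "chat"),
              Flow("10.0.9.9", "https")]:
        print(f.src_ip, f.app, "->", evaluate(f))
```

Note that an IP address with no logon record (the last flow) matches no group-scoped policy at all, so it lands on the implicit deny; that is the behaviour the text describes, where access is granted only to members of a permitted group.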

Load balancing. Load balancing distributes traffic and routes content across multiple web servers. This
load balancing increases application performance and improves resource utilization and application stability
while reducing server response times. With data compression and an independent SSL encryption
processor, this capability further increases transaction throughput and reduces the processing load on
web servers, providing additional acceleration for web application traffic.

Intrusion Prevention System (IPS). An IPS acts as a network’s watchdog, looking for patterns of network
traffic and activity, and records events that may affect security. An IPS issues alarms or alerts for
administrators, and is able to block unwanted traffic. An IPS also routinely logs information as events occur,
so it can provide information to better handle threats in the future, or provide evidence for possible
legal action[3]. IPS is the best way to detect threats trying to exploit network vulnerabilities.

Quality of Service (QoS). QoS refers to a network’s ability to achieve maximum bandwidth and deal with
other network performance elements like latency, error rate and uptime. Quality of service also involves
controlling and managing network resources by setting priorities for specific types of data (video, audio,
files) on the network. QoS is exclusively applied to network traffic generated for video on demand, IPTV,
VoIP, streaming media, videoconferencing and online gaming. [4]

SSL/SSH inspection. This provides the ability to inspect content encrypted by applications using the Secure
Sockets Layer (SSL) cryptographic protocol; to do so, the UTM performs a “man-in-the-middle” takeover of the SSL
traffic. This allows other inspections to be applied, such as DLP, web filtering, and antivirus/antimalware.
Some popular SSL-protected protocols are HTTPS, FTPS, and the mail protocols SMTPS, POP3S, and IMAPS.[2]

Application awareness. Web Application Security solutions provide specialized, layered application
threat protection for medium and large enterprises, application service providers, and SaaS providers.
FortiWeb application firewalls protect your web-based applications and internet-facing data. Automated
protection and layered security protect web applications from layer 7 DDoS and more sophisticated
attacks such as SQL Injection, Cross Site Scripting attacks, and data loss. The Web Vulnerability
Assessment module adds scanning capabilities to provide a comprehensive solution to meet your PCI
DSS section 6.6 requirements.

Tradeoffs. The main advantage of UTM is reduced operational complexity. In particular, reducing
operational complexity for network administrators increases the likelihood that they will use the
available protection features to optimize network security. However, while simplification offers the
advantage of security optimization by administrators, the main drawback may be that UTM becomes a
single point of failure (SPOF) in a system or network.

Extended UTM Features
One of the key factors that enables specialized UTM products to achieve the highest levels of
performance and boost network throughput is incorporating custom application-specific integrated
circuits (ASICs) into UTM hardware components. As discussed previously in the lesson Data Center
Firewall, using custom-designed ASICs presents a more challenging design process, but the tradeoff is
achieving the highest levels of system performance by having tailored the ASICs to the device
capabilities and intended functions. Even with high-performance ASICs, however, as more UTM
capabilities are activated performance will decrease. As with most highly efficient technologies, planning
and configuration are critical in achieving optimum performance and control when systems and
networks are brought online.

Expanding on the foundation of an integrated firewall, UTM builds additional capabilities to enhance
network security management. With ever-increasing data transfers between remote users, UTM
integrates capabilities not resident in NGFW. One of these is Data Leak Prevention (DLP) (sometimes
referred to as Data Loss Prevention), which helps prevent unauthorized transfer of information to someone
outside an organization by protecting the contents of email, web pages, and transferred files. DLP
provides strong control over data by methods such as inbound/outbound filtering and fingerprinting.

DLP filtering scans inbound and outbound files, searching for text strings and patterns that, when
compared against the DLP database, determine whether the content will be allowed, blocked, or
archived.

Fingerprinting consists of a method by which each document file is encoded with a unique
“fingerprint”—based on the fingerprint, DLP determines whether the document is a sensitive or
restricted file that should be blocked or if the file is allowed to be shared beyond the network.

DLP has the ability to scan and identify data patterns over supported scannable protocols—for example,
FortiGate systems are capable of detecting HTTP, FTP, SMTP, POP3, IMAP, and instant messaging
protocols for Yahoo, MSN, AOL, and ICQ messaging services[2]. A limitation of DLP, however, is that it is
subject to the same limitations as antivirus scanning—maximum file size, data fragmentation (but not
necessarily packet fragmentation), and encryption—all of which may limit effective data leak detection
and subsequent prevention.
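The two DLP methods just described, filtering and fingerprinting, reduce to a hash lookup and a pattern search. The block below is an added example for this guide, not FortiGate or FortiOS code: the registered document, the filter rules (a constructed “CONFIDENTIAL” marker and a 16-digit card-number shape) and the maximum scan size are all invented for illustration. It also models the size limitation named above: content larger than the scan limit passes through uninspected, which is exactly the gap a defender has to account for.

```python
"""DLP filtering and fingerprinting (added example, not FortiGate/FortiOS code).

* Fingerprinting: a sensitive document is registered by hashing its
  normalised text; an outbound file whose hash matches a registered
  fingerprint is blocked whatever its file name.
* Filtering: outbound text is searched for patterns, and the matching rule
  decides allow / block / archive.
* Limitation: files above MAX_SCAN_BYTES are passed through unscanned.

All documents, rules and the size limit are constructed for this example.
"""
import hashlib
import re

MAX_SCAN_BYTES = 10_000_000   # constructed limit; products make this configurable


def normalise(text):
    """Collapse whitespace and case so trivial edits do not change the fingerprint."""
    return " ".join(text.lower().split())


def fingerprint(text):
    return hashlib.sha256(normalise(text).encode("utf-8")).hexdigest()


# Constructed DLP database: registered fingerprints and ordered filter rules.
SENSITIVE_DOC = "Project Falcon - merger terms. Do not distribute outside the company."
FINGERPRINT_DB = {fingerprint(SENSITIVE_DOC): "merger-terms.docx"}

FILTER_RULES = [
    # (rule name, compiled pattern, action)
    ("card-number", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), "block"),
    ("confidential-marker", re.compile(r"\bCONFIDENTIAL\b"), "archive"),
]


def dlp_scan(text, size_bytes=None):
    """Return {'action': ..., 'reason': ...} for one outbound file or message."""
    size_bytes = len(text.encode("utf-8")) if size_bytes is None else size_bytes
    if size_bytes > MAX_SCAN_BYTES:
        # Limitation named in the text: oversized content is not inspected.
        return {"action": "allow", "reason": "exceeds max scan size, not scanned"}
    fp = fingerprint(text)
    if fp in FINGERPRINT_DB:
        return {"action": "block", "reason": "fingerprint match: " + FINGERPRINT_DB[fp]}
    for name, pattern, action in FILTER_RULES:
        if pattern.search(text):
            return {"action": action, "reason": "filter rule: " + name}
    return {"action": "allow", "reason": "no match"}


if __name__ == "__main__":
    for sample in [SENSITIVE_DOC,
                   "Please pay with card 4111 1111 1111 1111 today",
                   "CONFIDENTIAL: quarterly forecast",
                   "Lunch at noon?"]:
        print(dlp_scan(sample))
```

Because the fingerprint is taken over normalised text, a copy of the registered document with different capitalisation or spacing still matches; a document that has been paraphrased or encrypted does not, which is the encryption limitation the text mentions.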

Evolving UTM Features


As mentioned previously, UTM is a user-simplified, protection-complex, integrated concept with the
ability to evolve as technologies, user trends, and threats evolve. With this focus on being flexible and
future-ready, additional technologies are increasingly being integrated to UTM devices. Among these
capabilities—suited to various size networks—are switching, Wireless Local Area Network (WLAN)
control, and Power-over-Ethernet (POE).

Switching. By integrating switching into UTM, the capability to manage switching is added to single
control console security management. This again reduces the number of physical hardware devices and
control monitors necessary to manage the UTM system. From this integrated control panel, individual
ports can be switched on or off to physically isolate network traffic. This is important, because some
applications attempt to use port 80 to avoid detection by traditional port-based firewall security
systems. Port 80 is the primary port used by the World Wide Web (WWW) and is how web servers
“listen” for incoming unsecure (HTTP) connections from web browsers. This is a primary port through
which malicious code tries to sneak in via Internet applications. Conversely, secure WWW
connections are monitored through port 443 (HTTPS) using TLS/SSL security protocols.

Figure 3. LAN control.

Wireless LAN (WLAN). Integrating the WLAN into UTM provides more than added economy of
hardware. Integrating WLAN into UTM provides a simplified method to ensure each network on the full
infrastructure—physical, WLAN, and VPN—may be controlled together to maintain consistent security
policies and controls across all networks on the control interface. This approach also detects and
eliminates potential “blind spots” and better prevents unauthorized or rogue wireless access to the
combined network. WLAN is also important for SMB networks where secure wireless coverage must
take the place of non-existent cable-based network connectivity, such as rented small office spaces.

With continued increases in mobile computing and BYOD operations, many people in today’s
technologically-empowered workforce expect the ability to replicate their office environment wherever
they happen to be conducting business. Because of the many variables involved in such an endeavor—
variations in available Internet speeds, availability of secured versus open networks, volume of users on
remote networks, the cost of high-speed links, and so forth—a technique needs to be available to
enable effective remote communication for authorized network users. In this situation, a process called
WAN Optimization (WANOpt) is such a technique for use with UTM-empowered network infrastructures
(Figure 3).

WANOpt provides improved application and network performance to authorized remote users through
five primary methods [3]:

• Protocol optimization. Improves efficiency of FTP, HTTP, TCP, and other protocols to accelerate
network performance.
• Byte caching. Caches files and data to reduce the amount of data that must be sent across the WAN.
• Web caching. Stores/caches web pages to serve on request, avoiding reloading over the WAN and
reducing latency and delays between servers.
• SSL offloading. Offloads SSL decryption/encryption onto SSL acceleration hardware to boost
web server performance.
• Secure tunneling. Secures traffic crossing the WAN.

Power over Ethernet (PoE). PoE allows UTM to provide power to external devices, much like legacy
systems such as Universal Serial Bus (USB). With PoE, power can be supplied over Ethernet data cables
along extensive cable lengths, either on the same conductors as data or on a dedicated conductor in the
same cable (Figure 4). USB data + power capabilities are designed for up to 5m (16ft), compared to PoE
capability of up to 100m (330ft) or even more with new PoE-plus developments.

Figure 4. Typical Power over Ethernet (PoE) cable configuration

UTM applications utilizing PoE enable connection of Wireless Access Points, 3G/4G Extenders, Voice
over Internet Protocol (VoIP) handsets, and IP cameras to the network security platform while keeping
the devices away from system main power supplies. Depending on how it is applied, some advantages of
PoE over other technologies include: lower cost because of combined cabling for power and data, ability
to remotely cycle appliance power, and fast data rates.

3G/4G. 3G/4G extenders integrate with UTM to provide a secure WAN connection for SMB and
distributed enterprise locations, with ability to serve as a secondary failover connection to the wired
WAN link for business continuity or, if desired, as a primary WAN link.

UTM Functions
UTM provides a number of integrated functions beyond the scope of NGFW. Two of these important
functions focus on threats inherent in platform capabilities used daily by users in systems and networks of
all sizes, from personal computers, to smartphones and phablets, to networks and data center operations
and automated business functions. In particular, these common threats—which continue also to evolve
with technology and more widespread integration of technology components into common devices—include
email and “Surfing the Web.”

You may have heard on many different commercials—both online and on other media—the phrase “we
have an app for that!” Fortunately, UTM has apps—or solutions—to help protect your networks from
these continually evolving threats.

Antispam. One of the most widely used “buttons” on email applications is the one that allows users to
designate messages from a particular sender as “spam,” thereby delegating it to be routed to a folder for
which the user receives no alert when the message arrives, and from which the message is often
automatically deleted at a programmed periodicity. UTM has an integrated Anti-Spam function as well,
acting as a filter to block threats like bots—many of which arrive in user email boxes. The multiple
anti-spam capabilities integrated into UTM may detect threats using a variety of methods, including:

• Blocking known spam IP addresses to prevent receipt.
• Blocking messages with any URL in the message body associated with known spam addresses.
• Comparing message “hashes” against those for known spam messages. Those that match may
be blocked without knowledge of actual message content.
• Comparing the client IP address and sender email address to stored whitelist/blacklist profiles.
Whitelist matches get through; blacklist matches get blocked.
• Conducting a DNS lookup on the domain name to see if the domain exists or is blacklisted.
• Blocking email based on matching message keywords or key phrases in a banned word/phrase
filter list. [3]
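Each of the six methods in the list above is a cheap, independent check, which is why a UTM can stack them. The following is an added example written for this guide, not Fortinet code: it runs all six checks over constructed messages. The reputation data, whitelist/blacklist entries and known-spam hash are invented, and the DNS lookup is replaced by an in-memory table (SIMULATED_DNS) so the example runs offline; a real filter would query DNS and vendor reputation feeds. As the text states, a whitelist match short-circuits every other check.

```python
"""Multi-technique anti-spam filter (added example, not Fortinet code).

Runs the six checks listed in the text over a message dict with the keys
client_ip, sender and body. All addresses, domains, hashes and messages are
constructed; DNS is simulated with a local table so the code runs offline.
"""
import hashlib
import re
from urllib.parse import urlparse

# Constructed reputation data.
SPAM_IPS = {"203.0.113.7"}
SPAM_URL_DOMAINS = {"cheap-pills.example"}
BANNED_PHRASES = ["free money", "act now"]
WHITELIST = {"ip": {"192.0.2.10"}, "sender": {"boss@corp.example"}}
BLACKLIST = {"ip": {"198.51.100.5"}, "sender": {"spammer@junk.example"}}
# Simulated DNS: domain -> (exists, listed on a DNS blocklist)
SIMULATED_DNS = {
    "corp.example": (True, False),
    "junk.example": (True, True),
    "cheap-pills.example": (True, True),
}

URL_RE = re.compile(r"https?://\S+")


def message_hash(body):
    """Hash of the whitespace-normalised body, used to match known spam copies."""
    return hashlib.sha256(" ".join(body.split()).encode("utf-8")).hexdigest()


# Constructed "known spam" corpus, stored as hashes only.
KNOWN_SPAM_HASHES = {
    message_hash("You have won! Claim your prize at http://cheap-pills.example/win"),
}


def classify(msg):
    """Return (verdict, reasons); verdict is 'spam' or 'ham'."""
    sender_domain = msg["sender"].rsplit("@", 1)[-1].lower()

    # 4a. Whitelist matches get through before any other check runs.
    if msg["client_ip"] in WHITELIST["ip"] or msg["sender"] in WHITELIST["sender"]:
        return "ham", ["whitelist match"]

    reasons = []
    # 1. Known spam source IP.
    if msg["client_ip"] in SPAM_IPS:
        reasons.append("known spam IP")
    # 2. URL in the body pointing at a known spam domain.
    for url in URL_RE.findall(msg["body"]):
        if urlparse(url).hostname in SPAM_URL_DOMAINS:
            reasons.append("spam URL: " + url)
    # 3. Hash match against known spam messages (content itself not needed).
    if message_hash(msg["body"]) in KNOWN_SPAM_HASHES:
        reasons.append("known spam hash")
    # 4b. Blacklist on client IP or sender address.
    if msg["client_ip"] in BLACKLIST["ip"] or msg["sender"] in BLACKLIST["sender"]:
        reasons.append("blacklist match")
    # 5. DNS lookup: does the sender domain exist, and is it blocklisted?
    exists, dnsbl = SIMULATED_DNS.get(sender_domain, (False, False))
    if not exists:
        reasons.append("sender domain does not resolve")
    elif dnsbl:
        reasons.append("sender domain on DNS blocklist")
    # 6. Banned word/phrase filter.
    lowered = msg["body"].lower()
    for phrase in BANNED_PHRASES:
        if phrase in lowered:
            reasons.append("banned phrase: " + phrase)

    return ("spam" if reasons else "ham"), reasons
```

Keeping the reasons alongside the verdict matters operationally: when a legitimate sender is blocked, the administrator can see which check fired (a stale DNS blocklist entry, say) instead of having to re-derive the decision from logs.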

Intrusion Prevention Systems (IPS). IPS performs a dual protection function. In the UTM environment,
IPS protects the internal network from attacks that originate from outside the network perimeter as well
as those that originate from within the network itself. IPS is also discussed as a component of NGFW—in
a UTM solutions environment, the IPS component provides a range of security tools to both detect and
block malicious activity, including:

• Predefined signatures. A database of malicious attack signatures is included, which is updated
regularly to keep pace with newly identified threats.
• Custom signatures. Customizable entries that add to the standard threat signature library to add
protection against new, little-known, or unknown attacks.
• Out-of-band mode. Alternately referred to as “one-arm IPS” mode, the component may be
programmed to operate as only an Intrusion Detection System (IDS), detecting but not acting
upon identified threats and attacks. In this configuration, such identified threats/attacks would
be analyzed on a separate switch port.
• Packet logging. This feature provides the option to save network packets that match identified
IPS signatures and analyze the log files with analysis tools.[3]
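The four capabilities in the list above fit in one small engine. The block below is an added example for this guide, not Fortinet IPS code: the signature database, the custom signature, the packets and the addresses are constructed, and the patterns are simple byte regexes rather than the protocol-aware decoders a real IPS uses. It shows what separates inline from one-arm operation (the match is recorded either way; only the verdict changes) and how packet logging keeps the matching packet for later analysis.

```python
"""Minimal IPS signature engine (added example, not Fortinet IPS code).

Demonstrates: a predefined signature set, custom signatures added to it,
inline (block) versus one-arm (detect-only, IDS-like) mode, and packet
logging of matches. Signatures, packets and addresses are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Signature:
    sid: int
    name: str
    proto: str          # "tcp" or "udp"
    dst_port: int       # 0 = any destination port
    pattern: re.Pattern  # compiled bytes regex applied to the payload
    severity: str


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: int
    payload: bytes


def make_signature(sid, name, proto, dst_port, regex, severity):
    """Helper so callers (and custom-signature authors) pass a plain regex string."""
    return Signature(sid, name, proto, dst_port, re.compile(regex), severity)


# Constructed "predefined" database, standing in for the vendor-shipped set.
PREDEFINED = [
    make_signature(1000, "HTTP directory traversal", "tcp", 80, rb"\.\./\.\./", "high"),
]


class IPS:
    def __init__(self, mode="inline", log_packets=True):
        if mode not in ("inline", "one-arm"):
            raise ValueError("mode must be 'inline' or 'one-arm'")
        self.mode = mode                # one-arm = detect only, never block
        self.log_packets = log_packets
        self.signatures = list(PREDEFINED)
        self.events = []                # (sid, name, src, dst) per match
        self.packet_log = []            # matching packets kept for analysis

    def add_custom_signature(self, sig):
        """Custom entries extend the predefined library for new or local threats."""
        self.signatures.append(sig)

    def inspect(self, pkt):
        """Return 'pass' or 'drop'. Matches are recorded regardless of mode."""
        for sig in self.signatures:
            if sig.proto != pkt.proto:
                continue
            if sig.dst_port and sig.dst_port != pkt.dst_port:
                continue
            if sig.pattern.search(pkt.payload):
                self.events.append((sig.sid, sig.name, pkt.src, pkt.dst))
                if self.log_packets:
                    self.packet_log.append(pkt)
                return "drop" if self.mode == "inline" else "pass"
        return "pass"


if __name__ == "__main__":
    engine = IPS("inline")
    engine.add_custom_signature(
        make_signature(9001, "constructed beacon marker", "udp", 0, rb"BEACON-EXAMPLE-42", "medium"))
    for p in [Packet("198.51.100.9", "10.0.0.5", "tcp", 80, b"GET /static/../../private/ HTTP/1.1"),
              Packet("10.0.0.8", "203.0.113.20", "udp", 53, b"xBEACON-EXAMPLE-42x"),
              Packet("10.0.0.8", "10.0.0.5", "tcp", 80, b"GET /index.html HTTP/1.1")]:
        print(p.dst_port, engine.inspect(p))
    print(engine.events)
```

The same packet sent to port 8080 does not match the traversal signature because that entry is pinned to port 80; a custom signature with dst_port 0 applies to any port, which is the usual way to cover a locally discovered indicator before the vendor ships a signature for it.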

Where UTM Fits In…


As network magnitude and function complexity grow, so also must the capabilities of the security
apparatus. One consideration for both SMB and smaller, remote offices tied to a corporate
headquarters or central database is implementing UTM security as an all-in-one
solution that provides flexible, future-ready security that is user-friendly and threat-complex. Figure 5
illustrates how UTM may be deployed to support satellite branches in a distributed enterprise network,
while NGFW and Advanced Threat Protection (ATP) technology is maintained at the central office where
increased staff and capability exist to monitor and manage security parameters at all network locations.

Home Office / Headquarters. Next Generation Firewall (NGFW)

• Application Visibility & Control. Identify and control applications on a network regardless of the
port, protocol, or IP address used.
• Advanced Threat Protection (ATP). Sophisticated on-device and cloud-based detection and
mitigation techniques block Advanced Persistent Threats (APTs) that target specific people or
functions within an organization, and use extensive evasion techniques to remain stealthy for
long periods before exfiltrating data.

Remote / Branch Offices. Unified Threat Management (UTM)

• Content Security & Web filtering. Combines sophisticated filtering capabilities together with a
powerful policy engine and cloud-based model to create a high performance and flexible web
content filtering solution.
• Antispam. Real-time email protection against spam.
• IPS/IDS. Intrusion Detection and Prevention Systems monitor, log, identify and block malicious
network activity.


Figure 5. UTM scalability

UTM: Scalable Deployment


Because UTM may be configured to provide network security tailored to specific environments, UTM is
designed for deployment across a broad range of organizational needs. The integrated hardware and
software features of UTM make it ideal for SMB networks, while simultaneous control of wired, VPN,
and wireless infrastructure components provides the means for distributed enterprise and select large
enterprise deployment (Figure 5). Across these various deployment environments, UTM provides
enhanced and cost-effective network security options.

SMB networks. Simple controls and multiple scalable options. Provides option for control and scalable
security for businesses with limited physical space and IT staff, or branch offices where IT policy and
control is managed from a central location (Figure 5).

Distributed enterprise networks. Simultaneous control of wired, VPN, and wireless infrastructure
components, with centralized control with advanced features to effectively run operations up to a global
scale.

Like many other sectors of the technology industry, UTM deployment may be accomplished in various
ways. A common method for vendors—following traditional hardware procurement paradigms—was to
license UTM infrastructure based on the number of devices included in the deployment package. In
other words, the standard was an “a la carte” menu of options.

Figure 6. Fortinet’s concept of “Connected UTM”

However, in an effort to provide a better option for organizations wanting to upgrade to the UTM
security model, leading UTM companies developed a new licensing model that more closely reflects the
“bundle” model offered by cable and DSL companies (Figure 6). Fortinet, recognized by Gartner as a
leader in UTM development and implementation along with Check Point, offers a “bundle” concept that
includes the purchased hardware, software updates, security feature updates for all included security
components, and system support[2]. This not only provides simplified licensing and reduced costs, but
also enables better future budget planning for UTM system customers.

Summary
NGFW improved on the basic gatekeeping security of Edge Firewalls by introducing such features as IPS,
Deep Packet Scanning, Network Application Identification and Control, and Access Enforcement.
However, beyond those capabilities, additional security functions meant additional appliances and
software configurations, increasing operational complexity for the network administrator.

Because increased operational complexity often results in bypassing of processes in the interest of time
or administrator overload, development was needed for a new dynamic vision of a flexible, future-ready
security solution to meet the needs of today’s network environments and keep pace—or think ahead
of—advanced threats of the future. This dynamic, integrated network security concept—Unified Threat
Management (UTM)—is in place today and ready for tomorrow’s evolving challenges.

Overcoming the difficulties of patching together legacy systems with newer, state-of-the-art systems,
UTM brings flexibility, vision, power, and control to networks from SMB to large enterprises that have
international reach. Combining user-simple interfaces with threat-complex protections, as well as cost-
effective procurement, operations, and support, UTM provides an optimum system to best ensure
continued network operations in a secure environment.


Key Acronyms
AAA Authentication, Authorization, and Accounting
AD Active Directory
ADC Application Delivery Controller
ADN Application Delivery Network
ADOM Administrative Domain
AM Antimalware
API Application Programming Interface
APT Advanced Persistent Threat
ASIC Application-Specific Integrated Circuit
ASP Analog Signal Processing
ATP Advanced Threat Protection
AV Antivirus
AV/AM Antivirus/Antimalware
BYOD Bring Your Own Device
CPU Central Processing Unit
DDoS Distributed Denial of Service
DLP Data Leak Prevention
DNS Domain Name System
DoS Denial of Service
DPI Deep Packet Inspection
DSL Digital Subscriber Line
FTP File Transfer Protocol
FW Firewall
GB Gigabyte
GbE Gigabit Ethernet
Gbps Gigabits per second
GSLB Global Server Load Balancing
GUI Graphical User Interface
HTML Hypertext Markup Language
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
IaaS Infrastructure as a Service
ICMP Internet Control Message Protocol
ICSA International Computer Security Association
ID Identification
IDC International Data Corporation
IDS Intrusion Detection System
IM Instant Messaging
IMAP Internet Message Access Protocol
IMAPS Internet Message Access Protocol Secure
IoT Internet of Things
IP Internet Protocol
IPS Intrusion Prevention System
IPSec Internet Protocol Security
IPTV Internet Protocol Television
IT Information Technology
J2EE Java Platform Enterprise Edition
LAN Local Area Network
LDAP Lightweight Directory Access Protocol
LLB Link Load Balancing
LOIC Low Orbit Ion Cannon
MSP Managed Service Provider
MSSP Managed Security Service Provider
NGFW Next Generation Firewall
NSS NSS Labs
OSI Open Systems Infrastructure
OTS Off the Shelf
PaaS Platform as a Service
PC Personal Computer
PCI DSS Payment Card Industry Data Security Standard
PHP PHP Hypertext Protocol
POE Power over Ethernet
POP3 Post Office Protocol (v3)
POP3S Post Office Protocol (v3) Secure
QoS Quality of Service
Radius Protocol server for UNIX systems
RDP Remote Desktop Protocol
SaaS Software as a Service
SDN Software-Defined Network
SEG Secure Email Gateway
SFP Small Form-Factor Pluggable
SFTP Secure File Transfer Protocol
SIEM Security Information and Event Management
SLA Service Level Agreement
SM Security Management
SMB Small & Medium Business
SMS Simple Messaging System
SMTP Simple Mail Transfer Protocol
SMTPS Simple Mail Transfer Protocol Secure
SNMP Simple Network Management Protocol
SPoF Single Point of Failure
SQL Structured Query Language
SSL Secure Socket Layer
SWG Secure Web Gateway
SYN Synchronization packet in TCP
Syslog Standard acronym for Computer Message Logging
TCP Transmission Control Protocol
TCP/IP Transmission Control Protocol/Internet Protocol (Basic Internet Protocol)
TLS Transport Layer Security
TLS/SSL Transport Layer Security/Secure Socket Layer Authentication
UDP User Datagram Protocol
URL Uniform Resource Locator
USB Universal Serial Bus
UTM Unified Threat Management
VDOM Virtual Domain
VM Virtual Machine
VoIP Voice over Internet Protocol
VPN Virtual Private Network
WAF Web Application Firewall
WAN Wide Area Network
WANOpt Wide Area Network Optimization
WLAN Wireless Local Area Network
XSS Cross-site Scripting


Glossary
AV/AM. Anti-virus/Anti-malware provides protection against virus, spyware, and other types of
malware attacks in web, email, and file transfer traffic. Responsible for detecting, removing, and
reporting on malicious code. By intercepting and inspecting application-based traffic and content,
antivirus protection ensures that malicious threats hidden within legitimate application content are
identified and removed from data streams before they can cause damage. Using AV/AM protection at
client servers/devices adds an additional layer of security.

NGFW. Next Generation Firewall provides multi-layered capabilities in a single firewall appliance instead
of a basic firewall and numerous add-on appliances. NGFW integrates the capabilities of a traditional
firewall with advanced features including:

• Intrusion Prevention (IPS)
• Deep Packet Inspection (DPI)
• Network App ID & Control
• Access Enforcement
• Distributed Enterprise Capability
• “Extra Firewall” Intelligence
• Third Party Management Compatibility
• VPN
• Application Awareness

IPS. Intrusion Prevention System (IPS) protects networks from threats by blocking attacks that might
otherwise take advantage of network vulnerabilities and unpatched systems. IPS may include a wide
range of features that can be used to monitor and block malicious network activity including out-of-
band mode (or one-arm IPS mode, similar to IDS). IPS can be installed at the edge of your network or
within the network core to protect critical business applications from both external and internal attacks.

Spam. Spam is usually considered to be electronic junk mail or junk newsgroup postings. Some people
define spam even more generally as any unsolicited email. Spam is generally email advertising for some
product sent to a mailing list or newsgroup.

UTM. Unified Threat Management (UTM) provides administrators the ability to monitor and manage
multiple, complex security-related applications and infrastructure components through a single
management console. The advantage to UTM is that it goes beyond the NGFW focus of high
performance protection of data centers by incorporating a broader range of security capabilities as
either cloud services or network appliances, integrating:

• Intrusion Prevention (IPS)
• Content Filtering
• Quality of Service (QoS)
• Anti-Malware
• VPN Capabilities
• SSL/SSH Inspection
• Anti-Spam
• Load Balancing
• Application Awareness
• Identity-based Access Control

VPN. Virtual Private Network (VPN) is a network that is constructed by using public wires — usually the
Internet — to connect to a private network, such as a company's internal network. VPNs use
encryption and other security mechanisms to ensure that only authorized users can access the network
and that the data cannot be intercepted.


References
1. Rouse, M. Unified Threat Management Devices: Understanding UTM and its Vendors. Essential
Guide, 2014.
2. Tam, K., et al., UTM Security with Fortinet: Mastering FortiOS. 2013, Waltham, MA: Elsevier.
3. Tittel, E., Unified Threat Management for Dummies. 2012, Hoboken, NJ: John Wiley & Sons.
4. Janssen, C., Quality of Service (QoS), in Techopedia.com. n.d.
