UTM Solutions Evaluation in Virtual Environments

UTM Solutions Evaluation in Virtual Environments

Andrea Covello
by Andrea Covello
time to read: 7 minutes

Over the course of renewing or updating their IT and network infrastructure many clients will make extensive use of IT infrastructure and network virtualization. During this process, there is a need to address the rising Intranet threat level. The traditional perimeter security paradigm alone is no longer sufficient.

Therefore a solution is in demand that allows segmenting the site network into many (typically 5 to some 100 in extreme cases) network zones. The traffic between these zones should be controlled in such a way that unwanted traffic is blocked and allowed traffic is intelligently analyzed to eventually stop malware from spreading. It should also stop attacks and attempts at using backdoors or remote control of the system.

By making extensive use of VLAN technology (IEEE 802.1q), it should be possible to invent a central point of intervention. This article wants to help generate a questionnaire with the goal to help customers to get an overview of vendors, products and technology best suitable to act as such central point of intervention.

The following picture shows a rather generic overview of the architectural design of such solution:

Generic architecture of a central point of intervention - Click to enlarge

A more advanced version of the same architecture could look like this:

Advanced architecture of a central point of intervention - Click to enlarge


The typical site, for which the envisioned solution is intended, will make heavy usage of hardware virtualization and IEEE 802.1q based network virtualization. VLANs will not only exist on top of the server virtualization platform but also within the site’s physical LAN infrastructure.

A central point of intervention is foreseen, where all VLANs connect to and all traffic between network zones can be controlled (see picture above). Depending on the site’s IT infrastructure and risk profile, the central point of intervention could materialize as a virtual or physical appliance. The products, which will be selected as standard, should be available in both shapes or at least allow for an easy integration into the highly virtualized infrastructure.


For the depicted IT and network environment, clients need an UTM gateway, which protects Intranet sites from each other and internally divides the site network into security zones. It also isolates failure and attacks within the single affected zone and provides alerts and information about incidents above a certain level of criticality.

All traffic that can be blocked on a basis of the IP protocol header should be blocked. For all other traffic it should be possible to decide if and what further inspection of the payload should be done. After such inspection further actions should be decided on, like blocking, alerts and/or logging.


We define an UTM to be a network security device that at least fulfills the following requirements:

  1. UTM Intranet Gateway as virtual appliance or as physical appliance
  2. Packet filtering Firewall (context sensitive)
  3. Takes advantages of hypervisor technology (introspection)
  4. Includes IPS/DPS and content inspection engine
  5. Allows (layer 2) interface spec. in filtering/blocking/logging rules
  6. Malware detection (IPS/DPI, signature based)
  7. Malicious remote control detection (IPS/DPI, signature based)
  8. Attack and malware detection, heuristic/behavioral based
  9. Specify which protocols are known and supported for requirements 6, 7 and 8
  10. Specify how often and when (triggers) you deliver updates of signatures. How long will it take to deliver a dedicated update to mitigate a new high risk vulnerability?
  11. Allows application of IPS/DPI engine only on an as-needed basis (pre-selection packet filter)
  12. Allows flexible configurable logging rules
  13. Provide MITM HTTPS proxy, configurable (pre-selection packet filter). Note that HTTP can be analyzed with or without a proxy.
  14. IPS, allow the detection of encrypted data in arbitrary streams
  15. IEEE 802.1q support with at least 1000 VLANs
  16. Trunking with virtual and physical switches
  17. Bridging connections to vNICs, untagged min. 128 VLANs
  18. Routing between zones, please specify routing protocols
  19. Describes the possible high availability and load balancing options which your product provides
  20. Allows easy fall back to previous rule/configuration set(s). Allows to maintain several rule sets, with easy switching to active state.
  21. Update service: provides IPS/DPI compensating control rule packages for new high risk attack patterns
  22. Intelligent self-diagnosis to alert on conflicting and/or highly vulnerable rule sets
  23. Is it possible to manage many of such devices from a central location? If so, does it support three or more management centers with a formal handover process?
  24. Allows tamper safe logging, i.e. is it possible to configure logging in such a way that log entries, once written, cannot be deleted or changed.
  25. Allows to be tied into market leaders log analysis solutions
  26. Worldwide second and third level support availability
  27. Is it protected against self-lockout with remote management?
  28. Has detection and protection against unauthorized changes to its core operational modules (assured self-operation)


Because money is always important, we need to take a closer look to the possible costs you should ask to provide an example configuration of a physical appliance and a virtual appliance along with rough cost figures for the following two scenarios:

Costs for other mandatory or strongly suggested parts or services

Scenario 1: very small (XS)

Scenario 2: large (L)

I hope this article will give you a hint on what to look out for your day-to day fight to secure your (virtual) environment.

About the Author

Andrea Covello

Andrea Covello has been working in information security since the 1990s. His strengths are in engineering, specializing in Windows security, firewalling and advanced virtualization.

You want to test the security of your firewall?

Our experts will get in contact with you!

Data Transfer with SSID

Data Transfer with SSID

Tomaso Vasella

About M3gan

About M3gan

Marisa Tschopp

Prototype Pollution

Prototype Pollution

Andrea Hauser

Hidden Dangers of Phishing Attacks

Hidden Dangers of Phishing Attacks

Marius Elmiger

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here