Unified Threat Management

Unified Threat Management (UTM), also called Unified Security Management (USM), is an all-in-one information security solution. The first UTMs appeared in 2004 as network attacks became too sophisticated to be fended off by conventional firewalls. Unified threat management is the next evolutionary stage of the conventional firewall and includes all the functionality needed to protect sensitive data. To take information security to the next level, a UTM also includes additional security subsystems, such as network intrusion detection and prevention, gateway anti-virus, firewall, and VPN.


The term “unified threat management” was first used by International Data Corporation (IDC), a U.S.-based market research company that, among other things, specializes in information technology and telecommunications. The key advantage of UTM is that the user gets an all-inclusive security product that performs all the necessary functions, including anti-virus protection, content filtering, and network intrusion prevention (IPS), which is much more convenient than having to manage several security products.


UTM architecture

UTM can be implemented either as a software solution (installed on a dedicated server or running as a virtual machine) or as a hardware-based system. In the latter case, the UTM system uses not only the general-purpose CPU, but also some special-purpose processors. As a result, a UTM gateway can handle 1 Gbps or more.

Content processor

The content processor is designed to quickly inspect suspicious network traffic (including archived files) by comparing it against the threat signatures stored in memory. The traffic is processed on the general-purpose CPU, which improves the performance of the IPS and the anti-virus.

Network processor

The network processor quickly processes network traffic to reduce the load on other system components. It also performs encryption, network address translation, and TCP segment handling. Even if the data have been deliberately fragmented to evade security systems, the network processor can detect a threat by reordering the fragments and reconstructing the actual destination of the resulting data packets.
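The reordering step described above is what lets an inspection engine catch a signature that has been split across segment boundaries. The following is an added example, not code from the original article or any vendor: a minimal TCP stream reassembler with a constructed sample stream and a constructed signature pattern, showing that per-segment matching misses the token while matching on the reassembled stream finds it.

```python
import re
from typing import Iterable, List, Tuple

Segment = Tuple[int, bytes]  # (relative TCP sequence number, payload)

# Constructed signature pattern; a real IPS carries thousands of these.
SIGNATURE = re.compile(rb"cmd\.exe")

# Constructed sample stream: one HTTP request delivered as three
# out-of-order segments plus a retransmitted copy of the middle one.
# The first boundary falls inside "cmd.exe", so no single segment
# contains the whole token.
SEGMENTS: List[Segment] = [
    (25, b"ami HTTP/1.1\r\n"),
    (0, b"GET /run?x=cm"),
    (13, b"d.exe /c who"),
    (13, b"d.exe /c who"),  # retransmission; must not be counted twice
]


def match_per_segment(segments: Iterable[Segment], sig=SIGNATURE) -> bool:
    """Naive inspection: look at each segment in isolation."""
    return any(sig.search(payload) for _, payload in segments)


def reassemble(segments: Iterable[Segment]) -> bytes:
    """Order segments by sequence number, drop overlapping bytes, refuse gaps."""
    stream = bytearray()
    expected = 0
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > expected:
            # A hole in the stream: nothing sound can be said about it yet.
            raise ValueError(f"gap in stream at seq {expected}")
        # Overlap (retransmission): keep only bytes not already seen.
        stream += payload[expected - seq:]
        expected = max(expected, seq + len(payload))
    return bytes(stream)


def match_reassembled(segments: Iterable[Segment], sig=SIGNATURE) -> bool:
    """Inspect the reassembled stream, as the network processor does."""
    return sig.search(reassemble(segments)) is not None
```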

Security processor

The security processor greatly improves the performance of the anti-virus, data loss prevention, and network intrusion prevention (IPS) subsystems. By taking over high-complexity computational tasks, it significantly reduces the CPU load.


Software components

Firewall

The multi-level firewall protects users from attacks not only at the network layer, but also at the application layer by allowing only authenticated users to access internal data. The network administrator can assign different access privileges to different users. The multi-level firewall supports network address translation (NAT) and conceals the LAN architecture from the external network.

IPsec VPN

Using this component, the network administrator can quickly and easily build secure virtual private networks based either on encryption domains or on routing rules, so that encryption, authentication, and access control are combined in one place. Remote users, sites, or networks can securely connect to these virtual private networks.

URL filtering

This component helps the network administrator prevent employees from accessing certain websites by filtering unwanted URLs. It can handle a large URL database and lets the administrator work with content categories. It also supports white and black lists for users or servers.
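The decision logic behind such a filter (category database plus per-user allow and block lists) can be written compactly. The following is an added example, not code from the article or any UTM product; the category database, the blocked categories and the per-user lists are all constructed sample data, and the precedence order (user block list, then user allow list, then category policy, then default allow) is an assumption made for the example.

```python
from urllib.parse import urlsplit

# Constructed category database: hostname -> category. A real UTM ships a
# large vendor-maintained database; this is example data only.
CATEGORIES = {
    "example-casino.test": "gambling",
    "social.example": "social-media",
    "updates.vendor.example": "software-updates",
}

# Categories the administrator has chosen to block for everyone (constructed).
BLOCKED_CATEGORIES = {"gambling", "social-media"}

# Per-user lists (constructed). Lists take precedence over categories,
# and a block entry beats an allow entry for the same user.
USER_LISTS = {
    "alice": {"allow": {"social.example"}, "block": set()},
    "bob": {"allow": set(), "block": {"updates.vendor.example"}},
}


def _host(url: str) -> str:
    """Normalise the hostname: lower-case, no trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def _listed(host: str, entries) -> bool:
    """True if host equals a list entry or is a subdomain of one."""
    return any(host == e or host.endswith("." + e) for e in entries)


def _category(host: str):
    """Walk up the labels so a subdomain inherits its parent's category."""
    labels = host.split(".")
    for i in range(len(labels)):
        cat = CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


def decide(user: str, url: str) -> str:
    """Return 'allow:<reason>' or 'block:<reason>' for this user and URL."""
    host = _host(url)
    lists = USER_LISTS.get(user, {"allow": set(), "block": set()})
    if _listed(host, lists["block"]):
        return "block:user-list"
    if _listed(host, lists["allow"]):
        return "allow:user-list"
    cat = _category(host)
    if cat in BLOCKED_CATEGORIES:
        return f"block:category:{cat}"
    return "allow:default"
```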

Anti-virus and anti-spam

The anti-virus subsystem checks traffic for malicious code at the security gateway before any malware can reach the user’s hard drive. The POP3, FTP, HTTP, and SMTP protocols are supported. The anti-virus subsystem can also scan compressed files.


The anti-spam subsystem blocks spam by analyzing the sender’s IP address reputation and by comparing the received data packets to the white and black lists. Network intrusion prevention (IPS) protects the mail server from DDoS attacks and buffer overflow attacks. The whole email message content is scanned for malicious code.

Clustering

Clustering increases the UTM’s performance by balancing the load between multiple computing cores. If traffic is properly balanced between several gateways, the whole system also becomes more fault-tolerant: if a gateway fails, another one takes over its traffic.

Safe web surfing

This component analyzes the current web session for the presence of malicious code. It not only detects executable code but also determines its threat level, and blocks malicious code before it can reach the user’s computer. To prevent possible network attacks, the safe web surfing subsystem can hide information about the server in the HTTP response.


Why UTMs became necessary

As more and more major companies were falling victim to network attacks and hacks, it became obvious that UTMs should be used to prevent viruses and worms from getting into the corporate network.


Nowadays attackers have a rich choice of techniques at their disposal for breaking into low-security systems. The major problems of modern companies are lax data security practices and unauthorized access to data by insiders. In a number of highly publicized cases, lax data security resulted in huge financial losses. Nonetheless, only recently have major companies recognized the need to control data access by employees and to use specialized solutions that better protect data in the corporate network, so that confidential information cannot be easily disclosed or compromised.


The purpose of a UTM is to provide a full range of applications that protect data from third parties. UTMs are easy to use and constantly evolving, so they can respond to increasingly sophisticated network attacks and stop attackers in good time.


Similar solutions: NGFW

UTM has an analog: the Next Generation Firewall (NGFW). The NGFW is a hardware-based system that is very similar to Unified Threat Management. But unlike UTMs, which were intended for medium-sized enterprises, the NGFW was developed for use by major companies. Initially the NGFW developers tried to combine filtering by ports and protocols with protection from network attacks and application-layer traffic analysis.


Commercially available UTM technologies

According to the latest research, the UTM market is going to grow by 15 percent in 2016–2020. The major UTM vendors are:

  • Dell (Dell SonicWALL)
  • Cisco (Cisco ASA-X)
  • Check Point Software Technologies
  • Juniper Networks
  • Fortinet
  • Sophos
  • Kerio (now part of GFI)

Russia-based UTM vendors:

  • Entensys (UserGate UTM)
  • A-Real (Internet Control Server)
  • Smart-Soft (Traffic Inspector)

UTM: An all-inclusive solution

Using single-function network solutions has become unreasonable due to the complexity of managing such solutions and integrating them together, which is very costly in terms of both time and money. Modern network security requires a comprehensive approach, combining the functions of all systems that used to work separately in an all-in-one solution. This approach ensures high performance and helps to solve security problems faster and more efficiently.


Using one UTM solution instead of several different devices makes it easier for the network administrator to manage the corporate network security strategy. Thankfully, all UTM components can be configured via one console, but there was a time when this would have required using multiple hardware interfaces and software UIs.


If your company has remote offices and remote servers, a UTM solution can both enable centralized management of remote networks and protect them.


Advantages:

  • Fewer security devices;
  • Fewer software applications (and less money for their maintenance);
  • User-friendly interface with a wide range of settings and a web UI; extensible architecture;
  • Faster personnel training thanks to using a single device.

Disadvantages:

  • A single point of failure (though some UTMs support clustering);
  • If the UTM cannot handle the network’s maximum data transfer rate, it may have a negative impact on network capacity and response time.
