Unified Threat Management: Centralizing Network Security

June 6, 2024

Unified Threat Management (UTM) consolidates multiple security services, including your firewall, intrusion detection/prevention systems (IDS/IPS), antivirus, VPN, and content filtering, into a single device or service. 

Instead of juggling several different security tools, UTM allows you to manage everything from one central point, reducing the administrative burden and the potential for configuration errors.

Components of a UTM service


Firewalls act as gatekeepers, monitoring and controlling incoming and outgoing network traffic based on security rules. They help maintain Quality of Service (QoS) policies by blocking or allowing traffic as needed.

Consider running a VoIP service alongside regular web traffic. A firewall can be configured to prioritize VoIP traffic over less critical web traffic. This ensures that call quality remains high even during peak usage times.

Here’s a simple example of how you might configure an iptables firewall on a Linux server to prioritize VoIP traffic:

```bash
# Mark VoIP packets with a higher priority (preferred).
# PREROUTING sees packets arriving at this host (for example, a gateway
# forwarding them); locally generated traffic would be marked in OUTPUT instead.
iptables -A PREROUTING -t mangle -p udp --dport 5060 -j TOS --set-tos 0x10
iptables -A PREROUTING -t mangle -p udp --dport 5060 -j MARK --set-mark 1
# Apply QoS using tc (Traffic Control) to give high priority.
# Unclassified traffic falls into class 1:12 (htb default 12).
tc qdisc add dev eth0 root handle 1: htb default 12
tc class add dev eth0 parent 1: classid 1:1 htb rate 1000mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 100mbit ceil 1000mbit prio 1
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 900mbit ceil 1000mbit prio 2
# Send packets carrying firewall mark 1 to the high-priority class 1:10.
tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw flowid 1:10
```

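In this example, packets for UDP port 5060 (a common port for SIP-based VoIP) are marked with a higher priority. Using traffic control (tc), we ensure these packets are handled with the highest priority. This way, even if the network is congested, VoIP traffic will have precedence, maintaining call quality. Note that port 5060 carries SIP signaling; the voice media itself (RTP) usually flows on separate UDP ports negotiated per call, so those ports need matching rules for the audio to be prioritized as well.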

UTM systems offer even more granular management. Take, for example, a UTM device like pfSense. With pfSense, you can set up traffic shaping rules to quickly prioritize different types of traffic. Here’s a simple example using the pfSense web interface:

  1. Navigate to **Firewall > Traffic Shaper**.
  2. Choose the **Wizards** tab and select the **Multiple Lan/Wan** type.
  3. Follow the wizard steps. When you reach the **Queue Settings**, assign higher priority to the VoIP queue.

This configuration automatically applies the necessary rules to prioritize VoIP traffic, leveraging the UTM’s integrated features to maintain QoS.


While traditional antivirus software works well, it often only covers endpoints. However, with UTM, antivirus protection extends to the network level. This means it can detect and neutralize threats before reaching your devices. 

For example, Sophos UTM combines antivirus scanning with other security features like firewall, VPN, and intrusion prevention. When a file is downloaded, Sophos scans it in real time, ensuring that any malicious content is blocked instantly.

The commands below sketch how you might enable and configure antivirus protection on a UTM device via a command-line interface. The syntax is illustrative; the actual commands differ from vendor to vendor:

```
# Illustrative syntax only, not a specific product's CLI
configure terminal
utm antivirus enable
utm antivirus set scan_mode real_time
utm antivirus set action block
```

Another powerful feature of UTM systems is the integration of threat intelligence. Services like Fortinet's FortiGuard Labs offer real-time updates on emerging threats. When a new virus strain is detected in the wild, your system is almost instantly updated with the latest defense mechanisms.

Intrusion Detection and Prevention System (IDPS)

IDPS combines intrusion detection systems (IDS) and intrusion prevention systems (IPS). These systems monitor network traffic for suspicious activity and either alert administrators (IDS) or automatically block threats (IPS). 

In a company where sensitive data is constantly exchanged, an IDPS can detect unusual patterns, like a user trying to access restricted files, and immediately block the attempt. This way, it prevents potential data breaches.

You might use an open-source tool like Snort for intrusion detection. Snort can analyze network traffic and log suspicious packets. In the rule below, Snort is set to alert on any TCP traffic heading to port 80 within a specified subnet, here the one defined by the `HOME_NET` variable in the Snort configuration (the rule syntax requires a destination address before the port). The message "Possible web attack" helps identify the alert in logs:

```
alert tcp any any -> $HOME_NET 80 (msg:"Possible web attack"; sid:1000001; rev:1;)
```

Virtual Private Network (VPN)

A VPN extends a private network across a public one, like the Internet. It encrypts data sent between your device and the VPN server, providing privacy and security. 

When working remotely, you might use a VPN to connect to your company’s internal network. This ensures that sensitive data is protected even on an unsecured Wi-Fi network.

When configuring a VPN, you typically choose among protocols such as OpenVPN, L2TP/IPsec, or WireGuard. Each has its own set of pros and cons. OpenVPN, for instance, is immensely popular because it balances speed and security well.

However, using a VPN alone isn’t enough to ensure QoS. That’s where Unified Threat Management (UTM) comes into the picture. It manages VPN connections, protects against malware, monitors network traffic, and blocks suspicious activities.

For example, suppose you're configuring a Fortinet FortiGate UTM to work with a VPN. This often involves setting up specific firewall policies to filter traffic and protect against attacks.

Content filtering

Content filtering allows you to block or allow access to websites and online content. For example, you should block access to social media sites during work hours to maintain productivity. 

Similarly, you can filter out malicious websites to protect users from phishing attacks. Here's a simple example using a firewall rule to block Facebook:

```bash
iptables -A OUTPUT -p tcp -d facebook.com -j REJECT
```

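This rule uses `iptables`, a common command-line firewall utility in Linux, to reject any outgoing traffic to Facebook. Two caveats apply: `iptables` resolves the hostname once, when the rule is added, and matches only the IP addresses returned at that moment; and the `OUTPUT` chain covers traffic generated by the host itself, so a gateway filtering other machines' traffic would use the `FORWARD` chain.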

Spam filtering

Spam filters work primarily by analyzing incoming emails and separating the good from the bad. They look for specific patterns or characteristics that are typically associated with spam.

For instance, emails with specific keywords, suspicious links, or attachments might be flagged. Many modern spam filters also use machine learning, continually learning and adapting to new spam trends.

A practical UTM example is pfSense, an open-source firewall and router. Imagine using pfSense to set up spam filtering on a network-wide scale. You'd block spam emails and protect your network from viruses, worms, and other nasty stuff.

Traffic inspection

Traffic inspection sets rules for allowing and blocking network traffic and inspecting the traffic content on your network. One way to inspect traffic is by using network analyzers or packet sniffers like Wireshark. 

Wireshark gives us a detailed view of what's happening on the network. We can capture packets and analyze their content, which is invaluable for troubleshooting. 

For example, if an application runs slowly, inspecting the traffic can help us determine if the issue is due to network congestion, packet loss, or high latency.

Here's how you can start capturing packets with Wireshark:

```bash
sudo wireshark
```

Once Wireshark is open, select the network interface you want to monitor and click "Start." You’ll see a stream of packets in real-time. Pay attention to fields like source, destination, protocol, and length. Filtering the traffic by specific criteria can also help. 

For those who prefer command-line tools, `tcpdump` is an excellent choice. It allows you to capture and analyze packets directly from the terminal. Here’s a basic command to capture packets on interface `eth0`:

```bash
sudo tcpdump -i eth0
```

In addition to capturing packets, monitoring tools like Nagios and Zabbix provide a more holistic view of network performance. They allow real-time network traffic monitoring, giving alerts on unusual patterns that could indicate issues or attacks.

Policy enforcement

A UTM can be used to apply security policies to detect and block threats. First, ensure the policy's enforcement mode is active. Policies may not be set to block attacks by default. 

If the enforcement mode is not set to blocking, the policy will only log detected attacks instead of stopping them. For instance, you can change the enforcement mode to blocking to ensure immediate action against threats. 

It’s also essential to regularly update your attack signatures file. If the attack signature file on your policy host device is over 90 days old, you risk missing out on protection against the latest vulnerabilities.

Similarly, it is important to ensure that the Web Application Security policy is actively used. Idle policies attached to no virtual servers or applications can create unnecessary configuration overhead. 

Sensitive data leakage is another concern. Enable the “Mask Credit Card Numbers in request log” setting to prevent sensitive information from appearing in logs. This setting is crucial if your application handles payment information. 

Lastly, stay on top of geolocation updates. The geolocation file helps the system understand the origin of traffic, which is vital for geo-blocking capabilities. If the geolocation file is outdated (older than six months), update it to ensure accurate threat detection.
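The checks in this section can be run as a periodic audit over an exported policy list. The following is an added example, not code from any UTM vendor; the field names, the `transparent` mode value and the sample policies are hypothetical, and "six months" is approximated as 183 days.

```python
from datetime import date, timedelta

# Thresholds from the text. "Six months" is approximated as 183 days.
MAX_SIGNATURE_AGE = timedelta(days=90)
MAX_GEOLOCATION_AGE = timedelta(days=183)


def _stale(updated, today, limit):
    """A missing update date is treated as stale rather than silently passed."""
    return updated is None or (today - updated) > limit


def audit_policy(policy, today):
    """Return finding codes for one policy record (hypothetical field names)."""
    findings = []
    if policy.get("enforcement_mode") != "blocking":
        findings.append("NOT_BLOCKING")  # attacks are logged, not stopped
    if _stale(policy.get("signatures_updated"), today, MAX_SIGNATURE_AGE):
        findings.append("STALE_SIGNATURES")
    if not policy.get("attached_to"):
        findings.append("IDLE_POLICY")  # no virtual server or application
    if not policy.get("mask_credit_cards_in_log", False):
        findings.append("CARD_NUMBERS_UNMASKED")
    if _stale(policy.get("geolocation_updated"), today, MAX_GEOLOCATION_AGE):
        findings.append("STALE_GEOLOCATION")
    return findings


def audit_all(policies, today):
    """Map policy name -> findings, keeping only policies that have any."""
    report = {}
    for policy in policies:
        findings = audit_policy(policy, today)
        if findings:
            report[policy["name"]] = findings
    return report


# Constructed sample export, not real device output.
SAMPLE_TODAY = date(2024, 6, 6)
SAMPLE_POLICIES = [
    {"name": "shop-frontend", "enforcement_mode": "blocking",
     "signatures_updated": date(2024, 5, 20), "attached_to": ["vs-shop"],
     "mask_credit_cards_in_log": True, "geolocation_updated": date(2024, 3, 1)},
    {"name": "legacy-api", "enforcement_mode": "transparent",
     "signatures_updated": date(2024, 1, 15), "attached_to": [],
     "mask_credit_cards_in_log": False, "geolocation_updated": None},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_POLICIES, SAMPLE_TODAY).items():
        print(f"{name}: {', '.join(findings)}")
```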

Real-Time Updates

Staying ahead of threats is crucial for cybersecurity. One way to achieve this is through real-time updates and continuous monitoring. Continuous updates provide the latest threat intelligence and signatures, ensuring systems are always equipped to handle new and evolving threats.

Solutions like FortiGuard AI-Powered Security Services from Fortinet offer real-time threat intelligence that leverages AI and machine learning to analyze data continuously, helping to detect and mitigate threats as they happen. 

Similarly, NetRise's continuous monitoring system constantly checks against databases like the National Vulnerability Database (NVD) and CISA's Known Exploited Vulnerabilities (KEV) catalog. This constant vigilance ensures that threats are identified and addressed promptly.

Security Information and Event Management (SIEM) systems can use threat intelligence feeds to enhance their detection capabilities. They can analyze event data in real-time, correlating it with the latest threat intelligence, to swiftly identify and respond to incidents.

Reporting and alerts

Reporting and alerts help identify suspicious activities and take swift action to mitigate risks. Tools like Microsoft 365 make this process quite intuitive. 

For reporting, platforms like Trend Micro’s cloud security solutions provide features to create detailed reports about alerts and other activities. 

For example, you might set up a scheduled report that runs daily to summarize all alerts triggered in the past 24 hours. 

Tools like Microsoft Defender XDR automatically determine if a threat requires action and recommend or take remediation actions.

What to consider when choosing a UTM solution

Hardware appliances

Having dedicated hardware appliances for Unified Threat Management (UTM) functions will elevate your network security. These hardware appliances are designed to handle multiple security tasks without sacrificing performance.

The Fortinet FortiGate devices, for example, are not just firewalls. They offer a comprehensive suite of security features—intrusion prevention, web filtering, antivirus, and even application control, ensuring a robust hardware solution that efficiently manages network traffic while prioritizing critical applications.

For more granular control, Cisco’s Firepower appliances are worth a mention. These devices offer next-generation firewall capabilities, advanced malware protection, and real-time threat intelligence. 

With Cisco Firepower, you can define QoS policies that ensure your most critical applications get the bandwidth they need while less important traffic gets throttled. It’s a seamless way to manage Quality of Service through dedicated hardware.

Software-based Solutions

Following a methodical approach is crucial when installing UTM software on existing hardware. Check that your hardware meets the requirements, including CPU type, RAM size, and network interface cards.

For instance, Sophos UTM needs a minimum of 1 GB RAM and 1 GHz CPU. If your hardware does not meet these requirements, the installation might fail, or UTM might perform poorly.

You'll need the Sophos UTM CD-ROM or a bootable USB stick. Begin by booting your PC from the CD-ROM or USB. This step will launch the installation start screen. Don’t worry if you hit a snag here or need more information—pressing F1 will bring up the help menu.

Cloud-based UTM

Unified Threat Management (UTM) services hosted in the cloud offer immense flexibility and scalability. Instead of deploying and maintaining physical appliances, you can subscribe to a cloud service that handles everything.

For instance, companies like Cisco and Sophos offer cloud-based UTM solutions, which means they can deploy updates and patches almost instantly. With a traditional UTM appliance, you'd need to manually install updates, which is time-consuming and leaves a window of vulnerability.

Centralized management

Cloud-based UTM solutions centralize management, with a single dashboard where you can monitor and manage security policies across multiple locations. 

If your organization has multiple branches, you can manage everything from a single interface. This is incredibly convenient. 


Flexibility is another major perk. You can scale your security infrastructure up or down based on demand without buying additional hardware. 

For example, if you’re running an e-commerce site and expecting traffic spikes during the holiday seasons, you can temporarily scale up your protections. This kind of scalability is hard to achieve with physical appliances.

Seamless integration

Moreover, cloud-based UTM solutions can integrate seamlessly with other cloud services. For example, if you're using AWS, you can quickly deploy a cloud-based UTM solution within your AWS environment to monitor and control traffic to and from your cloud resources.

Cost efficiency

With cloud-based UTM, you pay a subscription fee, which is often cheaper than the costs associated with hardware maintenance, updates, and physical space.

IoT security

All those smart devices—thermostats, cameras, even fridges—connected online are potential entry points for cyber threats, making the security landscape more complex.

Imagine having smart lights, a thermostat, and a security camera. Without UTM, you'd need separate security measures for each device, which is a lot of work. With UTM, you can monitor and protect all your devices from a single interface.

To secure these devices, you should start with strong authentication. Passwords are often the weakest link. Implement two-factor authentication (2FA) wherever possible.

Encryption is another layer of security. Data traveling between IoT devices and servers should be encrypted to prevent interception by malicious entities. Using TLS (Transport Layer Security) is a good practice.

Monitoring is also crucial. UTMs offer real-time monitoring and alerting features. Any unusual activity gets flagged immediately. For instance, if a smart camera starts uploading a lot of data unexpectedly, you'll get an alert. This helps you react quickly to potential threats.
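One way to express the smart-camera alert described above is to compare each device's upload volume with its own history. This is an added example, not a UTM product's detection logic; the device names, byte counts, and the `k` and `floor` tuning values are constructed assumptions.

```python
from collections import defaultdict
from statistics import median


def build_baseline(history):
    """history: (device, bytes_uploaded) per interval -> {device: (median, MAD)}."""
    per_device = defaultdict(list)
    for device, sent in history:
        per_device[device].append(sent)
    baseline = {}
    for device, values in per_device.items():
        med = median(values)
        mad = median([abs(v - med) for v in values])  # robust spread estimate
        baseline[device] = (med, mad)
    return baseline


def upload_alerts(baseline, current, k=6, floor=1_000_000):
    """Flag devices uploading far more than their own history suggests.

    k and floor are assumed tuning values: the floor keeps very quiet devices
    (tiny MAD) from alerting on harmless jitter.
    """
    alerts = []
    for device, sent in current.items():
        if device not in baseline:
            alerts.append((device, "NO_BASELINE"))  # unknown device on the network
            continue
        med, mad = baseline[device]
        if sent > med + max(k * mad, floor):
            alerts.append((device, "UPLOAD_SPIKE"))
    return alerts


# Constructed sample data: bytes uploaded per hour, per device.
SAMPLE_HISTORY = (
    [("camera-1", n) for n in (40_000_000, 42_000_000, 38_000_000, 41_000_000, 39_000_000)]
    + [("thermostat", n) for n in (20_000, 22_000, 19_000, 21_000, 20_000)]
)
SAMPLE_CURRENT = {"camera-1": 900_000_000, "thermostat": 23_000, "smart-plug": 5_000}

if __name__ == "__main__":
    for device, reason in upload_alerts(build_baseline(SAMPLE_HISTORY), SAMPLE_CURRENT):
        print(device, reason)
```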

The firmware of IoT devices should always be up-to-date. Manufacturers often release updates to patch vulnerabilities. If you're using a UTM solution, it can automate these updates, saving you time and effort.
