Firewalls and UTMs

What are they, what can they do and what’s the difference?

What is a firewall and UTM?

Think of a firewall like a castle wall: as the name suggests, it protects everything on the inside. A firewall can monitor in- and outgoing traffic and allow, drop or block it based on destination IP, source IP, destination port, source port and/or protocol, such as TCP, UDP, AH, ICMP or IGMP.

In the past, next to the firewall, we ran a separate web filter, mail filter, DNS filter and/or IDS/IPS (Intrusion Detection System / Intrusion Prevention System).

A UTM (Unified Threat Management) appliance is essentially everything described above combined into a single device! This device can scan all passing traffic using all or some of the functions listed above.
UTMs are generally more expensive, but there are free variants too, although those tend to be limited in capabilities.

Stateful VS Stateless

So what do states have to do with firewalls? Well, a lot. Most firewalls in the modern day, if not all, are stateful.

This means that the firewall keeps track of the flow of traffic: it monitors the state of each connection that passes through it.
As an example, if a client connects to a server on port 7436, you only have to open that port towards the server on the firewall. The firewall then tracks whether the server responds to the client for that connection and automatically allows the reply in turn.
However, if the server were to initiate a connection first on that same port, that connection would be rejected or dropped.

With stateless firewalls you would need to open both the port towards the server and (if the responding source port can be anything) all ports from the server side to the client side on the firewall.

How does it work?

Firewall

A firewall works like a mighty gatekeeper. Whenever a packet enters, it is screened by policies that look at the source and destination IP addresses, the source and destination port(s) and the protocol used.

The firewall uses so-called 'policies' to do this. These policies can be bound to an incoming (and sometimes also an outgoing) interface.
Once the policies are created you have to order them from top to bottom; as a best practice, the more specific policies go at the top. Each time traffic passes the incoming interface, the firewall checks which policy the traffic applies to.

When the traffic hits a policy it applies to, the firewall will either block, ignore or allow it, depending on what you told the policy to do.
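To make the two ideas above concrete (a stateful firewall remembering the connections it allowed, and policies ordered top to bottom with the first match deciding), here is an added toy model in Python. It is not code from the article or from any vendor; the addresses, ports and policy names are constructed for illustration.

```python
# Toy stateful packet filter with ordered, first-match policies.
# Added example, not from the article or any vendor; addresses, ports and
# policy names below are constructed for illustration.
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"

# Policies are checked top to bottom and the first match wins, so the most
# specific rule sits at the top and a catch-all deny closes the list.
POLICIES = [
    # name, source, destination, destination port, protocol, action
    ("allow-client-to-app", "10.0.0.5", "192.168.1.10", 7436, "TCP", "allow"),
    ("deny-all", "any", "any", "any", "any", "deny"),
]

def first_match(pkt, policies=POLICIES):
    """Return (policy name, action) of the first policy matching pkt."""
    for name, src, dst, dport, proto, action in policies:
        fields = ((src, pkt.src), (dst, pkt.dst), (dport, pkt.dport), (proto, pkt.proto))
        if all(want in ("any", have) for want, have in fields):
            return name, action
    return "implicit-deny", "deny"  # nothing matched: default deny

def stateless_filter(pkt, policies=POLICIES):
    """A stateless firewall judges every packet on its own header only."""
    return first_match(pkt, policies)[1]

class StatefulFirewall:
    """Tracks flows it allowed so that their replies pass without a policy."""
    def __init__(self, policies=POLICIES):
        self.policies = policies
        self.flows = set()  # state table of allowed 5-tuples

    def filter(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if flow in self.flows or reply in self.flows:
            return "allow"  # part of an established connection
        name, action = first_match(pkt, self.policies)
        if action == "allow":
            self.flows.add(flow)  # remember the new connection
        return action
```

Run the client's first packet, the server's reply and an unsolicited server-initiated packet through both filters: the stateful one lets the reply through on state alone, while the stateless one drops it unless you also open the client-side port.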

OPNsense firewall table
FortiGate firewall policy

Note that in each image there is a source and a destination along with a service/ports. The way you create or apply these policies differs from brand to brand, but in the end they all require the same: at least a source, a destination and a port.

UTM

A UTM basically adds to what is described above.

A UTM also provides firewall options, rules and tables like those. But it adds more to those policies, with anti-virus, web filtering, DNS filtering and so much more!

Web Filter

With a web filter you can do just what the name implies: filter websites and even web content. Don't confuse it with a DNS filter: a web filter acts after the FQDN has already been resolved to an IP.

The web filter acts right when you try to visit the website. The website can be evaluated against a manual entry where, for instance, you have set it to block 'example.com'. But many brands also come with a service where websites are rated by the vendor, and you can simply choose to block a whole category, such as phishing or hacking related websites. If a website is blocked, the firewall simply forges a replacement response to send back to the client's browser, making it display the UTM firewall's warning page.

Other than that, most firewalls with web filters can also look into the web content and prevent you from doing certain lookups on search engines. This does, however, require the firewall to act as a proxy.
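Here is an added toy web filter in Python showing the decision order just described (manual entry first, then the category rating, and a forged block page for the browser), plus the search-term check that is only possible when the firewall acts as a proxy. It is not code from the article or any vendor; the hostnames, categories and search terms are constructed.

```python
# Toy web filter: decide on the requested site (manual blocklist first, then a
# vendor-style category rating) and, when blocking, forge a block page.
# Added example, not from the article or any vendor; hostnames, categories
# and the search-term list are constructed for illustration.
from urllib.parse import urlsplit, parse_qs

MANUAL_BLOCK = {"example.com"}                 # explicit admin entries
CATEGORY_OF = {"bad-login.example": "phishing", "tools.example": "hacking",
               "news.example": "news"}          # stands in for a vendor rating feed
BLOCKED_CATEGORIES = {"phishing", "hacking"}
BLOCKED_SEARCH_TERMS = {"forbidden-term"}      # only checkable in proxy mode

def rate_host(host):
    """Manual entries win over category ratings; unknown sites are 'unrated'."""
    if host in MANUAL_BLOCK:
        return "manual-block"
    return CATEGORY_OF.get(host, "unrated")

def block_page(reason):
    """Forged HTTP response the firewall returns instead of the real site."""
    body = f"<html><body><h1>Access blocked</h1><p>Reason: {reason}</p></body></html>"
    return ("HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

def filter_request(url, proxy_mode=False):
    """Return ('allow', None) or ('block', forged response) for one request.

    The hostname is taken from the request itself (Host header / SNI in
    practice), i.e. after DNS has already resolved it, unlike a DNS filter.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    verdict = rate_host(host)
    if verdict == "manual-block" or verdict in BLOCKED_CATEGORIES:
        return "block", block_page(verdict)
    if proxy_mode:  # content inspection needs the firewall to terminate the session
        words = " ".join(v for vals in parse_qs(parts.query).values() for v in vals)
        if set(words.lower().split()) & BLOCKED_SEARCH_TERMS:
            return "block", block_page("search-term")
    return "allow", None
```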

FortiGate Webfilter profile
Web filter overview

Application Control

FortiGate Application Control

Application control allows you to block specific programs based on the signature their traffic shows when it passes the firewall. A signature can be seen as a specific fingerprint that only that application, or even specific traffic of that application, will contain. No two programs have the same signature, although programs sharing similar techniques and/or software can show similar signatures.

The application filter acts whenever traffic containing the signatures it looks for passes. Application control is commonly used to block VPNs, so that users cannot circumvent other security measures such as web filtering or anti-virus.

Anti Virus

Anti-virus on a UTM is basically a way to provide anti-virus filtering to any and all devices, even if the client device does not have an anti-virus installed or is not even capable of having one (e.g. IoT devices).

Some firewalls are even capable of neutralising the virus and repairing the file.
For instance, if a Word document with malicious macros is downloaded, the anti-virus on the firewall can remove the macros and send the cleaned Word document on to the end user.

FTG_Profile_Anti-Virus
FortiGate Application Control

External sources