7.7. UTM¶
Unified Threat Management (UTM) is an integrated security appliance that performs several security functions: detecting and preventing unauthorized access to virtual machines in Enterprise Cloud (EC), anti-virus scanning, URL-based web filtering, and spam mail filtering.
Note
- The UTM appliance runs on a dedicated compute resource pool that exists only to operate it. This pool is separate from the compute resources on which the customer configures virtual machines.
- UTM inspects traffic according to the security policies configured by the customer.
7.7.1. Available Features¶
Function | Outline |
---|---|
IPS/IDS | Detects and/or blocks unauthorized communication. |
Anti Virus | Detects and/or blocks viruses in HTTP, FTP, SMTP, POP3, and IMAP traffic. |
Web Filter | URL filtering for HTTP traffic. |
Spam Filter | Determines whether a received email message is spam in POP3 and IMAP traffic. |
Note
- If NTT Communications judges it necessary, we will notify you by email or other means of detection and blocking status. Notification email addresses can be set on the Security Web portal. No address is registered in the initial settings, so set one if you wish to receive notifications.
- Traffic destined for Server Segments targeted for inspection is routed by the vFirewall/Integrated Network Appliance to the UTM.
- Traffic from Virtual Machines on a Server Segment targeted for inspection is routed to the UTM by the Virtual Machine's own routing configuration.
- If you perform Ping monitoring of the Virtual Machine, an additional Server Segment is required to connect the vFirewall/Integrated Network Appliance directly to the Virtual Machine.
Important
- Do not change the default gateway setting from the Security Web portal; changes require an application form.
Note
- Do not connect Server Segments targeted for inspection directly to the vFirewall/Integrated Network Appliance, as this would bypass the UTM.
Plan | Traffic Processing Capacity | Structure |
---|---|---|
Compact | Max 200 Mbps | Capacity is the total of uplink and downlink traffic. |
Large | Max 400 Mbps | Capacity is the total of uplink and downlink traffic. |
Important
- Indicate the UTM plan when submitting your application. The plan cannot be changed from Compact to Large or from Large to Compact after the service begins.
7.7.2. IPS/IDS¶
Items | Content |
---|---|
Direction | The direction specified by the customer |
Protocol | TCP/IP |
Important
- Encrypted traffic is not inspected, so it is neither detected nor blocked by IPS/IDS.
Function | Outline |
---|---|
IPS/IDS functions | Set whether or not to use the IPS/IDS functions |
Direction of inspected communication | Specify the direction of the inspected traffic |
Action when detecting malicious traffic | Select IPS mode (detect and block) or IDS mode (detect only) |
Note
- The signature file is updated automatically.
- In IPS mode, not all detected traffic is necessarily blocked: some signatures are detection-only, and traffic matching them is logged but allowed to pass.
7.7.3. Anti Virus¶
Items | | Content |
---|---|---|
Communications | Direction | The direction specified by the customer |
 | Protocol | The protocols specified by the customer, chosen from HTTP, FTP, SMTP, POP3, and IMAP |
 | Port Number | The port number specified by the customer |
File | File Size | Files of 3 MB and under |
Compressed files | Nesting depth | Only files compressed (nested) 12 times or fewer are inspected |
 | Format | arj, cab, gzip, lha, lzh, msc, rar, tar, zip |
 | File size | Only files whose extracted size is 3 MB or less are inspected |
Important
- Files outside the above limits (for example encrypted files and password-protected files) are not inspected.
- Files that are not subject to inspection pass through. Note that this is fail-open behaviour: a file that exceeds the size limit, is nested more than 12 levels deep, is in an unsupported format, or is password-protected is delivered without being scanned.
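The limits above decide which files the Anti-Virus function scans and which pass through untouched. The following is an added example, not NTT Communications' own code: a small Python model of those rules that reports, for a given file, whether it would be inspected or would pass through uninspected. It walks nested zip archives to count nesting depth and declared extracted size, and treats a member with the zip "encrypted" flag as password-protected. The constants, the function names and the constructed sample archives are assumptions for illustration, not an interface of the product; only zip nesting is actually walked, other archive formats are classified by extension alone.

```python
"""Model of the Anti-Virus inspection limits documented above.

Added example, not NTT Communications' own code. It applies the documented
limits (file size up to 3 MB, supported archive formats, at most 12 levels of
nesting, extracted size up to 3 MB, no password-protected files) and reports
whether a given file would be scanned or would pass through uninspected.
Only zip nesting is actually walked; other archive formats are classified by
extension alone. The constants and function names are assumptions taken from
the table, not an interface of the product.
"""
import io
import zipfile

MAX_SIZE = 3 * 1024 * 1024        # 3 MB limit on the file as transferred
MAX_EXTRACTED = 3 * 1024 * 1024   # 3 MB limit on the extracted contents
MAX_NESTING = 12                  # deepest archive nesting still inspected
ARCHIVE_EXTS = {"arj", "cab", "gz", "gzip", "lha", "lzh", "msc", "rar", "tar", "zip"}


def _walk_zip(data: bytes, depth: int) -> tuple[int, int, bool]:
    """Return (deepest nesting level, total extracted bytes, password-protected member seen).
    Recursion stops once the nesting limit is exceeded, so a deliberately deep
    archive cannot make the checker unpack without bound."""
    deepest, extracted, encrypted = depth, 0, False
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return deepest, extracted, encrypted
    for info in zf.infolist():
        if info.flag_bits & 0x1:          # general-purpose bit 0 = entry is encrypted
            encrypted = True
            continue
        extracted += info.file_size       # declared size, read from the central directory
        if info.filename.lower().endswith(".zip") and depth <= MAX_NESTING:
            d, e, enc = _walk_zip(zf.read(info), depth + 1)
            deepest, extracted, encrypted = max(deepest, d), extracted + e, encrypted or enc
    return deepest, extracted, encrypted


def inspection_verdict(name: str, data: bytes) -> tuple[bool, str]:
    """(True, why) if the UTM would scan this file, (False, why) if it passes through unscanned."""
    if len(data) > MAX_SIZE:
        return False, "larger than 3 MB: passes through uninspected"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ARCHIVE_EXTS:
        return True, "plain file within the size limit: inspected"
    if ext != "zip":
        return True, f"{ext} archive within the size limit: inspected (nesting not walked here)"
    depth, extracted, encrypted = _walk_zip(data, 1)
    if encrypted:
        return False, "password-protected member: passes through uninspected"
    if depth > MAX_NESTING:
        return False, f"nested {depth} levels (limit {MAX_NESTING}): passes through uninspected"
    if extracted > MAX_EXTRACTED:
        return False, f"extracted size {extracted} bytes exceeds 3 MB: passes through uninspected"
    return True, f"zip nested {depth} level(s), {extracted} bytes extracted: inspected"


# --- constructed samples (not real customer data) ---------------------------

def nested_zip(levels: int, payload: bytes = b"harmless sample text") -> bytes:
    """Payload wrapped in `levels` zip archives (1 = a flat zip)."""
    data, name = payload, "payload.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{i + 1}.zip"
    return data


def deflated_zip(size: int) -> bytes:
    """A small zip whose single member expands to `size` bytes of zeros."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * size)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag bit on every local and central-directory header.
    The data is not really encrypted; this only makes the sample look password-protected,
    which is enough for the checker (it never reads flagged members). Intended for flat
    zips with stored text content, since it locates headers by signature search."""
    buf = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = buf.find(sig)
        while i != -1:
            buf[i + off] |= 0x01
            i = buf.find(sig, i + 4)
    return bytes(buf)


if __name__ == "__main__":
    for label, data in [("report.pdf", b"x" * 100),
                        ("ok.zip", nested_zip(MAX_NESTING)),
                        ("deep.zip", nested_zip(MAX_NESTING + 1)),
                        ("locked.zip", mark_encrypted(nested_zip(1))),
                        ("zeros.zip", deflated_zip(MAX_EXTRACTED + 1))]:
        print(label, *inspection_verdict(label, data))
```

Running the block shows the practical consequence of the table: a 13-level nested zip, a password-protected zip, and a few-kilobyte zip that expands to more than 3 MB are all delivered without scanning, so endpoint anti-virus on the virtual machines remains necessary for those cases.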
Items | | Content |
---|---|---|
Anti-Virus function | | Set whether or not to use the Anti-Virus function |
Communications | Direction | Specify the direction of the inspected traffic |
 | Protocol | Select the protocols from HTTP, FTP, SMTP, POP3, and IMAP |
 | Port number | Specify the port number for each protocol |
Action when detecting viruses | | Select “AntiVirus Block” or “AntiVirus_Monitor” |
Important
- The inspected port number is a setting shared by the Anti-Virus, Web Filter, and Spam Filter functions. If two functions inspect the same protocol, traffic on that port is inspected by both. For example, if TCP port 80 is configured as the inspected port for either Anti-Virus or Web Filter, TCP 80 traffic is inspected by both functions.
Note
- The pattern file is updated automatically.
- The blocking actions are as follows:
- HTTP: a block screen is displayed in the browser
- FTP: a NULL (empty) file is delivered instead of the download
- SMTP: an error code is returned to the source IP address
- POP3/IMAP: the attachment is deleted and a remark is added to the email message
7.7.4. Web Filter¶
Note
- To apply the Web Filter to Internet-bound traffic entering from the EC service's VPN, a proxy server must be built on the EC service, because the Web Filter only inspects traffic in the direction described below.
Items | Content |
---|---|
Direction | Traffic from the vFW/INA via the UTM to the virtual machine |
Protocol | HTTP |
Port Number | The port number specified by the customer |
Note
- For HTTPS traffic, the destination is determined from the Common Name in the server certificate, since the request URL itself is encrypted and cannot be read.
Items | Content |
---|---|
Web Filter Function | Specify whether or not to use the Web Filter function |
Port Number of the Inspected Communications | Specify the port number |
Blocked Categories | Select the website categories to be blocked |
White List and Black List | Set up the white list and black list. Up to 100 URLs can be registered in each. |
Important
- The inspected port number is a setting shared by the Anti-Virus, Web Filter, and Spam Filter functions. If two functions inspect the same protocol, traffic on that port is inspected by both. For example, if HTTP is inspected by both Anti-Virus and Web Filter and the port is set to TCP 80, TCP 80 traffic is inspected by both functions.
- TCP ports 8008, 8010, and 8020 are reserved for displaying the block screen and similar functions; services on these ports cannot be used for traffic that passes through the Web Filter.
- For HTTPS traffic, the block screen is not displayed when the domain in the Common Name of the accessed site's server certificate belongs to a blocked category; the browser shows a connection error instead.
Note
- The blocking action is as follows:
- A block screen is displayed in the browser.
- Websites in categories not selected for blocking are allowed (action Allow: access is permitted and no log is output), so allowed browsing leaves no record on the UTM.
7.7.5. Spam Filter¶
Items | Content |
---|---|
Direction | The direction specified by the customer |
Protocol | POP3 and IMAP |
Port Number | The port number specified by the customer |
Items | | Content |
---|---|---|
Spam Filter function | | Set whether or not to use the Spam Filter function |
Communications | Direction | Specify the direction of the inspected traffic |
 | Port Number | Specify the port number for each protocol |
White List and Black List | | Set up the white list and black list. Up to 100 URLs can be registered in each. |
Important
- The inspected port number is a setting shared by the Anti-Virus, Web Filter, and Spam Filter functions. If two functions inspect the same protocol, traffic on that port is inspected by both. For example, if IMAP is inspected by both Anti-Virus and Spam Filter and the port is set to TCP 143, TCP 143 traffic is inspected by both functions.
- When a message is judged to be spam, ‘Spam’ is added to its subject line. The Spam Filter takes no further action, so the customer must handle tagged messages, for example with a client-side rule on the subject.
- For IMAP, there are cases where ‘Spam’ cannot be added to the subject. This is a restriction of how IMAP works, not of the UTM. With IMAP, the client downloads the message headers (including the subject) first and the body afterwards; if the message is judged to be spam because of a URL in the body, the subject has already been delivered and cannot be tagged. Tagging does work with IMAP when the judgement is based on the sender's email address, which is available in the headers.
7.7.6. Important Points¶
Restrictions in non-Japanese Data Centers
- One global IP address per UTM service is assigned for monitoring the UTM server. If you order two UTM services, two global IP addresses are assigned by the NTT operator, so prepare the required number of global IP addresses when ordering.
- Do not change the NAT rules that NTT Com Group configures on the vFW/INA for the UTM service.
- The IP address configured as the default gateway in the Server Segment settings cannot be assigned to a UTM interface.
A contract for either vFirewall or Integrated Network Appliance is required.
The appliance that runs this service is a single (non-redundant) instance. The underlying platform is redundant: on a failure, the appliance is restarted on the backup platform and service resumes in five to ten minutes. Plan for inspected traffic to be interrupted for that period.
This service requires a dedicated compute resource pool, which is designed when you apply for UTM. The service cannot be configured on an existing compute resource pool.
Customers cannot configure virtual machines on the compute resource pool that operates this service.
The dedicated compute resource pool for this service cannot be extended or reduced.
Resource allocations for the virtual machine that operates this service cannot be changed from the customer portal; only we can change them, as the virtual machine is controlled by us.
The UTM enters conserve (Protect) mode when its memory usage exceeds 80 percent. In conserve mode, new sessions pass through without being inspected by the Anti-Virus, Web Filter, and Spam Filter functions; this is fail-open, so traffic is allowed rather than dropped while inspection is suspended. Conserve mode is released automatically once memory usage falls to 80 percent or below.
The virtual machine operating the UTM cannot use private catalogues, backup, or VM security services.
Packets that violate the TCP/UDP/IP protocol rules, or are otherwise abnormal, are discarded as a standard function regardless of the customer's configuration.
Examples:
- The IP header is cut off part-way
- The port number is 0 (zero)
- The TCP flag combination is abnormal
- The packet is illegal because of its encapsulation, and other similar cases
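To make the examples above concrete, the following is an added example, not the product's own logic: a Python checker that parses a raw IPv4 + TCP packet and reports the anomalies listed (an IP header cut off part-way, a total-length field that does not match the bytes on the wire, a port number of 0, and abnormal TCP flag combinations). The set of flag combinations treated as abnormal is an assumption, since the page does not list them; the packet builder and its addresses are constructed samples, and checksums are deliberately not validated.

```python
"""Sanity checks for IPv4/TCP packets of the kind the UTM discards by default.

Added example, not the product's own code. It parses a raw IPv4 + TCP packet
and reports the anomalies listed above. The exact set of flag combinations
treated as abnormal is an assumption; checksums are not validated.
"""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Assumed set of flag combinations that no legitimate TCP stack emits.
ILLEGAL_TCP_FLAGS = {
    0: "no flags set (NULL)",
    SYN | FIN: "SYN and FIN together",
    SYN | RST: "SYN and RST together",
    FIN | PSH | URG: "FIN, PSH and URG without ACK (Xmas)",
}


def build_ipv4_tcp(sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header + payload.
    Addresses are 10.0.0.1 -> 10.0.0.2; checksums are left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + payload


def anomalies(pkt: bytes) -> list[str]:
    """Return the reasons the packet would be discarded (empty if it looks sane)."""
    if len(pkt) < 20:
        return ["IP header cut off (fewer than 20 bytes)"]
    if pkt[0] >> 4 != 4:
        return [f"not IPv4 (version {pkt[0] >> 4})"]
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return [f"IP header cut off (IHL says {ihl} bytes, {len(pkt)} present)"]
    findings = []
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < ihl or total_len > len(pkt):
        findings.append(f"IP total length {total_len} inconsistent with {len(pkt)} bytes on the wire")
    proto = pkt[9]
    l4 = pkt[ihl:min(total_len, len(pkt))] if total_len >= ihl else pkt[ihl:]
    if proto in (6, 17):                         # TCP and UDP both start with the port pair
        if len(l4) < 4:
            findings.append("transport header cut off")
            return findings
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport == 0 or dport == 0:
            findings.append("port number 0")
    if proto == 6:
        if len(l4) < 20:
            findings.append("TCP header cut off")
            return findings
        desc = ILLEGAL_TCP_FLAGS.get(l4[13] & 0x3F)   # mask off the ECN bits
        if desc:
            findings.append(f"abnormal TCP flag combination: {desc}")
    return findings


def is_discarded(pkt: bytes) -> bool:
    """True if the packet would be dropped by the standard sanity checks."""
    return bool(anomalies(pkt))


if __name__ == "__main__":
    samples = {
        "normal SYN": build_ipv4_tcp(40000, 443, SYN),
        "dport 0": build_ipv4_tcp(40000, 0, SYN),
        "SYN+FIN": build_ipv4_tcp(40000, 443, SYN | FIN),
        "NULL": build_ipv4_tcp(40000, 443, 0),
        "truncated header": build_ipv4_tcp(40000, 443, SYN)[:12],
        "truncated payload": build_ipv4_tcp(40000, 443, ACK, b"x" * 10)[:-5],
    }
    for label, pkt in samples.items():
        print(f"{label:18} discard={is_discarded(pkt)!s:5} {anomalies(pkt)}")
```

Because these drops happen regardless of the customer's policy, a connection that fails through the UTM while working on a direct Server Segment is worth checking for one of these conditions before suspecting a signature or filter rule.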
We do not guarantee that the UTM feature is complete or accurate, or that it is suitable for your use. Furthermore, the suitability of the detection algorithms for unauthorized or cyber-attack communications, as provided by the developers or distributors of the devices that make up the UTM feature, is not guaranteed.
The following information may be provided to the developers or distributors of the devices that make up the UTM feature:
- Configuration information obtained in the course of providing UTM
- Information on UTM control
We cannot guarantee recovery from failures caused by incompatibility between the UTM and your environment, or from failures caused by operations on your part other than those specified by NTT Communications.
Maintenance work may affect the customer's environment. Advance notice is sent when an effect on the customer's environment is possible, except when we judge the maintenance work urgent in order to keep the service running.