2.8. UTM


2.8.1. Overview

UTM (Unified Threat Management) is an integrated security appliance that performs several security functions for virtual machines in Enterprise Cloud (EC): detection and prevention of unauthorized access to the virtual machine (IPS/IDS), Anti Virus, URL-based Web filtering, and spam mail filtering.

2.8.2. Features

UTM offers the following features.
Feature       Overview
IPS/IDS       Detects and/or blocks illegal communications.
Anti Virus    Detects and/or blocks viruses carried in HTTP, FTP, SMTP, POP3 and IMAP communications.
Web Filter    URL filtering for HTTP communications.
Spam Filter   Determines whether a received email message is spam, for POP3 and IMAP communications.

Analysis Capacity

Plan       Traffic processing capacity
Compact    Max 200 Mbps
Large      Max 400 Mbps

The capacity is the total of uplink and downlink traffic. The values are best-effort.

2.8.2.1. IPS/IDS

IPS/IDS inspects communications against signatures and stops communications judged to be harmful.
The following communications are inspected. Encrypted communications are not inspected, so attacks carried inside TLS or other encrypted sessions are neither detected nor blocked by this function.

Item         Overview
Direction    The direction specified by the customer
Protocol     TCP/IP

You can specify the following items in IPS/IDS.

Item                                            Overview
IPS/IDS function                                Whether to use the IPS/IDS function
Direction of inspected communication            The direction of the communications to inspect
Action on detecting fraudulent communication    Select IPS mode or IDS mode
  • IPS mode: block
  • IDS mode: detect only (no blocking)

Even in IPS mode, not every detected communication is blocked: some signatures are detection-only, and communications matching them are logged but allowed through.

2.8.2.2. Anti Virus

Anti Virus inspects communications against a pattern (virus definition) file and blocks communications in which a virus is detected.
The following communications and files are inspected.

Item                                Content
Communication: direction            The direction specified by the customer
Communication: protocol             The protocols chosen by the customer from HTTP, FTP, SMTP, POP3 and IMAP
Communication: port number          The port number specified by the customer
File: size                          Files of 3MB or less
Compressed file: nesting            Only files compressed (nested) 12 times or less
Compressed file: format             arj, cab, gzip, lha, lzh, msc, rar, tar, zip
Compressed file: extracted size     Only files whose extracted size is 3MB or less

Files outside these limits (for example encrypted or password-protected files, files over 3MB, archives nested more than 12 times, or archive formats not listed above) are not inspected. Files that are not inspected are passed through rather than blocked, so the virtual machine receives them without a scan and must rely on its own protection for them.
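As an added example (not part of NTT Com's documentation or the appliance's own code), the following Python pre-screen applies the limits in the table above to a file before it crosses the UTM, so you can tell which files would pass through uninspected and need host-side scanning instead. It assumes "3MB" means 3 MiB, handles only the zip and gzip formats from the list (the page says nothing about how the other formats are unpacked), detects password protection from the zip header flag bit, and builds all of its sample inputs in memory; the appliance's real decision logic may differ in detail.

```python
import gzip
import io
import zipfile
import zlib

MAX_BYTES = 3 * 1024 * 1024  # assumption: the page's "3MB" read as 3 MiB
MAX_NESTING = 12             # "compressed 12 times or less"
ZIP_MAGIC = b"PK\x03\x04"
GZIP_MAGIC = b"\x1f\x8b"
FLAG_ENCRYPTED = 0x0001      # zip general-purpose flag bit 0 = password-protected


def utm_would_inspect(data: bytes, depth: int = 0) -> tuple:
    """Return (inspected, reason) for a file about to cross the UTM.

    depth is the number of archive layers already opened. False means the
    UTM passes the file through without a scan, so it needs host-side AV.
    """
    if len(data) > MAX_BYTES:
        return False, f"{len(data)} bytes exceeds the {MAX_BYTES}-byte limit"

    if data.startswith(ZIP_MAGIC):
        if depth + 1 > MAX_NESTING:
            return False, f"compressed more than {MAX_NESTING} times"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & FLAG_ENCRYPTED:
                        return False, f"{info.filename}: password-protected"
                    # The limit applies to the extracted size, which the zip
                    # central directory declares up front.
                    if info.file_size > MAX_BYTES:
                        return False, f"{info.filename}: extracted size {info.file_size} exceeds limit"
                    # zipfile stops reading at the declared file_size, so the
                    # read below cannot inflate past the limit just checked.
                    ok, why = utm_would_inspect(zf.read(info), depth + 1)
                    if not ok:
                        return False, why
        except zipfile.BadZipFile:
            return False, "zip archive could not be parsed (assumed not inspectable)"
        return True, "inspected"

    if data.startswith(GZIP_MAGIC):
        if depth + 1 > MAX_NESTING:
            return False, f"compressed more than {MAX_NESTING} times"
        # Bounded inflation: never produce more than MAX_BYTES + 1 output bytes,
        # so a decompression bomb cannot exhaust memory during the pre-screen.
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)
        out = inflater.decompress(data, MAX_BYTES + 1)
        if len(out) > MAX_BYTES:
            return False, "gzip extracted size exceeds limit"
        return utm_would_inspect(out, depth + 1)

    return True, "inspected"


# --- constructed sample inputs (built in memory, not real traffic) -----------

def make_zip(name: str, payload: bytes) -> bytes:
    """One-member zip archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def nested_zip(layers: int, payload: bytes = b"hello") -> bytes:
    """payload wrapped in `layers` zip archives, one inside the other."""
    for i in range(layers):
        payload = make_zip(f"layer{i}", payload)
    return payload


def fake_encrypted_zip() -> bytes:
    """A plain zip with the 'encrypted' flag bit set in its local and central
    headers; zipfile (and an inline scanner) then treat it as password-protected."""
    raw = bytearray(make_zip("secret.txt", b"not really encrypted"))
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        raw[raw.find(sig) + flag_offset] |= FLAG_ENCRYPTED
    return bytes(raw)


def gzip_wrap(data: bytes) -> bytes:
    """One more compression layer on top of data."""
    return gzip.compress(data)


if __name__ == "__main__":
    samples = {
        "plain text": b"hello",
        "12 nested zips": nested_zip(12),
        "13 nested zips": nested_zip(13),
        "gzip of 12 nested zips": gzip_wrap(nested_zip(12)),
        "password-protected zip": fake_encrypted_zip(),
        "3 MiB + 1 raw": b"A" * (MAX_BYTES + 1),
        "small zip, 3 MiB + 1 extracted": make_zip("big.bin", b"A" * (MAX_BYTES + 1)),
    }
    for label, blob in samples.items():
        print(f"{label:32} -> {utm_would_inspect(blob)}")
```

The last sample is the case worth remembering: a zip a few kilobytes long clears the 3MB file-size limit but declares an extracted size above it, so the UTM lets it through unscanned. Anything this function reports as not inspected should be covered by a scanner on the virtual machine itself.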
You can specify the following items in Anti Virus.
Item                          Content
Anti Virus function           Whether to use the Anti Virus function
Communication direction       The direction of the communications to inspect
Protocol                      Select the protocols from HTTP, FTP, SMTP, POP3 and IMAP
Port number                   The port number for each protocol
Action on detecting viruses   Select “AntiVirus_Block” or “AntiVirus_Monitor”
  • AntiVirus_Block: blocks the communication when a virus is detected
  • AntiVirus_Monitor: detects viruses only (does not block)

The inspection port number is a setting shared by the Anti Virus, Web Filter and Spam Filter functions. Traffic on a configured port is inspected by each of those functions whose inspected protocol matches it.

2.8.2.3. Web Filter

Web Filter controls Web communications by inspecting their destination (URL).
The following communications are inspected.

Item          Overview
Direction     Communications from the vFW/INA through the UTM to the virtual machine
Protocol      HTTP
Port number   The port number specified by the customer

You can specify the following items in Web Filter.
Item                                      Content
Web Filter function                       Whether to use the Web Filter function
Port number of inspected communications   The port number to inspect
Blocked categories                        Select the website categories to block.
                                          Block: access is denied and a log entry is written
White List and Black List                 Set up the white list and black list. Up to 100 URLs can be registered in each.

The inspection port number is a setting shared by the Anti Virus, Web Filter and Spam Filter functions. Traffic on a configured port is inspected by each of those functions whose inspected protocol matches it.

2.8.2.4. Spam Filter

Spam Filter is a feature that determines spam mail by inspecting the email communications.
The following are the communications that will be inspected.
Item          Overview
Direction     The direction specified by the customer
Protocol      POP3 and IMAP
Port number   The port number specified by the customer

You can specify the following items in Spam Filter.
Item                        Content
Spam Filter function        Whether to use the Spam Filter function
Communication direction     The direction of the communications to inspect
Port number                 The port number for each protocol
White List and Black List   Set up the white list and black list. Up to 100 URLs can be registered in each.

The inspection port number is a setting shared by the Anti Virus, Web Filter and Spam Filter functions. Traffic on a configured port is inspected by each of those functions whose inspected protocol matches it.
When a message is judged to be spam, ‘Spam’ is added to its subject. Spam Filter takes no further action: the message is neither quarantined nor discarded and is delivered as normal. Customers must therefore handle tagged messages themselves, for example with a mail client or mail server rule that files messages whose subject carries ‘Spam’.

2.8.3. Restrictions

Restrictions in non-Japanese Data Centers

  • One global IP address per UTM service is assigned for monitoring of the UTM server. If you order two UTM services, two global IP addresses are assigned by the NTT operator. Make sure you have the required number of global IP addresses available when ordering.
  • Do not change the NAT rules for the UTM service that NTT Com Group has configured on the vFW/INA.
Restrictions relating to IP addresses

  • The IP address set as the default gateway in the Server Segment settings cannot be assigned to a UTM interface.
Restrictions relating to network configuration

  • If you perform Ping monitoring of the VM, an additional Server Segment is required for a direct connection between the vFW/INA and the VM.
  • Do not connect the target Server Segments directly to the vFW/INA.
  • Do not change the UTM default gateway setting from the Security Web Portal. It can only be changed by submitting a service change order form.
Restrictions relating to Web Filter

  • To apply the Web Filter to Internet-bound communications that arrive from the EC service's VPN, a proxy server must be built within the EC service.
  • TCP ports 8008, 8010 and 8020 are used by the UTM to serve the block screen and similar pages, so services listening on those ports cannot be reached by communications that pass through the Web Filter.
  • For HTTPS communications, when the domain in the Common Name of the accessed site's server certificate belongs to a blocked category, the block screen is not displayed; the browser shows a connection error instead.
Restrictions relating to Spam Filter

  • With IMAP, there are cases where ‘Spam’ cannot be added to the email subject. This is not a limitation of the UTM but a consequence of how IMAP works: the client downloads the subject (headers) first and the message body afterwards, so when a message is judged to be spam because of a URL in its body, the subject has already been delivered and cannot be tagged. With IMAP, tagging the subject with ‘Spam’ is possible when the judgement is based on the sender's email address, which is available in the headers.
Other restrictions

  • A contract for either vFirewall or Integrated Network Appliance is required.

  • The plan cannot be changed between Compact and Large after the service begins.

  • The appliance that runs this service is a single (non-redundant) instance. The platform underneath it is redundant: on a failure, the appliance is rebooted on the backup platform and traffic resumes after five to ten minutes.

  • This service requires a dedicated compute resource pool, which is designed when you apply for UTM. The service cannot be placed on an existing compute resource pool.

  • Customers cannot create virtual machines on the compute resource pool that runs this service.

  • The dedicated compute resource pool for this service cannot be expanded or reduced.

  • Resource allocations of the virtual machine that runs this service cannot be changed from the customer portal. Only NTT Com Group can change them, as the virtual machine is under our control.

  • When UTM memory usage exceeds 80 percent, the appliance enters conserve (protect) mode. In conserve mode, new sessions are passed without inspection by the Anti Virus, Web Filter and Spam Filter functions; that is, those functions fail open rather than closed. Conserve mode is released automatically when memory usage returns to 80 percent or below.

  • The virtual machine running UTM cannot use private catalogues, backup, or VM security services.

  • Packets that violate TCP/UDP/IP protocol rules, and other abnormal packets, are discarded as a standard function regardless of the customer's configuration.
    (examples)
    • the IP header is truncated
    • the port number is 0 (zero)
    • the TCP flag combination is abnormal
    • packets made illegal by encapsulation, and others
  • This service does not guarantee that the UTM feature is complete, accurate, or suitable for your purposes. Nor is the suitability guaranteed of the algorithms for detecting unauthorized or cyber-attack communications that are provided by the developers or distributors of the devices making up the UTM feature.

  • The following information may be provided to the developers or distributors of the devices making up the UTM feature:

    • configuration information obtained in the course of providing UTM
    • information on UTM control
  • We cannot guarantee recovery from failures caused by incompatibility between UTM and your environment, or from failures caused by operations other than those specified by NTT Com Group.
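The malformed-packet restriction above (truncated IP header, port 0, abnormal TCP flag combination) applies regardless of policy, so traffic generated by your own tooling that trips it will vanish silently. As an added example, not code from NTT Com or the appliance vendor, the following Python checker implements those three classes of check over IPv4 packets so you can test packets offline before putting a workload behind UTM. The set of flag combinations treated as abnormal is an assumption (the page does not publish the appliance's list); the packets are constructed in the code and never sent.

```python
import socket
import struct
from typing import List, Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IP_PROTO_TCP, IP_PROTO_UDP = 6, 17


def abnormal_tcp_flags(flags: int) -> Optional[str]:
    """Name the problem with a TCP flag byte, or None if the combination is sane.

    Assumption: the appliance's own list is not published on the page; these are
    combinations that cannot occur in a legitimate TCP exchange and are typical of
    port-scan probes (null, SYN+FIN, SYN+RST, FIN without ACK as in "Xmas" probes).
    """
    flags &= 0x3F
    if flags == 0:
        return "null flags (no flag set)"
    if flags & SYN and flags & FIN:
        return "SYN+FIN set together"
    if flags & SYN and flags & RST:
        return "SYN+RST set together"
    if flags & FIN and not flags & ACK:
        return "FIN without ACK"
    return None


def check_packet(pkt: bytes) -> List[str]:
    """Return the reasons an IPv4 packet would be discarded; [] means it looks sane."""
    problems: List[str] = []
    if len(pkt) < 20:
        return [f"IP header truncated: {len(pkt)} bytes, minimum is 20"]
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4:
        return [f"not IPv4 (version field {version})"]
    if ihl < 20:
        return [f"IP header length field {ihl} is below the 20-byte minimum"]
    if len(pkt) < ihl:
        return [f"IP header truncated: IHL says {ihl} bytes, only {len(pkt)} present"]
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len > len(pkt):
        problems.append(f"IP total length {total_len} exceeds the {len(pkt)} bytes captured")
    proto, payload = pkt[9], pkt[ihl:total_len]
    if proto == IP_PROTO_TCP:
        if len(payload) < 20:
            return problems + ["TCP header truncated"]
        sport, dport = struct.unpack("!HH", payload[:4])
        if 0 in (sport, dport):
            problems.append(f"TCP port 0 (src {sport}, dst {dport})")
        why = abnormal_tcp_flags(payload[13])  # byte 13 of the TCP header holds the flags
        if why:
            problems.append(f"abnormal TCP flags: {why}")
    elif proto == IP_PROTO_UDP:
        if len(payload) < 8:
            return problems + ["UDP header truncated"]
        sport, dport = struct.unpack("!HH", payload[:4])
        if 0 in (sport, dport):
            problems.append(f"UDP port 0 (src {sport}, dst {dport})")
    return problems


# --- constructed sample packets (checksums left zero, never sent) ------------

def ipv4(proto: int, payload: bytes, src: str = "10.0.0.1", dst: str = "10.0.0.2") -> bytes:
    """20-byte IPv4 header without options, followed by the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def tcp(sport: int, dport: int, flags: int) -> bytes:
    """20-byte TCP header with the given flags, no options, no data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    """8-byte UDP header followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


if __name__ == "__main__":
    samples = {
        "normal SYN to 443": ipv4(IP_PROTO_TCP, tcp(40000, 443, SYN)),
        "SYN with source port 0": ipv4(IP_PROTO_TCP, tcp(0, 443, SYN)),
        "SYN+FIN probe": ipv4(IP_PROTO_TCP, tcp(40000, 22, SYN | FIN)),
        "Xmas probe (FIN+PSH+URG)": ipv4(IP_PROTO_TCP, tcp(40000, 22, FIN | PSH | URG)),
        "null-flag probe": ipv4(IP_PROTO_TCP, tcp(40000, 22, 0)),
        "IP header cut at 12 bytes": ipv4(IP_PROTO_TCP, tcp(40000, 443, SYN))[:12],
        "UDP to port 0": ipv4(IP_PROTO_UDP, udp(5353, 0)),
        "normal DNS query": ipv4(IP_PROTO_UDP, udp(5353, 53, b"\x00" * 12)),
    }
    for label, pkt in samples.items():
        print(f"{label:28} -> {'; '.join(check_packet(pkt) or ['ok'])}")
```

Feed check_packet() the raw bytes of a capture taken on the VM side of the UTM: anything it flags would have been dropped before reaching the appliance's configurable functions, which explains traffic that is missing from the UTM logs without any matching block entry.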