Home >Documents >Service Descriptions >Network-based Security v6.0.2 > Managed UTM >Managed UTM Version2

Managed UTM Version2

About This Menu

Overview

Managed UTM is form of the most integrated security functions (including firewall functions) within Tenant(s) for the Enterprise Cloud 2.0 to manage " Unified Threat Management" literally.

It can be connected to Logical Network within the Tenant(s) and Customers are able to utilize their own controlling parameters at their inter-logical network transmission so that they are the only controllers of their own network.

(NOTE: Hereinafter, Managed UTM is referred to as "this Menu" and the equipment that provides the features is referred to as "device".)

Features

This menu has following features:

1. Reliable and secure operation by security managed service

   The Security Operation Center (SOC), which has a global security management system, monitors the management servers provided in this menu.

   
   
2. 2. All-In-One provision of security features:

   All-in-one necessary security features in order to protect the customers' environment from a variety of security threats such us unauthorized access, virus infection, unwanted web access, spam e-mail, etc. are provided.

   
   

   Firewall function (Access control/IPSecVPN)

   ● IDS/IPS function provides detection and protection for fraudulence access.

   ● Anti-Virus function for Protection from Virus.

   ● Web Filter function for Filtering of Web communication based on URL.

   ● Spam Filter function for determination of Spam mail.

   
   

   
   
3. Immediate provision by self-operation · Immediate setting change

   Customer can immediately leverage this menu by operation Security Control Panel through Enterprise Cloud 2.0 Portal. Configuration change is immediately reflected by Security Control Panel.

   Customers can use the necessary resources without initial investment and minimum usage period, without owning assets, and can constitute a secure environment tailored to the customer's business environment.

Available Functions

List of Available Functions

This menu provides following functions;

Functions	Description
1.Firewall	Traffic control function based on firewall policy which customer configures.
2.Security	Security function is where Customers can control and manage security measurements such as followings against what they set as Transmissions Rule accordingly at their own given parameter in (which is Firewall policies) Firewall :
3.Network	This function is where the "Device" is connected to the Logical Network and / or routed to the transmitters.
4.IPsecVPN	This function creates a tunnel encrypted with IPsec and realizes secure communication between multiple bases.
5.Other Functions	The other functions are to transmit back and forth the Sys log server a log obtained by the Customers themselves through the "Device" and assign the time zone for the log content recorded within the "Device" themselves.
6.Security Incident Report	This function is what the "Device" self-analyzes and reports any security incident(s) occurring within themselves once there is any information that determines the "Device" received hostile incoming transmissions.
7.Control Panel	Ability to set up applications and devices from Security Control Panel of Enterprise Cloud 2.0 Portal
8.Version Upgrade	Function to upgrade Managed FW / UTM / WAF Version 2

Description of Respective Functions

1.Firewall

Customers are provided with the following functions with this menu:

Item	Description
Firewall	Traffic control function by Stateful inspection [1] based on configured firewall policy to a traffic through the device.
NAT / NAPT [2]	NAT / NAPT function is to transform the IP Address or Port number(s) which pass through the "Device" .

[1]	Stateful inspection will inspect to determine if it allows or disallow a passer-by packets (through the "Device" ) by monitoring the status of passer-by packets. Usually the packets will be allowed to come passing back through if it is allowed on the way to.

[2]	NAT stands for Network Address Translation. NAPT stands for Network Address Port Translation

2.Security

Security provides the following functions.

Item	Description
IPS/IDS	This function proceeds with signature-based virus filtering on transmissions; detects and separates dangerous transmissions and then blocks such dangers.
Anti-virus	Signature-file based detection of transmitters; detects and block such dangers of which function considers as "Virus".
Web Filter	This function checks the access destination of the Web communications and control the communication.
Spam Filter	Spam filter filters Mail transmissions; this function will identify the spam email and makes actions.

Functions of IDS/IPS

Specifications of the functions of IDS/IPS are as follow:

Item	Description
Protocol	TCP/IP
Action	Choosing the action of the risk communication event IDS_Monitor: Detection only, do not Block IPS_Block: Detection and Block

Note

• In the case of IPS mode, not all the signatures are target to be blocked, there are signatures only for inspection.

• The signature will be automatically updated.

● Antivirus function

Specifications of the functions of the Anti-Virus are as follow:

Item	Description
Protocol	HTTP、FTP、SMTP、POP3、IMAP、MAPI、NNTP
Port Number	Customer-specified port number
Action	By protocol, select the action at the time of detection Block: Block the communication that virus was detected Monitor: Virus detection only, do not block Disable: no detection
Selectable file size for inspection:	1MB - 10 MB (Initial value: 3MB)
Number of times compressed	Only 12 or less time compressed files are able to be inspected
Compression Format	arj、cab、gzip、lha、lzh、msc、rar、tar、zip
Decompressed file size of the compressed file	Decompression file size is the value indicated by Selectable file size for inspection.

Note

• Encrypted and passworded file is not verifiable. Traffic with encrypted and passworded file passes this menu without verification.

• The signature will be automatically updated.

Functions of Web-Filter

The specifications of the web-filter's functions are as follow:

Item	Description
Protocol	HTTP
Port Number	Customer-specified port number
Block URL category.	Control in the URL category units Block upon detecting the communication to the URL contained in the category by selecting the URL category to block
White list / Black list	The customer sets individually the URL and specify the action for the URL. block: Block the set URL. exempt: Do not block the specified URL.

Note

• Communication with TCP 8008, 8010 and 8020 port is not allowed for verified communication by WebFilter function to show Block screen correctly.

• For communication through Proxy server to use WebFilter function, please apply to WebFilter function to communication from client to Proxy server. When WebFilter function apply to communication from Proxy server to Web site on internet, sometimes WebFilter function does not correctly work by Proxy server specification and configuration. For example, Block screen does not shows to client.

• If in any case there is a connected site's server certificate with common name domain, which is categorized as a harmful blocked domains at the end of Customers, blocking screen will not be specifically showing but the webpage will show users errors in web browser.

• URL included in URL category is automatically updated.

Functions of Spam Filter

The specifications of the functions of spam filter are as follow:

Item	Description
Protocol	POP3、IMAP
Port Number	Customer-specified port number
Action	By protocol, select whether you want to enable or disable spam judgment. Tag: Enabled Pass: Invalid
Tag	In the case of an action with a tag, the tag can be optionally specified in the mail subject.
White list / Black list	The customer sets up the email address individually and specify the action for that email address. Spam: the mail address is determinated as a spam mail Clear: the mail address is not determinated as a spam mail

Note

• Indicated tag is added to the subject of mail which is decided as SPAM . This menu does not delete mail which is identified as spam. Please deal with mail based on tag information in subject by customer.

• In IMAP case, Tag may not be added to subject of mail. This behavior is the restriction of IMAP not this service specification. IMAP downloads body of mail after downloads subject of mail to client, so if the URL of body is identified as spam, Tag cannot be added to subject of mail. If mail address is identified as spam, Tag can be added to subject.

• Mail address which is determined as spam is automatically updated.

3.Network

Network provides the following functions.

Item	Description
Interface	This function is where Interface of the “Device” will be set and then it will be connected to logical network.
Routing	Routing function is where static routes and default gateway is being set and transmission is being routed with.

Note

• It is important for Customers to note that they are required to create logical network prior to the menu is provisioned.

• The "Device" will be connected to Data Plane of logical network although it will not be connected to Storage Plane of logical network.

• In order for Customers to set (to create) / modify (to change) / delete (to erase) the interface for the "Device" , the Customers (and the end users) are noted that they are required to reboot the "Device" and the interface MAC address will be automatically changed.

• The MTU size of the interface can be varied from 100 to 9000 bytes. The initial value is 1500 bytes.

• In the case of HA plan, when customer applys address range of connected segment, which is connected to interface, to NAT/NAPT, Please configure Proxy ARP.

4.IPsecVPN

IPsecVPN provides the following functions.

Item	Description
IPsecVPN	IPsecVPN function defines authentication, encryption method and connection destination IP address and creates a tunnel to the opposite network.
Routing	Routing function sets up and routes static routes to the tunnel interface.
Access Control	Access control function controls traffic passing through the tunnel based on policy which customer configures.
NAT/NAPT	NAT/NAPT function converts IP address of traffic passing through the tunnel and port number.

Note

• In the HA configuration plan, the IPsecVPN function can not be used. This function is available only in a single configuration plan.

• IPsecVPN function provided by this service is IPsecVPN connection between Managed Firewall / UTM. Connection with other VPN devices is not supported.

• The security function can not be used within the policy created with IPsec VPN.

The specifications of the IPsec VPN function are as follows.

Item	Description
Authentication method	Pre-shared key (PSK)
Encryption algorithm	AES-128 / AES-192 / AES-256
Authentication (hash function)	SHA-256 / SHA-384 / SHA-512
DH Group	14 / 15 / 16 / 17 / 18 /19 / 20 / 21 / 27 / 28 / 29 / 30 / 31
Number of tunnels that can be created	Maximum 15 (per 1 Managed UTM)

5.Other Functions

Other Functions provide the following functions.

Item	Description
Sys log transmission	Sys log server where the Customers manage is receiving logs obtained at the "Device"
Time Zone Assignment	Time stamp recorded as to the timetable log on the "Device" will be assigned.
Device Config Export	Export items set on the device to the document.

Note

• There is only one (1) settable destination for syslog transmission.

• If you change the time zone, time stamp of the log that has been recorded before the change time zones are not rewritten.

• Traffic logs and Security detection logs, which are configured to obtain logs on firewall policy, are sent by syslog.

6.Security Incident Report

Security Incident Report provides the following functions.

Item	Description
Create Report	Device logs will be automatically analyzed and "Security Incident Report" will be generated after recognizing detected threat(s).
Publish Report	Security Incident Report is shown on Security Control Panel through Enterprise Cloud 2.0 Portal.
Notify Report	When Security Incident Report is generated, E-mail notification will be sent by registering mail address on Security Control Panel.
Report notification level setting	Function to change the severity of the criteria for creating an Incident Report.

● Security Incident Report

Following titles will be included within the "Security Incident Report":

Item	Description
Device	The Device Name if there is any
Signature	Threat name
Severity	Severity in degree of the recognized threat
Confidence	Detection accuracy
Reference	Automatically granted ID
Date and Time	The date and time of detection --and date and time of last detection-- of the reported threat being reported
Description	Description of the details of the recognized threat
Access Patterns	Draw threat access status
Details	Threat details

Note

• Analyzed log is limited by firewall policy which the device obtains logs.

• All "Security Incidents" are reported in English.

• When customer leverages this menu and other menu as like Managed Firewall Version2 or Managed WAF Version2 on one tenant, Security Incident Report by correlation analysis of each device log is generated. So each Security Incident Report is not generated for each menu and device.

7.Control Panel

For Control Panel Functions, the following operations are possible.

For details, see the Enterprise Cloud 2.0 tutorial.

Item	Description
Order	Customers can subscribe the Security Menu
Operation	Customers can either manage and / or set the created "Device"

● Order

Following actions are processable from the Order Panel:

Item	Description
Add Device	Customers can either create a new or add a "Device"
Change	Created "Device" Menu and / or Plan will be changed to update the settings details
Delete Device	Created "Device" can be deleted to be eliminated from the operation

● Operation

Following actions are operable from the Operations Panel:

Item	Description
Device KPI	Resource status (such as CPU and memory) and traffics will be viewed.
Network Management	Interface of the "Device" will be set here (and then connected to logical network).
Device Management	Firewall, security and other functions is configureable.
Log Analysis	Customers can download to obtain the data by CSV file after assigning search details by conditions tags.
Incident Reports	The Security Incident Report will be posted.
Customer Profile	Customers can register mail notification destination for Security Incident Report.
Document	Customers can download the CSV file output by the Device Config Export.
Information	Any notable information will be relayed.

Note

• To indicate log analysis target and analyzed Security Incident Report, it is necessary to configure which logs are obtained for each Firewall Policy.

• In log analysis, confirmable and searchable period of logs is below. It does not ensure integrity of obtained logs.

  • Log acquired by firewall function (traffic log): 7 days

  • Log acquired by security function (security detection log): 90 days

• In the event that the Customers would like to obtain the log results for a longer span of time to review the search result, then Customers are advised to transmit to sys log server which Customers are managing.

8.Version Upgrade

Version Upgrade function provides the following features:

Item	Description
GetFirmwareSatus	You can check whether the device is the target of version upgrade.
Firmware Update	Execute the version upgrade of the target device.

Menu

Plan

This menu provisions the following Plans:

Plan	vCPU	Memory	Disk	Interface	Configuration
	(Number)	(GB)	System area (GB)	(Maximum)
2CPU-4GB	2	4	2	7	Deploy Singular
8CPU-12GB	8	12	2	7	Deploy Singular
2CPU-4GB（HA）	2	4	2	7	High Availability (Redundancy)
8CPU-12GB(HA)	8	12	2	7	High Availability (Redundancy)

Subscriptions Method

Customers with Enterprise Cloud 2.0 can basically request to subscribe this menu.

Subscriptions types, Subscription methods and Delivery are as follows:

Order Types	Details	Subscription Methods	Offering Date
Add Device	Create the Device	Subscription by customer on security control panel.	Immediate
Change	Change the "Device" Plan; Modify Menus to change settings	Same as the above.	Same as the above.
Delete Device	Delete the Device	Same as the above.	Same as the above.

Note

• Number of the executable "Device" for one (1) "order" is just one (1). Therefore, if in any event Customers wish to make multiple orders for the "Device", Customers are advised that each order process has to go through once for every "Device" Customers wish to subscribe. The Order screen has to proceed for each and every "Device" every time.

• Change of plan can be performed by all of patterns.

  • 2CPU-4GB → 8CPU-12GB ○
  • 8CPU-12GB → 2CPU-4GB ○

• Following plan changes with changing configurations, such as changing from a Single Configuration Plan to a HA Configuration Plan, is not possible.

  • Single Configuration Plan to HA Configuration Plan: N/A

  • HA Configuration Plan to Single Configuration Plan: N/A

• At such change of Plan, Customers are noted that the "Device" has to reboot.

• You can not change the menu from this menu to another menu.

• Due to possible multiple orders for subscriptions being processed in, Customers might experience too much traffic which might take a longer time for them to fill out the process in creating "Device", changing Plans and so forth.

• At creating device, selectable zone and group are different by region. Detail information is described on Region/Zone/Group in service description.

Restrictions

Following are the sales unit, the number of uppermost maximum and lowermost minimum units.

Unit	Maximum Number	Minimum Number
1	No limit	0

Terms And Conditions

Terms And Conditions

Logical Network Connectivity
<Singular Configuration> For singular deployment, logical network should be placed two (2) or more. Customers are required to configure each separate logical networks to manage the receiving ends and transmitting ends. (In essence Customers are hereby advised that they are unable to deploy what they call a "one-arm" setup.)
<HA Configuration> In the case of HA configuration, logical network requires four or more. Requirement of logical network which deals with customer traffic is more than 2 NW same as single Configuration Plan. In addition, 2 logical network is necessary to hook up 2 devices for HA Configuration Plan. (In essence Customers are hereby advised that they are unable to deploy what they call a "one-arm" setup.) Note When VRRP is used, Please enable DHCP of logical network dealing with customer’s communication on above capture. When the DHCP settig is “invalid”, the ARP request is executed at the source address of 0.0.0.0 on ECL2.0 Network. it is confirmed that Load Balancer, Managed Firewall/UTM, etc. provided by NTTCom do not reply ARP and interruption of transmission may occur at the time of VRRP switching. It is necessary to prepare 2 logical network for HA above capture. Please create 2 logical network before order. Please select "Data" for plane of logical network. Please configure subnet network address as x.x.x.x/29. Please avoid to duplicate address of x.x.x.x and other network. Please check "Disable Gateway" not to indicate Gateway IP. Please check "Enable DHCP". Please do not connect logical network for HA to other menus. Please configure traffic through this menu not to route asymmetric communication.

Note

• When customer uses VRRP for the opposite device, customer needs to select a different VRRP ID.

Conditions of Use in Combination with Other Services

This menu does not specifically limit as with combined usage with any other services.

Minimum Use Period

This menu does not require minimum usage period.

Pricing

Initial Fee

This menu is offered at no charge no matter what Plan, subscriptions are being made.

Monthly Fee

This menu, regardless of the use of time, has a monthly fixed fee.

In the same device, if there is a change of the plan or menu in the middle of the month, then the new one is compared with the monthly fee according to the plan or the menu that was available in that month, to apply the highest rate as a monthly fee.

Quality of Menu

Support Coverage

All functions and facilities provided in this menu are within the support range.

However, designing using this menu is not supported.

Operations

This menu is subject to the operational quality, which has been defined by the standard in Enterprise Cloud 2.0.

Furthermore, this menu is implementable as qualified operation of the following self-managed services:

Item	Description
Security update version management	Manages signature updates
Applies security patches	Apply the security patch depending on the degree of influence (Equivalent process as version up operation)
Life Cycle Management of the Products	Proceeds with the updated versions in operations
Monitoring / Maintenance	Operation monitoring and failure countermeasure implementation of this device

SLA

SLA of this menu conforms to SLA defined as standard in Enterprise Cloud 2.0.

Restrictions

Restrictions of this menu are following;

• When customer leverage VRRP, VPPR ID configuration of logical network has restriction below.

  • In the case of HA configuration, please make sure that the VRRP ID on the same network such as the logical network to which this menu connects and colocation connection (CIC) and Enterprise Cloud 1.0 connection (EIC) do not overlap.

• In HA Configuration Plan, Please enable DHCP of logical network dealing with customer’s communication.

• Below IP address is not available for Interface, Routing, Address object, Destination NAT and Source NAT. When these IP addresses is used, This menu cannot correctly work.

  • 100.65.0.0/16
  • 100.66.0.0/15
  • 100.68.0.0/14
  • 100.72.0.0/14
  • 100.76.0.0/15
  • 100.78.0.0/16
  • 100.80.0.0/13
  • 100.88.0.0/15
  • 100.91.0.0/16
  • 100.92.0.0/14
  • 100.126.0.0/15

• Please design the IP address in the logical network to which this menu is connected at your own risk. Please be careful not to duplicate the IP address etc assigned to this menu.

• Please create firewall policy after object and security profile configuration is saved.

• Violation packet to TCP/UDP/IP protocol and abnormal packet are dropped by standard function regardless customer configuration. Example is below.

  • IP header is intermittently cut off in the middle;

  • Port number is valued null (0);

  • TCP flag pair turns out to be abnormally irregular;

  • Unauthorized capsular processing of unauthorized packet(s).

• If the memory usage on the device exceeds 88 percent, it goes into Conserve mode. When in Conserve mode, new sessions will pass through without being inspected (for antivirus, web filter, and spam filter features). Also, when the memory usage drops below 88%, Conserve mode is automatically canceled.

• Dynamic Routing Function is not provisioned in this menu.

• Bandwidth Controlling Function is not provisioned in this menu.

• During maintenance work related to the device, communication will be interrupted in the case of a single configuration. In the case of HA configuration, the effect is about the same as the switching time at the time of failure. We will carry out the work after notifying in advance, but the work date and time cannot be adjusted.

• Each function and log provided by this menu does not ensure integrity, accuracy and compatibility for customer's purpose of use.

• NTT Com as a service provider is required to provide the following information to the "Devices'" developer(s) and / or front-end seller of this menu; the purpose of such is to seek if there is any possible or feasible fail-over waiting to happen due to the incompatibility of the setting details or irregular operations or maneuvers which may cause some sort of troubles in duration. However, the fail-over is not at all guaranteed to be repaired if the difficulty in operation or fail-over occur with the operations which NTT Com did not intend to. The following information is going to be relayed to the system developer and front-end seller:

  • Setting details and data obtained at such time the menu is provisioned.

  • Managed details within such information relates to this provisioned menu.

• Below port is not available for this menu. This menu may not work, when below port is used.

  • TCP/2000, TCP/5060

  • TCP/8008, TCP/8010, TCP/8020 (If WebFiliter function is enabled.)

• There is a guideline for the upper limit of performance values. See (Reference) Performance measurement results of Managed FW / UTM .

---

Managed UTM Version1

Managed WAF