Enterprise Cloud Knowledge Center


Managed UTM Version2

About This Menu

Overview

Managed UTM provides the most commonly needed security functions, including a firewall, as one integrated device within a Tenant on Enterprise Cloud 2.0; it is Unified Threat Management in the literal sense.
It connects to Logical Networks within the Tenant, and Customers control the parameters that govern traffic between their logical networks, so that they alone control their own network.
(NOTE: Hereinafter, Managed UTM is referred to as "this Menu" and the equipment that provides the features is referred to as the "Device".)

[Figure: Overview Managed UTM]


Features

This menu has the following features:

  1. Reliable and secure operation by a security managed service
    The Security Operation Center (SOC), which runs a global security management system, monitors the management servers provided in this menu.

  2. All-in-one provision of security features
    The security features needed to protect the customer's environment from a variety of threats, such as unauthorized access, virus infection, unwanted web access and spam e-mail, are provided in a single device:

    ● Firewall function (access control / IPsec VPN)
    ● IDS/IPS function: detection of and protection against unauthorized access
    ● Anti-Virus function: protection from viruses
    ● Web Filter function: filtering of web communication based on URL
    ● Spam Filter function: identification of spam mail

  3. Immediate provision by self-service and immediate configuration changes
    Customers can start using this menu immediately by operating the Security Control Panel through the Enterprise Cloud 2.0 Portal. Configuration changes made in the Security Control Panel take effect immediately.
    Customers can use the resources they need without initial investment, minimum usage period or owning assets, and can build a secure environment tailored to their business.


Available Functions

List of Available Functions

This menu provides the following functions:

1. Firewall: Traffic control based on the firewall policy which the customer configures.

2. Security: Security measures (IDS/IPS, Anti-Virus, Web Filter, Spam Filter) that the customer applies, with parameters the customer sets, to the traffic matched by a firewall policy.

3. Network: Connects the "Device" to Logical Networks and routes traffic between them.

4. IPsecVPN: Creates an IPsec-encrypted tunnel for secure communication between multiple sites.

5. Other Functions: Forwards the logs obtained at the "Device" to the customer's syslog server, and sets the time zone used for the timestamps in the logs recorded on the "Device".

6. Security Incident Report: The "Device" logs are analyzed automatically and a report is generated whenever the analysis determines that the "Device" received hostile traffic.

7. Control Panel: Applications and devices are set up from the Security Control Panel of the Enterprise Cloud 2.0 Portal.

8. Version Upgrade: Upgrades the version of Managed FW / UTM / WAF Version 2.


Description of Respective Functions

1.Firewall

Customers are provided with the following functions with this menu:

Firewall: Traffic control by stateful inspection [1] of the traffic passing through the "Device", based on the configured firewall policy.

NAT / NAPT [2]: Translation of the IP addresses and/or port numbers of traffic passing through the "Device".

[1] Stateful inspection decides whether to allow or deny a packet passing through the "Device" by tracking the state of the connection it belongs to. Typically, the return packets of a connection that was allowed in one direction are allowed back through.

[2] NAT stands for Network Address Translation. NAPT stands for Network Address Port Translation.

2.Security

Security provides the following functions.

IPS/IDS: Signature-based inspection of traffic; detects dangerous transmissions and, depending on the mode, blocks them.

Anti-virus: Signature-file based detection of files in transit; detects and blocks traffic the function judges to be a "virus".

Web Filter: Checks the destination of web communication and controls the communication.

Spam Filter: Inspects mail traffic, identifies spam e-mail and takes the configured action.


● Functions of IDS/IPS

Specifications of the IDS/IPS functions are as follows:

Protocol: TCP/IP

Action: Choice of action for a risk communication event

  • IDS_Monitor: Detection only, do not block

  • IPS_Block: Detection and block

Note

  • In IPS mode, not all signatures are subject to blocking; some signatures are for inspection only.

  • Signatures are updated automatically.


● Antivirus function

Specifications of the Anti-Virus functions are as follows:

Protocol: HTTP, FTP, SMTP, POP3, IMAP, MAPI, NNTP

Port Number: Customer-specified port number

Action: Selected per protocol; the action taken on detection

  • Block: Block the communication in which a virus was detected

  • Monitor: Detect viruses only, do not block

  • Disable: No detection

Selectable file size for inspection: 1 MB - 10 MB (initial value: 3 MB)

Number of compression levels: Only files compressed 12 times or fewer can be inspected

Compression Format: arj, cab, gzip, lha, lzh, msc, rar, tar, zip

Decompressed file size of the compressed file: The decompressed size is limited by the value set in "Selectable file size for inspection".

Note

  • Encrypted and password-protected files cannot be inspected. Traffic carrying such files passes through this menu without inspection.

  • Signatures are updated automatically.


● Functions of Web Filter

Specifications of the Web Filter functions are as follows:

Protocol: HTTP

Port Number: Customer-specified port number

Block URL category: Control in units of URL categories

  • Select the URL categories to block; communication to a URL in a selected category is blocked on detection

White list / Black list: The customer sets individual URLs and specifies the action for each URL.

  • block: Block the specified URL.

  • exempt: Do not block the specified URL.

Note

  • TCP ports 8008, 8010 and 8020 must not be used by the traffic inspected by the WebFilter function; these ports are used to show the block screen correctly.

  • When WebFilter is used with communication through a proxy server, apply the WebFilter function to the communication from the client to the proxy server. If WebFilter is applied to the communication from the proxy server to the web site on the Internet, it may not work correctly depending on the proxy server's specification and configuration; for example, the block screen may not be shown to the client.

  • If the common name of a connected site's server certificate is a domain that is categorized as harmful and blocked, the block screen is not shown; instead, the web browser shows an error to the user.

  • The URLs included in each URL category are updated automatically.


● Functions of Spam Filter

Specifications of the Spam Filter functions are as follows:

Protocol: POP3, IMAP

Port Number: Customer-specified port number

Action: Selected per protocol; whether spam judgment is enabled or disabled

  • Tag: Enabled

  • Pass: Disabled

Tag: When the action is Tag, the tag inserted into the mail subject can be specified.

White list / Black list: The customer sets individual e-mail addresses and specifies the action for each address.

  • Spam: mail from the address is judged to be spam

  • Clear: mail from the address is not judged to be spam

Note

  • The specified tag is added to the subject of mail judged to be spam. This menu does not delete mail identified as spam; customers should handle such mail based on the tag in the subject.

  • With IMAP, the tag may not be added to the subject. This is a restriction of IMAP, not of this service: the IMAP client downloads the subject before the body, so if a URL in the body is what identifies the mail as spam, the tag cannot be added to the subject. If the sender address identifies the mail as spam, the tag can be added.

  • The list of mail addresses judged to be spam is updated automatically.


3.Network

Network provides the following functions.

Interface: Configures the interfaces of the "Device" and connects them to logical networks.

Routing: Configures static routes and the default gateway, which the "Device" uses to route traffic.

Note

  • Customers must create the logical networks before this menu is provisioned.

  • The "Device" connects to the Data Plane of a logical network; it does not connect to the Storage Plane.

  • Creating, changing or deleting an interface of the "Device" requires a reboot of the "Device", and the interface MAC address changes automatically.

  • The MTU size of an interface can be set from 100 to 9000 bytes. The initial value is 1500 bytes.

  • In the HA plan, when the address range of a segment connected to an interface is used for NAT/NAPT, configure Proxy ARP.


4.IPsecVPN

IPsecVPN provides the following functions.

IPsecVPN: Defines the authentication and encryption methods and the destination IP address, and creates a tunnel to the remote network.

Routing: Configures static routes to the tunnel interface.

Access Control: Controls traffic passing through the tunnel based on the policy which the customer configures.

NAT/NAPT: Translates the IP addresses and port numbers of traffic passing through the tunnel.

Note

  • In the HA configuration plan, the IPsecVPN function cannot be used. It is available only in the single configuration plan.

  • The IPsecVPN function provided by this service is an IPsecVPN connection between Managed Firewall / UTM devices. Connection with other VPN devices is not supported.

  • The security functions cannot be used within a policy created for IPsec VPN traffic.

The specifications of the IPsec VPN function are as follows.

Authentication method: Pre-shared key (PSK)

Encryption algorithm: AES-128 / AES-192 / AES-256

Authentication (hash function): SHA-256 / SHA-384 / SHA-512

DH Group: 14 / 15 / 16 / 17 / 18 / 19 / 20 / 21 / 27 / 28 / 29 / 30 / 31

Number of tunnels that can be created: Maximum 15 (per Managed UTM)


5.Other Functions

Other Functions provide the following functions.

Syslog transmission: Logs obtained at the "Device" are sent to a syslog server managed by the Customer.

Time Zone Assignment: Sets the time zone of the timestamps recorded in the logs on the "Device".

Device Config Export: Exports the settings configured on the device to a document.

Note

  • Only one (1) destination can be set for syslog transmission.

  • If the time zone is changed, the timestamps of logs recorded before the change are not rewritten.

  • Traffic logs and security detection logs are sent by syslog for the firewall policies that are configured to obtain logs.


6.Security Incident Report

Security Incident Report provides the following functions.

Create Report: Device logs are analyzed automatically and a "Security Incident Report" is generated when a threat is recognized.

Publish Report: The Security Incident Report is shown on the Security Control Panel through the Enterprise Cloud 2.0 Portal.

Notify Report: When a Security Incident Report is generated, an e-mail notification is sent to the mail address registered on the Security Control Panel.

Report notification level setting: Changes the severity threshold for creating an Incident Report.


● Security Incident Report

The "Security Incident Report" contains the following items:

Device: The Device name, if any

Signature: Threat name

Severity: Severity of the recognized threat

Confidence: Detection accuracy

Reference: Automatically assigned ID

Date and Time: The date and time of the first detection and of the last detection of the reported threat

Description: Description of the details of the recognized threat

Access Patterns: Visualization of the threat's access pattern

Details: Threat details

Note

  • The analyzed logs are limited to those obtained by the firewall policies configured to log.

  • All "Security Incidents" are reported in English.

  • When a customer uses this menu together with another menu such as Managed Firewall Version2 or Managed WAF Version2 in one tenant, a Security Incident Report is generated by correlation analysis of the logs of all the devices; a separate Security Incident Report is not generated per menu or per device.


7.Control Panel

The following operations are possible from the Control Panel.
For details, see the Enterprise Cloud 2.0 tutorial.

Order: Customers can subscribe to the Security Menu

Operation: Customers can manage and/or configure the created "Device"


● Order

The following actions are available from the Order Panel:

Add Device: Create a new "Device"

Change: Change the Menu and/or Plan of a created "Device"

Delete Device: Delete a created "Device"


● Operation

The following actions are available from the Operations Panel:

Device KPI: View resource status (such as CPU and memory) and traffic.

Network Management: Configure the interfaces of the "Device" (and connect them to logical networks).

Device Management: Configure the firewall, security and other functions.

Log Analysis: Search logs by conditions and tags and download the results as a CSV file.

Incident Reports: View the posted Security Incident Reports.

Customer Profile: Register the e-mail notification destination for Security Incident Reports.

Document: Download the CSV file output by Device Config Export.

Information: Notices are posted here.

Note

  • To make logs available for log analysis and for Security Incident Report analysis, configure which logs are obtained in each Firewall Policy.

  • The periods for which logs can be viewed and searched in log analysis are listed below. The integrity of the obtained logs is not guaranteed.

    • Logs acquired by the firewall function (traffic log): 7 days

    • Logs acquired by the security functions (security detection log): 90 days

  • Customers who need to retain logs for a longer period should send them to a syslog server which they manage.


8.Version Upgrade

Version Upgrade provides the following features:

GetFirmwareStatus: Check whether the device is a target for version upgrade.

Firmware Update: Execute the version upgrade of the target device.



Menu

Plan

This menu provisions the following Plans:

Plan            vCPU (Number)  Memory (GB)  Disk, system area (GB)  Interface (Maximum)  Configuration
2CPU-4GB        2              4            2                       7                    Deploy Singular
8CPU-12GB       8              12           2                       7                    Deploy Singular
2CPU-4GB(HA)    2              4            2                       7                    High Availability (Redundancy)
8CPU-12GB(HA)   8              12           2                       7                    High Availability (Redundancy)


Subscriptions Method

Customers with Enterprise Cloud 2.0 can request to subscribe to this menu.
The order types, subscription methods and delivery are as follows:

Order Types    Details                                                    Subscription Methods                                          Offering Date
Add Device     Create the Device                                          Subscription by the customer on the Security Control Panel    Immediate
Change         Change the "Device" Plan; modify Menus to change settings  Same as the above                                             Same as the above
Delete Device  Delete the Device                                          Same as the above                                             Same as the above

Note

  • Only one (1) "Device" can be handled per "order". Customers who want several "Devices" must go through the order process once for each "Device".

  • Plan changes within the same configuration are possible in both directions:

    • 2CPU-4GB → 8CPU-12GB ○
    • 8CPU-12GB → 2CPU-4GB ○

  • Plan changes that change the configuration, such as from a Single Configuration Plan to an HA Configuration Plan, are not possible:

    • Single Configuration Plan to HA Configuration Plan: N/A

    • HA Configuration Plan to Single Configuration Plan: N/A

  • When the Plan is changed, the "Device" reboots.

  • You cannot change this menu to another menu.

  • When many orders are being processed at the same time, creating a "Device", changing Plans and similar operations may take longer than usual.

  • The zones and groups that can be selected when creating a device differ by region. Details are described under Region/Zone/Group in the service description.


Restrictions

The sales unit and the maximum and minimum number of units are as follows.

Unit  Maximum Number  Minimum Number
1     No limit        0


Terms And Conditions

Terms And Conditions

Logical Network Connectivity

<Singular Configuration>

For a singular deployment, two (2) or more logical networks are required.
Customers are required to configure separate logical networks for the receiving and transmitting sides.
(In other words, a "one-arm" setup cannot be deployed.)

[Figure: Minimum Configuration Single]

<HA Configuration>

For an HA configuration, four or more logical networks are required.
As in the Single Configuration Plan, two or more logical networks are needed for customer traffic. In addition, two logical networks are needed to connect the two devices of the HA Configuration Plan to each other.
(In other words, a "one-arm" setup cannot be deployed.)

[Figure: Minimum Configuration HA]

Note

  • When VRRP is used, enable DHCP on the logical networks that carry customer traffic (shown in the figures above).
    When the DHCP setting is "disabled", ARP requests on the ECL2.0 network are sent with a source address of 0.0.0.0.
    It has been confirmed that the Load Balancer, Managed Firewall/UTM and other menus provided by NTT Com do not reply to such ARP requests, so traffic may be interrupted at the time of VRRP switching.

  • The two logical networks for HA shown in the figure above must be prepared in advance. Create them before ordering:

    • Select "Data" as the plane of the logical network.

    • Configure the subnet network address as x.x.x.x/29, and make sure the address does not duplicate that of any other network.

    • Check "Disable Gateway" so that no Gateway IP is set.

    • Check "Enable DHCP".

  • Do not connect the logical networks for HA to other menus.

  • Configure the traffic through this menu so that communication is not routed asymmetrically.

Note

  • When the customer uses VRRP on the opposite device, a different VRRP ID must be selected.


Conditions of Use in Combination with Other Services

This menu does not specifically limit combined use with any other services.

Minimum Use Period

This menu does not require a minimum usage period.


Pricing

Initial Fee

This menu has no initial fee, whatever the Plan or subscription.

Monthly Fee

This menu has a fixed monthly fee regardless of the time of use.
If the plan or menu of a device is changed part-way through a month, the monthly fees of the plans or menus used in that month are compared and the highest is charged as the monthly fee.


Quality of Menu

Support Coverage

All functions and facilities provided in this menu are within the support range.
However, design work using this menu is not supported.

Operations

This menu is subject to the operational quality defined as standard in Enterprise Cloud 2.0.
In addition, the following operations are carried out as part of this menu:

Security update version management: Manages signature updates

Applies security patches: Applies security patches depending on the degree of impact (equivalent to the version upgrade operation)

Life Cycle Management of the Products: Keeps the versions in operation up to date

Monitoring / Maintenance: Operation monitoring and failure countermeasures for this device


SLA

The SLA of this menu conforms to the SLA defined as standard in Enterprise Cloud 2.0.


Restrictions

The restrictions of this menu are as follows:

  • When the customer uses VRRP, the VRRP ID configuration of the logical network has the following restriction.

    • In the HA configuration, make sure that the VRRP IDs on the same network, such as the logical network to which this menu connects, a colocation connection (CIC) and an Enterprise Cloud 1.0 connection (EIC), do not overlap.

  • In the HA Configuration Plan, enable DHCP on the logical networks carrying customer traffic.

  • The IP address ranges below are not available for Interface, Routing, Address objects, Destination NAT or Source NAT. If these addresses are used, this menu does not work correctly.

    • 100.65.0.0/16
    • 100.66.0.0/15
    • 100.68.0.0/14
    • 100.72.0.0/14
    • 100.76.0.0/15
    • 100.78.0.0/16
    • 100.80.0.0/13
    • 100.88.0.0/15
    • 100.91.0.0/16
    • 100.92.0.0/14
    • 100.126.0.0/15
  • Design the IP addresses in the logical networks to which this menu is connected at your own risk. Be careful not to duplicate the IP addresses assigned to this menu.

  • Create firewall policies only after the object and security profile configuration has been saved.

  • Packets that violate the TCP/UDP/IP protocols and other abnormal packets are dropped by standard functions regardless of the customer configuration. Examples:

    • IP header truncated in the middle;

    • Port number of zero (0);

    • Abnormal TCP flag combinations;

    • Invalid encapsulation of invalid packets.
  • If memory usage on the device exceeds 88 percent, it enters Conserve mode. In Conserve mode, new sessions pass through without being inspected by the anti-virus, web filter and spam filter features. When memory usage drops below 88%, Conserve mode is cancelled automatically.

  • The Dynamic Routing function is not provided in this menu.

  • The Bandwidth Control function is not provided in this menu.

  • During maintenance work related to the device, communication is interrupted in the single configuration. In the HA configuration, the effect is about the same as the switchover time at the time of a failure. The work is carried out after advance notice, but the work date and time cannot be adjusted.

  • The functions and logs provided by this menu do not guarantee integrity, accuracy or suitability for the customer's purpose of use.

  • NTT Com, as the service provider, provides the following information to the developer and/or vendor of the "Device" in order to investigate whether a malfunction may be caused by incompatible settings or irregular operation. However, recovery is not guaranteed if a malfunction or failure results from operations NTT Com did not intend. The following information is relayed to the developer and vendor:

    • The settings and data obtained at the time the menu is provisioned.

    • The management details related to the provisioned menu.

  • The ports below are not available for this menu. This menu may not work when they are used.

    • TCP/2000, TCP/5060
    • TCP/8008, TCP/8010, TCP/8020 (if the WebFilter function is enabled)

  • There is a guideline for the upper limit of performance values. See (Reference) Performance measurement results of Managed FW / UTM.
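As an added example (not NTT Com's code or tooling), the following Python script checks a planned Managed UTM order against the conditions stated in the Terms And Conditions and Restrictions sections above: the reserved 100.x address ranges, the reserved TCP ports, the logical network counts and the HA logical network requirements. The plan dictionary format and the sample values are constructed for this example.

```python
"""Pre-order check of a Managed UTM Version 2 address plan against the documented
conditions: reserved 100.x ranges, reserved TCP ports, logical network counts and
HA logical network requirements. Added example, not NTT Com code; plan format assumed."""
import ipaddress

# Ranges the service description lists as unavailable for Interface,
# Routing, Address objects, Destination NAT and Source NAT.
RESERVED_NETS = [ipaddress.ip_network(n) for n in (
    "100.65.0.0/16", "100.66.0.0/15", "100.68.0.0/14", "100.72.0.0/14",
    "100.76.0.0/15", "100.78.0.0/16", "100.80.0.0/13", "100.88.0.0/15",
    "100.91.0.0/16", "100.92.0.0/14", "100.126.0.0/15",
)]
RESERVED_TCP_PORTS = {2000, 5060}          # never available
WEBFILTER_TCP_PORTS = {8008, 8010, 8020}   # also unavailable when WebFilter is on


def check_plan(plan):
    """Return a list of findings; an empty list means no documented conflict."""
    findings = []
    ha = plan.get("ha", False)

    # Any address or subnet the Device uses must stay clear of the reserved ranges.
    for label, value in plan.get("addresses", {}).items():
        net = ipaddress.ip_network(value, strict=False)
        for reserved in RESERVED_NETS:
            if net.overlaps(reserved):
                findings.append(f"{label} {value} overlaps reserved {reserved}")

    blocked = set(RESERVED_TCP_PORTS)
    if plan.get("webfilter", False):
        blocked |= WEBFILTER_TCP_PORTS
    for port in plan.get("tcp_ports", []):
        if port in blocked:
            findings.append(f"TCP/{port} is not available for this menu")

    # Two or more logical networks for single, four or more for HA.
    nets = plan.get("logical_networks", [])
    minimum = 4 if ha else 2
    if len(nets) < minimum:
        findings.append(f"{len(nets)} logical networks, need at least {minimum}")

    if ha:
        if plan.get("ipsec_vpn", False):
            findings.append("IPsecVPN is available only in the single configuration plan")
        for ln in nets:
            cidr = ln["cidr"]
            if ln.get("role") == "ha":
                # HA interconnect networks: Data plane, /29, DHCP on, gateway off.
                if ipaddress.ip_network(cidr).prefixlen != 29:
                    findings.append(f"HA network {cidr} must be a /29")
                if ln.get("plane") != "Data":
                    findings.append(f"HA network {cidr} must be on the Data plane")
                if not ln.get("dhcp", False):
                    findings.append(f"HA network {cidr} must have DHCP enabled")
                if ln.get("gateway_enabled", False):
                    findings.append(f"HA network {cidr} must have Disable Gateway checked")
            elif not ln.get("dhcp", False):
                # Customer-traffic networks need DHCP so ARP works across VRRP switchover.
                findings.append(f"customer network {cidr} needs DHCP enabled in HA")
        vrrp_ids = plan.get("vrrp_ids", [])
        if len(vrrp_ids) != len(set(vrrp_ids)):
            findings.append("VRRP IDs on the shared networks must not overlap")
    return findings


# Constructed sample: an HA order with one interface inside a reserved range,
# one reserved port in use and one HA network that is not a /29.
SAMPLE_PLAN = {
    "ha": True, "webfilter": True, "ipsec_vpn": False,
    "addresses": {"outside interface": "100.91.10.1/24", "inside interface": "192.168.10.1/24"},
    "tcp_ports": [443, 8010],
    "logical_networks": [
        {"role": "customer", "cidr": "192.168.10.0/24", "plane": "Data", "dhcp": True},
        {"role": "customer", "cidr": "10.0.0.0/24", "plane": "Data", "dhcp": True},
        {"role": "ha", "cidr": "172.16.0.0/28", "plane": "Data", "dhcp": True},
        {"role": "ha", "cidr": "172.16.0.16/29", "plane": "Data", "dhcp": True},
    ],
    "vrrp_ids": [10, 11],
}
SAMPLE_FINDINGS = check_plan(SAMPLE_PLAN)   # three findings for the sample above
```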




Copyright © NTT Communications All Rights Reserved.