How To Build Your Own Unified Threat Management?

How To Build Your Own Unified Threat Management?


Unified Threat Management (UTM) is a term used for all-in-one security devices that incorporate multiple network security functions into one device. A UTM typically combines firewall, anti-virus, anti-malware, intrusion prevention (IPS), application control and Content Filtering (CF). The benefits of buying a pre-built appliance are speed to deployment and the fact that you only need to manage one box vs. many.

UTMs can be categorized by the number of features they provide


Small Office/Home office units that typically have a single WAN port and one or two LAN ports. The features might include router, firewall, anti-virus, IPS and content filtering.


Small to medium business units that typically have four to six LAN ports and optionally one or two WAN ports. The features might include router, firewall, anti-virus, IPS and application control (for example web filtering).

UTM Appliances can be either hardware or software based:

• Hardware-based appliances are purpose built for the user’s network and security requirements and come pre-installed with all relevant updates and patches For this reason they offer the most consistent performance.

• Software-based appliances are virtual network appliances, which run on a general purpose server or desktop computer system. They are deployed in the same way as most other software, but have the ability to enforce access policy rules based on predefined criteria such as source IP address, destination IP address, user groups etc.

How To Build Your Unified Threat Management

Steps to Build Your Unified Threat Management:

1. Determine what you want to protect: Before we begin we need to determine the elements we will be protecting on our network and what resources and features we require from a UTM device. For this example, we’ll be creating a UTM that will consist of an IDS (Intrusion Detection System), Web Filtering, Anti-Virus, Anti-Spyware and VPN capabilities. We also want to segregate the LAN and WAN interfaces so that all traffic destined for the Internet has to pass through our firewall/IDS before it hits the Internet connection on the WAN interface. Our requirements are as follows:

• A single external IP address – Used for both Public WAN Interface & VPN connection back to corporate office

• LAN Segmentation – Only Internet-bound traffic passes through the UTM to our firewall & IDS.

• DHCP Server – Handles IP address assignment for all of our internal networks. This is not required if your network automatically assigns IPs via a router or server on your network.

• A single WAN Interface — All Internet-bound traffic passes through this interface on its way out to the ISP and on it’s way back into our private network after passing through the UTM, which acts as a gateway and sits between the two interfaces (a Proxy).

2. Identify UTM hardware requirements: A number of questions will need to be answered before you can begin selecting parts for your new system: How much traffic do you expect to pass through the UTM each day? Do you want to segregate your networks into segments or VLANs? If so, how many, and what are their IP ranges? How much will this solution cost me, and what is my budget?

3. Select parts for your new system: This can be done in a number of ways. You may decide to purchase an off-the-shelf pre-built appliance from a security vendor such as Netgear’s ProSAFE line of appliances, or alternatively purchase individual components and assemble them yourself. The latter is known as building a lab rat and can be useful when learning about different technologies but isn’t practical once we need to integrate everything together for production use. If you already have a network appliance that has all the features you’re looking for, then you might just need to upgrade the hardware or purchase additional licenses.

4. Install your system: If you are building an individual UTM device from scratch, then the installation process is fairly straightforward and involves installing your chosen operating system onto its hardware platform, installing additional packages such as IDS software, Web Filtering software etc. Once complete we are ready to begin configuring our new UTM device and integrating it with our existing infrastructure.

5. Integrate your new solution with your existing infrastructure: To integrate our Unified Threat Management (UTM) solution with our existing infrastructure we need to configure DNS (Domain Name Services) and DHCP (Dynamic Host Configuration Protocol) on the new system. Next, we need to configure all our network devices (server & client PCs, switches etc.) to use DHCP services provided by UTM instead of using their own IP address assignments.

6. Configure access policies: Now that our UTM device is ready for production use, it’s time to move on and implement any access policy rules required for Internet browsing users. If you’d like your public wireless network users restricted from accessing certain websites such as Facebook or YouTube, then a Websites Blocking profile must be created and applied to the WAN interface in order for this policy to take effect. The IDS engine analyzes all traffic going through the firewall for signs of malicious activity using signatures called ‘attack objects’. If these attack objects are identified within the traffic stream, this triggers application level blocking of the packets involved.

7. Test your new solution: Before making any changes to production equipment it’s always a good idea to take some test systems out for a spin and make sure that everything works as expected before bringing all your users over to your new UTM device. The amount of time taken for testing will depend on your environment but might be anywhere from days to weeks depending on how many different subnets are configured in the network infrastructure, not forgetting existing security rules already implemented by legacy firewalls or IDS devices which need to be re-tested again after integrating with the UTM solution.

8. Deployment & Production use: Once you’re happy with your test results and everything is working correctly, we’re ready to deploy our new Unified Threat Management solution into production. This would typically involve changes to existing DNS and DHCP services on the network and/or firewall ACL (Access Control List) editing in order for traffic routing to be re-directed through the UTM appliance instead of the legacy device. Once deployed you will likely need some additional licenses from your vendors which can add additional costs so it’s important to ensure everything works as intended before making this kind of commitment.

9. Integration with backup systems: If you have a secondary Admin PC or Server within your environment then I recommend creating a standard VPN client connection between these two devices in order that they can communicate securely when required if network connectivity is lost or disrupted. You will be able to login to this secondary device and access the UTM device when required, perhaps for diagnostics reasons if needed.

10. Periodic maintenance: Maintaining your new UTM solution should be very straightforward indeed because it’s likely that your IDS software will automatically update itself with signatures updates at least once a day, depending on patch management controls specified by the vendor(s). For example, Configuring automatic signature updates in EminentWare is very easy because you simply tick a box within the System Settings applet, done!

Benefits of Unified threat management

-Protection against the most common network security threats, whether they are viruses or hacker attacks – better protection than anti-virus solutions alone

-Scalable solution that can handle the additional traffic generated by new application deployments

-Prevents data leakage through anonymous FTP transfers to unauthorized computers via file sharing protocols like CIFS & NFS

-Provides powerful web caching for improved WAN bandwidth efficiency


UTM appliances are a great way to protect network infrastructures against all of the most common types of attack. Combining this type of solution is significantly more secure than implementing separate firewall, anti-virus and web content control solutions. If you currently have any type of legacy security device deployed which doesn’t offer UTM options then I recommend looking into these new appliances very closely because they are quite frankly awesome! Please note that additional licenses are required for certain features with some vendors so research your needs carefully before making any budget assumptions.

The following documentation provides information on how to configure policies in Sophos UTM for shared access through wireless networks, also called guest networks or open networks.

The goal of this article was to introduce the concept of Unified Threat Management and why it’s so important to implement it within your network infrastructure. I hope you’ve found this short blog post informative and beneficial for learning purposes.

Recent Posts