
The Research and Implementation of UTM

Yin Chao, Cao Bingyao, Ding Jiaying, Gu Wei


Shanghai University, Room 1212, Xing Jian Building,
No.149 Yan Chang Road, Shanghai, China, 200072
Email: ChaoYin@139.com, Fax: +86-21-5633 2297

Keywords: UTM, DPI, PME, TLU, QoS

Abstract

UTM (Unified Threat Management) is rapidly becoming one of the most important network security devices in many enterprises, particularly in small and mid-sized offices. In this paper the authors introduce the concept, background, central functions and typical technologies of UTM; then a UTM system model based on a network processor (NP) architecture is built and evaluated.

1 Introduction

With the continuous development of computer networks, more and more enterprises and governments conduct their business over intranets and the Internet, and network security has become a serious problem. Traditionally, customers used a firewall as their first line of defence. But with more complicated network environments and more mature attack techniques, the traditional firewall strategy can no longer meet the demands of security. All of this adds to the workload of network administrators, and a little negligence can result in great loss.

To build unified protection against complex and blended threats, multiple security features need to be integrated into a unified security architecture, which results in Unified Threat Management (UTM).

UTM refers to a security appliance combining hardware, software and networking technologies whose primary function is to perform multiple security functions. According to IDC [1], the official definition of UTM is: "Products that include multiple security features integrated into one box. To be included in this category, an appliance must be able to perform network firewalling, network intrusion detection and prevention and gateway anti-virus. All of the capabilities in the appliance need not be used concurrently, but the functions must exist inherently in the appliance."

With all of these capabilities, UTM solutions have become the fastest growing segment in the security industry, growing at 47.9% (CAGR 2003-2009) according to IDC [2]. As shown in Figure 1, UTM has become the hottest security segment in the world.

Figure 1 UTM has become the hottest security segment

2 Functions of UTM

The biggest value of UTM platforms is simplicity and lower price, given their "all-in-one" footprint. Figure 2 illustrates the functions and the value proposition of deploying UTM.

Figure 2 Functions of UTM (IDS, IPS, Firewall, Anti-Virus, Anti-Spam, VPN, Content Filtering, Others)

Some of the key benefits of UTMs include [3]:
- Cost-effectiveness: by reducing the number of appliances, there is a lower up-front cost as well as lower management and support costs.
- Easy to configure and manage: with fewer appliances there are fewer devices to configure, monitor and support.
- Stopping attacks at the network gateway: the additional layer of security that a gateway device provides simply makes sense. Gateway devices block network threats before they have the opportunity to enter the network or attack individual desktop PCs or mail servers.

389
3 Typical technologies in the UTM

3.1 Traditional inspection based on the TLU

For a server offering a specific service, such as the directory server of a centralized P2P network, a super node of a hybrid P2P network, or a known hostile peer, the application carried by an IP packet can be inspected by identifying the IP address [4]. Most common protocol types have fixed port numbers, and many network applications perform their functions on their default port numbers [5].

The TLU (table lookup unit) is used by network protocol stacks to store and retrieve data in tables. To retrieve data, the TLU searches tables using a search key, normally derived from one or more fields of the packet being processed, and returns the data associated with that key. Classification is used to determine such things as whether to forward or discard an incoming packet, what class of service to provide, or how to charge for it. As shown in Figure 3, the 5-tuple (source IP, destination IP, source port, destination port and protocol number) is used as the key to search for the result, and traditional inspection is achieved.

Figure 3 Table search operation

3.2 DFI (Deep flow inspection)

For bidirectional communication data belonging to the same session flow, if one direction of the data is identified as an application, its reverse direction is also attributed to the same application [6].

3.3 DPI (Deep packet inspection) based on the PME

DPI is a strict inspection method that not only analyzes the packet header but also examines the application payload. Fixed data fields are extracted at the application layer, defined as signatures and saved in a signature database. The traffic is compared with the signatures, and a matching packet is identified as belonging to a certain application type. DPI can attain high inspection precision by optimizing the signature database [7].

The built-in Pattern Match Engine (PME), with its features and operational characteristics, is particularly conducive to providing high performance and accuracy simultaneously in deep packet inspection:
- Regex allows the creation of sophisticated signatures that are fingerprints of various forms of undesirable content.
- Stateful rules enable even more accurate signatures by tracking the application protocol exchange.
- Sets and subsets enable only the relevant portion of the total signature database to be used, in a context-sensitive manner.
- Matching patterns across packet boundaries increases accuracy by matching application messages that span packet boundaries.

3.4 QoS (Quality of service)

QoS is the idea that transmission rates, error rates and other characteristics can be measured, improved and, to some extent, guaranteed in advance. QoS is of particular concern for the continuous transmission of high-bandwidth video and multimedia information. Transmitting this kind of content dependably is difficult in public networks using ordinary "best effort" protocols. Using the Internet's Resource Reservation Protocol (RSVP), packets passing through a gateway host can be expedited based on policy and reservation criteria arranged in advance.

3.5 Integrated protocol processing

Protocol processing in UTMs involves the repeated application of several basic operations, mainly packet classification for firewalling and protocol analysis for intrusion prevention [8]. To get the maximum gain in overall performance, the protocol processing applications have to be designed very efficiently. However, because each processing engine needs to manipulate multiple fields of the packet header, it has to load the packet header from off-chip memory into the local cache, carry out modification and classification, and finally write the new header back into external memory. Such read-modify-write operations are very time-consuming and greatly impede the overall processing speed [9].

4 Implementation of the UTM system model

4.1 Dual-core usage

The dual-core NP can be used in Symmetric Multi-Processing (SMP) or Asymmetric Multi-Processing (AMP) mode. Figure 4 shows how UTM operations can be implemented in AMP mode. In essence:
- Core2, working in conjunction with the Pattern Matcher, is used for the CPU-intensive application protocol and content processing, including matching suitable parts of the packet flow payload against intrusion, spam and virus signatures.
- Core1, working in conjunction with the eTSECs (the Ethernet controllers) and the TLUs, is used for the packet data path: packet I/O, forwarding, QoS control and statistics updates.
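The following Python program is an added example, not code from the paper or from Freescale: it models in software the pipeline that sections 3.1 to 3.3 and 4.1 describe and that section 4.2 walks through packet by packet. Stage 1 is a TLU-style 5-tuple lookup with a direction-independent key (3.1 and 3.2); stage 2 is a PME-style inspection that reassembles the first bytes of each direction and runs only the signature subset selected by the TLU result, with one stateful request/response rule (3.3); stage 3 combines Protocol_ID and Pattern_ID into the final result and applies an ACL/QoS policy (4.2). The port table, host table, signatures, policy and sample packets are all constructed for the example and are assumptions, not data from the paper.

```python
import re

# ---- Stage 1: TLU-style 5-tuple classification (sections 3.1 and 3.2) ----

def flow_key(pkt):
    """Direction-independent 5-tuple key: both directions of one session hit
    the same table entry (the deep-flow-inspection rule of section 3.2)."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"], ends[0], ends[1])

# Constructed for this example (not from the paper): IANA default ports and
# addresses of known directory servers / super nodes, as in section 3.1.
PORT_TABLE = {(6, 80): "http", (6, 23): "telnet", (6, 6881): "bittorrent"}
HOST_TABLE = {"203.0.113.10": "bittorrent"}

def tlu_lookup(flow_table, pkt):
    """Return (key, Protocol_ID). A remembered flow entry wins; otherwise the
    host table, then the default-port table. Anything on a non-default port
    comes back 'unknown', which is the gap DPI has to close."""
    key = flow_key(pkt)
    if key not in flow_table:
        proto_id = HOST_TABLE.get(pkt["dst"]) or HOST_TABLE.get(pkt["src"])
        if proto_id is None:
            proto_id = (PORT_TABLE.get((pkt["proto"], pkt["dport"]))
                        or PORT_TABLE.get((pkt["proto"], pkt["sport"]))
                        or "unknown")
        flow_table[key] = proto_id
    return key, flow_table[key]

# ---- Stage 2: PME-style deep packet inspection (section 3.3) ----

# Regex signatures grouped into sets; the Protocol_ID from stage 1 selects the
# subset that runs, so only the relevant part of the database is applied.
SIGNATURES = {
    "http": [("HTTP_REQ", re.compile(rb"^(?:GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
             ("HTTP_RESP", re.compile(rb"^HTTP/1\.[01] \d{3} "))],
    "bittorrent": [("BT_HANDSHAKE", re.compile(rb"^\x13BitTorrent protocol"))],
}
FULL_SET = [sig for sigs in SIGNATURES.values() for sig in sigs]
PATTERN_APP = {"HTTP_REQ": "http", "HTTP_RESP": "http", "HTTP_SESSION": "http",
               "BT_HANDSHAKE": "bittorrent"}
# Stateful rule: a request in one direction followed by a response in the
# other direction upgrades the match to a confirmed-session pattern.
STATEFUL_RULES = {("HTTP_REQ", "HTTP_RESP"): "HTTP_SESSION"}
INSPECT_BYTES = 256  # only the first bytes of each direction are inspected

def pme_match(fs, direction, payload, proto_id):
    """Append the payload to this direction's reassembly buffer and match the
    selected subset against it, so a signature split across two packets still
    matches. Returns the flow's Pattern_ID (None until something matches)."""
    buf = (fs["buf"].get(direction, b"") + payload)[:INSPECT_BYTES]
    fs["buf"][direction] = buf
    for pattern_id, regex in (SIGNATURES.get(proto_id) or FULL_SET):
        if regex.match(buf):
            fs["seen"][pattern_id] = direction
            for (first, second), session_id in STATEFUL_RULES.items():
                dirs = (fs["seen"].get(first), fs["seen"].get(second))
                if None not in dirs and dirs[0] != dirs[1]:
                    pattern_id = session_id
            fs["pattern"] = pattern_id
            return pattern_id
    return fs["pattern"]

# ---- Stage 3: final result and policy (section 4.2) ----

# Constructed policy: ACL action and QoS class per application.
POLICY = {"http": ("forward", "high"), "telnet": ("forward", "low"),
          "bittorrent": ("drop", None), "unknown": ("forward", "best-effort")}

def final_result(proto_id, pattern_id):
    """A payload match is more specific than a port or address, so the
    Pattern_ID wins; the TLU's Protocol_ID is the fallback."""
    return PATTERN_APP.get(pattern_id, proto_id)

def new_state():
    return {"flows": {}, "dpi": {}}

def process(state, pkt):
    """Run one packet through the pipeline; returns (application, action, qos)."""
    key, proto_id = tlu_lookup(state["flows"], pkt)
    fs = state["dpi"].setdefault(key, {"buf": {}, "seen": {}, "pattern": None})
    pattern_id = pme_match(fs, (pkt["src"], pkt["sport"]), pkt["payload"], proto_id)
    app = final_result(proto_id, pattern_id)
    return (app,) + POLICY.get(app, POLICY["unknown"])

def pkt(src, sport, dst, dport, payload, proto=6):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "payload": payload}

# Constructed traffic: HTTP on a non-default port, a BitTorrent handshake split
# across two segments on an unregistered port, telnet, and a connection to a
# known super node on port 80.
SAMPLE = [
    pkt("10.0.0.2", 40001, "198.51.100.5", 8080, b"GET /index.html HTTP/1.1\r\nHost: a\r\n\r\n"),
    pkt("198.51.100.5", 8080, "10.0.0.2", 40001, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    pkt("10.0.0.3", 51413, "203.0.113.99", 6889, b"\x13BitTor"),
    pkt("10.0.0.3", 51413, "203.0.113.99", 6889, b"rent protocol\x00\x00\x00\x00"),
    pkt("10.0.0.4", 40002, "198.51.100.9", 23, b"\xff\xfb\x18"),
    pkt("10.0.0.5", 40003, "203.0.113.10", 80, b"\x13BitTorrent protocol"),
]

def run_sample():
    """Push the sample through one pipeline state; returns the verdict list."""
    state = new_state()
    return [process(state, p) for p in SAMPLE]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run_sample()):
        print(f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]}  {verdict}')
```

Running it shows the two points the text makes about combining the two IDs: HTTP on port 8080 is "unknown" to the port lookup but is classified by the payload match, and the BitTorrent handshake split across two segments only matches once the second segment arrives and the reassembled buffer is inspected. The subset selection has a cost worth noticing: a BitTorrent handshake sent to port 80 would be checked against the HTTP subset only, so a deployment that lets the port pick the subset must fall back to the full signature set when the subset matches nothing.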
Figure 4 Dual-core usage model

4.2 Implementation

Figure 5 shows the whole process of the UTM system model implementation. First, the Ethernet controller puts a received packet into the appropriate queue in memory and interrupts Core1. Core1 then analyzes the packet and extracts the 5-tuple key from the packet header. After that, Core1 writes the key to the TLU to look up the flow table and reads back the result of the lookup (Protocol_ID). The content of the received packet is then handed to the PME, and after deep packet inspection the system reads back the Pattern_ID. The final result is established from the Protocol_ID and the Pattern_ID together. Core1 then instructs the appropriate Ethernet controller to transmit the packet, and the Ethernet controller transmits it, applying QoS rules as required.

The system model includes a PC server on which SQL server 2003 is installed; the configuration information is saved on this server, including the TLU, PME and QoS rules. The TLU configuration (source IP, destination IP, source port, destination port and protocol number) and the PME configuration (regexes, stateful rules, sets and subsets) can be updated on this server; the QoS rules are also configured and updated there.

Figure 5 System model implementation

5 Performance Test for UTM

5.1 Topology of the test

To evaluate the performance of the UTM objectively, a series of tests has been carried out. We focus on the physical-layer test (throughput, latency and packet loss rate) and the application-layer test (application identification and control capacity). We first evaluate the independent implementation of these two applications and then compare their performance with the integrated implementation.

The topology for the test is shown below. In Figure 6, network packets are sent by a SmartBits 6000C to test the throughput, latency and packet loss rate of the UTM system model. In Figure 7, the UTM is placed between a PC and the Internet; when a network application runs on the PC, the UTM can identify and control the application. [10]

Figure 6 Topology of physical layer test

Figure 7 Topology of application layer test

5.2 Test results of the physical layer test

As shown in Table 1, the test report gives the results of the acceptable-loss throughput test and the latency test. When the frame size is 512 bytes, the throughput is 234962 frames per second and the latency is 7.3 μs. Similarly, when the frame size is 1024 bytes and 1518 bytes, the throughput is 119732 and 81274 frames per second respectively, and the latency is 7.1 μs and 7.0 μs. These three figures coincide with the theoretical gigabit Ethernet line rate for each frame size (10^9 / ((frame size + 20) × 8) frames per second, counting the 20 bytes of preamble and inter-frame gap per frame), so the model forwards at full line rate at every tested frame size. The throughput and latency thus meet the requirements for network equipment.
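The throughput figures above can be checked against the theoretical Ethernet line rate, which is the usual RFC 2544 way of reading such a report. The following Python snippet is an added example and not part of the paper; the reported values are the ones given in section 5.2, while the 20-byte per-frame overhead (preamble, start-of-frame delimiter and inter-frame gap) and the 1 Gbit/s link speed are assumptions about the test setup.

```python
# Per-frame overhead on Ethernet that is on the wire but not in the frame size:
# 7 bytes preamble + 1 byte start-of-frame delimiter + 12 bytes inter-frame gap.
OVERHEAD_BYTES = 20
GIGABIT = 1_000_000_000  # assumed link speed of the test, in bit/s

def line_rate_fps(frame_bytes, link_bps=GIGABIT):
    """Theoretical maximum frames per second for one frame size on one link."""
    return link_bps / ((frame_bytes + OVERHEAD_BYTES) * 8)

def utilisation(measured_fps, frame_bytes, link_bps=GIGABIT):
    """Fraction of the theoretical line rate that a measured frame rate reaches."""
    return measured_fps / line_rate_fps(frame_bytes, link_bps)

def wire_bps(measured_fps, frame_bytes):
    """Bits per second actually occupied on the wire, overhead included."""
    return measured_fps * (frame_bytes + OVERHEAD_BYTES) * 8

# Values reported in section 5.2: frame size -> (frames per second, latency in us).
REPORTED = {512: (234962, 7.3), 1024: (119732, 7.1), 1518: (81274, 7.0)}

def check_reported(reported=REPORTED, link_bps=GIGABIT):
    """For each frame size return (theoretical fps, achieved fraction, wire Mbit/s)."""
    return {size: (round(line_rate_fps(size, link_bps)),
                   round(utilisation(fps, size, link_bps), 4),
                   round(wire_bps(fps, size) / 1e6, 1))
            for size, (fps, _latency) in reported.items()}

if __name__ == "__main__":
    for size, (theory, frac, mbps) in check_reported().items():
        print(f"{size:5d} B frames: theory {theory} fps, achieved {frac:.4f}, {mbps} Mbit/s")
```

check_reported() returns the theoretical frame rate, the achieved fraction and the occupied wire bandwidth for each frame size; all three sizes come out at a fraction of 1.0000 and 1000.0 Mbit/s, which is why the reported numbers can only be frames per second and why the latency figures are measurements taken at full load. The same function gives the familiar 1488095 fps for 64-byte frames, a useful sanity value when reading any gigabit test report.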
Table 1 Test report for physical layer

Frame size (bytes)   Throughput (frames/s)   Latency (μs)
512                  234962                  7.3
1024                 119732                  7.1
1518                 81274                   7.0

What's more, as shown in Figure 8, many network applications such as HTTP, telnet, BitTorrent, Xunlei, QQ and PPStream can be identified. The figure shows the share of each application in the observed Internet traffic: QQ 0.48 per cent, telnet 0.49 per cent, BT Peer 13.19 per cent, PPStream 38.23 per cent, and HTTP 46.19 per cent.

Figure 8 Results of application layer test

Figure 9 shows the throughput in the ACL (Access Control List) rules test. From this figure, the total number of packets was above 6000 at 16:45; after the ACL rules were set, it decreased to 2500 at 16:49.

Figure 9 ACL test

6 Conclusion

To reach high-performance Unified Threat Management, security applications should be optimized at the system level rather than by simply stringing together a number of security applications. In this paper, we propose an integrated protocol processing scheme to resolve the key problem in existing UTMs: performance. Analysis and experiments on the Freescale MPC8572E network processor show the excellent performance of the UTM. Our future work will focus on implementing more complex QoS on the UTM.

Acknowledgements

This paper is supported by the Science and Technology Commission of Shanghai Municipality under Grant No. 075115004, the Shanghai Leading Academic Discipline Project and STCSM (S30108 and 08DZ2231100).

References

[1] http://www.idc.com
[2] http://www.itsecurity.com/features/unified-threat-management/
[3] http://www.freescale.com
[4] K. Claffy, H.-W. Braun and G. Polyzos, "A parametrizable methodology for Internet traffic flow profiling", IEEE JSAC, 1995.
[5] Z. Pawlak, "Rough Sets", International Journal of Information and Computer Science, 1982.
[6] "Traffic control and congestion control in IP based networks", ITU-T Y.1221, March 2002.
[7] Kwangjin Choi, Jun-kyun Choi, Sangyong Ha and SeYun Ban, "Content-based Pattern Matching for Classification of Network Application", ICACT 2006, pp. 2027-2029.
[8] U. R. Naik and P. R. Chandra, "Designing High-performance Networking Applications", Intel Press, 2004.
[9] Yaxuan Qi, Baohua Yang, Bo Xu and Jun Li, "Towards System-level Optimization for High Performance Unified Threat Management", Third International Conference on Networking and Services (ICNS'07), ISBN 0-7695-2858-9.
[10] http://www.spirentcom.cn/
