"Sean Newman is a security strategist for Cisco Security Business Group" I suppose we should all buy one at Cisco.
I use a NGFW at home, you'd be shocked.. Possibly even - mortified - to see how many threats/exploits/attacks it blocks in a short period of time. Probably the thing that causes us to lose more sleep in the IT field are blended threats but also it's getting difficult to protect infrastructure with the wide variety of deployed operating systems. You have your MAC OS's, Windows, Linux, iOS, AndroidOS, BSD, SMB, and then proprietary systems based on Unix such as Asterick, Tivo, and a multitude of others. All of these need protection of some type due to the blended threat matrix, and to individually deal with each device or OS is becoming impossible. Blended threats are beginning to impact the home, it's the latest emerging threat. As homes get a wider variety of devices, appliances, and systems, those blended threats are becoming very real.
@Mayahana: very interesting, that... I see some cross-platform stuff there. Nasty. I currently have an old laptop configured as a network gateway/firewall for home, but I haven't configured it as a UTM box; partly because I worry about the gateway itself getting compromised, giving an attacker control over my network. It seems like having a bunch of services running on a gateway, constituting a single point of attack, could be a problem. (Also it is unfortunately not powerful enough to run Snort...) Anyway would you say there is some merit to setting it up for UTM? All the attacks flying around sound a bit worrisome, especially given the Windows machines on my network.
What you see on that screenshot are blended threats, and that's the major issue these days. Attacks seem to be coming in blended, factoring a variety of different machines connected to networks (home or otherwise). This is where things get difficult, as you are attempting to secure a wide range of devices with a wide range of security solutions - all costing money, and in some cases, no security solution (SmartTV's etc). So a UTM becomes the best solution. I personally would put a traditional router on the gateway, or a nice Enterprise one if you can afford it. Then place your UTM behind that in transparent mode as your filtration. That lessons compromises because it's layered, and it requires someone to get through the gateway then get through the IPS on the transparent UTM. Nothing wrong with an old laptop as an Untangle machine, it doesn't take much power to run it. Even a cheap little ATOM Mini-Notebook would run it perfectly fine. The likelihood of snagging a blended threat increases with each engine/signature set you run. In my case I run Kaspersky UTM, Snort+Clam. Entirely different beasts, and in many cases entirely different signatures. If I remember, those SSL attacks are targeting my Tivo's. Tivo generally runs unpatched, or very slow in patching. As soon as a Tivo box starts broadcasting it starts getting tagged by exploits. Again, you aren't installing anything on a Tivo to prevent it, so you a UTM is your solution.
No tasks, everything was snagged at the gateway. That's all inbound threats, attempting to exploit vulnerabilities, or inject code. No UTM? Those generally hit the individual systems. BTW the name of the porn threat has nothing to do with porn.
Thanks for the explanation @Mayahana. Now that I think of it I have a bunch of obsolete networked appliances. I'll take a look at the various UTM distros.
Something I discovered today... ZyXEL USG NGFW doesn't scan recursive archives, but Untangle does. In penetration testing I was able to sneak a recursive Eicar past ZyXEL, which was subsequently picked up by Untangle. That gives me some comfort knowing it 'has the back' of Kaspersky UTM.
Also most consumers/home users fail to realize the sheer number of 'true' downloads each day to their network. It goes far beyond downloading applications here and there. For example in my home we average 2,000+ downloads per day. How? 1) Updates - various devices/programs/software.. Lots of updates. Your AV downloads packages, as does almost everything you have installed. 2) All documents, PDF's, videos, photos, etc. 3) Updates to games, launchers, and firmware. All told, it's vastly more than what people think, and only a UTM is really going to protect you from a wide range of threats, across a wide range of devices/appliances in the home. Of all of those downloads a traditional desktop AV is only going to protect you from a few, as most ignore updates, firmware, and other things. That's even if you get an AV installed on appliances and other OS gear like DVR's, etc.
I will look into this UTM stuff, but to be honest, at the moment I do not use a lot of devices that are connected to the web. I have two PC's (desktop + laptop), and I'm planning to buy a SMART TV, so I do not need a UTM at the moment. This is from the ESET thread. Good point, but if I had to choose between UTM and HIPS, the choice is quite easy. Besides, I'm not even into the realtime based "cloud AV" stuff.
Rasheed, I agree.. You probably do have tablets and phones that connect? Remember phones background connect through connection optimizers to localized WiFi when possible, and they push files/updates through that WiFi. Same with Kindle, and other tablets. We have a 60" SmartTV in the home (LOVE IT) but it's been hacked already. Mostly because I have a pretty big bullseye, and get targeted often. But Smart Appliances tend to broadcast out 'Here I am, hack me!". There have been companies working to come up with antimalware solutions to smart appliances. However I think the consensus is that a push to move consumers to UTM-type solutions will be the best move. I have a couple Tivo's in the home, and Tivo is very slow about updating. One of the primary things my UTM's block are SSL Vulnerabilities in Tivo. Without a UTM my Tivo's would all likely have malware installed on them. Since they have hot connections, that malware can then mine our viewing habits, and potentially allow remote control of the device. Last night we had 32 devices connected on the home network, about 50% were windows, the rest were an amalgam of operating systems. Another example is a company I am analyzing something for, they have 22 iOS, 48 Android, 110 Windows, 5 Linux, 4 Unclassified devices on their network. Without a blended solution they are toast.
Hello, yes but that's the point, you don't have to pick one of them, you can continue using a HIPS if you like. Using a AV without any cloud assistance at all is like using an AV from the 90's. Not that effective.
OK, now I know why you're so into UTM's, interesting to read. But to answer your question, I do not use tablets or smart-phones at home. And I didn't know DVR's like Tivo were a target for malware? I also use a DVR, but at the moment it's not connected to the web.
If you look at my UTM logs you will see a huge number of exploits targeting Tivo's (based on Linux). I've seen SmartTV's hacked, as well as some VOIP devices. http://www.techhive.com/article/2013790/dvrs-are-being-targeted-by-hackers-says-security-expert.html The scary part about the situation was that traffic wasn't being generated by the bank's infrastructure. "The traffic was coming from a DVR from a cable provider connected to the banks network," Stiansen added. "The DVR had been compromised and had compromised the whole network of the bank."
@ Mayahana This is kinda worrying, perhaps it's a good idea for me, to connect as less devices as possible to the web. Luckily my DVR can receive all signals via the cable signal, but my SMART TV will of course need a connection, especially if I want make use of NetFlix. Would be cooler if services like NetFlix were offered directly by the internet provider (via cable or IPTV signal), then there would be no need for a web connection.
