UTM Should Not Equal Unnecessary Threat Management

Buying the right unified threat management appliance means knowing what--if anything--you actually need beyond a firewall.

Information Security
magazine, July-August issue



By NEIL ROITER
If you are responsible for security at a small- to mid-sized business, and your current firewalls aren't unified threat management (UTM) appliances, then your next ones will be.

With the possible exception of a few low-end SOHO firewall products, every vendor offers a range of firewall/VPN appliances with options to add gateway antivirus, intrusion prevention, antispam, URL filtering and other security functions on a single box.

"The UTM space has essentially replaced the firewall space; at the low end, there are no firewalls that are not UTM," says Joel Snyder, senior partner at consultancy Opus One. "If you talk about what people used to buy for a small business in the $150-to-$1,000 range, I don't think you can find one that doesn't have UTM capabilities."

It can get confusing. Businesses are faced with complex choices: Extra security comes at a price, both in ongoing subscriptions and performance, so what do you really need and what are you prepared to pay for?

Most vendors offer an extensive line of appliances to accommodate your traffic requirements and number of end users. Ready to choose? Not so fast. You'll take a performance hit when you start adding AV, IPS, and other security functions.


SMALL BUSINESSES HAVE BIG SECURITY NEEDS
Small businesses were starting to wake up to their changing security needs when Information Security first covered "turnkey appliances" in 2004. Some had no firewalls at all, or first-generation firewalls that no longer supported the business. IT managers shopping for replacements from established firewall vendors found young companies that could offer firewalls plus additional security features packed into a single appliance--all at an attractive price.

Soon this was christened the UTM market, and, eventually, everyone in the network firewall business was pushing unified threat management. Today some vendors are pushing high-end appliances in what they claim is a nascent enterprise UTM market.

For smaller businesses faced with growing security requirements, UTM made it easier to buy and manage a lot of security tools in a single appliance. The alternative was more point products they could not afford. Or worse yet, simply going with less security.

"Ten or 12 years ago, we had a firewall, but it wasn't a major piece of equipment--we thought, 'yeah, maybe we should get one,'" said Jason Omens of Seattle, Wash.-based marketing consulting firm BuzzBee, a WatchGuard UTM customer. "Now the number of threats has [skyrocketed]."

Omens has to be security conscious now, particularly because of the work BuzzBee does for Microsoft. Keeping precious intellectual property inside the organization is his biggest concern.

ZirMed, a Louisville, Ky.-based software-as-a-service provider for the healthcare industry, which has used SonicWALL UTM appliances since 2000, has also raised its security profile as the years have passed.

"It's not that we weren't focused on security--we had patient healthcare information to protect," said ZirMed CIO Chris Chirgwin. "But we've seen enactment of HIPAA, and since we added credit card processing, we fall under PCI. We've become a bigger business; now people want us to be SAS 70 audited."

Smaller companies can still have big security headaches. Law firm Sonnenschein Nath & Rosenthal LLP, an IBM ISS customer, is relatively small in employee numbers--but about 800 of them are lawyers, and the firm has a lot to protect.

"We produce hundreds of thousands of documents," says Adam Hansen, Sonnenschein manager of information security. "Think about what lawyers print, what they transfer electronically. We protect information throughout its life cycle in whatever form it may take and be stored."

Also, firms like Sonnenschein need the extra layers of security UTM can offer because they tend to stick with standard, off-the-shelf products. "That's great for support," Hansen says, "but not great in terms of mainstream vulnerabilities. The risk landscape is fairly broad. If they can run it through Word, we're vulnerable."


GROWING INTO UTM
Years ago, it was fairly simple to choose the right-sized firewall for your business. Your bandwidth pipe was limited and your traffic was predictable.

Today, your choice of UTM appliance is a factor of business needs and the security features you choose to purchase and turn on. It's not just a purchase; it's a commitment. ZirMed found that out as it upgraded from a firewall to full UTM, then to a bigger UTM appliance.

"First, we said, let's embrace UTM--IPS, gateway AV, malware detection. [Then we] had to get more serious, as we needed a chassis upgrade with considerably more horsepower," said Chirgwin. The next upgrade came when "we needed more horsepower, simply for more bandwidth. As we were committed to UTM and brought on more customers, the firewall was getting close to being a performance issue."

In general terms, you can plan to upgrade as your needs change, say every couple of years, or perhaps spend more initially to accommodate that growth down the line. BuzzBee's Omens, for example, faced with growing traffic as more customers have network access and transfer big files over FTP, is about to upgrade from a T-1 line to 10 Gbps Ethernet without changing appliances.

"It handles our small business needs as we grow," he said. "We want to be able to grow with what the company needs to do and know that these boxes can handle it."

He also looks for features like external ports on an appliance to accommodate his environment. For example, he uses one of the WatchGuard interfaces to link to an external NAS, so that traffic doesn't interfere with the internal network.

Even with planning, making the right choice isn't easy.

"Bandwidth with growth is terribly hard to predict," says Gartner analyst Greg Young. After you invest in the capital expense, if your throughput strains the appliance, vendors are ready to help you trade up. "That's how they make money."

"You need to balance a box with more horsepower that doesn't break the bank," said eSoft CEO Jim Finn. "It's a fine line vendors walk down, a fine line users walk down, and the bar continues to be raised."

Opus One's Snyder advises caution as you walk that line. High-speed cable and DSL have brought fat pipes to small businesses. If you go beyond firewall and VPN and add gateway antivirus, you'll not only be paying a recurring cost for the subscription, but you'll also bump up your capital expense for a more powerful appliance.

"The costs can be non-predictable," he warns, "because vendors don't like to give good numbers for performance."

The wrong choice can be costly. If you don't have a good case for gateway AV, you're wasting money on the subscription and the box. If you find your box isn't fast enough, you have to upgrade. Or turn off the AV.

"And then you've wasted money and time," says Snyder.

Snyder, who has done extensive UTM testing, has written that transaction rates can drop by half with IPS enabled, and in extreme cases to a fraction of that with AV and IPS combined. He wrote that you can expect performance to drop to 10 percent or less if you turn on multiple security capabilities.

The recommendation is to plan ahead for your future needs, so you don't need to upgrade in six months or a year if you decide to turn on AV and/or other security apps because your security requirements change. Perhaps your compliance auditor says you need to improve security at the perimeter. Maybe you've had a data breach, or your IT staff is spending too much time cleaning up and reimaging infected computers. Or those complaints to HR convince management that you need to control visits to porn sites.

What's more, your changing business needs also impact your selection.

As the economy improves and your business grows, you may hire more people, upgrade to a faster network or expand your online business. Save money and trouble ahead of time by testing the UTM appliance under stress on your network, and anticipate your needs to allow for growth.

Is there an Enterprise UTM?
Enterprises turning to UTM are trying to consolidate servers, saving on hardware and management costs.

Some high-end network firewall and UTM vendors say we're seeing the dawn of enterprise-grade unified threat management appliances. These, they say, are high-performance beasts that can process network AV, email security, Web security and perhaps other functions such as data loss prevention--in addition to network firewall, VPN and intrusion prevention in front of the data center without missing a beat.

While the rationale for UTM in the SMB world is adding affordable security extras on top of firewall/VPN in a single box, the argument in the enterprise is consolidation, as large companies look to save on capital expenses, management overhead, rack space and power.

Whether we'll see real UTM at the enterprise level is open to debate, but we are seeing IPS integrated into high-end firewalls with the muscle to keep traffic moving quickly enough for performance-sensitive applications.

"There are certain decision points where an organization reevaluates their security infrastructure," says Guy Guzner, Check Point director, security products. "There's a lot of restructuring of data centers, a lot of consolidation. When this happens, it gives us an opportunity to revisit some decisions that were made when integrated IPS wasn't mature."

But vendors, including Check Point, take this further. Guzner says that its UTM "software blade" approach is in the "early adoption phase" on its high-end Power-1 line for things like gateway AV.

"The enterprise can realize an incredible ROI from a technology and cost perspective," says Anthony James, Fortinet vice president of products. "UTM gives them much more bang for the buck. They can move at the pace they want. They can replace a firewall at cost and add functions over time."

Greg Young, an analyst for Gartner--which prefers the term "multi-function firewall" to unified threat management--is more than cynical.

"There are lies, damn lies and UTM for the enterprise," he declares. "The physics works out, for doing inspection, so that you don't start running into problems until you hit the larger volumes of users, traffic and connections, and then the physics breaks down and then you really need separate products and processors for antivirus, for firewalling, for other deep inspections."

In effect, what vendors are talking about, Young says, are blades in a chassis, where the chassis becomes essentially a server rack. He cites Crossbeam Systems' blade architecture as a prime example.

He breaks the enterprise market into three silos: next-generation firewalls, which include VPN and IPS; Web security gateways, which typically include URL filtering; and email security appliances.

Joel Snyder, senior partner at consultancy Opus One, takes a slightly different tack, defining Crossbeam as UTM, but otherwise agrees.

"I'm not saying there is one big UTM market," he says. "There are two: Crossbeam and everyone else that's SMB."

Enterprises are doing true UTM in the branch office, Young says, and branch appliances have differentiated into separate product lines. They generally don't need things like AV or antispam, because mail is still centralized, but they do need other services, such as WAN optimization, and they will be managed by the same console as the enterprise firewall, because companies don't want to use two different consoles. For that reason, large firewall vendors tend to do well in the branch offices.

--Neil Roiter

UTM SECURITY OPTIONS
Most SMBs aren't in the market for a UTM. They are shopping for a better firewall, or perhaps a more robust VPN.

BuzzBee's Omens went to a UTM appliance because he was having difficulty setting up a VPN using PPTP on his old firewall.

"The big thing was to get the VPN working," he says. "The other things, like gateway antivirus, are good to have, since we're too small to have interest in another appliance. As BuzzBee grows, we'd like to be preemptive."

"I don't believe most small business or even midmarket IT managers think 'I want UTM' versus 'I want a firewall,'" Snyder says. "But the features are now so ubiquitous they are not surprised to see them. They hit a stumbling block of 'do I want them, do I have to pay, and does this help me in any way?'"

Antivirus and other security applications are what make a UTM a UTM, so you need to consider the value to you versus the cost.

AV is probably No. 1 on the list. Small businesses are accustomed to buying it for their PCs and servers. And they worry about malware, in part because they are finding their endpoint AV isn't sufficient--PCs and servers still get infected.

You pay a performance premium for turning on additional capabilities, particularly AV and IPS, which have to closely inspect traffic. You may not want everything, or everything at one time, so set your sights on a low bundle price for the entire package. That way you can cherry-pick and turn on a security service when you are ready or the need arises.

For example, you may not use URL filtering initially, but perhaps your HR department starts enforcing acceptable use policies, or wants to keep your employees off sites that eat up their work time. You may not feel you need network intrusion prevention now, but might when the business grows or you begin hosting Web sites.

Snyder again raises a yellow flag on IPS, saying the quality varies widely.

Don't expect any of these security apps to be as robust as stand-alone products or services, but they may be "good enough," or simply add a layer to your defenses at a reasonable price.

For example, antispam is a good addition if you are not using a stand-alone product or hosted service.

URL filtering is a good fit for UTM appliances, Snyder says -- the firewall is a logical place to put it. The same goes for SSL VPN, which some UTM vendors offer as an option along with the more traditional IPsec. In either case, don't expect either to have the kind of granular policy and management controls of their full-featured counterparts.

A UTM version of URL filtering is likely to be pretty basic. It will work off a URL database, but will not give you dynamic evaluation based on content. Nor should you expect access control integration with your directory, or the ability to set exceptions for groups or individuals who have legitimate access to certain types of sites.

In addition, some new options such as data loss prevention are appearing, but again, manage your expectations.

"The DLP is very rudimentary; it's not full enterprise DLP," said Gartner's Young. "But if your requirements are low, it's perfect."

So, if all you want to do is watch for credit card numbers or Social Security numbers, this is almost surely good enough DLP at the right price.
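The rudimentary DLP described above amounts to pattern matching on outbound text. Below is an added example (not from the article or any UTM vendor) of such a scanner in Python: it flags credit card numbers that pass the Luhn check and SSNs with a plausible structure, and the last constructed sample shows why this is rudimentary: a base64-encoded card number passes straight through.

```python
"""Added example of rudimentary, pattern-based DLP: find credit card and
Social Security numbers in outbound text. Not from the article or any
vendor's product; all sample messages below are constructed."""
import base64
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# SSN in the canonical AAA-GG-SSSS layout.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Area 000/666/900-999, group 00 and serial 0000 are never issued."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def scan(text: str) -> dict:
    """Return Luhn-valid card numbers and structurally plausible SSNs in text."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            cards.append(digits)
    ssns = ["-".join(m.groups()) for m in SSN_RE.finditer(text)
            if ssn_plausible(*m.groups())]
    return {"cards": cards, "ssns": ssns}


# Constructed sample messages; the card number is the well-known Visa test number.
SAMPLES = {
    "card": "Invoice paid with 4111 1111 1111 1111, thanks.",
    "ssn": "Applicant SSN 219-09-9999 attached.",
    "order_id": "Reference 1234-5678-9012-3456 (not a card: fails Luhn).",
    "bad_ssn": "Placeholder 000-12-3456 should not count.",
    "encoded": base64.b64encode(b"4111111111111111").decode(),  # slips through
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, scan(msg))
```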

We're starting to see Web application firewalls (WAFs) in UTMs as well, but this seems like even more of a reach. WAFs have become very popular since they became an option for the application security requirement for PCI DSS. But WAFs aren't plug-and-play tools, and simply turning on this option in front of your Web apps will neither make you more secure nor PCI compliant. Plan to invest some care and feeding if you are going to deploy a WAF as part of your application security program and investigate the WAF's capabilities before you decide it will be a checkbox PCI solution.

If it fills the bill, however, says Young, you won't have to buy a stand-alone product or tinker with open-source tools.

UTM is here to stay. For organizations with up to 500, perhaps 1,000 employees, depending on the specific attributes of the business, it is the firewall of the present and at least the foreseeable future.

It's a winner for firewall vendors, Snyder says.

"The whole reason UTM exists is because of recurring revenue," he says. "The recurring revenue model is the salvation of the firewall industry. That's why these boxes exist."

For SMBs, UTM offers a number of security services for the price of a single appliance plus modest, though recurring, subscription fees. If you're sure all you need is firewall and VPN, don't feel you have to buy the extra subscriptions, so you don't get stuck with added fees or a more expensive appliance than you really need. If you think you may need to turn on additional services in the foreseeable future and/or anticipate more users and traffic, make sure you buy appliances that will grow with your needs.

Neil Roiter is Senior Technology Editor for Information Security. Send comments on this article to feedback@infosecuritymag.com

This was first published in July 2009
