The industry has seen a steady shift from standalone technologies like firewalls to unified threat management (UTM) appliances. These devices, which integrate antivirus, antispyware, intrusion prevention and firewall onto a single platform with a common policy engine and centralized alerts and logs, have long appealed to small and midsized businesses short on staff and budget.
But do these all-in-one appliances have a place in the enterprise, where best-of-breed has been the top choice to meet more complex needs? Richard Isenberg, director of security engineering at CheckFree, thinks so.
Operating from 19 locations with 3,500 employees, CheckFree processes 1,500 electronic payment transactions per second for more than 2,000 financial firms worldwide. Replacing a complex architecture of 20 IPS boxes, 26 firewalls, 20 switches and numerous proxies with seven UTM devices cut costs and improved reliability, he says.
Return on CheckFree's UTM investment is substantial: $226,000 per year. "That comes from eliminating licenses and maintenance contracts by reducing the number of boxes," Isenberg says. "We also reduced routine maintenance costs. And now we only have to understand what's happening on seven devices, which speeds issue resolution."
Yet while enterprises can enjoy reduced complexity, lower costs, improved flexibility and even stronger security with UTMs, they may run into pitfalls involving scalability, throughput, integration and selective retention of best-of-breed products. To be sure, successful enterprise UTM deployment requires careful planning.
|Click here for a comparison chart of enterprise firewall services (PDF).|
Enterprise UTM Defined
Today, nearly every enterprise firewall has sprouted new services. Table 1 (PDF) depicts a representative list of 20 high-end UTM products for large enterprises. VPN, a firewall staple since 2000, is now widely accompanied by IPS and antivirus. Antispyware, antispam and Web filtering appear frequently, but just 65 percent of these devices support all seven services.
Many of these services are options, activated by software license or expansion card. And available services are not necessarily all used simultaneously. Enterprise UTM products are configurable security platforms designed to give companies the ability to deploy functions where they are needed in the network, unlike the turn-key, all-in-one UTM boxes for SMBs.
"In the enterprise, you need flexible deployment based on the assets being protected," says Throop Wilder, co-founder and vice president of marketing at Crossbeam Systems. "At the perimeter, you may deploy firewall and IPS and antivirus and Web filtering. But in the data center, you're more likely to need XML firewall and Web IPS."
Ability to selectively activate services on UTM devices can be important to reflect centers of domain expertise and purchasing. For example, firewall and IPS may belong to the network group, while antivirus may belong to another organization responsible for email. With UTM, both groups can procure the same corporate standard platform, but use it to address different business risks.
Combining services can also improve reliability. Few enterprises are willing to put all of their eggs into one basket. Benefits of distributing load still apply to UTM. But with UTM, companies are no longer forced to string single-function clusters into intricately laced chains (see Figure 1, below). Instead, customers can decide how to allocate services to each UTM appliance. Ultimately, most will deploy fewer boxes, reducing links, subnets and potential failure points.
Complement or Replacement?
For many, the question is not whether to use UTM appliances, but when, where and how to consolidate security services. Specifically, should UTM augment or replace best-of-breed products?
Forklift upgrades are costly and disruptive, but they also create opportunities to build the physical and logical network you want instead of one cobbled together over time; to use one contemporary interface instead of tracking half a dozen legacy product GUIs; and to improve security while cutting future capital and operating expenses.
"There's a generation of legacy firewalls out there like Cisco PIX that are really good firewalls, but they are just firewalls. UTM gateways do more to protect against threats that are relevant today," says Scott Lukes, eSoft vice president of marketing and product management. "However, if an enterprise has invested a lot in training and configuration, the last thing they're going to want to do is rip that [firewall] out just to get network antivirus."
Lukes says a company that wants to preserve a large, complex firewall/VPN may prefer secure content management (SCM) appliances that focus on specific enterprise applications over UTM. For example, instead of having your firewall scan email for viruses, spam and policy violations, offload all those tasks to an email security appliance placed behind your perimeter firewall.
Crossbeam advocates a different approach. "We couldn't possibly re-create the thousands of hours that products like [Check Point Software Technologies'] Firewall-1 put into policy interfaces," says Wilder. Instead, Crossbeam lets its customers run best-of-breed security programs on blades within a UTM chassis, consolidating hardware not software.
In fact, many UTM products use some best-of-breed software. Gateway antivirus and antispyware are often sourced from Kaspersky, McAfee, Symantec and Trend Micro. Web filters and URL databases on UTM platforms include SurfControl and Websense.
These examples tap the primary best-of-breed advantage. Specifically, it is impossible for anyone to excel at everything. Such partnerships help UTM vendors focus on their own intellectual property, from high-efficiency hardware to unified interfaces.
Cutting the Clutter
Preserving its investment in best-of-breed firewall software from Check Point was a key consideration when CheckFree decided to replace its complex firewall architecture with UTMs in 2003.
"We were not going to throw away all that investment in [Check Point] expertise and licensing," says Isenberg.
The company tested several hardware platforms running Check Point firewall software and chose Crossbeam's X-Series.
"We wanted to re-engineer our firewall and IPS infrastructure to meet availability needs and future growth. We wanted a platform that would be highly available, cost effective and easy to manage," says Isenberg. "And we wanted to increase capacity and scalability while decreasing operational cost and complexity."
A UTM allowed CheckFree to do more with less, but an appliance designed for small offices wasn't going to cut it.
"When you're aggregating security, you need a lot more horsepower. With UTM, if hardware fails and you didn't pick a platform that's resilient, your whole network will fail."
CheckFree chose a UTM blade server for growth and availability. "When we need more horsepower, we just add another blade. If a module fails, a spare blade will come up as any module in our architecture," Isenberg says.
Reed Smith, a law firm with 21 offices across three continents, deployed UTM during a network redesign to accommodate growth, business continuity and security.
"In the past, we operated in a decentralized environment where each location had its own infrastructure," says Frank Hervert, senior manager of enterprise networking and messaging services. "We embarked on an initiative to move to a centralized design that's highly redundant."
UTM was a better fit than best-of-breed for Reed Smith's re-engineered network, he says: "We saw the inefficiencies of managing multiple independent devices and keeping up with [them]. Our preference was a single device, for better manageability and to fit into our highly redundant design. To do best-of-breed in our design would have meant many redundant appliances, which would have grown very complex."
As it grew through acquisition, Reed Smith inherited a mixed bag of Internet firewalls. Today, most have been replaced by dedicated DS3 links carrying thin client and Internet traffic to a primary data center. All traffic passes through a redundant pair of Fortinet FortiGate 5020 chassis with 5001SX blades, with a third at a backup site, all supervised through one FortiManager.
"We wanted something robust enough and secure enough to do firewall, IPS and antivirus in a single device," says Hervert. "UTM gave us the ability to do more without adding more best-of-breed devices." However, Reed Smith retained its Juniper VPN and opted to not utilize Fortinet's spam filters.
Reed Smith had the luxury of creating a new environment from scratch, replacing all legacy devices in one fell swoop. But the company still grapples with unified monitoring for its primary data center, including UTM devices. Hervert recommends that operations teams prepare to incorporate new UTM devices with existing enterprise management and monitoring systems.
Alternatively, UTM can be incorporated gradually. Consider Able Body Labor, a staffing firm with 130 locations in 16 states. Able Body complemented its central and branch office firewalls by adding a UTM appliance with centralized management.
"It was increasingly more than a full-time job to manage all of our firewalls and logs," says Paul Zimorski, CIO. "For example, each time we wanted to update approved Web sites, making that change manually on 127 firewalls could take about three weeks."
Now, after deploying a SonicWALL 4300 with Sonic-WALL's Global Management System, that kind of change takes Able Body's technicians just half an hour.
"We were initially going to put the 4300 at the corporate office, but didn't want to take everything down, so we plugged the 4300 in at our [co-location] facility instead," says Zimorski. "In addition to content filtering, we use IPS, antivirus and antipyware on the 4300."
By routing all traffic through the 4300, Able Body avoided adding licenses or load to the existing SonicWall 3060 appliances at its headquarters. One 3600 protects its Web/ email network, and a second secures corporate Internet access.
The 4300 is meeting AbleBody's current performance needs, including 5.5 gigabytes of database updated daily from headquarters to the colo SAN. Time will tell, however, how well it can meet the company's future demands, says Zimorski.
As shown in Table 1, many UTM vendors advertise gigabit rates for high-end platforms. But overall throughput drops when VPN is added; turning on antivirus, antispam and Web filtering have even greater impact. For example, the SonicWALL 5060 drops from 2.8 Gbps (firewall only) to 384 Mbps (full UTM). Lack of standardized tests prevents meaningful comparison, but most vendors admit that using multiple services takes a significant toll on performance.
That's why Kansas City Life Insurance Company decided to split services across a pair of Astaro appliances. "Ideally we'd put everything in one box, but at our size, that's not really practical," says network engineer Keith Beatty.
One appliance filters Web traffic for 600 local users, enforcing category rules and scanning for viruses. A second unit filters more than 562,000 mail messages each week, blocking spam for another 4,000 insurance agents who work throughout the U.S.
"Web and email are the most visible pieces of a network; you must be sure to put enough hardware in place to support all of your users," says Beatty.
Kansas City Life started with vendorinstallation sizing guidelines, but used live traffic to verify estimates. "I talked to users and watched to make sure quality of service was there. We hit the sweet spot for Web filtering right away, which told me I didn't want to put more [services] on that one box."
The Astaro devices replaced several legacy products, including Cisco Systems PIX and Check Point firewalls, SurfControl and GFI MailEssentials.
"Those products may have had more features, but we weren't really using them," says Beatty. "Astaro gave us the core features we needed, with an overall experience that has been more robust." However, the company opted not to use Astaro's IPsec VPN, preferring to retain its well-ingrained SSL VPN appliance.
Kansas City Life mapped its existing firewall and Web/ spam filtering policies into Astaro's unified interface. On the back end, Windows Active Directory bonds the appliance with the company's user authentication.
Beatty believes that Kansas City Life's investment in UTM has paid off: "It wasn't making my job easier having to dig up firewall patches all the time. And every year, maintenance on SurfControl got more expensive. Now, we're not even using the entire UTM feature set and we have more flexible features for less money."
Obviously, the best UTM approach depends upon a myriad of criteria. Appliances often appear superficially similar, but turn out to be extremely diverse. To avoid this distraction, think of UTM as a design approach instead of a product. Here are some questions to consider:
- Which existing security systems are you itching to replace? Platforms that have become too costly or no longer reliably meet your needs are prime candidates.
- How must the UTM appliance interface with best-of-breed and adjacent systems like switches? Not all products support fiber or VLAN (see Table 1 (PDF)).
- What kind of authentication do you use? Many UTM products can interface with RADIUS, but vary in their support of single sign-on, ActiveDirectory and 802.1X.
- How must UTM fit into your management and monitoring framework? Capabilities like multiunit or multilevel policy administration and SNMP are far from universal.
- Define availability and reliability needs. Most high-end UTM devices can be deployed in high-availability pairs, but do you need power supply, disk or CPU redundancy, active-active support or WAN diversity?
- Establish current and future performance requirements. Vendor specs are only guidelines; plan to test real-world performance and adjust accordingly.
- How will you accommodate growth? If consolidating everything on one CPU is impractical, distribute services across appliances or blades and look for load balancing or crypto acceleration options.
- Which services do you truly require on each UTM device? Because packaging and options are so diverse, use your requirements to price comparable systems.
Individual products differ, but the merits of UTM as a design philosophy are growing clearer. To tap this trend, start thinking about whether and how to consolidate security services at trust boundaries throughout your network. After all, you can't reap the benefits if you don't consider the possibilities.