This article can also be found in the Premium Editorial Download "Information Security magazine: Compliance vs. security: Prevent an either-or mentality."
Obviously, the best UTM (unified threat management) approach depends upon a myriad of criteria. Appliances often appear superficially similar, but turn out to be extremely diverse. To avoid being distracted by those differences, think of UTM as a design approach instead of a product. Here are some questions to consider:
- Which existing security systems are you itching to replace? Platforms that have become too costly or no longer reliably meet your needs are prime candidates.
- How must the UTM appliance interface with best-of-breed and adjacent systems like switches? Not all products support fiber or VLAN (see Table 1 (PDF)).
- What kind of authentication do you use? Many UTM products can interface with RADIUS, but vary in their support of single sign-on, Active Directory and 802.1X.
- How must UTM fit into your management and monitoring framework? Capabilities like multiunit or multilevel policy administration and SNMP are far from universal.
- Define availability and reliability needs. Most high-end UTM devices can be deployed in high-availability pairs, but do you need power supply, disk or CPU redundancy, active-active support or WAN diversity?
- Establish current and future performance requirements. Vendor specs are only guidelines; plan to test real-world performance and adjust accordingly.
- How will you accommodate growth? If consolidating everything on one CPU is impractical, distribute services across appliances or blades and look for load balancing or crypto acceleration options.
- Which services do you truly require on each UTM device? Because packaging and options are so diverse, use your requirements to price comparable systems.
Individual products differ, but the merits of UTM as a design philosophy are growing clearer. To tap this trend, start thinking about whether and how to consolidate security services at trust boundaries throughout your network. After all, you can't reap the benefits if you don't consider the possibilities.
This was first published in March 2007