Enterprise UTM security: The best threat management solution?


Mike Chapple, Contributor

If you believe everything you read, enterprise unified threat management (UTM) products and appliances are the silver bullet for information security. These all-in-one boxes claim to cure any enterprise's security ailments with functions that include network perimeter protection, content filtering, malware protection and more. However, I've never met a security professional who believes everything he or she reads! In reality, UTM provides decent network security for small and midsized businesses, but it probably has no place in the enterprise.

What is unified threat management (UTM)?
UTM products are, quite simply, several security products combined in a single device. From a performance standpoint, this is a perfectly reasonable thing to do: many specialized servers, such as those often used to host security applications, sit idle for a substantial portion of the time, and hosting multiple services on the same server is resource efficient, reducing unused capacity.

The basic building block for a UTM product is a network firewall. (For more on firewalls, read my Firewall Architecture Tutorial.) The other components of the UTM will depend upon the vendor and model that you select. Common features include:

  • Spam protection
  • Content filtering
  • Antivirus/antispyware protection
  • Intrusion prevention

UTM vendors will be happy to show you fancy charts and graphs "proving" that you'll save tons of time and money by deploying UTM products in lieu of separate components. In my experience, though, beyond saving a few minutes on basic tasks such as NIC configuration, a UTM does not make a significant dent in the time you spend configuring and operating the product: each function still carries its own policy, signature updates and tuning, whether or not it shares a chassis with the firewall. The cost savings, on the other hand, are real. Getting multiple security services from a single device, and a single purchase, can be good value for your IT dollar.

UTM deployment risks
From my perspective, there are two major risks involved when deploying a UTM product: lack of fault tolerance and lack of vendor diversity. Fault tolerance is a major concern because a hardware or software failure that disrupts the UTM box takes down all of your security services simultaneously. Depending on whether the box fails closed or fails open, that either takes the entire enterprise offline (just wait for that phone call at 3:00 a.m.!) or leaves traffic flowing with no firewall, IPS, content filtering or malware protection in front of it, which is not an ideal scenario either. A high-availability pair reduces the exposure to hardware failure, but a bad signature update or a configuration mistake is normally replicated to both members, so the shared fate remains. With UTM, the comforting knowledge that each security service runs on its own hardware platform, isolated from the ripple effects of an outage in another service, simply doesn't exist.

Vendor lock-in, the lack of vendor diversity mentioned above, is in my opinion the greatest downside to UTM products. Take a moment and think about the first UTM offering that comes to mind and the company that produces it. How would you classify that company? If you said "firewall vendor," that's what you'll be buying: a firewall developed by that vendor with some other security features bolted on so they could apply the UTM moniker. Similarly, a UTM product from a content filtering vendor will have excellent content filtering capabilities, most likely supplemented by a mediocre firewall. Is that really what you want?

I'm a big fan of the "best-of-breed" approach to security infrastructure: Find the best firewall, the best IPS, the best content filter (and so on … ) and tie them together with a great security information and event management (SIEM) product. The price of best-of-breed is integration: each product logs in its own format, so the SIEM has to normalize those formats before it can correlate, say, a firewall deny with an IPS alert about the same host. That approach simply isn't possible in the world of UTM, where you get one vendor's view of every function.
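To make the "tie them together with a SIEM" step concrete, here is an added example (not code from the original article, and not any real product's parser) that maps three different log formats onto one event schema and then correlates them by source IP. All three formats and every log line are constructed for this illustration using RFC 5737 documentation addresses; the correlation rule (seed on an IPS alert, look for other products reporting the same source within a time window) is the kind of cross-product logic a UTM hands you pre-baked but a best-of-breed stack has to build.

```python
"""Normalize logs from three hypothetical security products into one event
schema and correlate them by source IP.

Added example; not code from the original article. The three log formats
and all sample lines below are constructed for this illustration and do not
match any real vendor's output. Runs offline with no external input.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines, one hypothetical product per list.
FIREWALL_LOGS = [
    "2024-03-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=445 proto=tcp",
    "2024-03-01T10:00:05Z fw01 ALLOW src=192.0.2.25 dst=198.51.100.20 dport=443 proto=tcp",
    "2024-03-01T10:00:09Z fw01 DENY src=203.0.113.7 dst=198.51.100.11 dport=445 proto=tcp",
]
IPS_LOGS = [
    '2024-03-01T10:00:03Z ips01 alert sid=1001 msg="SMB scan" src=203.0.113.7 dst=198.51.100.10 severity=high',
    '2024-03-01T10:00:30Z ips01 alert sid=2002 msg="HTTP probe" src=192.0.2.25 dst=198.51.100.20 severity=low',
]
# Pipe-delimited content filter: epoch|host|client|url|action|category
FILTER_LOGS = [
    "1709287206|proxy01|192.0.2.25|http://example.invalid/payload.exe|BLOCKED|malware",
]

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)
IPS_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) alert sid=(?P<sid>\d+) msg="(?P<msg>[^"]*)" '
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) severity=(?P<sev>\S+)$"
)


def _iso(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _event(ts, source, src, dst, action, detail):
    """The common schema every product is mapped onto."""
    return {"ts": ts, "source": source, "src": src, "dst": dst,
            "action": action, "detail": detail}


def parse_firewall(line):
    m = FW_RE.match(line)
    if not m:
        raise ValueError(f"unparsed firewall line: {line!r}")
    return _event(_iso(m["ts"]), "firewall", m["src"], m["dst"],
                  m["action"].lower(), f"{m['proto']}/{m['dport']}")


def parse_ips(line):
    m = IPS_RE.match(line)
    if not m:
        raise ValueError(f"unparsed IPS line: {line!r}")
    return _event(_iso(m["ts"]), "ips", m["src"], m["dst"],
                  "alert", f"sid={m['sid']} {m['msg']} ({m['sev']})")


def parse_filter(line):
    fields = line.split("|")
    if len(fields) != 6:
        raise ValueError(f"unparsed filter line: {line!r}")
    epoch, _host, src, url, action, category = fields
    return _event(datetime.fromtimestamp(int(epoch), tz=timezone.utc),
                  "filter", src, url, action.lower(), category)


def load_events():
    """Parse every constructed line and return the events in time order."""
    events = [parse_firewall(line) for line in FIREWALL_LOGS]
    events += [parse_ips(line) for line in IPS_LOGS]
    events += [parse_filter(line) for line in FILTER_LOGS]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(seconds=60), min_sources=2):
    """Seed on IPS alerts. A finding for a source IP is the set of distinct
    products that reported that IP within +/- window of one of its alerts;
    it is emitted only when at least min_sources products agree."""
    findings = {}
    for alert in (e for e in events if e["source"] == "ips"):
        corroborating = {
            e["source"] for e in events
            if e["source"] != "ips" and e["src"] == alert["src"]
            and abs(e["ts"] - alert["ts"]) <= window
        }
        sources = {"ips"} | corroborating
        if len(sources) < min_sources:
            continue
        f = findings.setdefault(alert["src"],
                                {"src": alert["src"], "sources": set(), "alerts": []})
        f["sources"] |= sources
        f["alerts"].append(alert["detail"])
    return findings


if __name__ == "__main__":
    for src, f in correlate(load_events()).items():
        print(src, sorted(f["sources"]), f["alerts"])
```

With the constructed data, 203.0.113.7 is flagged because the firewall and the IPS both saw it within a minute, and 192.0.2.25 is flagged by all three products; raising `min_sources` to 3 keeps only the latter. The parsers raise on lines they do not recognize rather than silently dropping them, which is the behaviour you want in a SIEM feed, since an unnoticed format change from one vendor would otherwise blind the correlation for that product.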

The role of UTM
So now that I've walked you to the edge of a cliff with a UTM box in your hands, let's back up a few steps. I can think of at least two scenarios where UTM can play an important role in securing a network.

First, for a small or medium-sized business, UTM may be the right approach. The cost savings and convenience of having all of these features hosted on a single box may simply outweigh the benefit of having the best individual products available. If that's the case, by all means, consider a UTM.

Second, if budgetary or other constraints prohibit the company from purchasing spam protection, content filtering, malware protection or an IPS, a UTM is a great way to get a feature you wouldn't otherwise have by adding a small cost to a previously planned purchase. With this approach, treat the added feature as a "freebie" and don't let it play a significant role in the purchase decision. Find the best possible firewall and then see if, for example, the IPS thrown in for free is suitable for use in the environment.

In conclusion, unified threat management products are probably a little overhyped. They do take advantage of unused hardware capacity by hosting multiple security services on the same platform, but security pros are unlikely to see significant time savings as a result, and they may find themselves chained to a non-ideal vendor. That said, if the budget won't permit an alternative, UTM just might be the way to go.

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.
