Editor's note: This is part one of a two-part series on evaluating UTM appliances and assessing the costs versus benefits of implementing UTM in your environment.
Unified threat management (UTM) appliances are widely deployed in organizations both large and small to stop a wide variety of threats from compromising systems and data. However, UTM systems are not necessarily the right choice for every environment. For example, many organizations already have a set of point products deployed that provide network security capabilities similar to those a UTM appliance offers. Ripping out all of those point products and replacing them with a UTM product carries substantial costs, sometimes prohibitively high ones. Point products also have an advantage over UTM in terms of product selection: you get to pick the best available product for each network security capability instead of compromising on a single product, which is likely to be stronger in some capabilities and weaker in others.
The size of an organization is another important consideration when evaluating UTM appliances for possible adoption. The smallest organizations might not need all the network security capabilities that UTM provides -- in these cases, UTM may simply be providing unnecessary functions at considerable expense. On the other hand, the largest and most cyberdependent organizations may not be able to use UTM tools because they need a level of scalability and reliability in their network security measures that the tools might not support, or at least not support as readily as their point product counterparts.
The importance of reliability with UTM systems should not be overlooked; they naturally create a single point of failure for most or all network security capabilities. A UTM system failure could conceivably shut down an enterprise, and a UTM appliance compromise could have catastrophic security impacts.
From a technical perspective, one of the most important benefits of a UTM appliance is that it integrates several detection and prevention capabilities to provide improved overall efficiency and effectiveness -- detecting and stopping attacks more quickly and accurately with less effort. Unfortunately, not all UTM products work this way. Some loosely bundle separate products under a single name but provide no single interface for managing and monitoring them, much less re-engineer the individual products to share information with each other and split the analysis workload. Organizations considering the purchase of a UTM appliance should ask detailed questions regarding its internal integration and consider avoiding products that are unified in name only.
UTM tradeoffs vs. benefits
Organizations acquiring UTM systems should be aware that they are not a panacea for all security threats. For example, most UTM tools still omit significant network security technologies, such as network-based data loss prevention, so other network security controls are typically needed to complement UTM systems.
Another major shortcoming is that network security technologies can only monitor the network traffic that is carried over the organization's own networks. They may therefore be ineffective for mobile and other computing devices that don't necessarily use the organization's networks. Some organizations choose to route all of their computing device traffic through their own networks, even for these mobile devices, but this comes with its own financial costs and performance penalties (primarily increased latency in network communications). More importantly, network security controls cannot view the contents of encrypted communications to look for malicious content unless the network is architected to automatically decrypt and re-encrypt communications at key points. Doing so carries security hazards of its own, as well as the added overhead of decrypting and re-encrypting all network traffic. And, finally, network security controls, unless deployed throughout an enterprise, will not see network-based attacks that don't pass through key network junctions (e.g., the perimeter), such as malware spreading between hosts on a single subnet.
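The three visibility gaps just described (off-network devices, encrypted content, and traffic that never reaches the perimeter) can be quantified before a purchase by running flow records against a model of where the UTM would sit. The script below is an added illustration, not code from the article or from any UTM vendor; the two-subnet topology, the perimeter-only placement, and the six flow records are all constructed assumptions. It labels each flow by what a perimeter UTM could actually inspect and reports the share of flows whose content would be examined, with and without a decrypt-and-re-encrypt point at the perimeter.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed topology (assumption): two internal /24s behind a single
# perimeter UTM; the core between them carries no inspection capability.
INTERNAL_SUBNETS = [ipaddress.ip_network("10.1.0.0/24"),
                    ipaddress.ip_network("10.2.0.0/24")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    encrypted: bool        # TLS or similar: payload is opaque without a decryption point
    on_org_network: bool   # False for a device talking directly from the Internet


def _subnet_of(ip: str):
    """Return the internal subnet containing ip, or None if it is external."""
    addr = ipaddress.ip_address(ip)
    return next((net for net in INTERNAL_SUBNETS if addr in net), None)


def classify(flow: Flow, decrypt_at_perimeter: bool = False) -> str:
    """Label what a perimeter-only UTM can see of this flow."""
    if not flow.on_org_network:
        return "off-network"            # never traverses the organization's network
    src_net, dst_net = _subnet_of(flow.src), _subnet_of(flow.dst)
    if src_net is not None and dst_net is not None:
        # Both ends internal: the flow never reaches the perimeter at all.
        return "intra-subnet" if src_net == dst_net else "inter-subnet"
    if flow.encrypted and not decrypt_at_perimeter:
        return "perimeter-encrypted"    # headers and metadata only, no content
    return "perimeter-inspected"        # full content available to the UTM


def assess(flows, decrypt_at_perimeter: bool = False) -> Counter:
    """Count flows per visibility class for the given architecture."""
    return Counter(classify(f, decrypt_at_perimeter) for f in flows)


def inspected_fraction(flows, decrypt_at_perimeter: bool = False) -> float:
    """Share of flows whose content the perimeter UTM would actually examine."""
    return assess(flows, decrypt_at_perimeter)["perimeter-inspected"] / len(flows)


# Constructed sample flow records (assumption), roughly netflow-shaped.
SAMPLE_FLOWS = [
    Flow("10.1.0.5", "10.1.0.9", 445, False, True),      # file sharing, same subnet
    Flow("10.1.0.5", "10.2.0.7", 3389, True, True),      # remote desktop across subnets
    Flow("10.1.0.5", "203.0.113.10", 443, True, True),   # HTTPS to the Internet
    Flow("10.2.0.7", "203.0.113.20", 80, False, True),   # plain HTTP to the Internet
    Flow("192.0.2.50", "203.0.113.10", 443, True, False),  # laptop on a coffee-shop Wi-Fi
    Flow("10.2.0.7", "198.51.100.5", 25, False, True),   # outbound SMTP
]


if __name__ == "__main__":
    for decrypt in (False, True):
        counts = dict(assess(SAMPLE_FLOWS, decrypt))
        share = inspected_fraction(SAMPLE_FLOWS, decrypt)
        print(f"decrypt at perimeter={decrypt}: {counts}; content inspected: {share:.0%}")
```

On the constructed sample, only two of the six flows are content-inspected by a perimeter-only UTM; adding a decryption point raises that to three, while the intra-subnet, inter-subnet and off-network flows stay invisible regardless. Fed real flow exports, the same classification shows which of the article's three gaps dominates in a given environment and therefore which complementary control (internal sensors, endpoint agents, or a decryption architecture) the UTM purchase would still leave unaddressed.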
About the author
Karen Scarfone is the principal consultant for Scarfone Cybersecurity in Clifton, Virginia. She provides cybersecurity publication consulting services, specializing in network and system security guidelines. Scarfone was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST), where she oversaw the development of system and network security publications for federal civilian agencies and the public.