Unified Threat Management (UTM) appliances, also called next-generation firewalls, have become the network gateway security implementation of choice for small to midsized businesses. It's not surprising, given their ability to provide a wide array of security technologies, including firewalls, SSL and IPSec VPN, URL filtering, antivirus, spam filtering and intrusion detection and prevention. But do UTM appliances have a role in enterprise networks?
A defense-in-depth approach to security suggests an organization shouldn't rely on a single device to protect its network. But in the real world, budget constraints can make UTM appliances an attractive alternative to a patchwork of individual single-function point devices, each delivering a different degree of effectiveness. Plus you don't need an IT department with multiple skill sets to deploy, manage and update different products from various vendors. Even for competent administrators, avoiding conflicting or incomplete rule sets caused by misunderstandings about which product handles which threat is a time-consuming task.
UTM appliances deliver a fundamentally simpler network security infrastructure, as their various services are designed to work together and be managed from a centralized console. This saves time, money and manpower, making them cost-effective with lower day-to-day running costs. The reduced number of physical devices on the network also reduces the number of vendors you have to deal with. The appliances' innate ability to share security information and event data between their services also increases their overall security effectiveness.
There are, however, several distinct downsides to relying solely on a UTM appliance. It introduces a single point of failure and with all the tasks a UTM has to handle, network performance and scalability are legitimate concerns, too. Network traffic may be down now, but as economic activity picks up, would a UTM appliance become a bottleneck at high traffic gateways or when under attack?
Although the price-performance ratio of UTM appliances continues to improve, they have to detect an ever-growing array of threats using ever-expanding signature databases, a demanding task even for a single-function appliance. Also, if your preferred UTM appliance doesn't have all the features to fulfill your security policy requirements, you're going to have to invest in additional devices anyway. Some features, such as antimalware gateways, may then be duplicated by the UTM appliance, wasting precious IT dollars.
For most enterprise networks to stay secure, they'll need more functional capabilities and analysis power than a single UTM appliance can deliver. An appliance-based, layered security architecture is preferable in a critical environment such as a data center or enterprise server farm. This approach enables a choice of best-of-breed defenses for a wide range of threats. If performance is a key issue but the unified management and aggregated reporting found in UTMs are a must, then consider products such as Check Point Software Technologies Ltd.'s OpenChoice, which offers the flexibility to deploy different security products on a choice of hardware platforms.
Despite all the drawbacks, UTM appliances can play a role within the enterprise. A UTM can be deployed to establish a trust boundary to protect a particular workgroup, or to reduce the costs of purchasing, installing and managing separate devices at remote sites where administrative staff may not have all the necessary technical skills or resources. They can also be used for the quick setup of small short-term project teams and to protect the home networks of telecommuters. One such product, Netgear Inc.'s ProSecure UTM5, sells for less than $400. Where security versus performance is less of an issue, such as in Human Resources or accounts departments, there can often be a business case for replacing older, more basic firewalls that cannot evaluate application-layer traffic with the greater functionality of a UTM.
My preferred choice of UTM is one that runs on a purpose-built security device with a hardened operating system designed to handle the role of real-time analysis and protection. Appliances that employ ASIC-based processing hardware can accommodate high-speed networks, but be sure they come with failover capability. Single-vendor products, as opposed to those built on best-of-breed partnerships, can better address performance issues as well as provide a naturally unified management interface.
About the author:
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.