Published: 01 Jun 2006
It's a firewall, it's an IPS, it's antivirus, it's antispam... but is it right for you?
More information from our sister site SearchSecurity.com
Go to Intrusion Defense School to learn more about Unified Threat Management and its role in a holistic intrusion defense strategy. CISSPs and SSCPs who attend the School webcasts are eligible to earn CPE credits from (ISC)2.
Visit our resource center for tips and expert advice on Unified Threat Management.
By Joel Snyder
Vendors are talking about unified threat management, but is it right for you? We'll dissect the five arguments in favor of UTM.
It makes sense in theory: Combining security functionality--such as antivirus, intrusion detection and firewall--into one appliance gives infosecurity professionals a security Swiss Army knife of sorts.
In reality, however, unified threat management is not defined by what is in the appliance, but by your reason for wanting to put more than one function in a single device. There are five main arguments in favor of UTM: It provides for consolidation, thereby reducing costs; it improves performance; it reduces complexity; it simplifies management; and it increases flexibility.
By understanding the merits of these arguments, you'll have a better idea of whether UTM is right for your network.
Current UTM devices pick from a menu of more than a dozen options including network firewalls, application and XML firewalls, site-to-site and remote access VPNs, antivirus and antispyware, antispam and antiphishing, bandwidth management, intrusion prevention and detection, application control, content filtering, and Web proxy.
In other words, UTM has come to mean "a security feature we added to our firewall/ VPN device." In short, there are no firewall vendors who don't want to count themselves in the UTM space.
What does this mean for you? The question isn't whether you should be buying a UTM firewall, but rather, should you be using UTM features? If you're buying a firewall, you're getting a UTM device.
The UTM question is further confounded by an interest from high-end firewall vendors to push UTM into enterprise networks. Until recently, the easiest place to implement a UTM firewall was in an SMB network. It is a simple proposition: UTM firewalls often add security features that the network didn't have. Going from no gateway antivirus to a UTM gateway antivirus isn't a hard decision to make. Adding another layer of protection is no guarantee, but when it's a matter of checking the "Enable Antivirus" box and paying a subscription fee, the cost/ benefit ratio usually encourages SMB users to turn on these extra features.
However, in a more sophisticated enterprise network, you'll find multiple threat management devices, ranging from e-mail firewalls to IPS devices and Web proxy servers, already in place. Here, UTM raises a more difficult question: Should I use the UTM features of the firewalls, or should I continue with point solutions to solve my problem?
To answer this key question, we'll give you the metrics you can use to map these to your own network.
Special Feature: Be Prepared
Consolidation & Cost
The easiest argument to make in favor of UTM is that it takes multiple devices and merges them into one. Consolidation has its own benefits even if you're only compressing multiple firewalls into a single device. But when UTM is added, the greatest benefit is cost savings from three different areas: capital expenditure, operational expenditure and saved rack space in a server room.
In terms of capital expenditure, savings start with buying fewer boxes and software licenses. Although there are always exceptions to this rule, buying one box that does two things but needs one set of licenses is almost always less expensive than buying two boxes and two sets of licenses. The capital expenditure savings argument, though, becomes less clear when you already own the two boxes. In that case, it's important to understand that you're never done buying boxes. Network managers have been on this treadmill before, and, if they're not buying boxes for their network every day, they at least realize that there is a never-ending train of solutions to deal with new and evolving threats.
Operational expenditure savings are easier to see because fewer boxes to manage means, well, fewer boxes to manage. And, fewer boxes take less time to maintain with patches, updates and configuration changes. In addition to operational expenditures come all of the other software support costs required for any security device, including maintenance and subscription services. With fewer devices, the subscription services might be the same (or they could be lower), but the software maintenance fees will definitely offer savings.
The last cost savings area is pure hardware: power, space and cooling. While some network managers have the advantage of oversized computer rooms with excess cooling, that's far from common. The stress of 1U servers combined with ever-increasing clock speeds has dramatically changed the balance of space, power and heat used to build most computer rooms. The upshot is that every inch of rack space in a computer room represents a valuable resource, and the marginal cost of adding racks, power and cooling to a filled-to-capacity room is enormous. Thus, putting one box where there were two (or three or five) is a savings and can be fairly substantial.
Consolidation is a driver for UTM if the cost savings in the three areas add up when compared to the alternative--either not enabling UTM or sticking with a multi-box solution. If the cost savings aren't there, that doesn't mean that UTM is not right for you--just that you need to move on to more compelling arguments.
Special Feature: Be Prepared
Performance is a touchy subject when it comes to UTM devices--it's difficult to benchmark devices when there are no agreed methodologies for UTM performance testing. The usual metrics of packet and connect rate are still valid, but deciding how to stress the systems and properly measure full system goodput as opposed to single subsystem goodput are without industry consensus.
The idea behind the UTM performance advantage is that each component within a UTM product can have influence on the other components. Greater visibility into the flows within a network allows for a closer match between device capability and real network loads. It's a subtle argument, but one that is especially compelling as speeds grow to gigabit levels.
For example, if you're doing inline IPS, all traffic has to go through your IPS--this is true even if your IPS strategy is only focused on a subset of the traffic load, such as servers. With a UTM-integrated IPS, the UTM device can ask the IPS to inspect only the traffic that the network manager wants to be inspected, not all traffic on the network. Depending on the size of the network, these could be dramatically different numbers.
Performance, though, has its flip side: Most UTM devices get performance-bound quickly as security features are enabled. This means that older firewalls, even if they can be upgraded to UTM versions of firmware, may not have the memory or performance capacity to enable those new features.
For example, we recently tested a UTM device, and performance went from 2000 transactions per second without UTM enabled, to 1000 with IPS enabled, then to 100 with IPS and antivirus, and finally to 50 transactions per second with IPS, antivirus and some VPN traffic. Goodput dropped, as well, from a high of 70 Mbit/sec with UTM disabled to 2 Mbit/sec with IPS, antivirus and VPN. Our experience in testing shows this is not an isolated case (though it is a bit extreme), and devices will commonly drop to 10 percent or less of unburdened capabilities when the load of multiple UTM features is added.
These performance factors mean it is critical that any UTM deployment, even in networks connected to the Internet by 1.5 Mbit circuits, must be prefixed by testing with real traffic and real configurations. It's likely you will discover that any device more than a few years old cannot handle the load that multiple UTM functions add.
Special Feature: Be Prepared
If there's any argument that will resonate with large enterprise network managers, it's this one. UTM strategies can dramatically decrease the number of devices in a network, which has the immediate side effect of increasing overall reliability (with fewer devices to fail, the mean time between failures of the system increases), and decreasing management and debugging difficulty (with fewer devices, it's easier to find where a problem is).
The physical network topology for a single-device solution is much simpler than any pre-UTM environment. In fact, integrating UTM devices can make some topologies easier to implement. While the plan for building a high-reliability firewall service-- usually by sandwiching pairs of firewalls between pairs of load balancers-- is well known, how these interact with a miscellaneous pile of threat mitigation devices is a different and more difficult planning question. With fewer devices in the picture, everything becomes less complex.
There are other complexities that can be ameliorated by use of UTM. For example, if a network has both a firewall and dedicated Web proxy, a goal of the network manager is to ensure all outgoing Web traffic goes through the proxy, and no unsupervised traffic moves through the firewall. This logical complexity, and the attendant risk of error or omission, is reduced if the Web proxy and firewall are in the same box.
If adding UTM features to your network will help you to reduce or at least constrain complexity, then this is a strong argument in favor of UTM. If network complexity doesn't change much, you may have to find a different justification.
Special Feature: Be Prepared
Saying that UTM offers better management is a contextual argument depending on both the device itself and the organization. Most UTM devices, with their SMB orientation, have sacrificed depth and breadth of management to give the same "flavor" to each function within the device. Where device and function management are occasional tasks, such as in firewalls and antivirus systems, this compromise may not be noticed.
In larger enterprises, features such as IPS and e-mail security require their own consoles and management style. These features may also be handled by different functional units. Combining every UTM feature into an all-in-one console can be a show-stopper.
Of course, not every UTM device forces every function into the same GUI mold. These devices merge more seamlessly into the existing management structure in an enterprise where multiple units are responsible for different aspects of security, or where management-heavy features such as IPS are in play.
Having separate management systems has its disadvantages. For example, if your firewall and IPS are using different management systems, you may open a hole in the firewall and forget to adjust the IPS to properly handle the new services. Or, more commonly, you'll make the same change in two places, but have a simple error, such as having different subnet masks, that gives the two changes different semantics.
A clear plus for UTM is when network policy and objects can be shared across UTM features. For example, if a subnet requires inbound FTP services, policies permitting and inspecting this would have to be matched on both a firewall and an IPS, while the definition of the subnet would also have to match.
Anytime two things have to be matched or coordinated, there is the chance for failure--and a UTM device without some type of unified scheme to share policy and object information is ripe for human error.
Special Feature: Be Prepared
The last reason that UTM might be right for you is if you require flexibility--at which point you should respond, "Who doesn't?"
Flexibility in the world of UTM means that you have the option to enable or disable a threat management feature any time you want. For example, if you find something wrong with your desktop antivirus, such as a bad update or missing signature, you can enable antivirus on the gateway instantly--even if it's not part of your long-term strategy. Of course, the flexibility to disable a feature quickly without reconfiguring your network, such as turning off an IPS or virus scanner, can be equally useful.
While most products have the ability to easily turn on and off entire subsystems, such as the IPS or virus scanner, it's also important to identify UTM products that give you more than a few UTM options, such as a choice of multiple vendors for antivirus and IPS, or the ability to add in more obscure threat management, such as traffic management tools or esoteric firewalls.
That said, flexibility is a hard argument to evaluate. If you thought calculating ROI on a security investment was difficult, consider how to value installing a product for a feature that you might not even use.
Fortunately, you don't have to make one big decision about UTM. Instead, UTM is all about making a series of small decisions, one per feature. Any function can go into a UTM firewall, but not every function should. By evaluating the five arguments in favor of UTM, you'll have a better feeling for the cases where UTM will bring benefits--and those cases where you're better off sticking with multiple point solutions.
About the author:
Technical editor Joel Snyder is a senior partner at Opus One, an IT consulting firm specializing in security and messaging. Send your thoughts on this article to firstname.lastname@example.org. Case Study
UTM Boosts Hospital's Immunity
By Bill Brenner
Tavares Marsh and Eric Conrad have a big job overseeing IT security for the 12,000-employee, 250,000-patient Caritas Christi Health Care chain in Massachusetts. Their IT shop, in the Dorchester section of Boston, is the hub of a network spanning two medical centers, four hospitals and a vast array of remote doctor's offices--all of which rely on the Internet to trade data back and forth.
More than 5,000 medical personnel access a network of about 5,000 Windows machines--including servers and wireless devices--and about 30 UNIX servers. Such a large environment is a potential gold mine for online attackers. A hacker who successfully cracks the network could then access information on patients' medical histories, pharmaceutical needs and insurance data--including policy codes and Social Security numbers.
But Marsh, the senior IT engineer, and Conrad, the network security manager, say they're not about to let that happen. This is the story of how they try to keep the bad guys at bay.
They have plenty of help, to be sure. Each hospital and medical center has its own IT shop with about 100 staffers across the enterprise. They've built an intrusion defense with multiple layers of AV, firewalls, spyware scanners and IDS tools from vendors and the open source community. They also use a unified threat management platform as an extra layer for Web-content filtering.
Caritas Christi's multi-layered defense starts with its main Check Point Software Technologies firewall and backup firewall support from Fortinet. Its desktop AV comes from CA, while corporate e-mail is scanned using the open-source Clam AV and an AntiVir scanner from Avira.
"E-mail and Internet activity get scanned multiple times by multiple tools," Conrad says. "That way, if a piece of malware evades one scanner, it'll be caught by another scanner."
Case Study: UTM Boosts Hospital's Immunity
Marsh and Conrad credit Fortinet with helping them roll a variety of security tools into one UTM system. They've deployed two FortiGate-800 enterprise-class systems--one inside the headquarters' core data center, where it runs AV and scans all Internet traffic; the other inside one of the hospitals, where it's used for intrusion detection and prevention and security policy enforcement.
The FortiGate systems also receive automatic antivirus signature and Web content filtering updates. Marsh and Conrad say the product has helped them protect data in a way that is essential to their HIPAA compliance.
But they were not looking for a UTM appliance, per se. They simply wanted an extra tool to scan Web traffic and block spyware and other suspicious content. They looked at products of all stripes, including Trend Micro's InterScan VirusWall and CyberGuard's Webwasher, but determined that those products were more expensive and complex than they wanted.
"With InterScan VirusWall, you had to buy software, a big server and licenses for however many users you needed it for," Marsh says. "I liked Webwasher, but there was an issue with how it charged per seat."
They found the simplicity and cost-effectiveness they were looking for in a UTM appliance from Fortinet. And while they're only using it for the Web filtering, Marsh said the extra features found are a bonus because they give the Caritas Christi IT shop more options as the security infrastructure evolves.
One of the reasons Marsh and Conrad chose the Fortinet platform is because it allows them to get the biggest bang out of their open-source tools. "The whole device is based on open source," Marsh says. "It took open-source tools, improved them and put them into a box that makes everything work more efficiently.... We use Snort and other custom tools for IDS. What's great about it is that we can load it onto some older hardware, and it allows you to be smart with the budget you have. And it just works well."
Not that it's perfect: Snort requires some "babying," especially when it comes to separating true security events from normal network noise, says Marsh.
In the end, "Our philosophy is that if you can go with open source, if it works better than some of the other things out there, you go with it," Conrad says.
Case Study: UTM Boosts Hospital's Immunity
|UTM Buyer's Guide|
Click here a representative list of companies that offer unified threat management appliances. For the most part, these are firewall/VPN appliances that integrate antivirus, antispam, intrusion detection/prevention and URL content filtering, typically as optional modules. Many offer SSL VPN and antispyware capabilities as well. (PDF).
Compiled by Neil Roiter
Indeed, focusing on a rapid incident response and multi-layered defense has served them well--so far. Recent experiences with malware are a good example.
"Spyware is largely a laptop issue now," Marsh says. "And worms and viruses haven't been much of a problem at all. At worst, we may have a 20-machine cleanup to deal with, but we're able to stop it before it gets out of hand."
In the end, Conrad says that a strong intrusion defense program is based on best practices that aren't always tied to spending; it's about having the right user policies and knowing how to make the most of the tools you have.
"It's all about a layered defense--using tools efficiently, training staffers to uncover threats, and hiring and keeping good people," he says. "An organization like ours can't prevent everything. But we can have a quick response that focuses on protecting the high-level, confidential data. That's out focus. I'll put it this way: I'm not losing any sleep," Conrad says.
About the Author:
Bill Brenner is a news writer with SearchSecurity.com. Send your thoughts on this article to email@example.com. Opinion
What is 'Best-of-Breed
Best-of-breed is the key phrase for one of the biggest arguments against UTM deployment: It's a code, thrown around by the folks who sell dedicated products, that means, "Our stuff is better than whatever was packaged with your UTM device." In effect, when IPS vendors argue against UTM on "best-of-breed" grounds, what they are saying is that their IPS is better than the IPS in the UTM firewall. Their product is Parmigiano-Reggiano; UTM is supermarket cheddar.
Of course, this is a matter open to debate. While it's often true that the specialized devices have more functions, features and flywheels than those in a UTM device, there are two reasons why you might not care:
- Many network managers have no need for the additional features in standalone devices. For example, standalone antivirus typically has an option to quarantine viruses, while UTM firewalls generally don't. That's fine, except experience has shown that antivirus engines almost never have false positives, and best practices are to simply delete messages rather than quarantine them.
- Often, you want a different set of features in an embedded firewall than you want in a standalone device. IPS is the perfect example: a technology that can be of use to almost anyone, yet only a few are willing to put in the time and energy to maximize value. A simple IPS that doesn't allow or require complex configuration is perfect for integration with a UTM firewall.
The lack of choice is a dominant, but not universal, characteristic among UTM devices. In the SMB space, it is rare to find choice except perhaps in antivirus (because everyone agrees that having different vendors for antivirus is the smart solution). In the enterprise space, vendors are making a more sincere effort to offer real choice when building UTM devices.