Sergey Nivens - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

UTM vs. NGFW: Unique products or advertising semantics?

In comparing UTM vs. NGFW, organizations find it difficult to see if there are differences between the two products or if it is just marketing semantics.

It can often be difficult to discern the difference between unified threat management (UTM) and next-generation...

firewalls (NGFW). Experts agree that the lines appear to be blurring between the two product sets, but enterprises that focus on defining each product type during the purchasing process may be making a mistake.

NGFWs emerged more than a decade ago in response to enterprises that wanted to combine traditional port and protocol filtering with IDS/IPS functionality and the ability to detect application-layer traffic; over time they added more features like deep-packet inspection and malware detection.

Meanwhile, UTMs were borne of a need for not only firewall functionality among small and midsize businesses, but also IDS/IPS, antimalware, antispam and content filtering in a single, easy-to-manage appliance. More recently UTMs have added features, like VPN, load balancing and data loss prevention (DLP), and are increasingly delivered as a service via the cloud.

According to Jody Brazil, CEO of Overland Park, Kan.-based security management firm FireMon LLC, SMBs and remote office locations were attracted to the UTM, but larger enterprises tended to favor the NGFW to standalone devices throughout the network, minimizing the impact on firewall performance.

Greg Young, research vice president for Stamford, Conn.-based Gartner Inc., said larger enterprises have had the budgets to buy the best technology, and the staff to support the more advanced features and better performance afforded by NGFWs. On the other hand, SMBs not only wanted an all-in-one product, but also needed extra support from the channel to manage the device, even if it meant that each feature of the UTM was good, but not the best.

"Service providers for ISPs have different needs than enterprises," Young said. "So, UTM vendors will only offer basic firewall features as a price-play for that market."

Young said those differences in ease of use and support demands still exist today, though they have become more nuanced; there is overlap in the underlying technology of NGFW and UTM, and spec sheets tend to look similar. Young said that the key differences now are more around quality of features, and the level of support from channel partners to meet customer needs.

What an NGFW does is bigger than just a firewall.
Mike RothmanPresident, Securosis LLC

Young also noted that vendors tend to excel in one market or the other, like Fortinet Inc. with UTM for SMBs, or Palo Alto Networks Inc. with NGFW for enterprises. Few vendors can succeed in both, he said, like Check Point Software Technologies Ltd. has done.

"The confusion came from SMB vendors trying to move into the enterprise market without making channel and quality changes," Young said. "It was an intentional campaign to confuse, but very few end users are confused about what they need. It is either a racecar [NGFW] or a family van [UTM]."

Brazil admitted that the differences between NGFW and UTM can be confusing, even for experienced practitioners, but described UTM as a collection of unrelated security features, one of which is the firewall.

"UTM generally refers to a firewall with a mix of other 'bolted-on' security functions like antivirus and even email spam protection," Brazil said. "These are not access control features that typically define a firewall."

What traditionally has defined next-gen firewalls, Brazil said, is robust Layer 7 application access control, though an increasing number of NGFWs are being augmented with integrated threat intelligence, enabling them to deny known threats based on a broad variety of automatically updated policy definitions.  

However, Brazil did caveat his distinctions by saying that a UTM could be considered an NGFW if it met the Layer 7 parameters, and an NGFW that included malware functions could be considered a UTM. Though, he was clear that despite these potential overlap points, he would keep the classifications separate because of a lack of similarities in other respects, like access control.

Brazil said that NGFW will eventually become the standard, and the terms "NGFW" and "firewall" will become synonymous. He said UTM will remain an important product for SMBs, especially when a company prioritizes simplicity of deployment over the depth of security and performance, but NGFW and UTM will not converge because of performance and management concerns.

"The idea of a 'converged' network security gateway will continue to have appeal, so vendors will continue to add functionality to reduce cost of firewall ownership to the customer and increase revenue to the vendor," Brazil said. "However, issues with performance and manageability will continue to force separate, purpose-built systems that will be deployed in enterprise networks. As such, there will continue to be enterprise firewalls that should not be considered UTMs."  

Mike Rothman, analyst and president for Phoenix-based security firm Securosis LLC., said he believes that UTM and NGFW are essentially the same, and the differences are little more than marketing semantics. Rothman agreed that marketing from vendors caused confusion, but also blamed analysts for adopting the term NGFW and driving it into the vernacular.

He said that early UTMs did have problems scaling performance from SMBs to larger enterprises, especially when trying to enforce both positive rules (firewall access) and negative rules (IPS), but that early NGFW had the same issues keeping up with wire speed when implementing threat prevention. He said that the perceived disparities were used to enforce market differentiation, and they persist today, despite these scaling issues not being relevant anymore.

According to Rothman, the confusion lies not only in comparing the two device types, but also in the term "next-generation firewall" itself, which he thinks minimizes what the device does.

"What an NGFW does is bigger than just a firewall," Rothman said. "A firewall is about access control, basically enforcing what applications, ports, protocols, users, etc., are allowed to pass through the firewall. The NGFW also can look for and deny access to threats, like an IPS. So it's irritating that the device is called an NGFW, as it [is] more than just a firewall. We call it the network security gateway, as that is a more descriptive term."

Rothman said that today's UTMs can do everything a NGFW can do, as long as they are configured properly and have the right policy integration. He said he believes that arguments about feature sets or target markets are examples of aritificial distinctions that only serve to confuse the issue.

"From a customer perspective, the devices do the same thing," Rothman said. "The NGFW does both access control and threat prevention, as does the UTM, just a little differently in some devices. Ultimately, the industry needs to focus on what's important: Will the device scale to the traffic volumes they need to handle with all of the services turned on? That's the only question that matters."

Moving forward, despite differences in opinions, the experts agree that enterprises shouldn't go into a purchasing process by trying to decide whether they need a NGFW or a UTM. Rather, the ultimate goal should always be to focus on the best product to solve their problems.

Rothman said that the distinctions will go away as low-end UTM vendors add more application-inspection capabilities and more traditional NGFW vendors go downmarket by offering versions suitable for SMBs. He also said he doesn't expect an end to confusing vendor marketing anytime soon, so enterprises need to be careful to ignore these semantics and focus on finding the right product to address security needs.

Young said that in the short term, UTM and NGFW will remain separate and will both continue to be mainstays for SMBs and larger enterprises respectively, and the decision around what device to use will be a question of need.

The question of UTM vs. NGFW is still divisive, and experts have different ideas regarding if and where the two technologies diverge when looking at the issue from a vendor perspective. However, when looking at the issue from a customer perspective, the experts agree that focusing on an enterprise's security needs will help to mitigate the confusion and lead to the right product.

"It isn't just about technology, it is about how a small company's security is different than a big company's security," Young said. "It's all about the use case, not a 'versus.'"

Next Steps

Learn about the benefits and tradeoffs of using a UTM appliance.

Learn about the benefits of an NGFW.

Dig Deeper on Network device security: Appliances, firewalls and switches