This content is part of the Essential Guide: Unified threat management devices: Understanding UTM and its vendors

Evaluating UTM products: Pros and cons of UTM appliances

Before you invest in a UTM product, it's critical to ensure it will fulfill your security needs. Learn the pros and cons of UTM appliances.

Editor's note: This is the second half of a two-part article on evaluating potential UTM products. In part one, we discussed the cost, efficiency and viability of UTM systems. Here, we discuss more considerations to keep in mind to ensure you find the best UTM for your enterprise needs.

Network security by definition is limited to finding those attacks that involve the transmission of network traffic. However, there are still many security incidents today that occur without network traffic being involved. A classic example is a person inserting an infected USB drive into a laptop, thereby infecting that laptop. There's simply no way for network-based controls to identify this, unless possibly after the fact, when the malware uses network traffic to propagate or to transfer sensitive data from the infected laptop to an external host. And by then the damage may be done. Host-based antivirus software is needed on the laptop to stop this malware from infecting the laptop in the first place.

Another common example of the need for host security is the loss or theft of a mobile device, such as a laptop, smartphone or tablet. Simply put, network security controls are useless at protecting a mobile device from an attacker with physical access to it. Someone who acquires a mobile device that is protected only through network-based means will easily be able to recover any sensitive data stored on the device in a matter of minutes by using forensic recovery tools or perhaps even more basic utilities. It is necessary to use host-based security controls on mobile devices, specifically full-disk encryption technologies, to ensure that their contents are strongly encrypted so that, if they're lost or stolen, unauthorized parties cannot recover their sensitive information.

Similarly, in addition to host-based antivirus software and full-disk encryption, there are many host-based security controls that network-based security controls cannot replace. Rather, these sets of security controls complement each other. Unified threat management (UTM) is a key component of an overall security strategy, but by itself, it's simply insufficient. Even the best UTM appliance used alone will allow many important security threats to achieve their goals and compromise or otherwise damage systems. And with the increasingly mobile nature of IT assets, host-based security is becoming more important all the time. This isn't meant to suggest that network security controls are not important; they are still needed, although increasingly they're implemented on individual hosts instead of networks. Organizations with a highly mobile workforce may find that UTM systems are helpful for protecting servers and other infrastructure components, but not their user endpoints.

That said, protecting servers and other infrastructure systems is incredibly important. These devices are the ones with the "keys to the kingdom," such as database servers containing millions of customer records. Attackers may choose to target these systems instead of user systems because of the vast data stores they hold. Many of the security capabilities that UTM tools provide would be very helpful in protecting servers from external threats. Consider the scope of a UTM appliance -- user devices or server systems -- and your organization's needs when you evaluate UTM products.

A related concern is the potential impact of deploying a UTM appliance and trying to fully use all its capabilities immediately. Some UTM capabilities, such as firewalling and intrusion prevention, can inadvertently block benign activity that they incorrectly categorize as malicious. This happens all the time with new network security deployments. Imagine that you deploy UTM products across your enterprise and they inadvertently block your most important network traffic; what would the financial impact to the enterprise be?

There are also concerns about the efficiency and throughput of UTM systems. Every security capability that's enabled will slow the performance of the UTM appliance somewhat. Individually these slowdowns may not be significant, but when there are six or seven security capabilities, the slowdowns accumulate and can cause major performance problems for anything relying on network traffic. Therefore, it's highly recommended that any UTM deployment be done using a phased approach, and that not all of the UTM's security capabilities be activated at the same time. A more gradual rollout of UTM will help prevent major problems from occurring.

About the author:
Karen Scarfone is the principal consultant for Scarfone Cybersecurity in Clifton, Virginia. She provides cybersecurity publication consulting services, specializing in network and system security guidelines. Scarfone was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST), where she oversaw the development of system and network security publications for federal civilian agencies and the public.

This was last published in June 2014
