While there has been a gray line separating next-generation firewalls and unified threat management systems for some time, it seems to be blurring now more than ever before.
Many organizations nowadays are being sold a bill of goods that doesn't necessarily address their needs. Unified threat management (UTM) systems do a good job at a lot of things, while next-generation firewalls (NGFWs) do an excellent job at just a handful of things. Enterprises making bad purchases are no doubt contributing to the seemingly out-of-control security challenges faced today.
So, what's the best way to align an organization's security needs with one product over the other?
It helps to take a look at how NGFWs and UTM can contribute to the overall goal of minimizing network security risks.
UTM vs. NGFW in the enterprise
When it comes to unified threat management systems, there are three main considerations I have seen during my work in the field. First, given the form factor, the feature list of a UTM system is impressive: firewalling, intrusion prevention, VPN, email content filtering, network activity monitoring, malware protection and even data loss prevention (DLP).
In many situations, getting these important security capabilities in one package is the only way to justify implementation; purchasing standalone products for each area is just too costly. That said, enterprises are probably not going to get the absolute best technology for each of the security areas. Many vendors like to think they're the best at everything they offer, but experience has proven otherwise.
Second, each unique security system, application and console an organization has to monitor takes away from other work. Having to learn the interfaces, reporting, etc. for each of the vendor's products can be just as much of a distraction. A single interface can be one of the greatest selling points of unified threat management systems.
Lastly, enterprises must consider whether the specific configuration will be a single point of network (and security) failure or not. If so, how will this be addressed? Hardware and software are fairly resilient these days, but there's also the human component -- someone doing something incorrectly or at the wrong time may take the system down.
That said, there are a few considerations around NGFWs I see regularly in my work. First, NGFW granular application layer features can help monitor and control the most complex of applications and malware.
Additionally, presumably more mature threat intelligence is available given the prevalence of NGFWs across large enterprises and large government agencies.
The potential expense of NGFWs -- in both initial capital expenditures and ongoing operational costs -- is a drawback of the technology. It has been my experience that the larger the vendor, the prouder it is of its products and service.
Lastly, if an organization has a person (or team) managing its NGFW(s), then who's managing the security controls for other security needs, such as DLP, VPN, email content filtering and the like? Enterprises will likely have dedicated resources for those, which is good, as they really need them to manage such diverse systems.
In UTM marketing circles, one of the common selling points is that UTM is good for SMBs. If a company is trying to figure out whether a UTM system can handle its network demands, it shouldn't assume that UTM is only for small mom-and-pop shops with a handful, or perhaps a couple dozen, employees. I see plenty of businesses and government agencies that fall into the SMB category, yet have relatively large networks and overall information system complexity, and that rely on a UTM for much of their security controls.
Unified threat management systems are plenty scalable and feature-rich for sizeable organizations.
Making the decision: UTM vs. NGFW
In the end, the decision on purchasing a UTM or NGFW should be based on risk and what your business needs most. The following questions can help:
- Which risks are you attempting to mitigate? If you cannot fully answer this, you're not ready to buy just yet. Perform your risk assessment (technical and operational) and determine what's at risk and what can be done about it.
- What are your network throughput numbers, service-level agreement requirements and unique network visibility and control needs? Prospective vendors should be able to help you map your requirements to their offerings.
- How much time do you have to dedicate to deploying, managing and troubleshooting these systems?
- What are the independent test lab reports, product reviews and people using these systems saying? You'll learn more about what's best for your organization this way than through any other means.
The answers to these questions could very well be contrary to what a vendor's sales engineer or account manager thinks is best for you. Only your organization knows its network best; you know what's at risk and what you're capable of doing about it. Get as many people involved as you can and gather all the right information so you can decide on the solution that best helps you meet your goals.
The best choice -- UTM or NGFW -- will emerge and be quite obvious. Just don't get caught up in the semantics or vendor/analyst hype. Remember, it's not wrong to choose a different product (or products) altogether.
About the author:
Kevin Beaver is an information security consultant, writer, professional speaker and expert witness with Atlanta-based Principle Logic LLC. With over 26 years of experience in the industry, Kevin specializes in performing independent security vulnerability assessments and penetration tests of network systems, as well as Web and mobile applications. He has authored/co-authored 12 books on information security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website and follow him on Twitter at @kevinbeaver.