Identifying the best unified threat management (UTM) appliance for your enterprise's specific business needs can be a confusing and challenging task. However, knowing the proper questions to ask potential vendors can greatly help simplify the process.
When you're evaluating UTM products or services, it is critical to ask the following important questions:
1. Where are the primary components of the product or service typically located? For example, does the UTM appliance sit directly on the customer's network, or is the appliance located with the customer's Internet service provider, the managed security service or UTM provider? If multiple options are available, which placement is recommended and why?
2. Which of the following security capabilities does your product or service provide? For each capability, indicate whether a third-party product provides it (for example, antivirus software bundled from another vendor) and, if so, indicate how tightly it is integrated with the UTM system in terms of patching, attack detection and prevention, reporting and the like.
- Application control
- Intrusion prevention
- Virtual private network
- Web content filtering
3. In addition to the security capabilities listed in question two, what other security capabilities does your product or service offer? Examples include bandwidth management, data loss prevention and load balancing. What other security capabilities are you planning to add in the short term (e.g., next year)?
4. Of the security capabilities the UTM product or service provides, which ones may be disabled (for example, can antivirus capabilities be disabled if they are already being performed by enterprise antivirus servers)? Are there technical dependencies among the capabilities, such as firewalling being a core capability that other capabilities cannot function without?
5. What technical methodologies do the antivirus software, intrusion prevention software or other attack detection capabilities use to identify the possible presence of an attack? Are these methodologies all signature-based or are some anomaly-based or reputation-based? Is there any sharing of attack information across customers (for example, would a signature for an attack seen on customer A's network quickly be added to other customers' signature sets)?
6. How does the UTM product or service respond when it is overwhelmed with activity to process (for example, when legitimate traffic exceeds peak expectations, or when a distributed denial of service [DDoS] attack occurs)? Do users experience noticeable slowdowns? Are some security checks "skipped" to increase performance while decreasing security? Are there traffic-shaping capabilities to ensure that the most important traffic continues to be fully processed? What features does the UTM product or service have that make it resistant to DDoS attacks?
7. What degree of access does the vendor have to the customer's UTM appliance (e.g., technical support access, administrative access, no access)? If the vendor has any type of access, how is that access secured (including authentication methods, network traffic encryption and administrative auditing)?
8. What degree of access, if any, does the vendor have to the network traffic flowing through the UTM product? Is the customer's network traffic routed through any of the vendor's networks or systems other than the UTM appliance? Under what conditions does this occur (normal conditions, DDoS detection and so on)? Who can access that traffic, and how is that traffic protected from unauthorized access?
9. How are updates handled for the UTM (pushed, pulled, other)? Can UTM updates be checked for and applied automatically, and if so, how frequently can this occur? How often are UTM updates typically made available? If third-party vendors are involved, how quickly are their signature or reputation updates to components such as the antivirus software and Web content filtering made available to the UTM after initial vendor release?
10. A major concern with UTM technologies is that they create a single point of failure and compromise. What features do your UTM products or services provide that support the integrity and availability of UTM technologies, as well as the confidentiality of the security data that they record?
About the author:
Karen Scarfone is the principal consultant for Scarfone Cybersecurity in Clifton, Virginia. She provides cybersecurity publication consulting services, specializing in network and system security guidelines. Scarfone was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST), where she oversaw the development of system and network security publications for federal civilian agencies and the public.