Problem solve Get help with specific problems with your technologies, process and projects.

UTM features: Is a UTM device right for your layered defense?

Expert Mike Chapple explores what features a contemporary UTM device provides, and explains the factors that help determine UTM total cost of ownership.

This tip is part of's Intrusion Defense School lesson, Reinventing defense in depth. Click on...

the lesson page for the other materials in this lesson. For dozens of free lessons on a variety of information security and compliance topics, visit's Security School Course Catalog.

For several years, industry insiders have lauded the widespread availability of unified threat management (UTM) systems as the tipping point that will bring often-underutilized security technologies to the small and mid-sized enterprise. 

Dedicated security appliances for intrusion detection and prevention, content filtering and gateway antivirus have often been outside of the price range and expertise of these organizations, leaving UTM as the only viable means for securing their networks on a reasonable budget, but are they right for your enterprise? That’s what we’ll help you determine in this tip.

Introduction to UTM

UTM products replace the traditional firewall at the border of the enterprise with a well-rounded security device capable of performing many security services in a single box.  Common UTM features include:

●     Traditional firewall protection

●     Intrusion detection and prevention

●     Virtual private networking

●     Content filtering

●     Gateway malware filtering

●     Spam filtering

●     Data loss prevention

●     Vulnerability management

While not every UTM product offers all of these features, you’re likely to find several that provide the subset you need for your enterprise. 

The two major benefits offered by UTM are bundled cost and ease of management.  Typically, the price of a UTM appliance is only slightly higher than what you’re already paying for the firewall protecting your perimeter, but a UTM device provides a tremendous amount of added functionality at a fraction of the cost of separately purchased devices.  From a management perspective, you’ll have a single interface to administer all of your perimeter security controls. This is a significant time saver, reducing the number of devices you need to check during your routine security log reviews.  (And you are doing routine log reviews, right?)

Is UTM right for you?

Should you consider a UTM for your organization?  If you’re a small to medium-sized organization that currently lacks several of the security controls listed above, you’re a prime candidate for a UTM device.  If it’s not in the budget now, consider a UTM appliance to replace your firewall during your next upgrade cycle.

If you’re running a large network, a UTM device is probably not the best bet for you.  Although the bundling of services is attractive, it’s not the most efficient way to handle large-scale security services.  In fact, you might find that a UTM appliance is simply not able to keep up with the load presented by your network.  You’ll get enhanced functionality and better performance by purchasing separate function-specific devices.

There is one scenario where large enterprises may wish to consider the use of UTM systems: smaller remote offices.  If you have a network of sales or support offices in geographically dispersed locations, a UTM device may be just the thing you need to secure that environment.  Most UTMs are capable of establishing a site-to-site VPN back to your home office while simultaneously providing a suite of security services to remote users.

Assessing the total cost of ownership

As with any security investment, you should be sure to consider the total cost of ownership (TCO) of a UTM appliance before you purchase it. You’ll certainly want to include the purchase price and ongoing support contract for the appliance, but there are some hidden costs as well.  Here are a few things to consider:

●     Will the new device require a recurring time commitment from your IT staff?  If you’re adding services, it’s inevitable that it will take additional time to properly maintain them.

●     Will your staff require training before using the UTM appliance?

●     What is the cost of annual signature updates for the antimalware and content filtering components of the system?  Although the first year of service may be included in your device purchase cost, the renewal of these services is often a separate cost from your device maintenance renewal.

●     Do any of the services require add-on license fees?  You may find one or more services are available on the appliance but are not part of the base license fee.  One common scenario is vendors including a small number of VPN user licenses with the device and requiring a separate fee for each additional license.

Overall, UTM appliances provide a good bang for the buck to small and mid-sized enterprises interested in enhancing their perimeter security services, and can also be useful to larger enterprises in limited roles like remote offices.  When used in combination with other security controls, such as endpoint configuration management, software updates and desktop antivirus, UTM devices play an important role in a defense-in-depth approach to information security.

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

This was last published in April 2011

Dig Deeper on Network device security: Appliances, firewalls and switches

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.