In this segment of the guide, channel professionals can learn the importance of testing unified threat management (UTM) device performance with real traffic and real network configurations. This argument originally appeared in Information Security magazine.
Performance is a touchy subject when it comes to UTM devices -- it's difficult to benchmark devices when there are no agreed methodologies for UTM performance testing. The usual metrics of packet and connect rate are still valid, but deciding how to stress the systems and properly measure full system goodput as opposed to single subsystem goodput are without industry consensus.
The idea behind the UTM performance advantage is that each component within a UTM product can have influence on the other components. Greater visibility into the flows within a network allows for a closer match between device capability and real network loads. It's a subtle argument, but one that is especially compelling as speeds grow to gigabit levels.
For example, if you're doing inline IPS, all traffic has to go through your IPS -- this is true even if your IPS strategy is only focused on a subset of the traffic load, such as servers. With a UTM-integrated IPS, the UTM device can ask the IPS to inspect only the traffic that the network manager wants to be inspected, not all traffic on the network. Depending on the size of the network, these could be dramatically different numbers.
Performance, though, has its flip side: Most UTM devices get performance-bound quickly as security features are enabled. This means that older firewalls, even if they can be upgraded to UTM versions of firmware, may not have the memory or performance capacity to enable those new features.
For example, we recently tested a UTM device, and performance went from 2000 transactions per second without UTM enabled, to 1000 with IPS enabled, then to 100 with IPS and antivirus, and finally to 50 transactions per second with IPS, antivirus and some VPN traffic. Goodput dropped, as well, from a high of 70 Mbit/sec with UTM disabled to 2 Mbit/sec with IPS, antivirus and VPN. Our experience in testing shows this is not an isolated case (though it is a bit extreme), and devices will commonly drop to 10 percent or less of unburdened capabilities when the load of multiple UTM features is added.
These performance factors mean it is critical that any UTM deployment, even in networks connected to the Internet by 1.5 Mbit circuits, must be prefixed by testing with real traffic and real configurations. It's likely you will discover that any device more than a few years old cannot handle the load that multiple UTM functions add.
A Manager's Guide to Unified Threat Management
Introduction: Be prepared
Consolidation and Cost
About the author
Joel Snyder is a senior partner at Opus One, an IT consulting firm in Tucson, Ariz., and a technical editor for Information Security.
This tip originally appeared in Information Security magazine.
This was first published in January 2007