By Stephen Bigelow, Features Writer
Network security advances have long been driven by the emergence of new threats. For example, the propagation of malware has pushed the deployment of antivirus and antispam software. Network attacks have fostered intrusion detection and prevention products, and so on. Traditionally, each security product is configured, deployed and managed separately. But as organizations need to address a growing number of security issues, the proliferation of individual security products has become too onerous to manage.
Unified threat management (UTM) vendors seek to ease this complexity by integrating most (if not all) security functions into a single product. The first part of this Hot Spot Tutorial explains the basic concepts and capabilities of unified threat management and helps solution providers understand the key issues in product selection for their clients.
Understanding unified threat management technology
The ultimate goal of UTM is integration -- to provide a comprehensive set of security features in a single product that can be deployed in a single location and managed through a single console. The simplification and consolidation offered by a unified security product can potentially improve security because policies and rules can be developed centrally, often resulting in fewer rule errors that may lead to security oversights. A single security product also reduces security management demands, easing management labor.
While the definition and benefits of unified threat management are easy to grasp, the form and functionality of a UTM platform is still a matter of some debate that has been largely clouded by vendors attempting to usurp the term "unified threat management" for their own specific product or market presence. For example, a few solution providers see UTM as software intended primarily for network endpoints, similar to integrated endpoint security suites.
However, most solution providers define UTM as a hardware appliance or other dedicated hardware that is installed at the network gateway level, undoubtedly encouraged by the majority of UTM vendors that focus on hardware. "UTM has got to be hardware or has to be at least something [dedicated] at your gateway," said Andrew Plato, president of Anitian Enterprise Security, a security solution provider in Beaverton, Ore. One example is Astaro Corporation, offering a series of dedicated ASG (Astaro Security Gateway) hardware gateways that sit on the network, along with Astaro Security Gateway V7 software intended to create a security gateway on any server or virtual server environment.
While solution providers like Plato discount the use of endpoint security software as a UTM product, he does emphasize a complementary coexistence between UTM and endpoint security suites. UTM is "focused at the network level and network defenses, whereas an endpoint product is focused on endpoint defense," he said, explaining that endpoint security can often detect threats that some network devices can miss.
There is equal contention about the features and capabilities of a UTM platform. For example, UTM often incorporates advanced firewalls with deep packet inspection, antivirus, antispam and intrusion detection/prevention functionalities. Some UTM platforms include additional features such as Web content filtering to block inappropriate or malicious websites, virtual private network (VPN) support for secure remote access and secure wireless access for user mobility within the enterprise.
A limited number of UTM platforms add advanced features such as WAN acceleration, rate shaping or even inter-zone security to guard against threats originating within the local network itself. Ultimately, the actual feature set depends on the particular product, so solution providers are challenged to recommend UTM systems with appropriate feature sets. It's important to note that UTM features can be enabled independently -- allowing clients to start with certain features like antivirus, and then add other features like VPN functionality over time.
But solution providers are also quick to cite exceptions. Plato noted that products such as dedicated proxy firewalls, specialized identity firewalls with built-in NAC or other identity functions and pure rate-shaping devices should not necessarily be considered UTM platforms, because they lack the diverse array of essential security features that UTM is known for.
Evaluating and recommending UTM appliances
With so many features and functions concentrated into a single product, testing and evaluating a UTM device can be challenging. Even when a client doesn't implement every available UTM feature from the start, it's vital for a VAR to understand the product thoroughly and be knowledgeable enough to guide the client along an effective migration path. Meeting the wide range of client needs can also make it difficult for a solution provider to partner with a single UTM vendor.
Start by considering the product's basic connectivity and scalability to ensure that its scanning speeds are adequate for the size of a client's environment. For example, Crossbeam's small-office C2 provides four Gigabit Ethernet ports and supports firewall performance to 380 Mbps, while its enterprise-class X25 network processor module supplies two 10 Gbps and 10 1 Gbps ports with firewall performance rated to 20 Gbps. VPN traffic speed should also be relatively efficient while supporting the anticipated number of remote users.
Intrusion detection/prevention features should guard against network threats like buffer overflows, known exploits, malicious code and misuse of IM and peer-to-peer (file sharing) applications. Antivirus and antispyware features are generally software-based, so scanning should keep pace with email and file transfer traffic, and signature files must be updated frequently to meet emerging threats.
Also pay close attention to the unit's administrative requirements. As a consolidated security platform, every feature should ideally be accessible from a single console, allowing administrators to manage the UTM product without jumping between screens or switching management tools.
"Complexity in the security space is always a bad thing," Plato said, explaining that increased complexity results in more mistakes and opens the organization to additional security problems. Solution providers must also consider the product's logging and reporting features since organizations will ultimately rely on such tools to track the security behaviors of their networks -- log data will be used to make changes and adjustments to security strategy over time.
But it's important for solution providers to look beyond individual features and examine each UTM appliance as a single integrated product. Most UTM products can trace their roots back to some type of next-generation firewall (including deep packet inspection or other capabilities), but manufacturers quickly added a wealth of other features. Plato pointed out that few UTM platforms have been designed and developed from scratch -- most are cobbled together using functional components that have been licensed or manufactured by several different vendors. Consequently, the performance of different features can be inconsistent.
"UTMs are invariably good at one or two or three of their core functions and mediocre at the rest," Plato said. "It's important to know what those strengths and weaknesses are." In many cases, the UTM product's strongest features are matched to a client's most significant needs.
When a product is assembled from a variety of different manufacturer's components, the UTM manufacturer must develop an operating system or code base to interface those different functional elements. Unfortunately, this integration process can lead to poor performance or inefficiency in the operating code when multiple features are enabled on a single device.
"These companies end up bolting on these pieces in order to be competitive in this market, but they end up with systems that are clumsy… and they don't work very well," Plato said. Integrating third-party components also makes it virtually impossible for UTM vendors to optimize the offending feature or streamline the overall product. OEM components can frequently complicate service and support. For example, a software supplier can blame performance issues on the hardware maker and vice versa, resulting in support delays and frustration for the UTM user. This is further exacerbated by UTM vendors that swap out one component for another provided by a different OEM.
This was first published in August 2008