By Stephen J. Bigelow, Senior Technology Writer
While the physical deployment of unified threat management (UTM) appliances is typically straightforward, the actual configuration can be quite complex. Solution providers must acquire a detailed understanding of the client's network topology and applications in order to establish a suitable migration plan, configure batteries of complex rules for each UTM security feature and complete a successful handoff of each feature to the client. UTM product configurations are also dynamic, changing as applications, infrastructure and business needs evolve. The first part of this Hot Spot Tutorial introduced the basic concepts and capabilities of UTM. This second installment examines a series of UTM deployment concerns and presents typical management considerations.
Deploying unified threat management appliances
Most unified threat management products are implemented as hardware appliances and are deployed at the client's gateway, where network-centric security features such as deep packet inspection or intrusion detection can monitor all traffic entering or leaving the organization. Software-based UTM tools can be installed on a dedicated server and connected at the network perimeter. Consequently, physical UTM deployment is typically straightforward, causing only minimal disruption during the initial installation process.
The biggest oversight in UTM appliance selection is underestimating or settling for inadequate throughput. You should always overbuy throughput, "because the more security features you turn on, the bigger the performance hit on that UTM system," said Andrew Plato, president of Anitian Enterprise Security, a security solution provider in Beaverton, Ore.
UTM is recognized for its consolidation of diverse security technologies into a single product, but feature utilization is rarely an all-or-nothing proposition. Most clients rely on several security products -- each covered by a warranty and service agreement that expires at a different time, so UTM features are frequently enabled in phases. Solution providers must understand their client's current security scheme and contract schedule, then formulate a migration plan that enables UTM features as legacy security products reach the end of their respective lifecycles. This type of phased implementation can provide a source of recurring revenue for solution providers.
"The resellers that provide a smooth migration process are going to benefit their clients the most," said Charles Hegarty, vice president of business development and alliances with ITS Partners, a Symantec solution provider headquartered in Grand Rapids, Mich.
Avoiding UTM deployment mistakes
The real challenge with UTM deployment is in the product's configuration. Advance planning is crucial -- you need to understand the client's network and applications, and then develop an effective and efficient set of security rules that will address every application in your client's environment. Once policies are configured, a UTM solution provider should execute a comprehensive test plan to verify the rules and help identify security gaps. Without well-developed and refined rules, UTM quickly loses its value as a security tool.
Configuration is particularly difficult for large organizations that may operate hundreds of network devices and thousands (even tens of thousands) of endpoints. "Managing that whole infrastructure holistically and with the same security policy is really where the challenge comes into play," said Joe Luciano, CEO of AccessIT Group, a provider of IT security and infrastructure technologies headquartered in King of Prussia, Pa.
Poor security planning and testing are perhaps the most pervasive problems seen by solution providers called in to assist clients with botched UTM deployments. Disgruntled clients may opt to disable troublesome UTM features, never finding the time to properly study and correct the issue. "A lot of smaller providers completely forget about this issue, and it will come back to haunt them because stuff won't work," Plato said. "Or they'll create wide open rules just to get everything working without really analyzing what's going on -- and that pretty much negates the purpose of having a security appliance."
Poorly planned or configured UTM installations can cause tremendous frustration for the client. Solution providers like Plato underscore the need for providers to master UTM product offerings and perform the homework necessary to deploy and configure the product smoothly. "If you're having to shut off a feature because something in your network isn't working, that isn't because the product is poorly engineered," Plato said. "It's because there's something going on in your environment and you need to sit down and think about that and analyze it."
It's a bad idea to blindly transfer existing security policies to new UTM appliances. There can be thousands of rules and exceptions, but few clients or solution providers ever review the existing policies to see if they are still relevant. "Use the new device as an opportunity to rethink the way the customer has really built the policies that help protect their organization," said Mike Rothman, president and principal analyst at Security Incite, an independent analyst firm near Atlanta. Rethink the policies and rules in light of the current threat model, which can be substantially different from when the policy was initially implemented.
UTM planning and preparation can sometimes reveal knowledge gaps in the expertise of the solution provider's staff, and this can lead to features being inadequately or incompletely configured. "When they go do the implementation they might be really strong on the firewall side, and they might ask all the right questions, but they don't really know what to expect or ask of the customer about other areas," Luciano said. The client quickly sees that the UTM product isn't working properly, and this can result in a difficult deployment. One of the best ways for a solution provider to avoid UTM deployment issues is to engage knowledgeable and well-rounded security personnel to work with the client to address every UTM product feature.
Another deployment oversight involves the final client handoff once a UTM appliance is installed and ready for use. Larger clients may involve several different groups in the management of separate security products. For example, firewall management is often handled today by a network group, while IDS/IPS features are handled by the security group and so on. Since several different groups may now be involved in the management of a single UTM product, a solution provider will need to understand how the client manages each feature and be prepared to hand off control of each feature to the appropriate group as it's enabled -- it's often approached as part of the solution provider's UTM migration plan. In some cases, a solution provider will need to facilitate discussion between disparate client groups to preempt handoff issues. Experts say that the only time a UTM appliance is not "fully" deployed is when the organization is so siloed that it's practically impossible for multiple groups to share the management of a single device.
UTM management considerations
UTM appliances demand some degree of management, but the exact amount is a matter of debate. Conventional wisdom suggests that consolidating myriad security features into a single platform should provide a measure of management efficiency once the initial setup and configuration is complete. "Over time, if you can reduce that [proliferation of devices] to one console or one agent through one tool, then understanding that tool is going to reduce the overall time that you need to support [the device]," Hegarty said. The idea is to accomplish more work with fewer people.
However, UTM configurations are never static. Introducing new applications, updating existing applications or adding new network devices requires a corresponding adjustment to permissions and rights. In addition, security products regularly produce detailed log and event data that should be analyzed in a timely manner, allowing clients to forestall attacks, troubleshoot network problems or identify potential vulnerabilities to their security posture.
Plato noted that security products carry an "analytical overhead" that should not be ignored, but the actual time involved will depend on the size of the organization. Plato recommends that a staff member study UTM appliance logs at least a few hours a week, if not a full day. Analysis can be performed by the client in-house, but solution providers can derive recurring revenue by providing analytical services and making periodic changes to the UTM configuration -- or offering recommendations to the client's UTM management groups.
This was first published in August 2008