The security channel is wonderful about getting on board with technologies that customers really need. Why? Because when you live on gross margin, you get no dog yummies for jumping on technologies without mass-market relevance. If you don't sell anything, you don't get paid. That's clear enough, no?
So many VARs have been tracking the adoption of unified threat management (UTM) gear and trying to figure out the right time to throw down. This has become increasingly difficult to determine because, as with pretty much every other security technology, the term UTM means something different to everyone.
Vendors have definitions that sound remarkably like whatever product they "used" to sell -- like
So what's a reseller to do? I'm always a fan of taking a step back and examining the user need. Then you can get into specific architectures, decision criteria and ultimately who you want to do business with. But never put the cart in front of the horse. Remember, no demand -- no gross margin -- no paycheck.
The good news is that there is a real need for UTM technology, especially in the mid-market. Mid-sized enterprises have been fed a constant diet of increasingly narrow security technologies to solve terrifyingly narrow problems. They are now rebelling. They don't want another box to solve another problem. They want leverage. They want simplicity. They want integrated management capabilities. And they want it now.
Many customers are willing to replace their existing gear because the ROI of a new box is pretty clear when compared to maintenance renewals and 24/7 support contracts on five or six disparate security products.
So this begs the question, what's in a UTM product? That depends on who you ask, but basically you'll see the following components:
- Firewall/VPN (SSL and IPSec)
- Gateway antivirus and antispyware
- Web filtering/Content filtering
Vendors may also increasingly add Web application firewall capabilities as that market matures. So basically UTM is one box to replace all of the mayhem currently sitting in the customer's DMZ.
To be clear, there isn't a lot of differentiation between the products. According to the data sheets, a UTM is a UTM is a UTM. So when you're trying to decide which vendor to pick, your decision will come down to a few key issues:
- Scalability -- Do you cater to the SMB or enterprise? For the most part, scalability isn't an issue for SMB customers, and for larger customers the architectural differences between products become clear once all of the UTM features are turned on (especially IPS and content filtering).
- Hardware vs. software -- UTM vendors fall into either the purpose-built hardware or software-on-appliance camps. Traditionally, hardware-based solutions (with their own custom chips) have scaled better but tended to be less flexible in adding new capabilities. As the market evolves, these generalizations may not hold, so I recommend you take the solutions you're considering into your lab, and put them to the test. That's the only way for you to really know what'll work for you and your customers.
- Open-source vs. proprietary -- There are some solutions that are largely based on open
source technology wrapped in a pretty interface. Other vendors have built all their own
Ultimately, the vendor(s) you choose will be largely driven by the technologies your customers already have. Changing vendors is risky and usually involves learning a new interface and maybe sacrificing some functionality. That adds friction to the sales cycle. We don't like friction -- it impacts margins.
So if your customer base is largely Cisco, Juniper or Check Point, you pitch the customers first on that solution. In the event the customer hates the incumbent (which is a real possibility), then bring a hardware-based solution (like Fortinet or SonicWall) and a software + appliance solution (like Astaro) to the table. Let the customer decide what is more important to them. Larger enterprises will be interested in modularity and flexibility, so Crossbeam is usually a good fit -- in addition to the typical incumbents.
But get familiar with UTM and do it now. If you don't I can guarantee your fellow VARs will be.
About the author
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta. Read his blog at http://feeds.feedburner.com/securityinciterants, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.
This was first published in January 2007