
When to upgrade legacy hardware with unified threat management

The maturation of unified threat management technologies has made many legacy firewalls and software obsolete. Help your customers realize security gains and implement high-performance UTM appliances.

The mantra of 2010 for many companies is "do more with less." As aging point technologies, such as firewalls, intrusion detection systems and Web content filters, reach their end-of-life, IT security people are under increased pressure to cut costs and simplify operations.

In the past, single-function technologies were considered best practice. However, in the last few years, unified security offerings, like unified threat management (UTM) appliances, have significantly matured. These products have now become a viable replacement option for aging legacy equipment.

In this tip, we will discuss how solution providers can make a case for UTM, and we'll look at how to help customers upgrade legacy technologies over to unified products that deliver more bang for the buck.

Unified security has arrived
Whereas unified security products were a novelty just a few years ago, appealing mostly to small businesses, they are now a serious option for organizations of all sizes. A combination of factors is motivating companies to consider unified security suites.

Budget cuts: Less budget means organizations need to do the same work (or more) with less money.

Resource cuts: Fewer people running the infrastructure means those people need to be able to work more efficiently.

Maturation of unified security products: Unified platforms, specifically unified threat management appliances, are no longer the flimsy, small office/home office (SOHO) devices of a few years ago. Some of the high-end options can deliver line-speed 10 Gbps performance in a single appliance.

End-of-life (EOL) point products: Companies that invested in new firewalls, IPS or DLP products a few years ago are now seeing those products reach end-of-life.

What is a 'unified solution?'
A unified solution refers to a technology that consolidates multiple functions into a single product, package or appliance.

At the host level, a unified security product is a single agent that performs antivirus, firewall, antispyware, DLP, host-based IPS, encryption and application control on desktops and laptops. Numerous endpoint security manufacturers, such as Sophos Inc., Symantec Corp. and McAfee Inc., now offer unified endpoint protection clients.

Unified products are also creeping into the virtualization market. Virtualization technologies, such as VMware, offer a common platform on which to run many different appliances, and security firms are beginning to see the value in this. Many email security technologies can run as virtual machines, and Web filters and firewalls, such as the Cisco ASA, are now offered as virtual appliances.

The big player in this market is UTM. What began as a firewall with a built-in IPS or AV engine has matured into a rather robust market with some very sophisticated products.

Benefits of unified security products
Unified security appliances offer some obvious, and not so obvious, benefits that solution providers can focus on when recommending products.

Simplification: This is a hard concept to quantify, but simplified systems and networks provide numerous benefits; failures are less common, and the simple systems are easier to manage, modify and upgrade. A common management framework will naturally make administering the system much easier. When IT administrators only have to log on to one console, they can streamline their work and cut down on redundancy.

The challenge here is for customers to view simplification as a good quality. Many network administrators equate simplicity with rudimentary or crude. This bias comes from the notion that simplified systems may put them out of work. A smart network or system administrator will view simplification as a way to free up time to focus on strategic issues and deploy new services to aid the business.

Reduced cost: Combining multiple applications onto a common platform can yield significant cost savings. Buying a standalone firewall, IPS, Web filter and SSL VPN may run $100,000 or more; a UTM appliance with the same features could be purchased for a quarter of that. Support costs over time will also be much lower, since most UTM products offer a single "bundle" that renews all features for one price.

Expansion capabilities: Even if a customer does not use all the features in a UTM product, the features are available (at the click of a mouse) for future expansion. For example, a company may not want to use the Web filter in a UTM appliance, preferring to go with an existing dedicated product. However, should Web filtering be needed later for a new network (such as a public Wi-Fi), a customer can flip on the filtering without having to purchase additional equipment or license.

Drawbacks of unified security products
Naturally, any new offering is going to have drawbacks, and unified security appliances are not unique here. Some of the common objections include:

Single point of failure: Unifying multiple applications on a common platform does run the risk of creating a monolithic system whose failure takes down many safeguards at once. The simplest way to handle this objection is to deploy unified products in redundant clusters, which provide backup if a device should fail; any decent UTM appliance should offer high availability. Note that an HA pair protects against a hardware or link failure, not against a bad configuration change or a faulty signature update, because those are replicated to both nodes. Change control and staged updates still matter.

Performance limitations: UTM appliances can introduce performance bottlenecks if they are not deployed correctly. There are ways to remedy this and avoid performance problems.

First, make sure the customer is considering an appliance that exceeds their requirements. If you need to protect a 1 Gbps network link, then you will need an appliance that can handle considerably more than 1 Gbps. Be careful which datasheet number you size against: the headline throughput is usually measured with the firewall alone, and enabling IPS, antivirus and SSL inspection on the same box can cut sustained throughput by a large factor. Size against the vendor's figure for all the features the customer will actually turn on, and direct customers to "overbuy" as much as they can.

Second, consider the architecture and design of the UTM product. Some unified security technologies are cobbled together from disparate applications that the manufacturer has licensed from third parties. Systems that integrate third-party applications tend to suffer more performance and stability problems and therefore need more performance headroom. The most reliable systems are those designed from the ground up as a unified security product, where the manufacturer controls all the relevant components and applications.

Lastly, it is vital that any security product be optimized and tuned for the environment. Intrusion prevention systems (IPS) in UTM appliances, for example, can generate a lot of false positives if they are not tuned to the environment. This leads to customers ignoring events or, worse, turning off the IPS features. Any IPS, even a UTM version, needs to be acclimated to the environment, and that tuning is rarely a one-time task: new applications, subnets and signature updates all change what "normal" looks like. This is an excellent opportunity for solution providers to bundle professional services for tuning and optimization.
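The tuning pass described above starts with a simple question: which signatures are firing most, from where, and does the traffic pattern look like benign chatter or like something worth keeping? The following script is an added example written for this page; it is not code from the article or from any UTM vendor. It parses a handful of constructed alert lines in the one-line "fast.log" style that Snort and Suricata write (the format is assumed here, and a given appliance's export format will differ), ranks signatures by volume, applies a stated heuristic to flag tuning candidates, and emits Snort/Suricata threshold.config lines for rate limiting or suppressing a noisy signature. The 10.0.0.0/8 internal range, the signature IDs and the addresses are all made up for illustration.

```python
"""Rank IPS alerts by noise to guide tuning (added example, not from the article)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample alerts (made up for this example) in the one-line
# "fast.log" style that Snort and Suricata write. Assumed format.
SAMPLE_ALERTS = """\
03/15-09:01:12.000000 [**] [1:2100001:3] POLICY ICMP echo request [**] [Priority: 3] {ICMP} 10.0.1.5 -> 10.0.0.1
03/15-09:01:13.000000 [**] [1:2100001:3] POLICY ICMP echo request [**] [Priority: 3] {ICMP} 10.0.1.6 -> 10.0.0.1
03/15-09:01:14.000000 [**] [1:2100001:3] POLICY ICMP echo request [**] [Priority: 3] {ICMP} 10.0.1.7 -> 10.0.0.1
03/15-09:01:15.000000 [**] [1:2100001:3] POLICY ICMP echo request [**] [Priority: 3] {ICMP} 10.0.1.8 -> 10.0.0.1
03/15-09:02:12.000000 [**] [1:2100001:3] POLICY ICMP echo request [**] [Priority: 3] {ICMP} 10.0.1.5 -> 10.0.0.1
03/15-09:03:40.000000 [**] [1:9900001:1] MALWARE-CNC suspicious beacon [**] [Priority: 1] {TCP} 10.0.2.20:51234 -> 203.0.113.9:4444
03/15-09:04:02.000000 [**] [1:9900002:2] WEB-ATTACKS SQL injection attempt [**] [Priority: 1] {TCP} 198.51.100.7:52000 -> 10.0.3.10:80
03/15-09:04:03.000000 [**] [1:9900002:2] WEB-ATTACKS SQL injection attempt [**] [Priority: 1] {TCP} 198.51.100.7:52001 -> 10.0.3.10:80
"""

# [gid:sid:rev] message [**] ... {proto} src -> dst
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)"
)

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal address space


def _host(addr):
    """Strip a trailing :port from 'ip:port' (IPv4 only in this example)."""
    return addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr


def is_internal(addr):
    ip = ipaddress.ip_address(_host(addr))
    return any(ip in net for net in INTERNAL)


def parse_alerts(text):
    """Return one dict per parseable alert line; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            d["src"], d["dst"] = _host(d["src"]), _host(d["dst"])
            alerts.append(d)
    return alerts


def rank_signatures(alerts, noise_floor=3):
    """Group alerts by signature and flag likely tuning candidates.

    Heuristic (an assumption for this example, not a rule from the article):
    a signature that fires at least `noise_floor` times, from more than one
    internal host, and only on internal-to-internal traffic is usually benign
    chatter and a candidate for rate limiting or suppression. Anything that
    involves an external address, or fires rarely, is flagged for investigation
    rather than silenced.
    """
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["gid"], a["sid"], a["msg"])].append(a)
    ranked = []
    for (gid, sid, msg), hits in groups.items():
        sources = {a["src"] for a in hits}
        all_internal = all(is_internal(a["src"]) and is_internal(a["dst"]) for a in hits)
        noisy = len(hits) >= noise_floor and len(sources) > 1 and all_internal
        ranked.append({"gid": gid, "sid": sid, "msg": msg, "count": len(hits),
                       "distinct_sources": len(sources),
                       "verdict": "tuning candidate" if noisy else "investigate"})
    ranked.sort(key=lambda r: r["count"], reverse=True)
    return ranked


def suppression_line(gid, sid, ip):
    """threshold.config syntax: silence one signature for one source host."""
    return f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"


def rate_limit_line(gid, sid, count=1, seconds=60):
    """threshold.config syntax: alert at most `count` times per `seconds` per source."""
    return (f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
            f"track by_src, count {count}, seconds {seconds}")


if __name__ == "__main__":
    for row in rank_signatures(parse_alerts(SAMPLE_ALERTS)):
        print(f"{row['sid']:>8} {row['count']:>3} hits {row['distinct_sources']:>2} sources "
              f"{row['verdict']:<17} {row['msg']}")
        if row["verdict"] == "tuning candidate":
            print("          ", rate_limit_line(row["gid"], row["sid"]))
```

Run against the constructed sample, the ICMP policy signature (five hits from four internal hosts to one internal destination) comes out as the tuning candidate, while the single outbound beacon and the two external SQL injection attempts are left for investigation. Prefer the rate-limit form over outright suppression where possible: it keeps one alert per source per minute as evidence while stopping the flood, and it should be revisited after each signature update.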

Enterprise class: UTM is often seen as a small-business technology, but many UTM providers now offer very high-performance appliances, with the enterprise support and services that large companies demand. All of the major security providers now offer multi-gigabit performance. Some, like Fortinet Inc. and Palo Alto Networks Inc., can deliver line-speed 10 Gbps performance.

Keys to unified security success
When guiding customers to unified security products, consider these key issues.

  • What is the current landscape? If the customer just signed a three-year contract for a new firewall, then replacing it with a UTM appliance is going to be a tough sell.
  • Do the math. Make sure you understand the financial proposition the unified security product offers. Companies often think of decisions in raw dollars, and will ignore or miss the multiyear savings of not having to renew other point products.
  • Plan carefully. Unified security appliances often replace two or more existing technologies. Implementation and deployment is crucial to success. This is an excellent opportunity to provide customers with professional services. Make sure to stress the importance of careful deployment planning to the customer.
  • Use only what you need. While many unified security suites have lots of features, not every feature is going to be ideal for the environment. And unified products tend to be strong in some areas and weak in others. Know the limitations of each offering and direct customers accordingly.
  • Conversion pains. It's unlikely that the configuration from older systems will seamlessly convert into a new security arrangement. This is another area where professional services can be very valuable. Offering to convert the old system to the new will save the customer a lot of frustration and time.
  • Complex licensing. Some products have very complex licenses that require multiple components to be licensed for the entire suite to work properly. If available, direct the customer to purchase a "bundle" license that packages all the features together. This is usually a much faster and less confusing way to license the product.

Tight budgets and end-of-life legacy point products have created a demand for unified security. Service providers should evaluate their offerings in this space and determine how to best approach clients. The efficiency gains are significant for UTM appliances. If that is not enough to justify a change, then consider the financial savings. In some cases, companies could save 50% or more on licensing. Between the efficiency, security, simplicity and cost-savings, there is no better time than now to consider unified security products.

About the author
Andrew Plato, CISSP, CISM and QSA, is president and principal consultant at Anitian Enterprise Security. Andrew has over 20 years of experience in information systems, networking and computer security. Prior to running Anitian, he was a database developer and technical writer for Microsoft. From 1997-2000 he helped develop the BlackICE intrusion prevention system for NetworkICE Corp. which was later acquired by Internet Security Systems.
