Managed Security Services

Fire-Proofing Your Network With UTM,
Part 1: Battling new security threats

Today, it takes more than a firewall to defend a network against downloaders, trojans, worms, phishing attacks, and bandwidth-hogging spam. In this series, we examine an increasingly popular alternative: Unified Threat Management.

by Lisa Phifer VP Core Competence, Inc. [December 27, 2007]

Series Summary: Fire-proofing your network with Unified Threat Management

• Part 1: Battling today's security threats
• Part 2: Deploying a UTM appliance
• Part 3: Layering on Anti-X defenses
• Part 4: Delivering UTM as a managed service

Unified Threat Management (UTM) appliances have been quick to gain market traction, putting a serious dent in traditional firewall sales. According to an IDC 1Q07 study, UTM is now the top-selling security appliance category, growing at an annual rate of 28 percent. In fact, just about every firewall vendor now sells UTM appliances.

In this series, we take a look at why UTM has become such a hot commodity and how service providers can benefit from this integrated, network-based approach to snuffing out contemporary security threats.

Defining UTM
Three years ago, IDC coined the term Unified Threat Management to describe an emerging class of security appliances that attempted to integrate multiple security services on a single hardware platform. Originally, UTM products offered at least network firewall, intrusion detection/prevention, and gateway anti-virus services. Today, most UTM appliances pile on a lengthy list of "anti-X" services: anti-spyware, anti-spam, anti-phishing. Many can also provide URL filtering and VPN services.

However, UTM is more than the sum of these parts. UTM represents a fundamental shift in network defense strategy, necessitated by a rapidly-evolving wave of increasingly complex, targeted, and financially-motivated threats.

Before UTM, firewalls controlled the flow of network traffic by inspecting TCP/IP protocols. Some firewalls also used proxies to enforce application-specific rules. However, older firewalls largely left message content inspection to other security systems. Instead, tightly-focused "best of breed" products like IDS sensors, web caches, and desktop virus scanners were used to spot unwanted messages inside the network.

This approach was effective when attacks were aimed at the network and port blocking could control access to servers and data. But as lower-layer defenses improved, attackers shifted to carefully-crafted messages that exploited new application vulnerabilities, weak configurations, and gullible end users. Malicious code grew crafty, slipping through always-open ports and gaps between security systems, while changing faster to evade signature detection. Today, spyware like downloaders and trojans not only outnumbers conventional viruses, but poses a far greater threat.

To deal with these new threats, enterprises and providers spent more and more to purchase, integrate, and maintain a number of separately-managed and monitored security products. Whenever a new category of threat emerged, those with budget and staff invested in yet another security box—perhaps even a load-sharing pool of boxes. Over time, TCO and latency increased, while overall reliability declined.

Worse, cost and expertise barriers grew prohibitive for homes, small businesses, and branch offices. In many small networks, security starts and ends with a single internet firewall. Branch offices either relied on HQ for services like spam filtering or assumed that manually-configured PC security programs wouldn't fail. SOHOs and individuals had little choice but to ignore emerging threats and pay the price as desktops became crippled by spyware and user identities were stolen.

Go to page two: Fighting fire with UTM firewalls >