Fire-Proofing Your Network With UTM,
Fighting fire with UTM firewalls

Today, these multi-service "UTM firewalls" are very popular in the SMB and SOHO markets. Stopping attacks at the internet gateway appeals to organizations with limited security expertise because it consolidates control. During a new threat outbreak, just one platform requires an immediate signature update. Before that signature becomes available, just one platform requires the savvy to block suspicious traffic. For malicious code or phishing attacks arriving by e-mail, just one platform must be reconfigured to blacklist the sender. And so on.

Make no mistake: endpoint security programs still play a critical role in protecting end users from each other and the dangers posed by public network connections. No network should depend exclusively on a single UTM firewall for security. But, in reality, small networks often do. Where endpoint and server security measures are absent, broken, or simply outdated, a UTM firewall can offer far more protection than a basic TCP/IP packet inspection firewall.

Those with limited budgets can also benefit from a la carte licensing. When a network owner installs a UTM firewall, they purchase a configurable platform from which to try (and perhaps buy) incremental network defenses. A small office might start with a $499 firewall/IPS appliance, using 30-day trials to experiment with the benefits and impacts of network anti-virus/spyware or web filtering. Packaging varies widely, but configurable UTM firewalls let administrators enable just the features they need and want.

Edging into the enterprise

On one hand, UTM platforms can eliminate physical boundaries that required chaining best-of-breed boxes together. Instead, enterprise administrators can decide where and how to group security services, for example by dedicating one UTM platform to firewall and IPS while configuring another for e-mail spam and virus filtering. Or workload can be distributed across several UTM platforms, each providing the same set of security services, but for a different set of systems/users or applications/protocols.

In large, complex networks, UTM platform consolidation can pay dividends by lowering capital equipment and operating expenses. Annual maintenance contracts and training costs are reduced by focusing on a smaller set of products. Reducing the number of boxes and subnets can also simplify routine monitoring and troubleshooting.

On the other hand, enterprise network security needs are more diverse than SMB needs. For example, SMBs may not need or use spam filtering bells and whistles, but networks that receive huge amounts of spam, destined for large user communities, may absolutely require the deeper policies and more granular controls found in best-of-breed products.

There are also limits to what anyone can squeeze out of a single box. SMB UTM appliances cannot meet enterprise demands, but high-end UTM platforms are now available with gigabit interfaces and high availability. Advertised capacities vary widely, impacted by hardware and product architecture. But in situ policy and traffic also make a huge difference: for example, a UTM platform with gigabit firewall/IPS throughput may slow to 400 Mbps or less with virus scanning enabled.

Finally, larger networks rarely depend on a single perimeter firewall, nor are they likely to depend on a single UTM instance. The same UTM platform can play many different roles in an enterprise or provider network, from guarding a server farm to protecting an individual workgroup or customer subnet. In short, anywhere a trust boundary must be enforced, a UTM platform could be deployed to establish a "security zone."

Navigating the road ahead

To illustrate what UTM products can do, Part 2 of this series will take you on a guided tour of one entry-level UTM appliance. Part 3 will demonstrate the benefits and limitations of enabling UTM anti-X services. Finally, Part 4 will share one provider's experiences with delivering UTM as a managed security service.