Fire-Proofing Your Network With UTM,
Weighing the options

"It is also much better to have those security services on this side of the last-mile connection. Not only is malicious traffic consuming circuit bandwidth, but it is consuming CPU on the customer's router. Performing security services in the cloud is much more efficient."

Point solutions can sometimes be better at a single task, but "as a business, I think you have to weigh that against manageability and cost," said Davis. Many MegaPath customers are large distributed enterprises with hundreds or thousands of small sites, or SMBs with fewer than 500 employees and 10 sites. "Those two segments tend to do the analysis and come up with UTM as their best approach," said Davis.

Tunneling through UTM

Most customers route cleartext traffic over T1 or DSL onto an MPLS private virtual circuit. But sites connected via cable or customer-provided circuits use a VPN router to secure that last mile. "We still have legacy customers using Cisco routers to terminate IPsec tunnels," explained Davis. "But more and more, we're using our F5000s to terminate those IPsec tunnels, giving us one place to manage all of the customer's services."

SSL has been MegaPath's dominant remote access VPN since it acquired Aventail's managed services group in March 2005. "SSL customers from that acquisition were large Fortune 100-500 customers or large consulting firms with thousands of users worldwide," said Davis. "We've since taken that service and scaled it down to smaller customers with maybe only 50-100 users."

Today, if a customer buys MPLS VPN, MegaPath uses a hosted SSL appliance to deliver remote access to the customer's network. In that case, the SSL appliance is placed outside of the F5000 so that the F5000 can apply UTM anti-X services to the traffic after decryption. A smaller Fortinet firewall is then used to protect the SSL appliance from the Internet. Despite these additional hops, MegaPath does not plan to move those remote access VPN tunnels onto the F5000.

"When deciding which SSL VPN platform to support next, our goal is to provide different feature/functionalities for our customers. Purpose-built VPN appliances offer functionality that doesn't exist in the F5000," said Davis.

Series Conclusion

Ultimately, UTM is not an all-or-nothing approach that requires you to squeeze everything into a single box. Rather, it is a different way of delivering network security: an approach that can help you tackle contemporary threats by deploying broader network defenses, that can tap configurable multi-function security platforms to do more with fewer separately purchased, independently managed devices, and, hopefully, that permits more cost-effective delivery of more secure services.