I was reading Christopher Hoff's blog yesterday and got to pondering the use and usefulness of UTM and UTM architectures to the mid-to-large enterprise.

There's a lot to say on this topic, so I will confine myself to a couple of points. First, why would you even consider a UTM solution, Second who would own a UTM solution, and third what is with the different architectures.

Just to be entertaining, I'll start by pointing out that most readers I talk to wouldn't consider a UTM at this time. That doesn't mean most organizations wouldn't, there's a limit to the number I can stay in regular touch with and still get my job done, but it does say something about the market.

UTM is appealing in that you can slow down the steady spread of boxes that represent your security architecture. Now that doesn't mean you can eliminate function - you still need a firewall and an anti-spam device, etc. etc. It just means there are less physical boxes in your network. I'm not certain that is the bonus UTM providers think it is. You still have to manage the same number of apps, just in a smaller number of physical locations.

Greg Shipley rightly reminded me that most organizations struggle with ownership of UTM. Content inspection, Anti-virus, and Firewall are all generally controlled by different crowds in the enterprise, so if you choose a UTM solution, you'll have to arm-wrestle to see who has to maintain it. I'm voting for the auditors, they're not busy enough ;-). Or maybe that's just because I've never been an auditor.

The problem gets even more sticky when you look at the UTM architectures out there. Crossbeam, the company that Christopher works for, and whose blog started this train of thought, uses a blade server with best-of-breed applications as its solution. This can be good and can be bad. First off, you're going to have a cascading group of applications that have to crack the packet individually. Crossbeam argues that this problem is minimalized for them because they send packets to applications in parallel. That's cool, but the CPU usage is still up there. Less of a problem on a blade server, but they also sell 1U/2U solutions that might suffer from the CPU and memory requirements of several apps doing the same job over and over.

Other vendors have taken different routes. Cymphonix for example uses integration of solutions to leverage the UTM model - offering unified management and reporting that allows you to see at-a-glance what the overall security system is doing. The negative is that you'll be using only the software they've chosen or developed, probably meaning a rip-and-replace of your existing solutions. You do get the benefit of a single packet crack though, reducing overall CPU usage.

But I'm still forced to wonder if the single platform model is right for the majority of enterprises who are large enough to have security staff. In the end, it must be better or it must save time or it must save money to be a compelling for existing infrastructure. I'm just not yet convinced that UTM does any of the three.

I believe that the sprawl created by our existing infrastructure can't go on forever - there is a limit to the number of security-only ports you can throw into the network before you start rethinking the process.

I think UTM will come, eventually. But eventually isn't today. Like the GIS UTM (Universal Transverse Mercator), its usefulness in the real world may be sorely limited.

Oh yeah, and for those of you sputtering over my abuse of the UTM map projection, I've worked in GIS and can back up my statement. Anything outside of a narrow zone is not in scale, making it practically useless for distance measurement... So please don't send me your hate mail :-). To the rest of you, yes GIS afficiandos are as passionate about projections as the computer world is about OS's.