Visualize going through airport security. You step up to one guy who scrutinizes your boarding pass and license. Once he waves you by, you're immediately stopped by a rent-a-cop with a metal detector. Passing the scan without clicks or beeps, you're clear to walk 4 feet before a bag-check line halts your progress. Then you wait as guards search someone's grandmother for explosives.
That reality is similar to what happens to a packet when it enters a heavily secured network. With an increasing number of systems inspecting traffic for unauthorized access, malware, attacks, data leakage, spam, and more, there's a lot of credential checking and scrutinizing going on--and a lot of cash being spent on multiple security devices. Replace all those checks and searches with a multifunction entity empowered to move you directly from the curb to the plane, and you have the concept of unified threat management, or UTM.UTM products are available for all sizes of networks. Though they're predominantly associated with small and midsize enterprises, sales range from very small networks to very large, dispersed organizations. Distributed enterprises will want to deploy multiple UTM products, and that means management issues. Fortunately, most vendors support platforms for administering a far-flung network of UTM devices and for integration into existing security suites. While it was no surprise that larger companies with an established security presence, including Check Point Software, Cisco Systems, IBM, and Juniper Networks, integrate UTM devices into their overall security portfolios, we were pleased to see some vendors without larger comprehensive security suites, including Astaro, Cyberoam, Fortinet, Secure Computing, SonicWall, and ZyXel, also making sure to address multiple device management and security technology integration. For a comprehensive rundown of UTM offerings, including price and capabilities, download the comparsion chart.Speaking of cost, one interesting facet of the UTM market is that a number of appliances integrate open source components under the hood. This approach has certainly benefited consumers by producing many lower-cost appliances that encourage competition. On the flip side, however, you need to watch for changes in GPL licensing.
(click image for larger view)
Many of the advantages of integrating security functions into a single device are obvious: reduced cost, consolidated reporting, a consistent interface, simplified network architecture, and ease of management. In fact, these trends are also driving consolidation of the endpoint security suite market, as we discuss in "Eating The Elephant". On the desktop, antivirus products have become the commodity around which other features continue to be added, while on the network the firewall has taken that position.There are less obvious benefits, too. Take the push toward green computing: Consolidation doesn't only mean virtualization. Reducing the number of security devices by way of unified threat management is another way to save on that power bill. For more mature products in the space, UTM--yes, we're saying this without sarcasm--provides synergy. For example, an antivirus module, an anti-spam module, and a content-filtering module might all share the same database of known bad URLs that each would apply appropriately. Fortinet maximizes this integrated approach; its entire platform was designed around UTM from the ground up, and the company maintains all its own modules and signature databases, which is rare among UTM vendors.Of course, putting all the animals under one roof does have negatives. It's unlikely that any single UTM product will embody the best of each of its parts. For example, with the exception of Check Point, IBM, and Juniper, whose UTM devices integrate technologies from their top-pedigree intrusion-prevention systems, most UTM IPS functionality won't measure up to standalone intrusion-prevention systems in terms of features and depth of detection and prevention. Likewise with some antivirus and anti-spam functionality.Then there are marketing claims. New laptops never get the battery life that vendors promise, nor do pricey brands of beer elicit instant adoration from the opposite sex. In the case of UTM, it might be useful to have a couple kilos of salt on hand when meeting with vendor reps. It's hard enough to quantify bandwidth claims in standalone evaluations of security products, but in devices with a half-dozen or more separate parsing modules, expect actual performance under real-world networking conditions with all modules turned on to be drastically different from claimed numbers. Many products feature hardware acceleration for this exact reason, but without trying a product on your network with your desired options, you can't know for sure that it will stand up.Another potential unification pitfall is the concept of consolidating your security eggs in one place. Not only does this introduce a single point of failure for network gateway protection, but there's a movement afoot to distribute security for greater effectiveness, rather than consolidate (see "Forum Sounds The Trumpets For Defense In Depth").OPEN SOURCE DEBATE
Some UTM products began as interfaces to a collection of open source technologies--grab Snort for intrusion-detection and -prevention systems, ClamAV for antivirus, and IPTables/Netfilter for firewall, and you have all the required ingredients of a UTM. Add a bit of glue, an interface, and a reporting mechanism, and go to market.SmoothWall sells exactly this and makes no attempt to hide that fact. Even its interface is open source and available freely. Customers benefit, as is obvious from our comparison chart. The SmoothGuard 1000 costs anywhere from half to a third as much as competing products to protect the same size network, at $5,000 to guard as many as 1,000 nodes. In contrast, Check Point's price for 1,000 nodes is $15,500. Astaro also readily admits to using open source to bootstrap areas of its UTM product, which starts at $1,200, though it claims an overall best-of-breed approach, citing a recent switch from the open source Squid HTTP proxy to an internally developed one.Some vendors denigrate competing products that are based on open source technology, but the fact is, open source software is inherently neither better nor worse than proprietary code. Indeed, for any company with finite resources trying to implement an all-in-one UTM approach, it makes good sense to devote financial resources to proprietary software where it's needed most based on a risk assessment and fill in with open source where appropriate.However, there are a few issues to be aware of when deciding between open and proprietary unified threat management. First, licensing changes can affect future versions. Tenable Network Security changed the licensing for the popular Nessus vulnerability scanner, for example, when moving from version 2.0 to 3.0, though it's worth noting that this was possible only because all, or nearly all, of the 3.0 development had been done by programmers employed by Tenable. And licenses for previous versions can't be revoked.Another issue is the GPL derivative works clause. Most earlier interpretations said a program was not considered derivative if it interfaced to a compiled version of the application. In other words, taking Snort and wrapping a Web interface around configuration, management, and output data was not a derivative work such that the entire application needed to be GPL licensed, as long as the original application was not modified. This convention is not held by all open source authors, however. Nmap and Snort now explicitly require licensing of any applications that use their apps in ways that may affect UTM vendors, such as including source or data files, or wrapping them in an installer.Snort is commonly used by the UTM vendors that we spoke with, but only Astaro is listed as an integrator on Sourcefire's Web site. Other companies may either be planning on not using the 3.0 line of the product or have a private licensing agreement with Sourcefire, which wouldn't comment on the specifics of who licenses what.YEAH, IT'S IN THERE
When IDC analyst Charles Kolodgy in 2004 coined the term "unified threat management security appliance," he wasn't so much creating a new class of product as he was enunciating a trend. Firewalls were adding a variety of features, and Kolodgy's original UTM definition required a product capable of firewall functionality, intrusion detection and prevention, and antivirus scanning, from one integrated device. Today's UTM products comprise these features and many others. Here's a rundown:
Forum Sounds The Trumpets For Defense In Depth