The Case For Remote Office Unified Threat Management


June 25, 2010


Unified threat management (UTM) devices are becoming an important consideration for branch office security as enterprises look to balance cost constraints and the ever-increasing bandwidth requirements spurred by performance-sensitive, low-latency applications such as VoIP and video across the WAN. Most typically, enterprises backhaul traffic to central locations where they apply security controls such as firewalling, intrusion prevention, AV and anti-spam--the so-called hub and spoke architecture. An increasingly popular option is to carry essential corporate application and services traffic over the private network and provide low-cost, commodity direct Internet access at the branch. But that exposes branch offices and their users to all kinds of threats, as corporate security doesn't move out to the branches with the Internet access. That's where UTM comes in.

"Having servers at branch and doing things like replicating databases--that way of thinking is the old way of doing applications," said Scott Lucas, director of product marketing of Juniper. "Enterprises are moving back to the central data center for general economies and giving people access across network itself." That requires spending a fair amount of money, for example, buying MPLS circuits from a service provider to get the bandwidth you need.

Backhauling Internet traffic and retransmitting it makes little sense if you have more than a few branch offices, said Joel Snyder, senior partner at consultancy Opus One. You're either paying to get it on the private network--"the worst case"--or transmitting it on the public network twice, once encrypted in the tunnel on the private network and then to the Internet. "I see fewer people trying to backhaul Internet traffic to a central site, and that means greater demand for UTM in the branch," said Snyder. "Also, as people build more mesh networks as opposed to hub and spoke, they are worried about infected sites infecting other internal sites on these more highly interconnected networks."

UTM has replaced traditional firewalls in SMBs and branch offices. Typically, UTM appliances offer firewall/VPN at base and an assortment of optional security modules, starting with IPS and including, in most cases, anti-virus, some form of URL filtering and sometimes anti-spam. IPS is probably the most important security module, since directly accessed traffic is no longer run through your HQ IPS, but don't expect it to match the security capabilities of your high-end data center boxes.

"It's IPS light," said Snyder. "You're not getting the same strength of signatures as on a dedicated IPS box. You're not going to catch a lot of stuff." The analytics and management capabilities are weaker as well. The IPS management consoles in UTMs are almost universally poor. "When push comes to shove, how am I going to configure and manage the IPS and handle alerts? There is just no good answer with UTM. So, you lower your expectations," Snyder says.

Some lines of UTMs are purpose-built for branches, rather than being SMB appliances simply deployed in them. To a certain degree, UTMs' limited anti-virus capabilities are not very important in the branch, and certainly anti-spam is not needed, because e-mail invariably goes through the central office. However, it makes good sense for enterprises to use UTM to leverage services such as WAN optimization, using a single firewall console for managing enterprise devices in HQ and smaller devices in the satellite offices.

"Branch offices are not so simple," said Juniper's Lucas. "They have multiple different needs for security and network segmentation." For example, a branch location such as a convenience store or service station may have to deal with network segmentation for PCI compliance, connectivity to lottery systems, guest connectivity and automated inventory control.

That complexity makes choosing the right UTM appliances for your branch locations a tricky question, especially when it comes to choosing the right size boxes based on current needs and future growth. You don't want to buy one line of branch office appliances only to find your traffic requirements have increased dramatically, and you need to buy up to the next box six months later. Anticipate business growth and any new applications and services that may add to your bandwidth requirements. Juniper's Lucas recommends "affordable headroom" so you buy appliances that allow you to add features without refreshing equipment every two to three years. He concedes that most of Juniper's branch UTMs have no or limited WAN expandability. One approach is to separate WAN issues and network segmentation on the one hand, and port density on the other, so you can address additional port requirements by adding a switch.

"Start with speeds and feeds," said Snyder, based on the vendor's firewall throughput figures. Then compare the number of tunnels supported to the tunnels you need. If you are using dynamic routing, make sure you have sufficient CPU power to run it. Finally, be aware that performance degrades as you activate security modules. As a rule of thumb, he said, if you are planning for a 10 Mb circuit, "figure a 10-X slowdown, so you'll need at least 100 Mb of firewall capability."
