Unified threat management (UTM) devices are becoming an important consideration for branch office security as enterprises look to balance cost constraints against the ever-increasing bandwidth requirements spurred by performance-sensitive, low-latency applications such as VoIP and video across the WAN. Most typically, enterprises backhaul traffic to central locations, where they apply security controls such as firewalling, intrusion prevention, AV and anti-spam--the so-called hub-and-spoke architecture. An increasingly popular option is to carry essential corporate application and services traffic over the private network and provide low-cost, commodity direct Internet access at the branch. But that exposes branch offices and their users to all kinds of threats, as corporate security doesn't move out to the branches with the Internet access. That's where UTM comes in.
"Having servers at branch and doing things like replicating databases--that way of thinking is the old way of doing applications," said Scott Lucas, director of product marketing at Juniper. "Enterprises are moving back to the central data center for general economies and giving people access across the network itself." That requires spending a fair amount of money: buying MPLS circuits from a service provider to get the bandwidth you need, for example.
Backhauling Internet traffic and retransmitting it makes little sense if you have more than a few branch offices, said Joel Snyder, senior partner at consultancy Opus One. You're either paying to get it on the private network--"the worst case"--or transmitting it on the public network twice, once encrypted in the tunnel on the private network and then to the Internet. "I see fewer people trying to backhaul Internet traffic to a central site, and that means greater demand for UTM in the branch," said Snyder. "Also, as people build more mesh networks as opposed to hub and spoke, they are worried about infected sites infecting other internal sites on these more highly interconnected networks."
UTM has replaced traditional firewalls in SMBs and branch offices. Typically, UTM appliances offer firewall/VPN as a base and an assortment of optional security modules, starting with IPS and including, in most cases, anti-virus, some form of URL filtering and sometimes anti-spam. IPS is probably the most important security module, since traffic that goes directly to the Internet from the branch is no longer run through your HQ IPS, but don't expect it to match the security capabilities of your high-end data center boxes.
"It's IPS light," said Snyder. "You're not getting the same strength of signatures as on a dedicated IPS box. You're not going to catch a lot of stuff." The analytics and management capabilities are weaker as well. The IPS management consoles in UTMs are almost universally poor. "When push comes to shove, how am I going to configure and manage the IPS and handle alerts? There is just no good answer with UTM. So, you lower your expectations," Snyder said.