
The Case For Remote Office Unified Threat Management: Page 2 of 2

Some lines of UTMs are purpose-built for branches, rather than being SMB products simply deployed in them. To a certain degree, UTMs' limited anti-virus capabilities are not very important in the branch, and anti-spam is certainly not needed, because e-mail invariably goes through the central office. However, it makes good sense for enterprises to use UTM to leverage services such as WAN optimization, while using a single firewall console for managing enterprise devices in HQ and smaller devices in the satellite offices.

"Branch offices are not so simple," said Juniper's Lucas. "They have multiple different needs for security and network segmentation." For example, a branch location such as a convenience store or service station may have to deal with network segmentation for PCI compliance, connectivity to lottery systems, guest connectivity and automated inventory control.

That complexity makes choosing the right UTM appliances for your branch locations tricky, especially when it comes to sizing the boxes for current needs and future growth. You don't want to buy one line of branch office appliances only to find your traffic requirements have increased dramatically, and you need to buy up to the next box six months later. Anticipate business growth and any new applications and services that may add to your bandwidth requirements. Juniper's Lucas recommends "affordable headroom" so you buy appliances that allow you to add features without refreshing equipment every two to three years. He concedes that most of Juniper's branch UTMs have limited or no WAN expandability. One approach is to separate WAN issues and network segmentation on the one hand, and port density on the other, so you can address additional port requirements by adding a switch.

"Start with speeds and feeds," said Snyder, working from the vendor's firewall throughput figures. Then compare the number of tunnels supported to the tunnels you need. If you are using dynamic routing, make sure you have sufficient CPU power to run it. Finally, be aware that performance degrades as you activate security modules. As a rule of thumb, he said, if you are planning for a 10 Mb circuit, "figure a 10-X slowdown, so you'll need at least 100 Mb of firewall capability."