United in threat management part two: has UTM delivered?

Ian Yates

PREVIOUSLY: How and why UTM evolved

Ask the industry if unified threat management (UTM) has delivered and you get mixed responses.

"The black box approach hasn't worked in some instances," says Armagan Cetindas, manager, systems engineering at Symantec. "What it does, and it does well, is that if you have lots of attacks of things that you can identify, it helps you to stop these events at the border or at least contain them. Now that's not a bad approach; however, what happens if things come from behind the gateway?" Indeed it seems the UTM appliance approach has been circumvented by our new-found mobility. "As an example, say I have a laptop and I take that laptop home," says Cetindas.

"Sometimes not knowingly I might click on a few things, I might download stuff and inherently they might put some sort of malicious code in my machine. Now if you take that machine back into the corporate network, maybe the UTM appliance may confine the problem to a segment in your corporate network. I am saying may because they typically care more about what comes in rather than what goes out. Potentially, if it's a key logger sniffing passwords and so forth it is still going to be a problem to a degree. So if you say to an administrator look, we can put one of these things in, or we can do the protection right at the end-point then the protection sits right on top of your assets. So to me and many other people that's a better solution."

Chris Barton, regional manager for appliance vendor SonicWall, isn't claiming his kit solves all malware problems, but argues you can never have enough protection, so why not make the front door easy to secure and manage with just one seriously tough appliance. "Being able to limit the amount of intrusions and type of information that is actually getting inside an IT environment is something that is only going to be beneficial," says Barton. "So it's about mitigating risk and controlling use and being able to enforce policy inside the organisation. It's about having a layered approach."

"We are seeing UTM used now on devices where it's actually managing a lot of the internal traffic on the LAN as well as the external. So if people are popping USB keys into laptops and work stations and so forth from inside the LAN, these devices are going to pick up that as well and protect that organisation from any sort of malicious or confidential data that is not supposed to be leaving the infrastructure. A UTM appliance can be used as not just a perimeter control but an internal control as well. The firewall can actually enforce policy on the desktop from an anti-virus and anti-spyware perspective as well. Not only are you protecting things from the perimeter but you are making sure that laptops and work stations and so forth are carrying up-to-date signatures and they have got the highest level of protection at all times."

If you accept the premise of multiple points of protection, and you decide to stump up the cash for a UTM appliance, you can probably expect to create a bottleneck, slowing down your broadband access while the black box works its magic. "Not necessarily," says Charlie Cote, country manager for network appliance vendor Fortinet Australia. "We have a multitude of products and you need to look at what your expectations are from a firewall perspective, from an IDS perspective, from a web content filtering perspective, the throughput that you need and then we just size the box accordingly."

"In fact, you would find it performing, if not higher, then performing as well as any traditional firewall out there. There were some firewall solutions out there based solely on software. We've incorporated all of this functionality into hardware using ASICs which are much faster than a server running software." So there's no magic there. It's just a matter of choosing the right size box for your network, but there are some tasks which are beyond a single UTM appliance. "We have another product called Fortimail," says Cote. "Fortimail is a point product that folds into the same umbrella but specifically focuses on email protection and it's very, very high performing. It's a separate appliance that complements the UTM strategy."

Gavin Matthews is CIO of Seccomm Networks which offers managed services to its clients, using a combination of strategies, including UTM appliances. "The appliance approach gives us a one-stop-shop for the network and it gives a single point of failure," says Matthews. "We traditionally would have had up to five different servers that would need to be deployed in pairs to ensure redundancy so there wasn't a single point of failure in the network. Then the traffic was passed between these servers, filtered and cleaned or sent off to IDS systems, then the data was forwarded through to the network."

"So a UTM appliance reduces the points of failure and also speeds up network traffic. Ultimately going through one device with the right architecture in place, being able to scan that information in real time and pass that straight to the user, allows companies to take full advantage of modern broadband speeds and information flow as opposed to traditional systems where latency was an issue." And when you're a provider of hosted services you want every ounce of bandwidth available. "When you look at web hosting, you might have five different protection systems with five different copies of hardened operating systems all needing update patching. It makes a lot more sense to have a UTM device that you patch once. Very little maintenance is required by a company to keep an appliance up-to-date."

Systems integration is part of Dimension Data's bread and butter, and security is a given. John Addeo says the decision whether to deploy an appliance depends on the unique requirements of each customer's network. "It's not just an appliance versus software argument when it comes to unified threat management," says Addeo. "There are two arguments there. There is appliance versus software and then there is unified threat management versus distributed threat management. We can bundle those into a consolidated argument having a look at what UTM appliances are available versus what software appliances are available or what software distributed threat management is available versus appliances."

"There are definitely some advantages to having appliances as a low cost installation," says Addeo. "They come pre-configured to some degree and only the specifics need to be put into the box for your environment. There is very little maintenance typically required with them though maintenance is something that we encourage customers to continue to look at when it comes to appliances. A point failure typically within organisations is people put an appliance in and believe that they don't need to be maintained. There are firmware upgrades and things of that nature that still have to be applied."

"If you are looking at a low cost operating model, one would say an appliance is a better way to go," says Addeo. "However, if you believe that your environment is dynamic and requires change and you require growth over time, a software model might be the way to go. It allows for greater room to grow, greater growth potential, being able to take advantage of new features and benefits quicker than an appliance would. So it's about weighing up the pluses and minuses about what's right for your business. We don't believe that unified threat management appliances in an enterprise model are appropriate where you are putting all your eggs in one basket at a gateway to try to accomplish multiple tasks. It's the Swiss army knife approach where you have a whole lot of little tools but no one of them tends to be fantastic in its own right. Enterprises require more of a distributed threat management approach instead of a unified threat management approach."

NEXT: Will blades help UTM cut through?