Unified threat management's time has come. We put ten products to the test. By Peter Stephenson.
This is the hot review of the year. The herd of unified threat management products - UTMs - queued up ready for testing was prodigious. This year, Mike Stephenson beefed up the test bed to unload all our guns against the victims - and the results were most interesting.
First, a few observations are in order. UTMs have broken the mould and now contain just about anything that you can conceive of putting on the perimeter. We saw anti-spam, anti-malware, firewalls and the rest of the usual gateway tools, all neatly packaged into ten hardware appliances - no software or virtual appliances this year.
The range of covered protocols improves every year. This year, the emphasis is on adding P2P and IM to those UTMs that did not have them last year.
The price-performance ratio continues to improve, as does the robustness of the products. The management is now almost completely web-based.
In short, we liked pretty much all that we saw. But, as always, we liked some more than others. UTM reviewing in the lab has gone from picking the best of a bad bunch a very few years back to struggling to pick the top tip from a boatload of winners.
Buying a UTM
The game is changing. There are now very competent endpoint security products - we look at several this month in our other group test - so the notion of spreading defence in depth across the enterprise is a viable one.
In the case of the UTM, we expect a lot of functionality, but functionality at any cost is not the goal. Many firms have excellent anti-malware gateways and do not need UTM functionality. It is best to review security and network architecture at the perimeter and decide what you need before you decide what to buy.
Manageability is a key aspect of a successful UTM deployment. If you have a widely distributed enterprise, figuring out how to manage remote appliances can be a challenge. Pick products that fit into your existing architecture and are able to be managed centrally. The same is true of reporting and alerting. Make sure that the capabilities of the UTM fit your needs in both respects.
Another consideration is the nature of the rest of your security architecture. There is something to be said for slotting a UTM into an existing system made up of its siblings from the same product line. That usually integrates management and makes the whole architecture more solid. The other side of that coin is that weaknesses are often endemic within a given product line, and adding new products from that line to your architecture simply perpetuates the weakness. Be sure that you are getting the protection you need, even if you have to sacrifice homogeneity.
Network architecture is a key issue. If your architecture at the perimeter is based on a DMZ or multiple perimeter networks (such as online banking systems), you might want to consider mixing the UTM with a traditional firewall. This adds defence-in-depth at a sensitive part of the enterprise. It also increases your control.
The last issue to consider is performance. A UTM can become a bottleneck at high-traffic perimeters. Be sure your choice offers high availability: a failover capability that also sustains high-volume traffic can be critical to network traffic management.
How we tested
UTM testing is great fun around SC Labs. We set up some of our meanest attack tools and throw everything we can at the products under test. This year, we set up a complete network of targets that we protected by the device under test. Then, we set up an attack machine on the other (WAN) side of the device being tested.
We started out with the firewall wide open to see if the IPS would stop our attacks. Generally, we found that the default state for these products was report-only, so you are faced with configuring the UTMs before you can use them effectively. The other side of that is that you can use the reporting to characterise the traffic that is passing through the UTM.
Once we knew what was passing through our devices, we tightened them down and ran Nessus again. The idea was to attempt to get past the UTM and hit the targets it was protecting. If we saw anything inviting, we opened up our big guns - Core Impact - and let fly. Core has continually updated its attacks and each month there are more tests for us to try.
The results this year were quite satisfactory. Bottom line? If you can't find the UTM you need here, it probably doesn't exist.