A single box that can protect your network from all known evils sounds great, but does the reality live up to the hype? Rob Buckley investigates.
Unified threat management (UTM) sounds like the kind of technology any organisation should have. After all, who wouldn't want a single device that can protect your organisation from most known cyber attacks? But can one box really do everything that's needed? And how easy will it be to manage?
“I have to say I'm a sceptic,” says Geoff Bennett, product marketing director of StreamShield Networks. “What are the odds of world-class performance in all areas of security being sensibly merged into a single platform?” In an area such as security, where a failure in one part can result in an entire organisation being infected, compromising on quality is rarely an option. Most companies tend to pick individual devices for that reason.
But businesses are buying UTMs, and in ever-increasing numbers. IDC reports that more than 46,000 devices were bought in Western Europe during the first quarter of 2006, an increase of 10 per cent over the previous quarter. UTMs appeal because managing single-purpose devices can be expensive and difficult.
UTMs have proved particularly popular with smaller organisations that don't have the budget for separate devices or the staff to manage them. The Greyhound Racing Association has installed SonicWALL devices in its various offices, not only to prevent incoming attacks, but also to improve bandwidth use. “We were having a lot of our bandwidth used for non-work related internet access by employees,” says Mike Kelly, the association's HR manager. “There was potential for viruses and hacking.”
By installing the SonicWALL UTMs, the body was able to identify infected machines, decontaminate them and prevent reinfection. The main reason for picking SonicWALL was to avoid management problems. “We already had a SonicWALL firewall, so it was a straightforward upgrade,” explains Kelly.
The organisation now uses the UTM's content filtering features, as well as its intrusion prevention system, to block potentially malicious traffic, with the supplier handling the management.
Too many cooks?
But as StreamShield's Bennett points out, the arrival of UTMs hasn't reduced the number of security incidents organisations have succumbed to. In fact, reports from the Department of Trade and Industry show that the number of infections and penetrations has increased over the past year. This suggests that while UTMs might have become more popular, it's not because they actually fix any more problems than previous technologies.
This may be because not all UTMs are created equal. Many vendors describe their devices as belonging to this category, but few agree on a definition. All concur that UTM is an approach that unifies various aspects of security, including firewalling. Indeed, virtually every network security vendor now offers UTM technology.
But after that, agreement breaks down. Opinions vary on what aspects of security UTM should encompass, although anti-virus, intrusion detection and web content filtering appear on most lists. Some argue that UTM needs to be a security appliance; others say it should be software that's installed on clients or hosts. Some claim it's a device that is simply capable of providing the power necessary for whichever security software the owner decides to install on it, while others insist it should have a unified management console. Yet another camp argues that it's enough if all the security components are unified in one place.
UTM, it seems, is more a state of mind than an exact definition. For example, SonicWALL's ability to download and install the latest version of McAfee's anti-virus technology onto individual clients as they appear on the network greatly appealed to the Greyhound Racing Association. With mobile devices typically avoiding the protection offered by perimeter security devices, some vendors argue that UTM needs to be performed in conjunction with host protection. Fortinet offers its own desktop protection software, while CA's UTM strategy is based on a unified desktop product that can be centrally managed.
“With a thriving laptop community, the perimeter is not where you should concentrate your efforts,” says Simon Perry, vice-president of security strategy at CA. “The desktop is where you get the biggest advantages.” His company's UTM includes a personal firewall, IPS, anti-virus and anti-spyware, integrated under a single central management console.
As the capabilities of UTMs have increased and their definition blurred, so they have spread upwards from SMEs, to join devices from enterprise-grade suppliers who have started to reclassify their products as UTMs.
“We're now seeing penetration into the large enterprise,” says Daniel Fleischer, senior research analyst for European enterprise server solutions at IDC. “It comes down to ROI.” Managing different boxes, each with its own infrastructure, is very expensive.
As UTM is a collection of technologies, not all of which need to be enabled at the same time, it appeals to different markets. According to Andre Stewart, Fortinet's vice-president of sales, EMEA, public-sector organisations tend to be interested in all the security features of his firm's UTMs, while banks pick one or two features, such as the firewall and intrusion detection system (IDS).
Worries about performance seem to have eased, as well. While do-it-all boxes aimed at the lower end of the market clearly can't scale up to the speeds needed by larger enterprises, companies such as Fortinet and Crossbeam have been producing enterprise-grade systems for some time, mainly by forsaking single-box appliances in favour of blade servers with hardware acceleration for specific tasks.
“What you're choosing is a blade to scale processing power,” says Nick Lowe, Check Point's regional director for Northern Europe. “As an application calls for more power, you just add a blade. You can't expect a £1,600 box to give the necessary performance and user numbers as you scale upwards.”
Chelsea and Westminster NHS Trust upgraded its Sun boxes to a Crossbeam C-Series UTM to get the firewall performance it required. “We needed price, performance, portability and scalability,” says Bill Gordon, assistant director of IT at the trust. With the Crossbeam in place, the trust was able to use the device's IDS features as well, while maintaining the performance it needed. “It's very easy to use, it's just one console. We've run penetration tests, and they've come up clean.”
IDC's Fleischer agrees that performance is no longer an issue for most enterprises. “If necessary, they'll just string six devices in series and turn on just one function on each box.”
StreamShield's Bennett remains sceptical, however, of many vendors' performance claims. “If you look at most of these UTMs, there's a massive disconnect in terms of the processing power for functions such as the firewall, where you might get line-rate performance, versus threats such as complex URL filtering and spam filtering. Instead of telling you the line rate, they'll say: ‘We can handle 20 to 30 emails per second.' They rarely talk about performance.”
Many of these enterprise-grade products force a re-examination of what a UTM actually is. Are they UTMs performing UTM services, or some other devices that have been adapted to claim UTM capabilities?
In theory, there are many possible advantages to a UTM that combines specific services. Security devices that perform content filtering need to collect packets, assemble them in the right order and work out what their intent is. With a set of individual content-filtering security devices, each performing a separate task, this procedure has to be repeated on every device. With a single box, it potentially only has to be done once. Equally, a single device should make management simpler, and it should be able to pass the information gleaned from one step on to the next.
The facilitator approach
Yet, while vendors such as Fortinet produce their own security software for their enterprise products, solutions from suppliers including Crossbeam and Nortel simply aggregate other vendors' security software onto a single box and only offer management consoles for each individual service.
“We take what the customer defines as best of breed,” says Chris Hoff, chief security strategist at Crossbeam Systems. “We don't manage software. It would be impossible trying to keep up with 15 vendors.” He argues that “true” UTM is not just bundling software from the same vendor onto one platform; the only way to get actual benefit is to take the best appliances from different vendors and integrate them onto a platform that “does not hamper network performance in any way”.
Although this removes most of the benefits of unification, leaving just the rationalisation of hardware as the big attraction of such an approach, it does allow companies to use best-of-breed software. Hoff argues that it is the only real way to provide the necessary protection to enterprises at the moment. “Why have McAfee pulled out? It's not because the market isn't there. It's because UTM is difficult to do well.”
It also avoids the restriction of UTM to the functions prescribed by a particular vendor. Hoff says that it's possible to install other security functions such as XML and web services protection on Crossbeam's hardware, something many UTMs won't allow you to do.
Indeed, one failing of virtually all UTMs is that while their own software may integrate well, the device won't integrate with anything other than itself and other UTMs. “How well do they integrate? Not very well,” says Roberto Casula, technical director of systems integrator Applinet. “If you've got a box that claims to do A, B, C, D, E and F, if you want G, usually you can't. [The vendor's] hope is you won't need any other product since that weakens the proposition of a ‘unified threat manager'.”
It's a complaint that Tim Keanini, chief technology officer at security vendor nCircle, often hears from his enterprise clients. “All UTMs are single-vendor oriented. I'm finding customers are continuously asking for interoperability, and it's not just multi-vendor interoperability. Clients are asking companies: ‘Please, can you get your own stuff to talk together?'” At the moment, says Keanini, few vendors are developing standards and interfaces to work towards interoperability, although he expects that to change in the next few years.
UTMs are an evolution of previous technologies and offer little or no extra protection. Picking a UTM is as much about deciding which technologies – and which definition of UTM – the organisation actually needs as it is about picking a vendor. A belt-and-braces approach that incorporates host protection will be vital in any organisation that has a remote or mobile workforce. For the truly security conscious, the “unified” concept will pretty much be ignored in favour of threat management, while a small organisation might be prepared to sacrifice some of that for unified devices.
No organisation, however, should expect a UTM to solve all its security problems, management headaches or performance issues. But it should certainly solve some of them – if implemented correctly.
Why and how did the technology emerge?
Unified threat management (UTM) is a term invented by Charles Kolodgy of IDC in 2004. He devised it as a name for a new breed of firewalls that could analyse and block traffic packets for reasons other than their destination and origination.
Firewalls typically used to be able to block TCP and UDP packets based on the service they were trying to access, the location of that service and the location of the sender of the packet. For example, a traditional firewall would be able to block access to the Secure Shell service on a network by stopping any packet trying to request services on TCP port 22. But the firewall might allow access from a particular trusted IP address, such as a branch office LAN hidden behind a router, or from anyone on the internal LAN using IP addresses in the standard range.
However, with more and more services running on port 80, the web services port, firewalls' ability to block malicious traffic began to decrease. It also became apparent that customers wanted to be told about potential threats, not just have them blocked. So vendors began to add intrusion detection and traffic analysis capabilities to their firewalls to provide improved attack analysis and to block traffic based on content, as well as destination and origination.
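The port-and-address filtering described in the two paragraphs above, as an added illustration that is not from the article or any vendor product: a minimal first-match packet filter that implements the SSH policy (TCP port 22 blocked except from a trusted branch office range and the internal LAN) and shows why anything on port 80 passes regardless of its content. The address ranges and the rule layout are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str              # source IPv4 address
    dport: int            # destination port
    payload: bytes = b""  # never examined by a port/address filter


# Assumed placeholders for the article's "branch office LAN" and
# "internal LAN"; the article gives no concrete ranges.
BRANCH_OFFICE = ipaddress.ip_network("203.0.113.0/24")
INTERNAL_LAN = ipaddress.ip_network("192.168.0.0/16")

# Ordered ruleset, first match wins:
# (action, protocol or None, source network or None, destination port or None)
RULES = [
    ("allow", "tcp", BRANCH_OFFICE, 22),  # SSH from the trusted branch office
    ("allow", "tcp", INTERNAL_LAN, 22),   # SSH from the internal LAN
    ("deny",  "tcp", None, 22),           # SSH from anyone else
    ("allow", "tcp", None, 80),           # web traffic: any source, any content
    ("deny",  None,  None, None),         # default deny
]


def filter_packet(pkt: Packet) -> str:
    """Return 'allow' or 'deny' from the first rule whose fields match."""
    src = ipaddress.ip_address(pkt.src)
    for action, proto, net, dport in RULES:
        if proto is not None and proto != pkt.proto:
            continue
        if net is not None and src not in net:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"  # unreachable with the default rule present, kept for safety


if __name__ == "__main__":
    # Constructed sample packets; the port-80 one carries content the
    # filter cannot see, which is the gap content inspection was added to close.
    for p in [Packet("tcp", "198.51.100.7", 22),
              Packet("tcp", "203.0.113.9", 22),
              Packet("tcp", "192.168.4.20", 22),
              Packet("tcp", "198.51.100.7", 80, b"<content the filter never inspects>"),
              Packet("udp", "203.0.113.9", 22)]:
        print(f"{p.proto} {p.src} -> port {p.dport}: {filter_packet(p)}")
```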
With traffic analysis capabilities in place, a whole range of additional security services became possible. Vendors began to add more and more of these features, including junk email filtering, anti-virus capabilities, anti-spyware, VPN access and web content filtering.
As well as providing differentiation from other firewall vendors, these additional features opened up new potential markets. In particular, SMBs, tired of the management issues involved with security and worried by the increasing number and variety of threats, grew interested in the promise of an all-in-one box that could block all malicious traffic.
IDC's current definition requires a UTM to be a security appliance that “must be able to perform network firewalling; network intrusion detection and prevention; and gateway anti-virus”, even if not all of these features are used by its owner.
However, each vendor essentially came to UTM via its own route. As UTM became a recognised concept, albeit one not clearly defined in the minds of many potential customers, so more vendors began to create “UTM” products. Some integrated different products they already had; others acquired products and companies and integrated these. Others, however, simply changed the definition of UTM to encompass their own products, even if no one else agreed with that definition, with many firewalls capable of only one other security function being reclassed as UTMs.
Associated Newspapers, which publishes the Daily Mail, the Evening Standard, Metro and Loot among others, found that devising a security policy for newspaper offices presented certain challenges. One of the problems was the actual requirement of many employees to download and try different software for their respective publications, something that the average organisation would find completely incompatible with good security.
Mark Callaby, IT security officer at Associated, chose to deploy a mixture of UTM technologies, both on the host and at the edge, as a way to safeguard the organisation while maintaining a “semi-lenient” security policy.
The first hurdle was spyware, since Associated had already managed to get a “stranglehold” on the large number of viruses the company was receiving using CA's AV product. “We already had an AV deployment throughout the organisation, but we had a big spyware problem,” Callaby says. He decided to deploy CA's anti-spyware system, part of its UTM solution, to the 2,100 Windows XP desktops in the organisation. Associated was already a big CA customer, and the team wanted to stay with the supplier's software. “As soon as you start using different vendors, it costs to integrate.”
Installation was simple, with a batch file used to put the software onto an initial 15 to 20 machines, to find out just how much of a spyware problem the company had. Having discovered that there was indeed a problem, the company used CA's Unicenter software to package the anti-spyware client software and deploy it to each division.
Associated chose not to have the anti-spyware software automatically remove any detected spyware. “What CA may call spyware, and what we might call spyware are two different things. Is PC Anywhere spyware? We needed to find out what was on our estate and decide for ourselves what to remove.”
In addition to host-based security measures, Associated uses network and edge security to provide complete UTM-level security. WebSense's URL filtering shores up the company's standard firewall to prevent web-based attacks, and a network IPS alerts it to malicious traffic.
“IDS is a separate beast,” says Callaby. “Once you put that in, it can take you a year getting it right because there's just so much data to deal with.” Currently, Associated uses IDS to monitor traffic and discover any problems on the network.
This combined host and edge-based UTM, slowly moving to fully host-based UTM, has so far proved to be “worth its weight in gold”, according to Callaby, who has seen reduced incidents in the organisation as well as speed improvements from hosts that have been disinfected of spyware.