To protect networks and information against increasingly sophisticated threats, many organizations are deploying security in layers. Some are finding that an efficient way to do this is by using unified threat management (UTM) appliances.
UTM systems have multiple features and capabilities, including intrusion detection and prevention, gateway antivirus, e-mail spam filtering and Web content filtering, as well as the traditional functions of a firewall, integrated into one product offering.
Some vendors offer the option of purchasing UTM appliances for all of the various functions available or integrating just a few of the functions as needed.
It's a fast-growing market. Research firm IDC (a sister company to CSO) released a report in October 2008 saying that it expects UTM products, which passed the $1 billion mark in market size in 2007, will make up 33.6 percent of the total network security market by 2012.
The UTM market has attracted a large number of vendors. Among the market leaders are Fortinet, Cisco, SonicWALL, Juniper, Secure Computing, Check Point, Watchguard, Crossbeam Systems and Astaro.
Vendors continue to add new features to the basic functionality of the products. For example, the latest version of Astaro's Security Gateway product includes HTTPS Proxy Filtering, which allows users to filter and control secure Web traffic and block programs that attempt to bypass security policy with SSL tunneling.
Another new feature, Site-to-Site VPN, lets users create permanent tunnels between Astaro Gateways, providing a simple way to permanently connect two gateways while supplying the security level of an IPsec VPN tunnel.
In November 2008, Fortinet introduced a UTM product that gives organizations the ability to segment their networks for greater policy granularity and event isolation.
More vendors are adding new messaging security capabilities such as e-mail spam filtering and instant messaging security, and Web security features such as Web application firewalling and content filtering, says Jon Crotty, research analyst for security products and services at IDC.
Crotty says other new developments in UTM include centralized management using graphical interfaces, enabling networkwide changes for licensing and upgrades, and network features such as the ability to monitor latency and throughput and automated event correlation and network logging.
IDC and others are beginning to call the newer UTM appliances (with these added security and networking features and functions) "extensible threat management" (XTM) systems.
If your organization is considering implementing a UTM system, here are some things to consider.
What Do You Really Need?
Before looking into products on the market, determine the specific security needs of your organization.
The same can be said for purchasing many types of IT security products, but it's especially true with technologies such as UTM appliances, which combine a number of security functions into one system.
There are several dozen UTM products on the market, and they vary broadly in terms of features, capabilities and price.
Not all organizations will need particular security features and capabilities that could drive up the total cost of the technology as well as the complexity involved in implementing the systems.
"If you're going to evaluate a UTM box, start with the basics: What are your needs? How big is your company? Is your company growing?" Crotty says. "Those questions alone would probably cut the [product] list down do about a third. Some of these players are much more geared toward the enterprise, some toward the low end."
Check Vendor References
Prior to purchasing a UTM from Fortinet, DJO, a global provider of medical devices based in Vista, Calif., visited several companies that were using UTM appliances from various vendors.
DJO wanted to learn about the level of administration needed to operate the products, how difficult they are to use, how the firewalls work with VPNs and other issues, says John Iraci, vice president of enterprise infrastructure at DJO.
The diligence paid off. DJO successfully implemented the Fortinet product into its global environment and is seeing the benefits of enhance security, Iraci says.
The company deployed two appliances in "high availability mode" at its headquarters, and they're being used to help provide firewall, IPS, antivirus, VPN and Web filtering security. DJO was able to easily deploy IPS functionality to its network without adding additional hardware and without exceeding its security budget.
Investigate and Test
Many organizations, especially smaller ones, don't have the time or resources to test products in-house. But they can take advantage of published product reviews and use the testing services available from organizations such as ICSA Labs (formerly International Computer Security Association), Crotty says.
Larger enterprises that have the resources "should select three or four vendors and try to kick the tires in a lab," Crotty says.
He suggests that organizations conduct two types of tests. The first is to test the products' performance against the configuration that the organization plans to use and those specific functions that will be enabled.
The other is to test the products with all the features engaged on the UTM. "This will give you an idea of performance should you eventually want to enable more applications than you do now," Crotty says. "You want that room to grow and should look at [these capabilities] when making the initial purchase."
DJO did a lot of testing of its UTM appliance in its labs to ensure that the device worked with the disparate hardware that the company has installed.
"We do a lot of acquisitions, and we need to make sure that there's interoperability" among the systems, Iraci says. "Testing is so important in this day and age when you've got so many pieces and the infrastructure has become so much more complex."
Testing should also apply to release upgrades.
"While the release notes may seem like they make no significant changes, with UTM there can be a change to one type of traffic pattern or filter that can affect 'good' traffic," says Mike Mierwinski, CIO at Mid-America Overseas, Chicago, a transportation and logistics provider that uses a UTM system from Astaro. "Without testing this in advance, you could potentially bring down one segment of your network if you apply these updates blindly."
Cost Versus Scalability
When selecting a product, take into consideration a range of factors, including cost, scalability, centralized management and vendor support.
Cost, throughput and management are the key criteria for evaluating UTM devices, says Richard Stiennon, chief research analyst at IT-Harvest, an IT research firm in Birmingham, Mich.
"There is the purchase price and the subscription price to consider as URL filtering, IPS and AV all require constant updates," Stiennon says. "Does the vendor do their own research or do they use databases from third parties? The management interface should be as unified as the actual device."
Scalability and distribution are other key considerations. Organizations with a lot of branch offices need to make sure that a UTM appliance is capable of supporting remote users. "That's when scalability and performance with hundreds or thousands of users really comes into play," Crotty says.
It's also critical to take a look at the management console of a UTM appliance. "With UTM, this is very important," Crotty says. "Does it have a SIEM [security information and event management to gather and analyze security log data from different systems]? Can you enable applications easily? Can you do universal policy configurations and changes? What about system upgrades? With UTM, these [factors] are just as important as what the box does."
Effective centralized management is especially vital for large enterprises that have a lot more users to support.
UTM systems should not have separate consoles for each function, Stiennon says. "Rather, protection profiles that define URLs, IPS and [antivirus] signatures to apply based on a specific group of users should be integrated with a firewall rule manager," Stiennon says. "Updates should be easy to push from a central management console to multiple devices."
How the UTM system is supported and maintained by the vendor is another key consideration for companies. "Some of these vendors have been aggressive in offering customer service; we've seen a lot of customers jump in just because of that," Crotty says.
Can the Vendor Support Global Operations?
This was an important factor to DJO, which has operations in multiple countries. "Because we have several offices in Europe, we had to make sure [the vendor has] reseller channels over there that can ship products there and have technicians available if necessary," Iraci says.
DJO's five international offices have Fortinet appliances to connect the locations to corporate headquarters.
The integrated security platform enabled the company to provide the same security services at its remote locations as it does at headquarters.