UTM systems have multiple features and capabilities, including intrusion detection and prevention, gateway antivirus, e-mail spam filtering and Web content filtering, as well as the traditional functions of a firewall, integrated into one product offering.
Some vendors offer the option of purchasing UTM appliances for all of the various functions available or integrating just a few of the functions as needed.
It's a fast-growing market. Research firm IDC (a sister company to CSO) released a report in October 2008 saying that it expects UTM products, which passed the $1 billion mark in market size in 2007, to make up 33.6 percent of the total network security market by 2012.
According to IDC, which coined the term UTM in the first place, the next evolution of UTM is what it calls “eXtensible Threat Management (XTM).” XTM solutions incorporate key management and networking features. Instead of being a feature or application on a networking platform, XTM appliances provide essential networking features and a centralized management console as part of a security solution that can support the networking needs of SMBs and distributed enterprises.
The UTM market has attracted a large number of vendors. Among the market leaders are Fortinet, Cisco, SonicWALL, Juniper, Secure Computing, Check Point, Watchguard, Crossbeam Systems and Astaro.
Vendors continue to add new features to the basic functionality of the products. For example, to provide protection against inbound and outbound attacks at all levels, Juniper Networks integrates a complete set of best-in-class content security software features (Unified Threat Management features) into its platforms through partnerships with the leading content security vendors in the market. “By consolidating switching, routing, and security services in a single box, organizations can economically deliver new applications and services, secure connectivity, and quality end-user experiences. Juniper's high performance platforms deliver WAN connectivity and security, plus the muscle to protect the high-speed LAN against internal network and application-level attacks while simultaneously stopping content-based attacks,” says Tarek Abbas, Senior Systems Engineering Manager, Juniper Networks.
SonicWALL Unified Threat Management (UTM) solutions employ an expanding array of seamlessly integrated services featuring gateway anti-virus, anti-spyware, intrusion prevention, enforced desktop anti-virus, content filtering and application firewall. SonicWALL’s continuous real-time threat protection and dynamic signature updates ensure the strongest defense posture with minimal IT intervention.
In November 2008, Fortinet introduced a UTM product that gives organizations the ability to segment their networks for greater policy granularity and event isolation.
More vendors are adding new messaging security capabilities such as e-mail spam filtering and instant messaging security, and Web security features such as Web application firewalling and content filtering, says Jon Crotty, research analyst for security products and services at IDC.
Crotty says other new developments in UTM include centralized management using graphical interfaces, enabling network-wide changes for licensing and upgrades, and network features such as latency and throughput monitoring, automated event correlation and network logging.
If your organization is considering implementing a UTM system, here are some things to consider.
What do you really need?
Before looking into products on the market, determine the specific security needs of your organization.
The same can be said for purchasing many types of IT security products, but it's especially true with technologies such as UTM appliances, which combine a number of security functions into one system.
There are several dozen UTM products on the market, and they vary broadly in terms of features, capabilities and price. Not all organizations will need particular security features and capabilities that could drive up the total cost of the technology as well as the complexity involved in implementing the systems.
“Not all organizations will require all particular security features and capabilities of UTM solutions that could increase the cost of ownership as well as the complexity of deployment. If you are going to evaluate a UTM appliance, start with the basics: What are your needs? How big is your company? Is your company growing? This would narrow down the product list to enterprise or SMB,” says Shahnawaz Shiekh, Regional Sales Manager of SonicWALL.
The most critical aspect is the vendor's ability to deliver the latest security updates, such as virus and attack signatures, as early as possible. “Having a sophisticated security device with outdated threat signatures is almost as good as having no security at all. The threat research behind a truly consolidated UTM solution will comprise the effort of a team of researchers experienced in a variety of threats and countermeasures, supported by knowledge-sharing structures and processes designed to highlight the ways in which multi-mode attacks can combine different threats,” says Judhi Prasetyo, Regional Channel Manager, Fortinet Middle East.
Investigate and Test
Many organizations, especially smaller ones, don't have the time or resources to test products in-house. But they can take advantage of published product reviews and use the testing services available from organizations such as ICSA Labs (formerly International Computer Security Association), Crotty says.
Larger enterprises that have the resources “should select three or four vendors and try to kick the tires in a lab,” Crotty says.
He suggests that organizations conduct two types of tests. The first is to test the products' performance against the configuration that the organization plans to use and those specific functions that will be enabled.
The other is to test the products with all the features engaged on the UTM. “This will give you an idea of performance should you eventually want to enable more applications than you do now,” Crotty says. “You want that room to grow and should look at [these capabilities] when making the initial purchase.”
Cost versus scalability
When selecting a product, take into consideration a range of factors, including cost, scalability, centralized management and vendor support.
Cost, throughput and management are the key criteria for evaluating UTM devices, says Richard Stiennon, chief research analyst at IT-Harvest, an IT research firm.
“There is the purchase price and the subscription price to consider as URL filtering, IPS and AV all require constant updates,” Stiennon says. “Does the vendor do their own research or do they use databases from third parties? The management interface should be as unified as the actual device.”
Scalability and distribution are other key considerations. Organizations with a lot of branch offices need to make sure that a UTM appliance is capable of supporting remote users. “That's when scalability and performance with hundreds or thousands of users really comes into play,” Crotty says.
It's also critical to take a look at the management console of a UTM appliance. “With UTM, this is very important,” Crotty says. “Does it have a SIEM [security information and event management to gather and analyze security log data from different systems]? Can you enable applications easily? Can you do universal policy configurations and changes? What about system upgrades? With UTM, these [factors] are just as important as what the box does.”
Effective centralized management is especially vital for large enterprises that have a lot more users to support.
UTM systems should not have separate consoles for each function, Stiennon says. “Rather, protection profiles that define URLs, IPS and [antivirus] signatures to apply based on a specific group of users should be integrated with a firewall rule manager,” Stiennon says. “Updates should be easy to push from a central management console to multiple devices.”
How the UTM system is supported and maintained by the vendor is another key consideration for companies. “Some of these vendors have been aggressive in offering customer service; we've seen a lot of customers jump in just because of that,” Crotty says.