Product Group Tests
Unified threat managementMarch 03, 2014
We are even beginning to see UTM products for the virtual world.
The whole idea behind a UTM is that one takes to the enterprise a handful of security tools that belong at the gateway, puts them all in the same box, lets them talk to each other and share data, and then manages the tools under a single pane of glass. Pretty good in theory, but how well does it work?To answer that question we need to look at the issues that a UTM is intended to address. The first thing we can look at - and this is one of the traditional functions - is the firewall. Firewalls benefit from bandwidth and data. As well, especially if they are application layer firewalls, they benefit from being able to do deep-packet inspection. They also produce data - in that they collect the results of access attempts that result in denies. Well-configured firewalls, in some cases, also make pretty good data leakage prevention tools.
The aspect that really benefits from lots of data is the intrusion prevention system (IPS). The IPS makes judgments based on the full contents of the packet, especially the header, of course, but payload can be extremely important. While we don't need deep detail in many cases for alerting, or even blocking, there are certainly situations that demand a closer look at the data. Particularly when there may be malware involved, the IPS can act as a companion to the anti-virus (AV) gateway.The AV gateway can act in a number of ways. Of course it looks at data coming into the network, but it also can provide connections to the backend - i.e., the endpoint devices. Kith and kin to these two gateways we have the email and content filtering functionality. All of these inspection tools acting together have two significant features: they do a lot of analysis and they take a lot of resources. Performing an AV scan, comparing reputation against white- and blacklists, looking at firewall rules all take resources - on the network and, especially, in the UTM device itself.
This is a hard assignment this month. We saw several really superb products and shoppers are really going to need to analyze unique requirements closely to make the right choice. Often in this column, readers hear that all the tools we examine are competent so they won't go too far wrong selecting, in most cases. Not this month. The differences between these products are subtle. Your choice will depend on such things as your network architecture, your bandwidth requirements, what kind of a target you are (bank, manufacturer, government agency, etc.) and what your overall attack surface is.Probably the most important piece of today's UTM is the AV engine. Just about every major attack has a malware component, and much of the malware is zero-day. You need a better-than-competent AV tool in that environment. So the big question is whether you select a tool that uses its own AV engine or someone else's. Both have advantages, often involving cost. Generally speaking, if you already are using an AV tool at the endpoints that you like, pick a UTM that can work well with it. One of the ways to defeat single point of failure not involving bandwidth is to focus on defense-in-depth. By that I mean that because there are two things that can go wrong at the gateway - failure or overloading - when you start dropping packets you take the chance that you will drop something to which the UTM needs to alert you.
The bottom line: These tools are your first line of defense. Select them carefully to meet your requirements - and don't forget to take into account your plans, if any, to virtualize or go to the cloud - and over-build a bit when it comes to managing bandwidth. It's better to have your UTM loafing some than it is to have it groan under a load.Now, on to this month's products.