One word - functionality - characterizes today's unified threat manager (UTM). As I described in the product section opener, there has been an evolution from the past back to the future. But, really, that does not tell the whole story. In the early days of multipurpose appliances, I had two main architectural concerns.
First, there was no defense-in-depth. If the gateway security failed - and it usually failed open to avoid shutting off the enterprise from the rest of the world - protection was gone. One good virus attack and your network was toast.
The second issue was performance. The gateway represented a single point of failure. If the gateway itself - meaning hardware, operating environment or some other key piece of the appliance's infrastructure - failed or was overloaded with traffic, you were cut off from your upstream networks, such as the internet. Neither of those concerns are major issues today.
Performance these days is covered admirably by any of several architectural approaches to failover. Defense-in-depth finally has become everyone's mantra, not just the IA pro. The vendors are building security in layers and those layers, more and more, are interacting with each other. Sounds as if we've reached information security nirvana. Well, not quite, but at least the light at the end of the tunnel is not likely to be an oncoming train.
The issues that affect us today are not the same as the ones that impacted us 10 years ago. Attackers are far more sophisticated and attacks are more and more likely to be automated. The rate of malware proliferation - as well as the ever-broadening definition of malware - is off the charts. Even the motives behind cyber attacks have changed - not just evolved but changed - radically.
The problem of automated attacks, especially those that manifest as insider attacks (e.g., user errors resulting in allowing malware to enter the enterprise), poses some serious challenges to any form of gateway protection. In earlier days, the idea of a SQL Slammer attack or a Code Red infestation seemed novel. But today these types of attacks are common. The good news is that they are not as likely to penetrate the enterprise as in days past. The UTM and protection at the endpoint have pretty well taken care of those and, for the most part, those attacks are nuisances if not serious incursions.
The attacks that keep us awake at night are far more subtle. These are the attacks that result in widespread credit card theft, extortion, theft of trade secrets and other worrying impacts. These attacks are very hard to detect and mitigate. Discussions with colleagues has convinced me that the types of attacks that used to trouble us are clearly on the wane. They are being replaced by the waxing of subtle, very professionally conducted attacks. Why?
The answer to that lies in two major areas. First, motivations have changed from those of the traditional bad boy (or girl) hacker to the cyber mercenary. Cyber-enabled theft is a very safe way to make an illicit living as we all know. The second enabler is that, unlike hackers of yore, today's attackers have plenty of resources. Some are state-sponsored, some are hiring out to organized crime, and some are simply skilled freelance thieves.
So, how does all of that fit into this month's Group Test review of UTM gateway appliances? These appliances have a lot more to deal with than they ever did in the past. With the influx of a plethora of applications, they do a very credible job of addressing current problems. The weaknesses of the old multipurpose appliances - lack of defense-in-depth and single point of failure - have become the strengths of the modern UTM. It is as hard to get stuff out of the network (data leakage) as it is to get bad stuff (and people) into it.
The ability of a unified threat management gateway to be truly unified is the key. Comprehensive policy engines, for example, are a major key to the success of a UTM. Add excellent scalability and manageability and you have the basis for a solid chunk of the security architecture for most enterprises. When you plug in the endpoints, your security infrastructure almost is there.
How we tested
The test bed this month was fairly straightforward. The gateway was set up as it would be in a normal enterprise - between the untrusted network and the trusted network. Then we generated various types of threats from the untrusted network targeting machines of different types on the trusted internal network.