This is the hot review of the year. The herd of UTMs queued up on our loading dock ready for testing was prodigious. For this test, SC Lab Manager Mike Stephenson beefed up the test bed to unload all our guns against the victims. The results were most interesting.
First, UTMs have broken the traditional mold and now contain just about anything that you can conceive of putting on the perimeter. We saw anti-spam, anti-malware, firewalls and the rest of the usual gateway tools all neatly packaged into 10 appliances - no software or virtual appliances.
The breadth and depth of covered protocols improve every year. We saw P2P and IM coverage added to products that lacked it last year.
The price-performance ratio also continues to improve, as does the products' robustness.
In short, we liked pretty much all that we saw. But, as always, we liked some more than others. UTM reviewing in the SC Labs has gone from picking the best of a questionable bunch a very few years back to struggling to pick the winner from a boat-load of winners.
Buying a UTM
The game is changing. There are now very competent endpoint security products - we look at several this month in our other group review - so the notion of spreading defense-in-depth across the enterprise is now viable. In the case of the UTM, we have come to expect a lot of functionality. However, functionality at any cost is not the goal. For example, many organizations already have excellent anti-malware gateways and do not need that function duplicated in a UTM. So, review your security and network architecture at the perimeter and decide what you need before you decide what to buy.
Manageability is a key aspect of a successful UTM deployment. If you have a widely distributed enterprise, figuring out how to manage remote appliances can be a challenge. Pick products that fit into your existing architecture and can be managed centrally. The same is true of reporting and alerting. Make sure the capabilities of the UTM fit your needs in both respects.
Another consideration is the nature of the rest of your security architecture. There is something to be said for slotting a UTM into an existing system made up of siblings from the same product line. That usually integrates management and makes the whole architecture more solid. The downside is that weaknesses are often endemic to a given product line, and adding new products from that line to your architecture simply perpetuates the weakness. Be sure that you are getting the protection you need, even if that means sacrificing homogeneity.
Network architecture is a key issue as well. If your perimeter is built around a DMZ or multiple perimeter networks (such as online banking systems), you might want to consider pairing the UTM with a traditional firewall. This adds defense in depth at a very sensitive part of the enterprise. It also keeps a second, separately configured enforcement point in front of the most sensitive systems, so a single rule error or bypass on the UTM does not expose them.
The last issue to consider is performance. Because a UTM runs several inspection engines over every packet, it can become a bottleneck at high-traffic perimeters. Test throughput with the features you actually intend to enable switched on, not just the firewall-only figure, and where the device sits in the critical path be sure that your choice supports high availability.
How we tested
UTM testing is great fun. We set up some of our meanest attack tools and threw everything we could at the products. We set up a complete network of targets that we protected with the devices under test. Then, we set up an attack machine on the other side of each device (the WAN side).
We started with the firewall wide open and ran Nessus against the targets to see whether the IPS alone would stop the attacks. Generally, we found the IPS's default state was 'report only': it logs what it sees but blocks nothing, so admins must fully configure it before it is of any use as a control. That default is not wasted, though: the report-only output characterizes the traffic actually passing through the UTM, which is exactly what you need to tune the blocking rules effectively.
Once we knew what was passing through our devices, we tightened them down and ran Nessus again. The idea was to get past the UTM and hit the targets it was protecting. If we saw anything inviting, we opened up our big guns - Core Impact - and let fly. Those of you who attended the SC World Congress may recall that we demonstrated a UTM test there. The difference this time is that Core has continued to update its attack modules, so each month there are more tests for us to try.
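The two-pass method above (characterize from 'report only', tighten, rescan, then hand what is still reachable to the exploitation tool) is easy to script. The following is an added example, not SC Labs' tooling and not output from any of the products reviewed: the IPS log format, the TEST-NET addresses, the signature names and the two scan summaries are all constructed for illustration.

```python
"""Baseline-then-tighten helper for a UTM under test.

Added example, not SC Labs' tooling.  Assumed inputs: IPS alert lines from
the 'report only' run and two port-scan summaries (firewall wide open vs.
tightened).  All data below is constructed; the log format is an assumption.
"""
from collections import Counter

WAN_NET = "203.0.113."   # attacker side of the UTM (TEST-NET-3, assumed)
LAN_NET = "192.0.2."     # protected targets (TEST-NET-1, assumed)

# Constructed 'report only' IPS output; assumed format:
#   <timestamp> action=<alert|drop> sig=<name> src=<ip> dst=<ip>:<port>
IPS_LOG = """\
2009-03-01T10:00:01 action=alert sig=SMB_PROBE src=203.0.113.5 dst=192.0.2.10:445
2009-03-01T10:00:02 action=alert sig=SMB_PROBE src=203.0.113.5 dst=192.0.2.11:445
2009-03-01T10:00:03 action=alert sig=HTTP_TRAVERSAL src=203.0.113.5 dst=192.0.2.20:80
2009-03-01T10:00:04 action=alert sig=P2P_HANDSHAKE src=192.0.2.30 dst=198.51.100.7:6881
2009-03-01T10:00:05 action=drop sig=IM_LOGIN src=192.0.2.31 dst=198.51.100.9:5222
2009-03-01T10:00:06 action=alert sig=HTTP_TRAVERSAL src=203.0.113.5 dst=192.0.2.20:80
"""

# Constructed scan summaries: (target, port) pairs the WAN-side scanner reached.
OPEN_SCAN = {("192.0.2.10", 445), ("192.0.2.11", 445),
             ("192.0.2.20", 80), ("192.0.2.20", 22)}
TIGHT_SCAN = {("192.0.2.20", 80), ("192.0.2.20", 8080)}


def parse_alerts(text):
    """Turn log lines into dicts; blank or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        fields = {}
        for tok in parts[1:]:
            key, _, val = tok.partition("=")
            fields[key] = val
        if {"action", "sig", "src", "dst"} <= set(fields):
            rows.append(fields)
    return rows


def characterize(rows):
    """Split report-only alerts into the buckets you tune from.

    inbound  : WAN->LAN alerts, i.e. attacks reaching protected targets
    outbound : LAN-originated alerts (P2P, IM), a policy decision
    blocked  : rows the device already dropped
    """
    inbound, outbound, blocked = Counter(), Counter(), Counter()
    for r in rows:
        dst_ip = r["dst"].rsplit(":", 1)[0]
        if r["action"] == "drop":
            blocked[r["sig"]] += 1
        elif r["src"].startswith(WAN_NET) and dst_ip.startswith(LAN_NET):
            inbound[r["sig"]] += 1
        else:
            outbound[r["sig"]] += 1
    return {"inbound": inbound, "outbound": outbound, "blocked": blocked}


def enforce_candidates(rows):
    """Signatures to flip from 'alert' to 'drop', busiest inbound first."""
    inbound = characterize(rows)["inbound"]
    return [sig for sig, _ in inbound.most_common()]


def residual_exposure(open_scan, tight_scan):
    """Diff the wide-open scan against the tightened rerun.

    still_open : what the exploitation pass should be aimed at
    unexpected : reachable only after tightening, i.e. a rule-change bug
    """
    return {
        "closed": sorted(open_scan - tight_scan),
        "still_open": sorted(open_scan & tight_scan),
        "unexpected": sorted(tight_scan - open_scan),
    }


if __name__ == "__main__":
    rows = parse_alerts(IPS_LOG)
    print("enforce first:", enforce_candidates(rows))
    for bucket, hosts in residual_exposure(OPEN_SCAN, TIGHT_SCAN).items():
        print(f"{bucket:>10}: {hosts}")
```

The 'unexpected' bucket is the check worth keeping: a port that shows up only after you tighten the policy means the rewrite opened something, and that is the kind of error a homogeneous rule set hides until the rescan.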
The results this year were quite satisfactory. Bottom line? If you can't find what you need in the way of a UTM here, it probably doesn't exist.