The UTM is maturing. What I find most interesting is that the fundamental concepts behind UTMs have not changed much since they began to be popular as an economical way to protect the perimeter. What has changed are two important things: their functionality is increasingly tightly coupled and the number of functions is growing significantly.
Starting with the second, we saw a lot more functionality — larger feature sets — than in the past. We define a basic UTM as a device that has, at minimum, an IDS/IDP, anti-virus gateway and firewall. Not all of the products that claimed to be UTMs had this basic functionality. Beyond the basics, we saw specialized anti-malware, including anti-phishing and spam protection.
We see this as a two-edged sword. The more that you expect the device to do, the more performance is required. For large networks, innovative perimeter architectures are necessary to ensure performance and to compensate for a single point of failure.
That said, for many small- and medium-sized organizations, this increase in the anti-malware features is a big plus. This is where we see the real changes taking place in this product group: increased anti-malware capability.
As to feature sets and their interconnection, in years past UTMs looked like devices made out of several products cobbled together under a single interface. The interfaces were awkward. The products worked, but sometimes with a lot of difficulty. The first year that we tested UTMs, it was a challenge even to get them to work properly. Now they are the easiest product Group Test that we do. That translates to the best rate of maturing of any group we see.
Today, the interfaces are slick and we really are looking at a single product with multiple functionalities, all working seamlessly together. All of our products were appliances, which setup quickly and easily. While I wouldn’t say that these products follow a standard approach to setup and the user interface, they are about as close together in both of those as I have seen. This makes support easy, especially if you have inherited UTMs from multiple vendors.
How to buy a UTM
Start with your requirements and the size of your network. The architecture for placing UTMs on very large networks is important and is not trivial to implement. I generally recommend multiple UTMs on enterprises with lots of individual networks placed geographically apart.
Most of the UTMs we looked at can be managed centrally and some can communicate and correlate data into a single analysis. If you have such a disbursed enterprise, make sure that the system you select can do correlation from several individual devices.
As for traffic size, that depends on what you expect the UTM to do. If you are filtering something that comes in very high volumes — such as spam — make sure that the device you select can handle your volume without performance hits. Sometimes, architecturally, it makes more sense to buy the extra product — in this case, an anti-spam tool — than to try to make one device do everything without any performance degradation.
How we tested
Testing for this product group consisted of building a typical network and inserting the UTM on its perimeter. We implemented all of the functions available on the product and we connected to the recommended additional services, such as a DNS server. We tested performance in two ways.
First, we attacked the products with our suite of vulnerability and penetration tools with the firewall turned on and tightened up per manufacturer’s recommendations.
Our second set of attacks was against the product with the firewall turned off. This tests without the firewall protecting the IPS. Universally, we found these products to resist our efforts well.
Prior to performing the attack testing, we performed the manufacturer’s recommended setup procedure. This usually consists of using a console device or a front panel LCD to assign IP addresses to interfaces along with masks, gateway addresses and the like. Once that is done, most products allow a web connection over an out-of-band port or connection from a Java console.
We had no products this year that resisted setup and configuration. That is a good improvement over prior years. Overall, our impression was that the UTM really is coming into its own. It won’t be long before it will take over as the staple in perimeter protection.
John Aitken and Mike Stephenson contributed to these reviews.