Unified threat management 2007

Last year we looked at multipurpose appliances and found that there were a few that met the definition of a unified threat management (UTM) tool. We were critical of the hype surrounding the emerging category of UTM and pointed out that to be a true UTM, according to analyst firm IDC anyway, the product must include, at minimum, a firewall, intrusion detection and prevention and anti-virus functionality. At that time, many products claiming UTM status really were only multipurpose appliances. These products tended to have a lot of anti-malware capability and nothing else.

This year, as with many of the product groups we have reviewed in 2007, the UTM group is maturing rapidly and, in fact, is taking over market share from the multipurpose products. The result is a true UTM that has a lot of anti-malware capability. There is good news and bad news here.

First, the bad news

The bad news is that this creates a single point of failure. It also creates a bit of a dilemma for security architects. If one buys a first rate UTM, especially one with a lot of anti-malware capability, how does one justify purchasing an additional anti-malware gateway? While I suspect that next year at this time we will see almost no pure anti-malware gateways (we’re almost there now), today there are a few very competent anti-malware gateways available.

From my perspective, the justification of a first rate anti-malware gateway (such as Trend’s offering) is a no-brainer. Not only does that approach give me relief from the single point of failure problem, it lets the two products do what they do best.

And now, the good news

The good news is that the UTMs we tested all are very competent. In fact, in some cases, we were hard-pressed to find significant differentiation between some products, and the dashboards even look similar. There is no doubt that this product category is taking off.

We found some very interesting results in our testing. For example, when we decoupled the firewall from the IPS, we generally found that the UTM stopped our attacks anyway. That was good news because we had tested products in the past that needed the firewall running for the IPS to be effective. That’s a bad thing, and we generally spank products that have that fault.

Another thing that we found was that most products sensed our scans and simply blackballed us. As far as our scanner was concerned the target simply disappeared from the network. When we attempted penetration from a different address, the products resisted each individual attempt competently. This is a significant improvement over prior years.

Generally speaking, the UTM market is solidifying and the products are becoming well-defined. For the foreseeable future it’s my bet that this convergence of unified threat management and anti-malware gateways will define perimeter defense. The UTM developers already have the anti-malware functionality, although it may not stand up to some of the better anti-malware gateways. It remains for the anti-malware folks to add UTM capability. Look for that in the next 12 to 18 months.

How we tested

We used our newly implemented attack pod to test these unified threat management products. The attack pod consists of two scanners and a penetration tool plus a command and control center. The scanners are Nessus 3 and NetClarity. The penetration tool is Core Impact. We are adding the Mu 4000 vulnerability analysis tool to the pod (to be reviewed as a First Look next month), but we did not have it implemented fully in time for these tests.

NetClarity and Core Impact are premier tools of their types. Both are rated SC Magazine Lab Approved, and we love having them in our test suite. Because we have tested the anti-malware capabilities of all of these UTMs in the past, we did not focus on such things as catch rates. We were interested, however, in how well the anti-malware capabilities meld with the core UTM functionality. We also were interested in reporting and how easy the product was to manage. In general, just about any of these products will do a credible job for you.

- Mike Stephenson contributed to this Group Test.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.