Enterprise UTM security: The best threat management solution?


Mike Chapple, Contributor
05.20.2009


If you believe everything you read, enterprise unified threat management (UTM) products and appliances are the silver bullet for information security. These all-in-one boxes claim to offer a panacea for any enterprise's security ailments, with functions including network perimeter protection, content filtering, malware protection and more. However, I've never met a security professional who believes everything he or she reads! In reality, UTM provides decent network security for small and midsized businesses, but probably has no place in the enterprise.

What is unified threat management (UTM)?
UTM products are, quite simply, several security products combined in a single device. From a performance standpoint, this is a perfectly reasonable thing to do. As we all know, many specialized servers, such as those often used to host security applications, sit idle for a substantial portion of the time. Hosting multiple services on the same server is resource efficient, reducing unused capacity.

The basic building block for a UTM product is a network firewall. (For more on firewalls, read my Firewall Architecture Tutorial.) The other components of the UTM will depend upon the vendor and model that you select. Common features include:

  • Spam protection
  • Content filtering
  • Antivirus/antispyware protection
  • Intrusion prevention

UTM vendors will be happy to show you fancy charts and graphs "proving" that you'll save tons of time and money by deploying UTM products in lieu of separate components. However, based upon my experience, other than saving a few minutes performing basic NIC configurations and the like, deploying a UTM product doesn't really make a significant dent in the time you'll spend configuring and working with the product. On the other hand, the cost savings do exist, as getting multiple security services from a single device -- and a single purchase -- can provide good value for your IT dollar.

UTM deployment risks
From my perspective, there are two major risks involved when deploying a UTM product: lack of fault tolerance and lack of vendor diversity. Fault tolerance is a major concern because a hardware or software failure that disrupts the UTM box will take down all of your security services simultaneously. Depending upon your network configuration, this will either take your entire enterprise offline (just wait for that phone call at 3:00 a.m.!) or cause an outage of your entire security infrastructure, which is also not an ideal scenario. With UTM, you lose the comfort of knowing that each security service runs on its own hardware platform, isolated from the ripple effects of an outage in another security service.

Vendor commitment is, in my opinion, the greatest downside to UTM products. Take a moment and think about the first UTM offering that comes to mind and the company that produces it. How would you classify that company? If you said "firewall vendor," that's what you'll be buying: a firewall developed by that vendor with some other security features bolted on so they could apply the UTM moniker. Similarly, a UTM product from a content filtering vendor will have excellent content filtering capabilities, most likely supplemented by a mediocre firewall. Is that really what you want?

I'm a big fan of the "best-of-breed" approach to security infrastructure: Find the best firewall, the best IPS, the best content filter (and so on … ) and tie them together with a great security information and event management (SIEM) product. That approach simply isn't possible in the world of UTM.

The role of UTM
So now that I've walked you to the edge of a cliff with a UTM box in your hands, let's back up a few steps. I can think of at least two scenarios where UTM can play an important role in securing a network.

First, for a small or medium-sized business, UTM may be the right approach. The cost savings and convenience of having all of these features hosted on a single box may simply outweigh the benefit of having the best individual products available. If that's the case, by all means, consider a UTM.

Second, if budgetary or other constraints prohibit the company from purchasing spam protection, content filtering, malware protection or an IPS, a UTM is a great way to get a feature that you wouldn't otherwise have by adding a small cost on to a previously planned purchase. With this approach, remember to consider the added feature a "freebie" and don't let it play a significant role in the purchase decision. Find the best possible firewall and then see if, for example, the IPS thrown in for free is suitable for use in the environment.

In conclusion, unified threat management products are probably a little overhyped. They do take advantage of unused hardware capacity by hosting multiple security services on the same hardware platform, but security pros are unlikely to see significant time savings as a result and may find themselves chained to a non-ideal vendor. That said, if the budget won't permit an alternative, UTM just might be the way to go.

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

