Customers using unified threat management devices say the appliances represent a more streamlined way to provide multiple security functions and to track down security data, but don’t necessarily meet all gateway security needs adequately.
This category of equipment is about 4 years old and has really caught on — IDC projects more than $3 billion in sales in 2011 — with most firewall appliances supporting options that make them UTMs and offering a way to simplify networks by eliminating boxes.
For instance, the Columbia Association, a nonprofit government agency that oversees the planned city of Columbia, Md., switched this year to using Cisco ASA routers with UTM functionality that enabled the association to drop a VPN concentrator, firewall and intrusion-detection system — all Cisco gear — and the Cisco Security Agent software deployed on the association's servers.
Instead, the ASA performs all those functions, says Columbia Association’s IT director Nagaraj Reddi. Adopting the ASA to pick up the functionality of the individual products gave Reddi a way to quickly assess what otherwise would have been spread across four other platforms. "We had nothing to put these logs together," Reddi says. "Now we can monitor them all in one place."
This kind of unified reporting from UTMs can give a broad view of overall network health and activity, says Grant Nickle, the IT director for Underwriters Safety and Claims in Louisville, Ky., which uses an Astaro Security Gateway UTM. It replaces two devices — a Cisco PIX firewall and a Novell Border Manager proxy — and provides functionality the company lacked before, namely intrusion protection, gateway antivirus and SSL VPN.
Initially, Nickle was skeptical that the device could perform all of its functions well, but he says it does and generates an executive report daily that he finds valuable for its snapshot of the previous day's activity application by application. It reports concurrent traffic, CPU and memory use, the number of packets filtered and top users.
"It answers 95% of the questions I might have about the network," he says. For greater detail, he can drill down to the activity of a particular IP address or the top categories of blocked URLs. Before, he had to dump logs from Border Manager and sort them. The Astaro reporting makes it easier to find data he needs to voluntarily comply with Statement on Auditing Standards 70 requirements, which demonstrate to outside parties that companies follow accepted auditing procedures.
While consolidating functions on a single device has its upside, not all UTM users are satisfied that they provide the best protection. Cedarville University, a 3,000-student school in Cedarville, Ohio, uses paired SonicWall E7500 UTMs, but other gear that duplicates some of their functions is still desirable, says Nathan Hay, Cedarville's network engineer.
In addition to firewalling the network, the UTM gear performs intrusion prevention, gateway antispyware screening and URL filtering, Hay says.
He chooses to double up the URL filtering with a St. Bernard Software iPrism Web-filtering appliance that offers more than the Web filtering on the UTM, he says, such as logging and built-in reports. "I get more complete features with the purpose-built Web filter," he says.
But because the URL filtering is available on the UTM and doesn't overtax the machine, he uses it with the theory that one filter might catch something the other misses.
Hay recommends making sure the UTM is the right size. Initially the school had a smaller SonicWall PRO 5060 that bogged down so it turned off URL filtering and the intrusion-prevention system (IPS), he says. With the larger device processing the IPS and antivirus screening, it runs at 30% of capacity or less. "The 7500 has lots of horsepower and we wanted it to grow with us," he says.
Tift Medical Center in Tifton, Ga., uses a Watchguard UTM for its firewall capabilities and gateway antivirus screening, but would like to use more features such as antispam and e-mail filtering. Focusing on a single device would help simplify troubleshooting problems and finding threats, says Alan Lewis, network administrator at the medical center.
"For the most part we are using other things. I’m trying to move more and more to the UTM to simplify and consolidate my network," Lewis says.
But he also doubles up some protection. For instance, he uses both gateway and desktop antivirus because he doesn't believe the gateway can stop all threats. "Not in a large environment like ours. There's too many ways to get in," Lewis says.
He uses a McAfee e-mail filtering appliance in addition to e-mail protection on the UTM as well, relying more on the appliance.
"I'm not using [the UTM] to the fullest. It's on a low-level setting to catch the obvious things," he says, and the specialized device is used to do deeper inspection.
Lewis says ultimately he would like to use the Watchguard gear for antispam, antivirus and e-mail filtering to reduce complexity. He has separate security event management tools, firewalls and Zix e-mail encryption service for medical businesses. "I've got lots of places to look," when something goes wrong, he says.
Columbia Association's Reddi says switching from multiple Cisco devices to the ASA saves him on licensing and maintenance fees. Plus the single chassis reduces energy consumption, so the UTM is green as well, he says.