Enterprise UTM vs next-generation firewalls

Clarifying Terminology

Today we have a thoughtful contribution from security expert Patrick Bedwell, vice president, product marketing at Fortinet, the well-known provider of unified threat management systems. Patrick challenges the view that next-generation firewalls are a new and superior technology to unified threat management systems (such as the ones manufactured by Fortinet). Everything that follows is Patrick's own work with minor edits.

* * *

There's currently a lot of discussion in security circles about next-generation firewalls (NGFW; over a million hits on "next-generation firewall" in a Google search in mid-July 2010). Some writers believe that an entirely new, innovative technology has emerged in NGFWs; in my view, NGFWs are a subset of the existing unified threat management (UTM) systems market, or even simply the next step in the continued evolution of traditional firewalls. The discussion is leaving some chief information security officers (CISO) wondering how NGFWs differ from UTM systems.

Lifting the hood on next-generation firewalls

Next-generation firewalls are generally described as tightly integrating firewall functions, intrusion-prevention systems (IPS), VPN technologies and robust application-control capabilities. All of these features have historically been offered by many security products.

One of the most touted technologies in NGFW products is an application visibility-and-control capability. This is being promoted as one of the most significant advancements in security technology since the introduction of the stateful firewall. But is it really so innovative? The simple definition of application control is the ability to detect an application based on the application's content rather than the traditional layer 4 protocol (port and transport). Since many application providers are moving to a Web-based delivery model, the ability to detect an application based on its content is important, but not especially innovative. Consider that the proposed innovation is just taking traditional firewall controls and applying them at the Application Layer (7) of the ISO OSI (Open Systems Interconnection) Reference Model instead of at the Transport Layer (4) where they originated. This change is important, but not worthy of a new category of firewall. NGFW capabilities such as application control are critical parts of the firewall, but nothing more.
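To make the layer 4 vs. layer 7 distinction concrete, here is an added illustration (not code from the author or from Fortinet): the same three constructed flows are classified first by destination port and then by inspecting the first bytes of the payload, and the same deny list is applied under both views. The signature table, the sample flows and the deny list are assumptions built for the example.

```python
"""Layer-4 (port) vs layer-7 (content) application identification.

Added illustration for this column, not code from the author or from
Fortinet. The signature table and the three sample flows are constructed."""
import re

# Constructed byte signatures for a couple of non-web applications.
CONTENT_SIGNATURES = {
    "bittorrent": re.compile(rb"^\x13BitTorrent protocol"),
    "ssh": re.compile(rb"^SSH-2\.0-"),
}
HTTP_REQUEST = re.compile(rb"^(GET|POST|PUT|HEAD) \S+ HTTP/1\.[01]\r\n")
HTTP_HOST = re.compile(rb"\r\nHost: ([^\r\n]+)", re.IGNORECASE)

def classify_by_port(dst_port: int) -> str:
    """Traditional layer-4 rule: the destination port names the application."""
    return {80: "http", 443: "https", 22: "ssh", 6881: "bittorrent"}.get(dst_port, "unknown")

def classify_by_content(payload: bytes) -> str:
    """Layer-7 rule: identify the application from the first bytes on the wire.
    Web-delivered applications are told apart by the Host header, not the port."""
    for name, signature in CONTENT_SIGNATURES.items():
        if signature.search(payload):
            return name
    if HTTP_REQUEST.match(payload):
        host = HTTP_HOST.search(payload)
        if host:
            return "http:" + host.group(1).decode("ascii", "replace").strip().lower()
        return "http"
    return "unknown"

def decide(dst_port: int, payload: bytes, blocked: set) -> dict:
    """Apply the same deny list under both views of the flow."""
    l4, l7 = classify_by_port(dst_port), classify_by_content(payload)
    return {"l4": l4, "l7": l7,
            "l4_verdict": "deny" if l4 in blocked else "allow",
            "l7_verdict": "deny" if l7 in blocked else "allow"}

# Constructed sample flows: (description, destination port, first payload bytes)
SAMPLE_FLOWS = [
    ("P2P handshake sent to port 80", 80, b"\x13BitTorrent protocol" + b"\x00" * 8),
    ("web app request on port 80", 80, b"GET /feed HTTP/1.1\r\nHost: social.example\r\n\r\n"),
    ("ordinary SSH session", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
]
DENY_LIST = {"bittorrent", "http:social.example"}  # constructed policy

if __name__ == "__main__":
    for label, port, payload in SAMPLE_FLOWS:
        verdict = decide(port, payload, DENY_LIST)
        print(f"{label:32} port says {verdict['l4']:10} -> {verdict['l4_verdict']:5}"
              f" | content says {verdict['l7']:20} -> {verdict['l7_verdict']}")
```

The first two flows are allowed by the port rule and denied by the content rule, which is the whole of what "application control" adds; neither rule says anything about whether the content an allowed application carries is malicious.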

Today's security risks

Attacks are both application-aware and application-agnostic at the same time. That is, attacks seek out legitimate applications to carry their wares, but are not targeted only to specific applications. For example, we can assume a peer-to-peer (P2P) application is more likely to carry attack content vs. a known commercial application. But attacks have been carried by legitimate business applications as well. In fact, some of the most notable attacks have carried their threats via some of the most widely used commercially-available applications, including Facebook and Twitter. Does this mean you should use the application control feature of an NGFW to block Facebook and Twitter? Unfortunately, it can't always be that black and white.

Enter UTM

The reality of security today is that deeper inspection of all content is essential, vs. just the application allow / deny approach offered by NGFW devices. For example, to protect against the recent Conficker virus, an enterprise would have needed a firewall, Web filtering, network antivirus, IPS, anti-spam and host-based antivirus in addition to an efficient automatic updating mechanism for all of these devices. Enter the UTM solution, which is a superset of NGFW products. The application policy capabilities are a feature of UTM; the technologies are more focused on scrutinizing the content of legitimate applications and on blocking unwanted applications to ensure threats are not passed via application communications. In other words, a UTM solution continuously monitors even trusted applications to ensure the application's behavior or content is not malicious.

Admittedly, the main challenge for UTM vendors has historically been the ability to scale to large enterprise deployments, since the amount of content inspection is significantly greater than in traditional firewall and NGFW products. This challenge is due to the focus on detecting sophisticated threats and protecting the system from such attacks. The key for UTM vendors to meet this enterprise challenge is to evolve their solutions in the area of custom hardware acceleration. Hardware acceleration provides real-time traffic reassembly and threat analysis at gigabit/second speeds. When broad security capabilities including firewall, IPS, VPN, application control, antimalware, Web filtering and other features are combined in one device, integrating custom hardware with custom ASIC acceleration is essential to ensure low latency with high throughput for all application traffic. With latency and resiliency issues out of the way, UTM is clearly an economical, secure and easily managed option for large enterprises – and one that brings much more than just NGFW buzz.

[DISCLAIMER: Mich Kabay has no involvement whatever with Fortinet other than occasionally accepting and editing articles from Fortinet authors for publication in this column.]

* * *

Patrick Bedwell is vice president, product marketing at Fortinet, and has more than 13 years of experience in the network security and network management industries. Prior to joining Fortinet, Patrick held product marketing and product management leadership positions at Arcot Systems, McAfee, SecurityFocus, Network ICE and Network General. Patrick earned an MBA with honors from Santa Clara University and a BA degree in English from the University of California, Berkeley.


Copyright © 2010 IDG Communications, Inc.