Unified threat management, demystified

Protecting the secrets of a uranium enrichment plant should be enough to keep any CIO very busy. But when Sarbanes-Oxley mandated even tougher controls on databases containing key financial information, David Vordick, CIO of USEC, a $1.9 billion public company that operates a gaseous diffusion plant in Paducah, Kentucky, knew he was going to get even busier.

His security defenses are complex and multi-layered; and while simplicity is generally a good thing, it's not Vordick's priority. "Our philosophy is defense in depth. That means looking at multiple (security) products from multiple vendors. We cannot be dependent on any one layer," he says.

Not every CIO has the same worries as Vordick, of course. But as regulations like SOX and PCI standards place increasing demands on IT's security capabilities, more and more companies are choosing to simplify network defense by using a security appliance that combines hardware, software, and networking technologies. U.S. companies spent $3.85 billion on network security appliances in 2006, an expenditure expected to nearly double by 2011, according to market researcher IDC.

As USEC designed its security architecture, Vordick and his team had a wealth of options. They could have chosen to install one or more UTM appliances, devices that handle multiple threats from a single chassis, or opted for a series of single-function, best-of-breed appliances.

USEC chose a best-of-breed database security appliance from Guardium, plus point products from other vendors, largely because the defense-in-depth strategy meant that the convenience of deploying and managing a single device was outweighed by the fear of creating a single point of failure, Vordick says. Moreover, USEC sought a security appliance that would serve as a check on IT employees with privileged database access who might seek to view or change data without proper authorization, an atypical function for a UTM.

The choices regarding network security appliances are complex, but your decision won't just come down to a technology issue, says John South, senior security consultant for Plexent, a Dallas-based IT service management company. "The real question is how do we get our business done and still protect the corporation?" he asks.

Here are some of the issues South suggests you consider regarding security appliances: How does security fit into my overall architecture, and where is the boundary of my network? How many people will it take to support my choice; do I have the staff or can I count on support from the vendor? If I choose a UTM, do I know that the services are well integrated and the device is ultra-reliable; if I choose a series of point products, will the overall solution be able to handle a blended threat, and do the separate devices work well together? Does the appliance, best of breed or UTM, offer adequate reporting capabilities?

And if you're thinking of combining functions in a UTM, consider this: Services such as firewalls, VPNs and intrusion detection are not particularly compute intensive, but are latency intolerant. Anti-virus, URL filters and the like are compute intensive, but much more tolerant of latency. Mixing the two classes of services on your network can slow down applications that are sensitive to latency, says South.

The Case for UTM

San Francisco-based DriveSavers had a different set of concerns when it decided to shore up its security strategy. Though the company has about 80 employees, its network handles an average of 12 terabytes to 14 terabytes of data every business day. Since the company handles critical data, including passwords, for its clients, the tolerance for security lapses is very small.

"We have the keys to (our clients') kingdom, so they want to be absolutely sure their information cannot be compromised," says chief security officer Michael Hall, whose company retrieves data from damaged hard drives. "An easy way for [clients] to validate is to probe our ports; we say 'hit me with your best shot,'" he says.

After taking the benign hit, DriveSavers techies collect the log data and get the evidence to the client. That seemingly simple task, however, was becoming a problem. "We were compiling logs from a number of different (security) appliances and had to consolidate. It was cumbersome, time consuming and from a business point of view, ineffective," says Hall.

Meanwhile, DriveSavers was growing rapidly, and it was a good time to look at the company's overall network architecture and see how security could be better integrated. Security goals included simple, 24-hour reporting capabilities, consolidated management, better use of space, ease of deployment and good network performance.

Ultimately, Hall deployed Cisco's ASA Adaptive Security Appliance, which consolidated intrusion detection, firewall, anti-virus and data leakage protection, plus a Cisco MARS (monitoring analysis and response system) box, which consolidates reporting functions. What about concerns regarding a single point of failure? Forrester Research analyst Rob Whiteley says that vendors have done a good job building reliability and redundancy into their devices. "Reliability has become moot," he says. Hall agrees, but just in case, he's kept his old, single function appliances installed and ready to use as a failover.

Compliance Tool

Compliance requirements can be another key reason to choose a UTM appliance, as was the case for San Diego's Paradigm Investment Group, which holds 96 Hardee's burger franchises in seven states. The problem: Paradigm needs to collect sales data and manage Web traffic, including feeds from security cameras, at each restaurant. While that sounds fairly straightforward, the PCI Security Standards Council mandates that point of sale servers must not only encrypt data, but also ensure that data related to credit card billing is securely separated from other types of network traffic, while remaining capable of moving data and fetching anti-virus updates.

That regulation has real teeth. Bogus credit card charges resulting from a hacker's efforts lead to a security audit and fines of up to $500,000, notes Paradigm CTO Greg May.

Since Hardee's restaurants don't have an IT staffer behind the counter, the company looked for a solution that included a central management console. They found it in UTMs from Fortinet, choosing the FortiManager, FortiGate and FortiWiFi products. Why WiFi? The chain has WiFi hotspots that need to be locked out of X-rated sites, and in the future the company hopes to mine marketing data from its public network, says May.

The system includes a firewall that segments traffic and sets up different security rules for each segment, an anti-virus function and content filtering. The system includes even more functions, such as a VPN, that Paradigm could easily turn on if needed.

Security appliances are getting a lot of buzz and there's plenty of debate about the virtues of UTM versus a best-of-breed approach. But it's worth noting that any security appliance, whether multifunction or single function, comes with some caveats. "In general, appliances cannot be virtualized," says Joel Pogar, director of security and network solutions with the Forsythe Solutions Group, a technology consulting and infrastructure solutions provider. And once an appliance is integrated into the network environment, it can be difficult to remove, he adds.

Even so, Pogar says that appliances, both multifunction and best of breed, have a number of advantages over conventional solutions, including performance. That's because the hardware and the OS are optimized for each other. And since applications are preinstalled on the appliance, configuration and deployment can be completed very quickly.

If UTMs are easier to manage, and best of breed devices offer tailored functionality, is there a way to get both? There may be. Crossbeam Systems offers an appliance that allows customers to run security services from any of Crossbeam's 20 or so best-of-breed partners.

Richard Isenberg, director of security for CheckFree, a provider of financial e-commerce products and services recently purchased by Fiserv, says his company's growth spurt brought on an epidemic of what you might call box creep. "We were adding boxes in every function, with more hardware costs and more people to manage."

Although that sounds like an argument for deployment of a conventional UTM, Isenberg says he didn't like the idea of getting all of his software from a single vendor. "Sure, the firewall might be great, but maybe the IDS isn't," he says. "Why should I settle?"

CheckFree was able to consolidate 20 IDS devices, 20 switches and 26 firewalls onto seven of Crossbeam's X-series appliances. Cost savings? Nearly $200,000 per year, with ROI in about three years, he says.

Isenberg disagrees with those who say UTMs create the risk of a single point of failure. In fact, he believes the opposite: "Every additional box creates more failure points."

John South, the Plexent security consultant, says Crossbeam is one of the few companies taking a hybrid approach. "All of the major players are designing point devices for secure services or packaging services into various sizes of appliances scaled from small to medium businesses up to large enterprises."

The debate over UTM vs. best-of-breed is really a debate that you must decide within your enterprise's walls. As Vordick puts it: "Risk tolerance and understanding the tradeoffs in the different platforms are decisions each company has to make."

This story, "Unified threat management, demystified" was originally published by CIO.

Copyright © 2008 IDG Communications, Inc.