UTM firewalls: Ready for the enterprise

Our testing shows that unified threat management appliances aren't just for the SMB market anymore

Deciding whether and where to deploy UTM appliances in a large enterprise is a complicated decision, because such an appliance can become a single point of failure and a performance bottleneck. That said, Network World Lab Alliance member Joel Snyder argues that UTM is, indeed, ready for the enterprise.

IT managers at small and midsize businesses like unified threat management (UTM) appliances - firewalls that layer on antimalware protection, content filtering, antispam and intrusion prevention - because deploying a single, multi-function device reduces costs and simplifies configuration.

However, deciding whether and where to deploy UTM appliances in a large enterprise is a more complicated and difficult decision. The idea of a single point through which all traffic flows as an obvious locus for threat mitigation doesn't work when a network has dozens, hundreds or thousands of distinct locations. Also, because performance is a critical issue in large networks, savvy network managers often seek to distribute threat protection rather than centralize it, simply to reduce the likelihood of a performance bottleneck.

Similarly, the style and quality of threat mitigation features one commonly sees in an SMB UTM may not be of interest to an enterprise, where requirements are more exacting and security architectures are more complex. For example, the antispam features and functionality in UTM firewalls pale compared with those in stand-alone enterprise-class dedicated antispam/antivirus appliances.

Enterprise UTM pros and cons

Pros:
- Complexity: High availability and scalability are dramatically simplified in UTM.
- Management: A single management interface enables better coverage for less effort, and reduces the possibility of mistakes.
- Flexibility: The ability to bring security services in and out of the equation quickly best supports threat response requirements.
- Cost: Long-term costs for UTM will likely be lower than for individual point solutions.

Cons:
- Performance: Enabling threat response features causes a huge performance hit and makes performance unpredictable.
- Choice: Bundled threat response represents choices the vendor made based on partnerships and commercial interests, not necessarily matching what you'd choose for your own network.
- Features: Threat mitigation bundled into firewalls usually doesn't match the functionality and features of stand-alone products.
- Separation: Different teams are responsible for different threats, and requiring coordination and agreement between them can be difficult and time-consuming.

With such dramatic differences between SMB and enterprise requirements, is there a place for enterprise UTM firewalls? The answer is definitely "yes," for these three reasons: reduced complexity, simplified management and increased flexibility.

Reduced complexity

Enterprise network managers have long sought to include additional threat protection, especially intrusion detection/prevention systems (IDS/IPS) functions, both at the core and at the perimeters of their networks. However, the complexity of dropping standalone IDS/IPS boxes into a network has made them wary.

Building the "firewall sandwich," with load balancers surrounding a core of clustered firewalls, is well understood, but trying to scale that sandwich up with another layer of protection dramatically increases architectural complexity and potential instability.

A simple sandwich is settled science for network architects, but adding layers turns it into an art, dramatically increasing the difficulty of the project and opening the door to failures and instability. It's like adding just one more piece of cheese to that Dagwood sandwich: Not only will you be unable to get it in your mouth, but the whole thing may fall apart on your plate.

Enterprise UTM with integrated IDS/IPS can give network managers additional security throughout the network without the massive increase of complexity that stand-alone IPS devices would create.

Simplified management

It's pleasant to imagine a single UTM console that can handle everything from IP routing to IDS alerts, but enterprise security teams often want different management systems for a reason: different people are responsible for different kinds of threats and configuration.

Nevertheless, some level of management integration can reduce the task of handling these different functions. For example, every management console must hold the network objects that are used to define policy: here are my mail servers, here are my users, this is the guest network, here is where the Internet is.

Each time those same objects must be typed into a different management system, and each time these objects are updated and adjusted, there is an opportunity for human error or miscommunication to create a security hole. A single management console that shares objects across different functions simplifies the complex task of management.

This single management view is especially valuable when firewall, VPN and IDS/IPS are considered together because all three of these functions act on the same policy. Each of these functions needs to have some view of the topology of the network, what applications are running on different servers and what different groups of users are allowed to do. Completely separate management for all three functions makes coordinated policy maintenance difficult, if not impossible.

A single UTM-ready management console realistically enables a fine-tuning of policy across all three functions, increasing total security.
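The risk described above, of the same object being typed into several consoles and drifting apart, is easy to check for even when the consoles cannot share objects. The following script is an added example, not code from the article or from any UTM vendor: it takes three constructed "console exports" (the object names, addresses and dict-of-lists format are assumptions made for illustration, not any product's real export format) and reports, per object, which console's copy fails to cover address space that another console's copy includes.

```python
"""Detect drift between the copies of shared network objects that separate
security consoles keep.

Added example, not code from the article or from any UTM vendor. The three
"console exports" below are constructed for illustration: the object names,
the addresses and the dict-of-lists format are assumptions, not any product's
real export format.
"""
import ipaddress

# Constructed exports. Each console holds its own copy of "the mail servers",
# "the guest network" and "the Internet", typed in separately and drifted.
FIREWALL_OBJECTS = {
    "mail_servers": ["10.0.1.10/32", "10.0.1.11/32"],
    "guest_net": ["192.168.50.0/24"],
    "internet": ["0.0.0.0/0"],
}
IPS_OBJECTS = {
    "mail_servers": ["10.0.1.10/32"],        # second mail server never added
    "guest_net": ["192.168.50.0/23"],        # /23 typed instead of /24
    "internet": ["0.0.0.0/0"],
}
VPN_OBJECTS = {
    "mail_servers": ["10.0.1.10/32", "10.0.1.11/32"],
    "guest_net": ["192.168.50.0/24"],
    # "internet" was never defined on this console
}
CONSOLES = {"firewall": FIREWALL_OBJECTS, "ips": IPS_OBJECTS, "vpn": VPN_OBJECTS}


def to_networks(prefixes):
    """Parse a list of CIDR strings into a set of ip_network objects."""
    return {ipaddress.ip_network(p, strict=False) for p in prefixes}


def subtract(nets, others):
    """Return the address space in `nets` that no network in `others` covers.

    Two CIDR blocks either nest or are disjoint, so each step either drops a
    block, carves a hole out of it with address_exclude(), or leaves it alone.
    All inputs are assumed to be the same IP version.
    """
    remaining = list(nets)
    for other in others:
        kept = []
        for net in remaining:
            if net.subnet_of(other):
                continue                                   # fully covered
            if other.subnet_of(net):
                kept.extend(net.address_exclude(other))    # carve out a hole
            else:
                kept.append(net)                           # disjoint
        remaining = kept
    return set(ipaddress.collapse_addresses(remaining))


def find_drift(consoles):
    """Compare every console's copy of each object with the union of all copies.

    Returns {object_name: {console: [uncovered prefixes]}} listing, for each
    object that is not identical everywhere, which console's copy fails to
    cover part of what the other consoles think the object is. A console
    with no copy at all is reported as uncovering the whole union. The check
    cannot tell which copy is right; it only shows that a human must reconcile.
    """
    names = set().union(*consoles.values())
    drift = {}
    for name in sorted(names):
        copies = {c: to_networks(o[name]) for c, o in consoles.items() if name in o}
        union = set(ipaddress.collapse_addresses(set().union(*copies.values())))
        for console in consoles:
            gap = subtract(union, copies.get(console, set()))
            if gap:
                drift.setdefault(name, {})[console] = sorted(str(n) for n in gap)
    return drift


if __name__ == "__main__":
    for name, gaps in find_drift(CONSOLES).items():
        for console, missing in gaps.items():
            print(f"{name}: {console} does not cover {', '.join(missing)}")
```

Run against the constructed exports, the check flags the second mail server that the IPS console never learned about (so its traffic goes uninspected), the guest network whose mask differs between consoles, and the "internet" object missing from the VPN console. It deliberately does not decide which copy is correct: the point of the paragraph above is that each divergence is a place where the teams must agree, and a shared object store removes the divergence rather than detecting it after the fact.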

Increased flexibility

Enterprise security architects generally scoff at the plethora of features, such as antivirus, antispam, antimalware and antiphishing, that are being built into SMB UTM devices. With a "best of breed" mentality and correspondingly large budgets, they are barely interested in activating IPS features in their existing firewalls. However, there are always specific situations where the ability to turn on, for example, antivirus, may be a huge benefit.

Having additional security features latent in large firewalls that can be activated with the click of a mouse gives the network manager increased flexibility, which is of significant value. For example, blocking incoming viruses in a UTM firewall may be a life-saver when the normal antivirus appliances suddenly stop working because of hardware, software or update failure.

Or consider the requirements of a guest user network: Most enterprises use HTTP proxies to provide content filtering and antiphishing protection for their own users, but may prefer to give guest users a different kind of protection rather than take on the support burden of making sure guest devices work properly with the enterprise proxy. It may be simpler and more effective to enable these features in a UTM firewall for those networks.

The flexibility to bring security services in and out of the equation quickly using a UTM firewall supports threat response requirements - even if those features are rarely used.

Snyder is a senior partner at Opus One, a consulting firm in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.
