Should You UTM?

When it comes to security devices, there are a lot more decisions to make than there used to be. Features that used to be market differentiators are now a given even on low-end commodity appliances, homogenizing offerings over the last few years. Market leaders have responded by adding new features and technologies to create what are now often referred to as Unified Threat Management (UTM) or Next-Generation Firewalls (NGFW).

So, what are these mythical creatures, what are they good for, who should consider them and why are they named after now-defunct space fantasy shows?

All valid questions. I’m glad I asked them on your behalf, and I’ll be happy to answer myself for you.  

What They Are

In a nutshell, these firewalls are designed to combine the function of numerous security technologies inside a single device. In addition to traditional firewall rules, you may find such features as:

  • Web Filtering
  • User Identification
  • DLP
  • IPS/IDS/IDP
  • GRC
  • Threat Modeling
  • Web Application Firewall
  • Remote Access
  • SSL Decryption
  • Anti-Spam
  • Anti-Malware/Antivirus
  • WAN Optimization
  • Web Proxy
  • Vulnerability Scanning
  • Halfway Decent Espresso Machine (Okay, this is more of a suggestion to the industry. I’d buy it, and I’m not alone.)

In many respects, firewalls are an ideal point for inspection of data since they already inspect most, if not all, traffic in an organization. These hybrid devices tend to be very attractive from a pricing standpoint when compared to the cost of buying separate solutions for each technology. They can help simplify complicated designs by reducing the number of nodes that traffic must be sent through, and they may offer a more manageable learning curve for leanly staffed organizations. 

What They Are Not

For all that these devices can do, there are a few critical things to bear in mind before running out to buy one for your environment. Packing all these features into a single box can have some downsides, too. 

Performing all these operations generally means higher latency and significantly higher requirements for system resources, particularly RAM and CPU. An overtaxed box can behave unexpectedly and either impact performance negatively or allow uninspected traffic to pass. 

Another thing to remember is that firewall manufacturers may have a lot of experience with firewalls, but these other technologies are not firewalls. Your chosen vendor may not have much experience in with these added features. So, you might have to accept some tradeoffs in terms of protection compared to a best-of-breed approach.

Beware of optimistic performance metrics and other overstated claims. It is important to look and ask around before moving forward with one of these devices.

So, to UTM or Not to UTM?

There’s no formula for determining if an organization is a good candidate for UTM/NG firewalls, but here are a few questions to help determine if you are NOT a good candidate:

  • Is value your top priority in a security purchase?
  • Do you carefully track SLAs?
  • Do you have four or more of the technologies listed above already in use?
  • Do you make firewall changes during business hours?
  • Do you have a security staff of more than four?
  • Do you follow a rigorous change management policy?

If you answer ‘yes’ to more than a couple of these questions, UTM/NG firewalls may not be suitable for your data protection needs. But unless you know for sure they will not work for you (and why would you be reading this if you were?), they are certainly worth a look.