UTM: A united front
- SC Magazine, August 2006
A single box that can protect your network from all known evils sounds great, but does the reality live up to the hype? Rob Buckley investigates.
StreamShield's Bennett remains sceptical, however, of many vendors' performance claims. “If you look at most of these UTMs, there's a massive disconnect in terms of the processing power for functions such as the firewall, where you might get line-rate performance, versus threats such as complex URL filtering and spam filtering. Instead of telling you the line rate, they'll say: 'We can handle 20 to 30 emails per second.' They rarely talk about performance.”
Many of these enterprise-grade products force a re-examination of what a UTM actually is. Are they UTMs performing UTM services, or some other devices that have been adapted to claim UTM capabilities?
In theory, there are many possible advantages to a UTM that combines specific services. Security devices that perform content filtering need to collect packets, assemble them in the right order and work out what their intent is. With a set of individual content-filtering security devices, each performing a separate task, this procedure has to be repeated with every device. With a single box, it potentially only has to be done once. Equally, a single device should make management simpler, and it should be able to pass the information gleaned from one step on to the next.
The facilitator approach
Yet, while vendors such as Fortinet produce their own security software for their enterprise products, solutions from suppliers including Crossbeam and Nortel simply aggregate other vendors' security software onto a single box and only offer management consoles for each individual service.
“We take what the customer defines as best of breed,” says Chris Hoff, chief security strategist at Crossbeam Systems. “We don't manage software. It would be impossible trying to keep up with 15 vendors.” He argues that “true” UTM is not just bundling software from the same vendor onto one platform; the only way to get actual benefit is to take the best appliances from different vendors and integrate them onto a platform that “does not hamper network performance in any way”.
Although this removes most of the benefits of unification, leaving just the rationalisation of hardware as the big attraction of such an approach, it does allow companies to use best-of-breed software. Hoff argues that it is the only real way to provide the necessary protection to enterprises at the moment. “Why have McAfee pulled out? It's not because the market isn't there. It's because UTM is difficult to do well.”
It also avoids the restriction of UTM to the functions prescribed by a particular vendor. Hoff says that it's possible to install other security functions such as XML and web services protection on Crossbeam's hardware, something many UTMs won't allow you to do.
Indeed, one failing of virtually all UTMs is that while their own software may integrate well, the device won't integrate with anything other than itself and other UTMs. “How well do they integrate? Not very well,” says Roberto Casula, technical director of systems integrator Applinet. “If you've got a box that claims to do A, B, C, D, E and F, if you want G, usually you can't. (The vendor's) hope is you won't need any other product since that weakens the proposition of a 'unified threat manager'.”
It's a complaint that Tim Keanini, chief technology officer at security vendor nCircle, often hears from his enterprise clients. “All UTMs are single-vendor oriented. I'm finding customers are continuously asking for interoperability, and it's not just multi-vendor interoperability. Clients are asking companies: 'Please, can you get your own stuff to talk together?'” At the moment, says Keanini, few vendors are developing standards and interfaces to work towards interoperability, although he expects that to change in the next few years.
