
UTM: A united front


A single box that can protect your network from all known evils sounds great, but does the reality live up to the hype? Rob Buckley investigates.


UTMs are an evolution of previous technologies and offer little or no extra protection. Picking a UTM is as much about deciding which technologies - and which definition of UTM - the organisation actually needs as it is about picking a vendor. A belt-and-braces approach that also includes host protection will be vital in any organisation that has a remote or mobile workforce. For the truly security conscious, the “unified” concept will be pretty much ignored in favour of threat management, while a small organisation might be prepared to sacrifice some of that for a unified device.

No organisation, however, should expect a UTM to solve all its security problems, management headaches or performance issues. But it should certainly solve some of them - if implemented correctly.

WHY AND HOW DID THE TECHNOLOGY EMERGE?

Unified threat management (UTM) is a term invented by Charles Kolodgy of IDC in 2004. He devised it as a name for a new breed of firewalls that could analyse and block traffic packets for reasons other than their destination and origination.

Traditional firewalls could typically block TCP and UDP packets based on the service they were trying to access, the location of that service and the location of the sender of the packet. For example, a traditional firewall would be able to block access to the Secure Shell service on a network by stopping any packet trying to request services on TCP port 22. But the firewall might allow access from a particular trusted IP address, such as a branch office LAN hidden behind a router, or from anyone on the internal LAN using IP addresses in the standard private range.

However, with more and more services running on port 80, the web services port, firewalls' ability to block malicious traffic began to decrease. It also became apparent that customers wanted to be told about potential threats, not just have them blocked. So vendors began to add intrusion detection and traffic analysis capabilities to their firewalls, to provide improved attack analysis and to block traffic based on content as well as destination and origination.
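As an added illustration (not from the article), the following Python model shows the port- and address-based decisions described above and why they cannot see a threat carried inside permitted port-80 traffic; a crude content check stands in for the inspection that vendors added. The address ranges, rule table and content marker are constructed for the example.

```python
# Added example: a minimal stateless packet filter in the style of a
# traditional firewall, beside a content-aware variant. Not the article's code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    src: str            # source IP address
    dst_port: int       # destination port
    proto: str = "tcp"
    payload: str = ""   # a port/address filter never looks at this field

# Constructed ranges: internal LAN and a trusted branch office (RFC 5737 range).
INTERNAL_LAN = ip_network("192.168.0.0/16")
BRANCH_OFFICE = ip_network("203.0.113.0/24")
ANY = ip_network("0.0.0.0/0")

# First-match rule table: (action, protocol, destination port, source network).
RULES = [
    ("allow", "tcp", 22, INTERNAL_LAN),   # SSH from the internal LAN
    ("allow", "tcp", 22, BRANCH_OFFICE),  # SSH from the trusted branch office
    ("deny",  "tcp", 22, ANY),            # SSH from anywhere else
    ("allow", "tcp", 80, ANY),            # web traffic from anywhere
]

def traditional_firewall(pkt: Packet) -> str:
    """Decide purely on protocol, destination port and source address."""
    src = ip_address(pkt.src)
    for action, proto, port, net in RULES:
        if pkt.proto == proto and pkt.dst_port == port and src in net:
            return action
    return "deny"  # default deny when no rule matches

# Constructed marker standing in for a real IDS/anti-virus signature.
SIGNATURES = ["CONSTRUCTED-BAD-CONTENT-MARKER"]

def content_aware_firewall(pkt: Packet) -> str:
    """Apply the port/address rules first, then inspect the payload."""
    if traditional_firewall(pkt) == "deny":
        return "deny"
    if any(sig in pkt.payload for sig in SIGNATURES):
        return "deny"
    return "allow"
```

The port-80 packet carrying the marker is allowed by the traditional rules and only denied once the payload is inspected.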

With traffic analysis capabilities in place, a whole range of additional security services became possible. Vendors began to add more and more of these features, including junk email filtering, anti-virus capabilities, anti-spyware, VPN access and web content filtering.

As well as providing differentiation from other firewall vendors, these additional features opened up new potential markets. In particular, SMBs, tired of the management overhead of security and worried by the increasing number and variety of threats, grew interested in the promise of an all-in-one box that could block all malicious traffic.

IDC's current definition requires a UTM to be a security appliance that “must be able to perform network firewalling; network intrusion detection and prevention; and gateway anti-virus”, even if not all of these features are used by its owner.

However, each vendor essentially came to UTM via its own route. As UTM became a recognised concept, albeit one not clearly defined in the minds of many potential customers, more vendors began to create “UTM” products. Some integrated different products they already had; others acquired products and companies and integrated these. Others, however, simply changed the definition of UTM to encompass their own products, even if no one else agreed with that definition, with many firewalls capable of only one other security function being reclassed as UTMs.

CASE STUDY

