The notion of combining the various security devices to protect your network isn't new, but lately the market has become more competitive with the entry of CheckPoint Software's UTM-1 product. UTM stands for unified threat management, and the idea has a lot of appeal – combine firewall, intrusion detection and prevention, and virtual private networks (VPNs) inside a single piece of hardware. Then wrap around some management software so that a security manager can have a single view of what is attacking your network.
According to IDC, UTMs are the fastest growing segment of the security appliance market and by next year they will even outsell firewalls and VPNs. But finding the right UTM appliance will take some careful research and testing. Here are some questions to get you started down the right path, along with the leading products that satisfy each criteria.
1. Do you need protection for remote offices that don't have local IT staff?
If your remote offices have grown beyond a home office and require something more sophisticated to handle a network, then the UTM products have a lot of appeal: you can manage them remotely, often with just a Web browser.
2. How many security services do you want to consolidate into one box?
Most UTM products come with support for at least five different security services: firewall, intrusion detection and prevention, virtual private network (VPN), anti-virus and anti-spyware email scanning. Some add additional protection features, such as Web applications firewalls, outbound attack scans, and Web content filtering modules. You probably don't need to activate all the modules at the beginning, and some are probably more important to you than others. You also might not wish to replace existing firewall or VPN services on your headquarters network, but want these services deployed on branch office networks.
Figuring out which security services to start off with is also important for two reasons. First, the active services determine how much you pay. Each vendor licenses the separate modules with a complex price sheet, and if you don't need anti-virus, for example, there is no sense in paying extra for it. Second, the more services you enable, the less performance you get out of your box, so turning off the ones you don't need can have a big impact.
3. Are you satisfied with you current virtual private network?
The UTM boxes work best with setting up site-to-site VPN connections to encrypt traffic over the Internet from your headquarters to branch offices. Some of them, such as Astaro, Checkpoint, and Fortinet, also include rudimentary Secure Sockets Layer (SSL) VPNs that are useful for connecting remote users too. While these SSL VPNs aren't as feature-rich as dedicated VPN appliances from Juniper, Aventail and F5 Networks, they can be a good place to start to deploy SSL VPNs and get an understanding of what they offer.
4. How important is outbound traffic scans?
All of the UTM products handle inbound intrusion scanning, with some of them, such as Astaro and Juniper, scanning for both network behavior patterns as well as checking for specific packet signatures as traffic comes across their interfaces. But some of the UTM products also scan outbound traffic for potential attacks, such as the products from Secure Computing, Internet Security Systems (ISS is owned by IBM) and Sonicwall.
5. What is the target throughput range of your Internet connection?
UTM products come in various sizes to match the expected throughput and traffic profiles of their connection. And as we said earlier, the more services that are enabled, the lower the overall performance. Some models, such as those from Juniper and ISS, have expansion slots where you can add network processors and extra memory as your traffic increases. Others have less flexibility, meaning that you will need to completely replace them with a new box. And obviously, the more demanding traffic needs, the more you will have to pay.
6. Do you presently own firewalls from CheckPoint, Juniper, Cisco or others?
If your headquarters’ firewalls are from these three vendors, you need to examine how important is it to stick with the same vendor when it comes to deploying UTM boxes in your branch offices. None of these three vendors offer the best-of-breed UTM appliance that can be found from Fortinet, Sonicwall, and ISS. However, all three offer management tools that can configure and view a range of products, so if you have already invested a significant amount of training in these products then learning about the UTM features isn't as much of a stretch. It comes down to a tradeoff between training and level of protection offered.
7. Do you have multiple administrators from different departments?
If you have a group of network administrators that need to concurrently manage the UTM box, then you should consider products from Astaro, Fortinet, or Juniper. All three allow multiple people to view and post configuration changes concurrently. Other products generally only allow a single administrator to make changes, which can get dicey if two (or more) people are connected at the same time.
8. Are you concerned with blocking Instant Messaging (IM) connections?
IM can be another attack vector into your network, and while there are dedicated solutions to block or monitor IM connections, it would be nice to incorporate IM protection when you deploy your UTM solution. However, this is still the hairy edge for the UTM world, and many vendors are still improving their products. Some products are better than others at blocking particular IM vendors. A good place to start on understanding these issues is to read IBM's PDF white paper here.
9. Do you frequently get emails with large (greater than 200 MB) attachments?
Most of the UTM products have an option to configure the maximum attachment file size: anything bigger is either blocked or automatically allowed through. If your users get frequent large attachments that are work-related (as opposed to downloading video and music files), you'll want to use Sonicwall, Secure Computing, or Astaro's UTM box, as these offer the most flexibility.
10 . Do you need extensive Web applications protection?
CheckPoint, Sonicwall, Juniper, and Secure Computing all offer protection mechanisms for blocking common Web server attacks such as cross-site scripting and SQL injection. If your company's Web servers are in remote locations or behind your corporate firewall, or if you are planning on setting up a new Web server on an unprotected network, then you need this feature.
As you can see, there is a lot under the covers to consider before you buy your UTM device, and many factors to weigh before you can match the appropriate product to your needs.