Font Size

- Aa +

Thu 2 Aug 2007 12:00 AM

Font Size

- Aa +

Boxing clever

UTM appliance vendors are adding advanced functionality to their products - but industry observers continue to highlight ongoing issues with the devices.

"UTM systems have been around in one form or another since the start of the decade. It's only in the past few years, however, that the technology has entered the mainstream IT security market," says Shahnawaz Sheikh, regional sales manager for SonicWall.

And an entry it has been, especially in the Middle East market. Over the last two years, UTM appliances have become popular security choices for companies, with sales growing by 45% year-on-year according to some statistics. The attraction of these devices, especially in the Middle East, is easy to understand. Bundling in several security solutions (the minimum requirement is an IPS, firewall and antivirus package) in one go, the devices promise a one-box solution that can easily reduce the complexity that an IT manager may have to deal with, especially at the perimeter.

While most of these devices are being bought and implemented by SMBs, vendors and industry watchers believe that enterprises also use them in certain network topologies.

"Enterprises typically buy a firewall at every internet connection. In the last few years, as internet connectivity has become cheaper and more branch offices are connected directly to the net, enterprises have been investing in UTMs to provide protection. Almost 80% of all enterprise UTMs are employed in branch office infrastructure," says John Pescatore, VP and distinguished analyst for infrastructure protection at Gartner.

Just as more switch vendors are including security, so security vendors can include more networking functions.

Some vendors even argue that enterprises are beginning to use the UTM appliances at the core and gateway. While that point is debatable, it is true that the recent spurt in demand for the devices can be partly attributed to the fact that vendors are beginning to pack in more features.

One box to rule them all

"The first generation of UTM devices weren't unified in any way. Most of these early day appliances ran compute-intensive software applications in one-server-like boxes and this obviously created performance problems. The architecture has been updated since then and the second generation of products address this issue to a certain extent," says Pescatore.

As UTM appliances move into the second generation (some argue third generation) of operation, the type of features that are being packed in vary from vendor to vendor.

"Apart from the minimum functionality that most UTM devices come with, SSL VPN has been added recently, along with protecting peer-to-peer protocols such as interactions over Skype or across VoIP. The appliances have the potential to include a lot more functionality, including WAN optimisation. Fortinet has been working on traffic shaping, which is the beginning for WAN optimisation, and looking at compression and caching for the future," says Richard Steinnon, chief marketing officer for Fortinet who believes that devices with these features could be available within a year's time.

"WAN optimisation is very important since everything is becoming web-based. Appliances are also getting better on the hardware front. Secure will soon be launching an eight CPU box with 4Gbytes of memory. The appliances are becoming more powerful and there are fewer concerns over speed. We have just introduced a full-blown IPS in our appliances and added a new feature called Trusted Source. This is a reputation-based security option that checks back with our servers on the reputation of every IP address that tries to access a network. Our server definitions meanwhile are updated every four hours," says Tareque Choudhury, pre-sales manager for MEA at Secure Computing.

The problem areas

Between the development of UTM features and the large number of sub-1000 employee businesses in the Middle East, UTMs have become ever more popular in the region.

However, UTM devices come with their own set of problems chief among them being performance issues and the fact that they act as a single point of failure to network security. In fact, these are issues that have existed since the appearance of UTMs and what vendors suggest now are newer solutions.

"Concern over devices becoming single points of failure can be largely taken care of by clustering, as many users do," says Choudhury.

L K Pathak, senior manager for corporate communications at Elitecore says, "There is no doubt that, at some level, they are a single point of failure. But depending upon the situation, a single point of failure might be manageable with a standby. On the other extreme some may prefer to compare it with stand alone boxes and say that having separated boxes for firewall, IPS and so on just represents multiple single points of failure. If any of them fail, it could bring your network down. At least in the UTM model you just have to worry about one box, not several." (Elitecore is the owner of Cyberoam appliances.)

Some vendors though believe that UTMs can actually help ensure connectivity at the office.

"Often it is not the UTM device that becomes the single point of failure for the enterprise, but the WAN connection itself. This is why some UTM devices from Juniper are capable of providing other options for the office to re-route traffic. In this way, these appliances actually save the organisation from downtime instead of causing it," asserts Tarek Abbas, regional systems engineering manager at Juniper.

As for performance levels, Fortinet's Steinnon agrees that throughput could be adversely affected when more of the UTM's promised functionality is switched on.

"Having VPN in place can affect throughput by a certain amount. Switching on IPS and antivirus functions can do the same as well, taking away from network throughput and affecting optimal performance," he says.

Choudhury however disagrees, stating that an enterprise is likely to face the same performance issues even if they were to use different boxes for each of the functions.

All considered, UTM appliances still restrict the security solutions that an IT manager can choose from. IT managers can no longer pick from best of breed solutions and has to be satisfied with a single vendor solution package, as in the case of Fortinet, or have third party solutions bundled into the appliance, as is the case with Juniper.
Keeping all of those possible pitfalls in mind, vendors advise customers to be fully aware of the functionalities they need when investing in an appliance.

Of more importance is that users take the time out to test these devices in their own environments or consult independent third party test statistics to understand performance issues when functions are switched on.

"UTMs are not a replacement for any other security technology - either stand-alone boxes from us or software from any of our partners. It is a complementary technology that has to be linked and integrated across enterprise environments," says Juniper's Abbas.

"The bottom line is that these appliances do not, regardless of initial appearances, represent a universal solution for security in any organisation. They need to be designed and built into the security and network infrastructure of enterprises, just as is done with any other security measure or device," says Elitecore's Pathak.

The end is nigh?

For all their success in the region, some believe that the days of UTM devices are numbered. They point to the changing competitive landscape - where more switch vendors are building security elements into their products - as indicative of the trend.

"It's very much a competitive environment. At the higher end especially, switch vendors are adding some security functionality. This is completely natural since the direction is to link networking and security functionalities rather than separate them. In fact, systems that do not do security run the risk of becoming obsolete," says Fortinet's Steinnon.

"Just as more switch vendors are including security, so security vendors, such as Fortinet, can include more networking functions such as switching and routing. And since the hard part is including security, there is much more opportunity for the security vendors than there is for traditional switching vendors," he adds.

Juniper is another vendor which is extending its UTM functionality by adding routing capability.

Some vendors state that low-end competition is also on the rise with the entry of several, non-branded, cheap appliances which are making an appearance in the region. While these do not offer serious competition yet, they still have the potential to impact the market, especially as they come at nearly half the price of branded UTMs.

That being said, the real competition for UTMs might come from a rapidly maturing customer base, which is shifting from appliances and hardware to higher end software and extended integration across the infrastructure in order to achieve higher operational efficiency and coordination with business strategy.

"UTMs do a good job for SMBs. But with large enterprises and organisations there is the need for scalable and reliable solutions which, I believe, UTMs as we traditionally describe them might fail to meet. I have yet to see a suitably scalable UTM. At Cisco, we are leading the next stage in security where we believe that the network becomes the platform for delivering integrated security," says Cherif Sleiman, chief technologist for Cisco MEA, quite unsurprisingly.

Nevertheless, there are parts of the industry which believe that the UTM and what it signifies is far from an eventual demise.

"At Gartner, we consider UTMs and their functionality as part of the next generation firewall category. Unlike other analyst firms, we do not believe that UTM appliances are a separate category, they are just part of the firewall market. We will only see them change, modify and add on functionality for the future," says Pescatore.

"One key area that we see functionality emerge in is to address the growing threat of customised attacks on enterprises. Today's antivirus and IPSs are not very good at detecting these specific threats since they look only for known threat signatures on a global scale. We will see more functionality related to the behavioural analysis of executables that are delivered on incoming messages. That is the direction we are going to go in. That is how firewalls are going to change," Pescatore adds.

As UTM devices add more features, all indications are that these security appliances are here to stay - for a while longer at least.

Before you buy…

NME presents some of the top considerations CIOs should keep in mind when investing in a UTM device:

1. Know what you want the UTM for and where it will sit in the network.

2. Assess the functionalities that you would need in a UTM device - avoid buying features that you do not need.

3. Be aware that a UTM is not a standalone security device and has to be used in conjunction with other products/solutions and a strong policy.

4. Check the market thoroughly on the choices available to you.

5. Pick a vendor who has local support and service options, otherwise you run the danger of holding a dud box in a short time.

6. Always ask the vendor for a test run. Preferably ask it for independent third party test results with the appliance in question.

7. Invest in the UTM only after running a pilot in your own office to get a true measure of the issues you might face.

8. Remember to assess the performance of the device with as much of the functionality switched on as possible.

9. Remember to invest in a good management platform and reporting solution - many vendors believe that users do not monitor their UTM devices and lose out on efficiency due to inadequate reports.

For all the latest tech news from the UAE and Gulf countries, follow us on Twitter and Linkedin, like us on Facebook and subscribe to our YouTube page, which is updated daily.