The notion of combining the various security devices to protect
your network isn’t new, but lately the market has become more
competitive with the entry of CheckPoint Software’s UTM-1 product.
UTM stands for unified threat management, and the idea has a lot of
appeal – combine firewall, intrusion detection and
prevention, and virtual private networks (VPNs) inside a single
piece of hardware. Then wrap the hardware in management software so
that a security manager has a single view of what is attacking
According to IDC, UTMs are the fastest growing segment of the
security appliance market and by next year they will even outsell
firewalls and VPNs. But finding the right UTM appliance will take
some careful research and testing. Here are some questions to get
you started down the right path, along with the leading products
that satisfy each criterion.
1. Do you need protection for remote offices that don’t have
local IT staff?
If your remote offices have grown beyond a home office and
require something more sophisticated to handle a network, then the
UTM products have a lot of appeal: you can manage them remotely,
often with just a Web browser.
2. How many security services do you want to consolidate into
Most UTM products come with support for at least five different
security services: firewall, intrusion detection and prevention,
virtual private network (VPN), anti-virus and anti-spyware email
scanning. Some add further protection features, such as Web
application firewalls, outbound attack scans, and Web content
filtering modules. You probably don’t need to activate all the
modules at the beginning, and some are probably more important to
you than others. You also might not wish to replace existing
firewall or VPN services on your headquarters network, but want
these services deployed on branch office networks.
Figuring out which security services to start off with is also
important for two reasons. First, the active services determine how
much you pay. Each vendor licenses the separate modules with a
complex price sheet, and if you don’t need anti-virus, for example,
there is no sense in paying extra for it. Second, the more services
you enable, the less performance you get out of your box, so
turning off the ones you don’t need can have a big impact.
3. Are you satisfied with your current virtual private
The UTM boxes work best with setting up site-to-site VPN
connections to encrypt traffic over the Internet from your
headquarters to branch offices. Some of them, such as Astaro,
Checkpoint and others, also include rudimentary Secure Sockets Layer
(SSL) VPNs that are useful for connecting remote users too. While
these SSL VPNs aren’t as feature-rich as dedicated SSL VPN appliances
from Juniper, Aventail and F5 Networks, they can be a good place to
start deploying SSL VPNs and to get an understanding of what they
offer.
4. How important are outbound traffic scans?
All of the UTM products handle inbound intrusion scanning, and some
of them, such as Astaro and Juniper, check both for network behavior
patterns and for specific packet signatures as traffic crosses their
interfaces. Some of the UTM products also scan outbound traffic for
potential attacks, such as the products from Secure Computing and
Internet Security Systems (ISS, which is owned by IBM). Outbound
scanning is what notices an internal machine that has already been
compromised and is attacking or spreading outward, which an
inbound-only scan never sees.
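To make the difference between inbound signature scanning and outbound behavioral scanning concrete, here is a small Python example added for this article; it is not any vendor's engine. It classifies constructed flow records by direction against an assumed internal address range, runs illustrative payload signatures only on inbound flows (as most UTMs do), and raises a separate alert when one internal host fans out to many external hosts on the same port, the footprint a worm or scanner leaves behind. The address ranges, the signatures, the sample flows and the fan-out threshold are all assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical internal address space; a real appliance takes this from its
# interface configuration.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Illustrative payload signatures for inbound traffic (not any vendor's rules).
INBOUND_SIGNATURES = {
    "http-dir-traversal": re.compile(rb"\.\./\.\./"),
    "http-cmd-in-query": re.compile(rb"[?&]cmd=", re.IGNORECASE),
}

# Constructed flow records: (src, dst, dport, first payload bytes).
# External addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.1.2.3", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    ("203.0.113.8", "10.1.2.3", 80, b"GET /index.html HTTP/1.1\r\n"),
    ("10.1.9.44", "198.51.100.1", 445, b""),   # one internal host hitting
    ("10.1.9.44", "198.51.100.2", 445, b""),   # five distinct external
    ("10.1.9.44", "198.51.100.3", 445, b""),   # hosts on the same port
    ("10.1.9.44", "198.51.100.4", 445, b""),
    ("10.1.9.44", "198.51.100.5", 445, b""),
    ("10.1.9.45", "198.51.100.9", 443, b"\x16\x03\x01"),
    # Lateral traffic: the same traversal payload, but internal to internal,
    # so an inbound-only signature check never looks at it.
    ("10.1.9.45", "10.1.2.3", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(src, dst):
    """Classify a flow relative to the protected network."""
    s, d = is_internal(src), is_internal(dst)
    if d and not s:
        return "inbound"
    if s and not d:
        return "outbound"
    return "internal" if s and d else "transit"


def inbound_signature_hits(flows):
    """Signature check applied only to inbound flows; returns
    (signature, src, dst, dport) for every match."""
    hits = []
    for src, dst, dport, payload in flows:
        if direction(src, dst) != "inbound":
            continue
        for name, pattern in INBOUND_SIGNATURES.items():
            if pattern.search(payload):
                hits.append((name, src, dst, dport))
    return hits


def outbound_fanout_alerts(flows, threshold=5):
    """Behavioral check on outbound flows: an internal host reaching
    `threshold` or more distinct external hosts on one port looks like a
    worm or scanner running inside the network. Returns (src, dport, count)."""
    fanout = defaultdict(set)
    for src, dst, dport, _ in flows:
        if direction(src, dst) == "outbound":
            fanout[(src, dport)].add(dst)
    return [(src, dport, len(dsts))
            for (src, dport), dsts in sorted(fanout.items())
            if len(dsts) >= threshold]


def inspect_flows(flows, threshold=5):
    return {"inbound_signature": inbound_signature_hits(flows),
            "outbound_fanout": outbound_fanout_alerts(flows, threshold)}


if __name__ == "__main__":
    for kind, alerts in inspect_flows(SAMPLE_FLOWS).items():
        for alert in alerts:
            print(kind, alert)
```

Run as a script it reports one inbound signature hit and one outbound fan-out alert for 10.1.9.44; the internal-to-internal traversal attempt produces nothing, which is the gap a purely inbound scanner leaves.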
5. What is the target throughput range of your Internet
UTM products come in various sizes to match the expected
throughput and traffic profile of your connection. And as we said
earlier, the more services that are enabled, the lower the overall
performance. Some models, such as those from Juniper and ISS, have
expansion slots where you can add network processors and extra
memory as your traffic increases. Others have less flexibility,
meaning that you will need to replace the whole box with a bigger
one. And obviously, the more demanding your traffic needs, the more
you will have to pay.
6. Do you presently own firewalls from CheckPoint, Juniper,
Cisco or others?
If your headquarters’ firewalls are from one of these vendors,
you need to examine how important it is to stick with the same
vendor when it comes to deploying UTM boxes in your branch offices.
None of these three vendors offers the best-of-breed UTM
appliances that can be found from Fortinet, Sonicwall, and ISS.
However, all three offer management tools that can configure and
view a range of products, so if you have already invested a
significant amount of training in those tools, then learning the
UTM features isn’t as much of a stretch. It comes down to a
tradeoff between training and the level of protection offered.
7. Do you have multiple administrators from different
If you have a group of network administrators who need to
manage the UTM box concurrently, then you should consider products
from Astaro, Fortinet, or Juniper. All three allow multiple people
to view and make configuration changes concurrently. Other products
generally allow only a single administrator to make changes, which
can get dicey if two (or more) people are connected at the same
8. Are you concerned with blocking Instant Messaging (IM)
IM can be another attack vector into your network, and while
there are dedicated solutions to block or monitor IM connections,
it would be nice to get IM protection as part of your UTM
deployment. However, this is still the bleeding edge for the UTM
world, and many vendors are still improving their products; some
are better than others at blocking particular IM vendors’ clients.
A good place to start on understanding these issues is IBM’s white
paper on the subject (PDF).
9. Do you frequently get emails with large (greater than 200
Most of the UTM products have an option to configure the maximum
attachment file size the anti-virus engine will scan: anything
bigger is either blocked outright or passed through unscanned, so
check which of the two your candidate box does by default. If your
users get frequent large attachments that are work-related (as
opposed to downloaded video and music files), you’ll want to look at
the UTM boxes from Sonicwall, Secure Computing, or Astaro, as these
offer the most flexibility in handling them.
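The trade-off behind the attachment-size setting is easier to see in code. The Python example below is added here and is not taken from any of the products above: it builds a constructed multipart message with the standard library, applies a scan-size limit, and shows the difference between failing closed (oversize attachments are blocked) and failing open (they are passed through without ever being scanned), plus a per-sender override of the kind the article calls flexibility. The 200 KB limit, the marker string that stands in for a malware signature, and the addresses are assumptions for this example only.

```python
from email.message import EmailMessage

# Hypothetical engine limit; the article's "200" threshold is used here as
# 200 KB purely as an assumption for illustration.
MAX_SCAN_BYTES = 200 * 1024

# Constructed stand-in for a signature hit; not a real malware sample.
MALWARE_MARKER = b"EXAMPLE-MALWARE-MARKER"


def scan_bytes(data):
    """Stand-in for the anti-virus engine; True means the data looks clean."""
    return MALWARE_MARKER not in data


def build_sample_message(attachments, sender="alice@example.com"):
    """Build a constructed multipart message.

    attachments is a list of (filename, bytes)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Q3 drawings"
    msg.set_content("See attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


def evaluate(msg, max_bytes=MAX_SCAN_BYTES, oversize="block",
             trusted_senders=frozenset()):
    """Apply the gateway policy to every attachment of msg.

    oversize="block" fails closed; oversize="allow" fails open and lets
    large attachments through unscanned. trusted_senders is a per-sender
    override, which is also an unscanned pass and should be read as such.
    Returns (verdict, [(filename, size, action), ...]).
    """
    sender = str(msg["From"])
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "<unnamed>"
        if len(data) <= max_bytes:
            action = "scanned-clean" if scan_bytes(data) else "malware-blocked"
        elif oversize == "allow" or sender in trusted_senders:
            action = "oversize-unscanned"   # nothing has looked at this content
        else:
            action = "oversize-blocked"
        results.append((name, len(data), action))
    verdict = "block" if any(a.endswith("blocked") for _, _, a in results) else "deliver"
    return verdict, results


if __name__ == "__main__":
    sample = build_sample_message([("notes.txt", b"quarterly notes"),
                                   ("drawing.dwg", b"A" * (300 * 1024))])
    for mode in ("block", "allow"):
        print(mode, evaluate(sample, oversize=mode))
    print("trusted", evaluate(sample, trusted_senders={"alice@example.com"}))
```

The point to take from the three runs is that "allow" and the trusted-sender override deliver the same message with the same 300 KB attachment that was never scanned; the flexibility the article praises is only safe if whoever configures it understands that an override is an unscanned path, not a scanned one.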
10 . Do you need extensive Web applications
CheckPoint, Sonicwall, Juniper, and Secure Computing all offer
protection mechanisms for blocking common Web server attacks such
as cross-site scripting and SQL injection. If your company’s Web
servers are in remote locations or behind your corporate firewall,
or if you are planning on setting up a new Web server on an
unprotected network, then you need this feature.
As you can see, there is a lot under the covers to consider
before you buy your UTM device, and many factors to weigh before
you can match the appropriate product to your needs.
Article courtesy of Datamation