Unified Threat Management (UTM) products offer a compelling value proposition for smaller organizations: A single, low cost, and easy-to-manage appliance that can replace multiple security software products running on separate servers.
Given that many small-to-midsize businesses have limited IT staff and modest financial resources to devote to security, it's not surprising that the market for UTM appliances is growing strongly. According to Gartner, sales are now over $1.3 billion annually and projected to grow at a compound rate of about 15 percent for the next five years.
So what can a UTM appliance offer? As Gartner defines the product category, a UTM provides at least the following functionality:
- standard network stateful firewall
- remote access and site-to-site virtual private network (VPN) support
- web security gateway functionality (anti-malware, URL, and content filtering)
- network intrusion prevention focused on blocking attacks against unpatched Windows PCs and servers
Most UTMs also offer other features, at least some of which you may never use – either because you don't need them or because your organization might lack the skills necessary to configure them. These include email security, web application firewalls, and data loss prevention systems. If your organization is small, for example, then you are unlikely to have any web applications to secure. You may well also be using a cloud-based email offering such as Hosted Exchange or Google Apps.
When it comes to making a purchasing decision, any UTM appliances you consider will obviously have to tick the right boxes in terms of offering the specific security functionality you require.
Beyond that, pricing and flexibility are key differentiators. For a given UTM, it is important to establish whether you will have to pay for functionality such as email security even if you don't need it, or whether you can select only the security features you need. Don't forget to look at the ongoing subscription costs (for anti-virus signature updates, URL blacklists, support, and so on) as well as the upfront cost.
Other features you should consider include:
- Ease of deployment, configuration, and management. A UTM is meant to make security simple, but will you be able to use it effectively with the skillset of the staff you have available to you? A simple integrated web interface can make advanced security features accessible to relatively unskilled staff. For larger companies, look for a management system that enables you to push out configuration changes to separate devices in branch offices.
- Ease and speed of adding additional services. Can you unlock any additional security features that you may come to need by paying an additional license fee, or will you need to upgrade the UTM's software and/or firmware?
- Resources of the vendor. How good are the security research labs of the vendor concerned, and will it be able to add new security features to its products as they become available elsewhere in the market as point products? If not, the UTM may fail to meet your security needs much sooner than you would like.
- Ability to deal with remote offices and mobile workers. Unless you plan on deploying UTMs at a number of locations, you'll need to link your branch offices to your UTM. Mobile workers will also have to connect to it via a VPN. It's therefore important to choose an appliance that can manage sufficient incoming connections, and offers a variety of VPN connections – possibly including support for iOS and Android tablet devices if employees use them.
- Regulatory requirements. Will a given UTM provide sufficient functionality and reporting to enable your organization to pass a compliance audit?
- Secure wireless capability. Do you have a WLAN in your work environment? Some UTMs deliver secure wireless connectivity, enabling you to offer wireless users, including guests, the same security controls as wired LAN users.
The roster of vendors supplying UTM appliances has been fairly stable in recent years, and many of the key players such as Check Point Software Technologies, Fortinet, Cisco, and Juniper are well-known networking and security vendors.
Check Point's UTM offerings consist of various hardware appliances with differing firewall throughput capabilities, and a system of software modules offering different security services such as IPSEC VPN, Application Control, IPS, DLP, URL Filtering, and Anti-Spam and Email Security.
The main appliance range starts with the Check Point 2200 appliance for small offices or branch offices with a maximum throughput of 3Gbps. The Check Point 4000 appliances provide 11Gbps firewall throughput and come pre-packaged with 7, 8 or 10 software modules, and the Series 80 appliance for branch offices offers firewall and IPSec software modules out of the box. Other modules can be added if required. Check Point also offers a low-end Safe@Office UTM for very small businesses, which includes an optional ADSL modem, from $349.
Cisco's SA500 Series security appliances are designed for businesses with fewer than 100 employees. They combine firewall, VPN, and optional intrusion prevention system (IPS), email, and web security capabilities. Optional VeriSign Identity Protection (VIP) provides two-factor authentication and one-time-use password access control for remote workers. The range starts with the SA520 with firewall throughput of 200Mbps, while the SA540 offers 300Mbps. The ASA 5500 Series Adaptive Security Appliances for larger companies include VPN, IPS with Cisco Global Correlation, and optional antivirus, anti-spam, anti-phishing, URL blocking and filtering, and content control. Models range from the ASA 5505 with 150Mbps throughput, to the ASA 5515-X with 1.2Gbps throughput.
Fortinet's FortiGate UTM appliances offer ASIC-accelerated performance and a wide range of security functions including firewall, VPN, traffic shaping, IPS, antimalware, application control, DLP, and web filtering. Dynamic updates from the FortiGuard Labs global threat research team help to protect against the latest threats. The range starts with the FortiGate 20C 20Mbps appliance offering firewall, IPS, application control, VPN, and web filtering, and goes right up to the 5000 series with up to 480Gbps firewall throughput and centralized management and reporting for very large enterprises. Fortinet also has a range of FortiGate virtual appliances that can be managed along with physical appliances using the company's management platform.
Juniper's SRX Series Services Gateways include a low-end range (SRX100 - SRX650) for branch offices that offers IPS, anti-spam, antivirus, and web filtering with throughputs from 650Mbps up to 7Gbps. Its higher-end data center models (SRX1400 - SRX5600) range from 10Gbps - 120Gbps firewall throughput and offer a full range of security services.
SonicWALL's TZ UTMs range from the 100 series, with 100Mbps firewall throughput, to the 210 series, with 200Mbps throughput. Optional security services can be added to each appliance, including application control (210 series only), anti-malware, IPS, content filtering, enforced client anti-malware, and anti-spam. The top-end TZ215 enables bandwidth throttling for specific applications, and also offers application traffic analytics and reporting to provide an insight into bandwidth utilization and security threats. The higher-capacity NSA Series offers firewall throughputs from 600Mbps (NSA 220) to 2.75 Gbps (NSA 4500), as well as optional security services including application control, IPS, antimalware, content and URL filtering, SSL inspection, and reporting.
Sophos' Astaro Security Gateways range from the 110, for organizations with 1-10 employees, to the 626, suitable for businesses with up to 5,000 employees. Every appliance offers firewall, VPN, IPS, email security, web filtering, and application control – plus central management of endpoint anti-virus, spam quarantine, and integrated management of log data. The Astaro Security Gateway is also available as a software appliance and a "VMware Ready" virtual appliance.
WatchGuard's XTM UTMs range from the 350Mbps 2 Series for small businesses and branch offices to the 5Gbps 8 Series for midsize to large enterprises with up to 4,000 users. In addition to firewall capabilities (including next generation firewall technologies on the 8 Series), all include optional security services including application control, reputation enabled defense, spam blocker and virus outbreak detection, antimalware, IPS, web blocking, and URL filtering.
Alternatives to UTMs
When considering a UTM appliance, it's also worth considering alternative security solutions. These include:
- Selecting, installing, and configuring point solutions to different security threats. This would almost certainly require a dedicated security team of one or more suitably skilled employees to manage them.
- Outsourcing your security function to a managed security service provider.
- Using a cloud-based security service that you can configure and manage using a web portal. This is a popular choice for companies with large numbers of mobile workers.
Paul Rubens is an award-winning technology journalist who has been covering IT security for over 20 years. He has written for leading international publications including The Economist, The Times, The Financial Times, The Guardian, the BBC, and Computing.