Feature Story

Buying Tips: Unified Threat Management

Unified threat management incorporates a raft of network security technologies previously sold separately, such as intrusion prevention, spam filtering, and VPN. Not only does well-coded UTM keep disparate components from conflicting with each other, it gives them access to each other's expertise for better protection.

Here's a look at major features to keep in mind if your enterprise is planning to upgrade its UTM appliance.

Perimeter defense. If you think of a UTM as a castle, its firewall component is its moat. Pierluigi Stella, CTO of Network Box USA (www.networkboxusa.com), recommends that a UTM appliance have at least SPI (stateful packet inspection) capability. Better yet, he says, is a hybrid firewall with SPI, proxy, and packet filtering features.

Additionally, the UTM must come with intrusion detection and prevention systems (IDS/IPS). The IDS/IPS should be inline with the firewall and fully integrated with it to better stop threats at the edge.

Anti-everything. "Hackers use all kinds of ways to get in," Stella says. "You need to have protection against all of them." This means active safeguards against spam, phishing, Trojans, worms, and so on.

First, Stella says, a good UTM employs multiple antivirus engines with robust, real-time protection against zero-day attacks. The antivirus should cover multiple protocols. An additional ability to scan encrypted protocols, uncommon today, will become more important this year, he adds.

Also, Stella says, look for products from vendors that don't "dumb down" their low-end models intended for branch and remote offices. Although entry-level UTMs may provide proportionally more modest throughput and concurrent connection figures, he says, "it is very important that the technology offered for the small offices be exactly the same as that offered for the main office."

User-related protection. A UTM must provide policy enforcement, detection of hidden and/or compressed attachments with potentially dangerous payloads, and server protection that leverages the firewall and IDS/IPS.

A Web access policy is also key, Stella says, as is secure VPN access with both IPsec and SSL support for site-to-site and roaming scenarios.

Continuous vendor support. After dedicating a skilled, onsite technician or two to professionally configure your new managed UTM to protect your network, the vendor must also monitor and manage the appliance all day, every day. This includes proactive updating instead of waiting for the devices to "check in" every so often.

"The Internet moves too fast for updates to be pulled from the devices. Push updates are now a must . . . to reduce exposure to zero-day threats."

True integration. A UTM should be a team effort, Stella says. All of its formerly disparate features must be integrated with each other. As examples, Stella says that just as the firewall and IPS should work closely together, the antispam should work with the IPS to block bad payloads prior to the inbox. In a like manner, the Web access policy should consult with the antispam component to disable a harmful URL inserted in a message.

"In a true UTM device, all the functions work together as a whole, such that the final result is stronger than the sum of the parts."

Future tech. UTMs will likely add more new technologies that have traditionally been sold separately, Stella says, citing data loss prevention and vulnerability scanning as two examples. "More and more companies are demanding to see them integrated with the gateway protection," he says.

by Marty Sems

Buyers' Checklist

Effectiveness. How well does the appliance block malware and network threats, known and unknown?

Performance. Is the system fast enough to have minimal impact on network throughput?

Price. Beyond the purchase price and cost of initial, professional configuration, what's the ongoing subscription cost of remote management?

Reliability. If the UTM comes in an appliance, does it have high availability features?

Key Terms

Appliance. A standalone server for running a particular application, such as UTM.

Managed. An appliance that a vendor remotely monitors, updates, and changes.

UTM (unified threat management). Software (often installed on a managed appliance) that seeks to comprehensively block malware and network threats through features such as a firewall, antivirus, antispam, intrusion prevention, VPN, access policy enforcement, and more.

Return to: 2011 Feature Stories