Security's Everyman

Thursday, December 13, 2007

The UTM Argument

There's a (discussion, debate, argument) going on regarding UTMs and multi-purpose firewalls. Actually it's probably cleared up by now, but I'm going to put my 2 cents' worth in anyway, since Cutaway did ask me to (I was just too busy to do so at the time). This all started when Cutaway made a post that had some misunderstanding in it. Then he asked for some clarification from several other bloggers. He said:

I wanted to cover this because UTM is actually a different animal than what I was originally addressing. Although I do not have any experience with Unified Threat Management, as a blogger I don’t feel ashamed jumping into it. I am sure that Chris Hoff, Rich Mogull, Lori MacVittie, Andy Willingham, or Alan Shimel will correct me if I am misguided.

Then Hoff and Rothman both responded in somewhat harsh ways, and it just kept going from there, with Farnum jumping in and dragging me in with him.

Now that I have a few minutes I want to give my take on it. I agree with Cutaway that there is the potential for devices that are labeled UTM to be problematic. Now, whether or not they are truly UTM devices is up for debate. Is Astaro a UTM? What about some of the other smaller vendors who have all-in-one devices? Do only the "big boys" such as CheckPoint, Juniper, and Cisco have real UTMs?

This is what I think caused the misunderstanding. Lots of vendors call their products UTMs, and lots of them are just hardened Linux boxes with various features added to them. Cutaway tried to find out what it is that defines a true UTM as opposed to a firewall with additional features, but that got lost in the shuffle. The comment that I made on Cutaway's blog was in regards to the boxes that are multipurpose in practice but were not specifically designed that way. I would much more readily trust a CheckPoint box over an Astaro box to protect my enterprise. Why? Because, as Farnum says, it's a proprietary OS that has been designed to handle different functions in a secure and efficient manner.

So, when is a UTM not a UTM? I guess that all depends on your point of view. I consider a UTM to be a box that has several security features built in (firewall, IPS, VPN, NAC, ACL). I don't consider them all to be on equal ground when it comes to reliability or secure functionality. You do get what you pay for in most cases. I doubt that most of the smaller vendors have true separation of duties between each function of their device, so if one function is compromised, getting to the others is not a big deal.

To answer Cutaway's question: yes, there is a difference between a UTM device that has been built from the ground up for that purpose and one that has been "retrofitted" to handle multiple functions. There is a difference in the security of them and in the complexity of them, just as there is a difference between an OS that is built for home use and one that is designed to handle classified government documents. If you are looking to deploy a UTM to protect the enterprise, then you need to get an enterprise-class UTM and not settle for something that merely sounds good.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.