Thursday | 8 January, 2009
ARN

UTM firewalls: Ready for the enterprise

However, deciding whether and where to deploy UTM appliances in a large enterprise is a more complicated and difficult decision.
Joel Snyder (Network World) 03 September, 2007 08:50:17

Increased flexibility

Enterprise security architects generally scoff at the plethora of features, such as antivirus, antispam, antimalware and antiphishing, that are being built into SMB UTM devices. With a "best of breed" mentality and correspondingly large budgets, they are barely interested in activating IPS features in their existing firewalls. However, there are always specific situations where the ability to turn on, for example, antivirus, may be a huge benefit.

Having additional security features latent in large firewalls that can be activated with the click of a mouse gives the network manager increased flexibility, which is of significant value. For example, blocking incoming viruses in a UTM firewall may be a life-saver when the normal antivirus appliances suddenly stop working because of hardware, software or update failure.

Or consider the requirements of a guest user network: Most enterprises have chosen HTTP proxies to provide content filtering and antiphishing protection, but may want to let guest users choose a different kind of protection and avoid the support burden of making sure those users are working properly with the enterprise proxy. It may be simpler and more effective to enable these features in a UTM firewall for those networks.

The flexibility to bring security services in and out of the equation quickly using a UTM firewall supports threat response requirements - even if those features are rarely used.

Top trends in enterprise UTM market

1. All firewalls are for unified threat management. There is little distinction between a UTM firewall and a "normal" firewall nowadays. The firewall vendor community has made the transition so that all current products offer the option of some UTM features. While very high-end devices may not include much beyond embedded intrusion-prevention systems and VPN, the term "UTM firewall" has become redundant. If it's a modern-day firewall, it does more than simply block or allow traffic.

2. Conversely, UTM doesn't necessarily include the firewall. Whether it's a public relations ploy or a search for more customers, the UTM market has expanded to include products that don't actually have a firewall inside. Several vendors have brought products to market that have weak or nonexistent firewalls, yet a strong suite of threat mitigation features, including antivirus, antimalware, content filtering and traffic analysis. By combining these everything-but-the-firewall features into a single system, such vendors are focusing on the threat mitigation features and can design hardware that fits those requirements best to bring a very strong offering to the table.

3. New products have new architectures. Most UTM firewalls do a poor job at certain functions - antispam and antivirus are the best examples - because the underlying hardware and software were not originally designed to meet the needs of UTM. For example, without disk space, a UTM firewall can't provide a spam and virus quarantine. Or, without a link to the corporate directory, user personalization and differentiation on settings can't occur. While established vendors are not moving quickly in this area, new products are coming to market that reflect a rethinking of the software and hardware requirements for a UTM firewall and that provide better coverage on the threat mitigation side of the house.

4. Vendor business models are evolving. UTM changes the model from a capital-focused one to a service-focused one. This means that firewalls will get even less expensive - but only be really useful when under a support agreement that provides constant updates. In fact, small-to-midsize-business-sized software-based firewalls are coming to market for "free," based on the idea that they will generate revenue through support and subscription fees. It worked for razors; it can work for firewalls.

5. Network managers remain skeptical. While vendors are packing features into products and offering them at attractive prices, network managers are still hesitating to enable threat mitigation features. The UTM sweet spot is networks in SMBs with no dedicated security staff. While you'd think that enabling UTM features is a no-brainer on these new devices, fears of false positives and bad experiences with performance slow-downs keep many of these devices running in firewall-only mode. Enterprise network managers are even further behind than their small-business brethren in deploying UTM features such as IPS in high-end devices.
