The multipurpose security appliances that consolidate firewall/VPN, content filtering, intrusion prevention and more into a single box are winning favor as easy-to-manage devices. But the open secret about these unified threat management devices is that they take a bite out of bandwidth as they inspect content.
It's not uncommon for UTM products on the market today to suffer as much as a 50 percent loss in performance as the full panoply of security services is put to use. That's a situation acknowledged by UTM vendors, which sometimes advise customers to compensate by getting higher-bandwidth devices than they ordinarily might need.
"When you turn on all the services, the speed is impacted," says John Kuhn, product line manager at SonicWall, whose UTM products range in bandwidth support from tens of megabits per second to more than one gigabit. "Absolutely, there is a performance consideration, and it could be a 50 percent loss."
Even at the high end
What's true for a UTM appliance at the low end is also true at the high end with appliances that attain multigigabit speeds.
"You pay a performance penalty as you go deeper into the content, and you could lose half the performance," acknowledges Chris Roekl, vice president of corporate marketing at UTM vendor Fortinet. Fortinet's FortiGate line of UTM devices supports speeds from 10Mbps to 48Gbps.
Several other UTM appliance vendors, including Internet Security Systems (ISS), Secure Computing and Symantec, are equally blunt in saying customers could experience as much as a 50 percent performance loss.
"In general, it's more like 10 percent, but 50 percent is possible," says Mark Butler, director of product marketing at ISS, which offers three multifunction security appliances in its Proventia line.
"The approach we take is we size [the appliance] according to the number of users," Butler says, noting that among the latest ISS products, the Proventia MX 1004 supports 100 concurrent users, the MX 3006 as many as 250 concurrent users and the MX 5010 as many as 500 concurrent users.
Cisco, which offers various models of its Adaptive Security Appliance (ASA) that top out at 1.2Gbps, is reluctant to admit more than a 10 percent performance hit.
Despite any drawbacks associated with bandwidth, UTM seems to be here to stay. UTM is the phrase coined two years ago by Charles Kolodgy, security analyst at research firm IDC, for the multipurpose security appliance whose basic foundation is a firewall or firewall/VPN.
"It has to have a firewall/VPN, and gateway antivirus and preferably intrusion prevention," says Kolodgy, who estimates the UTM market will reach about US$850 million by year-end, up from US$700 million last year.
While Fortinet leads at the high end and SonicWall at the low end, Kolodgy says, this still-nascent market is changing rapidly with Cisco's ASA appliance, which debuted a year ago and is shaking up the low end.
UTM appliances vary considerably from vendor to vendor. Vendors that lack the technology in-house must partner with other security firms to supply antivirus or other content filtering on their UTM products.
For example, Cisco and Secure Computing partner with Trend Micro, and SonicWall partners with McAfee. ESoft, which offers the InstaGate UTM with top speed of 190Mbps, uses its own antivirus filtering but turns to Aluria for antispyware and Secure Computing for Web filtering. Crossbeam Systems makes use of the Check Point FireWall-1 UTM as well as Trend Micro, Aladdin and Websense for content filtering.
UTM's role expanding
Most vendors see their UTM products deployed at the Internet gateway, though Cisco's senior product manager for ASA and the PIX firewall, Mike Jones, says "it's no longer about protecting just the Internet edge, but going inside" to provide firewall, antivirus, antispam and URL filtering deep within the corporate network.
Nevertheless, businesses deploying UTM appliances generally do so at the point of Internet access at corporate headquarters and branch offices. The value of the multipurpose security appliance, according to the vendors selling them and their customers, derives from the simplicity of managing a single device instead of several.
"The single point of management for content filtering and the intrusion prevention is a key point for us," says Jack Wickwire, CTO at Central Bank Illinois, which has deployed Secure Computing's Sidewinder G2.
However, other technology managers are hesitant to put all their security eggs in one basket with a UTM.
"One of these things, when it breaks, then everything breaks," explains Brian Walowitz, technical coordinator at Yeshiva University's High School for Girls, about his reluctance to go with UTM.