Thoughts on UTM

We’ve been having some discussions here about UTM (Unified Threat Management) devices. For those of you who don’t know, UTM appliances are products that unify and integrate multiple security features on a single hardware platform. For instance, a single device typically includes firewall, SSL VPN, anti-malware and web URL filtering. Example products include Fortinet’s FortiGate and Check Point’s UTM-1.

UTM devices certainly appear to offer the promise of a number of benefits, particularly in terms of cost savings, management overhead and interoperability. For example, a single management console and a single device potentially save a lot of overhead.

Conversely there are drawbacks. The one that concerns me most is that we could end up with a single point of failure. On his blog, Kurt Seifried discusses some of the risks. He states that devices “that combine multiple functions into a single platform have a great deal of added complexity” and goes on to say that networks will “have a small number of highly critical security devices placed at network choke points and other strategic locations that are potentially vulnerable to compromise.”

It’s a good point and UTM devices are going to need to be extremely “robust and less prone to security failures.”

Initially, it’s likely to be smaller businesses that take advantage of the cost savings of having a single management device. But here’s a word of caution from IT Week:

It may well be up and running, but the main question is – is it giving your business proper network security? How can you tell?

The point being made is that companies buying such solutions probably haven’t got the people on their payroll specifically dedicated to network security, and so the default out-of-the-box settings define the state of the network security.

In my opinion, UTM devices should certainly be considered as one part of a strategy to consolidate infrastructure and decrease costs. The most important thing of all is to ensure that UTM is fully understood in terms of its capabilities, potential drawbacks and risks, as well as the promised benefits.