Unified threat management (UTM) appliances were once the preserve of small companies with no specialist security staff. But UTM vendors are now beginning to target their products at even larger enterprises, promising lower cost of ownership and a lower carbon footprint.
But can a single appliance really combine the functions of firewall, intrusion detection, URL filtering, spam blocking, spyware protection and VPN all under one box without grinding to a halt?
UTM vendors say that a combination of more powerful hardware and a desire to cut running costs and power consumption is making unified threat management a much more acceptable product to larger organisations.
Joe Wang, chief executive of Seattle, Washington-based security vendor WatchGuard Technologies Inc., in London to promote his company's next generation UTM with its XTM technology (eXtensible Threat Management), said faster processors were making it possible for single appliances to manage high workloads without damaging performance, and this was making them more attractive to big organisations.
Wang said the cost benefit of taking the UTM route could be a saving of two-thirds compared to buying and managing a series of point products.
Patrice Perche, European VP at UTM manufacturer Fortinet Inc. – whose headquarters are in Sunnyvale, California -- reported the same trend. He said that Fortinet's ASIC (custom chip) -based technology gave it higher performance than software-based products, and had won business in some of the world's largest corporations, including seven of the top 10 Fortune 500 companies.
But not all companies are convinced. "There are several challenges for UTMs to move into the enterprise," said Jeff Finn, CEO at Broomfield, Colorado-based eSoft Inc., which makes UTMs for the small and medium-sized company. "More email and Web traffic requires more processing power on a single device, which raises the price. More deep-packet inspection for viruses, worms, malware, etc. adds even further requirements for processing power, which raises the cost further."
But, he said, the single biggest impediment is the "entrenched IT staff who prefer point solutions, command line interfaces, etc. as it further ensures reliance on the IT staff."
Even though UTMs can deliver a security option that is simple to install and to use, he said, this often runs counter to the self-interest of the IT staff, "which is why they have a preference to go with vendors such as Cisco, where considerable training is required to master the complexities of the Cisco interfaces and configurations."
The functional split between network security and content security in larger organisations (above 1000 users) will also militate against a single product, said Yuval Ben-Itzhak, CTO at security company Finjan Inc., headquartered in San Jose, California. "Because of this organizational structure, each of these groups wants to manage their own products. As you go higher, you see more dedicated solutions. And when you reach 3000 users, that often splits further into the email, Web and network security groups," he said. "Politics also play a part in this, especially in larger companies, which we as a vendor know very well."
He added that UTMs face serious technical challenges when handling big-company traffic. Content inspection requires more CPU power and memory than network inspection tasks such as intrusion detection and prevention, and firewalling, he said. "Trying to analyse antivirus in thousands of emails and attachments, plus the network, is too much for one box to handle."
But according to one major distributor who handles both UTM and single products, the UTM is making ground in larger companies. "We're seeing considerable growth in UTM in larger organisations for WatchGuard and Check Point and for Fortinet, which we have in Germany," said Ian Kilpatrick, chairman of Wick-Hill Ltd., an IT security distributor.
But he acknowledged that there was still resistance in many large companies, which may have teams dedicated to different vendors and technologies, and sometimes in different countries.
Compliance may also be a barrier to change. If companies have reached compliance, they may be unwilling to rock the boat, he said. And Kilpatrick admitted that if companies need unrestricted speeds greater than 20 GB throughput at their main gateway, then they might shy away from a UTM on performance grounds.