United in threat management

Where did unified threat management (UTM) come from? And why is it powerful? Ian Yates begins a three-day exploration!

Keeping the nasties out of your network has been a problem ever since those blokes at IBM figured out how to connect a couple of PCs together with some spare coax cable and a token. Things got worse when Ethernet came along: the seeds were sown, and suddenly PCs could be invaded by evil things.

The first security device that emerged in response was probably the humble router, primarily designed to stop network traffic taking a wrong turn while also making it harder for anyone with bad intentions to take a stroll through your network neighbourhood. Of course, it didn't take long for the ne'er-do-wells to take advantage of the shiny new Internet and the hundreds, then thousands, and now millions of PCs just waiting to be abused.

Then somebody invented the firewall and around the same time network address translation arrived, ostensibly to overcome the shortage of IP numbers, but fortuitously making it harder to reach into the LAN from the WAN.

Today, it's a given that you wouldn't connect anything to the Internet without a firewall, and every operating system includes its own firewall, just in case there isn't an industrial-grade version upstream. After we stopped using sneaker-net to share information, the malware mavens were stopped in their tracks - temporarily - until they worked out how to get their payloads through the firewalls by disguising their evil intentions within innocent-looking emails and websites. Then we applied anti-virus. And anti-spyware. And anti-spam. And anti-DoS. And it all started to get too complicated.

The best way to stop the nasties seemed to be to build an impenetrable wall between your network and the Internet: a single server which did no serving but spent its days inspecting every byte and discarding any poisoned packets. For a brief moment in time this approach seemed to be working, until the evil experts worked out how to attack the very foundation of these servers by exploiting inherent weaknesses, with the vendors chasing after them with a giant can of software patches. Eventually, vendors figured out how to embed small, hardened operating systems into their servers, then renamed them security appliances.

Over time the multiple appliances merged into a single appliance designed to protect against everything and the marketing term "unified threat management" or UTM was introduced to the lexicon.

In general, these UTM appliances were seen as a 'good thing' and most could be installed at the front door of the network without too much impact on the traffic passing through them. Larger networks still had to rely on multiple appliances or standalone servers in order to keep up with the traffic volumes but many mid-sized network managers were able to sleep peacefully again.

There's still a large market for UTM appliances, but the rapid growth in WiFi and Bluetooth, along with portable malware delivery systems like MP3 players and memory sticks, has provided another avenue for attack. The UTM appliances can't filter what doesn't go through their ports, so you can't avoid installing malware protection directly on workstations and servers inside the building. This altered reality has led vendors such as Symantec to exit the appliance market altogether, while McAfee is still an appliance player but prefers to leave the firewall and VPN functions to other experts upstream.

Other vendors such as SonicWall and Fortinet continue to build all-embracing UTM appliances, but they readily admit the limitations of their products when it comes to blocking threats physically transported behind their network ports on a USB key, a PDA or a notebook in a returning road warrior's briefcase. And if the UTM appliance can't provide total protection, are you wasting your time and money deploying them? The answer, as always, depends on your particular network, but just as locks on your doors don't stop all burglars, you'd be brave not to lock your doors anyway, if only to stop the curious.

NEXT: Has UTM delivered?