Anil Patrick R, Chief Editor
At what cost comes information security compliance? This question has plagued Indian businesses for a while — especially the Indian small and medium business (SMB). While regulatory compliance is still off the radar for many SMBs, business compliance requirements dictate the need for basic security controls such as gateway antivirus and firewalls. The new IT (Amendment) Act 2008 is expected to add to the requirements.
In many cases, security controls implemented individually may entail capital costs significantly larger than the SMB's annual IT budget. This is why many Indian SMBs now take the unified threat management (UTM) shortcut to cover compliance requirements. Yet another ideal sweet spot for UTM usage is in remote offices and branch offices.
From its humble days as a basic firewall with a couple of features such as antivirus and intrusion prevention system (IPS), the UTM concept has grown to encompass other capabilities. Placed at the gateway level, today's typical UTM is a mix and match of functionalities such as firewall, gateway antivirus, intrusion detection system (IDS), IPS, anti-malware, content filtering, antispam, virtual private network (VPN), load balancing, bandwidth management, and secure wireless access. This multi-faceted capability makes them ideal for Indian SMBs, which need to meet compliance requirements at the lowest cost and with minimal management hassle. "Normally, if I look at a UTM appliance, it should take care of virus protection, IDS or IPS capabilities, firewall, proxy and to some extent, access to internal systems," says Jayesh Kamath, manager - information security officer of Patni Computer Systems.
UTMs can be compared to Swiss army knives. Their multiple capabilities make them ideal for SMBs, which typically lack sufficient resources to manage individual point solutions. "The main advantage of using a UTM appliance is ease of deployment and management," says Graham Titterington, IT security analyst from research firm Ovum. "Generally, a UTM comes configured to suit the needs of most businesses without the need for significant security expertise. It is likely to be a little cheaper than buying all the parts individually, assuming that you would need a dedicated server for the firewall in the latter case."
A supplemental benefit of UTM devices is that many vendors offer UTM solutions which allow capabilities to be switched on — one at a time. This can be handy for organizations with limited IT budgets. For example, an organization can initially opt for a UTM box with just the firewall and IPS activated by default, and add features like content filtering and load balancing later on.
The consolidated nature of UTM alerts also makes it easier for security personnel to respond to various information security incidents across the controls. This capability is suitable for environments such as remote offices, where device management expertise is scarce. Yet another application area of UTM is to provide a failover to supplement existing firewalls, antivirus, VPN and IDS/IPS solutions in enterprise networks.
So, do I need a UTM?
Frankly, this decision depends on the environment that you need to protect. Indian enterprises typically steer clear of a UTM as their primary security control due to scalability and high throughput limitations.
Although UTMs can be scaled up, it's not very easy to expand a UTM to accommodate large throughputs. Also consider the fact that most UTM devices can trace their origin to a firewall box, with the rest as a hotchpotch of different features. Seasoned IT professionals tend to take the "best of breed" term with a pinch of salt, and the UTM is no different on the performance front.
A UTM's different functionalities are the result of disparate components interlinked to form a single system. As a result, certain features will be notable, whereas others may not be potent enough. A handy rule of thumb is to consider the UTM vendor's core specialization at this point. For example, if your UTM vendor is renowned for its antivirus product line, it's a safe bet to assume that its UTM product will have strong antivirus capabilities — and lack in other areas! "Since the UTM's various features will not be best-of-breed, they are not typically deployed at the primary data centers of large organizations," says John Kindervag, senior analyst at IT research firm Forrester Research. "UTM appliances work well in distributed networks, such as retail organizations."
Fault tolerance can be yet another fly in the ointment. The UTM may equate to a single point of failure, and by extension is suitable only for networks which can tolerate such latency or downtime. Other aspects like vendor lock-in should also be kept in mind.
Kindervag observes that UTM appliances are not suited for main data center deployment and should not be used as the primary Internet firewall for large organizations. UTM appliances function best in small office and remote office environments. As a result, UTM appliances are widely deployed in small and branch offices for DSL wide area network (WAN) implementations. If this is your requirement, the budget pinches, and you need a quick fix to meet compliance requirements, head right this way.
Zeroing in on the right UTM
Since a UTM introduces many security controls into the picture, preparation is essential before the evaluation process. As Kamath points out, a business impact assessment (BIA) to identify risk levels is the right approach. "Depending on the BIA, you can decide the controls required to mitigate these risks," he says. "Once the controls are in place, then you should start evaluating UTM appliances, which can take care of most of the controls. This is a much better approach than getting a device first and then formulating controls according to the device's capability."
After the BIA, consider the UTM vendor's specialization in terms of the products it offers (as mentioned earlier). This will help you identify the levels of acceptable risk that can be undertaken with the particular solution's capabilities. It's also a good idea to leverage existing relationships, if the particular vendor's UTM solution makes the grade.
Since UTM solutions are available as hardware appliances as well as software variants, it's essential to determine your specific approach. Appliances are hardened by default and generally don't carry hardware overheads, so they are perceived to be easier to manage and sustain. Many vendors offer both options — hardware and software — so you can take your evaluation pick.
UTM appliances have disadvantages such as less processing power and memory, as opposed to the custom-built hardware that software UTM solutions can run on. These limitations may result in performance lags once multiple UTM functionalities are enabled. On the other hand, software UTM solutions require dedicated servers, which add up to hardware overheads. This is compounded by the need to install, harden and maintain components such as the server operating system.
On the sizing front, Kamath recommends opting for a UTM which is only 60% loaded on day zero, to account for future expansion. "For example, if I am looking at a network of 1000 people in the future, then I will typically opt for a UTM that can manage 5000," says Kamath.
This brings us to the tricky topic of real world UTM performance. Vendor figures typically come with fine print when it comes to throughput. So first go through this fine print in detail, since many of the quoted figures are measured under ideal network conditions. It's best to run your own tests to determine the actual performance figures. "Size appliances for peak data flows and differentiate between traffic that requires a guaranteed high service level (such as video or speech) and identify areas where delays are more acceptable (like data flows and web browsing). When you have this information, talk to your potential vendors, and try to get a guarantee that their appliance will meet the benchmark," says Titterington.
Scalability comes next on the evaluation checklist. Kamath rates typical UTM appliance scalability figures in the range of 30% to 40% as the criterion to look for. The vendor should also be able to provide clear upgrade paths. "Some UTMs have additional bandwidth that the vendor can easily enable (often remotely) for an additional payment. Others have dormant functionality that can be enabled similarly. Ask the vendor about upgrade paths, and any costs that you are likely to need in your purchase strategy," says Titterington. Portability of the UTM appliance is another factor that can be kept on the agenda.
UTM support is perhaps the most critical aspect. Typical models involve annual maintenance contracts which include product enhancements during the contract period. Other factors to consider on this front include hardware maintenance procedures and speed of response.
By virtue of its design, it's essential that your UTM is simple enough for regular IT administrators to manage. A single management interface is a prerequisite on this front, as is the ability to aggregate security reports from all components. Alert correlation, logging, and determination of attack severity are other desirable UTM features.
Last but not least comes the biggest aspect of them all from an Indian context — the price. According to Kamath, UTMs typically come in the Rs 5 lakh to 10 lakh range. Do keep in mind that the price will vary according to the UTM features that you opt for.
Implementation and thereafter
It's never a good idea to unleash any network device on your network without a pilot project phase. Ideally, this phase should be part of your evaluation process. Also, it might be wise to enable UTM functionalities one at a time and during off-peak hours (preferably on a holiday), to avoid unwarranted surprises.
Be prepared for false positives (lots of them) until the UTM is stable. Components like the IPS may require substantial tuning, so a certain amount of time should be factored into the process to account for such eventualities. Last but not least comes a detailed training session for your team, which should be conducted by the vendor or integrator.
Life thereafter should only involve routine reconfiguration for infrastructure changes and incident monitoring. "You should be able to use reported security information, by filtering what is relevant from the mass of detected 'incidents' and reacting appropriately to the few that aren't automatically resolved by the UTM," says Titterington.