What Is A Unified Threat Management Appliance?
A Unified Threat Management appliance is a multi-function security device that provides firewall, anti-virus/anti-spyware, intrusion prevention or intrusion detection, spam filtering, VPN and other unified threat management functions. The most important of these are the four core network services (firewall, antivirus/antispyware, spam filter and VPN) combined in one unit.
The history of Unified Threat Management (UTM) appliances can be traced back to the “stateful inspection” firewalls created by Check Point almost 15 years ago. Then Internet security appliances started flooding the market at rates of tens per year. Each appliance had slightly different functionality at a similar price. Marketing messages were complicated by technology speak that confused even security professionals.
After the first phase of the “unified” trend, which consisted primarily of combining stateful inspection with some antivirus capabilities, it became clear that this was not enough to deploy a complete security solution. When spam started taking off in 2003 and 2004, another round of appliances added spam filtering capabilities.
This trend culminated in 2005 when several vendors released complete unified threat management systems. In 2006, UTM appliances provided VPN functionality as well. Each iteration has made these products more commercially attractive largely by reducing costs through software licensing efficiencies and/or hardware integration efficiencies. The second phase of “unified” is now upon us with firewalls that combine Network Address Translation (NAT), firewall and IPS functions into one device. This evolution is being driven by the need for better threat protection from known and unknown Internet threats as well as the continued cost pressures of providing security products.
It’s important to understand how a UTM appliance differs from a conventional firewall, an IPS or a spam filter. A conventional stateful inspection firewall provides high levels of security, but it does little else besides offer perimeter protection that blocks all incoming traffic unless otherwise permitted. It has no ability to manage network use beyond which ports and protocols are allowed to send and receive. The firewall also can’t block content or applications, nor can it detect or prevent malicious traffic from entering the network from within; that job falls to intrusion detection systems (IDS). An IPS can monitor internal as well as external traffic, and it can enforce policies on content and applications. In addition, it can apply signatures to stop known bad things from happening.
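The difference described above, as an added example that is not part of the original article: a toy stateful filter that decides only on addresses, ports and protocol, followed by a signature check on the payload. All names (`Packet`, `StatefulFirewall`, `ips_match`, `utm_verdict`), the addresses and the signature are constructed for illustration; allowing all outbound traffic and running the firewall before the IPS stage are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    inbound: bool
    payload: bytes = b""

class StatefulFirewall:
    """Default-deny inbound; sees only addresses, ports and protocol."""
    def __init__(self, allowed_inbound):
        self.allowed_inbound = set(allowed_inbound)  # {(proto, dport)}
        self.flows = set()                           # connection table

    def permit(self, p: Packet) -> bool:
        if not p.inbound:
            # Assumption: outbound is allowed; record the flow so that
            # the matching reply is accepted later.
            self.flows.add((p.proto, p.dst, p.dport, p.src, p.sport))
            return True
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.flows:
            return True  # reply to a connection opened from inside
        return (p.proto, p.dport) in self.allowed_inbound

# Constructed signature; real IPS rule sets are far richer than a substring.
SIGNATURES = {"constructed-test-marker": b"CONSTRUCTED-BAD-MARKER"}

def ips_match(p: Packet):
    """Return the name of the first signature found in the payload, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in p.payload:
            return name
    return None

def utm_verdict(fw: StatefulFirewall, p: Packet) -> str:
    """Firewall stage first, then content inspection on what it permitted."""
    if not fw.permit(p):
        return "drop:firewall"
    hit = ips_match(p)
    return f"drop:ips:{hit}" if hit else "accept"

if __name__ == "__main__":
    fw = StatefulFirewall({("tcp", 80)})
    bad = Packet("203.0.113.9", 51000, "10.0.0.2", 80, "tcp", True,
                 b"GET /?q=CONSTRUCTED-BAD-MARKER HTTP/1.1")
    print(fw.permit(bad), utm_verdict(fw, bad))
```

The packet to port 80 passes the firewall stage because the port is permitted, and only the payload check stops it.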
Benefits/Demerits over Traditional Firewalls:
In contrast, a standard stateful firewall provides only perimeter protection while a UTM typically bundles firewall, IPS, anti-spam, antivirus and VPN capabilities in a single device that’s easy for the user to manage.
Unfortunately, there are usually compromises in functionality when combining all of these functions into one box, the most significant being performance loss due to sharing system resources.
These products may have all the latest features, but they often lack management depth or reporting detail. Often this type of security device is also difficult to integrate with third-party products such as content filtering servers, so you might not be able to customize the system to your needs.
If you need more than a firewall and antivirus on a single device, these unified threat management appliances may not be the best solution for a complex network environment.
A Unified Threat Management appliance is usually more cost effective than buying separate firewalls, IPS devices, spam filters and VPN appliances, since it requires less cabling as well as lower server hardware and software licensing costs.
In some cases, UTM appliances also offer some ease of use by bundling multiple security features into one interface that’s easy for users to configure and manage using wizards or templates—therefore reducing training time.
However, adding more functionality typically results in lower performance, so your mileage may vary depending on how many security functions you run on a single box. Combined security appliances typically have a higher initial cost compared with a conventional firewall or spam filter, but not always more than the sum of buying separate units. The key to knowing whether the additional functionality is worth the initial investment and ongoing management complexity is understanding your business needs.
A UTM appliance does more than a separate firewall, IPS and anti-spam device: it lets you implement security policies that span the entire network. If your business needs one single security solution that includes multiple capabilities, then a unified threat management appliance might be right for you.
UIM (unified information management) appliances such as the EMC Information Infrastructure Server (IIS) model provide similar functionality to UTM appliances, but rather than performing distributed processing on disparate security functions across several physical servers, UIM appliances perform these tasks in the same box while providing centralized management over all of them. This type of unified system can reduce costs and complexity by consolidating disparate systems and data storage into a single platform, while also increasing risk exposure by running all of the security, data storage and other critical components from a single subsystem.