Unified Threat Management 2008

By Peter Stephenson,
Mar 10, 2008 3:50 PM
What I find most interesting about the maturing unified threat management (UTM) market is that the fundamental concepts have not changed much since these tools became popular as an economical way to protect the perimeter. However, two important things have changed: their functionality is increasingly tightly coupled and the number of functions they can do has grown significantly.

Starting with the second point, we saw larger feature sets this year than in the past. Borrowing from IDC, we define a basic UTM as a device that has, as a minimum, an IDS/IPS, an anti-virus gateway and a firewall. Not all the products that claimed to be UTMs had this basic functionality. The main features beyond the basics that we found interesting were specialised anti-malware, including anti-phishing and spam protection.

We see this as a two-edged sword. The more you expect the box to do, the more performance is required. For very large networks, innovative perimeter architectures are needed to ensure performance and to compensate for the UTM being a single point of failure.

That said, for many SMEs, this growth in anti-malware features is a big plus, and it’s where we see the real changes taking place in this product group.

As to feature sets and their interconnection, in years past UTMs looked like devices made out of several products cobbled together under a single interface. The interfaces were awkward and the products worked, but sometimes with a lot of difficulty. Now they are the easiest group test we do. That translates to the best rate of maturing of any product group we see.

Today, the interfaces are slick and we really are looking at a single product with multiple functionalities working seamlessly together. All test subjects were appliances that set up quickly and easily. While I wouldn’t go quite as far as to say that these products follow a standard approach in terms of setup and user interface, they are about as close together as I have seen anywhere. This makes support very easy, especially if you have inherited UTMs from multiple vendors, perhaps through mergers and acquisitions.

How to buy a UTM

Start with your requirements and the size of your network. The architecture for placing UTMs on very large networks is important. I generally recommend multiple UTMs on enterprises with lots of individual networks placed geographically apart.

Most of the devices we looked at can be managed centrally, and some can communicate and correlate data into a single analysis. If you have a geographically dispersed enterprise, make sure the system you select can correlate data from several individual devices.

As for traffic size, that depends on what you expect the UTM to do. If you are filtering something that comes in very high volumes, such as spam, make sure the device you select can handle your volume without performance hits. Sometimes, architecturally, it makes more sense to buy the extra product – in this case, an anti-spam tool – than to try to make one device do everything without any performance degradation.

How we tested

We built a typical network and inserted the UTM on its perimeter. We implemented all of the product’s available functions and connected to the recommended additional services such as a DNS server. We tested performance in two ways.

First, we attacked the products with our suite of vulnerability and penetration tools (NetClarity and Nessus vulnerability assessment plus Core Impact penetration testing tools) with the firewall turned on and tightened up as per the vendor’s recommendations.

Our second set of attacks was against the product with the firewall turned off. Universally, we found these products resist our efforts well.

Prior to the attack testing, we followed the manufacturer’s recommended setup procedure. Once that was done, most products allowed a web connection over an out-of-band port or a connection from a Java console. From that interface you can configure the product, create rule sets, apply policies and select reports.

We had no products that resisted setup and configuration, an improvement over previous years. Overall, our impressions were that the UTM really is coming into its own, and it won’t be long before it will take over as the staple in perimeter protection.

- Mike Stephenson and John Aitken contributed to both group reviews this month
