The notion of combining the various security devices to protect your network isn't new, but lately the market has become more competitive with the entry of CheckPoint Software's UTM-1 product. UTM stands for unified threat management, and the idea has a lot of appeal – combine firewall, intrusion detection and prevention, and virtual private networks (VPNs) inside a single piece of hardware. Then wrap around some management software so that a security manager can have a single view of what is attacking your network.
According to IDC, UTMs are the fastest growing segment of the security appliance market and by next year they will even outsell firewalls and VPNs. But finding the right UTM appliance will take some careful research and testing. Here are some questions to get you started down the right path, along with the leading products that satisfy each criteria.
1. Do you need protection for remote offices that don't have local IT staff?
If your remote offices have grown beyond a home office and require something more sophisticated to handle a network, then the UTM products have a lot of appeal: you can manage them remotely, often with just a Web browser.
2. How many security services do you want to consolidate into one box?
Most UTM products come with support for at least five different security services: firewall, intrusion detection and prevention, virtual private network (VPN), anti-virus and anti-spyware email scanning. Some add additional protection features, such as Web applications firewalls, outbound attack scans, and Web content filtering modules. You probably don't need to activate all the modules at the beginning, and some are probably more important to you than others. You also might not wish to replace existing firewall or VPN services on your headquarters network, but want these services deployed on branch office networks.
Figuring out which security services to start off with is also important for two reasons. First, the active services determine how much you pay. Each vendor licenses the separate modules with a complex price sheet, and if you don't need anti-virus, for example, there is no sense in paying extra for it. Second, the more services you enable, the less performance you get out of your box, so turning off the ones you don't need can have a big impact.
3. Are you satisfied with you current virtual private network?
The UTM boxes work best with setting up site-to-site VPN connections to encrypt traffic over the Internet from your headquarters to branch offices. Some of them, such as Astaro, Checkpoint, and Fortinet, also include rudimentary Secure Sockets Layer (SSL) VPNs that are useful for connecting remote users too. While these SSL VPNs aren't as feature-rich as dedicated VPN appliances from Juniper, Aventail and F5 Networks, they can be a good place to start to deploy SSL VPNs and get an understanding of what they offer.
4. How important are outbound traffic scans?
All of the UTM products handle inbound intrusion scanning, with some of them, such as Astaro and Juniper, scanning for both network behavior patterns as well as checking for specific packet signatures as traffic comes across their interfaces. But some of the UTM products also scan outbound traffic for potential attacks, such as the products from Secure Computing, Internet Security Systems (ISS is owned by IBM) and Sonicwall.
5. What is the target throughput range of your Internet connection?
UTM products come in various sizes to match the expected throughput and traffic profiles of their connection. And as we said earlier, the more services that are enabled, the lower the overall performance. Some models, such as those from Juniper and ISS, have expansion slots where you can add network processors and extra memory as your traffic increases. Others have less flexibility, meaning that you will need to completely replace them with a new box. And obviously, the more demanding traffic needs, the more you will have to pay.