Unified Threat Management Technology
The information security arena has seen a rapid proliferation in the number and types of commercial and open source tools that are available to help mitigate risk. With this trend has come a movement over the last few years to create and offer “unified threat management” (UTM) products, “all-in-one” style products designed to preclude the need to evaluate and buy one type of product for one particular purpose, then buy another for another purpose, and so on.
UTM products were originally the result of consolidating tools such as anti-virus tools, anti-spam tools, personal firewalls, and other types of software intended to run on desktop systems into a single product. UTM has since been expanded to include appliances that offer network firewall functionality, intrusion detection, intrusion prevention, network access control, and more. Increasingly, whenever a new security technology emerges, UTM product vendors seem to scramble to find a way to integrate this technology into their products, and there appears to be no end in sight for this trend.
The idea of UTM makes considerable sense. Being able to easily set up and maintain all parameters for all functions within a UTM product, and having to apply an upgrade that applies to multiple functions only once, are major advantages in terms of ease of installation and operations. Presumably, UTM products should also consist of highly compatible, non-overlapping, and mutually cooperative functions for the sake of efficiency. Finally, the cost savings from being able to buy multiple tools from a single vendor rather than having to purchase each individually can potentially be substantial.
On the downside, UTM technology violates the time-honored principle of defense in depth. If an attacker compromises a UTM’s central control function, then it is “game over.” In contrast, consider an environment with an exterior firewall made by one vendor, a network-based intrusion prevention system made by another, a firewall from yet another vendor at the entrance to every internal screened subnet, anti-virus and anti-Trojan software made by still another vendor on each workstation, and so on: if an attacker breaks through one barrier, chances are there will still be others remaining. Given the sheer number and sophistication of today’s attacks, defense in depth is more important than ever.
Another limitation of UTM technology is that it can introduce a single point of security failure. When an “all-in-one” appliance on which many functions run goes down or becomes unresponsive to the traffic sent to it, big trouble can occur quickly. UTM tools generally incorporate numerous functions that are critical to risk mitigation, so downtime and slowdowns are usually not tolerable.
A final problem with UTM technology is that when someone buys and deploys it, each piece of it is not likely to be considered “best-of-breed.” You could evaluate firewalls and then buy the best, and then do the same with network intrusion prevention systems. However, no UTM vendor offers a product that is considered “best-of-breed” in all of its functionality. Consequently, someone who buys a UTM product will in all likelihood get, at best, one or perhaps two “best-of-breed” functions.
Unification of controls makes a great deal of sense, so much sense that this technology deserves serious consideration by information security professionals. At the same time, however, it is important to avoid being awestruck by this technology, which is beset with several significant limitations. The fairest conclusion, therefore, is that UTM technology is young, and it will almost certainly get better over time.