Five tips on deploying enterprise UTM

By Joel Snyder
Network World, September 3, 2007

Original Article on Network World Web Site

Early rounds of testing in our upcoming 10-vendor shootout of enterprise unified-threat-management firewalls have shown that deploying enterprise UTM has its own pitfalls. Here are some tips to help you avoid those issues in your network.

1. Don't try to do it all in one box.

Although you can buy UTM firewalls of almost unlimited power, that doesn't mean you should try to consolidate all your firewalls into a single system. It's important to logically distribute firewall functionality, because of the difficulty of building a single, coordinated, enterprise-wide policy. Even though firewall vendors have made huge strides in centralized management, no product easily handles many zones of control with differing firewall rules, network address translation rules and VPN tunnels in a single policy. Add in the axes of intrusion detection/prevention systems (IDS/IPS) or other UTM features and the policy becomes even less manageable. UTM devices can support consolidation, but it's easy to go too far. Make sure you don't "over-consolidate" into an unmanageable device.

2. Check performance carefully.

Performance is one of the biggest gotchas in UTM devices: As you turn on features, performance can drop dramatically - or not at all. Security product vendors don't hide these performance costs, but they don't make it easy for you to understand what the impact of enabling different UTM features will be on your system performance. Make sure you know exactly what your UTM configuration will be, and test it to be sure that performance matches your requirements. Speed drops of 75% to 90% are common with a single check box. Be sure you also have plenty of headroom. IPS rule sets, for example, only grow more complex over time, so your IPS will keep getting slower.
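One way to make the "test exactly the configuration you will run" advice systematic is to measure every combination of UTM check boxes against the bare-firewall baseline and flag anything that falls below your requirement plus a growth margin. The script below is an added example, not code from the article or from any vendor: the feature names are hypothetical, and simulated_measure() is a constructed stand-in for a real measurement callback (one that would reconfigure the device and drive a traffic generator). The headroom factor is the "plenty of headroom" point above expressed as a number.

```python
"""Feature-by-feature throughput matrix for a UTM firewall.

Added example, not from the article. simulated_measure() is a constructed
stand-in that models a multiplicative slowdown per feature; in a real run,
replace it with a function that enables the given features on the device and
returns measured throughput from a traffic generator.
"""
from itertools import combinations
from typing import Callable, Dict, FrozenSet, List, Tuple

# Hypothetical feature names; the article names no specific products or features.
FEATURES: Tuple[str, ...] = ("ips", "antivirus", "web_filter", "ssl_vpn")

# Constructed per-feature penalties used only by the simulated measurement.
_SIMULATED_PENALTY: Dict[str, float] = {
    "ips": 0.40, "antivirus": 0.25, "web_filter": 0.10, "ssl_vpn": 0.15,
}


def enumerate_configs(features: Tuple[str, ...]) -> List[FrozenSet[str]]:
    """Every combination of features, from the bare firewall to everything on."""
    configs: List[FrozenSet[str]] = []
    for size in range(len(features) + 1):
        for combo in combinations(features, size):
            configs.append(frozenset(combo))
    return configs


def simulated_measure(enabled: FrozenSet[str]) -> float:
    """Stand-in for a throughput measurement in Mbps (constructed numbers)."""
    mbps = 2000.0  # assumed baseline: bare firewall, no UTM features enabled
    for feature in enabled:
        mbps *= 1.0 - _SIMULATED_PENALTY[feature]
    return mbps


def run_matrix(features: Tuple[str, ...],
               measure: Callable[[FrozenSet[str]], float],
               required_mbps: float,
               headroom: float = 1.5) -> List[Tuple[FrozenSet[str], float, float, bool]]:
    """Measure each configuration and flag those below required_mbps * headroom.

    headroom is the margin left for rule sets (IPS signatures especially) to grow.
    Returns (enabled_features, mbps, drop_percent_vs_baseline, meets_requirement).
    """
    baseline = measure(frozenset())
    results = []
    for cfg in enumerate_configs(features):
        mbps = measure(cfg)
        drop = 100.0 * (1.0 - mbps / baseline)
        results.append((cfg, mbps, drop, mbps >= required_mbps * headroom))
    return results


def worst_single_feature(results) -> Tuple[str, float]:
    """Which single check box costs the most? Returns (feature, drop_percent)."""
    singles = [(next(iter(cfg)), drop) for cfg, _, drop, _ in results if len(cfg) == 1]
    return max(singles, key=lambda item: item[1])


def failing_configs(results) -> List[List[str]]:
    """Sorted feature lists for every configuration that missed the target."""
    return [sorted(cfg) for cfg, _, _, ok in results if not ok]


if __name__ == "__main__":
    rows = run_matrix(FEATURES, simulated_measure, required_mbps=500.0)
    for cfg, mbps, drop, ok in rows:
        label = "+".join(sorted(cfg)) or "baseline"
        print(f"{label:40s} {mbps:8.1f} Mbps  -{drop:5.1f}%  {'OK' if ok else 'FAIL'}")
    print("costliest single feature:", worst_single_feature(rows))
```

With the constructed numbers, the bare firewall does 2000 Mbps and the all-features configuration about 688 Mbps, so against a 500 Mbps requirement with 1.5x headroom every configuration passes except the one with everything enabled. Sixteen measurements for four features is manageable; for a device with many more check boxes, restrict the matrix to the configurations you actually intend to deploy plus each single feature on its own, which is what tells you which check box is the expensive one.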

3. Don't shortchange management.

UTM firewalls have a lot to say, with each layer of the firewall logging information about the traffic flowing through it. Enterprises are increasingly being asked to capture and retain these voluminous firewall logs for months or years. Make sure you plan for a dedicated management server with plenty of disk space, memory and CPU power to handle these chatty boxes. Although some enterprise vendors still allow management to be handled via a Web GUI or through a management server running co-resident with a firewall, don't be tempted to skip a properly separated and sized management system.

4. Verify high-availability and scalability features.

As firewalls take on more functions and become more central to correct network operation, ensuring high availability and scalability is also more important. Because performance is more likely to be a bottleneck in UTM, active/active configurations are more attractive than active/passive - but such configurations are more difficult to build and test. Simulating all the different failures, and making sure that you test them in all the different states of the cluster, can be a five-day and not a five-minute job. We also found that not every feature in our UTM devices works in the same way. For example, the basic firewall and VPN functions are usually shared cleanly across a cluster, but dynamic routing may not be as well thought out. If the VPN tunnels stay up across an individual device failure but the cluster doesn't know how to route the packets, that's not "highly available."

5. Complex configurations are hard to verify.

During our testing, we found that the firewalls often were not doing what we thought we had asked for, especially in the area of UTM add-ons such as antivirus and IPS. You should be prepared for a second round of training on system management and configuration, because what you thought you knew about your enterprise firewall may not be enough to get a proper UTM configuration in place. Even if you think you know what you're doing, it's valuable to run simple tests to validate that the protections you've asked for are actually activated. The terminology and protocol coverage vary wildly across different products, and a simple check box for a UTM feature may need an hour of testing to understand.
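The "simple tests" the article recommends are only useful if you check their outcome against what the firewall actually logged, because a UTM layer that is switched on but never inspects a given protocol leaves no trace of its own. The harness below is an added example, not the article's or any vendor's code: it takes a list of deliberately generated test flows, each with the UTM module and action the policy is supposed to apply, and correlates them with the firewall's log. The key=value log format, the addresses, the module names and the test cases are all constructed for the demonstration; parse_log_line() is the part you would adapt to your product's real export format.

```python
"""Check that UTM protections requested in policy actually fire in the logs.

Added example, not from the article. The log format (space-separated key=value
pairs, values optionally quoted), every address, module name and test case
below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# key=value, where value is either a double-quoted string or a run of non-space characters
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse one key=value line into a dict; quoted values lose their quotes."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


@dataclass(frozen=True)
class ProtectionTest:
    """One deliberately generated test flow and what the policy should do with it."""
    name: str
    module: str         # UTM layer expected to act on it, e.g. antivirus or ips
    src: str
    dst: str
    dport: str
    expect_action: str  # usually "block"; "alert" for detect-only IPS rules


def verify_protections(tests: Iterable[ProtectionTest], log_lines: Iterable[str]) -> Dict[str, str]:
    """Map each test name to VERIFIED, NOT ACTIVE, MISCONFIGURED or NO EVIDENCE."""
    events = [parse_log_line(line) for line in log_lines]
    verdicts: Dict[str, str] = {}
    for t in tests:
        # All log entries for this test flow, from any layer of the firewall.
        flow = [e for e in events
                if e.get("src") == t.src and e.get("dst") == t.dst and e.get("dport") == t.dport]
        by_module = [e for e in flow if e.get("module") == t.module]
        if not flow:
            verdicts[t.name] = "NO EVIDENCE: flow never logged; check the test traffic and logging"
        elif not by_module:
            seen = ",".join(sorted({e.get("module", "?") for e in flow}))
            verdicts[t.name] = f"NOT ACTIVE: {t.module} never inspected it (seen only by {seen})"
        elif any(e.get("action") == t.expect_action for e in by_module):
            verdicts[t.name] = "VERIFIED"
        else:
            seen = ",".join(sorted({e.get("action", "?") for e in by_module}))
            verdicts[t.name] = f"MISCONFIGURED: {t.module} saw it but action={seen}"
    return verdicts


# Constructed sample: four test flows and what the hypothetical firewall logged.
TESTS: List[ProtectionTest] = [
    ProtectionTest("av_http_download", "antivirus", "10.1.1.5", "203.0.113.10", "80", "block"),
    ProtectionTest("ips_http_probe", "ips", "10.1.1.6", "203.0.113.10", "80", "block"),
    ProtectionTest("av_https_download", "antivirus", "10.1.1.7", "203.0.113.20", "443", "block"),
    ProtectionTest("av_ftp_download", "antivirus", "10.1.1.8", "203.0.113.30", "21", "block"),
]

SAMPLE_LOG: List[str] = [
    '2007-09-03T10:15:01 module=firewall action=pass src=10.1.1.5 dst=203.0.113.10 proto=tcp dport=80',
    '2007-09-03T10:15:02 module=antivirus action=block src=10.1.1.5 dst=203.0.113.10 proto=tcp dport=80 detail="test file signature"',
    '2007-09-03T10:16:01 module=firewall action=pass src=10.1.1.6 dst=203.0.113.10 proto=tcp dport=80',
    '2007-09-03T10:17:01 module=firewall action=pass src=10.1.1.7 dst=203.0.113.20 proto=tcp dport=443',
    '2007-09-03T10:17:02 module=antivirus action=pass src=10.1.1.7 dst=203.0.113.20 proto=tcp dport=443 detail="encrypted payload not inspected"',
]


def run_constructed_check() -> Dict[str, str]:
    """Run the verification over the constructed tests and log."""
    return verify_protections(TESTS, SAMPLE_LOG)


if __name__ == "__main__":
    for name, verdict in run_constructed_check().items():
        print(f"{name:20s} {verdict}")
```

The four verdicts show the distinct ways a check box can mislead you: the HTTP antivirus test is verified; the IPS test was passed by the firewall layer but the IPS never logged it, so the feature is not actually active for that traffic; the HTTPS test was seen by antivirus but passed, the protocol-coverage gap the article describes; and the FTP test produced no log at all, which means either the test traffic never reached the device or logging for that path is off. Keeping the expected module and action in the test definition, rather than just "it should be blocked", is what lets the harness tell those cases apart.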