How to select enterprise UTM firewalls

By Joel Snyder
Network World, September 3, 2007

Selecting UTM firewalls in an enterprise environment is more work than just picking a standard firewall, because the "UTM" (unified threat management) moniker doesn't offer much information about what the firewall actually does. When evaluating enterprise UTM firewalls, there are four key issues to consider: performance, UTM feature set, network integration and management. Many of these overlap traditional firewall requirements but must be considered in the light of specific needs for very high-reliability, high-performance, enterprise-class products.

Performance is the key starting point for UTM firewalls, because the UTM features exact such a heavy performance cost. Without accepted metrics on how to measure UTM firewall performance, network managers are left to determine how fast a UTM device will go by turning it on and putting it in the middle of their network. No matter what you do, don't skip this step or some reasonable approximation in a test lab. The performance of UTM devices is very dependent on exact configuration and traffic flows, and without some testing, you could easily end up with a device that can't handle the loads you throw at it.

UTM firewalls that let you scale up without a forklift upgrade, either by upgrading in the chassis or by adding systems in an active/active load balancing configuration, are especially attractive when the performance card is on the table. But it's better to start with a system that can run as fast as you need the day you turn it on, and save upgrading for another year.

UTM features are near the top of the list for selection criteria. The idea seems simple enough: If you want antivirus, it should do antivirus. But within UTM firewalls, there's considerable variation in how a simple feature such as antivirus is implemented. For example, not every firewall can examine every protocol for virus signatures, and even those that do cover the top protocols can't always be configured to work on non-standard ports. One firewall we tested only looks for viruses in certain defined Multipurpose Internet Mail Extensions (MIME) types as a way to keep performance high, opening the potential for future exploits to slip directly past. A critical exercise before buying is understanding exactly what coverage is included and how that coverage relates to your own traffic patterns and requirements.
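One way to carry out that coverage exercise is to run a vendor's stated antivirus limits against a summary of your own traffic and see how many bytes would never be inspected. This is an added example, not code from the article or from any UTM vendor; the flow records and the coverage matrix are constructed, and the field names are assumptions.

```python
"""Added example: estimate how much of your own traffic a UTM antivirus engine
would actually inspect, given the coverage limits the article warns about
(unscanned protocols, no inspection on non-standard ports, MIME-type filtering).

Constructed inputs: flow records as (protocol, dst_port, mime_type, bytes) summarised
from traffic logs, and a hypothetical vendor coverage matrix taken from a data sheet.
"""
from collections import defaultdict

# Default ports the engine associates with each protocol (assumption for this example).
STANDARD_PORTS = {"http": {80}, "smtp": {25}, "pop3": {110}, "ftp": {21}}

# Hypothetical vendor coverage: which protocols are scanned, whether the engine
# follows protocols onto non-standard ports, and which MIME types it examines.
COVERAGE = {
    "scanned_protocols": {"http", "smtp", "pop3"},
    "follows_nonstandard_ports": False,
    "scanned_mime_types": {"application/octet-stream", "application/x-msdownload", "application/zip"},
}

# Constructed traffic summary: (protocol, dst_port, mime_type, bytes)
FLOWS = [
    ("http", 80, "text/html", 500_000),                  # MIME type not on the scan list
    ("http", 80, "application/zip", 200_000),            # fully inspected
    ("http", 8080, "application/x-msdownload", 300_000), # non-standard port, not followed
    ("http", 80, "application/pdf", 250_000),            # MIME type not on the scan list
    ("smtp", 25, "application/octet-stream", 100_000),   # fully inspected
    ("ftp", 21, "application/octet-stream", 150_000),    # protocol not scanned at all
]

def inspection_gaps(flows, coverage):
    """Return bytes by outcome: 'inspected', or the first reason a flow escapes
    inspection ('protocol', 'port', 'mime'), checked in that order."""
    totals = defaultdict(int)
    for proto, port, mime, nbytes in flows:
        if proto not in coverage["scanned_protocols"]:
            totals["protocol"] += nbytes
        elif port not in STANDARD_PORTS.get(proto, set()) and not coverage["follows_nonstandard_ports"]:
            totals["port"] += nbytes
        elif mime not in coverage["scanned_mime_types"]:
            totals["mime"] += nbytes
        else:
            totals["inspected"] += nbytes
    return dict(totals)

def uninspected_fraction(flows, coverage):
    """Fraction of total bytes that the engine would never look at."""
    gaps = inspection_gaps(flows, coverage)
    total = sum(gaps.values())
    return (total - gaps.get("inspected", 0)) / total if total else 0.0

if __name__ == "__main__":
    print(inspection_gaps(FLOWS, COVERAGE))
    print(f"uninspected: {uninspected_fraction(FLOWS, COVERAGE):.0%}")
```

Re-running the same flows against a second vendor's matrix (for instance one that does follow non-standard ports) gives a like-for-like comparison of real coverage rather than feature-list checkboxes.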

A small number of UTM firewalls offer a choice in threat mitigation products, such as multiple antivirus vendors, but most lock you into a single vendor. While antivirus (as an example) is considered a commodity service, other services, such as IPS and antimalware, are in more active development - which makes the choice of vendor and consistency of implementation significantly more important.

Network integration includes the aspects of a UTM firewall that let it sit securely within an existing network. For example, enterprise UTM firewalls are more likely to need some support for dynamic routing protocols such as Open Shortest Path First to integrate within an existing infrastructure. Virtual LAN support, high port density, WAN support and expandability of interfaces over time are all similar network integration features. While most of these also are relevant in a pure enterprise firewall without UTM features, the tendency to use UTM firewalls as points of consolidation of security control raises their importance.

Another aspect of network integration includes the equipment and interfaces required for high availability and scalability. If you've got a specific set of load balancers or switches, the UTM firewalls have to be able to integrate with that equipment with a minimum of re-engineering and additional equipment. Similarly, with the additional requirements for active/active clustering that UTM performance brings, full support for upward scalability should be considered a UTM evaluation criterion.

Management is one of the most difficult parts of a UTM firewall to evaluate, because you don't know how good or bad the management is until you've had lots of experience with the product. While most management systems strive for glitzy interfaces for the novice, the real evaluation comes with consistent and continued use. Unfortunately, by that time, it's too late to choose another product.

In UTM products, one of the most important features of management is the ability to bring UTM features into play in a flexible and controlled way. For example, a management system that requires all traffic to flow through the IPS, or none of it, is not suitable for an enterprise UTM device. At the same time, the management system must allow for different profiles for the same UTM feature. For example, an IPS might be configured in a liberal way for internal users browsing the Internet, while turned up to strict levels for guest users coming from a different subnet.

While UTM management systems will be mostly of interest to the security manager, there are aspects of configuration that will fall to a desktop manager (such as antivirus) or network manager (such as dynamic routing). Separating function and privilege level horizontally and vertically across the domain of management is difficult. However, if your UTM deployment will have people from three (or more) teams peering into the same management system, features in this area can be critical to successful long-term operation.