Wednesday, April 18, 2007

Why UTM Will Win

We know how many words a picture is worth. The figure at left, from Boxed In by Information Security magazine, shows why Unified Threat Management appliances are going to replace all the middleboxes in the modern enterprise. At some point the UTM will be the firewall, so the gold UTM box above will also disappear. In some places even the firewall will disappear and all network security functions will collapse into switches and/or routers.

I'd like to show one other diagram from the story.

Figures like these, showing which products and their "features," are another reason UTM will replace point product middleboxes. "Hey, I read in this magazine that product X checks 7 boxes, but product Y only checks 3. Let's look at product X." These are the sorts of figures that people who are not security experts and are not interested in or capable of assessing security products like.

Just because I think this is going to happen (or is happening -- look at what your Cisco router can do) doesn't mean I like it. The more functions a box performs, the greater the likelihood that all of those functions will be performed at a mediocre level. Mediocrity is an improvement over zero security protection for some sites, but elsewhere it will not be sufficient.

I should say that the top diagram has its merits, with simplicity being the primary advantage. With so many networks having multiple "moving parts," it can be tough to stay operational and understand what's working or not working. Moving all those moving parts onto a single platform may not yield all the simplicity one might expect, however!

One way to address the weaknesses of these UTMs is to deploy stand-alone devices performing network forensics, so they record exactly what happens on the network. Using that data, one can investigate security incidents as well as measure the effectiveness of the UTM. I do not foresee network forensics collapsing into security switches/routers due to the data retention requirements and reconstruction workload required for investigations.

To survive I think network security inspection/interdiction vendors either need to be in the "meta-security" space (SIM/SEM) or in the do-it-all space (UTM). If your favorite vendor is in neither space, expect them to be acquired or go out of business.

8 comments:

Daniel Cid said...

Hi Richard,

UTM has some great advantages, but I would never want to have a single point of failure like that. Just imagine a bug in my virus scan (like the last clamav vulnerability), crashing my firewall, ids, mail scan and disrupting my whole network.

UTM's are good for small networks with a tight budget, but medium/large enteprises can't have a single point of failure like that..

*I didn't even mention defense in depth or privilege/process separation... :)

Daniel

jbmoore said...

One thing I've learned working for a Enterprise is that you can't always trust your vendors or their products. Daniel Cid makes a good point that it might work for SMBs, but not big firms. One product we bought into works fine for small networks, but chokes on huge networks. The finger pointing goes on about who's to blame, but when it comes down to it, my bosses were at fault for believing the vendor's claims without thorough testing and the vendor is at fault for not fixing their product to work for us. Fancy graphics and charts look nice, but you really want to see test cases that reflect your environment and not an idealized test lab situation, or comparisons with similar products. I think that your assertion to use collectors for forensics is an excellent way to verify your network design, security and architecture.

Davi Ottenheimer said...

good points. it's also turning into a nasty sales strategy. want vpn or anti-malware? hey, it's already in the box you bought as a router or firewall. look how "inexpensive" it is versus buying a whole new piece of equipment. so you may effectively be paying a lot more for something than you should be, to support the UTM sales strategy that hopes you will one day need the other licenses. conversely, if you spec out a box as single-purpose, when you agree to license the other features you may find that it just can't handle the load and you'll need a replacement or sister device anyway.

Bunda Pakistani said...

The sad fact is that even Cisco has jumped on the UTM bandwagon with its ASA series.

Christofer Hoff said...

@Rich:

I want to understand whether or not this perspective on "UTM" is an evolution of thinking on your part or a change of heart as it relates to the following statement you've made:

"It seems as though all network security functions are going to collapse into the devices which carry traffic -- switches."

...are you suggesting that switches are going to be(come) UTM devices? I've always understood your position to be quite literal in as much as ALL security will go into the switch and while Cisco may not call their products "UTM," devices such as the ASA are trending toward it.

Interesting comments, for sure.

@Daniel:

Not every UTM architecture suffers from the issues you describe. The market definition of "UTM" (the SME/SMB perimeter solutions) certainly fall into this space and these limitations.

Others, do not.

/Hoff

Richard Bejtlich said...

Hoff,

I see UTM as the last step before everything ends up in the switch. In the figure at the top, the end of the line will be the switches/routers and nothing else.

Anonymous said...

Hi Richard,

Do you have a bigger size UTM chart? I'm looking for it for quite some time now.

Pls email it to riconeo at gmail dot com

Thanks! :)

Richard Bejtlich said...

riconeo,

That's all I have. I suggest asking the magazine directly.