Sichao Wang

Friday, June 8, 2012

What's the Future for Unified Threat Management (UTM)?

As competition from Next Generation Firewall (NGFW) vendors mounts against traditional security devices such as UTM, people wonder what the real impact on UTM's future is. With this question in mind, I do not intend to analyze this from a business perspective with ROI and other factors involved, because that would make the analysis an endless pursuit of moving targets. Instead, I try to stay on the technical course and investigate what security model(s) can really help solve the security problems facing today's business customers.

Brief History

Let's first understand how the UTM security model has evolved to where it is today. The term UTM was first coined by IDC. In early 2002, blended threats were widespread: web-based malware, email spam/phishing, malicious network accesses and so on. It had reached a point where point security devices such as stateful protocol inspection firewalls, IPS, web content filtering proxies and email security boxes could no longer withstand these blended threats individually. Chaining all these security devices together could defend against blended threats to some extent, but it proved too expensive and difficult to manage.

So it was obvious that a solution was needed to collocate all these services on a single appliance. This type of device was called UTM. UTMs unify multiple systems on a single appliance so that they are easy to deploy and manage, rather than administering each individually. The concept seemed simple and effective, and was particularly attractive to SMBs who were limited by IT budgets but wanted something simple to deploy and manage.

What Is UTM Really?

Maybe 5 years ago, port-based firewalls met customers' needs because each application followed the "rules": it used only its assigned ports, for example SMTP on port 25. At that time, everyone knew that traffic on port 25 was SMTP and that SMTP would run only on port 25. Today that is no longer true. Applications began using SSL encryption, port-hopping, tunneling and a variety of other techniques to circumvent port-based firewalls. Port-based firewalls are pretty much useless at controlling traffic between networks of different trust levels. UTM vendors augmented their IDS/IPS with application identification functionality to deal with the changed threat landscape. This is surely better than nothing, but IPS engines use a negative enforcement model, i.e. default allow, and only monitor a limited number of ports.

UTM was a concept where multiple security services are collocated rather than really integrated. In the UTM approach, a separate security engine is used for each type of security service: anti-virus, anti-spam, URL filtering, IPS and stateful firewall. The majority of UTM vendors architecturally scan the traffic in multiple passes, with each pass inspecting for one type of security problem (firewall, IPS, virus, web content filtering, etc.).

What Are the Disadvantages?

Consequently, UTM devices inherently introduce the well-known performance problems when all security services are enabled. The performance degradation is so bad that in many cases customers simply turn off the anti-virus and email protection functions, leaving only the stateful firewall and IPS functions. We all know that the network-based anti-malware function simply cannot be disabled. Malware will never go away. Having anti-malware at the gateway level is an important complement to the imperfect endpoint-based anti-malware solutions. So what's the point of investing in a UTM box if malware inspection is disabled?

Certain vendors claim that they use ASIC/FPGA acceleration methods to improve performance. However, the improvement is very limited and applies only to the stateful firewall, not to the content or application security aspects.

In addition, there are other concerns that keep the UTM approach from being considered by serious, especially large, enterprise customers. A UTM device becomes a single point of failure that could paralyze all security services at once. Many vendors argue that they can use approaches such as active/active or active/standby to meet High Availability needs, but so far none of the UTM vendors (perhaps except Juniper) have proven that they can switch traffic to a redundant protected route fast enough when a UTM device experiences hard failures such as power failure or even fiber cuts. Imagine a case where critical cloud-based financial application traffic is being protected by a UTM: sub-100ms traffic protection switching is needed to keep financial transaction processing continuous. Obviously today's UTM vendors have a long way to go to learn how to build truly fault-tolerant, if not carrier-grade, equipment, something telecom equipment manufacturers have learned over many decades.

Of all the UTMs today, almost all still use port-based (stateful inspection) firewall technology. These UTMs have not really advanced "firewall" technology. They do not enable positive (default-deny) network traffic control up through the application level. They depend on the negative control model of their IPS and application modules/blades.
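The difference between the two enforcement models described in this post (port-based default-allow versus application-identified default-deny) is easiest to see on concrete flows. The following is an added example, not code from the original post or from any UTM vendor: the flow records, the tiny payload-signature classifier and both policy tables are constructed for illustration, and a real application-identification engine would use far richer heuristics than a payload prefix.

```python
"""Added example, not code from the original post: it contrasts the negative
(default-allow) enforcement model of a port-based firewall with a positive
(default-deny) model that identifies the application before allowing a flow.
The flow records, the payload-signature classifier and both policy tables are
constructed for this illustration only."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    label: str       # constructed description, used only for reporting
    dport: int       # destination port
    payload: bytes   # first bytes of the client payload, as an inspector sees them


# Constructed application signatures keyed on a payload prefix. A real
# application-identification engine uses far richer heuristics (and decrypts
# TLS where policy allows); the enforcement logic below is what matters here.
SIGNATURES = {
    b"SSH-2.0-": "ssh",
    b"EHLO ": "smtp",
    b"HELO ": "smtp",
    b"GET ": "http",
    b"\x13BitTorrent protocol": "bittorrent",   # length byte 19, then pstr
    b"\x16\x03": "tls",                         # TLS record: handshake, version 3.x
}


def identify_app(flow: Flow) -> str:
    """Port-independent classification: look at the bytes, not the port."""
    for prefix, app in SIGNATURES.items():
        if flow.payload.startswith(prefix):
            return app
    return "unknown"


# Negative model: only listed ports are blocked; anything else passes,
# regardless of what actually runs on the port.
BLOCKED_PORTS = {23, 6881}


def port_based_decision(flow: Flow) -> str:
    return "deny" if flow.dport in BLOCKED_PORTS else "allow"


# Positive model: an explicit allow-list of (application, port) pairs;
# everything not on the list, including unidentified traffic, is denied.
ALLOWED_APPS = {("smtp", 25), ("http", 80), ("tls", 443)}


def app_based_decision(flow: Flow) -> str:
    return "allow" if (identify_app(flow), flow.dport) in ALLOWED_APPS else "deny"


# Constructed sample flows covering the cases the post describes: well-behaved
# traffic, port-hopping, tunnelling on a permitted port, and unidentified data.
SAMPLE_FLOWS = [
    Flow("SMTP on its assigned port", 25, b"EHLO mail.example.test\r\n"),
    Flow("HTTPS on 443", 443, b"\x16\x03\x01\x02\x00\x01\x00"),
    Flow("SSH tunneled over 443 (port-hopping)", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("BitTorrent hiding on port 80", 80, b"\x13BitTorrent protocol" + bytes(8)),
    Flow("unidentified binary on port 25", 25, b"\x00\x01\x02\x03"),
    Flow("BitTorrent on its default port", 6881, b"\x13BitTorrent protocol" + bytes(8)),
]


def evaluate(flows=SAMPLE_FLOWS):
    """Return {label: (identified app, port-based verdict, app-based verdict)}."""
    return {f.label: (identify_app(f), port_based_decision(f), app_based_decision(f))
            for f in flows}


if __name__ == "__main__":
    for label, (app, by_port, by_app) in evaluate().items():
        print(f"{label:40s} app={app:11s} port-based={by_port:6s} app-based={by_app}")
```

Run stand-alone, the table shows the point of the post: the port-based policy passes the SSH tunnel on 443, the BitTorrent session on port 80 and the unidentified bytes on port 25, because nothing on those ports is on its block list, while the positive policy passes only the three (application, port) pairs that were explicitly approved and denies everything else, unknown traffic included.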

In summary, UTMs are architecturally not able to solve the problems they originally targeted, especially for large businesses: architecturally they suffer from performance problems; they can monitor only a small subset of ports for a small set of applications and protocols; and they employ a negative enforcement model for application controls.

So What's Next?

With cloud, virtualization and mobile technologies being rapidly adopted, and the increasing trend of BYOD in the enterprise world, UTM and traditional firewall technologies are no longer adequate, scalable or even valuable. Customers are looking for new solutions that allow them to define and enforce a "global security policy" (GSP), where no matter what devices they use, and where and when they use them, security controls can always be applied accurately: on the applications they run, on the files they download or upload, and on the SalesForce data they access.

This requires tight integration of application identification, identity and access management (IAM), and correlation of applications with access policies. You could call it NGFW (Next Generation Firewall) or NGS (Next Generation Security), but regardless, the old-day UTM would have to change. There are no other choices left.

Saturday, January 28, 2012

Are enterprises ready to move into the cloud?


Many businesses are interested in finding out how they can benefit from the cloud computing wave. Cloud-based services such as SaaS, PaaS and IaaS are supposed to bring customers benefits including economies of scale, on-demand provisioning and cost savings. The pay-per-use model is really attractive, because it means companies can plan for the future without a huge initial investment in infrastructure.

But many enterprises are also concerned. A survey in 2010 by IDC shows that the majority of Fortune 1000 companies will not adopt public cloud storage for their data, at least for the next couple of years; 75% of the surveyed businesses are concerned about the reliability, security, availability and the control over their own data in the cloud.

For example, business customers are concerned about how their data is segregated if it is stored on the same physical media shared with other businesses. Would data-stealing malware crawl from one tenant to another, from one virtual machine to another, from one virtual storage to another? How is customer data privacy preserved in this environment? Some customers are also concerned about how they can "move" their data out of the cloud back to their private data center, should they decide to keep the data on premises. Similarly, how could business customers move their data from one cloud service provider to another provider's hosting environment, should they become disappointed with their current provider?

Of all the concerns, one of the most important considerations is the SLA. Cloud service providers (CSPs) need to implement a meaningful performance management system so that they can prove their cloud service delivery infrastructure has fulfilled the contractual service agreement, in terms of application response time, bandwidth allocation, security activity monitoring, and recovery time from outages. The Amazon and Sony outages in 2011 are examples of how vulnerable cloud service infrastructures are today, and how much business pain they can cause customers. The outage came on the same day that Amazon's cloud-based web services business went down, affecting many businesses relying on AWS and S3, including Reddit and Quora. It also shows how immature cloud-based services are, and how risky it is to rely on a single cloud service provider.

Unfortunately, for many of these concerns there are no standard procedures defined by industry associations or regulatory agencies, which is partially why serious businesses are slow to adopt cloud-based services.

The implications of cloud computing for audits and compliance are also depressing. IaaS service providers must produce evidence (or have a third-party compliance/audit vendor produce it) that one customer cannot access other customers' resources (storage, web servers, etc.) physically or electronically. Customers can only have access to view and control their own data and system status. Audit and logging trails must be uniquely associated with a specific customer through a unique ID; the CSP must define policies allowing customers, or third-party vendors hired by customers, to perform compliance audits as well as forensic investigations.
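Two of the requirements above, that every audit record be bound to exactly one customer ID and that a customer (or an auditor the customer has hired) can read only that customer's trail, can be enforced mechanically at the audit store. The following is an added example, not code from the original post or from any cloud provider: tenant IDs, principals and events are constructed, and the identity directory and delegation table stand in for whatever IAM system a real platform would consult.

```python
"""Added example, not code from the original post: a minimal tenant-scoped
audit trail for a multi-tenant platform. It enforces two requirements
discussed above: every record carries exactly one tenant ID, and a principal
can read only the trail of its own tenant or of a tenant that has explicitly
delegated audit access to it (e.g. a hired third-party auditor).
Tenant IDs, principals and events are constructed."""

from dataclasses import dataclass
from datetime import datetime, timezone


class AuditAccessError(Exception):
    """Raised when a record lacks a tenant binding or a read crosses tenants."""


@dataclass(frozen=True)
class AuditRecord:
    tenant_id: str   # the single customer this event belongs to
    actor: str
    action: str
    resource: str
    timestamp: str


class TenantAuditTrail:
    def __init__(self, principals: dict[str, str]):
        # principal -> home tenant (constructed stand-in for the IAM directory)
        self._principals = dict(principals)
        # tenant -> external principals that tenant has authorised to audit it
        self._delegations: dict[str, set[str]] = {}
        self._records: list[AuditRecord] = []

    def delegate(self, tenant_id: str, auditor: str) -> None:
        """A tenant authorises a third-party auditor to read its own trail only."""
        self._delegations.setdefault(tenant_id, set()).add(auditor)

    def record(self, tenant_id: str, actor: str, action: str, resource: str) -> AuditRecord:
        """Append an event; refuse anything not bound to a tenant."""
        if not tenant_id:
            raise AuditAccessError("audit record must carry a tenant ID")
        rec = AuditRecord(tenant_id, actor, action, resource,
                          datetime.now(timezone.utc).isoformat())
        self._records.append(rec)
        return rec

    def _may_read(self, principal: str, tenant_id: str) -> bool:
        return (self._principals.get(principal) == tenant_id
                or principal in self._delegations.get(tenant_id, set()))

    def query(self, principal: str, tenant_id: str) -> list[AuditRecord]:
        """Return the requested tenant's trail, or refuse outright.

        The check is on the caller's scope, so a request for another tenant's
        trail fails loudly instead of silently returning a widened result."""
        if not self._may_read(principal, tenant_id):
            raise AuditAccessError(f"{principal} may not read tenant {tenant_id}'s trail")
        return [r for r in self._records if r.tenant_id == tenant_id]


def build_demo() -> TenantAuditTrail:
    """Constructed scenario: two tenants, one external auditor hired by 'acme'."""
    trail = TenantAuditTrail({"alice": "acme", "bob": "globex"})
    trail.delegate("acme", "auditfirm")
    trail.record("acme", "alice", "vm.start", "vm-42")
    trail.record("acme", "alice", "storage.read", "bucket-a")
    trail.record("globex", "bob", "vm.stop", "vm-7")
    return trail


def can_read(trail: TenantAuditTrail, principal: str, tenant_id: str) -> bool:
    """True if the principal is allowed to read that tenant's trail."""
    try:
        trail.query(principal, tenant_id)
        return True
    except AuditAccessError:
        return False


def rejects_unbound_record(trail: TenantAuditTrail) -> bool:
    """True if the store refuses an event with no tenant ID."""
    try:
        trail.record("", "someone", "vm.start", "vm-1")
        return False
    except AuditAccessError:
        return True


if __name__ == "__main__":
    demo = build_demo()
    for r in demo.query("auditfirm", "acme"):
        print(r)
    print("alice -> globex:", can_read(demo, "alice", "globex"))
```

The delegation table is what makes the "third-party vendors hired by customers" case work without giving the auditor a platform-wide view: the auditor reads exactly the tenant that hired it and nothing else.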

Cloud computing brings in complexities that are often overlooked because of the monetary benefits. The pressing needs for integration, monitoring and management of cloud services and cloud applications together with the traditional security infrastructure (firewall, IDS/IPS, UTM, IAM, etc.) are on the way.

Cloud computing even creates confusion about the service providers' relationships, and hence about liability and the transfer of legal liability. For example, as depicted perfectly in the book "Security 2020" (by Doug Howard and Kevin Prince), a SaaS provider could host its applications on infrastructure hosted by an IaaS provider, which may in turn hire a managed service provider (MSP) for operations and maintenance. In case of outages or data breaches, who is responsible for what?

In summary, it is compelling that the cloud computing industry forums need to define standards and procedures for security, privacy, data migration and service recovery, in order to boost public confidence in the cloud. Without the necessary regulatory and industry standards, the acceptance of cloud-based services will remain "cloudy".