As competition from Next Generation Firewall (NGFW) vendors arise strongly against traditional security devices such UTM, people wonder what's the real impact on UTM's future. With this question in mind, I do not intend to analyze this from a business perspective with ROI and other factors involved. Because that would make the analysis an endless pursuing of moving targets. In stead, i try to stay on the technical course and investigate what security model(s) can really help solving the security problems facing by today's business customers.
Brief History
Let's first understand how the UTM security model has evolved to where it is today. The term UTM was first coined by IDC. In early 2002, there existed widespread blended threats - web based malware, email spam/phishing and malicious network accesses etc.. It was at a point that point security devices like stateful protocol inspection firewall, IPS, web content filtering proxy and email security boxes just could no longer withstand these blended threats individually. Chaining all these security devices all together could defend against those blended threats to some extend, but proven to be just too expensive and difficult to manage.
So it was obvious that a solution was needed to collocate all these services on a single appliance. The type of device was called UTM. UTMs unify multiple systems under a single appliance that it’s easy to deploy and manage rather than administer them individually. The concepts seemed to be simple and effective, and particularly attractive to SMBs who were limited by IT budgets while wanted something simple to deploy and manage.
What Is UTM Really?
Maybe 5 years ago, port-based firewalls met customer's needs because each applications were following the "rules". They only use its assigned ports. For example, SMTP on port 25. At that time, everyone knew that traffic that ran on port 25 was SMTP and that SMTP would run only port 25. But today that is no more true. Applications began using SSL encryption, port-hopping, tunneling, and a variety of other techniques to circumvent port-based firewalls. Port-based firewalls are pretty much useless at controlling traffic between networks of different trust levels. UTM vendors augmented their IDS/IPS to include application identification functionality, to deal with the threat landscape changes. This is surely better than nothing, but IPS engines use a negative enforcement model, i.e. default allow, and only monitor a limited number of ports.
UTM was a concept where multiple security services are rather collocated than really integrated. In the UTM approach, separate security engine is used for each type of security service - anti-virus, anti-spam, URL filtering, IPS and stateful firewall. Majority of UTM vendors architecturally scan the traffic in multiple passes with each pass inspecting one type of security problems (firewall, IPS, virus, and web content filtering etc..).
What Are the Disadvantages?
Consequently, UTM devices genetically introduce the well-known performance problems when all security services are enabled. The performance degradations are so poor that in many cases, customer simply turn off the anti-virus and email protection functions, left alone only the stageful firewall and IPS functions. We all know that network based anti-malware function simply can not be disabled. Malware will never go away. Having anti-malware on the gateway level is an important compliment to the imperfect end-point based anti-malware solutions. So what's the point of investing on an UTM box if malware inspection is disabled?
Certain vendors claim that they use ASIC/FPGA acceleration methods to have improved the performance. However the improvement is very limited and only on stateful firewall, not on content or application security aspects.
In addition, there are other concerns that make UTM approach not considered by serious especially large enterprise customers. UTM device would become a single point of failure that could paralyze all security services all together. Many vendors argued they could use approaches such as active/active, active/standby method to deal with High Availability needs, but so far none of the UTM vendors (perhaps except Juniper) have proven that they can switch traffic to redundant protected route fast enough, when an UTM device experience hard failures such as power failure, or event fiber cuts. Imagine in a case where critical cloud based financial application traffic is being protected by an UTM, sub 100ms traffic protection switching is needed for keeping the continuity of financial transaction processing. Obviously it would take a long way for today's UTM vendors to learn how to build a true fault tolerant equipment, if not carrier grade where telecom equipment manufactures have learned in many decades.
In addition, there are other concerns that make UTM approach not considered by serious especially large enterprise customers. UTM device would become a single point of failure that could paralyze all security services all together. Many vendors argued they could use approaches such as active/active, active/standby method to deal with High Availability needs, but so far none of the UTM vendors (perhaps except Juniper) have proven that they can switch traffic to redundant protected route fast enough, when an UTM device experience hard failures such as power failure, or event fiber cuts. Imagine in a case where critical cloud based financial application traffic is being protected by an UTM, sub 100ms traffic protection switching is needed for keeping the continuity of financial transaction processing. Obviously it would take a long way for today's UTM vendors to learn how to build a true fault tolerant equipment, if not carrier grade where telecom equipment manufactures have learned in many decades.
Of all the UTMs today, almost all of them still use port-based (stateful inspection) firewall technology. These UTMs have not really advanced the “firewall” technology. They do not enable positive (default-deny) network traffic control up through the application level. They depend on the negative control model of their IPS and application modules/blades.
In summary, UTMs are architecturally not feasible to solve the problems that they originally targeted to especially for large businesses; architecturally they suffer from performance problems; they can monitor only a small subset of ports for a small set of applications and protocols, and they employ negative enforcement model for application controls.
So What's Next?
With cloud, virtualization and mobile technologies are being rapidly adopted, and the increasing trend of BYOD in the enterprise world, UTM and traditional firewall technologies are no longer adequate or scalable or even valuable. Customers are looking for new solutions that allow them to define and enforce "global security policy" (GSP), where no matter what devices they use, and where they use and when they use, security controls can always be applied accurately, on the application they run, on the files they download or upload, and on the SalesForce data they access.
This requires tight integration of application identification, identity access management (IAM), correlation of applications and access policies. You could call it NGFW (for Next Generation Firewall) or NGS (Next Generation Security), but regardless, the old day UTM would have to change. There are no other choices left.
This requires tight integration of application identification, identity access management (IAM), correlation of applications and access policies. You could call it NGFW (for Next Generation Firewall) or NGS (Next Generation Security), but regardless, the old day UTM would have to change. There are no other choices left.