22 Jan 2007
The term Unified Threat Management (UTM) was coined in 2004 by research firm IDC to describe a single appliance combining three core functions of network firewall, network intrusion detection/prevention (IDP) and gateway anti-virus (AV). However, this title can raise some questions amongst prospective customers and channel players alike. For example, is UTM about responding to complex, unified threats, or about unifying the management of security within an organisation? The answer is both.
On one hand, says Phil Keeling, regional director at UTM pioneer Fortinet, cybercrime and blended threats are the new security issues companies must face. “On top of viruses, worms, bots and Trojan attacks, organisations are contending with social engineering deception and traffic masquerading as legitimate network applications,” he says. “To face these new attacks, piecemeal, reactive, point security solutions must give way to multi-threat security systems that blend firewall, Intrusion Prevention System (IPS), AV, anti-spyware and content filtering technologies into a single footprint.”
As threats become more varied and more numerous, so user organisations face the added problem of managing more and more security products. Ian Kilpatrick, chairman of security and e-business distributor Wick Hill, says: “UTM has multiple solutions on a single box, making it easier to position to the end-user. With point solutions, in a large organisation you can potentially end up with 100 devices to manage, all with their own look and feel.”
Stuart Taylor, security product team manager at networking, security and communication distributor Westcon, says: “UTM has allowed SMEs to address threats in a cheap, easy-to-manage solution, whereas before the cost of protecting against all threat categories would have been prohibitive.”
As well as the core functions of firewall, IDP and AV, UTM appliances may include content and URL filtering, VPN, protection against spam, phishing, spyware and adware, plus pretty much anything else vendors care to throw in.
However, some purists see this as a dilution of UTM. Keeling says: “Since 2004, with virtually every major security vendor congregating in the market, the definition of UTM has become overstretched. Today it seems merely to refer to single solutions that encompass various security functions, rather than a tightly integrated, high-performance platform designed explicitly to offer better protection against blended threats, and at higher speeds and lower costs than equivalent aggregations of point products.”
Keeling dismisses many UTM offerings as “bundled threat management”, the result of alliances between vendors anxious to scramble into a new market, rather than tightly woven proprietary hardware architectures.
Simon Walker, managing director of networking and security VAR Foundation IT, says: “Users should beware point solution vendors jumping on the bandwagon by attempting to integrate third-party security products into their firewall platforms and passing them off as UTM. These solutions are often clunky and licensing models can become complicated.” However, he adds that this is an excellent opportunity for resellers with a real understanding of UTM to act as consultants to their customers.
Some so-called entry-level UTM products lack even the most basic requirements of UTM, warns James Walker, product manager at broadband access vendor Zyxel.
“Resellers must exercise care when selling to smaller businesses whose budgets are likely to be substantially less and that will look to cut corners with cheaper alternatives,” he says.
But at the top end of the market, the broader approach is to be welcomed, argues Throop Wilder, co-founder of high-end UTM vendor Crossbeam.
“In our discussions with the analyst who first coined the term, Charles Kolodgy of IDC, it’s clear that the current definition is just the minimum set of services,” Wilder says. “The true value of UTM lies in its flexibility and the fact that it enables customers to apply the right service to the task at hand. At the high end of the market, the concept extends to best-of-breed UTM in which the range of services available to a customer is not confined to a single vendor’s proprietary solutions.”
David Ellis, director of e-security at distributor Computerlinks, says that the Crossbeam approach enables large organisations to run best-of-breed applications such as Check Point, Trend Micro, Websense and ISS on a single, fast, highly resilient platform. Similarly, says Andy Kellet, senior research analyst at Butler Group, Secure Computing’s UTM firewall includes AV from McAfee and spam filtering from Cloudmark.
Ellis believes the entry of enterprise vendors such as Check Point, ISS and Nokia has helped to improve the quality of UTM products.
“As the UTM market grows and matures, more point product vendors will focus strongly on this space,” he says. “I believe there’s a requirement for both UTM and point product approaches, depending on the customer scenario and requirements.”
The fusion of UTM and best-of-breed will broaden UTM’s appeal, says Andrew Brown, technical manager at UTM vendor SonicWall.
“The traditional position is that SMEs want UTM for its simple deployment and ease of management, but enterprises want best of breed dedicated solutions,” Brown says. “However, as the UTM market matures and products become more sophisticated, enterprises are beginning to see the benefits.
“Increasing CPU performance and decreasing cost allow more complete solutions to be integrated into a single appliance. Rather than offering network firewalling with reduced IPS and AV functionality compared with point solutions, the new generation of appliances are able to offer far more complete solutions, which enterprise customers find attractive.”
The overheads of managing multiple security solutions can affect corporates as much as SMEs, especially at smaller sites. Nick Lowe, regional director of UTM vendor Check Point, says: “While UTMs are a favourite of SMEs, we see them being deployed at branch offices and smaller campuses of larger enterprises as well. The determining factor is not the size of the company, but the number of IT staff available on-site and the performance demands placed on the internet connection.”
The education market offers great potential, Taylor says. “With the government initiatives for getting schools online and the increase in school networks and VPNs, each school can be seen as the branch office for the Local Education Authority,” he says. “The challenge with schools is the flexibility needed, for example an easy-to-manage content filter.”
The service provider market has untapped potential, says Keeling, adding that fixed line and mobile operators have also identified the need to protect their infrastructures from viruses, worms and other threats.
For the present, however, most UTM sales are to SMEs, where the case for the technology is strongest, since a full range of point solutions is beyond both their budget and their competence.
Taylor says: “It makes sense for SMEs to buy a multi-function device, easily managed by themselves or their service provider at low cost, that can easily cope with their relatively small level of data traffic, rather than investing in a lightning quick point solution that can only address one area of their concerns.”
UTM devices can cost as little as one fifth as much as the equivalent point solutions, and offer significant cost savings in management and implementation overheads such as training, maintenance, installation and upgrades, Kilpatrick says. Licensing per appliance rather than per user also reduces on-going costs, Simon Walker adds.
A key benefit of UTM is its unified management structure. Mike Small, director for security management strategy at security and software vendor CA, says: “A single management infrastructure and standard web-based management console interface enable system administrators to provide rapid response to security issues, deploy solutions and updates quickly, create and enforce policies, query end points, and create necessary management reports and charts with ease.”
The advantages of standardised management interfaces have not been lost on point solution vendors. Greg Day, a security analyst at point security vendor McAfee, says: “Point products are increasingly coming under a common management console, making them as easy to manage as UTM.”
The point vendors are hitting back, however, and can dismiss UTM as a ‘jack of all trades, master of none’. But is this fair? Not at all, according to UTM’s defenders.
“I’ve never once seen a tender request for a ‘UTM’ or a ‘multi-threat’ solution,” Keeling says. “Day in, day out our partners are winning deals against single function point products because enterprises can see the flexibility and low cost of ownership benefits of a truly integrated security platform.”
UTM can even be functionally superior. Small says: “Blended attacks are more easily combated by a combined threat defence than if each anti-threat component were a stand alone product.”
Best-of-breed systems can also result in kernel-level conflicts, whereas integrated components from a single vendor tend to work together more smoothly, Small adds.
Simon Heron, technical director at UTM managed services provider Network Box, says: “A UTM solution is better because nothing falls through the cracks. For example, where does spyware stop and AV start? What is a firewall rule and what is IDP? And there are fewer problems when it comes to routing traffic through a UTM. With a distributed solution, there may be routes round the defences because of proxy settings or routing requirements.”
Ultimately, according to Kilpatrick, you get what you pay for. “Low-end UTM devices will offer only stateful inspection and open source basic AV protection, whereas more corporate devices will have a combination of best-of-breed solutions on a single device,” he says.
The important thing, Brown says, is for VARs to recognise that, despite the advantages of cost, integration and ease of management, UTM does not have all the answers.
“A UTM appliance is still a single entity offering protection at a single point in the overall network structure,” Brown explains. “To protect the network, the data must typically pass through the appliance so UTM solutions don’t extend deeper into the network and to desktops and servers. Therefore they need to be used in context and alongside other products and services.”
Customers’ other big worry with UTM is the wisdom of putting all their eggs in one basket.
Heron says: “The solution is to look at failover and on-site replacement options. Most UTMs have failover functionality that allows a secondary box to take over if the primary one fails.”
Ellis adds: “Many companies offer good Service Level Agreements for onsite swap outs and so on, and in the enterprise space vendors build high levels of resilience into their platforms.”
If UTM is simplifying security, does that mean non-specialist resellers will be able to sell it? Perhaps at the bottom end of the market, according to Kilpatrick. “As UTMs become more commoditised they can allow non-security resellers to enter the market, and some resellers do sell UTMs without fully understanding the product.”
However, Kilpatrick says, above the entry level, “UTMs are not an easier sale, and specialist security resellers can still justify their higher margins by displaying their broader knowledge.”
Rhodri Davies, technical architect at managed services provider Vistorm, warns: “VARs can make a bad job of a UTM configuration just as easily as they can with point solution configurations. Understanding the spectrum of security threats and configuring systems to deal with them still gives specialists an edge.”
Heron agrees. “Security policies still have to be defined and implemented,” he says. “UTM just means security resellers have a more useful tool in their toolbox.”
Resellers who do use UTM as a way into selling security should keep their eyes open, according to Ellis. “Selling a UTM solution is easier for a VAR entering the market because the training and support overheads are less than partnering with multiple vendors,” he says.
“However, resellers need to have a good understanding of networking and TCP/IP if they’re to be successful, as the products are certainly not plug and play and require value to be added by the channel in the form of installation, support, general security consultancy and so on.”
In Foundation IT’s experience, reseller opportunities in the UTM space are plentiful, especially at the higher end. Simon Walker says: “Margins here are excellent, although inevitably these will shrink as technology evolves and the market matures. In our experience the market isn’t being attacked by non-security resellers as UTM still requires security experience.”
Far from constricting a reseller’s opportunity to add value, UTM can enhance it, Keeling says. “There’s as much value to be added in a UTM sale as in any other, in fact sometimes more because it will generally involve migrating away from existing solutions, integrating with other point solutions and discussing and managing where to deploy the products in the network,” he adds.
Migration can throw up particular problems, according to Heron. “It can be difficult for companies to migrate to UTMs as the licences on their point devices won’t necessarily end at the same time,” he says. “Resellers need to help customers migrate.”
Wilder says that reliable UTMs can cut support overheads, which can benefit the reseller as much as the customer. “Selling multiple point solutions is bad for resellers in the long run because they’ll have a support contract for each component,” he says. “A consolidated approach gives customers just one system to manage, which means lower total cost of ownership [TCO] for them and lower associated support costs for the VAR. Low TCO is a key driver for channel sales.”
Revenue opportunities are not limited to the initial sale. “Annual subscription services mean resellers will be able to see at least half of the original deal year on year,” Keeling says. “In addition, the evolutionary nature of the sale means VARs can keep revisiting the same accounts to sell more services. To avoid the problems of commoditisation, partners could become managed security service providers and offer UTM as a service to the SME and mid-markets.”
Heron says: “Despite being easier to manage than distributed point solutions, UTMs are complicated devices. Many unmanaged systems are not configured correctly, or aren’t fully utilised because it takes too long to understand all they can do. Vendors should look at providing or selling managed services to counteract this.
“The UTM market is still growing and a large number of companies are still to migrate. The trend towards consolidation is strong as the benefits are strong drivers for change. The market is maturing and has changed from the early adoption phase into the early majority.”
CONTACTS:
3net (0870) 243 3325
www.3netuk.com
Butler Group (01482) 586 149
www.butlergroup.com
CA (01753) 577 733
www.ca.com
Check Point (01256) 374 560
www.checkpoint.com
Computerlinks (01638) 569 600
www.computerlinks.co.uk
Crossbeam (0118) 925 4259
www.crossbeamsystems.com
Fortinet (08707) 353 666
www.fortinet.com
Foundation IT (01635) 203 700
www.foundation-it.com
McAfee (01753) 217 500
www.mcafee.com/uk
Network Box (0800) 107 6098
www.network-box.co.uk
SonicWall (01344) 668 090
www.sonicwall.com
Vistorm (01925) 665 500
www.vistorm.co.uk
Westcon (01753) 797 800
www.westcon.co.uk
Wick Hill Group (01483) 227 600
www.wickhill.com
Zyxel (01344) 303 044
www.zyxel.co.uk