If you've bought a firewall in the last 3 years, you've bought a UTM firewall: a device that will not only control traffic based on policy, but also one that has other built-in threat mitigation technologies, such as antivirus, intrusion prevention and content filtering. UTM features have been around for longer than that, but the market universally moved to
However, one cynical reason for the shift to UTM should be kept in mind as you investigate your new (or old firewall): UTM services are subscription services. Firewall vendors want to move their customers from a buy-once model to a recurring revenue model, where software updates, IPS rules, and antivirus/antimalware signatures add up to a steady trickle of revenue from each subscriber. This inherent conflict of interest means you need to evaluate what services you really want and need from your UTM firewall, so as to maximize the value of the subscription dollars you spend.
UTM firewalls are all over the map with additional security features that go beyond basic firewalling, but the three most common areas are antivirus/antimalware, intrusion prevention, and content filtering. Let's look at all three to see what makes the most sense for you. If you don't have a good feel for the terms "client-protecting" and "server-protecting," then you should review "How Many Firewalls Do I Need?" first.
Antivirus/Antimalware: Solid Secondary Protection
UTM firewalls are great secondary antivirus/antimalware protection in a client-protective environment. If you have desktop antimalware, then adding UTM antimalware (hopefully from a different antimalware vendor) will provide a good level of secondary protection.
However, be aware that UTM antimalware doesn't go very far. It can't look inside of encrypted traffic, and most UTM firewalls only inspect a few protocols on a few well-known ports (SonicWALL and Palo Alto Networks are the exceptions to this general rule). This means that if a piece of malware is sitting on an SSL-protected Web server, or a Web server running port 81, most UTM firewalls won't see it -- which is why you still need desktop antimalware as your primary protection.
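To make that limitation concrete, here is an added example (not code from the article, and not any vendor's engine) that audits a constructed flow log against a hypothetical port-bound decoder table and reports which flows the antimalware engine would actually inspect. Everything in it is constructed: the decoder table, the flow records and the documentation-range addresses. It goes one step beyond the article by also flagging traffic on an inspected port that is not the protocol the decoder expects, since a port-bound decoder parses by port, not by content.

```python
"""Coverage audit for a port-bound UTM antimalware engine.

Added example, not code from the article or from any firewall vendor. The
decoder table, the flow records and the IP addresses are constructed to show
the gap the article describes: inspection happens only for a few protocols on
well-known ports, and never inside TLS. It also flags a third case the
article does not spell out: traffic on an inspected port that is not the
protocol the decoder expects (a port-bound decoder parses by port, not by
content).
"""
from dataclasses import dataclass

# Constructed decoder table for a hypothetical firewall: destination port -> decoder.
INSPECTED_PORTS = {80: "http", 21: "ftp", 25: "smtp", 110: "pop3"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    app: str   # protocol actually carried, as identified in the flow log
    tls: bool  # payload is TLS-encrypted


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line: '<src> <dst> <dport> <app> <tls|clear>'."""
    src, dst, dport, app, enc = line.split()
    return Flow(src, dst, int(dport), app, enc == "tls")


def inspection_status(flow: Flow) -> str:
    """Classify a flow as 'inspected', 'blind:encrypted', 'blind:port' or 'blind:decoder'."""
    if flow.tls:
        return "blind:encrypted"           # engine cannot see inside TLS
    decoder = INSPECTED_PORTS.get(flow.dport)
    if decoder is None:
        return "blind:port"                # no decoder bound to this port
    if decoder != flow.app:
        return "blind:decoder"             # wrong decoder for the real protocol
    return "inspected"


def coverage_report(lines) -> dict:
    """Group flows by inspection status: {status: [Flow, ...]}."""
    report = {"inspected": [], "blind:encrypted": [], "blind:port": [], "blind:decoder": []}
    for line in lines:
        if line.strip():
            flow = parse_flow(line)
            report[inspection_status(flow)].append(flow)
    return report


def coverage_ratio(lines) -> float:
    """Fraction of flows the engine actually inspects."""
    report = coverage_report(lines)
    total = sum(len(v) for v in report.values())
    return len(report["inspected"]) / total if total else 0.0


# Constructed sample flows (documentation-range addresses, not real hosts).
SAMPLE_FLOWS = [
    "10.0.0.5 203.0.113.10 80 http clear",     # inspected
    "10.0.0.5 203.0.113.10 443 http tls",      # HTTPS: blind
    "10.0.0.6 203.0.113.20 81 http clear",     # HTTP on port 81: blind
    "10.0.0.7 203.0.113.30 21 ftp clear",      # inspected
    "10.0.0.8 203.0.113.40 8443 http tls",     # blind
    "10.0.0.9 203.0.113.50 80 ssh clear",      # SSH on port 80: decoder mismatch
]

if __name__ == "__main__":
    for status, flows in coverage_report(SAMPLE_FLOWS).items():
        print(f"{status}: {len(flows)}")
        for f in flows:
            print(f"    {f.src} -> {f.dst}:{f.dport} ({f.app})")
    print(f"inspected fraction: {coverage_ratio(SAMPLE_FLOWS):.0%}")
```

Run against your own flow or NetFlow export with the decoder table set to what your firewall documents, and the inspected fraction tells you how much of your outbound traffic the UTM antimalware subscription is actually covering; in most networks the TLS share alone makes the case for keeping desktop antimalware as the primary control.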
If you have other antimalware protections, such as a Web security gateway, you probably will gain little benefit from UTM anti-malware.
In a server-protective environment, such as incoming email, antimalware protection gets in the way and provides little benefit. Your most effective strategy there is to use either a dedicated antispam/antimalware appliance in front of your email server, or software on your email server that handles the same task. That becomes your primary protection, with desktop antimalware as secondary, leaving little room for value from the UTM firewall. Turning on antimalware outside of these better-managed tools is a recipe for confusion, because the logging and control facilities in UTM firewalls don't equal a good antispam/antimalware appliance or your email server. This means that when you do have a problem, debugging it will take longer or even be impossible.
Beware, though: antimalware comes with a steep performance price. If your UTM vendor doesn't quote a performance figure for your firewall with all UTM features turned on, take their normal performance guarantee and divide by 10 when adding UTM features -- at a minimum.
Management Problems Hamper Intrusion Prevention
UTM firewalls are ideally situated to provide an additional level of protection from Internet-launched threats, but the intrusion prevention (IPS) technology built into most UTM firewalls provides only a minimum of protections. The problem with IPS is that doing it right requires a fairly hefty management system that can analyze alerts, tune policies and provide feedback on the health of your network. UTM firewall vendors are stuck here because they have focused on easy-to-use simple interfaces that are typically Web-based and resident on the firewall. That doesn't coexist well with IPS functionality. This means that if you're serious about intrusion prevention, you probably want to look at a dedicated appliance, at least for the next few years until the firewall vendors solve the problem of management.
In the meantime, you can use IPS features of UTM firewalls in a server-protective environment to give you additional protection, especially if you have older Web-based applications or don't have a good strategy for server patching. Be prepared for false positives though: no IPS can avoid them completely, at least no IPS that is also providing any value in its protections.
As with antimalware protection, be prepared for a performance hit with IPS protections. While server-protective IPS is not nearly as large a performance burden as client-protective antivirus, it will drop total system performance by a significant factor in most firewalls. Press your vendor for actual performance figures, and if they won't provide them, use a 5x slowdown as a good rule of thumb. (You may also be able to find third-party performance tests that publish actual numbers.)
A better strategy for server-protective environments is to use the non-signature part of your UTM IPS protections. Sometimes called denial-of-service protection, quality of service, or even rate limiting, these protections ensure that an errant client cannot overwhelm your servers with too many connections, or repeatedly connect to guess passwords or probe for a security flaw. Simple rate protections, built into most UTM firewalls, give you an additional layer of security beyond what a traditional IPS can offer and are of great value.
There are two other advantages of pursuing this approach to intrusion prevention: one is that you don't have to pay for IPS signature updates (since you're not using signatures to detect malicious behavior) and the other is that you take almost no performance penalty for using these features.
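The mechanism behind these rate protections is simple enough to show in full. The following is an added example, not the article's code and not any vendor's implementation: a per-source sliding-window limit on connection attempts to a protected server, run over a constructed connection log in which one client behaves normally and one source hammers the SSH port. The thresholds, addresses and log lines are all constructed; real firewalls expose the same two knobs (attempts and window) under vendor-specific names.

```python
"""Non-signature, rate-based protection over a constructed connection log.

Added example; not the article's code and not any vendor's rate-limiting
implementation. It shows the mechanism behind the 'connection rate' or
'denial-of-service' protections the article recommends: a per-source sliding
window of connection attempts to a protected server, with attempts above the
limit dropped. Thresholds, addresses and the log are constructed.
"""
from collections import defaultdict, deque


def parse_event(line: str):
    """Parse '<epoch_seconds> <src_ip> <dst_ip>:<dport>' into a tuple."""
    ts, src, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return int(ts), src, dst, int(port)


def rate_limit(lines, max_attempts: int, window: int) -> dict:
    """Apply a per-source sliding-window limit to a time-ordered log.

    Every attempt is counted, including dropped ones, so a source that keeps
    hammering stays limited until it backs off for `window` seconds.
    Returns {'tripped': {src: first_ts_dropped}, 'dropped': n, 'allowed': n}.
    """
    recent = defaultdict(deque)     # src -> attempt timestamps inside the window
    result = {"tripped": {}, "dropped": 0, "allowed": 0}
    last_ts = None
    for line in lines:
        if not line.strip():
            continue
        ts, src, _dst, _port = parse_event(line)
        if last_ts is not None and ts < last_ts:
            raise ValueError("log must be time-ordered")
        last_ts = ts
        q = recent[src]
        while q and ts - q[0] >= window:  # evict attempts older than the window
            q.popleft()
        q.append(ts)
        if len(q) > max_attempts:
            result["dropped"] += 1
            result["tripped"].setdefault(src, ts)
        else:
            result["allowed"] += 1
    return result


# Constructed log: one well-behaved client and one source guessing SSH passwords.
SAMPLE_LOG = [
    "100 10.0.0.5 192.0.2.10:443",
    "101 10.0.0.5 192.0.2.10:443",
    "105 10.0.0.5 192.0.2.10:443",
    "200 198.51.100.7 192.0.2.10:22",
    "200 198.51.100.7 192.0.2.10:22",
    "201 198.51.100.7 192.0.2.10:22",
    "201 198.51.100.7 192.0.2.10:22",
    "202 198.51.100.7 192.0.2.10:22",
    "202 198.51.100.7 192.0.2.10:22",
    "203 198.51.100.7 192.0.2.10:22",
    "260 198.51.100.7 192.0.2.10:22",
]

if __name__ == "__main__":
    MAX_ATTEMPTS, WINDOW = 5, 10
    r = rate_limit(SAMPLE_LOG, MAX_ATTEMPTS, WINDOW)
    print(f"allowed={r['allowed']} dropped={r['dropped']}")
    for src, ts in r["tripped"].items():
        print(f"  {src} exceeded {MAX_ATTEMPTS} attempts/{WINDOW}s at t={ts}")
```

Note the design choice of counting dropped attempts toward the window: a source that ignores the limit stays limited, while a client that backs off (the final attempt at t=260) is served again once its window is empty. Set the threshold from a week of your own server's normal per-client connection rates, not from the attack you are worried about, or legitimate busy clients become the false positives.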
In our testing, we have not found very much protective value for IPS in client-protective environments, especially ones where desktop antimalware is kept up to date. Client-side protections are also much more expensive, performance-wise, and have an impact nearly as high as antimalware scanning. While IPS in a UTM firewall may provide some protection to clients, there are less expensive and better ways of providing the same protection, such as through Web security gateways and better desktop security software.
Choosing UTM or Standalone Content Filtering
Content filtering, which typically means category-based filtering for Web browsing (such as banning sports websites during business hours), is an ideal function for a UTM firewall in a client-protective environment. Because the firewall sees all Web traffic, it can easily compare URLs and enforce a security policy.
An alternative to content filtering is a standalone Web security gateway. These provide an enhanced set of services (such as caching and reporting) in a dedicated device. Whether an appliance is needed or your UTM firewall can do the trick is mostly a question of your security policy, how strict you want to be, and how much reporting you need. In general, Web security gateways will do a slightly better job at catching people going to prohibited sites because they often act as man-in-the-middle HTTPS proxies and can see inside the connection even if the end website is encrypted; most UTM firewalls don't offer this feature, and usually require some dedicated encryption acceleration to do so effectively. Web security gateways also have better reporting and may offer additional features, such as different policies for different sets of users, which may not be available in a UTM firewall.
If you are using content filtering to help "keep honest people honest" by reminding them of the policy and catching most transgressions, the UTM firewall is a very effective place to do it. If you have a stricter requirement for content filtering, such as extensive reporting or very deep inspection of the sites end-users are visiting, you will probably want to add on a standalone Web security gateway.
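The difference between what a UTM firewall and a Web security gateway can match is easy to see in code. The following added example (not the article's code, and not any vendor's category engine) evaluates constructed requests against a small category table with a business-hours rule. Its `sees_full_url` flag models the distinction above: without HTTPS interception the firewall matches only the hostname, while a gateway acting as an HTTPS proxy also sees the path and can apply path-based categories. The category table, policy, hours and URLs are all constructed.

```python
"""Category-based Web filtering with a time-of-day rule, and what a
UTM firewall sees versus a Web security gateway proxy.

Added example, not the article's code or any vendor's product. The category
table, policy, business hours and URLs are constructed. The `sees_full_url`
flag models the article's distinction: a firewall without HTTPS interception
matches only the hostname, while a gateway acting as an HTTPS proxy sees the
full URL and can match path-based categories.
"""
from datetime import time
from urllib.parse import urlsplit

# Constructed category database: hostname suffix -> category.
HOST_CATEGORIES = {
    "sports.example": "sports",
    "news.example": "news",
    "mail.example": "webmail",
}
# Path-based overrides: (host, path prefix) -> category.
PATH_CATEGORIES = {
    ("news.example", "/sports/"): "sports",
}
# Policy: category -> (action, business_hours_only).
POLICY = {
    "sports": ("block", True),    # blocked during business hours only
    "news": ("allow", False),
    "webmail": ("allow", False),
}
BUSINESS_HOURS = (time(9, 0), time(17, 0))
DEFAULT_ACTION = "allow"


def categorize_host(host: str) -> str:
    """Longest-suffix match, so live.sports.example inherits 'sports'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cat = HOST_CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return "uncategorized"


def in_business_hours(at: time) -> bool:
    start, end = BUSINESS_HOURS
    return start <= at < end


def decide(url: str, at: time, sees_full_url: bool):
    """Return (action, category, matched_on) for a request made at time `at`.

    For https the path is visible only with interception (sees_full_url);
    for cleartext http it is always visible.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    path_visible = parts.scheme == "http" or sees_full_url
    category = categorize_host(host)
    matched_on = "host"
    if path_visible:
        for (h, prefix), cat in PATH_CATEGORIES.items():
            if host.lower() == h and parts.path.startswith(prefix):
                category, matched_on = cat, "url"
                break
    action, hours_only = POLICY.get(category, (DEFAULT_ACTION, False))
    if action == "block" and hours_only and not in_business_hours(at):
        action = "allow"
    return action, category, matched_on


if __name__ == "__main__":
    requests = [
        ("https://sports.example/scores", time(10, 0)),
        ("https://sports.example/scores", time(19, 0)),
        ("https://news.example/sports/live", time(10, 0)),
        ("http://news.example/sports/live", time(10, 0)),
    ]
    for url, at in requests:
        fw = decide(url, at, sees_full_url=False)
        gw = decide(url, at, sees_full_url=True)
        print(f"{url} @ {at}: firewall={fw[0]} ({fw[2]}), gateway={gw[0]} ({gw[2]})")
```

The third request is the telling one: the firewall sees only `news.example` in the TLS handshake, categorizes it as news and allows it, while the gateway sees `/sports/` and blocks it. If your policy only needs hostname-level categories and a time window, the firewall result is the same as the gateway's, which is the "keep honest people honest" case where the UTM does the job; path-level or per-user rules are where the gateway earns its place.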
Joel Snyder is a senior partner at Opus One, an IT consulting firm specializing in security and messaging.
This was first published in February 2009