Tech Experts' Tips for Cutting Back
Unified Threat Management: Are We Dreaming the Impossible Dream?
By Sharon Nelson and John Simek
In an IT world fraught with danger on all sides, everyone has clamored noisily for a security miracle. Where there is a demand, a supply will emerge. Enter UTM, heralding itself as the answer to all our security needs.
Unified threat management, or UTM, almost unheard of outside the IT world in 2004, became gospel in 2005, when it came barnstorming in accompanied by promises of a one-stop-shopping solution to all manner of security problems. The publicity bandwagons gathered full speed and UTM devices were rushed into production. Oh, but we do want everything instantaneously. And it’s no wonder we’re so frantic for a security cure. On January 19, 2006, the FBI released a study noting that 90 percent of all businesses had suffered from a virus, spyware, network intrusion, online assault or other attack in 2004 or 2005, with the average damage amounting to $24,000.
Speed, however, is not always desirable when it comes to IT security. As the character Miracle Max says in The Princess Bride, “Don’t rush me, sonny. You rush a miracle man, you get rotten miracles.” Some of what we have seen of UTM is far less than a miracle, or perhaps a rotten miracle at best. As always, when a thing seems too good to be true, it is worth taking a few wary steps backward to study both the promises and the deliverables.
Addressing a World of Blended Threats
Just what is UTM? IDC defines UTM appliances as products that unify and integrate multiple security features onto a single hardware platform. These appliances must contain the ability to perform network firewalling, network intrusion detection and prevention, and gateway antivirus functions. Basically, one device layers together sophisticated software and hardware.
Conceptually, UTM makes perfect sense. Most law firms have separate programs to deflect spyware, viruses and network intrusions. They sometimes have multiple programs to perform the same functions. All of these programs must be purchased, licensed, managed, patched, updated and the like. And, as we all know, user error enters the playing field all the time—something doesn’t get done and there’s a problem, sometimes minor, sometimes catastrophic. One centralized solution sounds delicious and economical. Oh, the joyful allure of dealing with a single vendor and a single point of administration in your network. It is an administrator’s dream.
But in reality, it is caveat emptor. UTM, while a great concept, is still pretty new on the horizon, and it presents (at the least) these major issues:
- A UTM device might perform two or three functions admirably but be weak on the fourth.
- Many UTM solutions focus on perimeter security, ignoring the disaffected employees who cause so many of the problems internally (fully 44 percent of incidents come from inside the organization, according to the FBI study referenced earlier).
- The whole concept of UTM provides something that all IT folks hate—a single point of failure.
The converts to UTM are, nonetheless, multiplying at a furious rate. IDC has reported that UTM is the fastest growing segment of the security market. It exceeded $100 million in revenue in 2003, a growth rate of 160 percent over 2002. IDC projects that by 2008, UTM devices will make up about 59 percent of the $3.45 billion IT security market.
So how much do these little bundles of joy cost? They can come for as little as $1,500 for the small business models. Most companies offer a dizzying array of models meant to span the gap from major enterprises to very small businesses. The higher-end models can cost up to $70,000. One industry leader, Secure Computing, says the base pricing on all eight of its models provides its customers with the following:
- A network-layer stateful-inspection firewall
- An application-layer firewall with integrated IPS
- Controls for XML/SOAP traffic, IM, P2P, spyware and phishing traffic
- IPSec and SSL VPN termination for client-based or clientless VPN access
- A high speed, never-been-compromised SecureOS operating system protected by patented Type Enforcement technology
- Free Web-based training
- Optional classroom training
- 24-7 technical support
Most companies now offer different suites for different needs intended to scale to the proper enterprise level. Some of the software components are optional and can be selected as opt-on, or opt-out, modules. For instance, if you like the anti-spam solution you already have, you can “deselect” that when you purchase a UTM solution. UTM devices may also help with Sarbanes-Oxley compliance by providing anti-spam, antivirus and content-filtering software, as well as software designed to report who accessed data and when. Clearly, this is a good marketing tactic, since SOX has many a company quivering in fear about compliance.
Some of the leaders in this brave new world are Fortinet, ServGate, Barrier1, Check Point Software, Internet Security Systems, Symantec, LokTek, Secure Computing, WatchGuard Technology, Network Box and Cisco Systems. To no one’s surprise, Microsoft has jumped on the bandwagon, too.
Making Patience the Watchword
Without question, the assaults on our networks are painful, cause monetary damage, waste bandwidth, drain productivity, and sometimes result in outright sabotage. Managing individual defenses to these assaults is labor-intensive and costly. UTM devices provide an excellent start at combating security demons in an integrated way. But as one very candid manufacturer admits, no threat management software is “100 percent effective, 100 percent of the time.” Sad but true.
Even though UTM devices are often updated several times a day, there are still no true guarantees. And read those warranties carefully—they tend to exonerate the vendor in many real-life situations. What good does it do you if you have the latest and greatest in the UTM world but your data evaporates? If your contract doesn’t allow recovery of damages (first- and third-party), you may really be up the river without an oar.
One manufacturer has this tag line for its product: “The end of vulnerability.” Forgive us if we shake our heads with resignation and cynicism. The bitter truth is that there will never be an end to vulnerability in IT security. There will never be a light at the end of the tunnel because the evil-doers will vigorously continue to construct more tunnel.
It is tremendously difficult to gauge the worth of many of the UTM solutions because they simply haven’t been around long enough. Of course, if you believe the advertising copy, everything is hunky-dory with all of them—but most of us have become battle-weary veterans of Madison Avenue and know the truth is that reality and ad copy rarely have much in common.
Companies have been so eager to scarf up UTM dollars that they are moving way too fast, sometimes stacking software with known vulnerabilities on top of software with known vulnerabilities. This is like building a fortified city and graciously leaving the key in front of the gate. Remember Miracle Max? “You rush a miracle man, you get rotten miracles.”
The rotten miracles may naturally shake out as the industry shakes out. The Advisory Council, in a March 2005 Information Week, suggested that most businesses thinking about UTM solutions should be wary and let others do the preliminary bleeding. The council recommended studying UTM solutions and adopting them two to four years from the date of the article’s publication, after the industry has a chance to repair its failures and companies not up to snuff have passed from the terrain. So let’s take our miracles a bit more slowly. No one wants to be victimized by rotten miracles. The tried and tested miracle should be ready for most law firms in 2007. Patience is painful but well-advised.