The multipurpose security appliances that consolidate firewall/VPN, content filtering, intrusion prevention and more into a single box are winning favor as easy-to-manage devices. But the open secret about these unified threat management (UTM) devices is that they take a bite out of bandwidth as they inspect content.
It's not uncommon for UTM products on the market today to suffer as much as a 50% loss in performance as the full panoply of security services is put to use. That's a situation acknowledged by UTM vendors, which sometimes advise customers to compensate by getting higher-bandwidth devices than they ordinarily might need.
"When you turn on all the services, the speed is impacted," says John Kuhn, product line manager at SonicWall Inc., whose UTM products range in bandwidth support from tens of megabits per second to more than 1Gbit/sec. "Absolutely, there is a performance consideration, and it could be a 50% loss."
Even at the high end
What's true for a UTM appliance at the low end is also true at the high end with appliances that attain multigigabit speeds.
"You pay a performance penalty as you go deeper into the content, and you could lose half the performance," acknowledges Chris Roeckl, vice president of corporate marketing at UTM vendor Fortinet Inc. Fortinet's FortiGate line of UTM devices supports speeds from 10Mbit/sec. to 48Gbit/sec.
Several other UTM appliance vendors, including Internet Security Systems Inc. (ISS), Secure Computing Corp. and Symantec Corp., are equally blunt in saying customers could experience as much as a 50% performance loss.
"In general, it's more like 10%, but 50% is possible," says Mark Butler, director of product marketing at ISS, which offers three multifunction security appliances in its Proventia line.
"The approach we take is we size [the appliance] according to the number of users," Butler says. He notes that the Proventia MX 1004 supports 100 concurrent users, the MX 3006 as many as 250 concurrent users and the MX 5010 as many as 500 concurrent users.
Cisco Systems Inc., which offers various models of its Adaptive Security Appliance (ASA) that top out at 1.2Gbit/sec., is reluctant to admit more than a 10% performance hit.
Despite any drawbacks associated with bandwidth, UTM seems to be here to stay. UTM is the phrase coined two years ago by Charles Kolodgy, an analyst at research firm IDC, for the multipurpose security appliance whose basic foundation is a firewall or firewall/VPN.
"It has to have a firewall/VPN, gateway antivirus and preferably intrusion prevention," says Kolodgy, who estimates the UTM market will reach about $850 million by year's end, up from $700 million last year.
While Fortinet leads at the high end and SonicWall at the low end, Kolodgy says, this still-nascent market is changing rapidly with Cisco's ASA appliance, which debuted a year ago and is shaking up the low end.
UTM appliances vary considerably from vendor to vendor. Some vendors making UTM products must partner with other security firms to support antivirus, or other content filtering, on their UTM products when they don't have the technology in-house.
For example, Cisco and Secure Computing partner with Trend Micro Inc., and SonicWall partners with McAfee Inc. eSoft Inc., which offers the InstaGate UTM with a top speed of 190Mbit/sec., uses its own antivirus filtering but turns to Aluria Software for antispyware and Secure Computing for Web filtering. Crossbeam Systems Inc. makes use of the Check Point FireWall-1 UTM, as well as Trend Micro, Aladdin Knowledge Systems Ltd. and Websense Inc. for content filtering.
UTM's role expanding
Most vendors see their UTM products deployed at the Internet gateway, though Mike Jones, Cisco's senior product manager for ASA and the PIX firewall, says "it's no longer about protecting just the Internet edge, but going inside" to provide firewall, antivirus, antispam and URL filtering deep within the corporate network.
Nevertheless, businesses deploying UTM appliances generally do so at the point of Internet access at corporate headquarters and branch offices. The value of the multipurpose security appliance, according to the vendors selling them and their customers, derives from the simplicity of managing a single device instead of several.
"The single point of management for content filtering and the intrusion prevention is a key point for us," says Jack Wickwire, CTO at Central Bank Illinois in Geneseo, Ill., which has deployed Secure Computing's Sidewinder G2.
However, other technology managers are hesitant to put all their security eggs in one basket with a UTM.
"One of these things, when it breaks, then everything breaks," says Brian Walowitz, technical coordinator at Yeshiva University's High School for Girls in Queens, N.Y., about his reluctance to go with UTM.
The school preferred to deploy separate security gear, such as St. Bernard Software Inc.'s iPrism Internet monitoring appliance and the Barracuda content filter, instead of a single box.
UTM vendors often recommend deploying their appliances in a pair for purposes of failover should one go down.
"People buy at least two for high availability," says Paul DeBernardi, director of product marketing at Secure Computing.
Whether UTM appliances are always the best tool for the job is a matter of some debate. SonicWall, for instance, argues that it's not viable to do highly accurate, full-performance spam filtering on any UTM.
"What's capable on a firewall is not anywhere near what you can get on a separate spam gateway, such as quarantining messages," SonicWall's Kuhn says.
Some disagree.
"Antispam is possible on UTM, but SonicWall simply does not have the horsepower," says Bob Walder, director of product evaluation at product testing lab NSS Group.
NSS Group last year began testing UTM appliances, and another round of lab evaluations is set for this fall. Only Fortinet and ISS have received the "NSS Approved" mark so far, and Walder declined to say which vendors didn't make the grade.
But with UTM growing in popularity, one question that arises is whether the market will see a drop in stand-alone devices, such as firewalls or spam filters.
Future of UTM
Each vendor sees its UTM future differently, but a common concern is analyzing the impact voice-over-IP traffic might have on the UTM design now that customers are starting to put VoIP traffic through UTM gateways.
"As you add voice traffic to the network, there are a lot more small packets that make the box work harder," Fortinet's Roeckl says, adding that Fortinet is working on an acceleration technology it expects to announce by year-end that will speed VoIP processing to ensure voice quality. Fortinet also envisions ways to inspect VoIP traffic for viruses that might be injected into VoIP streams.
"We're looking at the various attacks," Roeckl says.
Symantec, which makes the Gateway Security line, says it plans to add a QoS control to its UTM, so the appliance can give priority to IP-based applications, including VoIP. At the same time, Symantec -- which had an internal memo on the topic leak out -- acknowledges it's changing course on UTM, reducing investment in its flagship UTM line, and will look to partners to help design the hardware.
For its part, SonicWall is adding support for IKE Version 2 (IKEv2), the VPN key-exchange standard, into its UTM with the expectation that customers will be using IKEv2 for VoIP traffic.
Secure Computing plans to add a secure application pathway to its UTM based on the Session Initiation Protocol (SIP), so managers can create VoIP policies for different groups within an organization.
"Basically, we're building a SIP proxy, because when you open up VoIP in firewalls, it's like Port 80, a big, fat hole," Secure Computing's DeBernardi says. "This SIP proxy, with different commands for VoIP connectivity, will ensure only pure VoIP traffic gets through."
Secure Computing sells three lines of UTM appliances -- the low-end Snapgear and the high-end Sidewinder G2 and CyberGuard, which each reach 3Gbit/sec. Secure Computing expects to introduce a new version of Sidewinder G2 soon that integrates the content-filtering technologies gained through its acquisition of CyberGuard late last year.
This story, "All-in-one security devices face challenges," was originally published by Network World.