Testing So-Called 'Unified Threat Managers'

snydeq writes "The InfoWorld Test Center has released vulnerability testing results for four so-called 'unified threat managers' — single units that combine firewall, VPN, intrusion detection and prevention, anti-malware, anti-spam, and Web content filtering in lieu of a relay rack stuffed top to bottom with appliances. The lab threw nearly 600 exploits of known vulnerabilities in a wide range of popular OSes, applications, and protocols, and despite being designed to thwart such threats, the UTMs as a class allowed hundreds to pass through. Why did the UTMs miss so many exploits? A lack of horsepower to perform the necessary deep packet inspection under load is suspected, as the lab pushed the limits of each unit's throughput with legitimate traffic. 'The upshot is, although the vendors have packed these devices with additional gateway security functions, clearly many UTMs are still strictly firewalls at heart.'"

general purpose != good

[KingFeanor]

Is it possible that single purpose security applications and appliances do a better job? In combining make various technologies in one device, how watered down was each individual component?

Re:general purpose != good

[houstonbofh]

Part of the solution is the tool, and part is how you use it. The Pix firewall can be very secure, but it is very hard to configure correctly. So many people just opened it up, making it very insecure... If a unified tool can be more easily configured securely than many best of bread applications, it will produce a better result every time. It will also have better cross communication than other applications as it is designed that way, not tacked on to support many other things.

Now could you personally out do that? Probably. Could your typical business person? Not likely...

Re:general purpose != good

[fuzzyfuzzyfungus]

Depends. In practice, I strongly suspect that quality suffers pretty markedly in many cases. If "UTM" is the new hotness buzzword, every last maker of firewalls, IDSes, packet shapers, and god knows what else will be rushing to ship a "UTM". This will probably mean taking their existing product and hacking together, or aquiring, enough other functions to make it qualify. That will typically mean that the result is good at something, with a bunch of other near broken crap hanging around and eating CPU time.

In theory, though, there is nothing about putting multiple functions in the same box that necessarily "waters them down", and there are substantial economies, in terms of space, hardware, and management, to be realized if done correctly. For a critical device, you would certainly want redundancy in the hardware, dual power supplies, that sort of thing. Two or three redundant PSUs running a single box are cheaper than two or three redundant PSUs per box, and multiple boxes. CPU and other system resources are in the same boat. Management is likely even more important. Fewer different styles of interface, fewer distinct login systems to deal with, fewer configuration files to back up, and so forth.

There is nothing fundamentally wrong with putting many functions in the same box; but, at the same time, there is a massive temptation for mediocre and worse "me too" outfits to cram a bunch of crap in and call it an "integrated solution".

Re:general purpose != good

[KingFeanor]

I agree. When UTM isn't a buzzword and vendors have had a couple of release cycles to get their act together, get quality pieces put together and design a reasonable user interface, then these things may well be better than a mish mash of various components. There may be great benefits in time from gathering these things together, but we aren't there yet! And hopefully the vendors won't reduce the 1000 different options you had in the mish mash that perfectly served your business's needs with 10 pre configured scenarios which don't do the job.

Re:general purpose != good

[morgan_greywolf]

If a unified tool can be more easily configured securely than many best of bread applications,

Wait! Whole wheat, white, pumpernickel or 7-grain?

Re:general purpose != good

[rthille]

PIX can also be very stupid. We had one which would drop a packet while rsync'ing email from one system to another because the packet looked like an exploit to the PIX.

Re:general purpose != good

Is it possible? It's almost guaranteed. There was a reason that we had "component" stereo systems years ago(they seem to have mostly disappeared these days)...cause a Technics turntable might sound better on an Onkyo amp(mine does).

Re:general purpose != good

[IceCreamGuy]

This will probably mean taking their existing product and hacking together, or aquiring, enough other functions to make it qualify.

Watchguard's been doing that since 1996! I really do like the Firebox Core after using it for a year or two, but man, you can tell that they've taken work from multiple unrelated development projects and strung them all together with a "manager" that simply launches bulky, inconsistently designed apps which then in turn launch more inconsistent smaller apps. Great feature set and very fast, though, once you get past the decent learning curve and annoying support contracts.

Re:general purpose != good

[Hyppy]

False positives and false negatives are bound to occur. It's like a see-saw, and finding the right balance is tricky. Swinging back and forth between the two isn't nearly as effective as shrinking the fulcrum, but either way there will always be a few.

Re:general purpose != good

[Martin+Blank]

I prefer Western Hearth 12-Grain, thank you.

Re:general purpose != good

There's been talk of using a UTM where I work, but I much prefer and advocate a combination of an application proxy firewall with a rule-set that enumerates goodness, a solid IDS/IPS at key junctures to catch attacks that would get by the firewall, and a packet recording system backing up the IDS/IPS so that we can reconstruct complete sessions that get by both of the above to understand how the attacks worked. UTMs are simply too much on one system.

Re:general purpose != good

[mvdwege]

I have news for you: UTM is old news. Vendors have been selling this stuff for years already. And yes, the complaint remains: a mish-mash of badly integrated components that eat up a significant part of your performance.

I admin these things for a living, and they're a pain. Their management interfaces suck, the false negative rate sucks, and turning on the various protection methods eats up to 80% of your bandwidth.

Mart

Re:general purpose != good

[agristin]

UTM is a crock. It loads multiple single purpose apps on to a general purpose computing device and then tries to do it quickly.

The best thing in this field I've seen recently is Palo Alto Networks firewall (www.paloaltonetworks.com).

Knows the applications, even web apps. It can tell the difference between Gmail and gchat. Bittorent and wow torrent patching. Can do user based rules when integrated with AD. And can proxy SSL to look in the SSL stream if necessary. Malware blocking, url filtering via subscription. Because ports or protocols != applications and IP address != user anymore.

Re:general purpose != good

You're totally right about ports or protocols != applications, but PA networks is not the only one that does that. Pretty much every UTM vendor can do the same now, some better than others.

Nice plug though.

Strange

[Reason58]

Focusing on doing one thing well yields better results than trying to do everything. Who'd have thought?

Re:Strange

[cool_story_bro]

that's why I bought 10 pieces of hardware before connecting my computer in my home office to the internet. I think the issue ends up being scalability vs. robustness

Re:Strange

[monkeyboythom]

Your UTM gave me a UTI.

Thanks for sharing the virus!

Actually I think the idea is not to bundle all apps into one but allow data communication between them to be better. I think it could be communication pathway would be more of permiable barriers which get smaller down the line. Firewall to AV to Spy/Greyware to deep scan heuristics on the hard drives.

Re:Strange

[Rene+S.+Hollan]

Disclaimer: I am employed by one of the companies represented in the trial but do not speak for them.

Unfortunately, security is a process and affects all interacting systems. Placing them under one umbrella in a UTM device allows security issues to be dealt with in one place. This is better than having "something else" misconfigured somewhere undo all the efforts one has made in a particular place.

Yes, by layering SPAM filtering, virus scanning, and application protocol validation, one can achieve the same effect, and each appliance can excel in it's area, but this comes at the complexity of having to configure many things independently (not "atomic security changes" spanning multiple issies), adds to complexity (the bane of security), and may give rise to an "end run" if these units run in parallel, instead of sequentially (which yields latency issues).

The bottom line is that the market likes the convenience of unified threat management, and the price to be paid is generally not quality but performance.

Re:Strange

[geminidomino]

The bottom line is that the market likes the convenience of unified threat management, and the price to be paid is generally not quality but performance.

I dunno.. TFS said it did a pretty crap job keeping things out... I'd call that a cost in quality.

Re:Strange

[Rene+S.+Hollan]

The bottom line is that the market likes the convenience of unified threat management, and the price to be paid is generally not quality but performance.

I dunno.. TFS said it did a pretty crap job keeping things out... I'd call that a cost in quality.

That's a different problem, since signatures can be updated over time. But, now that you mention it, space constraints in a UTM do limit the size of signature databases it can hold.

The answer is, of course, to get a bigger UTM, and address performance with clustered UTMs.

Sadly, one does not have to be perfect, one just has to be better, for some definition of better, than the competition.

Re:Strange

[Hurricane78]

Did it say, that groups of separate items before that did it better? You know: Everything is defined by its relation.

Re:Strange

[Hurricane78]

So I can let my rootkit directly interface with all products trough standardized interfaces? Sweet! I take ten!

Re:Strange

[nametaken]

Well I hope you work for Sonicwall. All the rest did terribly.

Re:Strange

[turbidostato]

"Unfortunately, security is a process and affects all interacting systems. Placing them under one umbrella in a UTM device allows security issues to be dealt with in one place."

Unfortunately, putting all those interacting systems under one umbrella in a UTM device allows security to be tresspassed by jumping out just one choke point. Security by depth==0.

No Cisco product?

[zerofoo]

How could you do a credible review of Unified Security Appliances without including one from a tiny little networking company called Cisco?

It would have been nice to see how the ASA5500 series appliances stood up to the test.

-ted

Re:No Cisco product?

[John+Hasler]

> It would have been nice to see how the ASA5500 series appliances stood up to the test.

If you send them one I'm sure they'll test it. It appears that Cisco wouldn't.

Re:No Cisco product?

[houstonbofh]

> It would have been nice to see how the ASA5500 series appliances stood up to the test.

If you send them one I'm sure they'll test it. It appears that Cisco wouldn't.

They also didn't include Untangle, http://www.untangle.com/ which is available free, and is a direct competitor to the things tested. So it might be other reasons...

Re:No Cisco product?

[Zerimar]

They don't do well I'm sure. That being said, I'm surprised they don't have samples from Cisco, Checkpoint, or Juniper - the three market leaders. Even if the companies don't provide freebies, they should have bought a few and tested them.

Re:No Cisco product?

[Amouth]

eh.. it's one of the why bothers?

when your looking at a purchase price that high.. people arn't exactly looking for 2 page review articals .. for a 200$ graphics card sure.. but dropping 10-30k .. you don't care about the 1-2 page articals..

they through 600 things at it.. out of how many? how did they pick them? also the "as configured" and the options they had set
what are they? where is teh indepth..

if i'm going to send someone a 10-30k peice of equipment to review and put in a head to head.. you better be able to make at least a masters thesis out of reviewing the results

Re:No Cisco product?

[evol262]

Or IPcop, pfSense, m0n0wall, Shorewall, etc. Why? Because they're not appliances.

Re:No Cisco product?

[Hyppy]

Exactly. Cisco's ASA and Checkpoint's UTM products are on the short list for us. Having a solid review of the difference between those two would be far better than picking 4 quasi-no-name brands.

Re:No Cisco product?

[Hyppy]

Could you point us to something with more in-depth information, by all means. All we can find is marketing propaganda from Cisco and Checkpoint. Unbiased, timely reviews with real-world information like this are far and few between.

Re:No Cisco product?

[Vancorps]

I can vouch that at least Sonicwall will let you evaluate their firewall for free before you choose to purchse. Barracuda Networks also does this and it's an incredibly great policy as you get to play with the device to find out if it's too clunky for your purposes.

I do find it interesting that Cisco wasn't added to the mix but as another poster probably said, this was based on units available for review and Cisco is usually pretty tight lipped about a lot of their products. In one year of looking for WAN acceleration strategies not once did Cisco allow me to actually play with their WWAS product while I was able to get my hands on two Riverbed appliances and actually try it out for real in my own environment allowing me to test failure scenarios before I committed to the 60k necessary which makes a lot of sense.

Of course, these days most people don't perform due diligence and that's the real problem resulting in much of the IT world's woes.

Re:No Cisco product?

[bleh-of-the-huns]

Unbiased reviews do exist, but they are generally paid for by someone. One example would be a document that was a good 200 pages long, pitting various log aggregation and correlation devices/software against each other (Netforensics and Arsight to name 2). It was extremely thorough, and useful, but was done by a consulting/contracting company (with no vested interest in any of the products or organizations) for a large Federal/DoD entity. The damn thing was wrapped in so many NDA's that no one outside the Federal/DoD entity and the authors themselves can see it.

Re:No Cisco product?

[houstonbofh]

Or IPcop, pfSense, m0n0wall, Shorewall, etc. Why? Because they're not appliances.

monowall is not a UTM, it is a firewall. I am a dev on it, and I should know.
pfSense is also not a UTM, but it has a lot of plugins that can get close. But since it is a lot of plugins, it is not really "Unifiied."
Untangle, and both of the above are available as supported appliances, or installable on standard x86 hardware, or appliance like hardware.
I have not used IPcop or shorewall, so I can't speak on them.

Re:No Cisco product?

[John+Hasler]

"Nobody ever got fired for buying Cisco", right?

Re:No Cisco product?

[John+Hasler]

> Of course, these days most people don't perform due diligence...

They never did, and it made IBM billions.

Re:No Cisco product?

[secolactico]

They also didn't include Untangle, http://www.untangle.com/ which is available free, and is a direct competitor to the things tested.

Free with an asterisk on it. It seems if your needs go beyond the very basic, you have to pay for the professional version.

According to their website, creating different policies for specific groups of users or time-based is not available in the free version. Nor is wan failover.

I'm not against paying for the product, it seems quite capable and the $250 a year subscription is not unreasonable. But the free version doesn't seem to do much to compare to other offerings.

Re:No Cisco product?

[Amouth]

can i point you to an in-depth review of UTM's - no i'm sorry but i havn't run into nore have i looked for one.

Other stuff yes.. but i don't focus on UTM's

Re:No Cisco product?

[vlm]

Could you point us to something with more in-depth information, by all means.

Your interpretation was backwards. He's looking for less because it's expensive.

When purchasing a $200 graphics card in a corporate environment, the technical staff will read 200 page technical documents, search google for hours, write reports, run simulations, justify the upfront cost vs long term labor savings, basically spend at least a grand or two of labor costs to pick the best $200 card.

However, when purchasing a $30K "buzzword of the month" the decision will be made at a high level by a manager whom is proud of being non-technical based on:
1) What they saw on CSI and/or 24 last night, or maybe Obama's latest speech.
2) Whom has the scariest marketing material (buy this expensive magic widget or you be p0wned)
3) How much he enjoyed the sporting event the sales exec took him to, or how much he enjoyed the sales exec in general.
4) The cheapest, or the first one he saw in a magazine, or perhaps a brand that will offend one of his enemies (you know, like he hates the guy who happens to love Cisco products, so if the enemy of my enemy is my friend, then ...)

Re:No Cisco product?

As an analyst who covers Cisco, let me just tell you Cisco hates having their products compared with its competitors. Why?

1) Cisco's lab already does these comparisons and is well aware of how their equipment stands up to their competitor's offerings
2) Cisco's analyst relations and product managers are paranoid about getting canned for allowing the press to do their jobs
3) Industry consensus is that more firepower is needed for these types of devices to be more useful, but Cisco's equipment can be a little impotent on the chip side
4) Their products are much more expensive

On the other hand, a Cisco shop has many benefits and may be superior in certain cases; but those benefits are much harder to demonstrate and the real value varies among different customers.

Re:No Cisco product?

[DontBlameCanada]

"Nobody ever got fired for buying Cisco", right?

I know someone who did. They worked at Nortel and bought Cisco routers for the lab...

Not the sharpest tool in the shed.

Re:No Cisco product?

[Spazztastic]

pfSense is also not a UTM, but it has a lot of plugins that can get close. But since it is a lot of plugins, it is not really "Unifiied."

I tried shopping around with various free firewalls/UTMs when I wanted to try something different then pfSense for SOHO installs. I ended up finding out that things like Endian, Untangle, etc. all are lacking the freedom that pfSense does. I'll stick with pfSense, thanks.

Re:No Cisco product?

[secolactico]

I'll stick with pfSense, thanks.

I'll second that emotion.

For a while, I whished for a layer 7 filter for pfsense but in the end, using squid + squiguard eliminated almost all unauthorized net access (p2p, im, sending of zombie generated spam).

I still believe the best policy is to have a talk with the users about proper net usage and the consequences of not following guidelines, but there will always be someone who thinks he can get away with it and get everyone (mostly me) in trouble.

Re:No Cisco product?

[Atticka]

You can download the Astaro software free on their website (limited IP's and concurrent connections) and will send a demo/eval unit on request as well.

Re:No Cisco product?

[linuxwebadmin]

I'd vote for http://www.clarkconnect.com/. They've got a nice set of features.

Re:No Cisco product?

[DrgnDancer]

SonicWall is no where close to "No-name", but otherwise yeah. I'm a bit shocked that Cisco didn't provide a box for them to test. Info World isn't exactly a huge security publication, but it's a half-decent generalist magazine. People looking for UTMs tend to be generalist network/systems types in small to mid-sized companies, not security specialists in large ones.

Re:No Cisco product?

[Bigjeff5]

You were modded funny, but you should have been modded insightful. This happens all the time, and constantly, depending on the organization.

It also seems the bigger the company is, the more vulnerable they are to this kind of thing.

Though, I do prefer to think it happens because of smooth sales pitches and multi-thousand dollar "business trips" to Tahiti that do the trick. Mostly because I'd like to be there someday, though I probably never will. Heh.

Re:No Cisco product?

[houstonbofh]

I keep all three (Untangle, m0n0wall, and pfSense) in my toolbox. In some cases I have used 2 of the above.

Why not Cisco?

I'm disappointed that they didn't include a Cisco ASA.

http://www.cisco.com/web/go/asa

I used to love Sonicwall

[C_Kode]

I used to be a big SonicWall fan, until I joined a company that required IM messaging and used Vonage. Sonicwall causes a bunch of issues with AIM's protocol. IM will go into a blackhole, a user cannot connect, etc. We were using them at the small remote offices, but we replaced them with Juniper SSGs. The Vonage and AIM issues vanished once we switched over.

Re:I used to love Sonicwall

[iamhigh]

Isn't Juniper quite a bit more expensive than Sonicwall? Also the AIM thing doesn't surprise me as that is probably something many companies want to (for some pretty good reasons) block.

Re:I used to love Sonicwall

[C_Kode]

An Sonicwall TZ190 starts around $500 and an SSG5 can be had for about $500. They are comparable products. This is the base router without the annual subscription for filtering and virus type scanning extras that they both support, but are unnesessary for use.

Re:I used to love Sonicwall

[Vancorps]

That's funny, Sonicwall is heralded as one of the best firewalls for VOIP support these days. How long ago was this? As an admin that deployed Asterisk company-wide using Sonicwalls as head-ends with VPN tunnels to remote locations and zero issues handling any voip traffic.

I think you'll find things have changed dramatically and that Sonicwall is much cheaper than the same level UTM from Juniper.

The thing that surprised me was the disparity between Sonicwall versus the other provides as it was an entire significant digit more expensive although the pricing in the article isn't in line with the pricing I've received but you're still talking five digits for Sonicwall versus four digits for the others.

I've never encountered AIM, MSN, or Yahoo issues in my environments. Usually the software has more to do with the problems than the head-end as software needs to support your environment. Many clients for instance don't support a NAT'd configuration despite how prevalent it is today.

Re:I used to love Sonicwall

[chipperdog]

I liked Sonicwall (I run 3060s on my networks), but they really pissed me off last fall when all security services stopped because Sonicwall's license activation servers went down for a day (I just renewed the licenses about a month earlier) - apparently if they don't see the activation servers they immediately stop. I'm looking at alternatives now....

Re:I used to love Sonicwall

[rantingkitten]

You're right, Sonicwalls can cause issues with SIP (e.g., Vonage) but so will any firewall you drop between IP telephony devices and the internet. I can't think of a single device that will work out of the box with that, including Netscreens. Not that I'm a big fan of Sonicwall either, but usually you have to fiddle with their stupid ALGs and NAT features to get SIP to work properly -- and once you do, it works pretty well. At least as far as SIP-based VoIP is concerned.

I realise that's of little use to you since you already switched but maybe it'll be good for someone else to know.

Re:I used to love Sonicwall

[Hurricane78]

Reaoons being? Well, for AIM... I can understand that. But for XMPP/Jabber? That's as stupid as blocking e-mail or phone. Why not seal the doors, shut all windows, and put it all in a bunker under the sea. :P

How does this compare to open source offerings?

[Victor_0x53h]

I'm curious how would these would stack up against an iptables firewall with PSAD, or other open source offerings?

Think Linux Firewalls which was reviewed a while back, and which I use to protect my home servers.

Re:How does this compare to open source offerings?

[bleh-of-the-huns]

The biggest problem with most open source offerings, is lack of support. Businesses want support, and while yes some of those offerings may have support (I have not looked), the quality is most likely no where near close to what pure commercial entities can offer.

Re:How does this compare to open source offerings?

Yeah, but have you even tried using the "enterprise" support from large companies?

-Microsoft - Good luck talking to anyone who isn't an idiot and of course you have to repeat yourself dozens of times for stuff. Ask a hard question and you get to repeat everything over and over. Give up and call a local mcse.
-JBoss - the tech they sent onsite knew about half as much about jboss as our in house architect
-BEA/Weblogic - if you can convince them that they have a problem in their product (which takes several months) they will take another few months to fix it and get back to you

Maybe we don't aske the easy questions, but every time we've called "enterprise" support from larger companies they were nearly worthless and took months to get a resolution.

Just my experience...

Testing Criteria?

Tests like this usually favor the company that supplied the criteria and/or funding for the test. The results are exactly what you can expect. I'm sure that the other 3 companies tested could have supplied a criteria that favors them as well.

Shocking

[Monkeedude1212]

No, its not shocking that a tool for the job beats a "jack of al trades" - its shocking that the jack still missed third or more exploits. Hundreds out of 600? The odds are less that the janitor will break the server. ... heres the kicker, its happened before.

Not entirely surprising

[emocomputerjock]

Having used Sonicwall products in the past, I can believe the results. They weren't the models tested but they were fairly effective for their price and performed well for a fairly small environment (around 100 or so employees). Sourcefire has some nice stuff as well. I'm sure other posters much more experienced with hobbitmon can chime in on the configuration and deployment of that but from what I've seen it was a nice component of home-built threat managers that also had snort and open-source firewalls on them.

Re:Uhm?

[a-zarkon!]

It's the Ron Popeil/Billy Mays/Home Shopping Network sales pitch for IT Security: "It's a firewall, it's an intrusion prevention system, it will filter your web connections, it even provides anti-virus. But wait! It also acts as a router, and it even has a built in gigabit switch module. Now - how much do you think you're going to pay for this? Not $20,000 - not $15,000, not $10,000; no - all this can be yours for the low low price of $9995.95...."

Re:Uhm?

It also makes julianne fries!

Re:Uhm?

[fuzzyfuzzyfungus]

You sound an awful lot like the traditional UNIX big iron vendors.

Before they went bankrupt.

Re:Uhm?

[Presto+Vivace]

butwaitthere'smore!

using a single

[nimbius]

server with dual processors and 8gb of memory to handle "unified threat management." for a company of 300 people. openvpn, shorewall, squid, all running on it (is it really unified at this point?) but to be honest the segmentation in practice is a fundamental. email still gets scanned somewhere else, and snort isnt a part of the box i built.

Re:using a single

[Vancorps]

Talk about a dangerous power hungry scenario. At least use two servers for a highly availably solution man. Otherwise the setup is like something I did before I got funding for a proper Sonicwall. Maintaining a beast with that many different products is a pain. I'll give you an example. VPN Client wouldn't connect through the whole rig. Opening a port on the firewall is just the beginning, you need to whitelist the IPS, create a proxy routing rule and then hopefully all will work.

Of course a rig like that has a significant amount of flexibility which is a strong point in support of it. If you find a product better than Shorewall you can simply drop in whatever replacement you want and that means a lot in a fast paced work environment.

Re:Uhm?

[morgan_greywolf]

Ever heard of computer loaded with *nix and configured as a gateway/router/proxy with snort or something similar loaded? Back before you young whippersnappers came in with your fancy firewall appliances, that's what we had. And we liked it that way!

"Unified Threat Manager" is BS

[Thaelon]

It seems to me - and the headline implies this - that a "Unified Threat Manager" is a firewall that has had Marketing's claws in it.

As Bill always said, "If you work in marketing, kill yourself."

That doesn't sound like it's thought through...

[jonaskoelker]

If a unified tool can be more easily configured securely than many best of bread applications

Sounds like a half-baked idea ;-)

Re:Uhm?

[Runaway1956]

Your Gnu box is missing something - let me poke around here - hmmmm - Gnu, Gnu, Gnu............ OH WAIT!!! WHERE'S YOUR OS KERNEL!?!?!??

There's your mistake. Gnu is not an operating system. Gnu is only a collection of applications that will run fine IF implemented on an operating system, such as Linux.

Download a real OS distro, dumbass.

Re:Uhm?

[xonar]

Ever heard of computer loaded with *nix and configured as a gateway/router/proxy with snort or something similar loaded? Back before you young whippersnappers came in with your fancy firewall appliances, that's what we had. And we liked it that way!

And still like it that way

Re:Uhm?

[twidarkling]

Now get off your lawn?

Re:Uhm?

Ever heard of computer loaded with *nix and configured as a gateway/router/proxy with snort or something similar loaded? Back before you young whippersnappers came in with your fancy firewall appliances, that's what we had. And we liked it that way!

Had? Liked? I think your tense is wrong.

Re:Uhm?

[Hyppy]

My thoughts exactly. All any of these things do is take a look at packets going through it. A software application running on hardware. Given sufficiently powerful hardware (a cheap commodity these days) and sufficiently efficient software (the only big difference between the vendors), you can do all these things and more.

Flawed by Design.

[canipeal]

The notion of having a single point of failure "security" device contradicts one of the primary foundations of security principle: Defense In Depth. Multiple layers of security is essential in safe guarding your systems, placing them all one one unit is nothing short of moronic.

Re:Flawed by Design.

[ZouPrime]

Defense in depth refers to the principle of having multiple, overlapping security controls. For example, I've seen some companies use dual-firewall configurations where they will use two different brands of firewall. Or they will use a main network firewall as well as host-based software ones. So if one control fail the other is there to protect the asset.

This has nothing to do with UTM, who are about hosting *complementary* controls on the same device. In this case, there is a real benefit in term of management effort. These kinds of devices are especially interesting for small companies who can't bother handling a lot of different appliances and software for something perceived as unproductive as security.

Re:Flawed by Design.

[0x537461746943]

But by putting a bunch of services on one box the avenues of exploitation of that device increases. If the Intrusion Detection and virus scanning were on another system then you reduce your chances of the firewall itself being compromised.

Re:Flawed by Design.

[jonnyt886]

Multiple security controls, yes, but these must be independent.

If I have a firewall and an IDS on the same machine, and someone exploits a hole in the TCP stack or the IDS to get local root/admin priviledges, they then have control of not only the firewall but also the IDS. If I have two separate machines, a firewall and an IDS, if one gets compromised it does not affect the other.

Thinking about it, the way to get around it in the case of a UTM is to use VMs for each task, but that will have a hit on performance presumably, as well as integration and thus usability.

Re:Flawed by Design.

[jonnyt886]

Er, I should add that I totally agree with your point about the ease of management - this is definitely a benefit, particularly in smaller businesses (the cost of a UTM is also lower than that of separate IDS/firewall/anti-virus/etc appliances).

My point was just that from the technical perspective is isn't optimal. Realisticly, it is a good compromise for those who can't afford/don't need anything better.

Re:Flawed by Design.

Multiple layers of security is essential in safe guarding your systems, placing them all one one unit is nothing short of moronic.

So very very true....

Re:Flawed by Design.

[ZouPrime]

True... but that's not "defense in depth", that's "not having a single point of failure".

I agree that one big box to do everything has its issues. It's certainly not acceptable for corporations. But I think the cost/benefit is worthwile for a lot of small business who most of the time don't have shit (although this is getting less and less true).

It's a bit like those Linksys routers: sure they sucks, but they are so cheap and so commonly available, and so better than being only jacked right in a modem, they are overall a Good Thing.

Neglected to test

[Runaway1956]

They should have used a control for this test. Put each of these unified conglomerations up against one good Sysadmin with a clue.

No one tool will ever be "THE Solution". No matter how many doodads are attached to a Swiss knife, some sack of warm tissue has to fire a few synapsis to put the knife to use. If the sack of warm tissue is lacking in the synapse department, he fails.

One of the major problems with all in one devices.

[bleh-of-the-huns]

Is when the products that are being used to protect your network, themselves have vulnerabilities.

I will use a large, very large company as an example. They make AV, they make IDS's (although crappy), they make firewalls, and they sell smaller stuff to the general public... It starts with a giant S....

Long story short, a few years back they had a vulnerability in the way their stack did deep packet inspection, this particular piece of code was shared across their entire product line. Well, their all in one device that did AV, content management, firewall, email, IPS etc etc used this particular piece of vulnerable code in each of those functions.... That essentially made the device useless till they patched the problem.

This is of course one of the arguments against using a single company for all your products, and in the enviroments I manage or design, I intentionally choose products from various vendors to prevent problems like the above from occurring.

I'd just like to interject for a moment.

What he's referring to as GNU is actually GNU/Linux or, as I've recently taken to calling it, GNU plus Linux.

Re:I'd just like to interject for a moment.

And what real people, who actually stop masturbating Stallman long enough to do any real work with an OS, call Linux.

UTM

[kenp2002]

Unified Threat Management is a dead end concept. We've been there and done that and we left it in the past.

With disaster recovery concepts, decentralized administration on the rise again, and cloud computing we once again come full circle to the whole reason we left mainframes for client server architecture.

"Who Watches the Watchman" is a line that comes to mind. The IDS should be keeping tabs on the Firewall, not part of the firewall. TRON should be an independent keeping tabs on the MCP not part of the MCP ;)

UTM mean a single point of compromise and failure. Even clustering a UTM configuration still has liability issue for configuration information. IN addition placing one IDS in DMZ and another in the green is problematic.

For IDS best practices have always leaned towards silent passive listening, not integrated into the firewall. Firewall goes down, so does the IDS. We must assume that a firewall going down is PART of an intrusion, thus the IDS should still function if the firewall is down...

This is similar to a multifunction fax\printer\scanner argument. If the damn thing shorts out you are out a fax\printer\scanner where as if they were separate components you'd have 2/3rds of your resources still functioning.

Now to the original post, they failed as a class. Why? Because exploits at the system level are never passed up to the high level services, all those components share a common blind spot because they are running on a common platform.

No shit.

This is why I still advocate a mixed environment\mix vendor approach. From the open source side I like a pair of IDS servers, one running Linux and one running NetBSD. I like layered firewalls also. I also like built in alarms to check for cross VLAN and subnet traffic. I firmly belive in darknets and honeypots too. I still advocate at least 2 antivirus solutions present in a campus network (more often this is either symantec\mcafee and either AVG\Avast)but most importantly I like distributed systems rather then consolidated appliances...

How About

[kenp2002]

UTM = Universally Targeted Machine

So much from learning from the phrase "all your eggs in one basket..."

Yep: Policy. Enforcement. Audit.

[JimmytheGeek]

3 separate realms.

Policy to define what's allowed (you haz a policy, whether it is written down or even thought about).

Enforcement of that policy. FW, IPS, application fw. The higher in the stack the fw goes, the closer it should be in the net topology to the target it defends.

Audit the enforcement of that policy. IDS, stats, flow.

And rather than tie everything together, how about focus on the 3-4 sources that really kick ass? FW logs are not useful. Focus on what your targets are doing, not what the millions of bots are prevented from doing.

http://taosecurity.blogspot.com/ is your source for clear thinking on this subject.

Where was TippingPoint?

[c_g_hills]

I do not think much of a UTM test that does not include any products from TippingPoint, the current market leader.

Re:Uhm?

[SlashWombat]

You obviously did not take the time to read the article ... More $ doesn't always mean better!

I do wonder if they upgraded each of the four boxes from each the manufacturers before they did the testing though. Often, equipment as shipped has early release software, and it is expected that the IT techs upgrade ASAP when installing.