Slashdot Mirror


Testing So-Called 'Unified Threat Managers'

snydeq writes "The InfoWorld Test Center has released vulnerability testing results for four so-called 'unified threat managers' — single units that combine firewall, VPN, intrusion detection and prevention, anti-malware, anti-spam, and Web content filtering in lieu of a relay rack stuffed top to bottom with appliances. The lab threw nearly 600 exploits of known vulnerabilities in a wide range of popular OSes, applications, and protocols, and despite being designed to thwart such threats, the UTMs as a class allowed hundreds to pass through. Why did the UTMs miss so many exploits? A lack of horsepower to perform the necessary deep packet inspection under load is suspected, as the lab pushed the limits of each unit's throughput with legitimate traffic. 'The upshot is, although the vendors have packed these devices with additional gateway security functions, clearly many UTMs are still strictly firewalls at heart.'"

13 of 98 comments

  1. general purpose != good by KingFeanor · · Score: 3, Insightful

    Is it possible that single-purpose security applications and appliances do a better job? In combining various technologies in one device, how watered down was each individual component?

    1. Re:general purpose != good by houstonbofh · · Score: 3, Insightful

      Part of the solution is the tool, and part is how you use it. The Pix firewall can be very secure, but it is very hard to configure correctly. So many people just opened it up, making it very insecure... If a unified tool can be more easily configured securely than many best-of-breed applications, it will produce a better result every time. It will also have better cross communication than other applications as it is designed that way, not tacked on to support many other things.

      Now could you personally outdo that? Probably. Could your typical business person? Not likely...

    2. Re:general purpose != good by agristin · · Score: 3, Interesting

      UTM is a crock. It loads multiple single purpose apps on to a general purpose computing device and then tries to do it quickly.

      The best thing in this field I've seen recently is Palo Alto Networks firewall (www.paloaltonetworks.com).

      Knows the applications, even web apps. It can tell the difference between Gmail and gchat. BitTorrent and WoW torrent patching. Can do user-based rules when integrated with AD. And can proxy SSL to look in the SSL stream if necessary. Malware blocking, URL filtering via subscription. Because ports or protocols != applications and IP address != user anymore.

  2. Strange by Reason58 · · Score: 4, Insightful

    Focusing on doing one thing well yields better results than trying to do everything. Who'd have thought?

    1. Re:Strange by Rene+S.+Hollan · · Score: 3, Insightful

      Disclaimer: I am employed by one of the companies represented in the trial but do not speak for them.

      Unfortunately, security is a process and affects all interacting systems. Placing them under one umbrella in a UTM device allows security issues to be dealt with in one place. This is better than having "something else" misconfigured somewhere undo all the efforts one has made in a particular place.

      Yes, by layering SPAM filtering, virus scanning, and application protocol validation, one can achieve the same effect, and each appliance can excel in its area, but this comes at the complexity of having to configure many things independently (not "atomic security changes" spanning multiple issues), adds to complexity (the bane of security), and may give rise to an "end run" if these units run in parallel, instead of sequentially (which yields latency issues).

      The bottom line is that the market likes the convenience of unified threat management, and the price to be paid is generally not quality but performance.

      --
      In Liberty, Rene

  3. I used to love Sonicwall by C_Kode · · Score: 3, Interesting

    I used to be a big SonicWall fan, until I joined a company that required IM messaging and used Vonage. Sonicwall causes a bunch of issues with AIM's protocol. IM will go into a blackhole, a user cannot connect, etc. We were using them at the small remote offices, but we replaced them with Juniper SSGs. The Vonage and AIM issues vanished once we switched over.

  4. Re:No Cisco product? by houstonbofh · · Score: 3, Interesting

    > It would have been nice to see how the ASA5500 series appliances stood up to the test.

    If you send them one I'm sure they'll test it. It appears that Cisco wouldn't.

    They also didn't include Untangle, http://www.untangle.com/ which is available free, and is a direct competitor to the things tested. So it might be other reasons...

  5. Re:Uhm? by a-zarkon! · · Score: 4, Insightful

    It's the Ron Popeil/Billy Mays/Home Shopping Network sales pitch for IT Security: "It's a firewall, it's an intrusion prevention system, it will filter your web connections, it even provides anti-virus. But wait! It also acts as a router, and it even has a built in gigabit switch module. Now - how much do you think you're going to pay for this? Not $20,000 - not $15,000, not $10,000; no - all this can be yours for the low low price of $9995.95...."

  6. Re:No Cisco product? by Hyppy · · Score: 3, Insightful

    Could you point us to something with more in-depth information, by all means. All we can find is marketing propaganda from Cisco and Checkpoint. Unbiased, timely reviews with real-world information like this are far and few between.

  7. Flawed by Design. by canipeal · · Score: 5, Insightful

    The notion of having a single-point-of-failure "security" device contradicts one of the primary foundations of security principle: Defense In Depth. Multiple layers of security are essential in safeguarding your systems; placing them all on one unit is nothing short of moronic.

    1. Re:Flawed by Design. by ZouPrime · · Score: 3, Insightful

      Defense in depth refers to the principle of having multiple, overlapping security controls. For example, I've seen some companies use dual-firewall configurations where they will use two different brands of firewall. Or they will use a main network firewall as well as host-based software ones. So if one control fails the other is there to protect the asset.

      This has nothing to do with UTM, which is about hosting *complementary* controls on the same device. In this case, there is a real benefit in terms of management effort. These kinds of devices are especially interesting for small companies who can't bother handling a lot of different appliances and software for something perceived as unproductive as security.

  8. Re:No Cisco product? by vlm · · Score: 5, Insightful

    Could you point us to something with more in-depth information, by all means.

    Your interpretation was backwards. He's looking for less because it's expensive.

    When purchasing a $200 graphics card in a corporate environment, the technical staff will read 200 page technical documents, search google for hours, write reports, run simulations, justify the upfront cost vs long term labor savings, basically spend at least a grand or two of labor costs to pick the best $200 card.

    However, when purchasing a $30K "buzzword of the month" the decision will be made at a high level by a manager who is proud of being non-technical, based on:
    1) What they saw on CSI and/or 24 last night, or maybe Obama's latest speech.
    2) Who has the scariest marketing material (buy this expensive magic widget or you be p0wned)
    3) How much he enjoyed the sporting event the sales exec took him to, or how much he enjoyed the sales exec in general.
    4) The cheapest, or the first one he saw in a magazine, or perhaps a brand that will offend one of his enemies (you know, like he hates the guy who happens to love Cisco products, so if the enemy of my enemy is my friend, then ...)

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger

  9. Re:No Cisco product? by DontBlameCanada · · Score: 4, Funny

    "Nobody ever got fired for buying Cisco", right?

    I know someone who did. They worked at Nortel and bought Cisco routers for the lab...

    Not the sharpest tool in the shed.