UTM – Preparing for New Generation of Security Threats

June 5, 2006

Securing networks has rapidly taken center stage among most enterprises as the threat from increasingly sophisticated attacks becomes more complex and costly to manage. According to the research group IDC, enterprises worldwide spent an estimated $32.6Bn in 2005 on network security but are still faced with an ever-changing landscape of new security threats. Traditional network defense solutions such as firewalls and intrusion prevention devices must be supplemented by secure content management devices in order to block the full range of sophisticated attacks including viruses, spyware, spam and phishing.

Unfortunately, purchasing and deploying a full range of best-of-breed security solutions can be daunting for small-to-mid sized businesses that typically have only a fraction of the resources and budgets of larger enterprises. These customers are typically willing to sacrifice best-in-class security, performance and features for simplicity, ease of use, and low price. To better serve this segment of the market, where simplicity and low cost are top priorities, Unified Threat Management (UTM) products have emerged.

UTM is the evolution of the traditional Firewall into a Swiss Army product that not only includes a firewall but also content inspection and filtering, spam filtering, intrusion detection and anti-virus. With all of these capabilities, UTM solutions have become the fastest growing segment in the security industry, growing at 47.9% (CAGR: 2003-2009) according to IDC.

The biggest value with UTM platforms is simplicity and lower price given its “all-in-one” footprint. Some of the key benefits of UTMs include:

Cost-effectiveness: By reducing the number of appliances, there is a lower up-front cost as well as lower management and support costs.

Easy to configure and manage: ideal for enterprises that lack the technical skills and resources to manage complex platforms.

Stop attacks at the network gateway: The additional layer of security that a gateway device provides simply makes sense. Gateway devices block network threats before they have the opportunity to enter your network or attack individual desktop PCs or mail servers.

While UTM solutions provide significant benefits, especially for SMBs, the design of many UTM appliances on the market today is a compromise of performance, functionality, price and simplicity. These compromises often include critical functionality such as content scanning speed and coverage (e.g. detection rate, limited signature databases) as well as enterprise class features (e.g. spam quarantine), resulting in a product that delivers mediocre performance, restricted feature sets and limited scalability.

Before a small-mid size enterprise chooses a UTM solution, they should be aware of the built-in compromises in such a product. These are:

Performance: The practical performance of a UTM appliance is often not obvious from reading the appliance specifications, since they typically depict just the performance of the firewall with the other security applications disabled or providing minimal functionality. Once these other security functions are enabled, performance can be reduced dramatically. Some of this performance impact can be attributed to poor software design. UTM appliances handle multiple security applications simultaneously, so the processing load on an appliance can be significant, depending on the amount of network traffic. Many UTMs operate by simply stringing together a number of security applications without any real consideration for the processing implications. These applications typically work independently of each other and do not leverage common information and resources. In addition, good traffic is often unnecessarily processed many times by different security applications before being allowed through, which further impacts performance.

Example of performance impacts:

The anti-virus performance of a UTM is typically limited to a small set of in-the-wild viruses, supported by a limited virus signature database. When measured against a standard virus benchmark, the UTM typically blocks about 70% of viruses with a throughput in the range of 40Mbps – 100Mbps (SMB class of product). When simultaneously running another scanning application such as anti-spyware, UTMs become less accurate as the scanning coverage is scaled down in an attempt to maintain throughput, or they suffer a combination of reduced accuracy and lower speed.

Features: UTMs rarely include enterprise class features such as spam quarantine, white-list and black-list, configurable web-filtering policies, and per-user reporting of web surfing behavior. While these features have been sacrificed in many first-generation UTM products, enterprise demand for best-in-class security solutions will drive a new generation of products that includes this level of functionality.

Scalability: With limited throughput and system performance, first-generation UTMs are expected to quickly run out of horsepower to keep up with the broadband speeds enterprises are demanding. Additionally, since many security platforms today utilize signature-based technologies, being able to flexibly reconfigure the platform and update the signature databases, in response to new variants and threats, has become essential. Therefore fixed architecture-based systems are expected to quickly evolve to a software-driven UTM architecture that can be upgraded via a simple download even after deployment.

There is no doubt that enterprises require best-in-class security. From a UTM appliance this means a platform with high-speed content inspection supporting the following:

- Firewall
- High-quality email and web filtering
- Intrusion Detection and Prevention
- Antivirus scanning
- Antispyware
- Spam filtering

But as described earlier it has already been made clear that best of breed = high price, and this is an equation that many SMBs cannot afford. So how is this challenge overcome? The answer is by Accelerating the UTM platform.

Utilizing a high-performance acceleration engine that can be easily integrated into an existing appliance and operate in conjunction with the appliance's core CPU/NPU, UTM performance can be accelerated by as much as 70X. Designed to accelerate the bottleneck operations associated with supporting multiple simultaneous applications, high-speed packet processing and content inspection, a security acceleration engine can provide CPU/NPU offload and ensure multiple application support with full content coverage and accuracy while maintaining throughput performance. The acceleration engine can be a software-only integration, suited for appliances requiring acceleration up to 400Mbps, or a pre-configured PCI-based (plug and play) accelerator card for multi-gigabit performance. The underlying technical uniqueness resides in the acceleration engine's ability to perform very high-speed pattern matching against a signature database that can be as large as 10,000,000 signatures. To minimize system resources and maintain low cost, the database can be recompiled and compressed into a small memory footprint.
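The two ideas above, a single high-speed pass that matches a shared signature database and the avoidance of re-scanning good traffic once per security application, can be illustrated with a multi-pattern (Aho-Corasick) scanner. This is an added example, not code from the article or from any vendor's acceleration engine; the signature strings and application names are constructed placeholders.

```python
from collections import deque

# Constructed sample signature database: (pattern, owning application).
# The patterns are illustrative placeholders, not real malware signatures.
SIGNATURES = [
    (b"EICAR-TEST", "antivirus"),
    (b"X5O!P%@AP", "antivirus"),
    (b"tracker.example", "antispyware"),
    (b"FREE M0NEY", "antispam"),
    (b"verify your account", "antiphishing"),
]

class SignatureScanner:
    """Aho-Corasick automaton over all signatures of all applications, so one
    left-to-right pass over a payload serves antivirus, antispyware, antispam
    and antiphishing at once instead of each application re-scanning it."""

    def __init__(self, signatures):
        self.goto = [{}]   # state -> {byte value: next state}
        self.out = [[]]    # state -> signatures that end at this state
        self.fail = [0]    # state -> longest proper-suffix state
        for pat, app in signatures:          # build the trie
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({}); self.out.append([]); self.fail.append(0)
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append((pat, app))
        q = deque(self.goto[0].values())     # depth-1 states fail to the root
        while q:                              # BFS computes failure links
            r = q.popleft()
            for b, s in self.goto[r].items():
                q.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s].extend(self.out[self.fail[s]])  # inherit suffix hits

    def scan(self, payload):
        """Return {application: [matched patterns]} after a single pass."""
        hits, s = {}, 0
        for b in payload:
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for pat, app in self.out[s]:
                hits.setdefault(app, []).append(pat)
        return hits
```

Every byte of the payload is visited once regardless of how many signatures or applications are loaded, which is the property a large shared signature database depends on.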

As a result, the current best-of-breed email and web filtering platforms can, in one appliance, deliver true best-of-breed security: 100% virus blocking; 95% spyware blocking; 97% spam and phishing blocking; best-of-breed web filtering configurable by user and/or group; email regulatory compliance filtering and encryption.

Throughput of these types of appliances can scale to very high-speeds. For example a single web filtering appliance can easily support 200 Mbps of HTTP traffic, which is typically enough to handle the needs of 10,000 users while capable of scaling further. A single email filtering appliance can handle 240,000 messages per hour, which is typically enough to handle the needs of 5000 users.

The current best-of-breed intrusion prevention solutions can deliver the following security:

- Proactive protection against both known and zero-day attacks
- Real-time protection against sophisticated DoS, DDoS and SYN Flood attacks
- Prevention of zero-day and DoS attacks, spyware, malware, botnets, VoIP threats, evasions, worms, peer-to-peer threats, etc.
- Enterprise-class flexibility and scalability
- Multi-gigabit performance and high port density (solutions for network perimeter, core and branch office)

The evolution of traditional network security practices and products into comprehensive Unified Threat Management solutions brings with it a level of protection never before available to corporate networks. As network threats continue to appear with increasing frequency and complexity, accelerated UTM applications that utilize a highly reconfigurable architecture, signature-based services and URL-based filtering provide the strongest one-stop protection for any growing network infrastructure.
