Testing So-Called 'Unified Threat Managers'
snydeq writes "The InfoWorld Test Center has released vulnerability testing results for four so-called 'unified threat managers' — single units that combine firewall, VPN, intrusion detection and prevention, anti-malware, anti-spam, and Web content filtering in lieu of a relay rack stuffed top to bottom with appliances. The lab threw nearly 600 exploits of known vulnerabilities in a wide range of popular OSes, applications, and protocols, and despite being designed to thwart such threats, the UTMs as a class allowed hundreds to pass through. Why did the UTMs miss so many exploits? A lack of horsepower to perform the necessary deep packet inspection under load is suspected, as the lab pushed the limits of each unit's throughput with legitimate traffic. 'The upshot is, although the vendors have packed these devices with additional gateway security functions, clearly many UTMs are still strictly firewalls at heart.'"
general purpose != good (Score:3, Insightful)
Strange (Score:5, Insightful)
Focusing on doing one thing well yields better results than trying to do everything. Who'd have thought?
Re:general purpose != good (Score:4, Insightful)
Now could you personally outdo that? Probably. Could your typical business person? Not likely...
Re:general purpose != good (Score:3, Insightful)
In theory, though, there is nothing about putting multiple functions in the same box that necessarily "waters them down", and there are substantial economies, in terms of space, hardware, and management, to be realized if done correctly. For a critical device, you would certainly want redundancy in the hardware, dual power supplies, that sort of thing. Two or three redundant PSUs running a single box are cheaper than two or three redundant PSUs per box, and multiple boxes. CPU and other system resources are in the same boat. Management is likely even more important. Fewer different styles of interface, fewer distinct login systems to deal with, fewer configuration files to back up, and so forth.
There is nothing fundamentally wrong with putting many functions in the same box; but, at the same time, there is a massive temptation for mediocre and worse "me too" outfits to cram a bunch of crap in and call it an "integrated solution".
Re:Uhm? (Score:4, Insightful)
Re:Uhm? (Score:2, Insightful)
Ever heard of a computer loaded with *nix and configured as a gateway/router/proxy with snort or something similar loaded? Back before you young whippersnappers came in with your fancy firewall appliances, that's what we had. And we liked it that way!
Re:No Cisco product? (Score:4, Insightful)
Re:Strange (Score:4, Insightful)
Disclaimer: I am employed by one of the companies represented in the trial but do not speak for them.
Unfortunately, security is a process and affects all interacting systems. Placing them under one umbrella in a UTM device allows security issues to be dealt with in one place. This is better than having "something else" misconfigured somewhere undo all the efforts one has made in a particular place.
Yes, by layering SPAM filtering, virus scanning, and application protocol validation, one can achieve the same effect, and each appliance can excel in its area, but this comes at the complexity of having to configure many things independently (not "atomic security changes" spanning multiple issues), adds to complexity (the bane of security), and may give rise to an "end run" if these units run in parallel, instead of sequentially (which yields latency issues).
The bottom line is that the market likes the convenience of unified threat management, and the price to be paid is generally not quality but performance.
Flawed by Design. (Score:5, Insightful)
Re:No Cisco product? (Score:3, Insightful)
Or IPcop, pfSense, m0n0wall, Shorewall, etc. Why? Because they're not appliances.
monowall is not a UTM, it is a firewall. I am a dev on it, and I should know.
pfSense is also not a UTM, but it has a lot of plugins that can get close. But since it is a lot of plugins, it is not really "Unified."
Untangle, and both of the above are available as supported appliances, or installable on standard x86 hardware, or appliance like hardware.
I have not used IPcop or shorewall, so I can't speak on them.
Neglected to test (Score:3, Insightful)
They should have used a control for this test. Put each of these unified conglomerations up against one good Sysadmin with a clue.
No one tool will ever be "THE Solution". No matter how many doodads are attached to a Swiss knife, some sack of warm tissue has to fire a few synapses to put the knife to use. If the sack of warm tissue is lacking in the synapse department, he fails.
Re:Flawed by Design. (Score:3, Insightful)
Defense in depth refers to the principle of having multiple, overlapping security controls. For example, I've seen some companies use dual-firewall configurations where they will use two different brands of firewall. Or they will use a main network firewall as well as host-based software ones. So if one control fails the other is there to protect the asset.
This has nothing to do with UTM, which is about hosting *complementary* controls on the same device. In this case, there is a real benefit in terms of management effort. These kinds of devices are especially interesting for small companies who can't be bothered handling a lot of different appliances and software for something perceived as unproductive as security.
Re:No Cisco product? (Score:5, Insightful)
Could you point us to something with more in-depth information, by all means.
Your interpretation was backwards. He's looking for less because it's expensive.
When purchasing a $200 graphics card in a corporate environment, the technical staff will read 200-page technical documents, search Google for hours, write reports, run simulations, justify the upfront cost vs. long-term labor savings, basically spend at least a grand or two of labor costs to pick the best $200 card.
However, when purchasing a $30K "buzzword of the month" the decision will be made at a high level by a manager who is proud of being non-technical, based on:
1) What they saw on CSI and/or 24 last night, or maybe Obama's latest speech.
2) Who has the scariest marketing material (buy this expensive magic widget or you be p0wned)
3) How much he enjoyed the sporting event the sales exec took him to, or how much he enjoyed the sales exec in general.
4) The cheapest, or the first one he saw in a magazine, or perhaps a brand that will offend one of his enemies (you know, like he hates the guy who happens to love Cisco products, so if the enemy of my enemy is my friend, then
Re:Strange (Score:3, Insightful)
The bottom line is that the market likes the convenience of unified threat management, and the price to be paid is generally not quality but performance.
I dunno.. TFS said it did a pretty crap job keeping things out... I'd call that a cost in quality.
That's a different problem, since signatures can be updated over time. But, now that you mention it, space constraints in a UTM do limit the size of signature databases it can hold.
The answer is, of course, to get a bigger UTM, and address performance with clustered UTMs.
Sadly, one does not have to be perfect, one just has to be better, for some definition of better, than the competition.
Re:Flawed by Design. (Score:2, Insightful)
True... but that's not "defense in depth", that's "not having a single point of failure".
I agree that one big box to do everything has its issues. It's certainly not acceptable for corporations. But I think the cost/benefit is worthwhile for a lot of small businesses who most of the time don't have shit (although this is getting less and less true).
It's a bit like those Linksys routers: sure they suck, but they are so cheap and so commonly available, and so much better than being jacked right into a modem, that they are overall a Good Thing.