Without good management tools, the enterprise-class unified-threat-management firewalls we tested would be little more than expensive packet-pushers.
Laying out these firewalls like pieces of cheese on a plate made it clear that there are substantial differences. Each wedge may look more or less the same, but firewall management is one of the greatest differentiators we found among products. Once you taste them, you can easily tell the differences.
UTM adds another layer of confusion to the already challenging area of firewall management. For example, Check Point Software, long lauded for its top-notch firewall management, blew it when driving its UTM features. Check Point's intrusion-prevention and antivirus features don't have the great precision and control of the system it set up to control firewall, VPN and NAT policies. This is one thing that applies to all platforms.
Check Point's lapse has been an opportunity for Cisco and Juniper Networks. If there were an award for "most improved management capability," we'd give it to Cisco. The Cisco Security Manager (CSM) demonstrates that - while admittedly a few years late to the party - Cisco doesn't just understand how to manage enterprise firewalls (hint: it's not from the command line), but also is putting its software where its PowerPoint presentations used to be.
Cisco's management gains
Cisco's overall policy management is very nicely done, and its VPN management tools are slick. For example, policies can be defined in a hierarchical way, and firewalls can be linked into policies at different levels, simplifying common configurations while allowing customization of individual devices.
Of course, perfection is not yet upon us. CSM derives a lot of its structure from the underlying firewall, so someone who is familiar with the ASA or PIX ,Cisco's older stand-alone firewall product, will be able to understand what CSM is doing.
In some cases, that's good; in others, it's not as good, because some of the ugliness of the structure of the old PIX code is being carried forward. Take NAT management, for example. It is disconnected from firewall policy and is so confusing that even the gurus from Cisco who helped us with our installation got it wrong.
In other places, Cisco seems to have forgotten to put features into its central management. For example, CSM can't show you performance, errors and status information. Instead, it launches the per-device management tool, which has good status information -- but can talk to only one firewall at a time.
Now you've got two management tools pointed at the same firewall, raising the potential for conflicting policy updates. Don't even think about linking IPS analysis (which requires a separate application and separately purchased Monitoring, Analysis and Response System appliance) to policy management, because it just doesn't work that way.