Computerworld

All-in-one security devices face challenges

The multipurpose security appliances that consolidate firewall/VPN, content filtering, intrusion prevention and more into a single box are winning favor as easy-to-manage devices. But the open secret about these unified threat management devices is that they take a bite out of bandwidth as they inspect content.

It's not uncommon for UTM products on the market today to suffer as much as a 50 percent loss in performance as the full panoply of security services is put to use. That's a situation acknowledged by UTM vendors, which sometimes advise customers to compensate by getting higher-bandwidth devices than they ordinarily might need.

"When you turn on all the services, the speed is impacted," says John Kuhn, product line manager at SonicWall, whose UTM products range in bandwidth support from tens of megabits per second to more than one gigabit. "Absolutely, there is a performance consideration, and it could be a 50 percent loss."

Even at the high end

What's true for a UTM appliance at the low end is also true at the high end with appliances that attain multigigabit speeds.

"You pay a performance penalty as you go deeper into the content, and you could lose half the performance," acknowledges Chris Roeckl, vice president of corporate marketing at UTM vendor Fortinet. Fortinet's FortiGate line of UTM devices supports speeds from 10Mbps to 48Gbps.

Several other UTM appliance vendors, including Internet Security Systems (ISS), Secure Computing and Symantec, are equally blunt in saying customers could experience as much as a 50 percent loss in speed.

"In general, it's more like 10 percent, but 50 percent is possible," says Mark Butler, director of product marketing at ISS, which offers three multifunction security appliances in its Proventia line.

"The approach we take is we size [the appliance] according to the number of users," Butler says, noting about the latest ISS products that the Proventia MX 1004 supports 100 concurrent users, the MX 3006 as many as 250 concurrent users and the MX 5010 as many as 500 concurrent users.

Cisco, which offers various models of its Adaptive Security Appliance (ASA) that top out at 1.2Gbps, is reluctant to admit more than a 10 percent performance hit.

Despite any drawbacks associated with bandwidth, UTM seems to be here to stay. UTM is the phrase coined two years ago by Charles Kolodgy, security analyst at research firm IDC, for the multipurpose security appliance whose basic foundation is a firewall or firewall/VPN.

"It has to have a firewall/VPN, and gateway antivirus and preferably intrusion prevention," says Kolodgy, who estimates the UTM market will reach about US$850 million by year-end, up from US$700 million last year.

While Fortinet leads at the high end and SonicWall at the low end, Kolodgy says, this still-nascent market is changing rapidly with Cisco's ASA appliance, which debuted a year ago and is shaking up the low end.

UTM appliances vary considerably from vendor to vendor. Some UTM vendors must partner with other security firms to provide antivirus or other content filtering on their products when they lack the technology in-house.

For example, Cisco and Secure Computing partner with Trend Micro, and SonicWall partners with McAfee. ESoft, which offers the InstaGate UTM with a top speed of 190Mbps, uses its own antivirus filtering but turns to Aluria for antispyware and Secure Computing for Web filtering. Crossbeam Systems makes use of the Check Point FireWall-1 UTM as well as Trend Micro, Aladdin and Websense for content filtering.

UTM's role expanding

Most vendors see their UTM products deployed at the Internet gateway, though Cisco's senior product manager for ASA and the PIX firewall, Mike Jones, says "it's no longer about protecting just the Internet edge, but going inside" to provide firewall, antivirus, antispam and URL filtering deep within the corporate network.

Nevertheless, businesses deploying UTM appliances generally do so at the point of Internet access at corporate headquarters and branch offices. The value of the multipurpose security appliance, according to the vendors selling them and their customers, derives from the simplicity of managing a single device instead of several.

"The single point of management for content filtering and the intrusion prevention is a key point for us," says Jack Wickwire, CTO at Central Bank Illinois, which has deployed Secure Computing's Sidewinder G2.

However, other technology managers are hesitant to put all their security eggs in one basket with a UTM.

"One of these things, when it breaks, then everything breaks," explains Brian Walowitz, technical coordinator at Yeshiva University's High School for Girls, about his reluctance to go with UTM.

The school preferred to deploy separate security gear, such as St. Bernard's iPrism Internet monitoring appliance and the Barracuda content filter, instead of a single box.

UTM vendors often recommend deploying their appliances in a pair for purposes of failover should one go down.

"People buy at least two for high availability," says Paul DeBernardi, director of product marketing at Secure Computing.

Whether UTM appliances are always the best at the job arouses some debate. SonicWall, for instance, argues that it's not viable to do highly accurate, full-performance spam filtering on any UTM.

"What's capable on a firewall is not anywhere near what you can get on a separate spam gateway, such as quarantining messages," SonicWall's Kuhn says.

Some disagree.

"Antispam is possible on UTM, but SonicWall simply does not have the horsepower," says Bob Walder, director of product evaluation at product-testing lab NSS Group.

NSS Group last year began testing UTM appliances, and another round of lab evaluations is set for this fall. Only Fortinet and ISS have received the "NSS Approved" mark so far, and Walder declined to say which vendors didn't make the grade.

But with UTM growing in popularity, one question that arises is whether the market will see a drop in stand-alone devices, such as firewalls or spam filters.

Future of UTM

Each vendor sees its UTM future differently, but a common concern is analyzing the impact VOIP traffic might have on UTM design now that customers are starting to put VOIP traffic through UTM gateways.

"As you add voice traffic to the network, there are a lot more small packets that make the box work harder," Fortinet's Roeckl says, adding that Fortinet is working on an acceleration technology it expects to announce by year-end that will speed VOIP processing to ensure voice quality. Fortinet also envisions ways to inspect VOIP traffic for viruses that might be injected into VOIP streams.

"We're looking at the various attacks," Roeckl says.

Symantec, which makes the Gateway Security line, says it plans to add a QoS control to its UTM, so the appliance can give priority to IP-based applications, including VOIP. At the same time, Symantec -- which had an internal memo on the topic leak out -- acknowledges it's changing course on UTM, reducing investment in its flagship UTM line, and will look to partners to help design the hardware.

For its part, SonicWall is adding support for the IKE 2.0 VPN standard to its UTM, with the expectation that customers will be using IKE Version 2 for VOIP traffic.

Secure Computing plans to add a secure application pathway to its UTM based on the Session Initiation Protocol (SIP), so managers can create VOIP policies for different groups within an organization.

"Basically, we're building a SIP proxy, because when you open up VOIP in firewalls, it's like Port 80, a big, fat hole," Secure Computing's DeBernardi says. "This SIP proxy, with different commands for VOIP connectivity, will ensure only pure VOIP traffic gets through."

Secure Computing sells three lines of UTM appliances -- the low-end Snapgear and the high-end Sidewinder G2 and CyberGuard, which each reach 3Gbps. Secure Computing expects to introduce a new version of Sidewinder G2 soon that integrates the content-filtering technologies gained through its acquisition of CyberGuard late last year.