Unified Threat Management: Think Beyond Appliances

UTMs are effective for the perimeter, but when it comes to remote offices, don’t shirk the rest of your security needs.

Threats to our information infrastructure are real. Order up a printout for your next management meeting of your (pick one or more of the following) firewall, intrusion detection, antispam, or antivirus system’s logs for the previous 24 hours. If the stack isn’t tall enough, either make it 48 hours’ worth or combine a day’s worth of all logs. That ream (or couple of cases) of paper is an invaluable visual aid during IS budget justifications.

As the variety, sophistication, and conduits for threats grew, security evolved from threat response to threat management. Keeping the cyberbarbarians from the central gates is a choreographed ballet balancing products, procedures, personnel, and costs. Keeping the barbarians from geographically remote places, including operating companies, branch offices, or field offices, can be more difficult, as the cybergates can’t extend that far.

From the solutions well springs forth the term unified threat management (UTM), market-speak for a single, multifunction security appliance providing a firewall plus VPN services (usually) and a range of additional prevention tools that can include antivirus, antispam, antispyware, URL filtering, and Web-attack filtering (such as blocking SQL injection attacks).

IDC’s research director Charles Kolodgy explains why these appliances’ growth is fifty percent this year. “UTMs give customers choices, allowing them to use the box’s multiple combinations of security features yet maintain a single management system for all of the included products. The central management of all features is very important for small and medium enterprises that don't have large IT staffs.” He also believes the UTMs reduce the complexity of selecting vendors or provisioning the devices.

The attractiveness of UTMs is the single-point, drop-in solution that replaces a set of ad hoc programs, disjointed controls, and disparate tools from a variety of vendors. A single console and single vendor become the gatekeepers for the remote entity on the Internet.

The range of features and costs is wide enough to require intelligent deciphering by the IT department. The mantras of interoperability should be answered and silenced. As for manufacturers, Gartner analyst Greg Young observes, “Most vendors of the [current] corporate security solution should be on the short list to supply these products.” Total cost of ownership, Young notes, changes because several UTM features are a la carte licenses.

For a large corporation, the importance of certain features changes. Comprehensive remote management should be ranked equally with timely updates as crucial features. If the security team can’t easily push updates, quickly and remotely administer settings, or study intrusion profiles, the moribund device starts resembling a stopped clock rather than an effective security appliance, but at least you know when the clock is wrong.

More importantly, the benefits of UTM are moot if one believes a single product could provide a complete solution. In today’s climate, an attack from the blind side is guaranteed. As Young points out, “UTM as the sole source of security? It’s just a perimeter. No corporation depends on only the perimeter for an effective defense.”

More than a Single Effort

No CIO or IT manager believes that a single perimeter effort sufficiently protects the corporation’s crown jewels. For that reason, security is an ongoing, multifold process and never, ever just a single finger in the dyke. Real unified threat management comes from implementing plans with approaches that resemble an onion rather than an egg.

Your approach examines central assets, potential risks, and future corporate needs, and assesses current efforts. You develop policies, discuss good practices, develop best practices, and execute action plans.

Operating systems are patched. Applications are hardened. Antivirus runs on desktops and servers. Software-based firewalls may be everywhere. Network traffic is monitored. Tripwires are set for intrusions. Logs are watched for suspicious activity. Users are trained and the training is refreshed. Physical premises are secured. In some cases, penetration teams test for tears.

You reassess and refine your entire operation. The end result: protection from a multitude of defensive layers that are deployed from entry point to end point.

Due to the value of their assets and their risks, remote locations usually don’t require protection equal to that at central headquarters, but they do require equal consideration. An intrusion or compromise in remote offices can have costly results. Even a small data breach can trigger regulatory issues under HIPAA or under state consumer laws that require disclosure of security compromises or expand civil liabilities, and those can hit both the corporate pocketbook and corporate prestige.

Because of the physical distance and manpower costs, security usually works through electronic and human proxies. Desktop and server administration often lag. Security practices can be more casual. Since the heavy security expertise usually resides at the corporate headquarters, discovering and remediating potential problems before they become actual problems sometimes falls short.

For those reasons, UTMs do play an important role for a range of installations including large enterprises. But UTMs are, at best, a Tootsie-Pop defense: a hard outer shell with a soft, gooey center inside. The UTM doesn’t harden the remainder of the network or the people using the network. Because its defenses are set against the outside world, a single infected traveling notebook entering the remote network, some undiagnosed web Trojan, or just bad timing on a zero-day attack can deliver a mortal stab in the back to the security effort.

UTMs are effective for the perimeter, but when it comes to remote offices, don’t shirk the rest of your security needs. At the headquarters, security is an end-to-end process involving equipment and people. Remote offices need much of the same.