COMMENTARY: There’s a joke that has been around for the best part of 20 years. I first saw it in the early 1980s, aimed at those who were part of the new influx into computer programming: ‘Six munce ago I couldn’t even spel compewter programma... now I are wun!’
A quick Google search suggests this joke has been extended to almost any area in which the ill-prepared are willing to jump on a bandwagon.
The latest bandwagon in the IT security space is the area of UTM: unified threat management.
This was a term coined a couple of years ago by IDC to describe the approach of integrating different IT security sub-systems (such as anti-virus, firewall, intrusion detection, spam filtering, etc.) on a single system.
The attraction of this approach is twofold. First, it provides simplicity for the user: one system to deal with. Second, and far more importantly, it provides the potential for a much more powerful tool.
Many new security threats blend different techniques and vectors for attack (hence the term ‘blended threat’). A UTM system can bring to bear the various different tools appropriate to the task, resulting in a more effective defence.
The problem is that like a lot of good ideas, it has become a bandwagon that everyone is jumping on. And six months ago, a lot of these guys couldn’t spell UTM!
The result is that a lot of customers (and resellers) have been flummoxed by this. So let’s put a few myths to bed and consider for a moment what a UTM system should be.
Unified
A simple term with a clear meaning. UTMs get their power from the integration of their component parts.
Simply making a few component parts run on the same platform is not providing a UTM system.
The various component technologies need to be integrated: they need to work together.
A firewall, for instance, should have zero-packet integration with its accompanying intrusion detection system, so that not even a single-packet attack can get through. A string-and-gaffer-tape approach is simply not good enough.
Similarly, gateway anti-virus systems should not be confined to checking email: they need to integrate with such things as web and FTP proxies to check HTTP and FTP traffic as well.
And those systems that work only on SMTP and don’t handle webmail or POP3 mail are solving only half the problem. These are simple examples, but they illustrate the point: if a UTM simply consists of disparate systems operating on the same platform, it is not really a UTM!
Threat Management
Technology does not manage threats. Technology is a tool for managing threats. The biggest gap in the delivery of the UTM promise is the lack of management.
To live up to its promise, a UTM system (and in fact any perimeter security system) needs to be expertly configured and kept ruthlessly up to date.
So is it real? Is the promise of UTM systems realistic? Sure, but you’ll have to sort the sheep from the goats. Here’s how to spot the real ones:
1. They will be comprehensive. UTM customers do not want firewalls; they do not even want ‘anti-virus’ firewalls. They want comprehensive solutions. IDC’s definition includes firewall, intrusion detection and anti-virus. In real life customers want (and need) that and more! It is a rare customer who is not looking for at least web content filtering and spam filtering at the same time. Trying to sell a UTM with a sales pitch that starts with apologies for all the holes the system does not plug is asking for trouble.
2. They will use industrial-strength components. The choice of best-of-breed components (especially in the areas that are part of the perimeter arms race: anti-virus, anti-spam and web content filtering) is a good sign.
3. They will be managed. And management is not simply the automatic updating of signature databases — that is important, but it is only part of the task.
4. They will be backed by a credible, experienced vendor. UTM is not new, but it is different. There are several experienced, competent, global UTM vendors, but there is also a bunch of ‘me-too’ guys who have just jumped on board.
Unified threat management is real; it does work; customers love it. The opportunities for resellers are there. It takes a little more than believing the press releases and the marketing hype, but those who take the time to investigate will find their hard work rewarded.
Andrew Tune is a director at Melbourne-headquartered MSSP Network Box Australia, which has been providing fully managed UTM systems for more than three years in Australia.