Not Your Father's Firewall
An old firewall is like a polyester leisure suit: It may still fit, but it's hopelessly outdated. With the Internet landscape cluttered by security problems of all kinds, firewall vendors have started to add new protective services under the banner of Unified Threat Management, or UTM.
Today's UTM firewalls add a range of security functions that have typically been available piecemeal as separate programs or devices, from virus protection to spam, phishing and spyware blockers.
The philosophy is simple: As long as the firewall is monitoring and analyzing the data packets flowing to and from a private network, it might as well inspect for all the common security threats at the same time. Firewalls that are more than two years old are candidates for replacing or upgrading to take advantage of the protective technologies consolidated under the UTM banner. Here are five things IT managers need to know when shopping for a UTM firewall.
1. UTM is in the eye of the beholder. Although everyone is selling UTM, there is no standard definition of the term. On the menu of UTM features, buyers can find intrusion prevention systems (IPS); content filtering functions; programs to block spam, spyware and phishing attempts; and even vulnerability scanning — software that probes for potential security gaps based on a network's defenses and known vulnerabilities. Yet every vendor offers a different mix of services in their UTM cocktail, and the mix can even vary within a single vendor's product line. For example, WatchGuard's Firebox X family of security appliances can run either the standard Fireware or Fireware Pro operating systems, but IPS and antispyware capabilities are only available on the Pro version. Figuring out the menu of available services isn't hard, but anticipating future as well as current needs is critical. In many cases with the smallest devices, UTM features and expansion capabilities may be severely limited.
In all its various flavors, UTM carries a clear promise: more security that is easier to manage, requires fewer boxes and provides higher reliability. It's an obvious advance that has pushed every significant firewall vendor to jump on the UTM bandwagon. Calculating security return on investment is a difficult game: Estimating money saved by not suffering a network breach or other security meltdown can be next to impossible. But the new generation of UTM firewalls offers a better deal, combining a range of services into a single box that's economical to purchase and easy to manage.
2. Antivirus is an inoculation, not a cure. Antivirus is often the first UTM feature on the spec sheet, but protection in the firewall is just the first line of defense. Even though firewalls see every packet, they don't scan every data stream for viruses. For example, Juniper's NetScreen 5GT can scan HTTP, FTP and the three common mail protocols (POP, IMAP and SMTP). But other data streams, such as instant messaging or BitTorrent peer-to-peer file transfers, aren't checked for viruses. Testing at Opus One, a Tucson, Ariz., consulting firm, found that some applications, such as Web-based e-mail (e.g. Hotmail or Yahoo mail), were not always properly scanned on all UTM firewalls.
Add to those minor gaps the fact that firewalls can't penetrate encryption, like that available in many e-mail programs, and there's a clear need for added layers of virus protection. The 2005 CSI/FBI Computer Crime & Security Study, an annual survey the Computer Security Institute conducts with the help of the FBI's Computer Intrusion Squad in San Francisco, found that while 96 percent of the companies surveyed use antivirus software, 74 percent got infected at least once over the previous 12 months. Those startling findings are actually an improvement over 2004 findings of a 78 percent infection rate, despite 99 percent deployment of antivirus software. Deploying multiple layers of protection is the only way to keep viruses at bay, and firewall-based scanning is, at best, a valuable adjunct to other forms of protection at the workstation and elsewhere in a network.
3. Performance may vary. Each of the new features in the world of UTM comes at a price: performance. The differences can be dramatic, and it's very important not to buy an under-powered firewall for use with UTM features. For example, the SonicWALL TZ170 is rated at 90Mbps throughput. Such speed might seem like overkill for a 1.5Mbps T1 or a cable or DSL connection. And it is, until multiple UTM features are turned on. Combine SonicWALL's antivirus, antispyware intrusion prevention, and content filtering and the performance of the TZ170 can drop to a small fraction of its rated speed.
The wide variety of products, traffic types and UTM features make it hard to establish a simple formula to calculate performance requirements of a UTM firewall. However, Opus One testing suggests that with UTM enabled and all features turned on, performance ranges from 1 to 10 percent of the rated peak speed of most firewalls. Thus, for example, a SonicWALL Pro 2040, rated at 200Mbps, would be a better choice than the 90Mbps TZ170 for a typical 3Mbps to 7Mbps broadband connection, if all UTM features will be enabled. The easiest way to tune performance of UTM firewalls is to trim unnecessary features, such as scanning for viruses in outbound traffic.
4. Redundancy and high availability are not just for big companies. Small businesses can be just as dependent on their Internet connection as the behemoths. E-mail can be mission critical, not to mention outsourced customer relationship management or finance applications, Web-based marketing and sales tools, product research and development environments and e-commerce platforms. As businesses move from more expensive Internet services such as T1 connections to less expensive DSL and cable modem connections, there can be a cost: decreased reliability.
The fail-over capabilities of these new firewalls add reliability by allowing them to automatically reroute traffic to a backup connection, should the primary Internet link fail. For example, Check Point's Safe@Office 500 offers the capability to connect to two different Internet service providers with automatic switching from one to the other in the case of a failure. As the price for broadband connections has dropped dramatically, having two redundant connections to ensure availability has become more cost-effective. Even with business-class services such as T1 lines, outages are possible, and at $30 per month, a backup DSL circuit is very inexpensive insurance.
As previously noted, not all these UTM firewalls include backup capabilities in their base feature set. For example, while Check Point includes fail-over in all the Safe@Office 500 models, SonicWall only offers this feature with the Enhanced version of its SonicOS operating system. Although maintaining a redundant Internet connection as a backup seems like an extravagance for a small business, the capability can be valuable and cost-effective for companies of all sizes today.
5. A firewall without support is a doorstop. UTM features in today's firewalls are dependent on continued support and frequent, subscription-based firmware updates from the vendor to be useful, a fundamental shift in the cost model for such equipment. While traditional firewalls that functioned primarily to block unauthorized traffic to and from a network didn't necessarily require ongoing support, the new generation of UTM firewalls involve a long-term partnership and continuing operational expense.
For example, the SonicWALL Pro 2040 has a street price of about $1,750. However, the annual cost of 8x5 support and a suite of UTM services, including gateway antivirus, intrusion prevention, anti-spyware and content filtering, is more than the price of the box itself, which costs $2,250. The cost is well worth the investment for most Internet-dependent small businesses, but IT managers and business owners should budget for it. There's no point in turning on UTM features without keeping them up to date.