INTRODUCTION

The market for Unified Threat Management (UTM) appliances is growing at 16.8 per cent per annum, and will reach $3.45 billion by 2008, according to IDC (Source: UTM Market Analysis paper (IDC #31840), September 2004, by Charles J. Kolodgy). 

Offering a range of security functions in a single box, managed through a single user interface, is an attractive proposition to many. In addition to the obvious small business market, large corporates are buying UTM devices to deploy in branch office networks, keeping on-site administration and troubleshooting requirements to a minimum.

In the same paper referenced above, IDC describes the typical UTM appliance as follows: 

“UTM security appliance products include multiple security features integrated into one box. To be included in this category, as opposed to other segments, the appliance MUST contain the ability to perform network firewalling, network intrusion detection and prevention, and gateway antivirus (AV). All of the capabilities in the appliance need not be utilised, but the functions must exist inherently in the appliance. In these products, the individual components cannot be separated.” 

For the purposes of the NSS test, a UTM device is defined as a single appliance combining the following possible functions: 

  • Firewall - these devices are typically deployed at the network perimeter, and therefore robust, stateful firewall capabilities with NAT are required.
     
  • VPN - often deployed as branch office solutions on a corporate WAN, the ability to create a small number of secure VPN tunnels is essential.
     
  • IDS/IPS - a firewall only enforces policy, and if that policy includes allowing inbound HTTP traffic to Web servers on the DMZ, then there is nothing the firewall can do to prevent HTTP exploits from subverting the target Web server. The IPS capability will detect and block such attempted exploits at the network perimeter, preventing the malicious traffic from ever reaching the server. An IDS-only capability can detect exploits and raise alerts, but will be unable to block the malicious traffic.
     
  • Anti Virus - gateway Anti Virus prevents inbound virus traffic at the edge of the network, thus reinforcing desktop security solutions and blocking viruses before they reach the desktop. This solution can also prevent infected machines from propagating viruses outside the corporate network.
     
  • Anti Spam - gateway Anti Spam can tag inbound e-mail, allowing it to be handled more effectively by desktop filtering solutions, or can block suspected spam mails completely. This solution can also prevent internal hosts from sending spam mail outside the corporate network.
     
  • URL Filtering - using a constantly-updated database of categorised URLs, a gateway URL filtering solution can prevent employees from accessing objectionable or inappropriate Web sites from the corporate network.
     
  • Content Filtering - by scanning Web and mail traffic for specific content, a gateway content filtering solution can prevent objectionable or inappropriate material from passing into, or out of, the corporate network.

In order to conform to the strict definition of a Unified Threat Management product as defined by IDC, the appliance should include items one to three at a minimum - the remaining items are optional.  

However, NSS would amend this definition to include those transparent gateway security devices which combine items three to seven, but which - by their very nature as transparent, non-routing devices - may not include items one or two (or where a layer 2 firewall is included, may not provide all the functionality of a typical layer 3 firewall device). 

The NSS tests are designed to determine the suitability of a particular UTM product for use as a basic, all-in-one gateway security device and will focus on the effects of combining multiple security technologies (as listed above) in a single appliance.  

Thus, the overall focus of the tests will be on the manageability, performance and capabilities of the appliance as a basic firewall or transparent bridge, and how the performance is affected by enabling/disabling the additional security functions.

UTM Product Reviews

For the first round of testing we invited all the major vendors in the UTM market place (if anyone reading this is a vendor who was not invited, please do let us know). Six agreed to take part initially, though both Crossbeam and Juniper were unable to complete their latest development cycles in time for testing - hopefully they will resubmit for the next round. 

Of the remaining four products, two failed our stringent tests, leaving just two products to scoop NSS Approved awards in the first round of testing: 

Fortinet FortiGate-3600

Internet Security Systems Proventia M50 

Vendors will be encouraged to submit new releases for testing, thus allowing us to update these reports at regular intervals and maintain an accurate appraisal of the UTM market place.  

This is a relatively immature, yet fast-moving market place, and potential customers need as much information as they can acquire when selecting and deploying such an important component in their security systems. 

Feedback confirms we are providing a major source of much needed information and advice to security professionals, and the various NSS test reports are considered the definitive guides to the security market place.

Copyright © 1991-2005 The NSS Group Ltd.
All rights reserved.