InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity March 2009
Cover Story
Unified Threat Management:
Can We Welcome the Shifts?

The UTM industry has witnessed phenomenal growth and demand in the recent past. To cope with the increasing number of blended threats, UTM vendors have incorporated new, innovative features and value additions. But what difference, and what changes, do those features eventually bring to users? Can enhanced versions of UTM appliances provide more safety, more assurance and more smiles to IT managers? This article attempts to find out the answers.

Since 2004, the UTM industry has come a long way and has witnessed some significant technology transitions. Earlier UTM versions were not competent enough to combat the increasingly complicated and sophisticated threats facing organizations. But with the latest innovations in architecture and multi-core processing power, organizations no longer have to settle for mediocre security in a UTM device. The approach of proven, next-generation UTMs mixes best-of-breed security with a variety of flexible features that are second to none.

While first-generation UTM devices saw deployment in mid-size businesses, the latest generation offerings are more robust than their previous generation counterparts. UTM vendors have started targeting mainstream enterprise adoption. However, when it comes to the demand side, large enterprises are still wary of UTM deployments on a large scale.

With the evolving features and value additions, the new generation of UTMs has become more powerful, faster and more mature, besides offering robust scalability. They also enable centralized management of multiple UTMs, facilitating greater control of the network as a whole. In the remainder of this article we discuss the significant changes that have taken place in UTM technology, architecture and management.

Shift in Architecture

Clearly, advanced UTM devices are far more sophisticated than their predecessors. These appliances deliver proven and uncompromising security while streamlining deployment. For years, UTMs required separate management servers to function. However, users can now administer a host of devices and sites through the same console without the traditional prerequisite of dedicated hardware to run a management server. This provides centralized management across a network. These appliances are also supported by real-time signature update services that maintain the most current preemptive security.

Shifting From ASIC Based Architecture

To achieve high performance, high throughput and low latency, and to cater to the varying needs of large and heterogeneous networks without compromising on performance, vendors have shifted their focus from ASIC-based architecture to multi-core architecture. Multi-core technology has brought a revolution in terms of unmatched performance at a very affordable price.

Multi-core processors have many advantages over general-purpose and ASIC processors in supporting UTM appliances. These advantages include lower power consumption, onboard security co-processors and the increased memory bandwidth necessary to increase throughput. Some vendors' multi-core platforms integrate hardware acceleration and automation into a wide range of packet processing and application-specific functions.

Compared with general-purpose processors, the multi-core processors used in next-generation security appliances provide additional security co-processing per core, allowing each individual core to perform any additional security acceleration on-chip. By integrating security co-processors in their multi-core platforms, some vendors have developed high-performance solutions that significantly decrease latency in security co-processing. Furthermore, an advanced multi-core architecture is not limited by bus speeds, since all security acceleration is done on-chip. Anticipating future iterations, today's extendable multi-core platforms are designed for easy expansion to more cores per chip, more chips per board, and more boards per chassis.

Subhomoy Biswas, Country Director—India and SAARC, SonicWALL

To increase network packet processing performance, a few UTM vendors have designed their multi-core processors with greater memory bandwidth than a general-purpose processor. This increased memory bandwidth provides a faster packet processing platform, since more memory resources are available per packet. With a general-purpose processor, the bandwidth is limited to 86 GB/s, while multi-core processors have in excess of 100 GB/s of memory bandwidth available.

Subhomoy Biswas, Country Director—India and SAARC, SonicWALL, said, “Multi-core processor technology has allowed SonicWALL to develop enhanced network security appliances that consume roughly 30% less power than comparable solutions built using a general purpose processor and security co-processors, while providing similar network scanning speeds.”

Content-based attacks are evolving in complexity every day, which can create major issues for closed security systems that depend primarily on hardware acceleration. After their initial configuration, ASIC-based systems cannot be reprogrammed to address new attacks. As a result, closed systems with hardware-acceleration-based architectures may be particularly prone to decreasing functionality, security and performance as new attacks appear. The true value of a security system is in its ability to deal with threats that have not yet appeared. Over time, closed systems can lose their performance value. Open systems, based on multi-core processor designs, are programmable and can handle new situations with more predictable performance. Also, the cycle time for bringing new advances in multi-core processor technology and memory subsystems to market is much shorter than for ASIC-based systems. This helps them maintain and even increase their value to the network over the long run.

With the incredible improvements in CPU performance and the low-margin, volume-driven server market, the strategy of using the native parallelization technologies of contemporary general-purpose CPUs is paying off and proving to be the most cost-effective way to deliver performance at every price level. With optimized software, open-server-based solutions running advanced software tend to outperform any similarly priced ASIC-based solution.

Bhaskar Bakthavatsalu, Country Manager, Check Point India

A few vendors are translating the raw computational power of present and future CPU technologies into gateway performance, encapsulating and developing APIs for specific routines and modules in order to accelerate them over both general-purpose CPUs and specialized ICs, and developing sophisticated clustering and load-balancing technologies. The Open Performance Architecture is a framework of technologies designed to accelerate security performance as new threats appear and to take advantage of new technologies as they are developed. For customers, it provides the opportunity to gain a high level of performance without the exceptional cost associated with closed, ASIC-based systems.

Addressing this paradigm shift, Bhaskar Bakthavatsalu, Country Manager, Check Point India, said, “CoreXL is a patent-pending technology from Check Point that accelerates traffic on multi-core CPUs. The first security technology designed for open system multi-core architectures, it provides near-linear scalability by load sharing traffic amongst the different cores on a system. With ASIC-based systems, the only acceleration occurs when an attack is known before the system is produced. ASICs are unable to cope with new types of threats that require deep inspection because they are programmed to perform static actions. Because of this, ASICs lose performance dramatically when faced with a dynamic threat. CoreXL as part of the Open Performance Architecture is designed to adapt to new threats while keeping a predictable level of performance.”

Vishak Raman, Country Manager, Fortinet India

Multi-core architecture has made it possible to deliver better throughput and performance to customers using standard appliance hardware rather than relying on ASIC technology. Many traditional security devices are based on a closed architecture and rely on ASICs to handle specific tasks very fast. But this approach, with security applications hard-coded in custom chips, can be poorly equipped to respond to dynamic threats. Security appliances designed with open architectures, based on multi-core high-performance processors, deliver the flexibility and performance needed to protect against existing and potential threats. Multi-core architecture is now the vehicle for delivering greater computing performance, yielding processor families that offer higher levels of scalability and more predictable performance.

UTM technology and architecture have improved significantly, offering enterprises a consolidated security approach that provides improved security along with lower CAPEX/OPEX, since fewer security devices need to be purchased and managed than in stand-alone product scenarios. A few vendors, like Fortinet, have still not shifted their architecture from ASIC to multi-core. Addressing this issue, Vishak Raman, Country Manager, Fortinet India, said, “FortiGate appliances offer multi-threat security, high-performance custom ASICs, in-house threat intelligence (better protection), early threat mitigation with better security tools and improved threat visibility (as consolidation simplifies the security infrastructure).”

Just as multi-core architecture has revolutionized UTM appliance performance, the industry is witnessing a major shift in the technological approach of UTM appliances and is moving towards the next level of UTM, termed by IDC as XTM (eXtended Threat Management).

Digvijaysinh Chudasama, Vice President—Sales, Cyberoam

Moving From UTM to XTM

Today’s hardware is more powerful than ever, making an all-in-one a very viable alternative to a collection of point solutions, even in more demanding environments where administrators may have been wary of running a UTM or XTM product previously. At the same time, as threats have become more sophisticated, so have the capabilities of the various UTM services such as intrusion prevention, anti-spam, anti-spyware, and URL filtering, making them equal contenders with traditional point solutions to meet today’s security needs. According to Digvijaysinh Chudasama, Vice President—Sales, Cyberoam, “So far, XTM as a terminology is in the initial stages of becoming known in pockets of the industry since UTMs have already gained recognition as appliances that are fast enhancing their performance and granularity.”

Over the years, the corporate network has evolved into a mesh of multiple disparate locations, wireless devices, and mobile workers. Numerous point security applications have now been consolidated into UTM devices. These appliances provide a basic core of critical security applications in a single box, simultaneously increasing network efficiency and reducing deployment and maintenance costs.

UTM deployments are currently limited to SMEs and the remote locations of larger enterprises. As the threat landscape widened, the need for a broad base of defense also came up. The need was felt for threat management devices that can scale up to the needs of larger enterprises. This resulted in the evolution of XTM, or eXtended Threat Management. As per IDC, XTM platforms are supposed to take security appliances beyond what they were doing traditionally by incorporating key management and networking features, along with advanced security options.

XTM appliances provide essential networking coupled with a centralized management console as part of a wider security solution that can support all of the networking needs of SMEs and the remote locations of distributed enterprises. Centralized management should allow security administrators to manage all remote locations and enable policy roll-outs and upgrades across the network. These appliances should also provide many automated processes, such as logging and event correlation for compliance purposes.

Threats are becoming more stealthy and concealed, as well. Typically, when a threat reaches a broad enough audience, a “signature” can be developed to counter and neutralize the threat. Today, the writers of these attacks have learned that low profile attacks keep threats “under the radar,” and hence, avoid detection and the eventual signature that will wipe them out. Likewise, other attackers have developed automated repackaging malware applications so that the malware changes every few minutes—effectively staying ahead of any anti-virus vendors’ ability to produce a signature.

Business is changing. Several factors are converging to change the way businesses operate. Leading this, WatchGuard sees business mobility, the “millennial” generation, the “consumerization” of IT, Web 2.0+, and new technologies, such as virtualization and Software as a Service (SaaS), all creating new dynamics for network security and data protection. As businesses deploy new technologies, they must address protection in new ways. For example, mobility and data in motion are changing the concept of how to secure the network perimeter. Protecting the end point device will be secondary to protecting users and data as they move through networking, web, and messaging platforms.

Sunil Sapra, Country Manager, India & SAARC, WatchGuard Technologies

All of these factors—the next generation of threats, changing business dynamics and new business technologies—have widened the demand for XTM, the next generation of UTM solutions. Sunil Sapra, Country Manager, India & SAARC, WatchGuard Technologies, believes that the UTM to XTM evolution has been necessary. The XTM concept has received a very positive reception from the sales channel as well as from customers. Especially in today's tough economic times, being able to realize more security capabilities for less money is more important than ever.

While the industry looks for next-generation UTM, several technologies are changing the UTM market significantly. One of these is obviously virtualization. Though the subject is not really new, considering its impact in the security space the industry is keen to examine it.

Virtualization: Can it Extend Flexibility?

Virtualization is in most companies' plans for a simple reason. It enables them to reduce server expenses as well as the ongoing operational expenses associated with servers. Companies like Check Point enable security professionals to provide a clear roadmap on how to take advantage of virtualization while maintaining a high level of security. There is a significant reduction in cost, as a single appliance can be used to protect and enforce different policies in various network segments by creating virtual instances that would otherwise require multiple appliances. Management and administrative costs are also reduced, as one integrated console is used for managing multiple virtual instances instead of multiple consoles. However, if not properly designed at the hardware and operating system level, the result can be one virtual instance fighting for resources with others.

Virtualization thrives on drivers such as the consolidation of physical resources, reduction in power consumption, controlled growth, simplified system maintenance and optimized resource utilization for UTM users. Virtualization offers security great advantages, especially in a managed security service scenario. A company like Fortinet, for instance, can partition its integrated multi-threat security appliances into several separately managed and provisioned instances. With this kind of multi-threat security appliance, customers can operate up to 4,000 virtual UTM firewalls. The smaller models also offer virtualization functionality.

For some years now, carriers, Internet service providers (ISPs), hosting and managed security service providers (MSSPs) have been virtualizing traditional network firewalls for their customers. They primarily used larger, redundant cluster firewall systems shared by several end customers. Each customer could thus use its own virtual firewall with appropriately separated configuration capabilities. This delivered savings in terms of hardware and software licenses and enabled providers to offer their customers cost-effective and highly available firewall services. Today, all the other UTM security functions can be virtualized as well. At the touch of a button, these features can be set up within a virtual firewall. And even the operating mode can be combined as required. One virtual firewall can, for example, run in NAT/route mode, while the second operates in transparent mode (layer 2). Firewall, IPS, and antivirus functions can be run on the first instance, and a pure web filter on the second.

Virtualization technologies already incorporated in UTM devices enable administrators to assign different virtual UTM devices to network segments or user groups. The entire system can then be managed through a single interface. Virtualization essentially simulates having multiple devices on the network, without the overhead and complexity of physically doing so.

Virtualization helps next-generation UTMs by enabling updates to be administered across functionalities and sites at the click of a button.

Advantages:

Efficiency is a common reason to deploy a virtualization solution. Using idle resources to perform work is the goal. By performing the same work on fewer physical resources, fewer energy resources are required, lowering energy bills for both running unnecessary servers as well as the cooling required. Physical space is also conserved, lowering the number of data center racks required.

High Uptimes can be achieved by moving logical resources to different physical resources while remaining online, or if a physical resource fails, starting all logical resources on a different functioning physical resource. Maintenance and upgrades of physical resources can be performed without downtime of the logical resources.

Scaling Out can be achieved with proper planning. Instead of waiting until the need arises, scaling out to two or more virtual servers from the beginning, all running on the same physical machine, will provide an easy transition from a single physical machine to multiple physical machines, all without downtime.

Disadvantages:

Performance is the most popular disadvantage in discussions of whether to use virtualization technologies. Performance is sometimes a major concern, especially in highly visible systems where high latency is widely noticed, and potentially financially harmful. Virtualization technologies are often used to consolidate existing infrastructure and not used in large-scale deployments of a single application that meets these requirements. Large high-availability and highly-scalable systems are generally cheaper and faster than large virtualized environments.

Complex Deployment and Maintenance is another common issue with virtualization technologies. When a large number of logical resources are consolidated onto a small number of physical resources, the consequences of downtime increase. To compensate, redundant physical hardware configurations are often used, increasing the complexity of deployment. This does not necessarily mean the physical hardware deployment is any more complex than a non-virtualized environment, but it does add a layer of complexity onto typical physical deployments. With the added features that virtualization provides, the possibilities increase, thus complicating the deployment options and management of the environment.

Changes in Device Management

The most significant change from the management perspective, with respect to either virtual or real security appliances, is that decision-makers and management have realized it is not just about the deployment and maintenance of an appliance; it is an effective policy, arrived at through in-depth analysis of threats, user patterns, business needs, etc., that adds teeth to the whole security process.

The crowning achievement of advanced UTM is the capability these appliances provide for centralizing management of other devices protecting a network. For years, UTMs required separate management servers to function in this diffuse environment. However, now with this advanced approach, users can administer a host of devices and sites through the same console without the traditional prerequisite of dedicated hardware to run a management server. Advanced UTM appliances have the ability to run management software on the same hardware that enforces policy—making UTM deployment and management cheaper and simpler.

Centralized consoles also store and distribute security policy for an entire infrastructure, eliminating the need to maintain each site or gateway separately, reducing administrative burden and errors. Through these console dashboards, network administrators can define and manage firewall security, network address translation, Quality of Service (QoS), and VPNs, as well as use the technology to centralize security updates.

In some cases, dashboards even offer version control of security objects and policies for audit purposes and quick rollback. In short, advanced UTM offers the ability to manage more with less—an advantage in any network.

The configured policies actually make the ultimate difference in protecting the integrity, availability, and confidentiality of information of the enterprise and IT assets from unauthorized use or modification, and from accidental or intentional damage or destruction. Thus, the new management perspective is that security lies in the organization's ability to categorize, capture, and communicate risk as part of an overall value management process. 

The major change from the management perspective has come about due to the following circumstances:

Evolving Security Threats: The newer security threats are blended threats that change patterns rapidly, exploit holes in applications and are targeted at users, since the objective is to steal data, whether business or personal. The attacker's objective is financial reward rather than notoriety. The vehicles of these attacks are viruses, worms, spam, phishing, pharming, email, FTP, instant messaging, P2P, etc.

Change in Business Requirements: As businesses become more integrated, access to information from anywhere, anytime is a must. Traditional boundaries are fading as customers, suppliers, resellers, remote offices and work-from-home users get connected to an organization's network. The kinds of applications that organizations use, like Web 2.0, ERP, CRM, Software as a Service (SaaS) and VoIP, change the security dynamics.

Changing Security Dynamics due to Users: Users extensively use applications like P2P, social networking sites, instant messaging and personal web mail, making intentional or unintentional information leaks possible. Users may also cause productivity loss by hogging bandwidth for non-business applications and affecting business-critical applications.

Today's vendors are introducing a number of important capabilities in their management software aimed at making management of appliances easier and at saving customers valuable time. Greater interoperability with third-party management platforms now gives customers the ultimate in management flexibility, by allowing them to choose the management environment most appropriate for them to configure and monitor their equipment.

Innovations and Expectations

New innovation in UTM is geared towards enhanced performance to meet rising bandwidth availability and consumption. Further, its aim of staying ahead of emerging threats is leading it towards increasing the granularity of the solution. Multi-core technology is the biggest step towards ensuring higher throughput.

On the granularity front, as threats proliferate and web applications become highly interactive and open, end users emerge as the biggest threat vector. There will be a constant need to bring UTM functionality closer to human intelligence by going beyond the IP address and penetrating deeper layers of the security process. For example, identity-based UTM appliances take security to a level closer to human intelligence by weaving identity controls into their features, tracing a user's movement in the network not only to the IP address of a machine, which is the traditional approach in the industry, but to the actual user. This gives complete transparency as to ‘who is doing what’ in the network and thus an unprecedented degree of control over users. As user identity emerges as one of the most important paradigms in security, the next phase of innovation in the UTM industry will be about making solutions more granular.
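To make the identity-based idea concrete, the following added example (not code from the article or any vendor named in it) evaluates flows against rules written for users and groups rather than addresses. The identity feed, flow records and rule set are constructed for the illustration; a real appliance would learn the IP-to-user binding from a directory logon, captive portal or endpoint agent, and that feed's format is an assumption here.

```python
"""Identity-based policy evaluation: resolve the user behind an IP at the time
of a flow, then apply group rules. Constructed data throughout."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed identity feed: which user held which IP during which interval
# (as a domain logon feed might report). Note that 10.1.1.20 is reused by
# two different users over the day, which an IP-only rule cannot tell apart.
SESSIONS = [
    # (user, group, ip, start, end)
    ("alice", "finance",   "10.1.1.20", "2009-03-02T08:00", "2009-03-02T12:00"),
    ("bob",   "it-admins", "10.1.1.20", "2009-03-02T12:30", "2009-03-02T18:00"),
    ("carol", "finance",   "10.1.1.21", "2009-03-02T08:00", "2009-03-02T18:00"),
]

# Constructed flow records as the appliance's application classifier saw them.
FLOWS = [
    ("2009-03-02T09:15", "10.1.1.20", "p2p"),
    ("2009-03-02T13:05", "10.1.1.20", "p2p"),
    ("2009-03-02T10:40", "10.1.1.21", "webmail"),
    ("2009-03-02T14:10", "10.1.1.22", "ssh"),   # no session: unknown host
]


@dataclass
class Rule:
    subject: str   # "ip:<addr>", "user:<name>", "group:<name>" or "any"
    app: str       # application name or "any"
    action: str    # "allow" or "deny"


# Identity-aware rule set, matched first-hit: P2P is denied for finance
# staff and allowed for IT admins; everything else is allowed.
POLICY = [
    Rule("group:finance",   "p2p", "deny"),
    Rule("group:it-admins", "p2p", "allow"),
    Rule("any",             "any", "allow"),
]


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def resolve_user(ip: str, when: str) -> Optional[tuple]:
    """Return (user, group) that held `ip` at time `when`, or None."""
    ts = _t(when)
    for user, group, sip, start, end in SESSIONS:
        if sip == ip and _t(start) <= ts <= _t(end):
            return user, group
    return None


def matches(rule: Rule, ip, user, group, app) -> bool:
    """True if the rule's subject and application both cover this flow."""
    if rule.app not in ("any", app):
        return False
    kind, _, val = rule.subject.partition(":")
    return (rule.subject == "any"
            or (kind == "ip" and val == ip)
            or (kind == "user" and val == user)
            or (kind == "group" and val == group))


def evaluate(flow, policy=POLICY, default="deny"):
    """Decide one flow; returns (user, group, action)."""
    when, ip, app = flow
    ident = resolve_user(ip, when)
    if ident is None:
        # Unauthenticated host: no identity means no allow, whatever the rules say.
        return None, None, default
    user, group = ident
    for r in policy:
        if matches(r, ip, user, group, app):
            return user, group, r.action
    return user, group, default


def who_is_doing_what(flows=FLOWS):
    """Activity report keyed by identity (or by address for unknown hosts)."""
    report = {}
    for f in flows:
        user, group, action = evaluate(f)
        key = user or f"unknown@{f[1]}"
        report.setdefault(key, []).append((f[2], action))
    return report


if __name__ == "__main__":
    for who, acts in who_is_doing_what().items():
        print(who, acts)
```

Replacing the group rules with an address rule such as `Rule("ip:10.1.1.20", "p2p", "deny")` denies bob's afternoon P2P session as well as alice's morning one, which is exactly the loss of granularity the text describes.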

Mahendra Lalwani, Managing Director, ZyXEL India

In 2009, innovation continues with the introduction of the Software Blade Architecture. The Software Blade architecture is a security architecture that delivers total, flexible and manageable security solutions to companies of all sizes. It provides customers with the ability to custom-configure security solutions to meet their specific needs.

A software blade is a logical security building block that is independent, modular and centrally managed. Software blades can be quickly enabled and configured into a solution based on specific business needs. And as needs evolve, additional blades can be quickly activated to extend security in an existing configuration on the same hardware foundation.

Raghu Setlur, Business Head, Select

Mahendra Lalwani, Managing Director, ZyXEL India, expects that next-generation UTM/XTM platforms should accommodate the integration of new security features as needed by customer environments. These could include VoIP security, web security, identity and access management, NAC, vulnerability assessment and automated threat management programming.

According to Raghu Setlur, Business Head, Select, UTM will become more modular and open-architecture based, where on a given base module you can look at adding best-of-breed technology modules like AV, IPS, etc.

Sandeep Gupta, CTO, iPolicy Networks, Security Products Division of Tech Mahindra Ltd

Commenting on the impact of innovations for next-generation UTM devices, Sandeep Gupta, CTO, iPolicy Networks, Security Products Division of Tech Mahindra Ltd, said, “I believe that innovation should bring virtualization support at processor and hardware level besides deep inspection for application identification and content inspection, even virtual execution to understand malware behavior. Higher Application awareness, faster Antivirus and anti spam technologies are also expected in addition.”

Expecting all these advanced features, Anand Iyer, President Marketing, Gajshield Infotech, said, “The next phase in the development in UTM should incorporate more advanced options in the networking, Data Leak Prevention, NAC, In-depth Application filtering, Layer 7 visibility, Zero Hour Malware Protection.”

Anand Iyer, President Marketing, Gajshield Infotech

Next-generation UTMs should enable updates to be administered across functionalities and sites at the click of a button. Reporting is another major function that is lacking in most appliances. These days, the best UTM devices are equipped with advanced reporting features that enable network administrators to keep real-time tabs on overall performance. Provided the devices offer adequate extensibility and a good centralized management tool, the reporting interface should be able to deliver information about every security feature. The trend in integrated security appliances is now to look at solutions that can protect against external and internal threats together.

Recession—Any Impact?

Though the recession has strongly impacted almost all sectors of industry, experts still predict a strong upcoming market for UTM vendors. For example, Fortinet increased fiscal year 2008 revenues by 36 percent to $212 million and billings by 30 percent to $252 million year over year. Indeed, the company continues to experience strong growth and had its best year to date in 2008, in this economic downturn. Industry analysts believe that the UTM industry should be able to capitalize on the current slowdown. Organizations tend to prefer best-of-breed security solutions. Manish Gupta, Director—Business Continuity and Security Governance (BC&SG), BT India, said, “However, integration and management of such devices is costly and complex. Therefore, UTMs offer the potential for capex and opex reductions which appear attractive in cash-constrained environments. As such, enterprises will start to consider them as replacements for their core-systems (rather than SoHo / Branch solutions). For genuine cost and capex control, enterprises should also look to Managed Services providers to handle the delivery of security operations using best-of-breed solutions.”

Manish Gupta, Director—Business Continuity and Security Governance (BC&SG), BT India

The hefty slowdown in the global economy does have its effect on the industry. Nevertheless, India is one of the fastest growing regions in Asia, and UTM security systems will continue to make up the majority of the combined firewall/VPN business. Increased investment in technology, growing networks, increased data generation and increased Internet adoption are leading to tremendous growth in the area of security. With the growth of the IT and ITeS market, the security business in India is seeing an upward trend. The BFSI sector is the largest spender on security after government, and this trend is likely to continue for a few more years. Today, customers in India recognize the power of UTM devices and are ready to buy integrated solutions.

Conclusion

With the recent innovations in the UTM industry, UTM appliances have achieved a quantum leap, and the shifts in UTM technology and architecture have strengthened UTM performance many-fold. New innovations in management software have made administrators' tasks much easier than ever before. Besides the incorporation of rich, innovative features, value additions like strong remote access and control have also raised the bar for advanced UTMs. The industry hopes that with these upcoming new and intelligent features, next-generation UTMs will be more powerful, intelligent and easy to use.

—By: ‘InfoSecurity’ Bureau.


© 2006-07 'InfoSecurity' magazine. All rights reserved.