Why Are UTMs Not Recommended Generally
- 
 @dave247 said in Why Are UTMs Not Recommended Generally: And then on this subject, having a UTM is nice because with Sophos, for example, you have systems with agents on them and then you can put users/machines in various groups and apply different web and application white-lists against them. That's a nice feature of Sophos, granted. But it isn't from the UTM. You are perceiving a Sophos feature and thinking that it is caused by it being a UTM, but it is not. Sophos, I believe, does that in their non-UTM products, too. And you can definitely do that with non-UTM products outside of Sophos. That you can do it in a UTM, too, is nice as an add-on feature to the UTM, but it doesn't change the fact that the UTM is the "lesser way to do it." Bottom line, it's impossible for a UTM to be better than alternatives from a performance and security standpoint. Anything you can do in a UTM you can do better without a UTM. All UTM features existed in the enterprise before anyone thought that shoving those features into their router was an acceptable practice. 
- 
 @scottalanmiller said in Why Are UTMs Not Recommended Generally: @dave247 said in Why Are UTMs Not Recommended Generally: I don't understand why you are saying this. The idea is to have web-filtering/white-listing on the perimeter of the network because that ensures that everything on the network has to pass through it. Because it's a bad place to have it and doesn't provide anything special like you are thinking. Having your proxy in your pipeline provides what you are looking for, having it on the edge doesn't guarantee that any more than having it anywhere else. You are wanting X and stating Y and are feeling that you get X because of Y but that isn't true. This is why UTMs are selling so well, it's become common to think that they are "how" you do features, but those features are things we've had for decades, and UTMs are new, so it can't possibly be the UTM or the edge placement giving the features. I want to block all possible porn and gambling sites using the lists provided through the SonicWall services and as a result, all porn and gambling websites are blocked. It seems like you are stuck in the past with how to do things and anything that presents itself as a new way of doing things, you throw a fit about. I understand what you are saying and where you are coming from, but I don't think you are being very reasonable with how opposed you are being to the concept of a UTM. 
- 
 @dave247 said in Why Are UTMs Not Recommended Generally: @scottalanmiller said in Why Are UTMs Not Recommended Generally: @dave247 said in Why Are UTMs Not Recommended Generally: @scottalanmiller said in Why Are UTMs Not Recommended Generally: If you just want VLANs, there is no need for more than two ports on your router. You only need more than two ports when you have more than one LAN, not more than one VLAN. So that matters as to whether you need more ports or not. I don't fully understand where you are coming from here. I have a different VLAN for each different network (LAN). Are you talking about having sub-interfaces? VLANs don't require firewall ports. Physical LANs do. You are saying you have VLANs, but saying you need firewall ports for them. Basically it works this way.... If you have VLANs to separate your LANs, you can do it all on one port. If you have physical port separation for your LANs, you have no purpose for VLANs. VLANs or physical separation are both fine for different use cases, neither is a terrible thing, neither is automatically better than the other. But your description of using VLANs and using six ports on your firewall don't seem to fit. In theory, it should be one or the other. Let me clarify. I have a switch with various trunk ports (from the different VLANs) which run directly to different ports on our SonicWall. Yes, I could run them all through one trunk port on the switch to a single port on the SonicWall with sub-interfaces, but then bandwidth will be limited to a single 1Gbps Ethernet port. Each zone is on its own VLAN and then we have various firewall rules and policies for those. That's a weird way to do it. What you would normally want is...
 - To move to a firewall with a faster interface that can handle your desired workload.
 - Use the L3 switch for the ACLs, not the firewall, that's why these exist in the first place. If you have an L3 switch and are doing this, you are missing why you paid for the L3 switch.
 - Use trunking to the firewall instead of individual ports for each VLAN.
 One of those three, #2 preferably. Now given how many VLANs you have, I'd recommend a thread to talk about if they are needed. Rule of thumb is that you want to avoid VLANs when possible. If you have devices that need to talk across VLANs, this pretty much tells you that the VLANs aren't right for your needs. There are loads of cases for VLANs, but most places do them when they are not needed and an unneeded VLAN means performance and management overhead that is just wasted resources. Of course, VLANs become smart when you have more than 2-4K devices on a single subnet. 
- 
 @dave247 said in Why Are UTMs Not Recommended Generally: I want to block all possible porn and gambling sites using the lists provided through the SonicWall services and as a result, all porn and gambling websites are blocked. And? I can do all of that without a SonicWall or a UTM. No one is saying you can't do it poorly with a UTM, we are just saying it's not the only, or the best, way to do it. 
- 
 @scottalanmiller said in Why Are UTMs Not Recommended Generally: @dave247 said in Why Are UTMs Not Recommended Generally: I want to block all possible porn and gambling sites using the lists provided through the SonicWall services and as a result, all porn and gambling websites are blocked. And? I can do all of that without a SonicWall or a UTM. No one is saying you can't do it poorly with a UTM, we are just saying it's not the only, or the best, way to do it. You're diverting again. This was a sub-response about you saying you never put it on the edge. I explained why and then you are back to the UTM argument. 
- 
 @dave247 said in Why Are UTMs Not Recommended Generally: It seems like you are stuck in the past with how to do things and anything that presents itself as a new way of doing things, you throw a fit about. I understand what you are saying and where you are coming from, but I don't think you are being very reasonable with how opposed you are being to the concept of a UTM. So let me ask you, do you feel that Windows SBS server, where all functions are crammed into a single device rather than being separated out into individual VMs, is smart? Because that was a big trend fifteen years ago, make it "simple" for IT shops that "didn't get it" and it was crap. Performance was crap, stability was crap, everyone who was "stuck in the old ways" laughed at them for being caught up in marketing and hype and not thinking through what they were doing, and eventually the model showed to be so ridiculous that even MS discontinued it. UTMs require you to do things in a fundamentally unreliable and expensive way. Router hardware is not as reliable, cheap, or performant as your server infrastructure. But it makes loads of money for the VARs and networking companies. What you see as "stuck in the old ways", we see as "understanding how it works." UTMs aren't a new idea, they are just new on the market. It's a new way to trick people into spending too much (thanks to security theater and security being too confusing for most shops) by fancy terms and marketing blitzes and hoping that people buying them don't know the history or realize that all of that functionality is something we've had access to, and been doing better for a long time. Remember, UTMs aren't new, thinking that UTMs are a good idea is new. That's a huge difference. It's one of the current "buzz words" in IT. Like SAN was ten years ago. Took a few years of fighting, now everyone knows how ridiculous, costly, and risky that trend was. 
But for many years there, those of us pushing hyperconvergence (the "old" way) were laughed at for not doing what was "new", which neither thing was new. Then hyperconvergence got the marketing and now it is seen as "new", even though we were pushing it before SANs were popular. You see UTMs as new. We see them as a bad idea that is very old. 
- 
 @scottalanmiller said in Why Are UTMs Not Recommended Generally: @dave247 said in Why Are UTMs Not Recommended Generally: I don't understand why you are saying this. The idea is to have web-filtering/white-listing on the perimeter of the network because that ensures that everything on the network has to pass through it. Because it's a bad place to have it and doesn't provide anything special like you are thinking. Having your proxy in your pipeline provides what you are looking for, having it on the edge doesn't guarantee that any more than having it anywhere else. You are wanting X and stating Y and are feeling that you get X because of Y but that isn't true. This is why UTMs are selling so well, it's become common to think that they are "how" you do features, but those features are things we've had for decades, and UTMs are new, so it can't possibly be the UTM or the edge placement giving the features. The reason I have seen personally that some managers want a UTM is because they want that all in one system so they don't have to worry about multiple separate pieces, want the paid support, and don't understand how it's actually less secure, but want someone else to blame if things go bad. 
- 
 @dave247 said in Why Are UTMs Not Recommended Generally: @scottalanmiller said in Why Are UTMs Not Recommended Generally: @dave247 said in Why Are UTMs Not Recommended Generally: I want to block all possible porn and gambling sites using the lists provided through the SonicWall services and as a result, all porn and gambling websites are blocked. And? I can do all of that without a SonicWall or a UTM. No one is saying you can't do it poorly with a UTM, we are just saying it's not the only, or the best, way to do it. You're diverting again. This was a sub-response about you saying you never put it on the edge. I explained why and then you are back to the UTM argument. Right, you shouldn't put it on the edge. You didn't explain why at all. That you think that you did shows that you aren't understanding. By putting it on the edge it was more costly, and less reliable. So in your example, you feel that you showed why you should do it, but I see it as showing why you shouldn't because you got no features or benefits from placing it at the edge, only caveats. 
- 
 @Obsolesce said in Why Are UTMs Not Recommended Generally: @scottalanmiller said in Why Are UTMs Not Recommended Generally: @dave247 said in Why Are UTMs Not Recommended Generally: I don't understand why you are saying this. The idea is to have web-filtering/white-listing on the perimeter of the network because that ensures that everything on the network has to pass through it. Because it's a bad place to have it and doesn't provide anything special like you are thinking. Having your proxy in your pipeline provides what you are looking for, having it on the edge doesn't guarantee that any more than having it anywhere else. You are wanting X and stating Y and are feeling that you get X because of Y but that isn't true. This is why UTMs are selling so well, it's become common to think that they are "how" you do features, but those features are things we've had for decades, and UTMs are new, so it can't possibly be the UTM or the edge placement giving the features. The reason I have seen personally that some managers want a UTM is because they want that all in one system so they don't have to worry about multiple separate pieces, want the paid support, and don't understand how it's actually less secure, but want someone else to blame if things go bad. That's what they said about SBS. "Managers" who don't understand IT stuff and go from airport marketing blitzes do these crazy things because they don't understand cost, best practices, common sense, workload separation, etc. It's part of the trick of "bundling" that is one of the "predictably irrational" ways that you can manipulate buyers. Buyers perceive bundled products as cheaper and better, even when logic says that they are not. It's similar to the "three option" sales trick, even when you tell someone you are going to do it to them, the trick is so strong that even Harvard MBA students being prepped for it, mostly fall for it anyway. 
Bundling is one of those things that IT needs to protect businesses against, because non-technical managers have effectively no defense against it except for deferring decision making to the people who know the stuff. But truly, any manager choosing the tech is incompetent beyond belief, because the one thing he knows for sure, is that he isn't qualified to make the decision. 
- 
 @scottalanmiller said in Why Are UTMs Not Recommended Generally: @Obsolesce said in Why Are UTMs Not Recommended Generally: @scottalanmiller said in Why Are UTMs Not Recommended Generally: @dave247 said in Why Are UTMs Not Recommended Generally: I don't understand why you are saying this. The idea is to have web-filtering/white-listing on the perimeter of the network because that ensures that everything on the network has to pass through it. Because it's a bad place to have it and doesn't provide anything special like you are thinking. Having your proxy in your pipeline provides what you are looking for, having it on the edge doesn't guarantee that any more than having it anywhere else. You are wanting X and stating Y and are feeling that you get X because of Y but that isn't true. This is why UTMs are selling so well, it's become common to think that they are "how" you do features, but those features are things we've had for decades, and UTMs are new, so it can't possibly be the UTM or the edge placement giving the features. The reason I have seen personally that some managers want a UTM is because they want that all in one system so they don't have to worry about multiple separate pieces, want the paid support, and don't understand how it's actually less secure, but want someone else to blame if things go bad. That's what they said about SBS. "Managers" who don't understand IT stuff and go from airport marketing blitzes do these crazy things because they don't understand cost, best practices, common sense, workload separation, etc. It's part of the trick of "bundling" that is one of the "predictably irrational" ways that you can manipulate buyers. Buyers perceive bundled products as cheaper and better, even when logic says that they are not. It's similar to the "three option" sales trick, even when you tell someone you are going to do it to them, the trick is so strong that even Harvard MBA students being prepped for it, mostly fall for it anyway. 
Bundling is one of those things that IT needs to protect businesses against, because non-technical managers have effectively no defense against it except for deferring decision making to the people who know the stuff. But truly, any manager choosing the tech is incompetent beyond belief, because the one thing he knows for sure, is that he isn't qualified to make the decision. I agree completely. 
- 
 @dave247 said in Why Are UTMs Not Recommended Generally: @scottalanmiller said in Why Are UTMs Not Recommended Generally: If you just want VLANs, there is no need for more than two ports on your router. You only need more than two ports when you have more than one LAN, not more than one VLAN. So that matters as to whether you need more ports or not. I don't fully understand where you are coming from here. I have a different VLAN for each different network (LAN). Are you talking about having sub-interfaces? Now from your post on your other thread we know that your setup isn't as it should be for your use case. Granted, I think no one will agree with your use of six VLANs, only two make sense as you described your network, but ignoring that and assuming that the VLANs are staying.... Your traffic link to your router should be a single link that is the same speed as the upward link to the Internet. So GigE most likely. Any additional ports or speed is purely wasted money doing nothing. Traffic going to the router / firewall / UTM should be only traffic heading to or from the Internet, leaving your edge device with more resources to do its job. The firewall can still support the VLANs, it just doesn't route between them. Then the L3 switch, which must have been purchased for this purpose originally as it is the only purpose of an L3 switch, operates as the firewall and handles any and all traffic between the VLANs inside of itself at switching speed. This not only fixes your GigE uplink problem, and reduces cabling, but increases your VLAN to VLAN speed to that of the switching fabric. You then use the firewall in the switch to handle the ACLs between the VLANs. Simple, faster, cheaper, as intended. 
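 The design described in the post above (inter-VLAN routing and ACLs on the L3 switch, a single routed uplink to the firewall that carries only Internet-bound traffic), written out as an added illustration that is not from the thread or from any vendor's documentation. It uses Cisco IOS-style syntax; the VLAN numbers, interface name and 10.0.x.x addresses are constructed for the example and are not from the original post.

```text
! --- L3 switch: all VLAN-to-VLAN traffic is routed and filtered here ---
ip routing
!
! One SVI (gateway) per VLAN; addresses are constructed for the example.
interface Vlan10
 description Users
 ip address 10.0.10.1 255.255.255.0
 ip access-group USERS-IN in
!
interface Vlan20
 description Servers
 ip address 10.0.20.1 255.255.255.0
 ip access-group SERVERS-IN in
!
interface Vlan30
 description Printers
 ip address 10.0.30.1 255.255.255.0
 ip access-group PRINTERS-IN in
!
! Inter-VLAN policy lives in the switch ACLs and is evaluated at
! switching speed, never crossing the uplink. Switch ACLs are stateless,
! so reply traffic is admitted with "established" on the far side.
! Policy: users reach servers on HTTPS and printers on 9100 only;
! servers and printers never initiate toward other VLANs;
! anything not destined for 10.0.0.0/16 is Internet-bound and goes
! to the firewall.
ip access-list extended USERS-IN
 permit tcp 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 443
 permit tcp 10.0.10.0 0.0.0.255 10.0.30.0 0.0.0.255 eq 9100
 deny   ip  10.0.10.0 0.0.0.255 10.0.0.0 0.0.255.255
 permit ip  10.0.10.0 0.0.0.255 any
!
ip access-list extended SERVERS-IN
 permit tcp 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 established
 deny   ip  10.0.20.0 0.0.0.255 10.0.0.0 0.0.255.255
 permit ip  10.0.20.0 0.0.0.255 any
!
ip access-list extended PRINTERS-IN
 permit tcp 10.0.30.0 0.0.0.255 10.0.10.0 0.0.0.255 established
 deny   ip  10.0.30.0 0.0.0.255 any
!
! --- Single routed uplink to the firewall ---
! Only traffic leaving or entering the site crosses this link, so a
! GigE port matching the Internet circuit is all that is needed;
! extra firewall ports per VLAN add nothing.
interface GigabitEthernet1/0/48
 description Uplink-to-firewall
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! Firewall side (any vendor): one LAN interface at 10.0.0.1/30 and a
! single route for 10.0.0.0/16 via 10.0.0.2. The firewall sees the
! VLAN subnets as sources for its Internet policy and NAT, but it
! never routes between them.
```

 Verify the split of responsibilities by tracing a user-to-server HTTPS session: it hits USERS-IN on Vlan10, is forwarded inside the switch, and its replies match the `established` line on SERVERS-IN, so the uplink counter on the firewall port stays flat while the session runs.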
- 
 @scottalanmiller said in Why Are UTMs Not Recommended Generally: @dave247 said in Why Are UTMs Not Recommended Generally: It seems like you are stuck in the past with how to do things and anything that presents itself as a new way of doing things, you throw a fit about. I understand what you are saying and where you are coming from, but I don't think you are being very reasonable with how opposed you are being to the concept of a UTM. So let me ask you, do you feel that Windows SBS server, where all functions are crammed into a single device rather than being separated out into individual VMs, is smart? Because that was a big trend fifteen years ago, make it "simple" for IT shops that "didn't get it" and it was crap. Performance was crap, stability was crap, everyone who was "stuck in the old ways" laughed at them for being caught up in marketing and hype and not thinking through what they were doing, and eventually the model showed to be so ridiculous that even MS discontinued it. UTMs require you to do things in a fundamentally unreliable and expensive way. Router hardware is not as reliable, cheap, or performant as your server infrastructure. But it makes loads of money for the VARs and networking companies. What you see as "stuck in the old ways", we see as "understanding how it works." UTMs aren't a new idea, they are just new on the market. It's a new way to trick people into spending too much (thanks to security theater and security being too confusing for most shops) by fancy terms and marketing blitzes and hoping that people buying them don't know the history or realize that all of that functionality is something we've had access to, and been doing better for a long time. Remember, UTMs aren't new, thinking that UTMs are a good idea is new. That's a huge difference. It's one of the current "buzz words" in IT. Like SAN was ten years ago. Took a few years of fighting, now everyone knows how ridiculous, costly, and risky that trend was. 
But for many years there, those of us pushing hyperconvergence (the "old" way) were laughed at for not doing what was "new", which neither thing was new. Then hyperconvergence got the marketing and now it is seen as "new", even though we were pushing it before SANs were popular. You see UTMs as new. We see them as a bad idea that is very old. You say UTMs are new here but in another spot you say they aren't new. I'm not surprised. I've read through hundreds of your posts and seen various spots where you contradict yourself. You once argued with me for hours about a router and a firewall being the exact same thing. You spew out vast amounts of information in the form of debating and arguing about IT stuff but what it really boils down to is that you are splitting hairs about various IT concepts. I'm not sure if you do this "for the good of the IT community" or if you're doing it to bolster your own ego. Either way, you can't seem to have a simple discussion without unpacking a torrent of paragraphs and fragmenting discussion threads in some sort of frightening Scott Alan Miller battle-dance, where you come out the victor because your opponent is forced to yield due to sheer exhaustion from all the reading and typing. I truly understand what you are saying and where you are coming from with a lot of this stuff, but you are just tireless with the discussion. I'm out. 
- 
 @dave247 said in Why Are UTMs Not Recommended Generally: You say UTMs are new here but in another spot you say they aren't new. I'm not surprised. I was SUPER clear on this. They are new "to the market" but not new "as a concept". We just knew better than to use them before. I explained this earlier specifically because I knew you were trying to say we were out of date and trying to make UTMs sound like a new idea, rather than a new trend. And, as I predicted, you ignored that and made the claim anyway. 
- 
 @dave247 said in Why Are UTMs Not Recommended Generally: I've read through hundreds of your posts and seen various spots where you contradict yourself. Link? 
- 
 @dave247 said in Why Are UTMs Not Recommended Generally: You once argued with me for hours about a router and a firewall being the exact same thing. And they are. And I've even stated it here. All routers on the market for decades are firewalls, all firewalls on the market are routers. We've covered this. Stating that I said this is weird, since I said it in today's discussion, even. 
- 
 @dave247 said in Why Are UTMs Not Recommended Generally: You spew out vast amounts of information in the form of debating and arguing about IT stuff but what it really boils down to is that you are splitting hairs about various IT concepts. I think you see "fundamental network architecture and design" as "splitting hairs". This just doesn't work. Thinking your firewall isn't a firewall will lead you to all kinds of mistakes. Not realizing you bought a multi-port router (firewall) and not using it and crippling your network, for example, is one of the results. Please find an example of where I "split hairs" but it wasn't critical to your understanding of networking? You mention some pretty huge examples of what you call "splitting hairs" but it would seem pretty incredibly obvious that knowing where your firewalls are is anything but splitting hairs. How can you design security if you are being driven by marketing, and not by understanding the network and how security plays into it? If there is one takeaway from these threads today, one thing of the utmost value, it would be that you see "understanding the network" or "saving money" or "improving security" as "splitting hairs", and these are not. These things are super important, they are the fundamental value that IT adds to an organization. This isn't trivial, this is what gives us our jobs. If we just wanted to "buy whatever is advertised", IT isn't needed for that, management can do that without us. It's cutting through the BS, not allowing marketing hype and buzz words to influence us, knowing how to deploy good technologies, knowing not to deploy bad ones, how to deploy them correctly, etc. that earns IT its keep and gives value to our organizations. Instead of trying to brush off core IT understanding as "splitting hairs", take a moment and ask yourself... if you don't understand these basics, how can you make effective decisions about your network? 
- 
 @dave247 said in Why Are UTMs Not Recommended Generally: I'm not sure if you do this "for the good of the IT community" or if you're doing it to bolster your own ego. Either way, you can't seem to have a simple discussion without unpacking a torrent of paragraphs and fragmenting discussion threads in some sort of frightening Scott Alan Miller battle-dance, where you come out the victor because your opponent is forced to yield due to sheer exhaustion from all the reading and typing. So we split threads because if we don't, any discussion outside of the original scope is seen as a derailment and people complain about it. You only need to type a lot because you are arguing for something but not making any points. If you read what had been written, and responded logically with understanding, or just asked for more information because you didn't understand, you'd have no need for writing so much. It is because you are trying to use personal attacks, rather than logic or technical information, to cover up that you apparently don't have a reason for the things that you have done. It seems frustrating to you because, from what we can tell, you did what most humans do and made decisions that were based either on a lack of information or on emotions (or manage a network someone else made, but same starting point) and now are feeling defensive and trying to "reverse rationalize" fundamentally irrational decisions. You should read Predictably Irrational, because it does an amazing job of covering how the brain works and how these exact situations arise. That book explains exactly why things like UTMs get to be so popular, by bundling tricks buyers into seeing value where it doesn't exist, and predicts exactly how you will respond when you are asked to explain a decision rationally that wasn't made rationally originally. That's not meant as an attack, it's an explanation. Your responses are textbook by that specific book, and most people are, nearly all people. 
You are seeing the marketing hype as important and the IT knowledge as "splitting hairs." You are using personal attacks instead of technical information. Step back, take a breath, ask what your real goal is, ask why you are getting upset. Certainly, being faced with several people all agreeing that your current setup and path forward probably aren't in the interest of your business, and then lots of information that says your reasons for choosing what you did don't hold water (maybe you thought that UTMs were how you got these features before and now you don't and are reeling from the shock that we all have these features if we want without UTMs and have for a long time) will make you risk a fight or flight amygdala response. But take a moment, reflect, let the adrenaline subside. And really think... are these ideas actually trivial? Is there really a reason you are being so defensive? Did you really ask for advice and get upset when the advice wasn't what you desired it to be? 
- 
 @dave247 said in Why Are UTMs Not Recommended Generally: I truly understand what you are saying and where you are coming from with a lot of this stuff, but you are just tireless with the discussion. So...
 - Why do I care more about your learning and network than you do?
 - Why are you arguing so much if you don't think it matters? You seem really, really passionate about specific technical implementations and vendors - but only passionate enough to get upset if we don't support them, but not enough to tell us why you feel they are good. You've given "throw away" reasons that if you had been paying any attention to what any of us were writing, you'd have realized couldn't make sense because we have all those benefits and more without the implementation you said.
 - What were you hoping for as a response? Just a quick "buy X"? That's not how IT works. Especially not good IT. We are here to learn, to grow, to understand. That's the purpose of the community. All of us have lots to learn, all of us need chances to be challenged. And nothing is a quick answer, IT isn't that simple. There are loads of products and product types on the market because there are not just so many ways to skin a cat, but so many different cats. IT is complex and to do it well we have to really, really understand all these pieces.
 One of the most important things you can glean from community "arguing" is learning to look at your decisions and be forced both to think about them rationally (and be open to admitting when they are not your decisions, and/or are not rational) and to then articulate those reasons in ways that convey that logic to others. In your back and forth, for example, you kept saying things that you should have known were "blow off" answers that logic reason or logic. For example, you said that SonicWalls were "easy", but didn't give a comparison. For those of us who have used them and others, we see them as very hard and a waste of time. You didn't give an "easy compared to..." for us to understand your context. They aren't "hard", but are quite hard compared to their competition, especially compared to competition that many of us are suggesting we prefer here. All things that have been in other threads, too. Or when we point out that the UTM model doesn't do something "as well" as another model, instead of explaining why you feel a UTM is a superior model, you simply state over and over that the UTM "can do it" and expect that illogical response that suggests you aren't reading what we are writing at all to mean something. No one suggested the UTM can't do content filtering, we are saying that it isn't the best way to get the same results. It feels like we, and especially I, are arguing with you a lot. But go back and read carefully. There is a LOT of what "feels like arguing" that is really just pointing out that you are not responding to real information. Stating that the SonicWall you have does something, when you know that everything else does that too, is obviously meaningless. Why were you stating that in that way if not for the sole purpose of creating an argument and then claiming that people are arguing? You forced us to either leave on obvious misdirection, or point out that what you said didn't make sense. 
- 
 @dave247 here is a mental exercise to try (don't do this for real, just do it in your head...) Go back and read the discussion. Then picture yourself printing it out, and handing it to your CEO for a review of your thinking. Ask him to look over the discussion and give his opinion, not of whether UTMs make sense or not, he has no way to know, but of your approach to thinking about them. Would you be happy with him reviewing your "logic" behind spending so much money, spending so much time, and how you are looking to secure your business in the future? Are you confident standing behind your decision making? Take the reverse. I'm completely comfortable knowing that my statements are public, my boss can (and does) read them, as do my customers. I feel confident that, regardless of if a UTM is correct in any given situation, my logic, points, consistency, etc. speak for themselves and I stand behind them. I have no worries that someone to whom I answer, even if it is just other peers in the community, can look at this and will agree, perhaps not with my conclusions, but with my statements and logic. Thinking of it as a private conversation between two people makes it far easier to lose perspective. Thinking about your decisions of this nature as being continuously reviewed by someone to whom you answer can help you step away and look at your logic with an outsider's view and can help force a perspective. Do you feel that your reasons would hold up if someone whose money was being spent, and whose data was needing to be protected, was the one who was reviewing your logic? 