    Why I See UTMs As Generally Bad in the Current Market

    IT Discussion
    utm firewall security ngfw networking router
    • NashBrydges @scottalanmiller

      @scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:

      I believe both Sophos and Palo Alto offer their UTM products in software at a pretty major price discount from their appliance offerings. But as they are both closed pricing, there is no official pricing on either approach.

      I can't speak for PA but Sophos licensing in a VM is based on IP addresses while the hardware isn't limited to that license scheme. Guess it's their way of forcing people to the hardware.

      • scottalanmiller @NashBrydges

        @NashBrydges said in Why I See UTMs As Generally Bad in the Current Market:

        I can't speak for PA but Sophos licensing in a VM is based on IP addresses while the hardware isn't limited to that license scheme. Guess it's their way of forcing people to the hardware.

        That's... weird 🙂

        • scottalanmiller @NashBrydges

          @NashBrydges said in Why I See UTMs As Generally Bad in the Current Market:

          One thing that I've read over and over and over is that UTM's are generally NOT recommended. However, I'm interested in what use-cases people believe they may be a good fit. I often see "if you're going to use a UTM, get a Palo Alto" but would love to hear about when people think it IS a good fit.

          UTMs or more often "UTM features in a VM not on a firewall" are needed typically in environments that are subject to focused, external attack vectors. Not typically companies that might be getting dinged by script kiddies, but ones where aggressive, trained attackers feel that they are a specific target worthy of focus. Banks, for example. Police agencies. Maybe hospitals. Places that are treasure droves of digital data. Places that hold data or access for lots and lots of other people.

          • dave247 @scottalanmiller

            @scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:

            NGFW has trumped UTM in the hype of "what's current" for network edge security. NGFW are simpler, more of an evolutionary advancement of our more traditional firewalls, and make far more sense as they are both more effective (generally) than UTMs, and follow standard IT concepts of how to approach services on the network.

            I am thrown off by this. Are you supporting the use of "next generation firewalls" over the use of UTMs? I mean, I read through this twice now and that's what I am taking away from this paragraph. I skimmed through the comments and it sounds like people are saying that NGFW and UTMs are about the same thing, which I can agree with since the various security products over the years would naturally fall into different places across the security appliance spectrum (evolve), some being more similar/related than others. Your one paragraph here kind of separates the two for a moment, with the NGFW far better than the UTM, but I would think that you'd consider both bad on the basis that they are both things that group security roles (don't keep things separate).

            If you ARE supporting NGFW and opposing the use of UTMs, I will just say that my current SonicWall model is specifically listed as a NGFW (though you have argued with me in the past about it actually being a UTM). Also, the Sophos XG product that I originally posted about is also an NGFW. I assume you will respond by saying that they just stopped calling them UTMs and are now calling them NGFW, so if that's the case, can you provide some list of products or features that you would use to distinguish a UTM from a NGFW?

            • CloudKnight

              An interesting topic, we could go on from this by recommending how to run the individual services correctly outside of the UTM device. IDS/IPS, DPI. Etc. That would be a good topic as well.

              • Donahue @CloudKnight

                @StuartJordan said in Why I See UTMs As Generally Bad in the Current Market:

                An interesting topic, we could go on from this by recommending how to run the individual services correctly outside of the UTM device. IDS/IPS, DPI. Etc. That would be a good topic as well.

                I agree

                • scottalanmiller @dave247

                  @dave247 said in Why I See UTMs As Generally Bad in the Current Market:

                  I am thrown off by this. Are you supporting the use of "next generation firewalls" over the use of UTMs? I mean, I read through this twice now and that's what I am taking away from this paragraph. I skimmed through the comments and it sounds like people are saying that NGFW and UTMs are about the same thing, which I can agree with since the various security products over the years would naturally fall into different places across the security appliance spectrum (evolve), some being more similar/related than others. Your one paragraph here kind of separates the two for a moment, with the NGFW far better than the UTM, but I would think that you'd consider both bad on the basis that they are both things that group security roles (don't keep things separate).

                  To some degree, all of these things are marketing terms, so that makes it a little hard to discuss clearly. So to clarify...

                  Where UTM = Firewall with "non-firewall features running on it instead of VMs" and ...
                  Where NGFW = Firewall that uses packet inspection deeper than L4

                  Then yes, when appropriate NGFW can be a very good thing. NGFW does not imply running extra "services" on the router that could be in their own VMs. An NGFW is the evolution of the firewall itself, not adding other things to the firewall as if it were a general purpose server. NGFW things cannot realistically be offloaded elsewhere.

                  Of course, to muddy the waters, you will have firewall makers making an NGFW and then adding UTM features to it to make something both. I retain that the UTM "putting things that would function better elsewhere" on to any firewall is not the best approach (the exception would be in the rare case where you need those features but don't have a server infrastructure), even if the underlying firewall is an NGFW with deep packet inspection.

                  • scottalanmiller @dave247

                    @dave247 said in Why I See UTMs As Generally Bad in the Current Market:

                    If you ARE supporting NGFW and opposing the use of UTMs, I will just say that my current SonicWall model is specifically listed as a NGFW (though you have argued with me in the past about it actually being a UTM). Also, the Sophos XG product that I originally posted about is also an NGFW. I assume you will respond by saying that they just stopped calling them UTMs and are now calling them NGFW, so if that's the case, can you provide some list of products or features that you would use to distinguish a UTM from a NGFW?

                    NGFW is deep packet inspection (higher layers than the L3 and L4 of traditional shallow packet inspection firewalls), but not features like content filtering, anti-virus, IDS, etc.

                    I would put it as UTM is "general purpose applications running on a router as if it were a server." That's the key differentiation. To be a UTM, you have to treat your router hardware like basically a general purpose server running traditional server workloads (AV, Content Filtering, Proxy, IDS, etc.) on it.

                    • dave247 @scottalanmiller

                      @scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:

                      NGFW is deep packet inspection (higher layers than the L3 and L4 of traditional shallow packet inspection firewalls), but not features like content filtering, anti-virus, IDS, etc.

                      I would put it as UTM is "general purpose applications running on a router as if it were a server." That's the key differentiation. To be a UTM, you have to treat your router hardware like basically a general purpose server running traditional server workloads (AV, Content Filtering, Proxy, IDS, etc.) on it.

                      OK, that helps clarify then. In my case, our current appliance is being used as both NGFW and UTM. The product we are looking at would be about the same, but do a better job in different areas.

                      • scottalanmiller @dave247

                        @dave247 said in Why I See UTMs As Generally Bad in the Current Market:

                        OK, that helps clarify then. In my case, our current appliance is being used as both NGFW and UTM. The product we are looking at would be about the same, but do a better job in different areas.

                        Right, so basically these days, any good UTM will be based on NGFW as its starting point. SonicWall, Sophos, Palo Alto should all be NGFW + UTM.

                        The NGFW I'm fully in support of when it makes sense (which is decently often), but the UTM pieces I would much rather see elsewhere (if at all), meaning running on the server infrastructure.

                        • scottalanmiller

                          The difficulty with all of those things is handling encryption. That's long been a problem. One that is partially solved, but not fully. Even "solving it" creates problems.

                          NGFW has been a term for quite a while, but I don't like it. A firewall with DPI should just be called that, ideally. Not treated like it is a new magical thing. But... sales people.

                          • dave247 @scottalanmiller
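The distinction drawn in the posts above, a traditional firewall deciding on L3/L4 fields versus an NGFW inspecting deeper, and the follow-on point that encryption limits what deeper inspection can see, as an added example that is not code from the thread or from any of its participants. It builds a constructed TLS ClientHello carrying an SNI extension, parses the hostname back out the way a DPI engine would, and runs the same flow through a 5-tuple rule and an SNI-aware rule. The hostnames and the block list are hypothetical; the ClientHello builder emits only the fields the parser reads.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One client-to-server flow as a firewall sees it: 5-tuple plus the first payload bytes."""
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes


def build_client_hello(server_name: str) -> bytes:
    """Constructed test input: a minimal TLS ClientHello record with one SNI extension.
    Layout follows RFC 5246 / RFC 6066; only the fields extract_sni() reads are meaningful."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list     # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)      # client_version + random (zeros: constructed data)
            + b"\x00"                    # session_id length 0
            + b"\x00\x02\x13\x01"        # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload: bytes) -> Optional[str]:
    """Return the SNI hostname from a TLS ClientHello, or None if the bytes are not a
    ClientHello or carry no server_name extension (plain HTTP, TLS with ECH, truncated data)."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        p = 9                                   # record header (5) + handshake header (4)
        p += 2 + 32                             # client_version + random
        p += 1 + payload[p]                     # session_id
        cipher_len = struct.unpack_from("!H", payload, p)[0]
        p += 2 + cipher_len
        p += 1 + payload[p]                     # compression_methods
        ext_total = struct.unpack_from("!H", payload, p)[0]
        p += 2
        end = p + ext_total
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", payload, p)
            p += 4
            if ext_type == 0:
                q = p + 2                       # skip ServerNameList length
                name_type = payload[q]
                name_len = struct.unpack_from("!H", payload, q + 1)[0]
                if name_type == 0:
                    return payload[q + 3:q + 3 + name_len].decode("ascii")
            p += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def l4_verdict(flow: Flow) -> str:
    """Traditional stateful firewall rule: 'allow tcp/443 outbound', decided on the 5-tuple only."""
    return "allow" if flow.proto == "tcp" and flow.dport == 443 else "deny"


BLOCKED_HOSTS = {"files.example.net"}   # hypothetical policy list for the example


def ngfw_verdict(flow: Flow) -> str:
    """Same L4 rule, then inspection above L4: the two flows below are identical at L3/L4,
    but the ClientHello's SNI lets the firewall decide per destination hostname.
    When the hostname is not visible (ECH, non-TLS, truncated), the L4 decision stands."""
    if l4_verdict(flow) == "deny":
        return "deny"
    sni = extract_sni(flow.payload)
    if sni is None:
        return "allow"
    return "deny" if sni in BLOCKED_HOSTS else "allow"


def demo() -> Dict[Optional[str], Tuple[str, str]]:
    """Run two constructed flows with the same 5-tuple through both rule sets."""
    flows = [
        Flow("10.0.0.5", "203.0.113.10", 443, "tcp", build_client_hello("www.example.com")),
        Flow("10.0.0.5", "203.0.113.10", 443, "tcp", build_client_hello("files.example.net")),
        Flow("10.0.0.5", "203.0.113.10", 443, "tcp", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    ]
    return {extract_sni(f.payload): (l4_verdict(f), ngfw_verdict(f)) for f in flows}


if __name__ == "__main__":
    for host, (l4, l7) in demo().items():
        print(f"{str(host):20} L4={l4:5}  NGFW={l7}")
```

Both TLS flows pass the 5-tuple rule; only the SNI-aware rule separates them. The third flow shows the limit: anything that does not expose a hostname in the clear falls back to the L4 decision, which is the "partially solved" encryption problem the post above refers to. TLS 1.3 Encrypted Client Hello hides the SNI in exactly this way, and the alternative of terminating TLS on the firewall to look further is the "solving it creates problems" case.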

                            @scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:

                            Right, so basically these days, any good UTM will be based on NGFW as its starting point. SonicWall, Sophos, Palo Alto should all be NGFW + UTM.

                            The NGFW I'm fully in support of when it makes sense (which is decently often), but the UTM pieces I would much rather see elsewhere (if at all), meaning running on the server infrastructure.

                            (╯°□°)╯︵ ┻━┻

                            • scottalanmiller @dave247

                              @dave247 said in Why I See UTMs As Generally Bad in the Current Market:

                              (╯°□°)╯︵ ┻━┻

                              Same as we've always been saying. Firewall is not the place for the "UTM pieces". They are better elsewhere, when needed.

                              It's that they are rarely needed, but sometimes.
                              When they are needed, in the firewall isn't the best place for them.

                              It's not that the concepts are always bad, it's just how they are pushed way too often, and not in a good way to deploy them because it's not a good security practice to have them on the firewall.

                              • Donahue @scottalanmiller

                                @scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:

                                Same as we've always been saying. Firewall is not the place for the "UTM pieces". They are better elsewhere, when needed.

                                It's that they are rarely needed, but sometimes.
                                When they are needed, in the firewall isn't the best place for them.

                                It's not that the concepts are always bad, it's just how they are pushed way too often, and not in a good way to deploy them because it's not a good security practice to have them on the firewall.

                                How many NGFW products are on the market that do not come bundled with UTM?

                                • scottalanmiller @Donahue

                                  @Donahue said in Why I See UTMs As Generally Bad in the Current Market:

                                  How many NGFW products are on the market that do not come bundled with UTM?

                                  Pretty much all of them. UTM is nearly always an "add on" cost on top of the NGFW. But some are NGFW only, like Ubiquiti.

                                  • Donahue

                                    The reason we went with Fortigate over an EdgeRouter is that the EdgeRouter couldn't do the IPsec bandwidth we were trying to hit. But mine is an NGFW with UTM bundled in. Could there have been some other product that I don't know of that would have been better in our case?

                                    • scottalanmiller @Donahue

                                      @Donahue said in Why I See UTMs As Generally Bad in the Current Market:

                                      The reason we went with Fortigate over an EdgeRouter is that the EdgeRouter couldn't do the IPsec bandwidth we were trying to hit. But mine is an NGFW with UTM bundled in. Could there have been some other product that I don't know of that would have been better in our case?

                                      ERL does nearly half of what you need...

                                      https://community.ubnt.com/t5/EdgeRouter/ERL-Performance-Testing-with-IPSec-VPN/m-p/1053799#M44593

                                      ER and ERPro are so much more powerful. The ER Pro has 2x the CPU power, and 4x the RAM. We'd expect it to be able to saturate your lines no problem. Of course that is "expect", but based on the ERL speeds, and that they run the same code, there is little doubt that it can push IPSec over 1Gig speeds.

                                      https://dl.ubnt.com/datasheets/edgemax/EdgeRouter_DS.pdf

                                      • Donahue @scottalanmiller

                                        @scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:

                                        ERL does nearly half of what you need...

                                        https://community.ubnt.com/t5/EdgeRouter/ERL-Performance-Testing-with-IPSec-VPN/m-p/1053799#M44593

                                        ER and ERPro are so much more powerful. The ER Pro has 2x the CPU power, and 4x the RAM. We'd expect it to be able to saturate your lines no problem. Of course that is "expect", but based on the ERL speeds, and that they run the same code, there is little doubt that it can push IPSec over 1Gig speeds.

                                        https://dl.ubnt.com/datasheets/edgemax/EdgeRouter_DS.pdf

                                        Your link is what convinced me not to use the ER Pro. The Pros will only do <500 Mbps at full capacity; it's in the link you posted.

                                        • scottalanmiller @Donahue

                                          @Donahue said in Why I See UTMs As Generally Bad in the Current Market:

                                          Your link is what convinced me not to use the ER Pro. The Pros will only do <500 Mbps at full capacity; it's in the link you posted.

                                          Where in it?

                                          Oh, I see. He mentions the ER Pro in another post, then posts them without stating what they are in a thread on ERLs. VERY confusing.
