Quit Complicating Our Controls – UTM Remix
I had a good comment from Tarek on the original Quit Complicating Our Controls post.
In fact, firewall were made to protect the different network segments or zones from each other by controlling who is supposed to talk to who using which protocol or application.
But later one, applications such as FTP, SIP, etc. started to open dynamic ports, and firewalls were forced to evolve and become more application aware. On the other hand Proxy Firewalls such as MS ISA – I know it’s a piece of crap – but such firewalls were able to see the application layer, add rules to prevent people from downloading ZIP and MP3 files, Inspect SMTP for spam, etc. So firewall vendors were forced to compete with them in this, especially that such Proxy Firewalls are popular in SOHO and SMB networks. And I think this is when UTM came to life. Vendors also competed with each other and each vendor wanted to have more features in his data-sheet, and I think were are going to see vendors announcing that their firewalls are the first to market with built in Coffee Makers.
I can agree with what you wrote here sometimes. For an ISP’s Data Centre or a Large Multinational Company this can be true. Having an all in one box is not the best choice. But when it comes to normal mid-range enterprises they can have a UTM, and in such case having two layers of clustered UTM’s from different vendors can protect them when complexity lead to a vulnerability in one box.
I wanted to cover this because UTM is actually a different animal then what I was originally addressing. Although I do not have any experience with Unified Threat Management, as a blogger I don’t feel ashamed jumping into it. I am sure that Chris Hoff, Rich Mogull, Lori MacVittie, Andy Willingham, or Alan Shimel will correct me if I am misguided.
Application firewalls have their own unique places. True, they definitely should not be lumped onto the controls you are using to separate your environments. But, the applications firewalls serve a purpose of, to use the terms loosely, deep-packet inspection and correlation directly associated with that specific application. These controls should be deployed directly in front of the application or application farm so that it can provide the most protection.
Now, as I mentioned UTMs are a different animal. They are taking the controls we are talking about separating and, although placing them on one device, keeping them separate. I imagine that when deployed correctly no one component of the system has the administrative access to the complete system. UTMs should be deployed so that while working the controls in parallel they are also passing the information off to controls that operate within their role with lesser privileges than the central system. So, technically, in the spirit of my original arguement, UTMs are acting correctly. Although we do get back to the whole, single point of failure issue, but that can be addressed by high availability.
Tarek, I think the real trap you are falling into is expanding the cost of your security controls by recommending separate UTMs within the same environment. Now, I do agree that having two would help reduce some risk, but not enough to offset the cost of the system, its installation, the training of employees, documentation of configuration, and many other things involved with deploying a solution. I image that deploying a UTM is in and of itself a very complicate task and organizations will have their hands full implementing one. Adding a second would just be cruel. Actually, by making this recommendation, you may be burning your bridges with your management. Remember, your management is going to be evaluating risk to reward and cost as well. If you are making recommendations that SIGNIFICANTLY increase cost and complexity without reducing risk SIGNIFICANTLY, you are running the risk of your management labeling your security group as a liability rather than an asset. Although this may not be true to your organization, I would think twice before making the dual UTM recommendation.
Go forth and do good things,
Don C. Weber
UTM, firewalls, Tarek, Security Ripcord, application firewalls
Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.
You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
December 10th, 2007 at 5:59 pm
Not wanting to disappoint you, here is my first-round response:
http://rationalsecurity.typepad.com/blog/2007/12/consolidating-c.html
Looking forward to yours…
/Hoff
December 10th, 2007 at 11:53 pm
A Network Layer is a Network Layer, but when it comes to Application Layer, we have dozens of Applications and each have its own security requirements. For SMTP, Spam is your enemy. When it comes to File Sharing, CIFS, FTP, HTTP, SMTP and POP3, you should check the files being transferred to make sure they do not contain Viruses. IPSs and IDSs are needed to protect you from the different worms and exploits that span from layer 2 up to layer 7. So, this is what UTM’s are doing, it’s a box – mainly a firewall – with many other addons such as Network Based Antivirus, Network Based Antispam, and Network Based IPS.
I am not sure what you mean here by Application Layer Firewalls. Are you talking about Proxy Firewalls, or those who have protocol pre-processors and are application aware such as Palo Alto Networks’ Firewall?
Anyway, I am not with Proxy Firewalls, in fact I think it’s something from the past, and even in Gartner’s report, the top leader vendors are all Stateful Firewalls. Now if you are talking about Application Aware Firewalls, I think this is equivalent to Deep Packet Inspection which can some how be considered as light version of Network IPS.
So, what I want to say here is that Application Firewalls are a subset of UTM’s. And with today’s Networks layer-3 and layer-4 visibility is not enough, especially with the applications using port 80 such as P2P and IM’s as well as the Web 2.0 hype where everything is becoming web-based. So a firewall will never be able make good decisions without being able to inspect the Application Layer. Also keep in mind that applications that open dynamic ports will never work without Application Aware firewalls.
My suggestion of having two layers of UTM’s is a response to your complexity vs. vulnerability issue. I already know many customers who prefer to have two layers of Firewalls/UTM’s from two different vendors.
“Now, I do agree that having two would help reduce some risk, but not enough to offset the cost of the system, its installation, the training of employees, documentation of configuration, and many other things involved with deploying a solution. I image that deploying a UTM is in and of itself a very complicate task and organizations will have their hands full implementing one. Adding a second would just be cruel”.
Yes, it will add cost and complexity to the installation, but this is for sure less than the complexity and the cost of having different boxes for Anti-Spam, Firewall, VPN Concentrator, Anti-Virus, Anti-Spyware, IPS, Behaviour Analysis, hmmm … you name it.
December 12th, 2007 at 12:16 pm
[...] Christopher Hoff Ponders Consolidation vs. Piling it On on Quit Complicating Our ControlsTarek on Quit Complicating Our Controls – UTM RemixChristofer Hoff on Quit Complicating Our Controls – UTM RemixSecurity Ripcord » Blog Archive [...]
December 12th, 2007 at 10:04 pm
[...] Mike says Cutaway doesn’t know sh*t from Shinola about UTM’s (in defense of Rothman, Cutaway admits he doesn’t). Hoff says Cutaway is smoking crack if he thinks UTM’s add complexity since you are [...]
December 20th, 2007 at 3:43 pm
[...] other addons such as Network Based Antivirus, Network Based Antispam, and Network Based IPS. Some people may argue that UTMs are not mature enough and they add complexity to the network. They also believe that an [...]