Comments on: Quit Complicating Our Controls – UTM Remix

By: Green Data: Firewalls Evolution - From Application Aware to UTM

Green Data: Firewalls Evolution - From Application Aware to UTM — Thu, 20 Dec 2007 15:43:06 +0000

[...] other addons such as Network Based Antivirus, Network Based Antispam, and Network Based IPS. Some people may argue that UTMs are not mature enough and they add complexity to the network. They also believe that an [...]

By: An Information Security Place » Blog Archive » UTM back and forth

An Information Security Place » Blog Archive » UTM back and forth — Wed, 12 Dec 2007 22:04:19 +0000

[...] Mike says Cutaway doesn’t know sh*t from Shinola about UTM’s (in defense of Rothman, Cutaway admits he doesn’t). Hoff says Cutaway is smoking crack if he thinks UTM’s add complexity since you are [...]

By: Security Ripcord » Blog Archive » The Perimeter is DEAD - Let’s Make It More Complex

Wed, 12 Dec 2007 12:16:38 +0000

[...] Christopher Hoff Ponders Consolidation vs. Piling it On on Quit Complicating Our ControlsTarek on Quit Complicating Our Controls – UTM RemixChristofer Hoff on Quit Complicating Our Controls – UTM RemixSecurity Ripcord » Blog Archive [...]

By: Tarek

Tarek — Mon, 10 Dec 2007 23:53:29 +0000

A Network Layer is a Network Layer, but when it comes to Application Layer, we have dozens of Applications and each have its own security requirements. For SMTP, Spam is your enemy. When it comes to File Sharing, CIFS, FTP, HTTP, SMTP and POP3, you should check the files being transferred to make sure they do not contain Viruses. IPSs and IDSs are needed to protect you from the different worms and exploits that span from layer 2 up to layer 7. So, this is what UTM’s are doing, it’s a box – mainly a firewall – with many other addons such as Network Based Antivirus, Network Based Antispam, and Network Based IPS.

I am not sure what you mean here by Application Layer Firewalls. Are you talking about Proxy Firewalls, or those who have protocol pre-processors and are application aware such as Palo Alto Networks’ Firewall?

Anyway, I am not with Proxy Firewalls, in fact I think it’s something from the past, and even in Gartner’s report, the top leader vendors are all Stateful Firewalls. Now if you are talking about Application Aware Firewalls, I think this is equivalent to Deep Packet Inspection which can some how be considered as light version of Network IPS.

So, what I want to say here is that Application Firewalls are a subset of UTM’s. And with today’s Networks layer-3 and layer-4 visibility is not enough, especially with the applications using port 80 such as P2P and IM’s as well as the Web 2.0 hype where everything is becoming web-based. So a firewall will never be able make good decisions without being able to inspect the Application Layer. Also keep in mind that applications that open dynamic ports will never work without Application Aware firewalls.

My suggestion of having two layers of UTM’s is a response to your complexity vs. vulnerability issue. I already know many customers who prefer to have two layers of Firewalls/UTM’s from two different vendors.

“Now, I do agree that having two would help reduce some risk, but not enough to offset the cost of the system, its installation, the training of employees, documentation of configuration, and many other things involved with deploying a solution. I image that deploying a UTM is in and of itself a very complicate task and organizations will have their hands full implementing one. Adding a second would just be cruel”.

Yes, it will add cost and complexity to the installation, but this is for sure less than the complexity and the cost of having different boxes for Anti-Spam, Firewall, VPN Concentrator, Anti-Virus, Anti-Spyware, IPS, Behaviour Analysis, hmmm … you name it.

By: Christofer Hoff

Christofer Hoff — Mon, 10 Dec 2007 17:59:24 +0000

Not wanting to disappoint you, here is my first-round response:

http://rationalsecurity.typepad.com/blog/2007/12/consolidating-c.html

Looking forward to yours…

/Hoff