That explanation is exactly what I was looking for in the first article. Thank you for the clarification. You tend to put things into perspective very well and I am glad my readers, and myself, could benefit.

Tipping the king is in reference to conceding a Chess game because of an untenable position. I wasn’t referring to you as trying to be “The King” because everybody knows it’s me, baby. The reference to the board being reset is my way of saying that it is time to start the next game in the match. I’m sure a topic will spring up.

Go forth and get me that beer <- Which is definitely a good thing!!!
Don C. Weber

I’m not trying to be the king, but I think the point here that you’re missing is that there’s little if no difference except for a marketing handle between UTM devices and “all-in-one” firewalls like those mentioned in the DR article.

What I mean is when you said “I have a problem with vendors who are developing products that provide many security controls on one system (not UTMs, I’m talking firewalls performing a combination of spam detection, anti-virus, protocol analysis, data evaluation, and whatever else the vendor thinks will sell) and selling it as the ultimate solution for the perimeter of a company’s infrastructure.”

…that *IS* UTM, especially within the realm of the small business/small enterprise.

The reason it exists beyond what you allude to as (almost) vendor greed is actually the “natural” market convergence of functionality over time where features/functions become commoditized and are integrated into larger solution sets.

At a high-level I will agree that statistically based upon current industry trends of errors per lines of code that you will, on average, see the additive effect of combining functions when you add new features, but many of these errors do not lead to exploitable vulnerabilities.

And finally, in terms of risk, there are many facets of the definition: financial, operational, technical, reputational, etc…

In using these products – whether you call them UTM or not – a decision is made that given the maturity of these products, the cost and “complexity” of maintaining 5-6 disparate systems, the need to streamline operations, etc. outweighs the risk of combining these functions.

Most SME/SMB’s do not deploy multi-vendor, split DMZ architectures, so they do rely on a single product and have for years…

It’s getting much more difficult to find “just” a firewall, “just” and IDS, etc. Each of these product catagories are becoming more and more blurred as they all — wait for it — add functions to remain competitive and give the users what they want. More bang for the buck.

And just for the record, the Palo Alto box (today) is not positioned to replace the firewall, it sits behind it.

Is this “poor architecture?” Possibly, depending upon your network, your business requirements and your risk tolerance, but suggesting that in general it’s a bad idea is, well, a bad idea.

Again, I wasn’t posturing up and trying to be all that, but my experience does count for something in my opinion and it tells me that while you’re concern is reasonable, it just isn’t in step with the realities of what the market requires or needs.

There will always be exceptions.

The beer is still yours.

/Hoff