Now we enter the next-generation firewall. In the last article we share the NGFW’s role in today’s enterprises. We also pointed out that NGFWs are not UTMs. Yes, NGFWs are not UTMs even though it can often be difficult to discern the difference between unified threat management (UTM) and next-generation firewalls (NGFW). Experts agree that the lines appear to be blurring between the two product sets, but enterprises that focus on defining each product type during the purchasing process may be making a mistake.
In the following part we will share some experts’ thoughts and reviews from different industries, which help you know much more about the NGFWs and UTMs.
NGFWs emerged more than a decade ago in response to enterprises that wanted to combine traditional port and protocol filtering with IDS/IPS functionality and the ability to detect application-layer traffic; over time they added more features like deep-packet inspection and malware detection.
Meanwhile, UTMs were borne of a need for not only firewall functionality among small and midsize businesses, but also IDS/IPS, antimalware, anti-spam and content filtering in a single, easy-to-manage appliance. More recently UTMs have added features, like VPN, load balancing and data loss prevention (DLP), and are increasingly delivered as a service via the cloud.
According to Jody Brazil, CEO of Overland Park, Kan.-based security management firm FireMon LLC, SMBs and remote office locations were attracted to the UTM, but larger enterprises tended to favor the NGFW to standalone devices throughout the network, minimizing the impact on firewall performance.
Greg Young, research vice president for Stamford, Conn.-based Gartner Inc., said larger enterprises have had the budgets to buy the best technology, and the staff to support the more advanced features and better performance afforded by NGFWs. On the other hand, SMBs not only wanted an all-in-one product, but also needed extra support from the channel to manage the device, even if it meant that each feature of the UTM was good, but not the best.
“Service providers for ISPs have different needs than enterprises,” Young said. “So, UTM vendors will only offer basic firewall features as a price-play for that market.”
Young said those differences in ease of use and support demands still exist today, though they have become more nuanced; there is overlap in the underlying technology of NGFW and UTM, and spec sheets tend to look similar. Young said that the key differences now are more around quality of features, and the level of support from channel partners to meet customer needs.
Young also noted that vendors tend to excel in one market or the other, like Fortinet Inc. with UTM for SMBs, or Palo Alto Networks Inc. with NGFW for enterprises. Few vendors can succeed in both, he said, like Check Point Software Technologies Ltd. has done.
“The confusion came from SMB vendors trying to move into the enterprise market without making channel and quality changes,” Young said. “It was an intentional campaign to confuse, but very few end users are confused about what they need. It is either a racecar NGFW or a family van UTM.”
Brazil admitted that the differences between NGFW and UTM can be confusing, even for experienced practitioners, but described UTM as a collection of unrelated security features, one of which is the firewall.
“UTM generally refers to a firewall with a mix of other ‘bolted-on’ security functions like antivirus and even email spam protection,” Brazil said. “These are not access control features that typically define a firewall.”
What traditionally has defined next-gen firewalls, Brazil said, is robust Layer 7 application access control, though an increasing number of NGFWs are being augmented with integrated threat intelligence, enabling them to deny known threats based on a broad variety of automatically updated policy definitions.
However, Brazil did caveat his distinctions by saying that a UTM could be considered an NGFW if it met the Layer 7 parameters, and an NGFW that included malware functions could be considered a UTM. Though, he was clear that despite these potential overlap points, he would keep the classifications separate because of a lack of similarities in other respects, like access control.
Brazil said that NGFW will eventually become the standard, and the terms “NGFW” and “firewall” will become synonymous. He said UTM will remain an important product for SMBs, especially when a company prioritizes simplicity of deployment over the depth of security and performance, but NGFW and UTM will not converge because of performance and management concerns.
“The idea of a ‘converged’ network security gateway will continue to have appeal, so vendors will continue to add functionality to reduce cost of firewall ownership to the customer and increase revenue to the vendor,” Brazil said. “However, issues with performance and manageability will continue to force separate, purpose-built systems that will be deployed in enterprise networks. As such, there will continue to be enterprise firewalls that should not be considered UTMs.”
Mike Rothman, analyst and president for Phoenix-based security firm Securosis LLC., said he believes that UTM and NGFW are essentially the same, and the differences are little more than marketing semantics. Rothman agreed that marketing from vendors caused confusion, but also blamed analysts for adopting the term NGFW and driving it into the vernacular.
He said that early UTMs did have problems scaling performance from SMBs to larger enterprises, especially when trying to enforce both positive rules (firewall access) and negative rules (IPS), but that early NGFW had the same issues keeping up with wire speed when implementing threat prevention. He said that the perceived disparities were used to enforce market differentiation, and they persist today, despite these scaling issues not being relevant anymore.
According to Rothman, the confusion lies not only in comparing the two device types, but also in the term “next-generation firewall” itself, which he thinks minimizes what the device does.
“What an NGFW does is bigger than just a firewall,” Rothman said. “A firewall is about access control, basically enforcing what applications, ports, protocols, users, etc., are allowed to pass through the firewall. The NGFW also can look for and deny access to threats, like an IPS. So it’s irritating that the device is called an NGFW, as it [is] more than just a firewall. We call it the network security gateway, as that is a more descriptive term.”
Rothman said that today’s UTMs can do everything a NGFW can do, as long as they are configured properly and have the right policy integration. He said he believes that arguments about feature sets or target markets are examples of aritificial distinctions that only serve to confuse the issue.
“From a customer perspective, the devices do the same thing,” Rothman said. “The NGFW does both access control and threat prevention, as does the UTM, just a little differently in some devices. Ultimately, the industry needs to focus on what’s important: Will the device scale to the traffic volumes they need to handle with all of the services turned on? That’s the only question that matters.”
Moving forward, despite differences in opinions, the experts agree that enterprises shouldn’t go into a purchasing process by trying to decide whether they need a NGFW or a UTM. Rather, the ultimate goal should always be to focus on the best product to solve their problems.
Rothman said that the distinctions will go away as low-end UTM vendors add more application-inspection capabilities and more traditional NGFW vendors go downmarket by offering versions suitable for SMBs. He also said he doesn’t expect an end to confusing vendor marketing anytime soon, so enterprises need to be careful to ignore these semantics and focus on finding the right product to address security needs.
Young said that in the short term, UTM and NGFW will remain separate and will both continue to be mainstays for SMBs and larger enterprises respectively, and the decision around what device to use will be a question of need.
The question of UTM vs. NGFW is still divisive, and experts have different ideas regarding if and where the two technologies diverge when looking at the issue from a vendor perspective. However, when looking at the issue from a customer perspective, the experts agree that focusing on an enterprise’s security needs will help to mitigate the confusion and lead to the right product.
“It isn’t just about technology, it is about how a small company’s security is different than a big company’s security,” Young said. “It’s all about the use case, not a ‘versus.’ ”
Making the Decision: UTM vs. NGFW
The decision on purchasing a UTM or NGFW should be based on risk and what your business needs most. The following questions can help:
- Which risks are you attempting to mitigate? If you cannot fully answer this, you’re not ready to buy just yet. Perform your risk assessment (technical and operational) and determine what’s at risk and what can be done about it.
- What are your network throughput numbers, service-level agreement requirements and unique network visibility and control needs? Prospective vendors should be able to help you map your requirements to their offerings.
- How much time do you have to dedicate to deploying, managing and troubleshooting these systems?
- What are the independent test lab reports, product reviews and people using these systems saying? You’ll learn more about what’s best for your organization this way than through any other means.
The answers to these questions could very well be contrary to what a vendor’s sales engineer or account manager thinks is best for you. Only your organization knows its network best; you know what’s at risk and what you’re capable of doing about it. Get as many people involved as you can and gather all the right information so you can decide on the solution that best helps you meet your goals.
The best choice–UTM or NGFW–will emerge and be quite obvious. Just don’t get caught up in the semantics or vendor/analyst hype. Remember, it’s not wrong to choose a different product (or products) altogether.
Reference from https://searchsecurity.techtarget.com/news/2240240518/UTM-vs-NGFW-Unique-products-or-advertising-semantics