UTM back and forth

UTM back and forth

So what has my buddy Cutaway got himself into here??  Looks like the Hoff and the Roth are smacking him around a bit about his stance on UTM.  Mike says Cutaway doesn’t know sh*t from Shinola about UTM’s (in defense of Rothman, Cutaway admits he doesn’t).  Hoff says Cutaway is smoking crack if he thinks UTM’s add complexity since you are putting everything in one box.  Cutaway just wants a beer (see end of post).


As I read through all of this, I had to say that I agreed with Mike and Hoff more than Cutaway.  My major beef with Cutaway is his assertion that risk is increased because of the possibility of vulnerabilities due to so much functionality being loaded into one box.  While on the face that seems to be true, Cutaway and Andy seem to be assuming that a UTM = big Linux box with a bunch of security apps thrown on it.  My guess is most companies don’t have uber-geek working for them and are more likely to buy a box from Juniper, Checkpoint, Fortinet, etc.  These are proprietary OS’s that do not typically fall prey to the same problems that a Linux server with Squid, Snort, and SpamAssassin installed on it.  The theory is still feasible to be sure, but a LOT less likely with purpose-built hardware and OS. 

Also, the single point of failure is a real problem, but a good network design mitigates that, so that only comes into play if you have a problem spending a few thousand more dollars. 🙂

Also, to take this to another level, I wonder if Cutaway would think that a multi-segmented firewall or IPS is dangerous because if the box is compromised then each segment becomes vulnerable?  That is also a true assertion, but is the risk worth the cost savings and convenience?

But just to show that I am not only disagreeing with Cutaway (I will buy you a beer next time we see each other, buddy), let’s look at this statement from Mike:

Consolidating hardware and more importantly the management of these disparate network security functions is critical to helping today’s security folks to keep their heads above water.

First of all, if you standardize on one manufacturer’s hardware, you’ll find that many (if not most) have a management application that makes management a lot easier, even if you have multiple functions dispersed among different hardware.  Also, with the advent and (hopefully soon-to-be) maturation of the configuration management solutions out there, this may not be as big of an issue in a few years.  Mike’s statement is true, but not as significant as it once was.


6 Replies to “UTM back and forth”

  1. “Referring to UTM and then not referring to UTM was confusing…” Of course, this was all due to the communication problems associated with letters and email (to which we can safely add blogging). I understand the confusion now.

    Thanks to all for helping me understand. All of this has definitely helped.

    Go forth and do good things,
    Don C. Weber

  2. @Farnum…Right! Must remember to not take you seriously…check! (not.)

    @Don…I think you’ll find that Farnum’s point is the root of much of the
    contention surrounding your post(s) — I ‘splained part of this in that
    comment answering your question on your blog.

    Referring to UTM and then not referring to UTM was confusing…


  3. Don,

    Actually, that seemed to be exactly what you were saying when you made the assertions in this post about loading SpamAssassin, Snort, etc on a firewall box and started pointing out all the vulnerabilities each one has had in the recent past. If that was not your point, then I am not sure what it was. 🙂 back at ya.


  4. If only my wife had been drinking orange juice when she heard about that picture.

    For the record, I do not subscribe to your UTM equation and I didn’t claim to in any of the posts. Please read them first next time :). I was hoping that somebody would explain how UTM is != to big Linux box. I am trying to get somebody to explain because I don’t like the all-in-one box but I do not know enough about UTM to tell anybody what the difference is and why it might be a better solution.

    Go forth and do good things,
    Don C. Weber

  5. I’m sorry, Mike, but I need to call you on one thing…

    I never said Don was smoking anything. In fact, I haven’t even written my opinion
    yet, although I did say I disagreed with his assertions. I specifically asked Don
    questions so I *could* address what I understand to be his position.

    Just wanted to clear that up before I responded to his post.



Comments are closed.