UTM back and forth

December 12, 2007 // Posted in Security  

So what has my buddy Cutaway got himself into here?  Looks like the Hoff and the Roth are smacking him around a bit about his stance on UTM.  Mike says Cutaway doesn’t know sh*t from Shinola about UTMs (in defense of Rothman, Cutaway admits he doesn’t).  Hoff says Cutaway is smoking crack if he thinks UTMs add complexity, since you are putting everything in one box.  Cutaway just wants a beer (see end of post).


As I read through all of this, I had to say that I agreed with Mike and Hoff more than Cutaway.  My major beef with Cutaway is his assertion that risk is increased because of the possibility of vulnerabilities due to so much functionality being loaded into one box.  While on the face of it that seems to be true, Cutaway and Andy seem to be assuming that a UTM = a big Linux box with a bunch of security apps thrown on it.  My guess is most companies don’t have an uber-geek working for them and are more likely to buy a box from Juniper, Checkpoint, Fortinet, etc.  These run proprietary OSes that do not typically fall prey to the same problems as a Linux server with Squid, Snort, and SpamAssassin installed on it.  The scenario is still possible, to be sure, but a LOT less likely with purpose-built hardware and OS.

Also, the single point of failure is a real problem, but a good network design (redundant boxes in the right places) mitigates that, so it only comes into play if you have a problem spending a few thousand more dollars. :)

To take this to another level, I wonder if Cutaway would think that a multi-segmented firewall or IPS is dangerous because, if the box is compromised, then every segment behind it becomes vulnerable?  That is also a true assertion, but is the risk worth the cost savings and convenience?

But just to show that I am not only disagreeing with Cutaway (I will buy you a beer next time we see each other, buddy), let’s look at this statement from Mike:

Consolidating hardware and more importantly the management of these disparate network security functions is critical to helping today’s security folks to keep their heads above water.

First of all, if you standardize on one manufacturer’s hardware, you’ll find that many (if not most) have a management application that makes management a lot easier, even if you have multiple functions dispersed among different boxes.  Also, with the advent and (hopefully soon-to-be) maturation of the configuration management solutions out there, this may not be as big an issue in a few years.  Mike’s statement is true, but not as significant as it once was.

Vet

This entry was posted on December 12, 2007 at 5:04 pm and is filed under Security.