An ITKE poster recently asked a great question.
Experts tout unified threat management appliances as an ideal antimalware, intrusion prevention and content filtering firewall for midmarket companies. But doesn’t this counter the long-standing security practice of defense-in-depth? With one vendor, platform, and management console, aren’t we talking about a dangerous single point of failure?
When is UTM good enough? When should we go with standalone devices?
Here’s the answer that I offered:
Actually, it is defense in depth even though they are all contained on one appliance or device. Think about the layers in a bulletproof vest. They each work in tandem to prevent damage to the person wearing it. However, just one type of layer by itself would likely not be enough protection against certain firearms.
Granted, it is a single point of failure, but the ability to manage an entire suite of services from one console is attractive to many smaller organizations that may not be able to provide the care and feeding of single-purpose devices. The ability of a vendor to patch the entire product suite against vulnerabilities is another good reason to go to a UTM device. If using multiple devices from different vendors, then the vulnerability exposure could potentially be greater if one vendor addresses a vulnerability in their appliance/service but another does not.
I would go to standalone devices if the potential threat to my organization could create capacity/performance issues on the UTM device.
How do you think about the UTM vs defense in depth issue? Do you agree with the answer I offered? What do you think?
Thanks for reading and let’s continue to be good network citizens.