Unified threat management (UTM) is an umbrella term for a hardware or software platform that integrates multiple security functions. The term peaked in popularity a couple of years ago. These days, vendors label their products UTM, next-generation firewall (NGFW), and several other names.
UTM became particularly popular in the small and mid-sized enterprise market because it saved organizations from having to evaluate, purchase, deploy, and train personnel on multiple best-of-breed tools. It also saved money, as choosing a single security platform tended to come with a sizable discount.
The offerings vary considerably from vendor to vendor based on their existing product strengths, partnerships, acquisitions, and development roadmaps. Most include firewalls, intrusion prevention/detection systems (IPS/IDS), and secure gateways. Often, they also deal with remote access, routing, WAN connectivity, threat intelligence, and more. But it all depends on the vendor, what it has in its security arsenal, and what it can cobble together via acquisitions.
Key Features of UTM
A Gartner analysis of UTM tools noted the following features in use, as well as their frequency:
- Firewall (100%)
- URL filtering (77%)
- IPS (70%)
- Web antivirus (51%)
- IPsec (63%)
- SSL, application control and virtual private networking (VPN) (46%)
- User control, QoS, and anti-spam (41%)
As you can see, there is plenty of room for variation in this market.
UTM Buying Tips
Here are some tips to help in product evaluation and selection:
- As each vendor incorporates different tools in their software suites or UTM appliances, buyers should start with the features they need and then match UTM products up against those specific features.
- The evolving threat landscape means firewalls and UTM products need to do more than ever before. In addition to the core functions above, ask how the prospective vendor is incorporating new tools to stop complex, evolving attacks, how its tools share threat intelligence with other security systems to automatically identify and isolate infected machines, and how it is incorporating analytics.
- Investigate the degree of integration. Some tools are highly integrated. Others are just packages tied loosely together that really only integrate on the front end.
- A feature that is growing in importance is to be able to parse the mountain of information collected, correlate data with other systems, and highlight critical information or threats that require action. But not all vendors offer this. If it is important to you, insist vendors demonstrate that such functionality is available now, not merely promised on a nebulous roadmap.
Top UTM Vendors
Enterprise Networking Planet considered multiple vendors. Here are our top picks for UTM, in no particular order:
Sophos Firewall
Sophos Firewall combines the features of firewalls and UTM to offer network security with insights into network activity. It provides visibility into risky users, unwanted applications, suspicious payloads, and persistent threats. It integrates a suite of threat protection technologies that are easy to set up and maintain. The Sophos Firewall also communicates with other security systems on the network, enabling it to act as an enforcement point that contains threats and blocks malware from spreading or exfiltrating data out of the network.
- Sophos Firewall includes full-featured email anti-spam, encryption, and DLP along with a web application firewall.
- It integrates with various VPN technologies to enable remote workers to securely connect with applications and data.
- Visibility into risky activity, suspicious traffic, and advanced threats.
- Deep learning and intrusion prevention to keep networks secure.
- Automatically identifies and isolates compromised systems to stop threats from spreading.
Fortinet FortiGate
Fortinet offers a range of UTM products as part of its FortiGate and FortiCloud lines. These appliances provide high-performance, multi-layered security and unified visibility while reducing complexity. They leverage dedicated security processors and provide wireless access point controller and switch controller integration, software-defined wide area network (SD-WAN), NGFW, IPS, anti-virus, web filtering, content filtering, DLP, VPN tunnel endpoints (SSL and IPsec), SSL inspection, and advanced threat protection capabilities.
- Next-generation firewalls (NGFWs) filter network traffic to protect from internal and external threats.
- Deep content inspection to identify attacks, malware, and other threats.
- SSL inspection, application control, intrusion prevention, and visibility across the attack surface.
- FortiGate next-generation firewalls are powered by purpose-built security processing units (SPUs), including the latest NP7 (Network Processor 7).
- Inspection of traffic at hyperscale as it enters and leaves the network.
- FortiGate NGFWs can communicate within the Fortinet security portfolio as well as third-party security solutions in a multivendor environment.
Cisco Meraki NGFW
Cisco Meraki’s layer 7 next-generation firewall, included in Cisco MX security appliances, gives administrators control over the users, content, and applications on their network. The Cisco Meraki proprietary packet processing engine analyzes network traffic up to and including layer 7, using fingerprinting to identify users, content, and applications. Each network flow is categorized and access control policies are enforced.
- By classifying traffic at layer 7, it controls evasive, encrypted, and peer-to-peer applications, like BitTorrent or Skype, that cannot be controlled by traditional firewalls.
- Cisco Meraki’s next generation firewall is included in all wireless access points and security appliances.
- Integrated IDS/IPS engine based on Sourcefire Snort.
- Combines signature-, protocol-, and anomaly-based inspection methods.
- Device-aware access controls enable administrators to ensure the appropriate level of network access for each class of devices.
WatchGuard UTM
WatchGuard UTM encompasses a stateful packet firewall backed by an array of scanning engines to protect against spyware and viruses, malicious apps, and data leakage. There are many aspects to the company’s UTM offerings. The Basic Security Suite includes all the traditional network security services typical of a UTM appliance: intrusion prevention service, gateway antivirus, URL filtering, application control, spam blocking, and reputation lookup. It also includes centralized management and network visibility capabilities, as well as support.
- Protects against ransomware, botnets, advanced persistent threats, and zero day malware.
- Addresses threat prevention, detection, correlation, and response.
- Unified security controls.
- Multi-core processing delivers high throughput.
- WatchGuard Host Sensor, available through Threat Detection and Response, provides continuous event monitoring, detection and remediation of threat activity on the endpoint.
- WatchGuard Cloud Visibility and Dimension takes data from all devices across the network and presents that data as actionable information.
Untangle zSeries Appliances
Untangle zSeries appliances ship with NG Firewall pre-installed and are ready for provisioning and configuration. They provide network security from branch offices to headquarters, and their features span many of the UTM elements. The appliances range from models for small networks all the way to those for large enterprises.
- The z4 appliance is for smaller networks, branch offices, or retail locations that need a network security solution that works out of the box. It performs well under heavy workloads like content filtering, intrusion prevention, and VPN encryption.
- The z12 delivers next-generation firewall features for mid-to-large-sized offices. This appliance offers fiber connectivity for increased performance and security.
- The z20 is the largest Untangle appliance, ideal for large campuses and headquarters with 500-3,000 users.
- Multiple high-speed interfaces, fiber connectivity, fast processing and ample memory allow this 1U rackmount appliance to support large-sized organizations while exceeding expectations for both security and performance.
SonicWall UTM
SonicWall’s approach to UTM creates a security environment that delivers firewalling, content protection, anti-virus, anti-spam, and intrusion prevention on a single hardware platform. Protection starts at the gateway and blocks both internal and external threats, at multiple access points and at all network layers.
- SonicWall Reassembly-Free Deep Packet Inspection (RFDPI) goes beyond stateful inspection of the network layer by also inspecting the application layer for attacks on application vulnerabilities.
- Scans over 50 application types, as well as multiple protocols, including SMTP, POP3, IMAP, FTP, HTTP and NetBIOS.
- Matches all downloaded, e-mailed, and even compressed files against a continuously updated signature database, scanning in real time to block hidden threats.
- Eliminates rebooting after the signature file update.
- SonicWall UTM has built-in gateway anti-virus, anti-spyware, anti-spam, and intrusion prevention as part of SonicWall E-Class NSA, NSA and TZ Series gateway appliances.
- Built-in SD-WAN.
Barracuda CloudGen Firewall
Barracuda CloudGen Firewalls provide multiple layers of protection, including cloud-based sandboxing that stops traditional threats and advanced threats without impacting network performance. They can be deployed across multiple physical locations as well as in Microsoft Azure, AWS, and the Google Cloud Platform. Centralized management ensures that you can maintain a consistent security posture across your entire network perimeter.
- Barracuda Advanced Threat Protection is a cloud-based service that provides protection against ransomware, malware, and other cyberattacks.
- Multiple layers of detection including signature, static, behavioral analysis, and sandboxing.
- Real-time network protection against a range of network threats that can bypass traditional firewall security.
- Combines Deep Packet Inspection and behavioral analysis to detect and classify thousands of applications and sub-applications.
- CPU emulation-based sandbox eliminates any attachment that is not addressed by preceding layers of advanced threat signatures, behavioral and heuristic analysis, and static code analysis.
- Connected to Barracuda’s global threat intelligence network to provide real-time protection from the latest threats.
Check Point Quantum
Check Point Quantum Network Security provides scalable protection against cyberattacks on the network, cloud, data center, IoT applications, and remote users. These NGFW Security Gateways combine SandBlast threat prevention, hyper-scale networking, a unified management platform, remote access VPN, and IoT security.
- Check Point Infinity is a consolidated cyber security architecture that protects business and IT infrastructure against mega cyberattacks across all networks, endpoint, cloud, and mobile.
- Threat prevention seals security gaps and enables automatic threat intelligence sharing across all security environments.
- Includes powerful security features such as firewall, IPS, anti-bot, antivirus, application control, and URL filtering.
- SandBlast Threat Emulation and Threat Extraction offer protection against sophisticated threats and zero-day vulnerabilities.
- Cloud-based Threat Emulation engine detects malware at the exploit phase before hackers can apply evasion techniques attempting to bypass the sandbox.
- Files are quarantined and inspected, running in a virtual sandbox to discover malicious behavior before it enters the network.