Why Are UTMs Not Recommended Generally
-
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
The only way to know that a UTM is providing any value is to run a crazy setup where you have a UTM on one path and a firewall on another and find a way to replay all attacks and see if what the UTM flags is actually something that would have gotten you with the other.
It's not that UTMs don't provide some value, they certainly do. But they come with loads of caveats. And basically they fall into a horrible middle ground.
Basically....
95% of companies have zero need for IDS, Edge AV, Monitoring, etc. so the cost and effort of setting up and maintaining the UTMs is just wasted funds - basically the equivalent of a small breach (cost is cost, however it happens.)
Of the 5% of companies that really need extreme security, UTMs are a terrible methodology for delivering it. The UTM is the "Small Business Server" of networks. Everyone knows it's in violation of all basic security and stability best practices, but it's cheap and convenient compared to doing it the "right way" so we ignore that it's "bad practice security". For companies where extreme security really matters for real, you can't use a UTM because it's such a bad idea. You use a normal firewall plus you have the "UTM" functionality run as part of the normal enterprise infrastructure with best of breed components in place for each piece, not just everything lumped together on a cheap piece of router hardware. We wouldn't treat our normal IT workloads like this, but since UTMs are really just smoke and mirrors, no one really cares that we aren't treating the components there like serious workloads.
Real world use of UTMs basically falls into a minuscule range of companies that somehow need more security than standard firewalls, AV, and security practices provide "for cheap", but don't quite warrant a really serious setup of separate security components. So maybe .1% of companies might actually have a UTM be a proper business decision for them (just how one in 1,000 shops actually had MS SBS server be the right choice for them) - but of those, nearly all would need Palo Alto level gear.
Yeah, I understand what you are saying about having each role of the UTM broken out into separate products and that makes sense and I can see how having the option of a system that "does it all" would be appealing to companies. Let's say I wanted to do that. What would I have to do?
What I mean is, right now we have several networks (like 6) converged through our SonicWall ports with ACLs. If I split those up, I could use a router to converge the networks, but I would need a router with enough ports - that or use a L3 switch. I feel like I never see a router with more than 2 ports (unless it has add-in cards). I could have a router for each network but then that would be a lot of hardware.
Then, for the IDS/IPS and white-listing and metrics and all that, I would have to find separate products and connect them all appropriately. I can see the cost of going this route probably being a lot more than what we pay for the SonicWall UTM, but still, I would strongly consider it if it could truly be a better system setup.
-
Is this the ideal model?
-
@dave247 said in Why Are UTMs Not Recommended Generally:
What I mean is, right now we have several networks (like 6) converged through our SonicWall ports with ACLs. If I split those up, I could use a router to converge the networks, but I would need a router with enough ports - that or use a L3 switch. I feel like I never see a router with more than 2 ports (unless it has add-in cards). I could have a router for each network but then that would be a lot of hardware.
Even my $95 router at home is three ports. Ubiquiti offers 3, 4 and 8 port routers. MikroTik offers all kinds of combinations.
An L3 switch is actually "just" a router, too. If you needed way more than 8 ports.
-
If you just want VLANs, there is no need for more than two ports on your router. You only need more than two ports when you have more than one LAN, not more than one VLAN. So that matters as to whether you need more ports or not.
-
@dave247 said in Why Are UTMs Not Recommended Generally:
Is this the ideal model?
So there is no totally accepted placement here, but I'm of the mind and I believe Cisco is as well, that your IDS is best after your edge router (inside of it) rather than outside. You don't want your IDS busy tracking all that worthless traffic out there, you only want it to see the stuff your firewall isn't blocking.
Missing from your diagram is other UTM functions like Network AV or Web Proxy, those would potentially be inline between the router and the switch as well. Not always, but optionally.
But yes, in the general sense, you have the idea...
Internet -> Firewall -> IDS -> AV, Proxy, etc. -> Switching
-
@dave247 said in Why Are UTMs Not Recommended Generally:
Yeah, I understand what you are saying about having each role of the UTM broken out into separate products and that makes sense and I can see how having the option of a system that "does it all" would be appealing to companies. Let's say I wanted to do that. What would I have to do?
The first decision point is.... do you really get value from security features beyond those of a good firewall?
If yes, then which ones specifically?
Then you'd find ways to get those specific features.
-
I understand the no need for UTM to block stuff as most routers will do it. But what about things like content filtering? How do you block unwanted websites being accessed?
-
@hobbit666 said in Why Are UTMs Not Recommended Generally:
I understand the no need for UTM to block stuff as most routers will do it. But what about things like content filtering? How do you block unwanted websites being accessed?
usually with proper VM acting as content filters/proxies
-
@hobbit666 said in Why Are UTMs Not Recommended Generally:
I understand the no need for UTM to block stuff as most routers will do it. But what about things like content filtering? How do you block unwanted websites being accessed?
Yeah, that's something I was wondering too but it really comes down to just another service either through a separate appliance on the edge of the network or role enabled somewhere else such as on end-point AV. We use Trend WFBSS where I work and we can do DNS white-listing through that, but it is ideal to have it at the firewall in the event that some device isn't running the Trend AV agent. So yeah, I would have it on the edge, preferably.
-
@scottalanmiller SAMIT video?
-
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
@dave247 said in Why Are UTMs Not Recommended Generally:
Yeah, I understand what you are saying about having each role of the UTM broken out into separate products and that makes sense and I can see how having the option of a system that "does it all" would be appealing to companies. Let's say I wanted to do that. What would I have to do?
The first decision point is.... do you really get value from security features beyond those of a good firewall?
If yes, then which ones specifically?
Then you'd find ways to get those specific features.
BTW, what would be a good firewall anyway? Like every time I look up firewall, all I find is UTM
-
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
@JaredBusch said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):
@dave247 I never recommend a UTM. If you are going to go UTM, then go Palo Alto.
SonicWall is crap. Sophos and Watchguard are meh.
Same advice here. Avoid UTMs nearly always (there are exceptions, but not that many), but when you need one, then you need one that is really good and that's Palo Alto. These cheesy cheap UTMs just don't cut it. They don't do that much, but cost way too much for what they do.
Not disagreeing but I'm looking for some real life examples. Simply saying one is crap or cheap, or better from a top level when others are more expensive or less expensive (I know, price not relevant for quality) doesn't cut it.
What's a real life scenario where SonicWall is crap and Palo Alto wins?
-
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
@dave247 said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):
@scottalanmiller said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):
@dave247 said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):
@scottalanmiller said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):
@JaredBusch said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):
@dave247 I never recommend a UTM. If you are going to go UTM, then go Palo Alto.
SonicWall is crap. Sophos and Watchguard are meh.
Same advice here. Avoid UTMs nearly always (there are exceptions, but not that many), but when you need one, then you need one that is really good and that's Palo Alto. These cheesy cheap UTMs just don't cut it. They don't do that much, but cost way too much for what they do.
Can you explain your reasoning a little more in depth? I've had mostly good experience with SonicWall..
Define good experiences. One of the problems with UTMs is that they do things that often have negative outcomes, but seem positive. They are part of what is known as security theater. They encourage false fears, and provide false results that seem to protect you against things that generally aren't really threats. It's very difficult to really find value in them, but it's easy to perceive it.
Not that they have zero value, they can have benefits. But those benefits are generally extremely nominal, while they are costly to acquire and costly to maintain.
Our appliance has protected us from various threats (IDS/IPS, Gateway AV, etc), monitoring and alerting have been nice, firewall configuration is easy, support is really good, etc.
So these are the things that I mean. How do you know that it has protected you from something? The only way to know this is for the UTM to claim it. But that's not a good measure. Those of us without UTMs are generally protected from those same things without having a UTM. So while it's essentially impossible to prove, all evidence suggests that the threats it protected you against aren't real world threats at all. You don't need an IDS or Gateway AV to protect you from them. Your normal every day $100 firewall generally blocks all that stuff already. What it doesn't block, your OS normally does, what it doesn't, the OS AV does. UTMs famously report on all kinds of things we normally ignore because they aren't really threats. That's the security theater we are talking about. Not only do they produce a panic reaction by making your network seem under attack more than it really is, they also make it seem like they are what is protecting you. When in reality, they normally do absolutely nothing of consequence.
Monitoring and alerting is "nice", but how often was it useful? What kind of monitoring are you getting? Our non-UTMs alert to basic stuff, too.
I've worked with SonicWall, if that's what you call easy, you need to check out some other stuff. It's not terrible, but I wouldn't call it good. SonicWalls cost at least double in time to set up compared to lower cost gear. That they are time wasters is specifically one of the issues we typically have with them. They require more time and effort than other options. This is generally true for all UTMs, to do what they do, they require more input.
I agree here. You're going to see the UTM doing more if it's the first hit. But also, I see so much that the OS and AV block that the UTM lets through.
-
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
If you just want VLANs, there is no need for more than two ports on your router. You only need more than two ports when you have more than one LAN, not more than one VLAN. So that matters as to whether you need more ports or not.
I don't fully understand where you are coming from here. I have a different VLAN for each different network (LAN).
Are you talking about having sub-interfaces?
-
@dave247 said in Why Are UTMs Not Recommended Generally:
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
If you just want VLANs, there is no need for more than two ports on your router. You only need more than two ports when you have more than one LAN, not more than one VLAN. So that matters as to whether you need more ports or not.
I don't fully understand where you are coming from here. I have a different VLAN for each different network (LAN).
Are you talking about having sub-interfaces?
I think he means you have different physically separated LANs
-
@hobbit666 said in Why Are UTMs Not Recommended Generally:
I understand the no need for UTM to block stuff as most routers will do it. But what about things like content filtering? How do you block unwanted websites being accessed?
We've been doing this since the dawn of the web, UTMs are newcomers. Squid Proxy is the simplest "on your network" solution. Hosted DNS filters like pi-hole are the simplest "outside your network" solution. All kinds of ways. You can do it with your internal DNS, too. Depends on your goals.
But the first question is always.... does this really serve a business function? Content filtering can be handy, but typically undermines the business. Like most things, there is a time and a place for it, but most companies do it to prove to employees that they control them, not for any business goals.
-
@dave247 said in Why Are UTMs Not Recommended Generally:
@hobbit666 said in Why Are UTMs Not Recommended Generally:
I understand the no need for UTM to block stuff as most routers will do it. But what about things like content filtering? How do you block unwanted websites being accessed?
Yeah, that's something I was wondering too but it really comes down to just another service either through a separate appliance on the edge of the network or role enabled somewhere else such as on end-point AV. We use Trend WFBSS where I work and we can do DNS white-listing through that, but it is ideal to have it at the firewall in the event that some device isn't running the Trend AV agent. So yeah, I would have it on the edge, preferably.
It should never, ever be on the edge. Having it on the edge doesn't provide the peace of mind you are envisioning, that's part of the smoke and mirrors of UTM sales. You don't even need it on your network to get that. It just has to be inline in your web processing pipeline.
-
@dave247 said in Why Are UTMs Not Recommended Generally:
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
@dave247 said in Why Are UTMs Not Recommended Generally:
Yeah, I understand what you are saying about having each role of the UTM broken out into separate products and that makes sense and I can see how having the option of a system that "does it all" would be appealing to companies. Let's say I wanted to do that. What would I have to do?
The first decision point is.... do you really get value from security features beyond those of a good firewall?
If yes, then which ones specifically?
Then you'd find ways to get those specific features.
BTW, what would be a good firewall anyway? Like every time I look up firewall, all I find is UTM
That's because that's where all of the marketing dollars go. Firewalls aren't things that people really search for anymore. And most people now just call them routers, because in the IT market since the 1990s, all routers are firewalls, and all firewalls are routers, so people sell them randomly as either. The higher end, the more likely to be called a router.
Most popular around here is Ubiquiti EdgeRouters.
-
@dave247 said in Why Are UTMs Not Recommended Generally:
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
If you just want VLANs, there is no need for more than two ports on your router. You only need more than two ports when you have more than one LAN, not more than one VLAN. So that matters as to whether you need more ports or not.
I don't fully understand where you are coming from here. I have a different VLAN for each different network (LAN).
Are you talking about having sub-interfaces?
VLANs don't require firewall ports. Physical LANs do. You are saying you have VLANs, but saying you need firewall ports for them.
Basically it works this way....
If you have VLANs to separate your LANs, you can do it all on one port.
If you have physical port separation for your LANs, you have no purpose for VLANs.
VLANs or physical separation are both fine for different use cases, neither is a terrible thing, neither is automatically better than the other. But your description of using VLANs and using six ports on your firewall don't seem to fit. In theory, it should be one or the other.
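As an added example (not from the thread or any poster), this is what "all on one port" looks like on a Ubiquiti EdgeRouter, which the thread names as the popular choice: eth1 is a single 802.1Q trunk to the switch carrying six VLAN sub-interfaces (vif), one per former firewall port, and a per-sub-interface ruleset replaces the per-port ACLs. VLAN IDs, addresses, names and rules are assumed; the WAN interface and NAT are assumed to be configured already, and the switch port facing eth1 must be a trunk tagging VLANs 10-60.

```edgeos
configure

# One physical port carries every LAN as a tagged trunk (assumed: eth1)
set interfaces ethernet eth1 description 'TRUNK to core switch'

# Each LAN becomes a VLAN sub-interface on that one port (assumed IDs/addresses)
set interfaces ethernet eth1 vif 10 description 'SERVERS'
set interfaces ethernet eth1 vif 10 address 10.0.10.1/24
set interfaces ethernet eth1 vif 20 description 'WORKSTATIONS'
set interfaces ethernet eth1 vif 20 address 10.0.20.1/24
set interfaces ethernet eth1 vif 30 description 'VOIP'
set interfaces ethernet eth1 vif 30 address 10.0.30.1/24
set interfaces ethernet eth1 vif 40 description 'PRINTERS'
set interfaces ethernet eth1 vif 40 address 10.0.40.1/24
set interfaces ethernet eth1 vif 50 description 'MGMT'
set interfaces ethernet eth1 vif 50 address 10.0.50.1/24
set interfaces ethernet eth1 vif 60 description 'GUEST'
set interfaces ethernet eth1 vif 60 address 10.0.60.1/24

# Group covering all internal VLANs, so one rule can mean "any other LAN"
set firewall group network-group INTERNAL description 'All internal VLANs'
set firewall group network-group INTERNAL network 10.0.0.0/16

# Policy for GUEST: internet only, nothing internal. A ruleset bound with
# 'in' on a vif filters traffic that enters from that VLAN and is routed
# onward, which is where the per-port ACLs used to sit.
set firewall name GUEST_IN default-action drop
set firewall name GUEST_IN rule 10 description 'Allow return traffic'
set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 state established enable
set firewall name GUEST_IN rule 10 state related enable
set firewall name GUEST_IN rule 20 description 'Drop guest to any internal VLAN'
set firewall name GUEST_IN rule 20 action drop
set firewall name GUEST_IN rule 20 destination group network-group INTERNAL
set firewall name GUEST_IN rule 30 description 'Anything else (internet) allowed'
set firewall name GUEST_IN rule 30 action accept
set interfaces ethernet eth1 vif 60 firewall in name GUEST_IN

# Policy for WORKSTATIONS: everything except the management VLAN
set firewall name WORKSTATIONS_IN default-action accept
set firewall name WORKSTATIONS_IN rule 10 description 'Drop workstations to MGMT'
set firewall name WORKSTATIONS_IN rule 10 action drop
set firewall name WORKSTATIONS_IN rule 10 destination address 10.0.50.0/24
set interfaces ethernet eth1 vif 20 firewall in name WORKSTATIONS_IN

commit
save
exit
```

Traffic addressed to the router itself (for example DNS on 10.0.60.1) is evaluated by a `local` ruleset, not by `in`, so it needs its own policy if it should be restricted.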
-
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
@dave247 said in Why Are UTMs Not Recommended Generally:
@hobbit666 said in Why Are UTMs Not Recommended Generally:
I understand the no need for UTM to block stuff as most routers will do it. But what about things like content filtering? How do you block unwanted websites being accessed?
Yeah, that's something I was wondering too but it really comes down to just another service either through a separate appliance on the edge of the network or role enabled somewhere else such as on end-point AV. We use Trend WFBSS where I work and we can do DNS white-listing through that, but it is ideal to have it at the firewall in the event that some device isn't running the Trend AV agent. So yeah, I would have it on the edge, preferably.
It should never, ever be on the edge. Having it on the edge doesn't provide the peace of mind you are envisioning, that's part of the smoke and mirrors of UTM sales. You don't even need it on your network to get that. It just has to be inline in your web processing pipeline.
I don't understand why you are saying this. The idea is to have web-filtering/white-listing on the perimeter of the network because that ensures that everything on the network has to pass through it. If we are blocking all porn and gambling categories, then this ensures that nothing in our network will ever get to those sites. It's simple positioning.
And then on this subject, having a UTM is nice because with Sophos, for example, you have systems with agents on them and then you can put users/machines in various groups and apply different web and application white-lists against them.