Why I See UTMs As Generally Bad in the Current Market

scottalanmiller

This comes up a bit in discussions, partially because UTMs have been a hot purchasing item for the last several years, taking the place of the SAN in the "big IT spend department" as of late. So it is worth having a conversation specifically to address why those of us who do not find them generally appealing to explain why, rather than responding to someone who has one and wants to know why in a defensive context.

There are four categories to address...

1. Hard / Technical Aversions
2. Soft / Human Aversions
3. Market Realities Today
4. Business Needs

Also worth noting, in the "modern" market of the 1990s and later, router and firewall terms are synonymous. Technically routing and firewall functions are separate but all routers on the market for decades have been firewalls and all firewalls are routers.

---

Technical Aversions

UTMs are not a new concept, but are new to the market. We used to build our own UTMs in the 1990s and quickly realized what a bad idea it was. The UTM as a concept isn't new, but the name and selling it as a packaged appliance is. Of those of us who generally lean away from UTMs, I believe most have used them in the past and moved on from them finding them to not be a good solution set for reasons I'm about to discuss.

At the technical level, the issues with the UTM appliance is two fold.

First, router hardware (and router makes) is not well suited to extended tasks that UTMs require. Content filtering, inline anti-virus, IDS, etc. are heavy, complex processes nothing like routing or switching. These require different code, approaches, thinking, experience, computational power, computational type (general vs. specific), constant updates and tweaking, etc. The hardware that is good and effective as a router is terrible for these other functions, and vice versa. From a pure technology perspective, it just is not a sensible way to put pieces together.

Second, inappropriate bundling. Long has the rule of thumb in IT been to keep things separated when possible, especially when there is no benefit from lumping them together, because it allows for flexibility, security, and performance. The UTM model directly defines security-minded basics. Having all those services together in one OS means that hacking through one has a much, much higher chance of bypassing the others. Crashing one service could disrupt others, even if you can't break through it. It's simply an approach that from the onset, doesn't take good security practice in mind. You'd never do this with enterprise server workloads, why is network security seen differently?

---

Soft Aversions

It seems that most UTM deployments are based on confusion and misunderstanding. Maybe thinking that UTMs are black box magic, a common reaction from management or younger IT pros who don't understand all of the different pieces and don't really grasp what is happening. Often UTMs are believed to offer special features that actually predate UTMs and are trivial to implement in other ways.

Security Theater, using theatrics and emotional reactions to make people believe first that there is a larger threat than there really is, and then providing a simple "push of a button" silver bullet product to fix that fake threat is an effective approach. By making the threat seem far more imminent, then providing something that pretends to stop that threat, gives a very real "I'm in danger, and the device protected me" feeling. But had the device not been there, we normally would only have realized that the threat was fake to begin with. Like providing a bullet proof vest to someone attending the opera, having first convinced them that the world is full of silent, invisible bullets, then they proclaim that the vest, rather than the lack of real world bullets, is what protected them from harm.

False reports of real security issues. Because UTMs sit at the edge, they are hit before normal security measures are triggered. This provides a easy way for UTMs devices to track and record "stopped attacks" and make pretty reports that supposedly tell us that they are "doing a good job". But in reality, this is rarely the case. Attacks stopped by UTMs are generally stopped by normal firewalls, normal AV, normal content filtering (even DNS based) without any need for a UTM. But because of where the UTM sits in the network, it generally takes credit for "threats" that were never an actual threat. And because, unlike those other devices, it is sold based on these false reports and emotional responses, UTMs tend to report a lot of things that we don't bother to report normally. Your normal firewall stops hundreds of thousands of attacks per day, but we don't read those logs because that's just silly.

Bundling of services is an emotional ploy that is highly effective. Humans perceived bundled products as being more valuable than the same products individually, regardless of what logic, common sense, or statistics show. This drive is so strong that I've personally seen people proclaim that a $90 bundled product is cheaper than an $80 set of unbundled products. When asked to explain why $90 was less than $80 they would say "because it's a deal, it's bundled." The term bundle acts much like the term "sale" and can make people perceive savings where none exists, even when it is totally obvious that the opposite is true.

Complexity. In IT, it is hard to understand all components and how everything works. Unnecessary complexity leads to mistakes, oversights, and other aspects from human frailty. Complexity undermines security and stability. While the benefits of a UTM generally outweight the negatives to security from complexity increases, they are partially offset by it.

UTMs exist primarily to play on emotional responses.

---

Market Realities

In the real world, nearly all UTMs, and certainly the ones that people talk about most, are not cost effective. This is purely a market reality, and could change in the future (however, the era of the UTM is over and it is already considered passe so it is unlikely that we will see a resurgence that addresses this cost problem. In the real world, UTMs have come and gone and aren't the hot topic any longer.) Much of this comes from the first technical point, putting non-routing functions onto router hardware is costly and there is no simple work around. In practice, because of the soft aversions of UTMs existing primarily not to do a good job but to prey on emotional vulnerabilities there is no market pressure to make a low cost product, so high cost ones are the logical result and all we ever expect to see.

NGFW has trumped UTM in the hyper of "what's current" for network edge security. NGFW are simpler, more of an evolutionary advancement of our more traditional firewalls, and make far more sense as they are both more effective (generally) than UTMs, and follow standard IT concepts of how to approach services on the network.

The last market reality is that the skills and expertise to make a good router / firewall are very different from those needed for UTM functions like filtering, AV, etc. Companies that specialize in one rarely will do well at the other. So you generally get something very far from best of breed when trying to get one vendor to do all of these things, on a single piece of hardware. Getting top end AV from one vendor, content filtering from another, routing from another is more sensible in a world where market realities make it so that the best of each don't do the others.

---

Business Needs

Finally, the real business realities of UTMs.

First (and this extends the security theater aspect), does your business actually receive value from the additional protection? Generally, especially in the SMB, the answer is a solid "no" or a "nominal". Businesses like UTMs because they give a warm and fuzzy feeling, and they provide reports, claim to have stopped loads of things; but when actually evaluating needs and risk, generally there is no dollar value behind the additional features. And in those cases where there is, normally it is important enough to do things the "right" way, without the high cost and risks of the bundled UTM approach.

Second is acquisition cost. UTMs are generally expensive to acquire (comparatively, often 500% to 10,000% more than traditional firewalls) and then carry annual support costs that are often higher than buying a new firewall every year. That's often a lot of money.

Third is business behaviour based on cost. Because UTMs are so expensive, often businesses then avoid doing things with them that they should, such as maintaining support, having redundancy, or updating as often as would make most sense.

Fourth is support overhead. UTMs, typically, are much more complex to install and support than traditional firewalls. This adds to the cost perspective. Whether it is simply lost time that IT could be using for more valuable activities, or paying outside firms to do the work on your behalf, there is a cost to UTM deployments and maintenance.

In the end, how often do businesses see a real benefit from UTMs versus simply a perceived one from emotional, rather than financial, analysis?

---

Keep in mind that there are two key aspects here...

1. Is UTM-like functionality the right thing for your business?
2. If #1 is true, then is a UTM, rather than the rule of thumb "separate services" approach truly a better way to obtain that?

NashBrydges

Nicely written post. I appreciate that you took the time to put your thoughts down.

I'm one of those who has a UTM (Sophos XG) on my lab network. I could replace it with a firewall I suppose but I also like to tinker and learn it so it keeps me occupied (maybe I spend more time on it then I should when I screw something up lol). To be honest, none of my clients have a UTM. I've never felt like they needed one. And while I DO have a UTM, I can also confirm that it HAS stopped bad things from happening. Is it because it was the first thing on the network edge to catch the bad thing? Yep, probably. Would my son's AV have caught it? I'll never really know. But like I said, I keep it because I like to tinker.

One thing that I've read over and over and over is that UTM's are generally NOT recommended. However, I'm interested in what use-cases people believe they may be a good fit. I often see "if you're going to use a UTM, get a Palo Alto" but would love to hear about when people think it IS a good fit.

Something else I want to ask. When I see "if you're going to use a UTM, get a Palo Alto", would love to know about WHY Palo Alto. I don't have any experience with them so I'd love to hear about what makes them the go-to. What do they have that the other offers don't? What do they do that is so different to place them head and shoulders above the rest?

JaredBusch

Most NGFW are just updated UTM solutions from the same vendors.

I hate the entire concept of the NGFW as no one has a clue what they are buying, using, researching.

scottalanmiller

@JaredBusch said in Why I See UTMs As Generally Bad in the Current Market:

Most NGFW are jut updated UTM solutions form the same vendors.

I have the entire concept of the NGFW as no one has a clue what they are buying, using, researching.

And several things we call UTM are actually NGFW now. LIke PA.

Obsolesce

@JaredBusch said in Why I See UTMs As Generally Bad in the Current Market:

Most NGFW are jut updated UTM solutions form the same vendors.

I have the entire concept of the NGFW as no one has a clue what they are buying, using, researching.

NGFW?

scottalanmiller

@Obsolesce said in Why I See UTMs As Generally Bad in the Current Market:

@JaredBusch said in Why I See UTMs As Generally Bad in the Current Market:

Most NGFW are jut updated UTM solutions form the same vendors.

I have the entire concept of the NGFW as no one has a clue what they are buying, using, researching.

NGFW?

Next Gen Firewall. Deep packet inspection.

Dashrender

@NashBrydges said in Why I See UTMs As Generally Bad in the Current Market

Something else I want to ask. When I see "if you're going to use a UTM, get a Palo Alto", would love to know about WHY Palo Alto. I don't have any experience with them so I'd love to hear about what makes them the go-to. What do they have that the other offers don't? What do they do that is so different to place them head and shoulders above the rest?

Isn’t the main thing that makes PA acceptable that they size their hardware right for the services included?
Plus perhaps they have shown they are one of the few how can have the best in breed of more than one of the functions?

From what I’ve seen, most UTM makers drastically undersized their box for the environment they claim it can support. Ultimately you end up disabling services to improve performance, hence making it pointless in the first place. Though running all of those services individually if you need them is rather expensive, both in software and hardware needs. So buying a right sized UTM/NGFW seems like a doable thing IF you need all those services and the services the vendor supply are anywhere near best in breed.

scottalanmiller

@Dashrender said in Why I See UTMs As Generally Bad in the Current Market:

@NashBrydges said in Why I See UTMs As Generally Bad in the Current Market

Something else I want to ask. When I see "if you're going to use a UTM, get a Palo Alto", would love to know about WHY Palo Alto. I don't have any experience with them so I'd love to hear about what makes them the go-to. What do they have that the other offers don't? What do they do that is so different to place them head and shoulders above the rest?

Isn’t the main thing that makes PA acceptable that they size their hardware right for the services included?
Plus perhaps they have shown they are one of the few how can have the best in breed of more than one of the functions?

They also invented most of the technology here. And they actually do NGFW, not UTM per se.

scottalanmiller

@Dashrender said in Why I See UTMs As Generally Bad in the Current Market:

Though running all of those services individually if you need them is rather expensive, both in software and hardware needs.

Not in hardware, nearly all shops have 100x the needed capacity to run them well sitting idle already. They use very little, it just seems like a lot because routers have so little power.

Dashrender

@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:

@Dashrender said in Why I See UTMs As Generally Bad in the Current Market:

Though running all of those services individually if you need them is rather expensive, both in software and hardware needs.

Not in hardware, nearly all shops have 100x the needed capacity to run them well sitting idle already. They use very little, it just seems like a lot because routers have so little power.

I haven't priced VM based solutions - Though I know if Unitrends is any indication - the software solution is just as expensive or even more so than the hardware solution from a vendor.

scottalanmiller

@Dashrender said in Why I See UTMs As Generally Bad in the Current Market:

@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:

@Dashrender said in Why I See UTMs As Generally Bad in the Current Market:

Though running all of those services individually if you need them is rather expensive, both in software and hardware needs.

Not in hardware, nearly all shops have 100x the needed capacity to run them well sitting idle already. They use very little, it just seems like a lot because routers have so little power.

I haven't priced VM based solutions - Though I know if Unitrends is any indication - the software solution is just as expensive or even more so than the hardware solution from a vendor.

That's not a logical way to view pricing.

That's like saying that hamburgers were overpriced at one restaurant, therefore all restaurants overcharge for hot dogs.

You are making the illogical association of the pricing being attached to food, rather than seeing the obvious attachment of the overpricing being part of the company in question that is setting the pricing.

scottalanmiller

@Dashrender said in Why I See UTMs As Generally Bad in the Current Market:

@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:

@Dashrender said in Why I See UTMs As Generally Bad in the Current Market:

Though running all of those services individually if you need them is rather expensive, both in software and hardware needs.

Not in hardware, nearly all shops have 100x the needed capacity to run them well sitting idle already. They use very little, it just seems like a lot because routers have so little power.

I haven't priced VM based solutions - Though I know if Unitrends is any indication - the software solution is just as expensive or even more so than the hardware solution from a vendor.

One software solution is Squid. And it is free.

scottalanmiller

I believe both Sophos and Palo Alto offer their UTM products in software at a pretty major price discount from their appliance offerings. But as they are both closed pricing, there is no official pricing on either approach.

Dashrender

@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:

I believe both Sophos and Palo Alto offer their UTM products in software at a pretty major price discount from their appliance offerings. But as they are both closed pricing, there is no official pricing on either approach.

Yeah - like most at that high level - it's all about schmoozing and grafting money from companies.

scottalanmiller

@Dashrender said in Why I See UTMs As Generally Bad in the Current Market:

@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:

I believe both Sophos and Palo Alto offer their UTM products in software at a pretty major price discount from their appliance offerings. But as they are both closed pricing, there is no official pricing on either approach.

Yeah - like most at that high level - it's all about smoozing and grafting money from companies.

Well, it's a product category that has little reason to exist at a technical level, so nearly all of their sales are done from schoozing, not providing something for a need. Even PA who makes a great product, makes one that fills a need that rarely exists.

Donahue

@scottalanmiller
If only I had found ML before I bought my Fortigates. I may have made a difference decision.

NashBrydges

@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:

I believe both Sophos and Palo Alto offer their UTM products in software at a pretty major price discount from their appliance offerings. But as they are both closed pricing, there is no official pricing on either approach.

I can't speak for PA but Sophos licensing in a VM is based on IP addresses while the hardware isn't limited to that license scheme. Guess it's their way of forcing people to the hardware.

scottalanmiller

@NashBrydges said in Why I See UTMs As Generally Bad in the Current Market:

@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:

I believe both Sophos and Palo Alto offer their UTM products in software at a pretty major price discount from their appliance offerings. But as they are both closed pricing, there is no official pricing on either approach.

I can't speak for PA but Sophos licensing in a VM is based on IP addresses while the hardware isn't limited to that license scheme. Guess it's their way of forcing people to the hardware.

That's... weird

scottalanmiller

@NashBrydges said in Why I See UTMs As Generally Bad in the Current Market:

One thing that I've read over and over and over is that UTM's are generally NOT recommended. However, I'm interested in what use-cases people believe they may be a good fit. I often see "if you're going to use a UTM, get a Palo Alto" but would love to hear about when people think it IS a good fit.

UTMs or more often "UTM features in a VM not on a firewall" are needed typically in environments that are subject to focused, external attack vectors. Not typically companies that might be getting dinged by script kiddies, but ones where aggressive, trained attackers feel that they are a specific target worthy of focus. Banks, for example. Police agencies. Maybe hospitals. Places that are treasure droves of digital data. Places that hold data or access for lots and lots of other people.

dave247

@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:

NGFW has trumped UTM in the hyper of "what's current" for network edge security. NGFW are simpler, more of an evolutionary advancement of our more traditional firewalls, and make far more sense as they are both more effective (generally) than UTMs, and follow standard IT concepts of how to approach services on the network.

I am thrown off by this. Are you supporting the use of "next generation firewalls" over the use of UTMs? I mean, I read through this twice now and that's what I am taking away from this paragraph. I skimmed through the comments and it sounds like people are saying that NGFW and UTMs are about the same thing -which I can agree with since the various security products over the years would naturally fall into different places across the security appliance spectrum (evolve), some being more similar/related than others. Your one paragraph here kind of separates the two for a moment, with the NGFW far better than the UTM, but I would think that you'd consider both bad on the basis that they are both things that group security roles (don't keep things separate).

If you ARE supporting NGFW and opposing the use of UTMs, I will just say that my current SonicWall model is specifically listed as a NGFW (though you have argued with me in the past about it actually being a UTM). Also, the Sophos XG product that I originally posted about is also an NGFW. I assume you will respond by saying that they just stopped calling them UTMs and are now calling them NGFW, so if that's the case, can you provide some list of products or features that you would use to distinguish a UTM from a NGFW?