The UTM Story : By Mr. Vishak Raman Country Manager, India and SAARC, Fortinet

As computer networks started expanding with the growth of Internet, helping application vendors to roll out new services, new protocol stacks running on good old TCP/IP base kept emerging. We moved from standard SMTP and POP 3 (email), HTTP (web), FTP (File Transfer) to IM (Internet Messaging), P2P (Peer to Peer) services, as Internet started to build itself with more interactive real-time content distribution. While these are the positive side of the growth, the flip side is the exponential security breaches at the gateway (entry point) of a Network. We had huge publicity about DDOS (Distributed Denial of Services), Ping of Death

attacks during the mid-2000s and the need for network to protect against network-based attacks. In the last three years, the nature of attacks has taken a big shift from Network-based attacks to content-based attacks. In today’s environment, a hacker does not spend hours to do a port scan and tries to launch a network-based attack, but launches a simple blended attack. Blended threats are attacks that utilize multiple transmission techniques to spread themselves and attack other computers. Email, Web and File Transfers are the most common methods of transmission. Traditional and Point security solutions are not enough to effectively block blended attacks from entering and leaving your network.

This sudden rise of blended threats is driving the demand for blended security at the gateway. This gave birth to the UTM – Unified Threat Management, which was defined by IDC with features like Firewall, VPN, IDP and Gateway Antivirus on a single appliance.

IDC projects a strong growth rate in the UTM segment – 80.1% compared to the traditional Firewall / VPN appliances – 2% and UTMs would overtake FW/VPN revenues shortly.

The Performance Catch 
To check into an office, you do not need to have to spend a lot of waiting time, but for airport security you need to check in one hour before the flight takes off due to the X-ray scanning (deep packet Inspection). But if we start doing enhanced Airport security by doing a bag-by-bag rechecking for each passenger (complete packet reassembly – UTM), all passengers need to check in before 2–3–hours.

A few new UTM entrants miss core security need by claiming to do packet-by-packet real-time deep packet inspection, but do not explain how does one prevent attack from a fragmented packet as packet reassembly is essential to catch a virus or an intrusion. The collapsible firearm could be in Bag 1 or Bag n, we would get to know only when we reassemble the complete cabin bags from Bag 1, Bag 2 and Bag n of a single passenger.

How does one do complete packet reassembly without performance degradation? Not many vendors have figured it out as they still run on a PC-based architecture with individual packet-by-packet scanning and reassembly done on the hard disk (Example: bag-by-bag scanning and reassembling the same on a table – in a PC they do it on the hard disk) which adds significant delay because of the process of READ / WRITE / PACKET REASSEMBLY.

Dedicated ASIC architecture which is designed from the ground up delivers much superior performance and better security as it involves signature pattern matching procedures that scan incoming and outgoing traffic for known malicious code. While the access nodes of the network move from fast Ethernet to Gigabit Ethernet, backbone link speeds are moving from OC-192 (10 Gbits/s) to OC-768 (40 Gbits/s).

Rule databases specify how an incoming packet should be handled from the perspective of classification, differentiated services, security, load balancing and traffic measurement. These databases, consisting of 100,000 rules, are now the subject of discussion regarding near-future networks that will be implemented within one or two years.

Since the network processors are highly optimized, ASIC (Application Specific Integrated Circuits) devices meant to perform pattern matching at high speeds following the set of rules specified in these databases, they perfectly match the requirements in fighting the blended threats.

How far UTM has come? 
There are different myths floating around UTM i.e. UTM could be its single point of failure, UTM buying would happen mostly in SME, UTMs do not deliver the carrier class performance, UTMs do not deliver the same set of features that a point product delivers etc.

We feel the debate around UTM vs Point products is over, as we feel UTMs would be the first line of defence enhancing the perimeter security of the customer network.

Some of the facts about the state of UTMs today are as follows: 
® UTMs deliver great ease of management.
® Total Cost of Ownership (TCO) would still be the evaluation criteria for UTMs, but the rise of blended threats would be the driving force for the UTM choice. 
® High availability (active / active load balancing) between multiple UTM boxes would mitigate the single point of failure.
® UTMs are being delivered via security blades which deliver 10 Gigabit switching UTM. Performance using Advanced Telecom Computing Architecture (ATCA) on a chassis architecture is currently being adopted by enterprise customers, service providers, carriers, managed security service providers to offer security services “IN THE CLOUD” services.

What lies in the future for UTM? 
The definition of UTM is rapidly changing from the 4 feature set defined by IDC which are Firewall, Gateway AV, IPS and VPN. This would change with the additional feature set like Content filtering, Multi-ISP load sharing, Anti-Spam, Traffic management, VLAN Support.and SSL VPN.

® Adoption of UTMs would happen at LAN side (switch level) and WAN side (Integrated Routing functionality).
® Technology mergers and acquisitions would happen for complementary feature set, but integration of two separate security codes on a single platform would be a developer’s nightmare.
® They would continue to sell them as independent product lines immediately post merger, but would have to struggle to get a unified / integrated code to be delivered on a single product. 
® Opportunistic friendly alliances would be struck between point product vendors, but lack of tight integration and single window of support would become a customer nightmare / responsibility of the customer to do the coordination between these alliance partners.
® Alliances would last for a short period of time as their cost structures / licensing policies increase the TCO to an end-customer. 

India Status 
India continues to be a dominant player in the APAC market, registering the highest growth rates (CAGR – 24%) and we see India as an emerging market with US$64 million Security Appliance Market in 2006, which is growing at 54% CAGR. There is a huge spend on the greenfield projects. UTMs appeal the most to the greenfield market as they are the best first line of defence.