If you are looking for a broad introduction to Unified Threat Management please click on this link. Basically, Unified Threat Management is a network security approach that consolidates the various individual security modules employed at the network perimeter into a single platform/appliance in order to save cost as well as bring unified management to the individual modules (like Anti-Spam, Anti-Virus, VPN, Firewall, IPS, Content Filtering, Spyware protection etc.). But when individual devices are consolidated in that fashion, there is one major limitation: performance. As the network's performance depends on the performance of the network perimeter security device, and as networks are scaling up to 10GE, this becomes a crucial factor. Let us look at how hardware based UTM and software based UTM solutions compare with respect to performance and other crucial factors.
Hardware/Appliance based UTM:
Of course, the hardware is just a part of a UTM solution; it also consists of a security operating system and the various security modules. But these two are common to both hardware and software UTM. Here we are referring to UTM with custom built hardware, which is sold as a single appliance integrated with all the modules. These UTM appliances employ specialized hardware like customized processors and Application Specific Integrated Circuits (ASIC) to accelerate performance (instead of using general computer/server hardware).
Historically, routers and firewalls have taken such an approach and been very successful. Initially, they were software programs running on a PC; then they were housed in a custom built hardware unit with specialised processors and ASIC chips. ASIC technology is a proven technology to improve throughput. Security specific ASIC processors contribute to the hardware acceleration of the security inspection process and hence greatly improve performance. One major advantage of this approach is that hardware optimization can be extended through to the application layer of the OSI model.
Different types of processors can be employed to carry out different functions in an appliance based UTM. For example, there is a main processor, and there could be other co-processors to offload work from the main processor. Some of these co-processors can be employed specifically for certain purposes, like performing high-speed comparisons (from memory) of objects against known threat patterns, which are used to accelerate anti-virus, IPS and other application level security technologies for which such functions are crucial. There could be other specialized co-processors for performing high intensity tasks like encryption, which, if done by the main processor, would increase its load. The co-processors can also be placed at particular locations in an appliance based UTM. Some of them can be placed directly after the network interface, for example, to offload from the main processor functions related to firewall rules, policies, detecting protocol anomalies, expediting the delivery of latency sensitive traffic etc. at the interface level itself (without passing the packets to the main processor) and, if necessary, to transmit state information (and not the actual packets) to the main processor, improving performance drastically.
Software based UTM:
These types of UTM solutions are available as software downloads from the vendors' websites, and the security functionalities they are capable of are activated via software licenses. So, these UTMs can be installed on a general computer server (according to the minimum specifications provided by the vendor) without a specific appliance for that purpose.
There are some advantages to such an approach. First, the rate of processor development (speeds, multi-cores etc.) is much faster for computer servers than for specialized ASIC based processors. Computer servers are made in bulk, increasing the possibility of getting a better price-performance ratio. But this is not always the case, as the computer servers for such applications are generally over-sized, which is the better practice.
Generic computer servers used for such a purpose are more flexible: they provide redundant power supplies, RAID disks, slots for adding memory, etc. Hardware replacement is even more flexible, as the servers are maintained along with the other computer systems and can be serviced by any system integrator, and hence there is no vendor lock-in (for hardware). These computer servers are available and serviceable in any part of the world.
Software based UTMs are scalable. If more processing power is needed, more processors can be inserted. If more memory is needed, more memory is inserted. This approach also allows the UTM to offload some functions to a second gateway, allowing for a good amount of expansion once the software licenses are taken into consideration. Some vendors also support portability. That is, if a certain security module is not required in the head office (like Anti-Spam) but is required at the branch office, it can be transferred there.
All expansions/upgrades/purchases of additional modules can be done on the fly by simply purchasing software licenses over the Internet. That saves a lot of time and effort. Most software UTMs support the multi-core processor technology used in today's servers, thereby allowing distributed computing (offloading different processes to different servers) and improving the performance of the UTM.
Open-source implementations for network security are possible and have been popular as well. There are open-source software UTM options like Untangle, pfSense and Endian, which can be downloaded from their websites free of cost (basic modules) and are open-source (licensed under the GPL). These open-source UTMs enable, in a single platform, technologies like web-filter, virus blocker, ad-blocker, spam-blocker, firewall, intrusion prevention, VPN etc. depending on the offering, and they are basically a combination of the various open-source technologies available for the individual security modules. They can be useful for SMB companies and home offices which don't want to invest in more expensive professional UTM solutions. Of course, a computer server meeting the specifications (based on the number of users/bandwidth) given on their website needs to be dedicated to running it, and this machine needs to be the gateway for the entry/exit of all network traffic.