Posted by: Jenny Laurello
network security, threat management
It wasn’t so long ago that network purists were decidedly of the mindset that routers should route, switches should switch, and firewalls should firewall. The thinking behind that was to do one thing and do it well. As a long-time information security person, I was fully in that camp. After all, it met several of our basic tenets: it was simple, easy to troubleshoot, had no single points of failure, and provided a clear separation of duties.
As we got better at protecting our perimeters, the nature of perimeter threats evolved, moving up the Open Systems Interconnection stack to the application layer, and eventually the human layer. As the threat evolved, so did the firewalls. It’s now almost as hard to find a simple packet filtering firewall as it is to find a network hub.
Modern, effective perimeter security solutions can’t simply let the firewall “firewall.” Perimeter security requires an increasingly complex mix of technology to effectively combat Internet threats. Enter the unified threat management (UTM) concept and multi-functional perimeter devices.
The perception of the firewall has largely remained unchanged in many organizations, with a substantial number of people still in the camp of “firewalls should firewall,” leaving a number of ancillary devices (anti-virus, anti-spam, virtual private networks, intrusion detection/prevention systems, content filtering, data loss prevention, security information and event management, email encryption, etc.) to handle the other tasks at or around the perimeter.
Clearly the important thing is to ensure all the perimeter bases are covered, regardless of how it’s accomplished. There is definitely a significant argument, using the same criteria as above (keep it simple, easy to troubleshoot, no single points of failure, and separation of duties), that supports the UTM approach.
Going the UTM route, rather than deploying purpose-built devices with different components to fill each of the specific needs on the perimeter, falls within the old keep-it-simple and easy-to-troubleshoot approach. Managing eight to ten different technologies that all need to evaluate traffic can quickly become overwhelming to design and troubleshoot, not to mention the resources and expertise/training needed to staff it.
At first pass, “no single points of failure” seems to be a win for purpose-built devices, but there are high availability options for most UTM platforms that can be either a standby or an actively load-balanced solution. Not only is it easier to implement and manage the availability of a UTM solution, it’s almost certainly cheaper. Achieving separation of duties has become a significant challenge with dwindling budgets and shrinking head counts in organizations today, especially in the information security realm.
Implementing a fully managed UTM service is one of the more elegant solutions to achieve separation of duties and is a good foundation for change management. A managed services UTM platform not only frees up internal resources for other tasks, but it also ensures that changes to the organization’s perimeter security postures are evaluated, documented, and not performed by the same folks that run the day-to-day operations of the network.
Reporting is an added bonus to UTM perimeter protection. Budgeting is one of the hardest hurdles to overcome every year. It is especially challenging for information security folks because it is very hard to demonstrate a return on investment for protecting from potential catastrophes. While data analytics logs can help provide raw information from the many purpose-built perimeter security components, compiling the logs, analyzing them, and presenting output in a compelling form for executives is usually not something managers look forward to and would prefer to have as “out of the box” functionality. This is another plus for UTM since many platforms support some variety of reporting.
Much of what information security professionals learned from the Rainbow Series books in the early 80s and 90s is fundamental to what we do now. As such, we have a predisposition to resist change; that’s a good thing and part of our nature. But it’s definitely time to re-evaluate the perimeter and adapt our approach to better suit the evolution of Internet threats.