This content is part of the Essential Guide: A guide to threat management

Essential Guide

Browse Sections

Introduction to unified threat management appliances

Expert Ed Tittel describes unified threat management (UTM) appliances and features, and explains its advantages to organizations of all sizes.

A unified threat management (UTM) system is a type of network hardware appliance, virtual appliance or cloud service that combines and integrates several security technologies -- typically, a firewall, intrusion prevention system (IPS), antimalware, virtual private networking (VPN) and Web/content filtering.

UTM virtual appliances and cloud services are gaining in popularity. Both types of UTM eliminate the need for an on-premises appliance, but still offer centralized control and ease of use. However, this article focuses on UTM appliances.

Unified threat management appliances simplify management by granting network administrators use of an integrated interface to configure and maintain each component. Centralized control also reduces complexity and the likelihood of errors because the details of each component are clearly visible on a dashboard. An administrator can react quickly to performance issues as they arise, and can monitor how changes affect other components. Plus, organizations realize lower overall costs compared to acquiring each component separately, and they can produce cohesive compliance reports when required by regulations, such as Health Insurance Portability and Accountability Act, Sarbanes-Oxley Act and so on.

On the downside, UTM products also present a single point of failure should an event occur that cannot be handled proactively or remediated quickly.

The demographics of UTM customers

UTM vendors initially targeted the small to medium-sized business (SMB) market to help them reduce administrative overhead and control security costs. However, the reliability and scalability of UTM products makes them suitable for enterprise adoption as well.

Today, UTM appliances are found in small office/home offices (SOHOs), retail, banking and similar environments, branch offices, midsize organizations and large enterprises. Most UTM vendors offer a line of products to accommodate each type of customer.

Characteristic features of UTM appliances

Nearly every unified threat management appliance includes the same core features, and each vendor may include additional components in various models to appeal to different customers. These core features may be described as follows:

  • Antivirus/antimalware: This component scans for malicious programs and other types of malware, and either quarantines or removes it. Some UTM appliances include antispam features as well. If the antimalware scanner is appliance-based (meaning the software resides on the appliance), scans will affect the performance of the unit to some extent. Some vendors use antimalware scanners in the cloud, which minimizes the use of UTM appliance resources during scanning.
  • Firewall: A next-generation firewall sits at the heart of a UTM appliance. Common throughput rates are 600 Mbps to 200 Gbps, with several ports that may include 10/100 Ethernet to 1, 10, 40 and 100 Gigabit Ethernet.
  • Intrusion prevention: This component analyzes incoming network packets for attack signatures and evaluates results against a defined policy. Unsafe packets may be dropped or a connection terminated to protect the internal network.
  • Virtual private networking: This component manages VPN connections for secure remote access to the internal network.
  • Web filtering: This component prevents access to inappropriate Web content. An administrator may define URLs/domains that are not allowed (blacklisting), or the filter may communicate with a continuously updated reputation service. The filter may also intercept all HTTP requests in a TCP connection. Some vendors provide Web filtering as part of the core package, whereas other vendors require an additional Web filtering license.

Other features that are included in specific UTM models include application control, bandwidth management, data loss prevention, identity-based access control, load balancing and more. These more advanced features are generally found in higher-end systems aimed at midsize and larger organizations.

Pricing and support

Unified threat management products simplify management by granting network administrators use of an integrated interface to configure and maintain each component.

How unified threat management appliances are packaged and sold varies by vendor. A customer may purchase or lease a unit from a vendor or reseller, which usually requires an annual subscription for software updates and upgrades. Such a subscription can add significantly to the total cost of purchase.

Appliances for SOHOs start at about $400, and small branch office units with subscriptions start at around $1,700, but are more typically in the $2,500 range. The next tier -- for midsize organizations -- jumps to about a $20,000 minimum. From there, the cost for a unit can climb to $200,000 or more for large enterprises.

For an additional fee, most vendors offer different tiers of support. At the low end, a support contract includes limited phone and email support, an online knowledge base and forums. Phone support at this level may be restricted to business hours only. Higher priced contracts may include 24/7 phone support, four-hour or next-day on-site engineer support, next-day parts delivery, and an assigned account representative. Annual support contracts cost in the range from $500 to over $25,000.

UTM training

Many vendors and resellers provide UTM training for administrators and support engineers for an additional fee. Costs vary widely, but typically range from $1,000 to $3,500, depending on whether sessions are Web-based or in-classroom.

Although it's usually not required, training can help an administrator get up to speed on new technology more quickly than self-learning, and training can be critical for an administrator that is migrating technology from one vendor's products to another.

Technical staff might also sign up for training while pursuing a certification from a particular vendor, which might or might not be paid for by the employer.

Are UTM appliances right for your organization?

Although many organizations install and manage firewalls, antimalware software, an IPS, Web filtering software and other security technologies from a variety of vendors, a UTM product can make the process much easier and more cost-effective. The best approach may be for an organization to document its current security appliances and purchase dates, when they will reach their end of life, the manufacturer/vendor of each appliance, and estimated replacement costs. Then find out more about UTM appliances and compare the hard and soft costs.

That is personnel time that could be freed up by standardizing many security components on a single system and vendor, with a centralized management console.

Organizations may very well find that UTM is the smart decision going forward.

Next Steps

Discover the benefits of using a UTM appliance to reduce security incidents.

Read up on the top questions to ask when evaluating UTM vendors.

Dig Deeper on Network security

Enterprise Desktop
Cloud Computing