Six criteria for purchasing unified threat management appliances

Expert Ed Tittel explores key criteria for evaluating unified threat management (UTM) appliances to determine the best choice for your organization.

Unified threat management appliances -- devices that bundle all kinds of network infrastructure protection into one device -- are mighty popular in small to midsize environments -- and are gaining traction in larger infrastructures -- for many good reasons. In the right environment, relying on a single device to cover firewall, virtual private network (VPN) access, application control, intrusion protection and lots of other services saves money and administrative effort.

Determine your needs

Before diving deep into unified threat management (UTM) appliance comparisons and ordering trial units, the first step toward procuring a UTM is to determine an organization's security needs.

Here's a list of questions to consider:

  • Does it need a full protection solution or a solution that supplements current technologies?
  • What types of protection does the UTM appliance need to implement? This includes firewall, VPN, application control and so on.
  • Does it want an access point included in the appliance? Only certain UTM appliances have integrated wireless access points, and those are usually found in entry-level or small office products.
  • What is the infrastructure's bandwidth? This involves gathering statistics from the infrastructure, such as average incoming and outgoing bandwidth usage, the average number of users accessing the Internet, and the number of daily email messages (sent and received). Also record spikes and determine if they occur regularly. These statistics help with right-sizing a UTM appliance to its environment and in determining if a network upgrade is necessary.
  • How many users and devices does the organization need to support today? How many two years from now? This answer helps it right-size an appliance with an eye on growth. Higher-end UTM appliances are fully scalable, but come with bigger price tags.
  • Does it have a solid antivirus product in place that's working well? Many unified threat management appliances come with antivirus, but not every organization wants to replace its current solution.

During needs analysis, be sure to keep notes (perhaps in a spreadsheet) to enable mapping the organization's needs to UTM features on a per-vendor basis.

Shopping 101: The big picture

Not every company calls its products 'unified threat management' or 'UTM.' In fact, UTMs are often simply referred to as 'security appliances,' and many companies still call them 'next-generation firewalls.'

Today's leading UTM vendors, such as Fortinet, Check Point, Dell, Sophos and others, make the shopping and purchasing process pretty easy (with the exception of licensing and subscriptions, which you'll learn about soon). The vendor websites typically list appliances for small, midsize and large environments -- clearly stating performance details, like firewall throughput, VPN throughput, number of users, and number and type of ports.

Note: Be careful of nomenclature when perusing vendor products. Not every company calls its products "unified threat management" or "UTM." In fact, UTMs are often simply referred to as "security appliances," and many companies still call them "next-generation firewalls." However, a next-generation firewall typically includes intrusion protection and perhaps application control, where a UTM appliance includes a firewall, IPS and a whole lot more.

Each website also lists the features and controls that are either integrated into the appliance by default or that can be integrated by purchasing a license or subscription. It's important for an organization to understand which features they will actually use, because appliance performance can be affected (sometimes greatly) when all available features are enabled.

Evaluation criteria for UTM appliances

When researching unified threat management appliances, use the following list of criteria to make a proper comparison:

  • Vendor: It's usually best to pick a market leader, the assumption being that the vendor has a good track record, adequate or excellent support, and has produced a well-honed line of products. Also consider that top vendors typically have the resources to perform ongoing research into emerging threats and can roll that knowledge and captured data into their products. Continuity and compatibility are also factors when looking at vendors. If an organization's security staff already uses products from a specific vendor, the learning curve can be much shorter by sticking with a UTM appliance from that same vendor.
  • Features: Not every unified threat management appliance has the same features. Data loss prevention and deep packet inspection over SSL connections aren't usually part of the standard feature set. Models from the same vendor can include different features, too, although many vendors' appliances do include a common feature set across all models. An organization's needs analysis should help whittle down which features are must-haves versus nice-to-haves.

    Regarding antivirus, find out if the vendor has its own antivirus solution or is partnered with another company that provides it. Some vendors use Kaspersky or Sophos, for example. The vendor's choice of antivirus product might not be the organization's first choice.
  • Performance: As mentioned, vendors publish firewall and VPN throughput rates for their appliances. Those ratings are not necessarily the same rates that will be experienced in different environments. When researching products, also check UTM ratings or reviews from independent sources such as NSS Labs and Miercom.

Tip: Time allowing, it's a good idea to reach out to other organizations that already use UTM appliances and get their feedback on performance in a live environment, as well as ease of deployment, compatibility with other network protection equipment, and tech support responsiveness.

  • Cost: The cost of UTM appliances varies greatly, from those geared toward small environments (usually in the range of $400 to $1,200) to the highly scalable, highly available appliances for enterprises (tens of thousands of dollars). This is where a needs analysis pays off -- that data should point to the appliance with the best fit and tell the organization which features it truly needs.
  • Licensing and subscriptions: With very few exceptions, UTM vendors require licenses or subscriptions to turn on UTM features, such as application control, antivirus and so on, and/or cloud-based management control. In some cases, it's possible to configure those features, but they won't be active until a valid license key is supplied.

    Those licenses or subscriptions are offered with term limits -- one year, two years and up to 10-year increments -- and may or may not include support, such as 24/7 assistance and replacement hardware. This is one area of research where it takes time to comb through each vendor's requirements and offerings, and to find a bundle at the best price. Licensing and subscriptions can easily run 50% or more than the cost of the appliance. Dig into upgrade pricing as well, in case the number of devices or users changes or additional features are needed following initial purchase.

    Another issue with licensing is to understand if the vendor licenses its product per user, per device or per IP address. If the vendor follows the IP address model, do only those IP addresses behind the firewall count toward the total? If an organization has a high-availability cluster, does each device in the cluster need a separate license?
  • Support: Find out what's included in the standard support package, and the price of a premium package if standard isn't adequate. Remember, some vendors roll support into their licensing packages, which needs to be taken into account when examining overall costs.

Other considerations

UTM vendors want customers to be satisfied with their products -- a happy customer doesn't need as much support, right? Vendors often allow organizations to request a unit of their choice and run it in their own environment, taking time to thoroughly test performance and compatibility with other equipment. Some vendors even offer free support during the evaluation period, and online demos may be available to help customers tinker with the interface and to safely reconfigure a virtual appliance to mimic their own network.

During the evaluation stage, be sure to assess ease of deployment, configuration interfaces (GUI, command line or both) and usability of the management console. Can staff easily maneuver around the screens? Are settings easy to find, and is the documentation clear enough to avoid a support call? Ease of use is especially important to smaller organizations that may not have dedicated security staff.

Finally, if an organization must follow compliance regulations and laws, find out if the UTM appliance offers functionality and reporting tools needed for a compliance audit. Most appliances do, but double-checking this important feature before purchase will prevent headaches down the road.


Even though the UTM appliance buying experience has been simplified thanks to fairly consistent comparison points and a highly competitive market with vendors who want your business, there are still a lot of factors to consider carefully before making a decision.

Every decision should start with a thorough needs analysis of an organization's particular environment and a map from those needs to vendor offerings. Then, find out what experts think are the best products for environments similar to yours.

Next Steps

Check out part one which looks at the basics of UTM appliances in the enterprise

Part two examines the business case for UTM products

Dig Deeper on Network security

Enterprise Desktop
Cloud Computing