Why Perimeter UTM breaks Defense in Depth
I was reading Mike Rothman’s latest blog entry regarding defense in depth and got to thinking about how much I agree with his position, and how that would seemingly put me at odds with what I do for a living when it is put in the context of Unified Threat Management (UTM) solutions — the all-in-one "god boxes" that represent the silver bullet for security woes 😉
Specifically, I am responsible for crafting and evangelizing the security strategy for a company that one might (erroneously) expect to trumpet that you can solve all security ills by using a single UTM device instead of a layered approach via traditional defense in depth. I need to clear that up because there’s enough septic marketing material out there today that I can’t bear to wade through it any longer. And yes, I work for a company that sells stuff, so you should take this with whatever reasonable amount of NaCl you desire…
There is a huge problem with how UTM is perceived today. UTM — and in this case the classical application thereof — is really defined as a perimeter play where boxes that were once firewalls, then became firewalls+IDS, then firewalls+IDS+IPS, have now become firewalls+IDP+Anti-everything. IDC’s basic definition of a UTM appliance is one that offers firewall, IDP and anti-virus in a single box. There are literally tons of options here, but the reality is that almost all of these "solutions" actually fly in the face of defense in depth because the consumer of these devices is missing one critical option: Flexibility.
Flexibility regarding the choice of technology. Flexibility regarding the choice of vendor. Flexibility of choice regarding extensibility of functionality.
Traditional (perimeter) UTM is, in almost all cases, a single vendor’s version of the truth.
Lots of layers — but in one box from one vendor! That’s not defense in depth, that’s defense in breadth.
That may be fine for the corner liquor store with DSL Internet access, but what enterprises really need are layers of appropriate defense from multiple best in breed vendors deployed via a consolidated and virtualized architecture that allows for safer, simpler networks.
On the surface, UTM seems like a fine idea — cram as many layers of security "stuff" as you can into a box that you can sprinkle around the network in order to manage threats and vulnerabilities. Using a single device (albeit many of them) would suggest that you have fewer moving parts from a management perspective, and instead of putting 5 separate single-function boxes in-line with each other to protect your most important assets, now you only need one. This is a dream for a small company where the firewall admin, network engineer and help desk also happen to be the HR director.
This approach is usually encountered at the "perimeter," which today is usually defined as the demarcated physical/logical ingress/egress dividing the "inside" from the "outside." While there may well be a singular perimeter in small enterprises and home networks, I think it fair to say that in most large organizations, there are multiple perimeters — each surrounding mini "cores" that contain the most important assets segmented by asset criticality, role, function or policy-driven boundaries.
Call it what you will: de-perimeterization, re-perimeterization, dynamic perimeterization…just don’t call it late for supper.
In this case, I maintain that the perimeter isn’t "going away," it’s multiplying — though the diameter is decreasing. As it does, security practitioners have two choices to deal with segmented and mini-perimeterized mini-cores:
- Consolidate & Virtualize
- Box Stack/Sprinkle
These two options seem simple enough, but when you pull back the covers, there are several design options you have to reconcile in either scenario:
- Single-vendor embedded security in the network infrastructure (routers/switches)
- Single-vendor overlay security via single-function, single-application devices
- Single-vendor overlay security via single application/multi-function UTM
- Multi-vendor embedded security in the network infrastructure (routers/switches)
- Multi-vendor overlay security via single application/multi-function security applications
- Multi-vendor overlay security via Best-of-breed security applications
When pairing a deployment option from the first set with a design methodology from the second, evaluating the solution leads to many challenges: balancing a single vendor’s version of the truth (in one or more boxes) against many cooks in the kitchen, in combination with either "good enough" or best in breed. Tough decisions.
"Good enough" or "best in breed." One box or lots. The decision should be made based upon risk, but unfortunately that seems to be a four letter word to most of the world; we ought to be managing risk, but instead, we manage threats and vulnerabilities. It’s no wonder we are where we are…
For a taste test, go ahead and ask your network switch vendor or your favorite UTM appliance maker where their solutions to these very real business-focused security challenges exist in their UTM delivery platforms today:
- Web Application security
- Database security
- XML/WS/SOA security
- VoIP security
They don’t have any. Probably never will. Why? Because selling perimeter UTM isn’t about best in breed. It’s about selling boxes. What happens when you need to deploy these functions or others in combination with FW, IDP, AV, Anti-spam, Anti-Spyware, URL Filtering, etc…you guessed it, another box. Defense in depth? Sure, but at what cost?
When defense in depth lends itself to management nightmares due to security sprawl, there is a very realistic side effect that could introduce more operational risk into the business than the risk the very controls were supposed to mitigate. It’s a technology circle-jerk.
What we need is option #1 from the first set paired with option #6 from the second — consolidated and virtualized security service layers from multiple vendors in a robust platform. This pairing needs to provide a consolidated solution set that is infrastructure agnostic and as much a competent network platform as it is an application/service delivery platform.
This needs to be done in a manner in which one can flexibly define, deploy and manage exactly the right combination of security functions as a security "service layer" deployed exactly where you need it in a network to manage risk — where the risk justifies the cost. And by cost I mean both CapEx and OpEx.
Of course, this solution would require immense flexibility, high availability, scalability, resiliency, high performance, and ease of management. It would need to be able to elevate the definition of the ill-fated "Perimeter UTM" to scale to the demands of "Enterprise UTM" and "Provider UTM." This solution would need to provide true defense in depth…providing the leverage to differentiate between "network security," "information security," and "information survivability."
Guess what? For enterprises and service providers where the definition morphs based upon what the customer defines as best in breed, defense in depth either becomes a horrific nightmare of management and cost or a crappy deployment of good enough security that constantly requires forklifts, doesn’t scale, doesn’t make us more secure, is a sinkhole for productivity and doesn’t align to the business. Gee, I’ll take two.
We’re in this predicament because an execution-driven security reference architecture that lets businesses deploy defense in depth in a manner consistent with managing risk has not been widely available, or at least not widely known.
I chuckled when people called me nuts for declaring that the "core" was nothing more than a routing abstraction and that we were doomed if we kept designing security based upon what the layout of wiring closets looked like (core – distribution – access.) I further chuckle (guffaw?) now that rational, common sense risk management logic is given some fancy name that seems to indicate it’s a new invention. Now, as the micro-cores propagate, the perimeters multiply, the threat vectors and attack surfaces form cross-hatches dimensionally and we gaze out across the vast landscape of security devices which make up defense in depth, perhaps UTM can be evaluated within the context it deserves.
On the one hand, I’m not going to try and turn this into a commercial for my product as there are other forums for that, but on the other I won’t pretend that I don’t have a dog in this hunt, because I do. I was a real-world customer using this architecture for almost 3 years before I took up this crusade. Managing the security of $25 Billion of other people’s money demands really good people, processes and technology. I had the first two and found the third in Crossbeam.
The reality is that nobody does what Crossbeam does, and if you need the proof points to substantiate that, go to the largest telcos, service providers, mobile operators and enterprises on the planet and check out what’s stacked next to the Juniper routers and Cisco switches…you’ll likely find one of these.
Real UTM. Real defense in depth. Really.
Chris - right on here. You can have defense in depth and breadth in a UTM, as long as one vendor does not try to shove only their apps down your throat. True best-of-breed apps in a UTM environment.
Chris,
If you were trying to play a joke on yourself by giving us 404 at http://www.crossbeamsys.com/products_x-series.asp it was brilliant.
If not, perhaps you could clarify one or two points for those among us that haven't been following your blog for long. The overall tenor seems to be best-of-breed is where it's at, UTM falls short. But industry punters categorize X-Series as UTM devices.
Is Crossbeam a UTM vendor or not?
Hi Peter:
Crossbeam has reorg’d their website (I haven’t worked there for 11 months, btw.)
To your point, for CROSSBEAM’s market (high-end enterprise, service provider/telco/mobile operator,) best-in-breed is the path that allows those customers to first consolidate and then expand the portfolio of security solutions in a highly-resilient platform.
The reality is that the unfortunate stranglehold analysts have in framing what or what not a company is or does applies here.
Because Crossbeam makes the hardware and glue that allows folks to run their favorite BoB software in their box, but not the software itself, it’s hard for folks to say what Crossbeam is. Are they a UTM vendor? Are they an appliance manufacturer? Are they a big, bad, network-enabled blade server?
The answer is “yes.”
Crossbeam “enables” UTM. Most people buy them to first consolidate firewalls, then move on to adding other apps (like IPS, AV, etc) as capacity and placement call for.
I’ve never really paid much attention to UTM outside of this concept. I think because I’ve never worked for or serviced SME/SMB customers; it’s always been large enterprises and service providers…so UTM “falls short” in those kitchen sink appliances because what you get is “good enough” which may very well be good enough for many.
If you’ve ever taken a UTM box and turned all the features on you can expect performance to take a 50-80% hit overall. This doesn’t happen in an X-Series (in theory, anyway) because the individual components are instantiated on dedicated hardware within the chassis, which acts as the resource arbitrator ensuring traffic is routed/switched appropriately.
OK, enough of a commercial for Crossbeam.
To be fair, I maintain that you could build a competitive platform to Crossbeam’s X-series today using COTS NPU’s, virtualization and a blade server…but that’s a topic for another time 😉
/Hoff