Next Generation Firewalls vs UTM

Wednesday, May 04, 2011

I take a lot of calls from private equity and Wall Street analysts seeking to get educated on various aspects of the IT security industry.

One of the benefits of spending ten years researching and analyzing a market is that I have developed a simple high level view of a rapidly changing industry. That change is within a very rigid framework. Understanding the framework provides the insight needed to understand where the market evolved from and where it is going.

There are four segments of the security industry: network, end point, data, and users. Not only are these four buckets good for categorizing the 1,200 vendors in the space but they provide a “red flag” for the analyst.

If a particular technology, or even vendor, attempts to encompass more than one of these categories, watch for trouble in their go-to-market and sales strategies.

Network security is primarily gateway security: the firewall. But wait, you say, what about IPS? What about access control? What about URL content filtering and network anti-malware? Aren’t those separate products, categories, industries? NO! Those are features in the gateway security product.

As always, during times of rapid change in an environment, in this case the rise of targeted attacks and state sponsored hacking, there are point products that are the first to provide a response.  

But industry dynamics force the established vendors to add the capabilities of the point products. And customers, overwhelmed by the need to manage multiple solutions from multiple vendors, gravitate towards established vendors that can provide comprehensive protection in a managed platform.  

One such vendor is NetASQ, the leading European UTM (Unified Threat Management) vendor. Born as an IPS solution, NetASQ rapidly leveraged its ability to do deep packet inspection (or, as IDC terms it, complete content inspection) to apply policies based not just on source, destination and port, but on the content of assembled packet streams.

It is well worth your time to hear NetASQ’s story as related by its CEO, Francois Lavaste, in this interview.

As you listen to Francois, compare his story to that of the so-called Next Generation Firewall vendors, who have settled on a subset of network protections to define NGF, namely IPS and application awareness. Yet UTM encompasses NGF, and indeed most of the NGF vendors also include URL content inspection and anti-malware features.
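As an added illustration of the distinction drawn above (not code from NetASQ or any vendor), here is a toy gateway check that applies one rule to the destination port alone and another to the reassembled stream: application identification regardless of port, plus a URL-filter check on the HTTP Host header. The segments, addresses, allowed ports and blocked-host list are all constructed samples.

```python
from collections import defaultdict

# Constructed TCP segments, delivered out of order: (src, dst, dport, seq, payload).
# Flow 1: HTTP on port 80 to a host on the filter list.  Flow 2: SSH tunnelled over
# port 80.  Flow 3: a TLS ClientHello on 443.  None of this is NetASQ data.
SEGMENTS = [
    ("10.0.0.5", "203.0.113.9", 80, 100, b"GET /index.html HTTP/1.1\r\n"),
    ("10.0.0.5", "203.0.113.9", 80, 126, b"Host: updates.example\r\n\r\n"),
    ("10.0.0.7", "203.0.113.9", 80, 4, b"2.0-OpenSSH_8.9\r\n"),
    ("10.0.0.7", "203.0.113.9", 80, 0, b"SSH-"),
    ("10.0.0.8", "203.0.113.9", 443, 0, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
]
ALLOWED_PORTS = {80, 443}                  # hypothetical perimeter rule
BLOCKED_HOSTS = {"updates.example"}        # hypothetical URL-filter list

def port_policy(dport):
    """Classic stateless rule: the verdict depends only on the destination port."""
    return "allow" if dport in ALLOWED_PORTS else "deny"

def reassemble(segments):
    """Group segments by flow and join payloads in sequence order."""
    flows = defaultdict(list)
    for src, dst, dport, seq, payload in segments:
        flows[(src, dst, dport)].append((seq, payload))
    return {f: b"".join(p for _, p in sorted(s)) for f, s in flows.items()}

def identify_app(stream):
    """Recognise the application from the stream's opening bytes, not the port."""
    if stream.startswith(b"SSH-"):
        return "ssh"
    if stream[:3] == b"\x16\x03\x01":      # TLS record: handshake, version 3.1
        return "tls"
    if stream.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "http"
    return "unknown"

def content_policy(stream):
    """Verdict on the assembled stream: application awareness plus URL filtering."""
    app = identify_app(stream)
    if app == "ssh":                       # SSH on port 80 is still SSH
        return "deny"
    if app == "http":
        for line in stream.split(b"\r\n"):
            if line.lower().startswith(b"host: ") and line[6:].decode().strip() in BLOCKED_HOSTS:
                return "deny"
    return "allow"

def decide(segments):
    """Per flow: (port-rule verdict, content-rule verdict) for side-by-side comparison."""
    return {f: (port_policy(f[2]), content_policy(s)) for f, s in reassemble(segments).items()}
```

Both flows on port 80 pass the port rule; only the content rule tells the SSH tunnel and the filtered host apart from ordinary web traffic.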

When selecting your next gateway security solution, assemble a set of features and capabilities you require (or already maintain), then compare that to the offerings from the vendors regardless of the terminology they choose to describe their product. Next Generation Firewall and Unified Threat Management are two names for the same thing.

Rod MacPherson: Thank you.

I was starting to think that I must be missing some fundamental point about NGF. All the NGF vendors talk about how they are better than UTM because they offer deep packet inspection, but then I look at the UTM products on the market currently and think, "ok, the NGF guys are selling PART of a UTM." Yes, it's better than the firewall portion of the old UTMs from several years ago, but most of today's UTMs seem to have the same capabilities as the NGF products plus anti-virus and antispam...
Then you get the NGF people who say that you are wasting resources loading all these "extra" features on a UTM instead of streamlining to just the NGF features. I don't really see how that's an advantage. If you don't want to waste memory and processing on antivirus, just don't use that feature. The amount of resources required to have the feature in the firmware, but not use it, is not something the users of the product need to worry about.

I like having flexibility in a device, so even though I don't use the spam controls of the UTM at work because we have a dedicated machine for that, it's nice to know that if we needed to it's as simple as switching it on and we'd have SOME protection should the main spam machine die. We get about a 60%/40% split: 60% spam, 40% legit. So while spam is not usually dangerous, it is troublesome; if the end users had to deal with that, I think a lot of folks would quit.