UTM vs NGFW - A Single Shade of Gray
DESCRIPTION
What is the difference between NGFW and UTM and who are the players in the market? Find out as Anitian explores the origin of these technologies and offers up advice on how to deploy your UTM / NGFW solutions.
TRANSCRIPT
intelligent information securityANITIAN
NGFW VS UTM: A SINGLE SHADE OF GRAY
Revised September 2014
Overview
Intent
• Establish Unified Threat Management (UTM) and Next-Generation Firewall (NGFW) as the same technology
• Help you understand these products, the market and how they are used
• Educate you; Anitian does not sell these products
Outline
• Background
• The Players
• Deployment Options for UTM/NGFW
• Implementation Challenges

Speaker: Andrew Plato
• President / CEO of Anitian
• 20 years of experience in IT & security
• Completed thousands of security assessments & projects
• Discovered SQL injection attack tactic in 1995
• Helped develop first in-line IPS engine (BlackICE)
• Co-developed RiskNow™ - Rapid Risk Assessment approach
• Championed movement toward practical, pragmatic information security solutions

We enlighten, protect and empower great security leaders.
We believe security will make the world a better place.
• Security is necessary for innovation and growth
• Security can be empowering when it is practical and pragmatic
• Good security comes from rational, scientific methods of analysis

Premises & Assumptions
• Most of our experience is with Fortinet, Palo Alto, Juniper and Cisco products
• We have direct experience with over 500 deployments
• We have audited hundreds of NGFW/UTM deployments
• Anitian is not a VAR, we do not sell any of these products
• Anitian has no financial interest in any of these vendors
• We believe the best NGFW/UTM product is the one implemented, managed and audited correctly

NGFW VS UTM: MARKET OVERVIEW
Origin of the Words
• Unified Threat Management (UTM) sprang up as a term in about 2004 from the research company IDC
• Defined an emerging class of products that combined multiple security features
• Next-Generation Firewall (NGFW) sprang up in about 2011 with Gartner and Palo Alto Networks championing this term
• Claimed uniqueness as a technology due to application control
• Anitian challenged this sleight of hand in our blog entry: http://blog.anitian.com/utm-v-ngfw-a-single-shade-of-gray/

UTM Definition
UTM security appliance products include multiple security features integrated into one box. To be included in this category, as opposed to other segments, the appliance MUST contain the ability to perform network firewalling, network intrusion detection and prevention, and gateway antivirus (AV). All of the capabilities in the appliance need not be utilized, but the functions must exist inherently in the appliance. In these products, the individual components cannot be separated.
Source: IDC, Worldwide Threat Management Security Appliances 2004-2008 Forecast and 2003 Vendor Shares: The Rise of the Unified Threat Management Security Appliance © 2004
TL;DR – A Firewall with expanded security capabilities.

NGFW Definition
A class of firewalls designed to filter network and Internet traffic based upon the applications or traffic types using specific ports. The application-specific granular security policies provided by Next Generation Firewalls help them detect application-specific attacks, giving them the potential to catch more malicious activity than more traditional firewalls.
Next Generation Firewalls (NGFWs) blend the features of a standard firewall with quality of service (QoS) functionalities in order to provide smarter and deeper inspection. In many ways a Next Generation Firewall combines the capabilities of first-generation network firewalls and network intrusion prevention systems (IPS), while also offering additional features such as SSL and SSH inspection, reputation-based malware filtering and Active Directory integration support.
Source: Webopedia
TL;DR – A Firewall with expanded security capabilities.

Gartner Says
As the firewall market evolves from stateful firewalls to NGFWs, other security functions (such as network IPSs) and full-stack inspection, including applications, will also be provided within an NGFW. The NGFW market will eventually subsume the majority of the stand-alone network IPS appliance market at the enterprise edge… Although firewall/VPN and IPS are converging (and sometimes URL filtering), other security products are not. All-in-one or unified threat management (UTM) products are suitable for SMBs but not for the enterprise: Gartner forecasts that this separation will continue until at least 2015. Branch office firewalls are becoming specialized products, diverging from the SMB products.
Source: Magic Quadrant for Enterprise Firewalls, December 14, 2011
TL;DR: NGFW are firewalls with expanded security capabilities, but totally not UTM

UTM = NGFW
Conclusions
• NGFW and UTM are identical technologies
• Changing words does not change the underlying technology
• Firewalls are adding new capabilities, and that is good
• Quality of players is variable
• Application identification is not unique, special or new
• Be careful, words can be used to deceive and mislead
• Beware of the phrase “the only”; it's rarely true
• Analysts have agendas, and they rarely disclose them

THE PLAYERS
UTM Market Share 2012
Rank  Company          Share
1     Fortinet         18.9%
2     CheckPoint       17.8%
3     Sonicwall        9.3%
4     Juniper          5.8%
5     Cisco            5.4%
6     WatchGuard       5.1%
7     McAfee           4.2%
8     Sophos (Astaro)  2.2%
9     Others           31.3%
Source: IDC Worldwide UTM Market Share June 2012, the most recent and reliable data we could find
<- ??? PAN, Stonesoft, Barracuda, HP, etc.
NGFW Market Share
This space intentionally left blank** because there are no market share reports!!!!
Anitian’s Estimated Market Share
This is our best guess at the current UTM/NGFW combined market share
Rank  Company     Share
1     Cisco       20%
2     Fortinet    15%
2     Juniper     15%
2     Palo Alto   15%
3     CheckPoint  10%
3     SonicWall   10%
-     Others      15%

UTM/NGFW Players
The Leaders
• Checkpoint
• Fortinet
• Palo Alto Networks
The Challengers
• Dell Sonicwall
• Sophos
• Cisco / Sourcefire
The Uncompetitive
• Juniper
• McAfee / Stonesoft
• WatchGuard
Rookies
• Barracuda

The Leaders - Checkpoint
• Excellent management platform
• Diverse platform set
• Willingness to play dirty
• Loyal customer base
• Milking the life out of those loyal customers
• Aging technology and platforms
• Expensive, complex licensing
• CHKP: $1.4B revenue, $13.5B market cap

The Leaders - Fortinet
• Outstanding performance
• Broad range of products
• Massive R&D, brilliant engineering team
• Unified stack (hardware/software/content)
• Affordable, simple licensing
• Lots of third-party certifications
• Terrible marketing and sales efforts
• Central management & reporting is mediocre
• Inconsistent support
• Management turnover is distracting
• FTNT: $685M revenue, $4.3B market cap

The Leaders – Palo Alto Networks
• “Apple-esque” brand buzz
• Stellar business leadership and maturity
• Novel approach to application control
• Excellent AD integration
• Good reporting
• Questionable performance claims
• Overzealous, but extremely effective marketing
• Minimal third-party certifications
• Infuriating commit process
• Ultra-premium pricing
• PANW: $598M in revenue, $7.7B market cap

The Challengers
Sonicwall
• Impressive performance
• Good NSS reviews
• Dell ownership is a negative
• Fragmented development
Sophos
• Good feature set at a good price
• Solid strategic vision
• Poor name recognition
• Solid SMB solution, weak enterprise position

The Challengers
Cisco / SourceFire
• SourceFire has excellent accuracy, reputation, and smart people
• Cisco has gobs of money, power, and market share
• Put together, this has the promise of something great
• Still a work in progress

The Uncompetitive
Juniper
• Security is not a priority for them
• Coasts on market share alone
McAfee
• Stonesoft purchase is interesting
• Intel buyout has been very negative
Watchguard
• A business case in how not to run a security company
• Archaic, underperforming platform

The Rookies
• Barracuda
• Positive reviews
• Low rent marketing, sales, and channel engagement
• Questionable performance and feature set

DEPLOYMENT OPTIONS
Point Products Are Dying
• Point products create excessive administrative overhead
• Causes mistakes and security vulnerabilities
• Training and ramping challenges
• Interdependence between technology vendors
• Lack of integration
• Lack of cohesion among security data
• Multiple point of failure problem is minimized
• Difficulty in virtualizing
• Unifying to a common security platform creates a more efficient, seamless environment

Single Platform – Multiple Deployments
• Traditional Firewall / VPN
• IDS/IPS*
• Web Filter & Application Control *
• Web Proxy / Reverse Proxy / Caching
• Core Firewall*
• SSL-VPN
• Remote Endpoint
• Wireless Networking
• BYOD Networks
• Virtualized security *
• SSL inspection / scanning

IDS / IPS
• Well suited to this task
• UTM/NGFW is consuming the IDS/IPS market
• Traditional point players are underperforming UTM/NGFW products
• NSS Report for IPS had Sourcefire as top spot for detection accuracy (no surprise there)
• CheckPoint & Fortinet were close behind
• PAN was the weakest of the NGFW products
• TippingPoint, Juniper and IBM-ISS were the weakest of all products tested!

Web Filter / Application Control / Web Proxy
• Web filtering is commodity
• User integration is strong for the leaders
• Application control is tricky to implement
• Blacklisting is always easier than whitelisting applications
• Integrating gateway AV is good
• Proxy support is good among most platforms
• WCCP never works
• Reporting is challenging

Core Firewall
• Ideal role for UTM/NGFW
• Can provide internal segmentation
• Terminate VLANs to control access
• Implement IDS/IPS & Application Monitoring
• Watch out for performance issues, buy big
• Huge security benefits
• Virtualize core firewalls to provide business-unit segmentation

Virtualized Security
• All of the leaders and some of the others have fully virtualized their platforms
• Allows a seamless transition from on-premise to cloud
• Ideal for PCI or HIPAA compliance segmentation
• Create multiple security zones in a single hypervisor

IMPLEMENTATION CHALLENGES
Challenges / Solutions
Intra-department turf battles?
• Define management and architecture roles early
Different teams managing different components?
• Use access controls to break up management or virtualize devices to perform different functions
Performance concerns?
• Buy way more than you need, deploy in a cluster
Single point of failure concerns?
• Buy an HA pair, deploy active-active cluster
Accuracy concerns?
• NSS Labs has proven UTM/NGFW is MORE accurate
10GB!!!!
• Spendy, but all platforms have 10GB solutions

Challenges / Solutions
UTM is for small business, NGFW is for enterprise!
• Pointless differentiator, the two are the same
But only _____ can do _____!
• Differences between the players are all pretty minor
• It basically comes down to performance, price and usability
My boss told me to get a ______!
• Be wary of any manager who mandates a vendor. Picking a technology based on free lunches from a VAR is about the worst possible way to select a product.
Too expensive!
• When you collapse point products to a common platform it can save a lot of money

QUESTIONS
Thank You
EMAIL: [email protected]
anitian.com
TWITTER: @andrewplato @AnitianSecurity
BLOG: blog.anitian.com
SLIDES: http://bit.ly/anitian
CALL: 888-ANITIAN