UTM vs NGFW - A Single Shade of Gray


Upload: anitian

Post on 19-May-2015

DESCRIPTION

What is the difference between NGFW and UTM and who are the players in the market? Find out as Anitian explores the origin of these technologies and offers up advice on how to deploy your UTM / NGFW solutions.

TRANSCRIPT

Page 1: UTM vs NGFW - A Single Shade of Gray

intelligent information security ANITIAN

NGFW VS UTM: A SINGLE SHADE OF GRAY

Revised September 2014

Page 2: UTM vs NGFW - A Single Shade of Gray

Overview

Intent
• Establish Unified Threat Management (UTM) and Next-Generation Firewall (NGFW) as the same technology
• Help you understand these products, the market and how they are used
• Educate you; Anitian does not sell these products

Outline
• Background
• The Players
• Deployment Options for UTM/NGFW
• Implementation Challenges

Page 3: UTM vs NGFW - A Single Shade of Gray

Speaker: Andrew Plato
• President / CEO of Anitian
• 20 years of experience in IT & security
• Completed thousands of security assessments & projects
• Discovered SQL injection attack tactic in 1995
• Helped develop first in-line IPS engine (BlackICE)
• Co-developed RiskNow™ - Rapid Risk Assessment approach
• Championed movement toward practical, pragmatic information security solutions

Page 4: UTM vs NGFW - A Single Shade of Gray

We enlighten, protect and empower great security leaders.

We believe security will make the world a better place.
• Security is necessary for innovation and growth
• Security can be empowering when it is practical and pragmatic
• Good security comes from rational, scientific methods of analysis

Page 5: UTM vs NGFW - A Single Shade of Gray

Premises & Assumptions
• Most of our experience is with Fortinet, Palo Alto, Juniper and Cisco products
• We have direct experience with over 500 deployments
• We have audited hundreds of NGFW/UTM deployments
• Anitian is not a VAR, we do not sell any of these products
• Anitian has no financial interest in any of these vendors
• We believe the best NGFW/UTM product is the one implemented, managed and audited correctly

Page 6: UTM vs NGFW - A Single Shade of Gray

NGFW VS UTM: MARKET OVERVIEW

Page 7: UTM vs NGFW - A Single Shade of Gray

Origin of the Words
• Unified Threat Management (UTM) sprang up as a term in about 2004 from the research company IDC
• Defined an emerging class of products that combined multiple security features
• Next-Generation Firewall (NGFW) sprang up in about 2011 with Gartner and Palo Alto Networks championing this term
• Claimed uniqueness as a technology due to application control
• Anitian challenged this sleight of hand in our blog entry: http://blog.anitian.com/utm-v-ngfw-a-single-shade-of-gray/

Page 8: UTM vs NGFW - A Single Shade of Gray

UTM Definition

UTM security appliance products include multiple security features integrated into one box. To be included in this category, as opposed to other segments, the appliance MUST contain the ability to perform network firewalling, network intrusion detection and prevention, and gateway antivirus (AV). All of the capabilities in the appliance need not be utilized, but the functions must exist inherently in the appliance. In these products, the individual components cannot be separated.

Source: IDC, Worldwide Threat Management Security Appliances 2004-2008 Forecast and 2003 Vendor Shares: The Rise of the Unified Threat Management Security Appliance © 2004

TL;DR – A Firewall with expanded security capabilities.

Page 9: UTM vs NGFW - A Single Shade of Gray

NGFW Definition

A class of firewalls designed to filter network and Internet traffic based upon the applications or traffic types using specific ports. The application-specific granular security policies provided by Next Generation Firewalls help them detect application-specific attacks, giving them the potential to catch more malicious activity than more traditional firewalls.

Next Generation Firewalls (NGFWs) blend the features of a standard firewall with quality of service (QoS) functionalities in order to provide smarter and deeper inspection. In many ways a Next Generation Firewall combines the capabilities of first-generation network firewalls and network intrusion prevention systems (IPS), while also offering additional features such as SSL and SSH inspection, reputation-based malware filtering and Active Directory integration support.

Source: Webopedia

TL;DR – A Firewall with expanded security capabilities.

Page 10: UTM vs NGFW - A Single Shade of Gray

Gartner Says

As the firewall market evolves from stateful firewalls to NGFWs, other security functions (such as network IPSs) and full-stack inspection, including applications, will also be provided within an NGFW. The NGFW market will eventually subsume the majority of the stand-alone network IPS appliance market at the enterprise edge… Although firewall/VPN and IPS are converging (and sometimes URL filtering), other security products are not. All-in-one or unified threat management (UTM) products are suitable for SMBs but not for the enterprise: Gartner forecasts that this separation will continue until at least 2015. Branch office firewalls are becoming specialized products, diverging from the SMB products.

Source: Magic Quadrant for Enterprise Firewalls, December 14, 2011

TL;DR: NGFW are firewalls with expanded security capabilities, but totally not UTM

Page 11: UTM vs NGFW - A Single Shade of Gray

UTM = NGFW

Page 12: UTM vs NGFW - A Single Shade of Gray

Conclusions
• NGFW and UTM are identical technologies
• Changing words does not change the underlying technology
• Firewalls are adding new capabilities, and that is good
• Quality of players is variable
• Application identification is not unique, special or new
• Be careful, words can be used to deceive and mislead
• Beware of the phrase “the only”; it's rarely true
• Analysts have agendas, and they rarely disclose them

Page 13: UTM vs NGFW - A Single Shade of Gray

THE PLAYERS

Page 14: UTM vs NGFW - A Single Shade of Gray

UTM Market Share 2012

Rank  Company          Share
1     Fortinet         18.9%
2     CheckPoint       17.8%
3     Sonicwall        9.3%
4     Juniper          5.8%
5     Cisco            5.4%
6     WatchGuard       5.1%
7     McAfee           4.2%
8     Sophos (Astaro)  2.2%
9     Others           31.3%  <- ??? PAN, Stonesoft, Barracuda, HP, etc.

Source: IDC Worldwide UTM Market Share June 2012, the most recent and reliable data we could find

Page 15: UTM vs NGFW - A Single Shade of Gray

NGFW Market Share

This space intentionally left blank*

* because there are no market share reports!!!!

Page 16: UTM vs NGFW - A Single Shade of Gray

Anitian’s Estimated Market Share

This is our best guess at the current UTM/NGFW combined market share

Rank  Company     Share
1     Cisco       20%
2     Fortinet    15%
2     Juniper     15%
2     Palo Alto   15%
3     CheckPoint  10%
3     SonicWall   10%
-     Others      15%

Page 17: UTM vs NGFW - A Single Shade of Gray

UTM/NGFW Players

The Leaders
• Checkpoint
• Fortinet
• Palo Alto Networks

The Challengers
• Dell Sonicwall
• Sophos
• Cisco / Sourcefire

The Uncompetitive
• Juniper
• McAfee / Stonesoft
• WatchGuard

Rookies
• Barracuda

Page 18: UTM vs NGFW - A Single Shade of Gray

The Leaders - Checkpoint
• Excellent management platform
• Diverse platform set
• Willingness to play dirty
• Loyal customer base
• Milking the life out of those loyal customers
• Aging technology and platforms
• Expensive, complex licensing
• CHKP: $1.4B revenue, $13.5B market cap

Page 19: UTM vs NGFW - A Single Shade of Gray

The Leaders - Fortinet
• Outstanding performance
• Broad range of products
• Massive R&D, brilliant engineering team
• Unified stack (hardware/software/content)
• Affordable, simple licensing
• Lots of third-party certifications
• Terrible marketing and sales efforts
• Central management & reporting is mediocre
• Inconsistent support
• Management turnover is distracting
• FTNT: $685M revenue, $4.3B market cap

Page 20: UTM vs NGFW - A Single Shade of Gray

The Leaders – Palo Alto Networks
• “Apple-esque” brand buzz
• Stellar business leadership and maturity
• Novel approach to application control
• Excellent AD integration
• Good reporting
• Questionable performance claims
• Overzealous, but extremely effective marketing
• Minimal third-party certifications
• Infuriating commit process
• Ultra-premium pricing
• PANW: $598M in revenue, $7.7B market cap

Page 21: UTM vs NGFW - A Single Shade of Gray

The Challengers

Sonicwall
• Impressive performance
• Good NSS reviews
• Dell ownership is a negative
• Fragmented development

Sophos
• Good feature set at a good price
• Solid strategic vision
• Poor name recognition
• Solid SMB solution, weak enterprise position

Page 22: UTM vs NGFW - A Single Shade of Gray

The Challengers

Cisco / SourceFire
• SourceFire has excellent accuracy, reputation, and smart people
• Cisco has gobs of money, power, and market share
• Put together, this has the promise of something great
• Still a work in progress

Page 23: UTM vs NGFW - A Single Shade of Gray

The Uncompetitive

Juniper
• Security is not a priority for them
• Coasts on market share alone

McAfee
• Stonesoft purchase is interesting
• Intel buyout has been very negative

Watchguard
• A business case in how not to run a security company
• Archaic, underperforming platform

Page 24: UTM vs NGFW - A Single Shade of Gray

The Rookies

Barracuda
• Positive reviews
• Low rent marketing, sales, and channel engagement
• Questionable performance and feature set

Page 25: UTM vs NGFW - A Single Shade of Gray

DEPLOYMENT OPTIONS

Page 26: UTM vs NGFW - A Single Shade of Gray

Point Products Are Dying
• Point products create excessive administrative overhead
• Causes mistakes and security vulnerabilities
• Training and ramping challenges
• Interdependence between technology vendors
• Lack of integration
• Lack of cohesion among security data
• Multiple point of failure problem is minimized
• Difficulty in virtualizing

• Unifying to a common security platform creates a more efficient, seamless environment

Page 27: UTM vs NGFW - A Single Shade of Gray

Single Platform – Multiple Deployments
• Traditional Firewall / VPN
• IDS/IPS*
• Web Filter & Application Control*
• Web Proxy / Reverse Proxy / Caching
• Core Firewall*
• SSL-VPN
• Remote Endpoint
• Wireless Networking
• BYOD Networks
• Virtualized security*
• SSL inspection / scanning

Page 28: UTM vs NGFW - A Single Shade of Gray

IDS / IPS
• Well suited to this task
• UTM/NGFW is consuming the IDS/IPS market
• Traditional point players are underperforming UTM/NGFW products
• NSS Report for IPS had Sourcefire as top spot for detection accuracy (no surprise there)
• CheckPoint & Fortinet were close behind
• PAN was the weakest of the NGFW products
• TippingPoint, Juniper and IBM-ISS were the weakest of all products tested!

Page 29: UTM vs NGFW - A Single Shade of Gray

Web Filter / Application Control / Web Proxy
• Web filtering is commodity
• User integration is strong for the leaders
• Application control is tricky to implement
• Blacklisting is always easier than whitelisting applications
• Integrating gateway AV is good
• Proxy support is good among most platforms
• WCCP never works
• Reporting is challenging

Page 30: UTM vs NGFW - A Single Shade of Gray

Core Firewall
• Ideal role for UTM/NGFW
• Can provide internal segmentation
• Terminate VLANs to control access
• Implement IDS/IPS & Application Monitoring
• Watch out for performance issues, buy big
• Huge security benefits
• Virtualize core firewalls to provide business-unit segmentation

Page 31: UTM vs NGFW - A Single Shade of Gray

Virtualized Security
• All of the leaders and some of the others have fully virtualized their platforms
• Allows a seamless transition from on-premise to cloud
• Ideal for PCI or HIPAA compliance segmentation
• Create multiple security zones in a single hypervisor

Page 32: UTM vs NGFW - A Single Shade of Gray

IMPLEMENTATION CHALLENGES

Page 33: UTM vs NGFW - A Single Shade of Gray

Challenges / Solutions

Intra-department turf battles?
• Define management and architecture roles early

Different teams managing different components?
• Use access controls to break up management or virtualize devices to perform different functions

Performance concerns?
• Buy way more than you need, deploy in a cluster

Single point of failure concerns?
• Buy an HA pair, deploy active-active cluster

Accuracy concerns?
• NSS Labs has proven UTM/NGFW is MORE accurate

10GB!!!!
• Spendy, but all platforms have 10GB solutions

Page 34: UTM vs NGFW - A Single Shade of Gray

Challenges / Solutions

UTM is for small business, NGFW is for enterprise!
• Pointless differentiator, the two are the same

But only _____ can do _____!
• Differences between the players are all pretty minor
• It basically comes down to performance, price and usability

My boss told me to get a ______!
• Be wary of any manager who mandates a vendor. Picking a technology based on free lunches from a VAR is about the worst possible way to select a product.

Too expensive!
• When you collapse point products to a common platform it can save a lot of money

Page 35: UTM vs NGFW - A Single Shade of Gray

QUESTIONS


Page 36: UTM vs NGFW - A Single Shade of Gray

Thank You

EMAIL: [email protected]: anitian.com
TWITTER: @andrewplato @AnitianSecurity
BLOG: blog.anitian.com
SLIDES: http://bit.ly/anitian
CALL: 888-ANITIAN