Putting the UTM vs. NGFW Confusion to Bed – Why UTM Layered Security is Your Best Defense
As humans, we want to create clean-cut categories for things to help us differentiate and understand complex topics. The security industry is a fantastic representation of this trend, with well-known categories like IAM, UTM, NGFW, MFA, EDR, all creating a confusing alphabet soup.
The main problem with this is that things are always changing. New threats spur responsive innovation and fresh technology with unique security capabilities. These features can be fluid and don’t always fit neatly into the predetermined groupings we’ve already created.
Quite possibly the best example of this dilemma would be the ongoing debate between Next Generation Firewalls (NGFW) and Unified Threat Management (UTM). With similar features and use cases, many end customers – and even industry analysts – have trouble making distinctions or decisions between the two.
The Confusion Between NGFW and UTM Products has Gone on Long Enough
When these two product segments were first defined, there were obvious feature differentiators – NGFW appliances were firewalls which included intrusion prevention systems (IPS) and application control, and UTM appliances were firewalls with IPS, antivirus (AV), URL filtering, and anti-spam capabilities. Since that time, products in both segments have advanced to the point that the line between the two has become blurred. In fact, solutions from both categories have an incredibly similar set of core features; many NGFWs have added security controls like malware detection, while most UTMs have adopted all of the security features that originally defined the NGFW market.
While the feature set cross-over between NGFWs and UTMs does make it difficult to distinguish products from one another, I’d like to offer a clear explanation of the key differentiator of UTMs and why I believe they measurably increase security efficacy:
UTM solutions focus on unifying as many security controls as possible in one place, making them easier and more cost-effective to manage. NGFW solutions focus on consolidating only a limited subset of controls; specifically, ones that make the most sense in certain use cases, such as a big data center environment. In plain English, UTM solutions tend to include more types of security controls than NGFWs.
To put it simply, the key upside of a UTM is that it combines various security controls in one place, increasing your overall security posture, and making layered security attainable for some organizations that couldn’t implement it otherwise.
There are Two Key Reasons UTM Layered Security Offers a Better Defense
1. No Single Security Control is Infallible
History has proven that every time the security industry invents a new control to block an attack, hackers respond with new ways to evade those defenses. Antivirus (AV) is a great example of this. The industry started with signature-based solutions that originally did a good job, but eventually the bad guys evolved and developed new evasion techniques that bypassed reactive signature-based solutions. Today, attackers are already exploring ways to trick our newest behavior-based AV solutions. The point is, no matter how great a security control might seem, attackers will find ways around it, making it all the more important to have additional layers of security that UTM appliances provide.
2. There are Different Stages to Modern, Blended Attacks
Modern network attacks can be broken down into multiple stages. For example, the initial attack delivery, the exploit portion of the attack, the payload or malware delivery, the call home to the attacker, etc. Each of these stages presents an additional opportunity for security teams to thwart an attack. If the first stage flies under the radar, the second might not. Each of these stages also requires a different type of defense. Modern UTM solutions incorporate all of the different types of defenses necessary for each stage of an attack.
To put this into better perspective, let’s walk through a real world example:
Today, drive-by downloads (DbD) are a very common attack. A bad guy entices you to a malicious web site, which leverages flaws to silently install a trojan on your computer, and next thing you know, some guy in Ukraine has your company’s sensitive data. Let’s walk through a few stages of this attack:
- Stage one: The bad guy needs to entice you to a site with malicious code. WatchGuard has URL filtering security controls like WebBlocker and Reputation Enabled Defense (RED), both of which dynamically track and block the bad domains and IPs attackers use. In many cases, this prevents the first stage of this attack. However, using technical tricks like botnets, DGAs, and Fast Flux DNS, attackers constantly refresh the domains they use, so URL filtering sometimes misses.
- Stage two: Once the victim reaches the attacker’s website, the site usually needs to exploit a software vulnerability to force the victim’s computer to do something, such as download malware. For this stage, WatchGuard’s IPS kicks in and has a chance of recognizing and blocking the exploit the attacker’s site uses. But what if it’s a brand new attack, and the IPS misses it?
- Stage three: To gain persistent access to a victim machine, successful exploits try to deliver a payload or some sort of malware. At this stage, AV or advanced malware solutions might kick in and recognize and block the malware before it’s installed. However, like the previous defenses, some sophisticated advanced malware variants can evade certain levels of antivirus solutions.
- Stage four: If the malware does successfully infect a victim, it usually calls home on a “command & control” channel. Here again, security controls like WatchGuard’s WebBlocker can potentially catch this communication, preventing the attacker from gaining access to the victim even if the attack worked.
This example would continue all the way until the attacker steals your data.
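To make the stage-by-stage argument concrete, here is a small added model (not WatchGuard code, and not part of the original post) that runs a constructed drive-by attempt through four independent checks in attack order, reports which layer stops it, and computes the chance an attack slips past every layer given per-layer miss rates. All domains, signature names, hashes and miss rates are constructed placeholders; the two-layer slice stands in for a product with a narrower control set.

```python
"""Layered inspection across the four drive-by-download stages (constructed example)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed indicator feeds standing in for URL filtering, IPS, AV and C2 blocklists.
# Illustrative values only, not real indicators.
BLOCKED_DOMAINS = {"known-bad-landing.example", "known-c2.example"}
IPS_SIGNATURES = {"browser-plugin-exploit-sig"}       # exploits the IPS has a signature for
AV_HASHES = {"sha256:constructed-known-trojan-hash"}  # payloads the AV already knows


@dataclass(frozen=True)
class DriveByAttempt:
    landing_domain: str   # stage one: where the victim is lured
    exploit_name: str     # stage two: what the site fires at the browser
    payload_hash: str     # stage three: the malware dropped on success
    c2_domain: str        # stage four: where the implant calls home


# Each layer answers one question: does this control block the attempt?
def url_filter(a: DriveByAttempt) -> bool:
    return a.landing_domain in BLOCKED_DOMAINS

def ips(a: DriveByAttempt) -> bool:
    return a.exploit_name in IPS_SIGNATURES

def antivirus(a: DriveByAttempt) -> bool:
    return a.payload_hash in AV_HASHES

def c2_filter(a: DriveByAttempt) -> bool:
    return a.c2_domain in BLOCKED_DOMAINS

Layer = Tuple[str, Callable[[DriveByAttempt], bool]]
ALL_LAYERS: List[Layer] = [("stage1-url-filter", url_filter), ("stage2-ips", ips),
                           ("stage3-av", antivirus), ("stage4-c2-filter", c2_filter)]


def inspect(attempt: DriveByAttempt, layers: List[Layer]) -> Optional[str]:
    """Run the layers in attack order; return the first layer that blocks, or None."""
    for name, check in layers:
        if check(attempt):
            return name
    return None


def bypass_probability(miss_rates: List[float]) -> float:
    """Chance an attack slips past every layer, assuming each layer misses independently."""
    p = 1.0
    for m in miss_rates:
        p *= m
    return p


# Constructed attempt: fresh landing domain, unseen exploit and payload, but a reused C2 domain.
FRESH_ATTEMPT = DriveByAttempt("dga-xq7z.example", "unseen-exploit",
                               "sha256:unknown", "known-c2.example")
```

With only the first two layers, `FRESH_ATTEMPT` is never blocked; with all four it is stopped at the call-home stage, which is the page’s point that a later layer can catch what earlier ones miss. Note the independence assumption in `bypass_probability`: a brand new exploit that evades both signature-based layers at once makes the real bypass chance higher than the product suggests.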
At WatchGuard we care less about what you call the particular types of security solutions on the market – UTM, multi-layered security, NGFW, etc. – and more about the fact that you have a mechanism to catch all the various stages of a modern network attack. By layering these protections together, you give yourself multiple opportunities to block the threats that face your company.
Some have claimed that defense-in-depth, or layered security, is dead. They make this declaration out of frustration, because lately we’ve seen so many organizations become compromised despite having defenses in place.
Although breaches can, and will, still happen, layered security with a UTM is the most comprehensive way to successfully block an attack, even if one layer of security happens to miss. To improve your organization’s overall security posture, put the NGFW vs. UTM debate to bed and go with a UTM appliance.