UTM vs. NGFW - One Shade of Gray

Original author: Andrew Plato
  • Translation
I stumbled upon the blog of Andrew Plato, president of Anitian Enterprise Security, a man with 20 years of experience in information security. In his blog, Andrew raises an interesting topic: the concept of "Next Generation Firewalls," the so-called NGFW. According to him, industry analysts such as Gartner and firewall vendors such as Palo Alto Networks claim that NGFW will change the network security market and supplant traditional access-protection products, i.e. Unified Threat Management (UTM). In addition, NGFW vendors position their products as the "next big step" in the evolution of network security systems.

Since the original is in English, I quote the translation below the cut.




So why is NGFW so revolutionary? What makes NGFW different from UTM?


Nothing. There is no difference between UTM and NGFW. They are the same technologies with the same capabilities, which simply began to be sold and advertised as if they were different. Moreover, there is nothing unique or revolutionary about next-generation firewalls: they are ordinary firewalls with expanded functionality. In other words, NGFW is UTM.

What is really interesting is how Gartner and the vendors lined up to create a whole class of fabricated products. Frankly, this is an ancient tactic: changing the subject. Politicians have resorted to it since the Roman Empire. The process is quite simple:

1. You have a product (or candidate) that does not quite meet the competition. It lacks functionality or has negative aspects.
2. Instead of addressing these shortcomings directly, you start a new conversation to distract attention from them.
3. You focus the discussion solely on the "new" conversation and dismiss the old issue as outdated, irrelevant, or of concern only to a small part of society.
4. Feed all of this to the media echo chamber (or industry analysts) and keep repeating it until everyone is sick of it.

Then you watch the old topic dissolve into the new one: everyone wants to discuss the new issues and considers discussion of the old problem pointless. The media echo chamber, or in this case Gartner's industry analysts, is critical to the job. You need to position your new product so that the memory of the old problem sinks into oblivion.


When unified threat management (UTM) appeared on the market, the products of the traditional network and information security vendors did not keep up with the trend. Their dependence on legacy code and on corporate customers suppressed innovation. Their first attempts to break into the multifunction security appliance market were rather ineffective; Check Point and Juniper are examples. Their early appliances were clumsy and underpowered, and significantly inferior to the more innovative products of companies such as Fortinet and Astaro.

In addition, these vendors, as well as newcomers such as Sourcefire and Palo Alto Networks, lacked the intellectual property to compete across such a range of capabilities. They had no good antivirus, anti-spam, or URL filtering engine.

Essentially, instead of competing, they simply repositioned. The first step was to confine UTM to the small business market. Gartner, never missing an opportunity to sell more reports, soon introduced the Enterprise Firewall category, which of course was intended for all of these next-generation devices. UTM was relegated to discussions of small business and managed services. The next step: introduce NGFW as a unique, special kind of firewall. Thus NGFW was presented as the next step beyond stateful packet inspection. Some vendors went so far as to announce that the stateful packet inspection in their NGFW was absolutely unique and new, which of course was not the case.

It is surprising how readily the industry accepted this trick. Vendors changed the subject of the firewall conversation without actually changing the technology. Gartner reinforced the overall picture to convince customers. And customers swallowed the bait. NGFW marketing has been extremely effective.

So as not to be unfounded, consider the feature sets of the products of Palo Alto Networks, Check Point, Sourcefire and McAfee, the so-called NGFWs, i.e. next generation firewalls. Type "next generation firewall" into Google and you will see these four products come up first. Now type "unified threat management" and you will see SonicWall, WatchGuard, Fortinet, Sophos (Astaro) and a few other smaller vendors. Compare these products. Add Juniper and Cisco as well, since they are well known and tend to play on both fronts.



Have you noticed anything? The functionality is the same. The only noticeable difference is the inclusion of email protection, which the Palo Alto Networks and Sourcefire products lack. But one could argue that their antivirus and other components provide email protection anyway.

Of course, NGFW vendors will claim uniqueness and point out that their products can detect applications on any port. In fact, such statements turn out to be empty as soon as you realize that this is just another marketing ploy. For example, Palo Alto Networks claims that its App-ID is unique. Not at all: other products have supported application identification for ages. Sourcefire emphasizes that the intrusion prevention system (IPS) built into its NGFW has no equal. This is not true: a great many products include IPS engines that detect intrusions or security breaches and automatically block them. Decryption, authentication, content inspection: none of these functions is unique to UTM.

The similarity of UTM and NGFW does not mean that all these products are identical in their capabilities. Each vendor has its advantages and disadvantages, and the quality and performance of these products vary greatly. But strictly in terms of functionality, they are the same. Differences in how they approach application scanning, antivirus or intrusion prevention may explain differences in performance or accuracy, but that does not change the fact that the basic feature set is the same for all of them.

Now consider the definition of NGFW that Gartner gave in its Magic Quadrant for Enterprise Firewalls of December 14, 2011.

As the firewall market evolves from stateful firewalls to next-generation firewalls, other security functions (such as an intrusion prevention system) and full-stack inspection, including applications, will also be provided within the NGFW. Sooner or later, the NGFW market will include most standalone intrusion prevention system appliances. However, this will not happen instantly, since many enterprise firewall vendors have IPS in their products that makes them competitive with standalone IPS solutions, and they undoubtedly oppose the integration of functions, combining them instead in a single device. Although firewall/VPN and IPS (and sometimes URL filtering) are converging, other security products are not. All-in-one or unified threat management (UTM) products are suitable for small and medium-sized businesses, but not for enterprises: Gartner forecasts that this separation will last at least until 2015. Firewalls designed for branch offices are becoming a specialized product, separating from products for small and medium-sized businesses.

There are many problems with this definition. First, the industry is not evolving from stateful firewalls to something else. Stateful inspection is a component of every UTM and NGFW on the market; it cannot be removed or replaced. Moreover, there is nothing new or innovative in analyzing packets in the context of their connection state. Every firewall on the planet worth mentioning has been filtering packets based on connection state for many years.
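To make concrete the two commodity features argued over above (application identification "on any port" and stateful inspection), here is an added example; it is not part of the original post and is not any vendor's code. It is a toy Python packet filter over constructed traffic: a flow table that admits return packets only for connections an inside host opened, plus identification of HTTP, TLS and SSH from the first payload bytes without consulting the port, so that a policy can block SSH tunnelled over 443. The Packet class, the assumption that 10.x.x.x is the inside network, the block list and the sample packets are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Example only: a toy stateful firewall with port-independent application
# identification. Not vendor code; all names and sample traffic are assumed.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    flags: str = ""     # TCP flags as letters, e.g. "S", "SA", "A", "F", "R"
    payload: bytes = b""


HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def identify_app(payload: bytes) -> Optional[str]:
    """Classify a flow from its first payload bytes; the port is never consulted."""
    if not payload:
        return None
    if payload.startswith(b"SSH-"):                       # SSH identification string
        return "ssh"
    if payload[:1] == b"\x16" and payload[1:3] in (b"\x03\x01", b"\x03\x02", b"\x03\x03"):
        return "tls"                                      # TLS handshake record header
    head = payload.split(b"\r\n", 1)[0]                   # first request line
    if head.endswith((b" HTTP/1.1", b" HTTP/1.0")) and head.split(b" ")[0] in HTTP_METHODS:
        return "http"
    return None


def flow_key(p: Packet):
    """Direction-independent key so a reply matches the entry its request created."""
    return (p.proto, frozenset(((p.src, p.sport), (p.dst, p.dport))))


class StatefulFilter:
    """Allow inside-initiated flows and their replies; drop unsolicited inbound
    traffic and any flow whose identified application is on the block list."""

    def __init__(self, internal_prefix: str = "10.", blocked_apps=("ssh",)):
        self.internal_prefix = internal_prefix   # assumed: 10.x.x.x is "inside"
        self.blocked_apps = set(blocked_apps)
        self.flows: Dict[tuple, dict] = {}        # flow key -> state record

    def process(self, p: Packet) -> str:
        key = flow_key(p)
        flow = self.flows.get(key)
        if flow is None:
            # No state yet: only an inside host may open a new flow, and a new
            # TCP flow must begin with SYN. Anything else is unsolicited.
            if not p.src.startswith(self.internal_prefix):
                return "DROP unsolicited inbound"
            if p.proto == "tcp" and p.flags != "S":
                return "DROP tcp packet without SYN for unknown flow"
            self.flows[key] = {"state": "new", "initiator": p.src, "app": None}
            return "ALLOW new outbound"
        # A packet from the responder promotes the flow to established.
        if flow["state"] == "new" and p.src != flow["initiator"]:
            flow["state"] = "established"
        # The first payload decides the application, whatever the port.
        if flow["app"] is None and p.payload:
            flow["app"] = identify_app(p.payload) or "unknown"
            if flow["app"] in self.blocked_apps:
                del self.flows[key]
                return f"DROP app {flow['app']} blocked (port {p.dport})"
        if p.proto == "tcp" and ("F" in p.flags or "R" in p.flags):
            del self.flows[key]                   # teardown: forget the flow
            return f"ALLOW {flow['state']} (flow closed)"
        return f"ALLOW {flow['state']} app={flow['app']}"


def demo():
    """Constructed traffic: HTTP on 8080, an unsolicited inbound SYN, SSH over 443."""
    fw = StatefulFilter()
    client, server = "10.0.0.5", "203.0.113.10"
    pkts = [
        Packet(client, 40000, server, 8080, "tcp", "S"),
        Packet(server, 8080, client, 40000, "tcp", "SA"),
        Packet(client, 40000, server, 8080, "tcp", "A", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
        Packet(server, 443, client, 40001, "tcp", "S"),
        Packet(client, 40002, server, 443, "tcp", "S"),
        Packet(server, 443, client, 40002, "tcp", "SA"),
        Packet(client, 40002, server, 443, "tcp", "A", b"SSH-2.0-OpenSSH_9.6\r\n"),
    ]
    return [fw.process(p) for p in pkts]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The point the block makes is the one the text makes: the server's SYN-ACK on port 8080 is allowed by state alone, with no rule for port 8080; the inbound SYN with no prior state is dropped; and the SSH flow is blocked on port 443 because the classifier looks at the payload, not the port. None of this requires anything beyond a flow table and a few byte signatures, which is why every product in either category has it.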

Also, what exactly is the difference between UTM and NGFW? Gartner does not offer a single substantive argument on this point, merely stating that UTM is "not suitable" for enterprises. Why are UTMs not suitable? Given that all UTM devices use the same feature set as NGFW products, and that UTM vendors also release enterprise products, there is no difference.

Moreover, calling UTM "all-in-one" is rather strange, since UTM and NGFW products have absolutely identical feature sets. So what is the difference between an all-in-one UTM and an NGFW?

Gartner could argue that UTM products target small and medium businesses while NGFWs target large enterprises. That statement deserves attention, but what is its purpose? Does it follow that Palo Alto Networks' SMB products are in fact UTMs? Or that the enterprise-class product SonicWall releases is simply an NGFW? Such a distinction only muddies the water and makes no sense. UTM is NGFW. Why not classify them as one species and, as with any other technology, divide them into SMB-class and enterprise-class products according to the target segment?

The separation between UTM and NGFW is essentially an invention of marketers whose goal is to make certain vendors look more competitive than they really are. It was done intentionally to change the rules mid-game, to push enterprise customers toward a different set of criteria, and to confine established companies such as Fortinet and Astaro to the "small business" class.

Sensible enterprises, like small business customers, should see this for what it really is: a meaningless differentiator designed to sell a less reputable product at a premium price. If you are planning to purchase a new network security device, approach the decision wisely and ignore this differentiation: treat UTM and NGFW as identical technologies and choose the product that best meets the needs of your business.

As for Gartner, they are in the business of selling advice and shaping markets. But this is a case where the advice is misleading, which makes one wonder about their motives. Is their goal really just to sell reports? Or are there other hidden motives? There is no certainty here, but it is clear that Gartner wants UTM and NGFW to fight for market share and attention.


