When Blogging goes bad…
Hey, do you remember reading this little snippet as a quote from a certain industry personality we all know and love in regard to his lack of love for UTM?
"I have a problem with the idea of Universal Threat Management
appliances. Leaving aside the horrible terminology (Who wants to
manage threats? Don’t you want to block them and forget about them?)
the question that I always ask is: If best-of-breed is the standard for
large enterprises why would it be good practice for a smaller entity to
lump a lot of security functions such as firewall, email gateway, spam
filter, anti-virus, anti-spyware, IDS, IPS, and vulnerability
management all in one under-powered device?"
I’ll give you a hint. It was posted here by the original author and I responded to it, here.
That’s right! It was my buddy, Richard Stiennon — lambasting Universal (sic) Threat Management appliances…like those of Fortinet, before they offered him a job. Perhaps Fortinet doesn’t count because they make Unified, not Universal, Threat Management devices?
Don’t hate the player, baby, hate the game! (i.e., be careful what you blog, it could come back to hire haunt you.)
Sorry, Rich. 3 Bourbons and a long week make Johnny a lit boy. Couldn’t help myself. Fire Away!
/Hoff
INCOMING!
Bored Chris? Been eating raw meat lately?
Nothing like being quoted to get a blogger's attention.
Here is where I stand. I hate the huge bucket that UTM has become. Absolutely every form of gateway security can be lumped into this category that IDC invented. We discussed this at RSA on the panel that Mr. Rothman so graciously hosted. When trying to classify a market you look for common traits and, even better, common buying patterns, to help lump vendors or products into a category. But for Crossbeam, Fortinet, and Astaro to be lumped together has always struck me as a sign that the UTM "market" was not going to work.
I much prefer the Gartner view (as I would) of Security Platforms. These are devices that are able to apply security policies using a bunch of different methods, and they can loosely be thrown onto a grid, one axis of which trends from Open to Proprietary, the other from Integrated to Stand Alone functionality. On such a grid you would place Crossbeam in the Proprietary and Non-Integrated quadrant, Astaro in the Open and towards the Integrated quadrant, and Fortinet in the Proprietary and Integrated quadrant. No judgment about which is better here, it is just an internally consistent way to look at a universe of products.
Now, yes, I did join a company that IDC considers to be a major UTM player, leading in volume shipments in those parts of 2006 that they are reporting. But I was an independent analyst and I NEVER classified Fortinet as a UTM play. Heck, in the 24 categories for the security market that I maintained I did not even track UTMs. As I tracked Fortinet over the years I considered them a security platform vendor and one that just happened to be executing on my vision for the network security space.
As you know Chris I have always been a big fan of Crossbeam and in the interest of full disclosure, Crossbeam was a client while I was a Gartner analyst and my second client when I launched my own firm. Great people and a great product. Crossbeam is the security platform of choice for running legacy security apps.
Now let's address the concept of running multiple security defenses on one security platform. Let's take three such functions, Firewalling, VPN, and IPS. Thanks to Checkpoint, firewalls and VPN are frequently bundled together. It has become the norm, although in the early days these were separate boxes. Now, you can either take a Snort implementation and bolt it on to your firewall in such a way that a signature can trigger a temporary block command ala Checkpoint and a bunch of other so called IPS devices or you can create a deep packet inspection capable firewall that can apply policies like: No Worm Traffic. To do the latter you have to start from scratch. You need new technology and several vendors do this pretty well.
So, given a new way to firewall (payload inspection instead of stateful inspection) what enterprise would choose *not* to use IPS capability in their firewall and use a separate device behind the firewall? See the trouble? A legacy firewall is NO LONGER BEST OF BREED! The best of breed firewall can do IPS.
I have spent eight of the last 12 weeks on the road meeting our large enterprise clients in the Americas, Asia, and EMEA. None of them shop comparatively for UTM appliances. Every single customer was shopping for firewall upgrades, SSL VPN, spam or virus filtering inline, etc. During the sales process they realize the benefit of combined functionality that comes with the ability to process payloads and invariably sign up for more than just a single security function. Does that mean UTM is gaining traction in the enterprise? To me the answer is no. It means that the enterprise is looking for advanced security platforms that can deliver better security at lower capex and opex.
I hope I am not putting too fine a point on it. Sometimes these TLA arguments delve too much into semantics.
I would lay off the Bourbon Chris. Try a snifter of my 16 yr old Lagavulin that I picked up in London this Friday. It will help to mellow you out.
Any enterprise sized customer that would consider a platform like Fortinet is taking on way too much risk, imo and of course this is all my opinion.
First, having one box that does many different things serially with no correlation buys the user NOTHING except one hardware platform with many internal points of failure. The exception is Crossbeam, which does have internal failover mechanisms that are architected into the platform; Fortinet does not. If a single platform could correlate a combination of events such as an IPS trigger with a web filtering event, or even create a "suspect" event by correlating an event across different security filters, then there's an argument. But that functionality is still left up to some 3rd party platform.
Second, nothing Fortinet does is best of breed, so it's like buying an all in one stereo at a budget price instead of a hi-end component system. The IPS was tested as an individual discipline and did poorly, who knows about the other UTM functionality because they are never tested individually. You get what you pay for, no exceptions.
Third, GPL source code (which is what Fortinet uses) is great for home users and maybe some SMBs, but Enterprises demand accountability and tightly controlled software from their vendor/partners. Combining that with the fact that Fortinet is a privately held security company doesn't lend itself well to a large customer that is forced to abide by the many government regulations that they are now accountable to. Who is a non-publicly held security company running GPL source code accountable to? What if there is a breach of a government regulation due to the failure of the product? What would the audit look like?
Finally, again my opinion, how can anyone collecting a paycheck from a company consider themselves impartial when defending their position on that company or the industry that company is in? Richard is a marketing officer for Fortinet and this must be considered when he speaks of the virtues of the company that pays his bills. I say this not to imply that RS is not doing his best to be impartial but rather to frame his point of reference. Let’s face it, we are all in the same boat and no one likes to have their kid called “ugly”.
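The comment above argues that a multi-function box only earns its keep if it can correlate an IPS trigger with a web-filtering event and raise a "suspect" event across filters. The following is an added illustration of that kind of cross-filter correlation; it is not code from the post, from any commenter, or from any vendor's product. The event records, the filter names (ips, webfilter, av), the source addresses and the 5-minute window are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events as one platform's filters might log them
# (hypothetical hosts and signature names, not real telemetry).
EVENTS = [
    {"ts": "2007-03-12T10:00:01", "filter": "ips",       "src": "10.1.1.5", "detail": "sig:worm-probe"},
    {"ts": "2007-03-12T10:00:40", "filter": "webfilter", "src": "10.1.1.5", "detail": "blocked-category:malware"},
    {"ts": "2007-03-12T10:01:10", "filter": "av",        "src": "10.1.1.5", "detail": "eicar-test-file"},
    {"ts": "2007-03-12T10:05:00", "filter": "ips",       "src": "10.1.1.9", "detail": "sig:port-scan"},
    {"ts": "2007-03-12T10:30:00", "filter": "webfilter", "src": "10.1.1.9", "detail": "blocked-category:gambling"},
]


def correlate(events, window=timedelta(minutes=5), min_filters=2):
    """Raise one 'suspect' event per source host that is flagged by at least
    `min_filters` distinct filters inside a sliding time window.

    A host that trips only one filter repeatedly never becomes a suspect:
    the point is agreement between independent detection methods, not volume.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["filter"], e["detail"]))

    suspects = []
    for src, evs in by_src.items():
        evs.sort()  # chronological order so the window can slide forward
        for i, (t0, _, _) in enumerate(evs):
            in_window = [ev for ev in evs[i:] if ev[0] - t0 <= window]
            filters = {f for _, f, _ in in_window}
            if len(filters) >= min_filters:
                suspects.append({
                    "src": src,
                    "first_seen": t0.isoformat(),
                    "filters": sorted(filters),
                    "details": [d for _, _, d in in_window],
                })
                break  # one suspect event per host is enough for an analyst queue
    return suspects


if __name__ == "__main__":
    for s in correlate(EVENTS):
        print(f"SUSPECT {s['src']} first seen {s['first_seen']} "
              f"flagged by {', '.join(s['filters'])}: {s['details']}")
```

With the constructed input, 10.1.1.5 is flagged by all three filters within about a minute and becomes a suspect, while 10.1.1.9 trips the IPS and the web filter 25 minutes apart and stays below the threshold. The window and filter count are the two knobs an operator would tune; a wide window with a low count produces noise, a narrow window with a high count misses slow activity.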