I stumbled upon the blog of Andrew Plato, President of Anitian Enterprise Security, a man with 20 years of experience in information security. In his blog, Andrew raises a rather interesting topic concerning the concept of "next-generation firewalls", the so-called NGFW. According to him, industry analysts such as Gartner and firewall manufacturers like Palo Alto argue that NGFW will change the market for network security systems and supplant traditional firewalls and unified threat management (UTM). In addition, NGFW vendors position their products as the "next big step" in the evolution of network security systems.
Since the original post is in English, I give a translation under the cut.
So why is NGFW so revolutionary? What makes NGFW different from UTM?
Nothing. There is no difference between UTM and NGFW. They are the same technologies with the same capabilities, which began to be sold and advertised as different. Moreover, in essence, next-generation firewalls (NGFW) have nothing unique or revolutionary about them. They are ordinary firewalls with extended functionality. In other words, NGFW is UTM.
What is really interesting is how Gartner and the vendors lined up to create a whole class of fabricated products. Frankly, this is an ancient tactic: changing the subject of the debate. Politicians have resorted to it since the Roman Empire. The essence of the process is quite simple:
1. You have a product (or candidate) that does not quite meet competitive requirements: it lacks functionality or has negative aspects.
2. Instead of addressing these shortcomings directly, you start a new conversation to divert attention from the negative properties.
3. You focus the discussion solely on the "new" conversation and dismiss the old problem as outdated, irrelevant, or relevant only to a small part of society.
4. You feed all this to the echo chamber of the media (or industry analysts) and keep talking about this very topic for a long time, ad nauseam.
Then you watch the old topic dissolve into the new one: everyone wants to discuss the new issues, while discussion of the old problem is considered pointless. The media echo chamber, or, in this case, Gartner's industry analysts, are critical to this work. You need to position your novelty in such a way that the memory of the old problem sinks into oblivion.

The products of the traditional network security vendors were not keeping pace with the unified threat management (UTM) trend when it appeared on the market. Their reliance on old code and on enterprise customers stifled innovation. Their first attempts to break into the market of multifunctional security appliances were rather ineffective; CheckPoint and Juniper are examples of this. Their early devices were clumsy and not powerful enough, and they were significantly inferior to the more innovative products of companies such as Fortinet and Astaro.
In addition, these vendors, as well as some newer companies such as Sourcefire and Palo Alto Networks, did not have the intellectual property to compete across such a broad feature set. They lacked a good anti-virus, anti-spam, or URL filtering engine.
Essentially, instead of competing, they simply repositioned. The first step was to confine UTM to the small business market. Gartner, which never misses an opportunity to sell another report, soon introduced the Enterprise Firewall category, which, of course, was intended for all these next-generation devices. UTM was reduced to discussions about small business and managed services. The next step was to present NGFW as a unique, special firewall unlike any other. Thus NGFW became "the next step" after stateful packet inspection. Some vendors went so far as to declare that NGFW was absolutely unique and new, as if the stateful packet inspection in their NGFW were a novel access-protection technique. Which, of course, was not the case.
It is surprising how well this industry has accepted this trick. Manufacturers changed the way firewalls are talked about without actually changing the technology. Gartner reinforced the overall presentation in order to convince consumers. And consumers swallowed the bait. NGFW marketing has been extremely effective.
So as not to be unfounded, consider the feature sets of the devices from brands such as Palo Alto Networks, CheckPoint, Sourcefire and McAfee, the so-called NGFW, i.e. next-generation firewalls. Type "next generation firewall" into Google and you will see that these four products come up first. Now enter "unified threat management", and you will see SonicWall, WatchGuard, Fortinet, Sophos (Astaro) and some other smaller manufacturers. Compare these products. Include Juniper and Cisco as well, since they are well known and, besides, they play on both fronts.

Did you notice anything? The same functionality. The only noticeable difference is the inclusion of email protection. There is no such protection in the Palo Alto Networks and Sourcefire products, though it can be argued that their anti-virus and other components provide email protection.
Of course, NGFW vendors will argue about their uniqueness and point out that their products can detect applications on all ports. In fact, such statements ring hollow as soon as you realize that this is just another marketing move. For example, Palo Alto claims that its App-ID is unique. Not at all: other products have supported application identification for ages. Sourcefire emphasizes that the intrusion prevention system (IPS) built into its NGFW is unique. This is not true either. A huge number of products detect intrusions or security breaches and automatically protect against them. Decryption, authentication, content inspection: none of these functions is unique to either UTM or NGFW platforms.

The similarity of UTM and NGFW does not mean that all these products are identical in their capabilities. Each manufacturer has its own advantages and disadvantages. The quality and performance of these products vary greatly. However, in terms of functionality alone, they are exactly the same. Their different approaches to application inspection, anti-virus, or intrusion prevention may explain advantages in performance or accuracy, but this does not change the fact that the basic feature set is the same for everyone.
Now consider the definition of NGFW that Gartner gave in its Magic Quadrant for Enterprise Network Firewalls of December 14, 2011:
As the firewall market develops, starting with stateful protection and ending with next-generation firewalls, other security features (such as intrusion prevention systems) and full-stack inspection, including applications, will also be provided in NGFW. Sooner or later the NGFW market will absorb most of the standalone intrusion prevention system devices. However, this will not happen now, because many enterprise firewall vendors have IPS in their products that makes them competitive with standalone IPS solutions, and this undoubtedly counteracts the integration of functions into a single device. Although the firewall / VPN and IPS (and sometimes URL filtering) are converging, other security products are not. All-in-one products, or unified threat management (UTM) products, are suitable for small and medium businesses but not for enterprises; Gartner predicts that this separation will last at least until 2015. Firewalls designed for company branch offices are becoming a specialized product, separate from products for small and medium businesses.
There are many questions associated with this definition. Firstly, the industry is not evolving from stateful firewalls to something else. Stateful inspection is a component of every single UTM and NGFW on the market. It is something that cannot be removed or replaced. Moreover, there is nothing new or innovative in inspecting packets while taking the state of the connection into account. Every firewall on the planet that is of any interest at all has filtered packets based on connection state for decades.

Also, what exactly is the difference between UTM and NGFW? Gartner does not make a single valid argument on this point, mentioning only that UTM is "not an appropriate solution" for enterprises. Why is UTM not suitable? If you consider that all UTM devices, like NGFW products, have the same feature set, and that UTM vendors also produce enterprise products, the differences are not noticeable.
Moreover, attributing "all-in-one" to UTM is rather strange, since UTM and NGFW products have an absolutely identical feature set. So what is the difference between an all-in-one UTM and an NGFW?
Gartner could argue that UTM products are aimed at small and medium businesses, while the target segment of NGFW is large enterprises. This statement deserves attention, but what is its purpose? Does it follow that the products Palo Alto makes for small and medium businesses are in fact UTM? Or that the enterprise-class products SonicWall manufactures are nothing but NGFW? Such a distinction only muddies the water and makes no sense. UTM is NGFW. Why not treat them as one type and, like any other technology, divide them by target segment into products for small and medium businesses and products for large enterprises?

The separation between UTM and NGFW is, in essence, merely an invention of marketers whose goal is to make certain vendors look more competitive than they really are. It is done intentionally to change the rules as the game progresses, to steer enterprise customers toward a different set of criteria, and also to confine established companies, such as Fortinet and Astaro, to the "small business" class.
Knowledgeable enterprises, like small business customers, should see this for what it really is: a meaningless differentiator designed to sell a less reputable product at a premium price. If you have to purchase a new network security device, approach the decision wisely and ignore this differentiation: treat UTM and NGFW technologies as absolutely identical and choose the products that best meet the needs of your business.
As for Gartner, it is in the business of selling advice and shaping markets. However, this is a case where the advice is misleading. It makes you wonder what their motivations are. Is their goal to sell reports? Or are there other ulterior motives? There is no complete certainty about this, but it is unambiguously clear that Gartner wants UTM and NGFW to fight for the market and for a share of the attention gained.