by Jerry Piatkiewicz, Security Engineer
Since the Dark Ages, organizations have contacted wizards to help determine the security devices they need to defend themselves against the evils trying to penetrate their fortresses. While wizards and other purveyors of the dark arts might have been sufficient in the Middle Ages, today, organizations should avoid black magic style scoping of UTM devices.
I say this in jest. But, scoping security hardware, especially UTM devices, can be confusing, overwhelming, and frustrating. For years, we have relied on consultants or people of knowledge to make decisions on the “black box” that will protect the organization.
The first questions an organization needs to ask itself are:
- Do we have the experience in-house to scope the device?
- Do we hire a consultant?
- Do we outsource?
No matter which route we take, knowledge is power. Do some research and ask questions. So, let’s take a look at some more questions to help determine which hardware to select and possibly select a service provider.
- Do you know your environment and required demands? For example, are you operating under regulatory compliance constructs like FFIEC, HIPAA, or PCI?
- What is your network architecture?
- What services do you need? Common service requirements include firewall, intrusion detection/prevention, application filtering, web content filtering, and gateway anti-virus.
- Do you have remote users, remote sites, or vendors that need to be connected?
- Do you have a disaster recovery plan?
- Do you need additional devices for other critical sites?
- What future growth is your organization likely to experience—additional sites, new applications, more employees, SD-WAN?
This last question is the most difficult, but contemplating these issues increases the odds of acquiring a device that will last a minimum of three years, with the hope that it could last five.
Now let’s demystify the black box. All security vendors put out marketing literature that says their device is the greatest—set it and forget it. The reality is, all vendors conduct speed and other performance tests on their hardware in highly controlled environments. They activate a single service under a predictable load, and not surprisingly, it’s faster than a speeding bullet and more powerful than a locomotive. The truth is, activating a single service on the device will allow it to attain a higher level of capability, though not as much as under the controlled test; still it will be impressive.
But, as we activate additional services, multiple protocols, surfing, etc., the load on the devices will increase substantially. The UTM device that was billed as more powerful than a locomotive performs more like an ordinary four-cylinder car.
So how can we truthfully calculate the horsepower of a device and figure out what we need? The answer is based on the responses to the questions listed above.
The load on the device will be based on which services are active, how much you are downloading, and how much of your traffic is encrypted. Depending on the device, throughput may drop to 30-50% of the rated values. This sounds like a lot, but remember that each vendor also has a utilization threshold that they don’t want their processor to cross. This threshold will range from 60-80% of capacity.
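To make that arithmetic concrete, here is a small sizing calculator added as an illustration (it is not from the original post and not any vendor's tool). The per-service derating factors, the candidate model list, and the traffic figures are all constructed assumptions; the only thing taken from the article is the shape of the reasoning: derate the marketing number for the services you actually enable, keep usage under the vendor's processor threshold, and size for three to five years of growth.

```python
"""Rough UTM sizing: derate the rated throughput, apply the vendor's
utilization threshold, and compare against projected demand."""

# Constructed derating factors: the fraction of single-service rated
# throughput that remains once each service is enabled. Enabling a full
# stack multiplies these together and lands in the 30-50% range the
# article describes; real values come only from your own testing.
DERATING = {
    "firewall": 1.00,
    "ips": 0.70,
    "app_filtering": 0.85,
    "web_filtering": 0.90,
    "gateway_av": 0.75,
    "tls_inspection": 0.60,   # decrypting traffic is the heaviest service
}


def effective_throughput_mbps(rated_mbps, services):
    """Rated throughput after derating for every enabled service."""
    factor = 1.0
    for service in services:
        factor *= DERATING[service]
    return rated_mbps * factor


def projected_demand_mbps(current_mbps, annual_growth, years):
    """Compound today's peak demand forward over the planned lifetime."""
    return current_mbps * (1 + annual_growth) ** years


def usable_mbps(rated_mbps, services, vendor_threshold=0.6):
    """Capacity you may actually plan to consume: derated throughput
    capped at the vendor's processor threshold (60-80% per the article)."""
    return effective_throughput_mbps(rated_mbps, services) * vendor_threshold


def fits(rated_mbps, services, current_mbps, annual_growth, years,
         vendor_threshold=0.6):
    """True if the box still has headroom at the end of its planned life."""
    need = projected_demand_mbps(current_mbps, annual_growth, years)
    return usable_mbps(rated_mbps, services, vendor_threshold) >= need


def smallest_fitting_model(models, services, current_mbps, annual_growth,
                           years, vendor_threshold=0.6):
    """Pick the cheapest model (list of (name, rated_mbps)) that fits, or None."""
    for name, rated in sorted(models, key=lambda m: m[1]):
        if fits(rated, services, current_mbps, annual_growth, years, vendor_threshold):
            return name
    return None
```

Running the full stack (firewall, IPS, gateway AV, TLS inspection) against a constructed 2,000 Mbps "rated" appliance leaves about 630 Mbps, and only 378 Mbps of that is plannable at a 60% threshold, which is why a 150 Mbps site growing 15% a year for five years fits while one growing 25% a year does not.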
What does all this mean to you as you make the UTM device decision for your organization? You have to do your research. It may be your own exploration, or you may choose to have conversations with consultants, hardware vendors, or managed security service providers.
I suggest that you have multiple discussions, maybe after you speak with a consultant or vendor, with managed security providers. Managed security providers work with different vendor hardware, giving them a unique perspective. They configure and monitor these UTM devices, so they should have a good picture of what will meet your needs for today and well into the future.