Multifunctional Network Protection

Unified threat management devices guard against attacks.

David Strom

$3.1 billion

The size of the unified threat management market in 2011, according to an estimate from researcher IDC.

The Internet is a nasty place, and getting nastier. Rather than continuing to add an array of standalone security devices to protect public-sector networks from the latest threats, some government IT managers are deploying unified threat management (UTM) appliances that roll firewalls, intrusion prevention, antivirus, content filtering and virtual private networks into a single device.

UTMs are useful because they can provide more network protection for the money, require less training to operate and can be easier for IT to support, especially for remote offices.

The biggest benefit is cost savings, because you can combine several security functions into a less expensive device. Enterprise-class products cost about $12,000 to $15,000, while branch-office devices can be had for between $1,000 and $5,000. In some cases there can be a one-year or two-year payback, particularly if an organization has to replace outdated network infrastructure or deploy new branch-office security, according to Eric Maiwald, a senior analyst with the Burton Group in Union Bridge, Md.

“We don’t have to spend thousands of dollars to secure our network,” says Dana Brown of the Altoona Police Department in Wisconsin, who uses the WatchGuard Firebox X Core. “Our UTM device makes it easier for us to deploy new applications and gives us the most security for our money.” Deployment is easier because there is a single box and one set of security policies for the department to manage.

The Maryland Department of Planning’s main reason to deploy UTM was stretching the IT budget while safeguarding the network. The department has 300 users across two regional offices connected to its Secure Computing Sidewinder G2 appliance, says Jim Johnson, network manager for the agency in Baltimore.

Along with saving money, UTM devices save space in the wiring closet. “You don’t want to have five or six boxes sitting on your network just for handling security if you are a small or medium agency,” says David O’Berry, the IT director at the South Carolina Department of Probation, Parole and Pardons in Columbia. O’Berry uses a variety of Juniper security devices on his network, including the SSG UTM line and older NetScreen appliances, to support 30 branch offices and several hundred users.

Another benefit is the ability to easily set up a series of unified security policies for a department or organization and have a bird’s-eye view of what’s happening on the network.

“We selectively block instant messaging and peer-to-peer traffic and choose who can and can’t have access to these protocols,” says Brown. “We also can monitor the text chats and can see where potential misuse is.”

Maryland’s planning department manages security for other state agencies too and is considering using text chat among them to coordinate responses to security events. “We don’t have to start poking holes in our firewalls, but can set up the specific security policies that are fine-grained enough to give us control and greater flexibility with our needs,” Johnson says.

UTMs offer a good start for a department that presently has no security products deployed, or a department that is looking to enable secure applications that use Internet connections. “We went from absolutely nothing to our WatchGuard Firebox,” Brown says. “In the first few minutes after we had set it up, we could see how many people were trying to access our network from the Internet.”

“Even if you have hardened all your workstations, this is useful to make sure that your network is still secure,” Johnson says.

Shawn Hazard, a network specialist with the Texas Public Utilities Commission (PUC) in Austin, deployed SonicWALL’s Pro 4060 line of UTM appliances in 2006.

Hazard suggests starting any UTM bid process by looking first at a product’s firewall features. “The firewall is probably the most important portion, though having the VPN has proven to be a great value-add,” he says. Being a high-profile public agency, PUC first wanted to protect its networks from outsiders.

Deployment Drawbacks

UTMs aren’t for all situations. Agencies have to be careful that they match the expected throughput of their network to the size and throughput of their UTM device.

“UTMs are designed for small and midsized enterprises and generally don’t support very high volumes of traffic, especially when they have multiple security modules running,” says Paul F. Roberts, a senior analyst with The 451 Group, a consultancy in Boston. “What kind of latency do I get when I turn everything on at once?”

A second drawback is that not all component modules in a UTM are created equal, or even created by the vendors themselves. Many vendors use different OEMs for different components. “You need to understand what is under the hood and which vendors are supplying the threat intelligence modules, such as antivirus and antispam signatures, if you are going to have the best threat protection from the UTM,” Roberts recommends.

These multiple sources can make UTMs less usable, too. “The biggest stumbling block for many UTMs is having a consistent management interface across all of the modules, because they pull technology from different sources,” says South Carolina’s O’Berry. He ensures his group obtains the necessary training for its staff from its reseller to iron out any issues ahead of time. “We’ve seen fairly quick learning curves, so we can train our people easily,” says Texas PUC’s Hazard.

Finally, how your staff manages the device is also critical. Some UTM devices don’t support multiple administrators performing different tasks concurrently, and assume that a single administrator has access to everything in the box.

“What you have done is combined a number of features that may have been managed by individuals in different groups, and now the checks and balances that you had begin to go away,” says the Burton Group’s Maiwald. However, this is offset somewhat by productivity gains in security staffs that don’t have to manage multiple devices.

Still, many state and local IT managers have found that the benefits win out in the end. “UTMs are especially ideal for smaller organizations that have disparate locations,” O’Berry says. “You can have affordable and centralized threat management and still have the best security practices at the edges of your network.”

Key Considerations

Here are some issues to ponder before making a UTM purchasing decision.

  • How many branch offices need protection? UTMs make a lot of sense when deployed to branch offices. “You might have 100 branch offices, and the savings when compared to buying single-function security products can add up and get really big really fast,” says Eric Maiwald, a senior analyst with the Burton Group.
  • What is your primary security focus — firewall, intrusion prevention or antivirus? Your analysis of your security needs often determines the particular set of vendors that will supply the best UTM devices. UTMs cover a wide collection of protection measures, and individual modules vary in features and capabilities. “Very often you will end up with not necessarily getting the best of breed in each category,” Maiwald says. “For example, a firewall vendor might provide a world-class firewall but not use the best URL filters or best antivirus.”
  • How well-managed are your desktops? Factor in your existing protection and management practices when you consider how to deploy antivirus and antispyware features of UTM. “Start at the end-point and make sure your users are properly authenticated,” O’Berry says.
  • How many Ethernet ports do you need? Know what you’re getting. Ask how many ports come with each device and whether there is a hard drive for quarantined spam or Web caching, says Paul F. Roberts, a senior analyst at The 451 Group in Boston. The ease of using the management interface to create policy is another aspect to evaluate.