Computerworld
UTM firewalls: Ready for the enterprise
Joel Snyder (Network World)  03 September, 2007 08:50

IT managers at small and midsize businesses like unified threat management appliances - firewalls that layer on antimalware protection, content filtering, antispam and intrusion prevention - because deploying a single, multi-function device reduces costs and simplifies configuration.

However, deciding whether and where to deploy UTM appliances in a large enterprise is a more complicated and difficult decision. The idea of a single point through which all traffic flows as an obvious locus for threat mitigation doesn't work when a network has dozens, hundreds or thousands of distinct locations. Also, because performance is a critical issue in large networks, savvy network managers often seek to distribute threat protection rather than centralize it, simply to reduce the likelihood of a performance bottleneck.

Similarly, the style and quality of threat mitigation features one commonly sees in an SMB UTM may not be of interest to an enterprise, where requirements are more exacting and security architectures are more complex. For example, the antispam features and functionality in UTM firewalls pale compared with those in stand-alone enterprise-class dedicated antispam/antivirus appliances.

With such dramatic differences between SMB and enterprise requirements, is there a place for enterprise UTM firewalls? The answer is definitely "yes," for these three reasons: reduced complexity, simplified management and increased flexibility.

Reduced complexity

Enterprise network managers have long sought to include additional threat protection, especially intrusion detection/prevention systems (IDS/IPS) functions, both at the core and at the perimeters of their networks. However, the complexity of dropping standalone IDS/IPS boxes into a network has made them wary.

Building the "firewall sandwich," with load balancers surrounding a core of clustered firewalls, is well understood, but trying to scale that sandwich up with another layer of protection dramatically increases architectural complexity and potential instability.

A simple sandwich is considered science by network architects, but adding layers takes it from craft to art, dramatically increasing the difficulty of the project and opening a window for failure and problems. It's like adding just one more piece of cheese to that Dagwood sandwich: Not only will you be unable to get it in your mouth, but the whole thing may fall apart on your plate.

Enterprise UTM with integrated IDS/IPS can give network managers additional security throughout the network without the massive increase of complexity that stand-alone IPS devices would create.

Simplified management

It's pleasant to imagine the concept of a single UTM console that can handle everything from IP routing to IDS alerts, but enterprise security teams often want different management systems for a reason: different people are responsible for different kinds of threats and configuration.

Nevertheless, some level of management integration can reduce the burden of handling these different functions. For example, every management console must contain the network objects that are used to define policy: here are my mail servers, here are my users, this is the guest network, here is where the Internet is.

Each time those same objects must be typed into a different management system, and each time these objects are updated and adjusted, there is an opportunity for human error or miscommunication to create a security hole. A single management console that shares objects across different functions simplifies the complex task of management.

This single management view is especially valuable when firewall, VPN and IDS/IPS are considered together because all three of these functions act on the same policy. Each of these functions needs to have some view of the topology of the network, what applications are running on different servers and what different groups of users are allowed to do. Completely separate management for all three functions makes coordinated policy maintenance difficult, if not impossible.

A single UTM-ready management console realistically enables a fine-tuning of policy across all three functions, increasing total security.
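
The object drift described above, where the same definitions are typed into separate consoles and fall out of step, can be checked mechanically. The following is an added example, not part of the original article: it compares constructed, hypothetical object exports from three consoles (the console names, object names and addresses are assumptions) and reports every object that is missing from a console or defined differently.

```python
import ipaddress

# Constructed sample data: the same named objects as typed into three
# separate consoles (hypothetical exports, not any vendor's format).
CONSOLES = {
    "firewall": {
        "mail_servers": ["192.0.2.10/32", "192.0.2.11/32"],
        "guest_net": ["198.51.100.0/24"],
        "users": ["10.1.0.0/16"],
    },
    "vpn": {
        "mail_servers": ["192.0.2.10/32", "192.0.2.11/32"],
        "guest_net": ["198.51.100.0/25"],   # narrower than the firewall's view
        "users": ["10.1.0.0/16"],
    },
    "ips": {
        "mail_servers": ["192.0.2.10/32"],  # second server never added
        "users": ["10.1.0.0/17", "10.1.128.0/17"],  # same range, split in two
    },
}

def normalize(cidrs):
    """Collapse a CIDR list so equivalent definitions compare equal."""
    nets = (ipaddress.ip_network(c, strict=True) for c in cidrs)
    return frozenset(ipaddress.collapse_addresses(nets))

def find_drift(consoles):
    """Return {object: {console: definition or None}} for objects that differ."""
    names = set().union(*(objs.keys() for objs in consoles.values()))
    drift = {}
    for name in sorted(names):
        views = {c: (normalize(objs[name]) if name in objs else None)
                 for c, objs in consoles.items()}
        if len(set(views.values())) > 1:
            drift[name] = {c: (sorted(map(str, v)) if v is not None else None)
                           for c, v in views.items()}
    return drift

if __name__ == "__main__":
    for name, views in find_drift(CONSOLES).items():
        print(name)
        for console, definition in views.items():
            print(f"  {console:9} {definition if definition else 'MISSING'}")
```

Definitions are collapsed before comparison, so the "users" object, written as one /16 in two consoles and as two /17s in the third, is correctly treated as consistent, while the mail server and guest network objects are flagged.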
