By Wana Tun
Unified Threat Management (UTM) and Next-Generation Firewall (NGFW) have been used interchangeably since their emergence a few years ago. IDC coined the term UTM and defined it as a security appliance combining firewall, gateway antivirus, intrusion detection system (IDS) or intrusion prevention system (IPS). The term NGFW was created and defined by Gartner as a single device with integrated IPS, deep packet scanning, standard firewall capabilities and the ability to identify and control applications on the network.
Essentially, both terms refer to a single device with multiple and consolidated functionalities, causing confusion among customers and vendors. Both UTM and NGFW are very similar with some minor differences. In this article, I aim to differentiate between them via four different categories:
1.) Definition
NGFW has been defined by analysts as enhanced firewalls, with intrusion prevention and application intelligence. On the other hand, UTM has NGFW features along with additional endpoint technologies such as reverse proxy and selective sandboxing capability.
2.) Security features
NGFW includes a deep-packet inspecting firewall that performs the traditional port and service permit deny functions, and also the ability to do application-level inspection categorisation, blocking, and intrusion prevention. Some may include Secure Web Gateway (SGW) features. A UTM device however usually includes a firewall, intrusion detection system (IDS), virtual private network (VPN), anti-malware, anti-spam, content and web filtering. Occasionally, some vendors may include features such as advanced routing.
3.) Capabilities
A key highlight of NGFW is its application visibility and control capability. Application control enables enterprises to detect an application based on application content as compared to the traditional layer 4 protocol. On the other hand, UTM also contains application policy capabilities. However, it is more focused on analyzing the content of legitimate applications through ingress and egress filtering, blocking unwanted applications to ensure threats do not enter the network through applications. UTM also continuously monitors trusted applications so that the application behavior is not malicious.
4) For different company sizes
The security features within a UTM device are collocated, whereby a separate engine is used for each service. This makes them more suitable for small and medium businesses (SMBs) when it comes to qualities such as management capabilities and throughput. The security features within a NGFW are integrated, whereby a single engine is used for all services. This means they are more suitable for larger enterprises that include IPS capabilities and application awareness in the security posture.
To conclude, while both buzzwords are rather similar, NGFW is a subset of UTM. UTM also contains more comprehensive security features, usually a suite of endpoint protection, as compared to NGFW which is more focused on application control. Regardless of which solution an organization decides to utilize, it should meet their specific needs and be simple to deploy.
The author is the regional technical evangelist at Sophos
