During the last couple of weeks I have had an interesting question posed to me. After some thinking I have expanded and evolved the thought to: at what point does the risk require you to evolve a single UTM enforcement gateway architecture into a more complex architecture?
This architecture may involve separating the UTM features out into dedicated services (e.g. AV scanning, proxying, VPN), or duplicating the firewall services (perhaps heading down the multi-vendor path) and serialising the enforcement path (i.e. putting one firewall behind the other).
While there are some very good technical reasons why you would implement certain architectures, it can be the risk considerations nobody thought about that drive some of the long-term operational costs. I would consider that evolving the gateway solution into separate dedicated services and multiple-vendor enforcement devices (i.e. firewalls) would ultimately mitigate a significant amount of the threats (those that could be realised through known and unknown vulnerabilities), AS LONG AS you have the appropriately technically mature resources to support those devices, effective change control and strong governance procedures. Without these, the complex architecture would likely increase risk rather than reduce it. It is because of this that UTMs are a good solution for certain situations, the choice depending on considerations like the size of the network/company you are trying to protect, the resources available, and their technical competency.
While I would likely always try to evolve gateway enforcement services into separate parts (i.e. pick a box that does its particular enforcement service well, with no overlapping enforcement on another OSI layer/network protocol), the limit of that evolution would be bounded by the risk introduced by not having enough resources, or by those resources not being technically competent enough to maintain a number of services.
The issue could be summarised by pitting two sayings against each other:
“KISS – Keep IT Simple Stupid” vs “Don’t put all your eggs in one basket”