Difference Between UTM and Next-Generation Firewall (NGFW)
Security companies often use technical terms inconsistently, leading to some confusion. We’d like to clear the air about what we mean by unified threat management (UTM) and next-gen firewalls (NGFW). In this simple infographic, we define what Sophos means by UTM, and explain how UTM is similar to but distinct from NGFW. Although some people use the terms interchangeably, there are key differences.
As we explain below, next-generation firewalls are typically defined as firewalls enhanced with intrusion prevention and application intelligence. On the other hand, UTM systems include those features—plus additional technologies such as email security, URL filtering, wireless security, web application firewalls and virtual private networks (VPNs). In this view, UTM systems include NGFWs as components.
Historically, Next-Generation Firewall (NGFW) appliances were designed to deliver a very specific set of security services – firewalling, IPS, and URL filtering. Anything that consolidated more than those services was commonly referred to as a Unified Threat Management (UTM) appliance.
Today, however, we see significant blending of these two markets and products. The performance gap has disappeared and solutions marketed as NGFW appliances are being released with the same security services once unique to offerings marketed as UTM appliances. So, if NGFW and UTM appliances are the same when it comes to security and performance, what is the difference?
UTM appliances provide out-of-the-box policies, management, and reporting tools designed for ease of deployment and ongoing management, while NGFW appliances cater to organizations that wish to customize their security policies and prefer manual reporting and management techniques. Neither approach is wrong; however, many organizations do not have the time, resources, or security expertise required to build security policy by hand and manage a variety of disparate appliances. UTM solutions give those organizations the same enterprise-grade security without the extra layer of management. This is particularly useful for small, midsize, or widely distributed organizations that typically don’t have dedicated security or IT teams.
It has long been debated whether one appliance that centralizes a variety of network security tasks could ever compete with the performance of dedicated point solutions. Not only is the answer yes, but the performance of some UTM appliances, with all security engines running, exceeds that of many dedicated NGFW point solutions.
Next-generation firewalls (NGFWs) and unified threat management (UTM) systems are two of the most popular network security tools on the market today. They achieve similar goals in defending against cyberattacks, but the way each type of product approaches that task is different.
A next-generation firewall (NGFW) is a network security device that does more than a stateful firewall (i.e., a traditional firewall). A stateful firewall filters on the network- and transport-layer headers, OSI layers three and four: addresses, protocol, ports, and the state of each TCP connection. A next-generation firewall also inspects the payload up to the application layer (layer seven), so it can identify the application a flow belongs to regardless of the port in use and apply policy to that application, for example allowing one web application over TCP/443 while blocking another.
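To make the layer-4 versus layer-7 distinction concrete, here is an added Python example; it is not code from this page or from any vendor's product. It models a stateful rule as a match on the 5-tuple and a layer-7 rule as a match on the application identified from the payload (an HTTP Host header, or the SNI of a TLS ClientHello). The packets, hostnames, the minimal ClientHello builder and the policy tables are all constructed for the illustration; the point it shows is that the layer-4 table cannot tell two TLS destinations on port 443 apart, nor notice plaintext HTTP sent to port 443, while the layer-7 decision can.

```python
"""Layer-4 versus layer-7 policy on constructed packets (added example, not from the page)."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello whose only extension is server_name."""
    name = sni.encode("ascii")
    ext_data = struct.pack("!H", len(name) + 3) + struct.pack("!BH", 0, len(name)) + name
    extension = struct.pack("!HH", 0x0000, len(ext_data)) + ext_data
    body = (b"\x03\x03" + b"\x00" * 32            # client_version, placeholder (not random) bytes
            + b"\x00"                              # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                          # null compression only
            + struct.pack("!H", len(extension)) + extension)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(payload: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello, or None if the bytes are not one."""
    try:
        if len(payload) < 43 or payload[0] != 0x16 or payload[5] != 0x01:
            return None
        p = 43                                              # past record, handshake, version, random
        p += 1 + payload[p]                                 # session id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # cipher suites
        p += 1 + payload[p]                                 # compression methods
        ext_end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0:   # server_name: list len(2), name type(1), name len(2), name
                nlen = struct.unpack("!H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        pass
    return None


def http_host(payload: bytes) -> Optional[str]:
    """Return the Host header if the payload looks like an HTTP/1.x request."""
    head, _, rest = payload.partition(b"\r\n")
    parts = head.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    for line in rest.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def identify_app(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Layer-7 identification from payload content, ignoring the port entirely."""
    host = tls_sni(pkt.payload)
    if host is not None:
        return "tls", host
    host = http_host(pkt.payload)
    if host is not None:
        return "http", host
    return "unknown", None


# Constructed policy. The L4 table is all a stateful firewall can express.
L4_RULES = [{"proto": "tcp", "dport": 443, "action": "allow"},
            {"proto": "tcp", "dport": 80, "action": "deny"}]
BLOCKED_HOSTS = {"chat.example.net"}   # constructed: an application to be blocked


def l4_decision(pkt: Packet) -> str:
    for rule in L4_RULES:
        if pkt.proto == rule["proto"] and pkt.dport == rule["dport"]:
            return rule["action"]
    return "deny"                                           # default deny


def l7_decision(pkt: Packet) -> str:
    app, host = identify_app(pkt)
    if host in BLOCKED_HOSTS:
        return "deny"                                       # named application blocked on any port
    if app == "http":
        return "deny"                                       # plaintext HTTP blocked on any port
    return l4_decision(pkt)                                 # otherwise fall back to the L4 table


def evaluate(pkt: Packet) -> dict:
    return {"l4": l4_decision(pkt), "l7": l7_decision(pkt)}


if __name__ == "__main__":
    samples = [
        Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 443, build_client_hello("mail.example.com")),
        Packet("10.0.0.5", "203.0.113.20", "tcp", 51001, 443, build_client_hello("chat.example.net")),
        Packet("10.0.0.5", "203.0.113.30", "tcp", 51002, 443,
               b"GET / HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"),   # HTTP sent to port 443
    ]
    for pkt in samples:
        print(pkt.dport, identify_app(pkt), evaluate(pkt))
```

All three sample packets are TCP to port 443, so the layer-4 table allows every one of them; only the layer-7 decision separates the permitted TLS destination from the blocked one and catches the HTTP request that avoids the port-80 rule by using 443. A real NGFW does the same classification against far more protocols and with encrypted-traffic handling, but the policy shape is the one shown here.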
A unified threat management (UTM) system provides a single point of protection against many of the most common cyber security threats. A UTM appliance combines several layers of network protection: a next-generation firewall, antivirus scanning, intrusion detection and prevention (IDPS), web and spam filtering, and virtual private network (VPN) functionality.
Both NGFW and UTM products aim to protect a business network from cyber security threats and vulnerabilities. They serve similar purposes but differ in scope. The most significant difference is that a UTM system combines NGFW capabilities with other network security tasks:
- Endpoint protection: protects desktops, laptops, and servers with antivirus and web security software.
- Web protection: guards against web threats, controls online activity, and manages application bandwidth.
- Intrusion prevention and VPN: configurable intrusion prevention and VPN options provide site-to-site connectivity and remote access.
- Email protection: stops spam and viruses and keeps data secure with data loss prevention (DLP) processes and technology.
- Web server protection: a reverse proxy that shields servers from exploits and authenticates client requests before forwarding them to the appropriate backend server.
Though UTM systems generally offer a wider variety of network protections, they may not be able to accommodate advanced security needs as easily as a dedicated NGFW product. Organizations with highly complex networks may benefit more from a combination of standalone solutions rather than an all-inclusive appliance. Many network security specialists believe UTMs are best suited for small to midsize businesses because of their versatility, whereas NGFWs are for large corporations with large volumes of data traversing the network.
The decision to use an NGFW or a UTM should be based on the size of the company and the expertise, experience, and size of the security staff. Small to midsize companies with limited security staff may opt for a UTM solution, and larger companies that are adequately staffed with experienced IT security personnel may lean toward an NGFW solution.