Gartner Blog Network


Unicorns, Pixies, and Enterprise UTM

by Greg Young  |  September 29, 2009  |  16 Comments

The child actor who died from drinking Pop Rocks candy and Coke and the Nigerian minister who just needs a little help with some money transfer. I need to call someone at Snopes.com and pull in some favors to get “Enterprise UTM” added to the myths list.

The Loch Ness Enterprise UTM message has again been sighted in the security market.  At Gartner, we haven’t seen enterprises shifting to using UTMs or SMB multifunction firewalls, nor do we forecast that this will happen any time soon. 

Here are some of the tricks used in security marketing to make these claims:

Trick #1: Redefining what an enterprise is.  Enterprises are in fact about 1000 employees.  Between 500 and 1000 employees we consistently see IT buying behavior, including security, differ from the SMB.  For firewalls, companies shift from buying what we call SMB multifunction firewalls (what is also called UTM) and start moving consistently to point products at about that 750-ish employee mark and don’t go back.  Vendors redefining what an enterprise is in order to fit the product just games the equation.  The trend is the key: calling an enterprise 200 or 2 employees doesn’t change the selection trend. 

Trick #2: Calling a non-enterprise an enterprise.  Sure a branch office may use a converged device, but that isn’t the enterprise.  As a sidebar, branch offices generally aren’t doing mail security in the firewall (the mail servers aren’t usually out in the branches).  Also, carriers, ISPs, and hosting companies aren’t enterprises: they are carriers, ISPs, and hosting companies and serve up security in a very different manner than both enterprises and SMBs. 

Trick #3: Holding up the recession as a reason to see unicorns.  During the last year some vendors have claimed that enterprises can now use SMB products or UTMs because of the recession.  In fact, the recession may have been a reason to seek a less expensive enterprise product.  If your construction company has come upon tough times, the solution is not to start hauling gravel in minivans.  Maybe a vendor who is selling the enterprise UTM message can find a reference customer to hold up as proof; however, this is them having sold into their niche and having found the exception rather than the rule.

Trick #4: Calling a few point products together a UTM. Getting fuzzy with the definition of what this mysterious UTM is is the biggest trick.  This is why Gartner doesn’t use the term “UTM”: we expressly separate products into “SMB Multifunction Firewalls” and “Enterprise Firewalls”.  UTMs and SMB multifunction firewalls are generally understood to be all the network security products in one appliance.  Enterprise firewalls are generally firewall, VPN, and maybe IPS: that isn’t the same as the SMB product or what has generally been called UTM.  In our Gartner research, we provide some considerable detail to this topic, however a firewall and IPS together is not a UTM.  The unicorn-solvent is email anti-virus: if they mean to propose doing email anti-virus on the firewall then good luck with meeting your firewall latency SLAs (see below), otherwise they are being realistic but tricksy by just calling what is a firewall or next generation firewall a UTM.

There isn’t one big convergence happening in network security products.  In our Gartner research, we provide some considerable detail to this topic, but enterprises won’t be deploying UTMs as their firewall anytime soon because:

  • Buying and operations centers.  In enterprises, mail security and network security are different security operations groups, and the safeguard is usually required in different places: i.e. firewall at edge and anti-spam in the data center.
  • Latency sensitivity and inspection differences.  You can wait a little while for mail anti-virus and not for network packets.  It also turns out that the types of inspection for handling packets quickly and doing deep inspection and expression matching are very different.  At the lower bandwidth and connection rates of the SMB this inefficiency isn’t a big problem, but at true enterprise throughput and iMix the inefficiency quickly becomes a service-killer.
  • Best of breed requirements.  Enterprises continue to favor getting good protection, and a single vendor offering 10 safeguards in a single appliance is likely not to be great at all of them.  If you look at the Magic Quadrants (MQ) for messaging security, firewalls and IPS you will see very little overlap across quadrants in the MQs.

Greg Young| Research Vice President | Gartner
Network Security
https://blogs.gartner.com/greg_young/
http://twitter.com/Gartnergreg

Greg Young
Research VP
6 years at Gartner
22 years IT security

Greg Young is a research vice president in Gartner and the lead analyst for network security. Mr. Young has experience in IT security in product companies, and in both the private and public sectors. He spent his military career in technology security…


Thoughts on Unicorns, Pixies, and Enterprise UTM


  1. Adam Hils says:

    Trick #5 – calling any multifunction firewall in the $6k price band and above an “enterprise UTM”. If that’s the standard, most of the multifunction firewall companies are doing robust “enterprise UTM” business at a price point that is a rounding error for most real enterprise-class single-function firewalls.

  2. alan shimel says:

    Greg – I will be interested to see what Fortinet and some of the other “enterprise UTM” folks have to say about this. While I don’t disagree with a lot of what you say, I think that a 1,000 employee firm is mid-market and not a true enterprise. I have written more about this on my blog at https://blogs.gartner.com/greg_young/2009/09/29/unicorns-pixies-and-enterprise-utm/

  3. Greg Young says:

    Thanks Alan for the comments.

    Visible to Gartner customers is a research note from almost 4 years ago with the section heading “There Is No Unified Threat Management for the Enterprise”.

    Gartner has some fairly detailed models we continually adjust for company size, and also by region, revenue range and type of business. For example, the research note “Dataquest Guide: Gartner’s New SMB Segmentation and Methodology” is a great start. I intentionally summarized to fit into the blog post.

    One thing to consider is that threat, bandwidth, and the number of network safeguards grow – as inspection capability has progressed the bar has continued moving, so I don’t think that I’ve observed any noteworthy changes in where the line has moved between midsizes and enterprises. I continue to see companies outgrow and swap out their SMB firewalls at pretty much the same size/profile. You raise a good point that there is no one size fits all of course – hence the need to consider the factors above.

    Greg

  4. […] Next Generation Firewall” which should be available to Gartner clients next week. Today Greg opines about UTM, which isn’t NGFW – we go through the differences in the research note coming […]

  5. Vlad says:

    I see most of this post arguing vendor tactics of redefining “Enterprise” (which is a separate topic), but not much in disproving why this is not a feasible technology. If you think “UTM in the enterprise” is not feasible from a technical perspective, then at some point a vendor will probably come out with something that’ll be fast enough.

    Really looking forward to your next report (and John’s), hopefully you’ll shed more light on it from technical perspective.

  6. Good post and feedback. What about WAF’s here? I noticed you’re doing a Quadrant on them soon and the criteria seem to put them in the traditional DMZ layer. Since most are appliances, do you consider them part of a UTM or other network layer solution?

    I ask only because it’s relevant to your post and since we were invited to partake in the Quadrant this time the ‘grading process’ seems off. What about SaaS WAF’s and software-based WAFs that live with the webapps themselves and are not hardware? I have a sneaking suspicion that our SaaS WAF is what got us invited to the party, however, the framework for the Quadrant doesn’t leave room for such solutions. Have I misinterpreted?

    There also seems to be a lack of webappsec related questions to the Quadrant. What about high-level proactive security features such as secure session management, URL encryption and a web authentication framework?

    Would like to hear your thoughts! Here’s our view on the SaaS side:
    http://www.artofdefence.com/dokumente/Cloud_AppSec_Whitepaper.pdf

  7. Stiennon says:

    Gartner analyst throws chum in water. Ex-Gartner analyst strikes at the bait!
    http://www.threatchaos.com

  8. Jack Daniel says:

    Unfortunately, the reality of the market contradicts your statements. As much as I appreciate snark and hyperbole in blog posts, the fact that there are “enterprise” UTM deployments (even using your somewhat convoluted definition of enterprise) undermines your position and credibility.

    Are UTMs sweeping the enterprise? No. Are some enterprises using them? Absolutely. Some of your points are clearly out of touch. In this economy I am seeing a collapsing of hierarchies and divisions in IT and security teams- and as fewer people perform more, and more disparate tasks, the “unified” aspect of UTMs is a significant asset.

    Further, your point about “best of breed” is off the mark on two critical points: First, many UTMs do provide “best of breed” quality features. Second, many “best of breed” solutions are not deployed and maintained in optimal configurations, often due to tedious or convoluted configuration and management routines. The significant growth of the field of “firewall management” solutions clearly shows the failures of “industry leaders” to provide manageable solutions.

    Finally, I have to ask if Gartner’s results have not become somewhat self-selecting. Conservative companies turning to a conservative analyst firm, which then focuses said conservative clients…doesn’t seem like a recipe for either innovation, or spotting it.

    (Yes, I work for a UTM vendor. No, I do not speak for them).

  9. […] colleague Greg Young recently heard from some Bigfoot videographers after his post “Unicorns, Pixies, and Enterprise UTM”, wherein he correctly stated […]

  10. Greg Young says:

    Eric:

    Please send me an email directly and we can communicate better that way. In short, any survey is a blunt instrument and we don’t only rely on it to make an assessment of the market.

    We are looking at both on-server and appliance-based WAFs. If a question doesn’t apply just comment “N/A” or add a comment. I think I have a good grasp already on the products so I won’t look twice if I see “N/A” for questions from either appliance (“do you run on apache?”) or on-server (“how many physical interface and of what type”) vendors.

  11. […] is titled: Unicorns, Pixies, and Enterprise UTM, and says in part: At Gartner, we haven’t seen enterprises shifting to using UTMs or SMB […]

  12. […] Can we not draw a parallel between this example with new security products and solutions?  Yes, I don’t doubt that there are some customers that are not ready for the convergence of an integrated security solution (aka UTM), but there are many customers who are ready and a UTM solution is right for them. ”Evangelists” are merely doing the industry a disservice by saying “NO! You might like the idea, heck you might even like the product and can derive significant benefit from it…but you are an ENTERPRISE! Send that box packing on that Unicorn riding Pixie it rode in on.” […]

  13. […] UTM” sounds better than….(see Greg Young for details) Share and […]

  14. Marcelo Mayorga says:

    […] The unicorn-solvent is email anti-virus: if they mean to propose doing email anti-virus on the firewall then good luck with meeting your firewall latency SLAs […]

    As I see it, anyone that implements e-mail anti-virus is expecting latency for that traffic. That’s true if you configure it in your UTM as it is for a standalone AV appliance. In both cases e-mail traffic is going to be inspected for AV so… wait for it.

    For traffic different than email you don’t expect any additional latency, since you’re not enforcing AV inspection on it. Not all UTM’s configurations are based on the “all or nothing” concept. Actually, I’ve seen many UTM products with much more granularity than pure Firewall, IPS, AV, etc.

  15. […] Greg Young of Gartner blogged about Enterprise UTM’s, comparing them to Unicorns and Pixies. I could not have agreed more with […]



Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.