Computerworld - Security products are converging, and the state government wants us to hop on board. The bureaucrats have good reason to seize what they see as an opportunity.
Two years ago, the state legislature refused to approve the purchase of firewall technology for state agencies, such as the one I work in. Is it any wonder governments fall on their faces? You want legislators to be careful with taxpayers' money, but how can they not understand that firewalls are important?
Convergence in the form of all-in-one appliances, I am told, makes business sense. It costs less and produces more, support is better, it's easier to manage and so on. I'll believe it when I see it. My concern is that, should an all-in-one appliance be compromised (and anything can be compromised), you won't just have a problem with your firewall, your virtual private network, your security information management system, your demilitarized zone, your anti-virus tools, your intrusion-detection system, your Web filtering or your intrusion- prevention system. You'll have a problem with all of them.
Security must be layered to be effective. Plunking in a single device at each site is not a good idea. But as our earlier firewall fiasco suggests, we have had problems getting funding for many of the individual devices and tools that would let us follow the "defense in depth" model. Apparently, we have the OK to purchase the all-in-one devices and deploy them to all of our sites. Well, if that's what we can get approved, at least we're doing something to move forward.
The drawbacks of all-in-one appliances are related to technical matters, performance and security. In-line deployment would be best for the appliance's intrusion-prevention features, but that makes it a single point of failure. In that case, you would probably want two devices in fail-over mode. The alternative -- proxy-style deployment -- limits packet inspection and firewall configuration. As for performance, the number of modules or functions applied to data traffic will affect the appliance's throughput, unless there are multiple CPUs devoted to particular functions rather than a single-purpose CPU. I've already discussed security. Compromise the box, and own the network? Maybe.
On the other hand, managing a multitude of single- purpose security systems takes a lot of manpower. A farm of similar multipurpose appliances sounds a lot easier to manage and may take only one or two trained security administrators. And if we could do things like Web filtering, firewall configuration and traffic encryption at the gateway, we might be more effective in protecting the network against malware, viruses, worms, adware, spam, Trojan horses, denial-of-service attacks, hacking attempts and all the other things we guard against.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
