Security Appliances: Are They Good Enough?

The answer depends on where, why and how they're used -- and what else is in the mix.

Best-of-breed security software lets data center operators tailor protection to their exact needs. But some midsize companies or branch offices without dedicated security experts may prefer a simpler approach.

That was the situation Greg Muehl faced when securing the network connecting United Building Centers (UBC) more than 200 lumberyards, manufacturing plants and millwork shops. He wanted to protect them, but he didnt have IT staff at those locations, nor did he want to overburden existing servers.

We didnt want to put that additional load on the local servers by having them [encrypt and authenticate IP packets] with software, nor did we want to expose those servers to the danger of acting as border devices, says Muehl, information security senior analyst at UBCs Boston-based parent company, Pro-Build Holdings Inc., the nations largest supplier of building materials to contractors.

Like other companies seeking low-hassle network security, UBC deployed a virtual private network/security appliance in this case, Firebox SSL Core boxes from Watchguard Technologies Inc. in Seattle. They provide Secure Sockets Layer (SSL) encryption, firewalls with deep packet inspection (inspection of the data in the packet, not just the header), intrusion protection and access-control lists. Such hardware/software combinations are simple to install and manage but dont offer the highest levels of security. So the question prospective users need to answer is, how much security is good enough for a particular location?

Apparently, many users find that appliances provide enough security for their needs. Appliances are growing because theyre easier to install and easier to use, says Bruce Schneier, chief technology officer at Counterpane Internet Security Inc. in Mountain View, Calif. Theyre not necessarily better or more secure, and in fact, you can get more security if you have more fine control [through dedicated security software]. But that takes know-how, and many customers dont have the expertise.

Box Boom

When looking to secure their systems, administrators have the option of either installing security software on a server or buying a security appliance with the software preinstalled. Security appliances come in two basic flavors: dedicated and multipurpose. Dedicated appliances provide a single security service such as firewall or antivirus protection. Multipurpose appliances are either networking devices such as routers that also incorporate security functions, or specialized security devices that provide suites of security services.

With an appliance, you buy hardware and software, so you have a total solution, says Ken Poulin, vice president of operations at emergency messaging services provider Varolii Corp. in Bedford, Mass. He uses firewall and intrusion-detection appliances from Juniper Networks Inc. If you just buy the software, you run into compatibility issues, so it is easier for me to go with a plug-and-play solution, he says.

Companies are increasingly adopting that approach, says Jeff Wilson, an analyst at Infonetics Research Inc. in Campbell, Calif. He says that security appliance sales are growing faster than security software sales. Infonetics figures show that while overall security appliance and software sales rose 15% to $4.6 billion in 2006, SSL VPN gateway appliance sales rose 40% after posting a 61% rise the previous year.

What were formerly separate network elements or devices such as firewalls or VPNs are now on a single platform, says Aaron Vance, an analyst at Synergy Research Group Inc. in Reno, Nev. We also see integration of those capabilities into more traditional network elements like routers and switches.

This is reflected in who leads the market: Networking giant Cisco Systems Inc., which offers hybrid security/ networking products, has a 42% share, according to Synergy. The rest of the top five are a mix of networking and security firms: Check Point Software Technologies Ltd., Juniper Networks, Nokia Corp. and Symantec Corp.

Vance says that the growth of distributed networks is also driving the adoption of multifunction appliances as companies try to protect connections such as those among branch offices.

Midsize organizations with a limited number of IT security staffers find the multifunction appliance option attractive as well. The city of Encinitas, Calif., for example, installed a Gate­Defender appliance from Panda Software in Glendale, Calif., to block spam and malware at its six locations.

I like that the appliance is updated automatically regarding both virus-like threats and spam filtration, says Rainer Mueller, IT analyst for the city. This reduces the amount of time I need to administer the device.

Branching Out

In contrast, a central data center is more likely to have a series of single-purpose appliances acting as firewalls, VPN concentrators and intrusion-detection or -prevention systems.

Andre Gold

Andre GoldI use an appliance when I have a function that is clearly defined, that doesnt require a lot of configuration and that is pretty constant in terms of the threat I am trying to solve or the methodology I am using to solve it, says Andre Gold, director of information security at Continental Airlines Inc. in Houston. Conversely, we have leveraged software when we wanted greater control, greater flexibility or have a situation that cant be black-boxed.

He also uses appliances for routine functions such as SSL authentication to establish secure connections. That lightens the burden on server CPUs, which would otherwise have to perform the task. But in the data center, Gold uses only dedicated appliances rather than multifunction models.

Especially in the enterprise, I am not a friend of the big Godzilla appliances that do everything, because they cant do everything well, Gold says. Vendors may show you marvelous numbers for their firewall performance, but turning on the [intrusion-prevention system] and other functions can cripple the device, and it wont be able to keep up with enterprise requirements.

By using separate appliances for each function, he can scale each box as needed to meet changing security requirements. The main data center, which is spread across two buildings at headquarters as well as six other locations, has a thorough, multilayered security mix. It includes LANShield appliances from ConSentry Inc. in Milpitas, Calif., Cisco firewall appliances, and software such as McAfee Inc.s Total Protection security suite.

But for Continentals hundreds of airport ticket counters, maintenance facilities and city sales offices, that level of security is overkill. In those areas, it uses Cisco VPN 3002 hardware clients to provide firewall and VPN services; they will soon include antivirus and intrusion-prevention software as well.

I am not as interested in making huge investments in these technologies to support the small offices with five staffers and no corporate IT on their servers, compared to what I do for 5,000 people at headquarters, says Gold. This is where appliances really shine, especially when you have multifunction appliances.

So, which way should you go in securing a network hardware or software? While the capabilities of appliances continue to grow, the users consulted for this story said they wouldnt trust their entire security operations to such a product, especially an all-in-one appliance. Muehl, for instance, continues to use antivirus software on the servers and workstations at UBCs branches rather than activating the anti­virus module available for the Firebox appliance.

The users also noted that appliances improve their security posture and simplify management. But they all said they harness appliances as part of a layered security approach, often using them at the gateways or to offload certain functions from the servers while running antivirus and intrusion-protection software on servers and workstations.

There isnt a single product in the universe that is good enough to be a complete solution for anything, says Counterpanes Schneier. Every security product has value, and none is a panacea.

Robb is a Computerworld contributing writer in Los Angeles. Contact him at drewrobb@attbi.com.

Copyright © 2007 IDG Communications, Inc.

 
Shop Tech Products at Amazon