A Look at All-in-One Security Appliances

By Andrew Garcia  |  Posted 2003-12-15

A Look at All-in-One Security Appliances

This year was the worst ever for worms and viruses, and it doesnt look like the onslaught will slow next year. As IT managers scramble to implement increased protection, integrated security appliances that combine myriad security functions certainly sound like the answer to their prayers. eWEEK Labs tests show that implementing an integrated appliance will drastically ease ongoing security management and reduce network complexity, yet add a possible bottleneck for performance and availability.

To date, IT administrators have been forced to deploy separate systems for anti-virus scanning, Web and e-mail content filtering, intrusion detection and prevention, virtual private networking, and intelligent application-aware firewall capabilities. This has left administrators with a complex, difficult-to-manage network architecture, not to mention degraded performance: Network traffic travels from appliance to appliance, getting stripped down and examined at each stop, which reduces the networks overall efficiency.

A number of vendors are rushing to help administrators overcome these problems with Swiss Army knife-like security appliances. Symantec Corp.s Gateway Security 5400 series and Internet Security Systems Inc.s Proventia line are the newest entries on the market, with Symantec and ISS hoping to leverage their respective anti-virus and intrusion detection expertise to convince customers that their products are the solution to the bigger security problem.

See eWEEK Labs review of Symantecs Gateway Security 5460 appliance.

One of the biggest drawbacks to these products is that they are a single point of failure in the network architecture. To ensure reliability, these devices must be deployed in tandem, requiring a hefty upfront cash outlay. Administrators may find that limiting multifunction appliances to logically connected security services may be easier politically and financially.

Administrators must also consider how beholden they want to be to a single vendor. A vendor that excels in a single service may not provide the best features in an overarching solution. IT managers must weigh the cost and complexity of best-of-breed solutions against the promise of integrated management and streamlined network architecture.

The Swiss Army knife approach is not new, but until now it has been focused on the low end of the market. Appliances targeted at small businesses, from security vendors such as SonicWall Inc. and WatchGuard Technologies Inc., have for years successfully integrated virtual private networking and stateful inspection firewalls with simple content filtering and rudimentary anti-virus capabilities. However, these devices do not provide the performance, reliability and manageability levels that enterprise customers demand for their complex, mission-critical networks.

Both stateful and deep inspection engines assess packets individually, examining each packets header or application content and then passing or blocking each packet according to defined policies.

A new generation of attacks, however, can span multiple packets, requiring the firewall to cache packets and assemble the whole data stream before making policy decisions. This store-and-forward proxy mechanism necessitates drastically different hardware capabilities and tuning parameters than are required for stateful inspection-based engines.

Security in a box

Integrated security appliances contain some, but not necessarily all, of these functions:

  • Stateful inspection firewall
  • Proxy firewall
  • Deep inspection firewall
  • Site-to-site VPN
  • Remote access VPN
  • Anti-virus scan for Web, FTP, e-mail
  • Web content and URL filtering
  • E-mail content and spam filtering
  • Intrusion detection
  • Intrusion prevention
  • Symantec and ISS have taken a similar tactic, throwing processor power and memory at the problem, yet the question remains: Can a device effectively perform store-and-forward and filtering inspection tasks?

    A few startups have taken innovative approaches to this dilemma. Fortinet Inc.s FortiGate products have content processors, based on application-specific integrated circuits, that offload scanning from the core operating system. Inkra Networks Inc., meanwhile, is introducing the concept of virtualization to its security appliances. With Inkras Virtual Service Architecture, administrators can run separate security services on distinct virtual partitions of the appliance and decide in advance how to share the system resources among services.

    Next page: Calculating costs

    Calculating costs

    No matter what the architecture, costs for these appliances can escalate quickly. Although the starting price for the Symantec Gateway 5400 series is about $3,500 for a low-end firewall-only model, beefing up the hardware and layering on additional security services can increase the price to upward of $60,000 for a redundant pair.

    While these integrated appliances show promise, eWEEK Labs recommends getting your house in order before purchasing a multifunction appliance. Such an investment crosses into the purview of several IT entities: The network group, the security group and the corporate messaging group all need to be onboard for the implementation.

    The multifunction appliance should be deployed in conjunction with some existing services; administrators should continue to maintain their internal anti-virus and network-based intrusion detection/intrusion prevention architectures. However, content and network filtering devices will be replaced outright, which may be a battle if a particular device is already working well.

    An interesting compromise to this dilemma is the open-source community. Astaro AG, for example, offers Astaro Security Linux, an inexpensive, preconfigured open-source solution that can be installed on standard hardware without the headaches of trying to harden and tune the operating system.

    Case study: See how one company made use of Astaros Security Linux appliance.

    Discuss This in the eWEEK Forum

    Technical Analyst Andrew Garcia can be reached at andrew_garcia@ziffdavis.com.

    Rocket Fuel