Small Appliances Need To Get Bigger

It's great that fairly powerful security appliances are available for small businesses, but I want more.

I like perimeter security. It just makes sense to have your best defenses at a point where they can have a whack at everything going in or out of the network. Obviously any large business knows this, but small businesses, which are manically cost-sensitive, often get by with no such barrier, or a false one such as a NAT router.

Capable security appliances for the perimeter of SOHO networks are available at prices small businesses would consider; I recently reviewed three such appliances for PC Magazine.

The appliances are capable all right—they all have real firewalls and VPNs—but in general there's a lot more they could do. Very, very few of these low-end appliances do any kind of malware scanning, and many of those that do compromise on their effectiveness.


When you move up a class into devices designed and priced for larger businesses you get a lot more protection and performance. For the last couple of months I've been using an EdgeForce Plus from ServGate. PC Magazine reviewed the lower-end model EdgeForce recently and loved it, giving it an Editors' Choice in a roundup with several competitors. The EdgeForce Plus has greater capacities on the firewall and VPN.

Both models have an optional "Professional Module" that includes a 20GB hard disk used by the virus scanner and spam filter. The hard disk makes a big difference in virus scanning mostly in one regard: maximum scannable file size. Without a large persistent store like a hard disk, the virus scanner has to give up at some point when the file gets too big. Memory constraints can also limit the effectiveness of a spam filter. In general, just as with a desktop or server operating system, it's good to be able to page things out to disk to make efficient use of your limited RAM.

And my EdgeForce Plus doesn't come with some cheesy, home-grown anti-virus application or one that comes from Uzbekistan—it comes with McAfee AntiVirus and spam filtering (the commercial version of SpamAssassin). All this does add cost to which the small business market is very sensitive, but you get what you pay for.

When you look at a SOHO appliance that does offer anti-virus protection, ask how many virus definitions there are in it. You might be surprised, appalled, whatever, to hear numbers under 10,000. Your $40 anti-virus software for your home computer probably has at least 80,000 definitions. But this is the price of squeezing anti-virus functionality into a little box with limited memory and processing capacity. There are boxes in this class, such as the Netscreen-5GT from Juniper Networks, which comes with Trend Micro's anti-virus technology and can be had for under $500.

The EdgeForce line also has an optional "Performance Module" that increases capacities on the firewall and VPN in case your company outgrows it. Growth is another area in which the lower-end appliances usually fall short out of cost considerations.

A compromised perimeter is one approach to keeping costs down. The other is taken by Symantec in their Gateway Security 300 series; instead of implementing the functions on the device, it enforces policies that require any client connecting to the network to have up-to-date protection installed. There are good points and bad points to this approach, which I've already written about, but I don't want to prejudge it since I'm about to start testing one of them. More on this later, of course.

In the long term, the only difference from the low-end to the high-end of these devices should be capacity. If you want more users, you pay for more. There's a case to be made that small business-oriented devices should be easier, with more wizards and such. But simple and complex approaches should be offered in all levels of these devices. Features such as anti-virus are tougher to do universally because reputable anti-virus products, such as those from McAfee and Trend Micro, don't come cheap.

Of course, no matter how good your perimeter security is, you need to have good client security too. But it's harder to manage all that client security, and your best shot is to stop threats at the front door where nearly all of them try to get in.

