A Look at All-in-One Security Appliances

eWEEK Labs' tests show that all-in-one security appliances can increase system security, but they can also create performance bottlenecks.

This year was the worst ever for worms and viruses, and it doesn't look like the onslaught will slow next year. As IT managers scramble to implement increased protection, integrated security appliances that combine myriad security functions certainly sound like the answer to their prayers. eWEEK Labs' tests show that implementing an integrated appliance will drastically ease ongoing security management and reduce network complexity, yet it also introduces a possible bottleneck for performance and availability.

To date, IT administrators have been forced to deploy separate systems for anti-virus scanning, Web and e-mail content filtering, intrusion detection and prevention, virtual private networking, and intelligent application-aware firewall capabilities. This has left administrators with a complex, difficult-to-manage network architecture, not to mention degraded performance: Network traffic travels from appliance to appliance, getting stripped down and examined at each stop, which reduces the network's overall efficiency.

A number of vendors are rushing to help administrators overcome these problems with Swiss Army knife-like security appliances. Symantec Corp.'s Gateway Security 5400 series and Internet Security Systems Inc.'s Proventia line are the newest entries on the market, with Symantec and ISS hoping to leverage their respective anti-virus and intrusion detection expertise to convince customers that their products are the solution to the bigger security problem.

See eWEEK Labs' review of Symantec's Gateway Security 5460 appliance.

One of the biggest drawbacks to these products is that they are a single point of failure in the network architecture. To ensure reliability, these devices must be deployed in tandem, requiring a hefty upfront cash outlay. Administrators may find that limiting multifunction appliances to logically connected security services may be easier politically and financially.

Administrators must also consider how beholden they want to be to a single vendor. A vendor that excels in a single service may not provide the best features in an overarching solution. IT managers must weigh the cost and complexity of best-of-breed solutions against the promise of integrated management and streamlined network architecture.

The Swiss Army knife approach is not new, but until now it has been focused on the low end of the market. Appliances targeted at small businesses, from security vendors such as SonicWall Inc. and WatchGuard Technologies Inc., have for years successfully integrated virtual private networking and stateful inspection firewalls with simple content filtering and rudimentary anti-virus capabilities. However, these devices do not provide the performance, reliability and manageability levels that enterprise customers demand for their complex, mission-critical networks.

Both stateful and deep inspection engines assess packets individually, examining each packet's header or application content and then passing or blocking each packet according to defined policies.

A new generation of attacks, however, can span multiple packets, requiring the firewall to cache packets and assemble the whole data stream before making policy decisions. This store-and-forward proxy mechanism necessitates drastically different hardware capabilities and tuning parameters (notably per-connection buffer memory) than are required for stateful inspection-based engines.
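The difference between per-packet inspection and store-and-forward reassembly is easiest to see in code. The following added example (not from the eWEEK article or any of the vendors it names) matches a constructed signature string against a constructed HTTP request that arrives split across three out-of-order TCP segments. The per-packet check, which sees each segment in isolation, misses the pattern; the reassembler caches segments until the stream is contiguous and then finds it. The `max_buffer` limit stands in for the memory tuning the paragraph above mentions: a device that reassembles streams must cap what it holds per connection or it becomes the bottleneck. All names (`TcpSegment`, `StreamReassembler`, `SIGNATURE`, `REQUEST`) are assumptions made for this illustration.

```python
"""Per-packet inspection versus stream reassembly (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed signature: a request path this toy policy blocks (not a real indicator).
SIGNATURE = b"GET /blocked-resource"
# Constructed client request that the signature should match once reassembled.
REQUEST = b"GET /blocked-resource HTTP/1.0\r\n"


@dataclass(frozen=True)
class TcpSegment:
    seq: int        # relative sequence number of the first payload byte
    payload: bytes


def inspect_per_packet(segments: Iterable[TcpSegment], signature: bytes = SIGNATURE) -> bool:
    """Stateless check: alerts only if one segment carries the whole signature."""
    return any(signature in seg.payload for seg in segments)


class StreamReassembler:
    """Caches out-of-order segments and delivers contiguous bytes (store-and-forward)."""

    def __init__(self, initial_seq: int = 0, max_buffer: int = 64 * 1024) -> None:
        self.next_seq = initial_seq          # next byte we expect to deliver
        self.pending: Dict[int, bytes] = {}  # seq -> payload waiting for a gap to fill
        self.buffered = 0                    # bytes currently held out of order
        self.max_buffer = max_buffer         # per-connection memory cap (tuning knob)
        self.data = bytearray()              # contiguous stream delivered so far

    def add(self, seg: TcpSegment) -> None:
        # Trim retransmitted bytes that were already delivered.
        if seg.seq < self.next_seq:
            overlap = self.next_seq - seg.seq
            if overlap >= len(seg.payload):
                return
            seg = TcpSegment(self.next_seq, seg.payload[overlap:])
        if seg.seq in self.pending:
            return  # duplicate of a segment already queued
        if self.buffered + len(seg.payload) > self.max_buffer:
            # A real appliance must decide here: drop, alert, or reset the flow.
            raise MemoryError("per-connection reassembly buffer exceeded")
        self.pending[seg.seq] = seg.payload
        self.buffered += len(seg.payload)
        # Drain every segment that is now contiguous with the delivered stream.
        while self.next_seq in self.pending:
            payload = self.pending.pop(self.next_seq)
            self.buffered -= len(payload)
            self.data.extend(payload)
            self.next_seq += len(payload)


def inspect_reassembled(segments: Iterable[TcpSegment], signature: bytes = SIGNATURE,
                        initial_seq: int = 0) -> bool:
    """Store-and-forward check: reassemble first, then match against the whole stream."""
    reassembler = StreamReassembler(initial_seq)
    for seg in segments:
        reassembler.add(seg)
    return signature in reassembler.data


def constructed_segments() -> List[TcpSegment]:
    """Split REQUEST into three segments so no single one holds SIGNATURE,
    and return them in the out-of-order arrival sequence 3, 1, 2."""
    chunks = [REQUEST[:7], REQUEST[7:16], REQUEST[16:]]
    segments, seq = [], 0
    for chunk in chunks:
        segments.append(TcpSegment(seq, chunk))
        seq += len(chunk)
    return [segments[2], segments[0], segments[1]]


if __name__ == "__main__":
    segs = constructed_segments()
    print("per-packet match:  ", inspect_per_packet(segs))    # False
    print("reassembled match: ", inspect_reassembled(segs))   # True
```

The reassembler is deliberately minimal (no handling of overlapping segments with differing content, no timeouts for flows that never fill a gap), but it is enough to show why the two engine types need different resources: the per-packet check runs in constant memory, while the reassembling check must hold up to `max_buffer` bytes for every concurrent connection.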

Security in a box
Integrated security appliances contain some, but not necessarily all, of these functions:

  • Stateful inspection firewall
  • Proxy firewall
  • Deep inspection firewall
  • Site-to-site VPN
  • Remote access VPN
  • Anti-virus scan for Web, FTP, e-mail
  • Web content and URL filtering
  • E-mail content and spam filtering
  • Intrusion detection
  • Intrusion prevention

Symantec and ISS have taken a similar tack, throwing processor power and memory at the problem, yet the question remains: Can a single device effectively perform both store-and-forward proxy and per-packet filtering inspection tasks?

A few startups have taken innovative approaches to this dilemma. Fortinet Inc.'s FortiGate products have content processors, based on application-specific integrated circuits, that offload scanning from the core operating system. Inkra Networks Inc., meanwhile, is introducing the concept of virtualization to its security appliances. With Inkra's Virtual Service Architecture, administrators can run separate security services on distinct virtual partitions of the appliance and decide in advance how to share the system resources among services.