Security appliances: Are they good enough?

Best-of-breed security software lets datacentre operators tailor protection to their exact needs. But some midsize companies or branch offices without dedicated security experts may prefer a simpler approach.

That was the situation Greg Muehl faced when securing the network connecting United Building Centers' (UBC) more than 200 lumberyards, manufacturing plants and millwork shops. He wanted to protect them, but he didn't have IT staff at those locations, nor did he want to overburden existing servers.

"We didn't want to put that additional load on the local servers by having them [encrypt and authenticate IP packets] with software, nor did we want to expose those servers to the danger of acting as border devices," said Muehl, information security senior analyst at UBC's Boston-based parent company, Pro-Build Holdings.

Like other companies seeking low-hassle network security, UBC deployed a virtual private network/security appliance - in this case, Firebox SSL Core boxes from WatchGuard Technologies. They provide Secure Sockets Layer (SSL) encryption, firewalls with deep packet inspection, intrusion protection and access-control lists. Such hardware/software combinations are simple to install and manage but don't offer the highest levels of security. So the question prospective users need to answer is, how much security is good enough for a particular location?

"Appliances are growing because they're easier to install and easier to use," chief technology officer at Counterpane Internet Security, Bruce Schneier, said. "They're not necessarily better or more secure, and in fact, you can get more security if you have more fine control [through dedicated security software]. But that takes know-how, and many customers don't have the expertise."

Box boom
When looking to secure their systems, administrators have the option of either installing security software on a server or buying a security appliance with the software pre-installed. Security appliances come in two basic flavours: dedicated and multipurpose. Dedicated appliances provide a single security service such as firewall or antivirus protection. Multipurpose appliances are either networking devices such as routers that also incorporate security functions, or specialised security devices providing suites of security services.

"With an appliance, you buy hardware and software, so you have a total solution," vice-president of operations at emergency messaging services provider Varoli, Ken Poulin, said. He uses firewall and intrusion-detection appliances from Juniper Networks. "If you just buy the software, you run into compatibility issues, so it is easier for me to go with a plug-and-play solution."

Infonetics Research analyst, Jeff Wilson, said security appliance sales were growing faster than security software sales. Infonetics figures show that while overall security appliance and software sales rose 15 per cent to $US4.6 billion last year, SSL VPN gateway appliance sales rose 40 per cent after posting a 61 per cent rise the previous year.

Midsize organisations with a limited number of IT security staffers find the multifunction appliance option attractive as well. The city of Encinitas in California, for example, installed a Gate Defender appliance from Panda Software to block spam and malware at its six locations.

"I like that the appliance is updated automatically regarding both virus-like threats and spam filtration," its IT analyst, Rainer Mueller, said. "This reduces the amount of time I need to administer the device."

Branching out
By contrast, a central datacentre is more likely to have a series of single-purpose appliances acting as firewalls, VPN concentrators and intrusion-detection or prevention systems.

"I use an appliance when I have a function that is clearly defined, that doesn't require a lot of configuration and that is pretty constant in terms of the threat I am trying to solve or the methodology I am using to solve it," director of information security at Continental Airlines, Andre Gold, said. "Conversely, we have leveraged software when we wanted greater control, greater flexibility or have a situation that can't be black-boxed."

He also uses appliances for routine functions such as SSL authentication to establish secure connections. That lightens the burden on server CPUs, which would otherwise have to perform the task. But in the datacentre, Gold uses only dedicated appliances.

"Especially in the enterprise, I am not a friend of the big Godzilla appliances that do everything, because they can't do everything well," Gold said.

By using separate appliances for each function, he can scale each box as needed to meet changing security requirements. The main datacentre, which is spread across two buildings at headquarters as well as six other locations, has a thorough, multilayered security mix. It includes LANShield appliances from ConSentry, Cisco firewall appliances, and software such as McAfee's Total Protection.

But for Continental's hundreds of airport ticket counters, maintenance facilities and city sales offices, that level of security is overkill. In those areas, it uses Cisco VPN 3002 hardware clients to provide firewall and VPN services; they will soon include antivirus and intrusion prevention software as well.

"I am not as interested in making huge investments in these technologies to support the small offices with five staffers and no corporate IT on their servers, compared to what I do for 5000 people at headquarters," Gold said. "This is where appliances really shine, especially when you have multifunction appliances."

So, which way should you go in securing a network - hardware or software? While the capabilities of appliances continue to grow, the users consulted for this story said they wouldn't trust their entire security operations to such a product, especially an "all-in-one" appliance.

They also noted appliances improve their security posture and simplify management. But all said they harness appliances as part of a layered security approach, often using them at the gateways or to offload certain functions from the servers while running antivirus and intrusion-protection software on servers and workstations.
