Menu
Hot stuff: Securing firewalls

Hot stuff: Securing firewalls

Security vendors are forging strategic alliances with one another in response to increasing market demand for bundled security offerings as opposed to single security point products.

Consumer demand for a total security solution has forced vendors to rethink the ways in which they deliver their respective security technologies to the market. Several software vendors have pre-installed and pre-configured their software on various operating systems and hardware platforms.

Senior analyst of Asia-Pacific security software for IDC, Natasha David, has identified a key trend in the overall security market that is a boon for the hardware segment.

”There is definitely a movement away from software firewalls sold as standalone products, whereby users buy a licence and install it themselves,” David said. “Buyers are leaning towards software firewalls bundled into single state machines and configured with the hardware.

“Even though the software is exactly the same, the way it is being delivered is different. A hardware-based solution is becoming a preference for the end user.”

Firewall deployment is most often approached in one of two ways: either by running the firewall software via a hardened kernel on an appliance or by developing a hardware-based solution using ASIC.

The process of configuring a software firewall program and hardening the underlying security of the system is a complex task. To alleviate this problem, manufacturers such as Check Point Software have since developed firewalls that run instead on appliances — boxes dedicated to function specifically as firewalls. Usually these appliances run on a hardened Linux kernel or proprietary system developed by the vendor, thereby eliminating the need to secure the underlying OS.

Checkpoint developed a version of its Firewall 1 software that runs well on a Nokia appliance. Although this is a software-based solution, it eliminates the need to secure the underlying OS.

Netscreen’s and Cisco’s ASIC-based hardware solutions exemplify the second approach, referred to as a third-generation firewall. ASIC is a chip specially designed and optimised for a specific purpose. In Netscreen’s case, the chip excels at encryption and processing firewall policies.

In addition to providing better network security, appliances also require less main­tenance of system patches and fewer upgrades. This may change in the future as more vulnerabilities are found in firewall applications, the bastions of corporate security once thought impenetrable.

With the market’s increasing focus on firewall products, resellers will see a corresponding increase in firewall appliance patches and releases.

According to IDC statistics gathered at the end of 2001 on the overall Asia-Pacific IT security market, the security hardware market will experience the most significant growth over the next five years at a CAGR (compound annual growth rate) of 31 per cent, growing from $93 million in 2001 to $364 million in 2006.

Security software will grow from $205 million in 2001 to $665 million in 2006 at a CAGR of 27 per cent. And security services will grow from $323 million in 2001 to $883 million in 2006 at a CAGR of 26 per cent, the report stated.

Senior technology consultant of managed security service provider SecureData, David Deakin, is also aware of the growing preference for hardware-based firewalls at the enterprise and SME level.

“Over the last two years we’ve sold nothing but hardware-based firewalls,” Deakin said. “People are migrating away from software-based firewalls such as Norton and ISA, to dedicated firewall systems like Check Point’s and Cisco’s.”

This movement is being driven largely by enterprises’ increased awareness of the importance of protecting their organisations at the border or gateway. Arguably the most effective protection device at this location is a hardware-based firewall.

“Over the last three or four years, enterprises have come to realise the threat of an attack from the Internet or wide area network (WAN) is a serious one and are deploying more security at the border to better protect themselves,” Deakin said.

While large enterprises are migrating to high-end hardware-based firewalls such as Check Point’s VPN-1/FireWall-1 solutions (which operate on Nokia’s purpose-built, security hardened operating system) and Cisco PIX, small-to-medium enterprises (SMEs) cannot afford such devices and are showing a preference for deploying both software and hardware-based firewall solutions.

Deakin said SMEs were opting for the implementation of mid-range hardware-based firewalls, such as the Lucent Brick or Watchguard Firebox, at the border and the implementation of software-based firewalls (the Microsoft ISA firewall) behind it.

The future of the software-based firewall sold as an aftermarket item was uncertain, he said.

“Security is now evolving as a systems platform issue,” Cisco’s security expert, Kip Cole, said. “Hence it is more appropriate now to consider security as a fundamental part of any platform or network selection. Customers and partners should expect to see security functionality embedded in their systems.”

Regional director for Australia/New Zealand, Scott Ferguson, said Check Point realised that its own growth depended heavily on integration with hardware.

Check Point’s partnership with Nokia was testimony to the effectiveness of vendor partnerships in this space. Cisco has had a stranglehold on the VPN firewall market for years but Check Point’s decision to deliver its software-based firewalls pre-configured on Nokia hardware platforms had made it a formidable component in this arena.

According to IDC, Check Point/Nokia now sell the most hardware-based firewalls used specifically for VPN firewalling, including those sold independently by Check Point as software and those pre-configured onto a hardware device that plugs into a network.

However, in terms of absolute sales, Cisco is the market leader as it imbeds its ASIC-based firewall blades in all its routers, switches and VPN desktop products.

Ferguson said the market was moving away from ASIC-based security appliances — as people recognised the limitations — in favour of pliable software-centric solutions.

“Netscreen and Cisco are essentially hardware vendors, they don’t want to offer the customer too much choice in terms of scalability because the basis of their existence depends of hardware upgrades,” he said.

By comparison, Check Point users could, for example, move between a Hewlett-Packard and a Sun Microsystems platform and have their licence adjusted accordingly regardless of how far along they are in the licenses life.

Ferguson was also critical of Cisco’s decision to leave the OPSEC (Open Platform for Secure Enterprise Connectivity) multi-vendor interoperability program earlier this year, suggesting it left customers few means of testing the longevity and interoperability of its range by refusing to share APIs (application programming interface).

Cisco’s departure from the OPSEC program is at odds with the increasing trend among security vendors to forge strategic alliances with one another in order to leverage each other’s expertise in certain facets of IT security and provide all-in-one security solutions.

Symantec’s national channel manager, Brian Stibbard, said there would be an increasing number of multi-vendor security offerings in the marketplace.

“Everybody is trying to team up with everybody else, not just for firewalls but antivirus and intrusion detection solutions as well. Symantec wants to be seen as a total enterprise security solution not just a series of point products.”

Symantec has partnered with several vendors to provide its Gateway Security Appliance, an integrated hardware appliance with antivirus, content filtering, firewalling and intrusion detection components imbedded in it.

The effects of manufacturer’s pre-configuring various security technologies on hardware appliances will have on end-user demand for services is something service providers should keep an eye on.

Opportunities for security service providers at both the SME and large enterprise levels are immense. The security services sector currently represents 52 per cent of the total security market (in terms of revenue), according to IDC.

“I suggest that resellers get their staff trained up in traditional firewall technology, high-end configurations and mid-level configurations,” Deakin said.


Follow Us

Join the newsletter!

Error: Please check your email address.
Show Comments