Security appliances have become the "six-guns" of the Internet frontier. But is software a better solution?
Sometimes with the Internet it seems like you are living out on the frontier. But unlike the wild West, which settled down after a few years, computer security threats have continued to rise and show no signs of abating any time soon.
"I have been in the computer field for 25 years, and it has only been in the past six years or so that security has become the major issue it has," said Rainer Mueller, IT analyst for the City of Encinitas in California. "We are forced to spend much more money, time, and effort than we ever have to keep our facility and information secure. And unfortunately, I believe that this will continue for the foreseeable future."
Like those pioneers who always packed a six-gun, IT staff are forced to take a vigilante approach rather than waiting for the sheriff to arrive. So, as security threats continue to grow, so does the number of companies turning to security appliances.
"These days it is standard practice to install many things on an appliance," said Paul Stamp, senior analyst for Forrester Research. "An appliance can use custom hardware to accelerate functions more quickly and efficiently than just using multipurpose hardware with some software installed on it."
Consequently, we are witnessing a steady rise in the use of security appliances. According to IDC, the market for threat management hardware will pass the $5 billion threshold by 2009, due to the distributed nature of security duties throughout the IT organization.
"We are starting to find a lot of functions that were being done by security are being offloaded to different teams, such as the networking staff," he explained. "Network teams are not used to dealing with software, but they are accustomed to appliances."
This blossoming security appliance market breaks down into several categories. The largest group is the firewall and VPN appliances that come from a wide array of networking and security vendors.
Then there are specialized security appliances to address specific activities. Decru, now part of Network Appliance, has something called the DataFort, a dedicated appliance for encrypting and decrypting network traffic.
Bluesocket of Burlington, Mass., makes appliances for controlling the interface between wired and wireless segments of a network. ConSentry Networks makes appliances that sit between the access and distribution layers on a network fabric and use algorithms to detect network anomalies, and the list goes on and on.
Further, there are perimeter security devices from vendors that have their roots in the antivirus space. Although security vendor Symantec laid off its security appliance staff last year in order to concentrate on managed services, both McAfee and Panda Software have unified threat management appliances that address a range of security issues.
Winning The Shootout
Perimeter security appliances incorporate a number of features that one would typically find in a security software suite. The advantage is that setting up an appliance is just a matter of plugging the device into the network rather than having to manage one or more dedicated servers and the associated software.
While a corporate data center may have the support staff to manage separate applications, appliances are a good match for smaller companies that don't have specialized IT security personnel. But they are also the best option for certain types of large enterprises.
"We have found that it has more to do with how distributed an environment is, rather than the size of the company," said Stamp. "Large retail chains like using appliances because they have many locations that have relatively small processing requirements."
The City of Encinitas uses Panda's GateDefender Performa 8100, but they do so in different ways. The appliance includes antimalware, antispam and a web content filter. It is designed for 25 to 500 users, 160 email messages per second (SMTP), and 80 Mbps of HTTP traffic. Encinitas uses it as a frontline defense, but also runs host-based security software on all the servers and workstations.
"GateDefender offered us the ability to diminish not only viral-type threats, but also significantly reduce the amount of spam we are inundated with," said Mueller. "Just yesterday I saw that a staggering 73 percent of the email we received here at the City of Encinitas was spam. That's outrageous."
Before buying the product, Encinitas conducted a 30-day trial of competing appliances, and did in-house testing on both devices. Mueller preferred Panda due to its range of protection, ease of installation and use, and the minimal amount of overhead processing time on incoming messages to the City.
Stamp notes that appliances are best suited to filtering email and Web traffic. When traffic loads are unknown or less predictable, however, he advises going with software on a server.
"If the server is overloaded, you can generally stick another CPU or additional memory in there, but you are a bit more constrained with an appliance," Stamp said. "Appliances tend to be better when one can predict the load, and an organization generally knows how much email it gets in a day."
He also says that a general purpose security appliance might not be the best choice when the different types of traffic it filters are managed by different personnel in the organization.
"If you have an organization where email filtering is supported by a different team than the web content, you have a lot of finger pointing when something goes wrong," he said. "You need to determine ahead of time who owns the box and what procedures to follow for dealing with issues that arise."
Given those caveats, installing a security appliance still allows an organization to achieve a higher level of security without an excessive management headache.
"I currently feel we are fairly secure, because we attempt to be as proactive as possible," said Mueller. "I realize that there is no such thing as perfection with security, but by being proactive, I believe we are handling and protecting the needs of our customers as well as our co-workers."