One tool to rule them all

If you are out in the woods, miles from anywhere and traveling light, it pays to have a tool that can perform a range of tasks and offer some form of protection. Many small companies have taken a similar approach to their IT security, employing a multi-purpose appliance to handle a whole range of different threats.

Remote workers, branch offices and small businesses have all been persuaded of the advantages of the appliance route. Instead of installing different applications, configuring systems and tuning them to company requirements, it is much easier (and cheaper) to plug in an appliance and let it run, often remotely managed and updated by the supplier.

Market predictions certainly bear out this move toward the black-box solution. Research firm IDC forecasts a 61 percent growth in the market for integrated appliances between 2004 and 2009.

But this popularity seems still to be confined to the lower end of the market, where skilled staff and the money to spend on equipment are in short supply.

The question is how far the trend will go, and whether appliances will make it into the world's largest corporations.

Opinions are split. Appliances can be used to mitigate a whole range of threats, and for some the ease with which they can be set up, used and upgraded is appealing, especially for those on tight budgets. But larger enterprises have the resources and specialist staff to handle this.

"Today, you don't see a lot of integrated appliances at the high end, and one of the main reasons is performance," says Mike Wittig, chief technical officer at Cyberguard. "Enterprises look for the best of breed. The chances of a vendor having one or more best-of-breed solutions in an integrated product are very small."

Industry analysts believe that bigger organizations have far different needs than small companies and this is an important consideration. Those needs are also more complex. Sometimes you need a big, proper screwdriver instead of one found on a Swiss Army knife or multi-tool.

"Needs tend to be similar across SMEs. The bigger the organization, the less likely a standard configuration will meet its requirements," said Graham Titterington, principal analyst at Ovum. "The more bespoke the need, the less you gain from buying an all-in-one box."

Titterington says that throughput poses the biggest problem for an integrated appliance. More functionality tends to slow data transit, making it not such a good idea for bandwidth-hungry firms, typically large enterprises. "Everything in one box is more useful for less intensive bandwidth usage," he says.

Oliver Harcourt, senior research analyst at IDC, says that large organizations' performance requirements for large central sites are so high that it is just not feasible to have a lot of security applications running on the same hardware.

"Larger enterprises are looking at unified threat management (UTM) appliances to protect their smaller branches and remote offices, but not so much to protect large central sites," says Harcourt.

But not everyone agrees. Mike Smart, a director at security company SonicWall, says he has seen more interest from bigger companies in using appliances.

"Companies are now facing blended threats and need to deploy unified threat management solutions that can operate at the application level," he says.

This is not just driven by security. Companies need to control the use of peer-to-peer messaging for compliance purposes and also to stop it stealing bandwidth and harming quality of service.

The rising use of MPLS (multi-protocol label switching) is also having an effect on this trend, he says. Appliances capable of deep-packet inspection will be needed to support quality of service for applications such as voice over IP.

But he sees these being additions to companies' existing infrastructures, rather than a complete replacement. "We don't expect UTM appliances to take over in the Fortune 500 companies. They will be added to create multiple layers of security," he predicts.

Cyberguard's Wittig believes ease of use will be more important as the complexity of specialized devices gets beyond administrators. "Best-of-breed appliances aren't being managed properly," he says.

So are enterprises just not getting the message that integrated appliances could be of some use in their infrastructure? Harcourt says that "deploying multiple UTM devices and running different security applications on each" could be a way to go. This would allow an enterprise to "build a very flexible and scalable security infrastructure," he says.

Jonathan Mepsted, regional director at Fortinet, says large enterprises need to look at integrating functionality within devices based on what goes together best.

"For enterprises it makes sense to group functionality in terms of whether the traffic is inbound or outbound," he says.

For example, email traffic coming in needs to be checked for viruses, spam and content, and a similar approach could be taken with web traffic. A firewall with intrusion prevention or detection makes sense as long as throughput is acceptable.

Mepsted urges enterprises to consider adding more functionality to their architecture, or look at devices that can add multiple functionality. "The latter solution allows for the avoidance of security gaps that can sometimes appear with point solutions," he says. Any aggregation of functions also raises questions over how the security department is organized.

Larger enterprises have specialist teams to deal with different areas of security, often isolated from each other. This makes selling an integrated product to these teams difficult.

"It's still very political. The IDS team is still different from the firewall team in many large organizations," says James Clegg, a director at Crossbeam Systems. He says this can lead to teams thinking they have to lose a manager.

But if the right approach is taken, the rewards could be much more than just security consolidation. It means looking at this not just as a hardware problem, but as an organizational problem as well.

"What you need to do is look at what the company does, and act accordingly – it can reveal problems in the organization itself," says Wes Wasson, vice-president of worldwide marketing at application acceleration company Netscaler.

There would be little point in integrating functions if this led to competing teams fighting over who manages the device. This is where security managers and CSOs can look at making the organization of teams more logical and efficient. It can also make consolidation of security functions easier to achieve, as teams will have a clearer role to perform and less overlap of responsibilities.

But some think the effect of the security application could be a lot more radical. Lloyd Hession, CSO for BT Radianz in New York, predicts the multi-function appliance will be welcomed by many chief information officers in large organizations who are no longer prepared to deal with "arrogant, over-priced security guys."

"We've got to recognize that security has become too darned complicated, and there is a growing frustration among CIOs," he says. "CIOs have spent millions of dollars on IDS systems and they've not seen a great deal for it. They want something that is just good enough."

He admits these might not be as flexible or configurable as best-of-breed solutions, but insists that a system that is easy to install and manage is very attractive.

"The CIOs have a lot of requirements with customers wanting to access systems in different ways, such as from internet cafés, and so on. A lot of big organizations are now looking at the appliance as a black-box solution that they can install swiftly and easily," he says.

Many security experts, he says, try to hang a cloak of mystery on the technology rather than install a simple appliance to do the work.

"The hardcore security guys say you should have separate boxes that can be customized to your needs. But this is not an issue at all in most cases.

"Look at the man hours you need to spend tuning firewalls or an IPS and configuring systems for security. In an appliance, the OS is already hardened. The black-box approach has huge benefits."

He even makes the point that with data center space at a premium, consolidating functions into a small number of boxes also saves on footprint and power. And he dismisses the charge that the appliance would be a single point of failure.

"That is a smokescreen. You have two or more boxes for safety. You just don't have ten boxes all doing different things."

All teams should be examined, their assorted functions looked at again, and action taken to make them work better. This should give managers the chance to question the security structure of their organization and rectify problems. That will leave an organization better equipped to deal with whatever environment it finds itself in.

The debate will doubtless continue and companies will take different approaches.

Even if the multi-tool solution is not the best of all possible worlds, it can act as a catalyst for change.
