This month, we looked at ten multi-function security appliances. As you can see from the features table (right), these appliances are all over the map in terms of their functionality. Because we have discussed the individual functions of many of these appliances elsewhere, for this group test we concentrated upon how well integrated these functions were and how the appliance as a unit presented its information.
During the tests, some important questions came to mind that must be answered before implementation. First, who benefits from these products? Would they better suit small businesses, or large, dispersed organisations? Also, how critical is the appliance as a single point of failure in the overall architecture of the network? This affects both network and security architecture. Finally, how do these appliances impact a corporate defence-in-depth strategy?
These are three crucial questions for any security tool, but even more so if they are multi-functional.
Another issue is how these devices stack up against universal threat management (UTM). Here’s another example of how marketing has added confusion rather than clarity. What is the difference between a multi-function appliance and UTM? Defta Partners (www.deftapartners.com/newsarchive2.htm) quotes IDC: “UTM products unify and integrate multiple security features onto a single hardware platform. Qualification for inclusion within this category requires network firewall capabilities, network intrusion detection and prevention (IDP), and gateway anti-virus (AV) functionality.”
Of the ten boxes reviewed, seven met those criteria, but it would be hard to argue that any of the ten were not multi-function devices. So our definition of multi-function is, in most cases, a superset of the IDC definition of a UTM. You get the point, I’m sure. Defining what you need to buy depends more on your requirements than on convenient marketing labels.
So what are the pros and cons of multi-function appliances? There is no doubt that, at some level, they are a single point of failure. The more functions they offer, the more risky that becomes. But depending upon the situation, a single point of failure might be manageable with a hot standby.
More important, however, is the appliance’s impact upon defence in depth. While they offer a lot of convenience and even an economic benefit, there is no doubt that some depth is sacrificed. Compromising the appliance may compromise the entire network if it is the only point of connection between the untrusted and the trusted environments.
Appliances used as “omni-purpose” devices, combining functions such as firewalls, VPNs, anti-virus, anti-spam, web filters, anti-spyware and IDS/IPS, can be complicated to configure and manage. Small configuration errors can have big consequences, so we put a lot of emphasis on ease of use in our testing.
Generally, we found that there is an inverse relationship between the size of an organisation and the number of features in an appropriate multi-function appliance. The smaller the organisation, the bigger a role cost plays. A multi-function appliance can offer a lot of protection for a relatively low price. The downsides are the single point of failure, impact on defence in depth and need for solid training of all support personnel. For these organisations, full-featured appliances may make sense, but have a cost attached.
For large organisations with big throughput requirements it makes more sense to use specialised devices. Splitting malware defence, VPN/firewall, and IDS/IPS across separate devices might offer a better response to the defence-in-depth problem. Such specialised products are available alongside the fully-featured ones. Also, more fully-featured versions might be appropriate for outlying offices.
The bottom line is that these appliances do not, regardless of initial appearances, represent a panacea. They need to be architected into the security and network infrastructures, just as with any other security device.
Because most of these devices have been reviewed for their individual modules, we opted to evaluate them based on how their features hold together. We were looking for ease of use over the span of all capabilities, reporting, ease of implementation and management and overall performance. These tests were more functional than usual and we took the viewpoint of the implementer and/or administrator.
Our conclusions are that these products are all over the place in usefulness and desirability. This really is a case of “buyer beware”. However, we had some clear winners, and we believe that the use of multi-function appliances can be appropriate, with some good products available to satisfy varying needs. And that’s a good thing, because these puppies are here to stay.