In the classic tale of French chivalry, The Three Musketeers, the intrepid heroes more often than not find themselves in predicaments that one of them-in a drunken stupor-has precipitated.
After endless (and often drunken) bickering, they overcome their spats and, together again (perhaps still drunk), fight their way to a glorious victory. Then they drink some more.
As multi-function security devices increasingly appear in the market place, security architects are asking themselves whether the integrated functions can act in concert (even stone sober) and whether one out-of-control application will precipitate a royal catastrophe or whether, in fact, they are stronger in concert and can bail each other out of unanticipated crises.
Fortunately, there are encouraging signs for a happy ending. A sizable number of early adopters have started using multi-function security devices (we’ll call them MSDs for short) with positive results. In fact, multiple security functions can, and do, play well with each other. Emerging companies such as Crossbeam (my company), iPolicy and Fortinet are seeing strong growth while established companies such as Check Point (with its new Application Intelligence) and NetScreen (through the integration of OneSecure IDP) are extending the capabilities of what was previously a single function (firewall). In so doing, they are eliminating many separate and disparate devices that previously had to be strung together in unmanageable and costly ways; and though the methodologies of these companies may vary, the results are the same – enhanced protection at considerably lower total cost of ownership. For example, Crossbeam’s products replace anywhere from 5 to 50 separate devices – that’s a lot fewer boxes to maintain and a lot fewer support costs to pay.
The migration to this new world will not happen overnight. The cardinal’s forces guard the silos. Ask a firewall architect to install anti-virus as part of the firewall and they’ll tell you to go eat cake. Why? It’s not their job. Never mind that more viruses are getting in via HTTP mail than through the corporate mail server. The perimeter belongs to the perimeter guard. En garde!
Then there is the pesky problem of security policies. Drawn up by committees with good intentions, they may fail to keep pace with the accelerating threat environment when they dictate the way in which security devices should be deployed.
On the other hand, arrayed against the forces of evil, are some very positive trends that are convincing security architects to move to the new paradigm. Some of the most significant are the following:
1. Personal experience with residential broadband gateways. While
the concept of performing multiple functions might be theoretically
challenging, the fact is that many of us are using MSDs at home
right now! Netgear, for example, makes a little device that
incorporates firewall, intrusion detection, anti-virus and other
functions into a $99 home gateway.
2. Acceptance of VLANs. Three years ago my company asked one of
the largest banks in New England whether they would allow traffic
segmentation by VLAN. We’d rather chop off our own heads they
replied. Today, they have rolled out VLANs across the entire
enterprise. Thus, the concept of virtual services in a single device
doesn’t seem quite so strange.
3. The rapid growth but irritating opacity of Virtual Private Networks.
What, in the name of the king, is traveling across your VPN, sent
there by compromised home laptops? Don’t you want some kind
of decontamination zone that checks for access, intrusion and
4. The explosion of single-use appliances. Once upon a time, a small
company named New Oak (a name of which the musketeers
would certainly have approved!) built a VPN appliance around the
same time Nokia started shipping their firewall appliances. In the
intervening six years or so, there has been a hailstorm of
appliances. There are even appliances now that manage other
appliances! Unfortunately, the network staff is not equipped to
learn ten new appliances every year.
5. Patch management – even if your network staff did manage to
learn ten new appliances (or even three), the complexity of patch
management in the security world is a major hurdle. Threats, by
their nature, are unpredictable. Consequently, the need for
patches is going to be totally assured. Patching multiple different
appliances alone will take more manpower than is available.
6. Availability of new “content-aware” silicon. While the death of the
high tech market keeps being proclaimed, companies such as
Broadcom, Cavium and Corrent continue to release interesting
new hardware components that are able to move security
functions into silicon. Put that silicon into the hands of capable
systems companies like Crossbeam and you have simple, fast
7. C’est l’economie, stupide (as Louis XIV might have said). It
hardly bears repeating but doing more with less is paramount.
Consolidation is in, coolness is out. If you can save significant
operating expense while keeping up with security requirements,
you can keep your job.
It should be royally clear by now that the forces for integration vastly outnumber the forces against. Interestingly, mid-market companies of 500 to 1000 employees may be the prime movers in this market. Why? They have fewer silos, less staff to spread across multiple functions and very compelling economic reasons to simplify all facets of IT. Still, larger companies are not sitting idly by since data center consolidation is forcing a rethinking of security architectures in general. One might even say a revolution is brewing.
Throop Wilder is co-founder and vice president of marketing for Crossbeam Systems, Inc. (www.crossbeamsystems.com).