All For One and One For All

In the classic tale of French chivalry, The Three Musketeers, the intrepid heroes more often than not find themselves in predicaments that one of them, in a drunken stupor, has precipitated.

After endless (and often drunken) bickering, they overcome their spats and, together again (perhaps still drunk), fight their way to a glorious victory. Then they drink some more.

As multi-function security devices increasingly appear in the marketplace, security architects are asking themselves whether the integrated functions can act in concert (even stone sober) and whether one out-of-control application will precipitate a royal catastrophe or whether, in fact, they are stronger in concert and can bail each other out of unanticipated crises.

Fortunately, there are encouraging signs for a happy ending. A sizable number of early adopters have started using multi-function security devices (we'll call them MSDs for short) with positive results. In fact, multiple security functions can, and do, play well with each other. Emerging companies such as Crossbeam (my company), iPolicy and Fortinet are seeing strong growth while established companies such as Check Point (with its new Application Intelligence) and NetScreen (through the integration of OneSecure IDP) are extending the capabilities of what was previously a single function (firewall). In so doing, they are eliminating many separate and disparate devices that previously had to be strung together in unmanageable and costly ways; and though the methodologies of these companies may vary, the results are the same - enhanced protection at considerably lower total cost of ownership. For example, Crossbeam's products replace anywhere from 5 to 50 separate devices - that's a lot fewer boxes to maintain and a lot fewer support costs to pay.

The migration to this new world will not happen overnight. The cardinal's forces guard the silos. Ask a firewall architect to install anti-virus as part of the firewall and they'll tell you to go eat cake. Why? It's not their job. Never mind that more viruses are getting in via HTTP mail than through the corporate mail server. The perimeter belongs to the perimeter guard. En garde!

Then there is the pesky problem of security policies. Drawn up by committees with good intentions, they may fail to keep pace with the accelerating threat environment when they dictate the way in which security devices should be deployed.

On the other hand, arrayed against the forces of evil, are some very positive trends that are convincing security architects to move to the new paradigm. Some of the most significant are the following:

1. Personal experience with residential broadband gateways. While
    the concept of performing multiple functions might be theoretically
    challenging, the fact is that many of us are using MSDs at home
    right now! Netgear, for example, makes a little device that
    incorporates firewall, intrusion detection, anti-virus and other
    functions into a $99 home gateway.
2. Acceptance of VLANs. Three years ago my company asked one of
    the largest banks in New England whether they would allow traffic
    segmentation by VLAN. "We'd rather chop off our own heads," they
    replied. Today, they have rolled out VLANs across the entire
    enterprise. Thus, the concept of virtual services in a single device
    doesn't seem quite so strange.
3. The rapid growth but irritating opacity of Virtual Private Networks.
    What, in the name of the king, is traveling across your VPN, sent
    there by compromised home laptops? Don't you want some kind
    of decontamination zone that checks for access, intrusion and
    malicious content?
4. The explosion of single-use appliances. Once upon a time, a small
    company named New Oak (a name of which the musketeers
    would certainly have approved!) built a VPN appliance around the
    same time Nokia started shipping their firewall appliances. In the
    intervening six years or so, there has been a hailstorm of 
    appliances. There are even appliances now that manage other
    appliances! Unfortunately, the network staff is not equipped to
    learn ten new appliances every year.
5. Patch management - even if your network staff did manage to
    learn ten new appliances (or even three), the complexity of patch
    management in the security world is a major hurdle. Threats, by
    their nature, are unpredictable. Consequently, the need for
    patches is going to be totally assured. Patching multiple different
    appliances alone will take more manpower than is available. 
6. Availability of new "content-aware" silicon. While the death of the 
    high tech market keeps being proclaimed, companies such as
    Broadcom, Cavium and Corrent continue to release interesting
    new hardware components that are able to move security
    functions into silicon. Put that silicon into the hands of capable
    systems companies like Crossbeam and you have simple, fast
    security platforms.
7. C'est l'economie, stupide (as Louis XIV might have said). It
    hardly bears repeating but doing more with less is paramount.
    Consolidation is in, coolness is out. If you can save significant
    operating expense while keeping up with security requirements,
    you can keep your job.

It should be royally clear by now that the forces for integration vastly outnumber the forces against. Interestingly, mid-market companies of 500 to 1000 employees may be the prime movers in this market. Why? They have fewer silos, less staff to spread across multiple functions and very compelling economic reasons to simplify all facets of IT. Still, larger companies are not sitting idly by since data center consolidation is forcing a rethinking of security architectures in general. One might even say a revolution is brewing.

Throop Wilder is co-founder and vice president of marketing for Crossbeam Systems, Inc.
