Security in a box

Related Links

Security hardware

What is it? A security appliance is dedicated hardware that runs security software. By reducing the load on servers, its integrated security software often improves network performance.

What does it cost? A small network firewall, including software and a year of updates, can cost less than $1,000. Spend between $3,000 and $5,000, and anti-spam and antivirus perimeter defense can be added for a small office.

Must-know info? The appliance can reduce server load, extending the server's life. Moreover, there may not be enough security management personnel to configure and manage standalone programs for a small network, so an integrated appliance may be the only viable solution. Ultimately, a single point of security can simplify support and help pinpoint vulnerabilities. But all of these appliances need regular updates to keep up with new threats.

Any drawbacks? With an appliance, there is a single point of failure for all perimeter security. Compromise that, and hackers can gain full access to the network. An appliance also is likely to have known, uniform configurations that can become a hacker target. If the appliance uses software from multiple vendors, there may be overlaps and gaps in security.

Blue Coat's proxy appliances protect small to enterprise networks.

Juniper provides firewalls as well as VPNs and intrusion detection devices.

Firewalls from 3Com range from $2,744 to about $19,000.

Plug-and-play appliance benefits outweigh the drawbacks

Greater security needs place a proportionally greater burden on agency IT managers. As a result, many are turning to security appliances for antivirus, anti-spam, intrusion detection and prevention, firewall policy enforcement, even content filtering. These all-in-one, nearly plug-and-play network devices can quickly deliver security functions.

But such appliances aren't only for the enterprise environment. Many small organizations are seeking scaled-to-fit versions of these appliances for the same reasons that enterprises like them: They don't necessarily require that an IT staff have advanced security skills to quickly protect the network.
Whether you use a single-function security appliance, such as a firewall or anti-spam filter or the combined tools of a new breed of all-in-one unified threat management appliances, you should know that all of these security functions could be handled with software loaded onto servers. This raises the question: Why consider another piece of network hardware?

There are several compelling benefits and one major drawback to be derived from deploying security appliances. First, putting security functions on a separate box can eliminate the buck-passing that often happens when a breach occurs but no one can pinpoint the weak link. We've all seen that: The vendor claims problems were caused by the operating system or hardware or a bad installation procedure or conflicts with other software.

When all you've done is plug in an appliance with its pre-installed software, it can help eliminate finger pointing and let you get to the bottom of things.

Second, installing an appliance is usually quick and painless. With a lot of these security appliances, everything is pre-loaded and pre-configured. Some offer basic appliances and plenty of options that can be added later.

Third, all-in-one appliances are attractive because most servers are already overloaded with ever-increasing user demands. At worst, adding dedicated hardware only slightly increases overhead. Often it reduces the demands on hardware. Moreover, many appliances include an automatic update capability, which is a great time-saver.

Facing the inevitable

So what's the downside? The biggest drawback of using a security appliance is committing your perimeter security defenses to a box that eventually will fail. Fortunately, many of them support clustering and failover capabilities, so the network stays protected. But that means that if you're shopping for an appliance, you're really shopping for two or more.
No matter how carefully you define threat management, having several vendors provide security tools typically leads to overlap and ongoing configuration headaches or worse: security gaps of which you may not even be aware. In response, the latest trend in security appliances is unified threat management, which combines those various security tools in one more or less integrated package.

Unified threat management may include firewall, antivirus, intrusion protection, content filtering and spam prevention tools. Some also include a router or wireless access point in the same hardware package. They potentially can simplify management chores and improve security by making certain every leak is plugged.

Having one product manage all security tasks makes things easier. Still, most unified threat management can rely on software from more than one vendor, so it's important to ask vendors how they've designed their products to limit any gaps and overlap that wastes resources.

Performance is another important consideration. Early unified threat management efforts made heavy processing demands that could bring a network connection to its knees.
Antivirus tools can be very slow, because a system can't properly scan incoming data packets without first caching them. Content filtering technology also can be resource greedy, depending on how it is configured and what its requirements are.

Combining all these tools in one place can produce a domino effect on processing delays, degrading overall performance. Therefore, the appliance must be robust, particularly when unified threat management functions will be rolled out gradually instead of all at once.

This buy-as-you-need-it approach can save money initially; just don't underestimate the hardware capacity based on initial performance, then try to later add other security software to the appliance.

John McCormick is a freelance writer and computer consultant. E-mail him at

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above.

What is your e-mail address?

My e-mail address is:

Do you have a password?

Forgot your password? Click here

Washington Technology Daily

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.


contracts DB