“Total Solution” Security Risky

Like the mosquitoes that relentlessly swarm across the 49th state every summer, plagues of viruses and hack attacks continuously assault the University of Alaska-Anchorage’s network. The school’s CIO, Richard Whitney, hates hackers as much as he hates insects that bite. That’s why, like a growing number of CIOs, he’s decided to take an aggressive, “Swiss Army knife” approach to network defense by installing an integrated security gateway (ISG). “We like the idea of [having] intrusion detection, firewalling and inbound virus detection in one box,” he says. “Most CIOs are in a position today where they’re being forced [by cost and convenience issues] to consider this [approach] really seriously.”

To help enterprises that are battling network threats on multiple fronts (worms to spam to application vulnerabilities) several hardware vendors are now offering ISGs that combine an arsenal of security capabilities?such as intrusion detection and prevention, virus scanning, spam blocking and Web content filtering?in a single box. Many integrated products also incorporate a firewall and VPN support.

For many CIOs, the technology’s biggest drawing card is its cost. A single box is generally less expensive than an amalgamation of dedicated security appliances. ISG vendors also tout enhanced performance. A single ISG is less likely to create a network bottleneck than an array of standalone hardware and software products. Other looked-for and promised benefits include simplified security management from a single interface and enhanced network protection, as a properly designed ISG should be less vulnerable to security gaps than an ad hoc collection of boxes and software.

The Case for Integrated Packages

“ISGs are a trend that’s been gathering steam over the last three or four years,” says Phil Schacter, vice president and service director of the directory and security strategies service for IT research firm the Burton Group. “Multifunction security appliances are definitely a growth market.” The field’s major vendors now include BorderWare Technologies, Fortinet, Inkra Networks and Internet Security Systems. Other important players are CipherTrust, Mirapoint, NetScreen Technologies and Symantec. ISG prices range from about $10,000 to $50,000, depending on a product’s functions and performance level. Such prices can be tempting to budget-conscious CIOs, as a standalone entry-level hardware firewall and VPN box can run anywhere from $3,000 to $10,000.

ISG vendors are also taking advantage of the fact that CIOs now view security as a multifaceted strategic issue?for instance, when weak spam filters can also make a network more vulnerable to virus attacks?rather than a series of isolated problems. This trend is motivating many CIOs to turn away from dedicated security boxes and software tools and move toward integrated products.

ISGs have the potential to perform better than either dedicated security devices or software-based security tools. “There’s a problem if you have to put several of these products in series, just chaining traffic through them,” says Schacter. “There’s a problem maintaining appropriate throughput speeds and in the complexity of having multiple products processing traffic all in a relatively short period of time.” Additionally, and unlike software-based security products, ISGs don’t rob servers or clients of their CPU power. “Security can’t be the choke point of your throughput,” says Jason Wright, a security industry analyst at technology research firm Frost & Sullivan. “It gets to be that way by trying to scan every packet of information, apply the rules to it and then pass it along.”

Not All Boxes Are Alike

While all ISGs offer multiple protection capabilities, specific functionality varies greatly between products. Internet Security Systems’ Proventia device, for example, has a full complement of network security capabilities, including VPN, firewall, antivirus, intrusion detection and prevention, and content and spam filtering. Other systems, particularly those that are e-mail oriented (see “E-Mail Alert!” this page), provide fewer features. Mirapoint’s Message Director model, for example, focuses on virus and spam threats.

Many vendors are also beginning to equip their products with at least some form of intramodule communication, a feature that allows ISG components to collaborate to provide a unified security defense and enhanced performance. Intramodule communication allows an ISG to take information collected by one component and apply it to another. An intrusion detection component that detects unusual e-mail behavior, for example, could automatically tweak the spam filter to block a suspicious flow of incoming junk mail.

Fortinet, for example, includes a cross-module “policy engine” that allows the firewall, VPN, intrusion detection and antivirus modules in its FortiGate ISGs to share data. “This allows for maximum efficiency, so the [ISG] only has to inspect a packet once,” says company spokesman Mike Haro.

Faster Detection

For University of Alaska’s Whitney, the decision to acquire and deploy an ISG was easy. On the virus front, more than 20,000 network users required faster and better-administered protection than individually installed virus scanners on clients could provide. Whitney also wanted to add fast intrusion detection and prevention capabilities to his network.

“In spring 2002, we began looking carefully at system and network security, and looked at individual firewalls, intrusion detection systems and so on,” says Whitney. He chose a Symantec 5300 Gateway Security Appliance, a $40,000 unit that features firewall, antivirus, intrusion detection, content filtering and VPN capabilities. Whitney felt that the product offered the best performance and function mix for the price. “I didn’t do any [total cost of ownership] comparisons between solutions, but in the end we were impressed by the single-product architecture, ease of use and implementation, and the fact that our already overworked systems engineer could administer the gateway with little additional overhead,” he says.

With nearly two years’ worth of experience under his belt, Whitney believes his ISG “continues to do what we’re expecting of it.” Focusing functions at a single point has simplified his network management chores and enhanced overall security. “Had we not had this [unit] in place, our limited staff would be running all over the place,” he says. “Things would be fairly unmanageable, particularly for our primary enterprise-class servers. You can’t operate an enterprise without a tool like this.”

ISG deployment can also boost an enterprise’s bottom line. Illinois Tool Works, an industrial components and systems manufacturer, is using Mirapoint’s Message Director ISG to combat spam and viruses. Gary Anton, the company’s vice president of strategic sourcing, estimates that in 2003, with 5,000 users connected, the product provided a 26 percent ROI, the result of migrating users off of licensed software for virus scanning and Web and e-mail filtering.Taking into account recurring software support and license fees, Anton predicts the product’s ROI will rocket to 118 percent in 2004, 177 percent in 2005 and 213 percent in 2006.

Trade-Offs, Downsides and Traps

As ISGs join the enterprise, however, CIOs are discovering that the technology’s strengths generate their own set of problems.

“There’s definitely less management work required [with an ISG], but it also means you give up some level of your own control,” says John Pescatore, an Internet security analyst for Gartner. Frost & Sullivan’s Wright agrees: “There are fewer knobs to tweak and fine-tune, so you may not be able to get it as perfectly in sync with the network traffic.”

Another mixed blessing is an ISG’s ability to consolidate network security to a single point. Besides providing simplicity, consolidation can also make a network more vulnerable to a sudden, unexpected failure. “If the power supply fails, for example, it could take out four different functions,” notes Pescatore. “One definitely has to look for redundancy and think through the availability issues.”

Deploying an ISG doesn’t necessarily remove the need for maintaining a multilayer security infrastructure. “When you try to put everything on one box on the [network] perimeter, if [a hacker] gets past that box, he’s in,” says Wright. “Unless you have other technology on your host, servers or desktops, you could lose the capabilities of having multiple security technology.” That’s why many enterprises, even after adopting ISG technology, still choose to protect networks at key points.

“This move to a multifunction security appliance doesn’t mean we’ve eliminated the strategy of having zones where we have two discrete firewalls in place,” says Burton Group’s Schacter. On the other hand, beyond securing network entry points, most ISG functions don’t benefit from duplication. “Like the process of scanning for a virus, this doesn’t benefit from being done in two boxes rather than one,” he says.

By concentrating key security functions in a single box, ISG adopters also give up a significant amount of flexibility, specifically the ability to cherry-pick the best security technologies from multiple vendors. Since no CIO wants to embrace mediocrity, ISG vendors are beginning to offer products that include one or more category-leading security functions. “Just because these combinations are occurring to save costs doesn’t mean that enterprises will be abandoning best-of-breed,” says Pescatore. “For years to come, [CIOs] will want at least one of the functions in these combined gateways to be considered best-of-breed by its own right.”

Finally, like many dedicated security boxes, ISG performance is typically boosted through the use of application specific integrated circuits (ASICs), chips that are “hard-wired” to process specific tasks. But ASICs are “expensive, and you can’t change them, so there are upgrade issues,” notes Wright. Dedicated ASIC-powered security devices also present upgrade problems, and ISG owners may face the need for more frequent upgrades since ISGs provide multiple functions, each one vulnerable to obsolescence.

Picking Performance

The top priority for a CIO choosing an ISG is finding a product that includes all of the features he needs for complete network protection. Yet performance is at least as important a consideration as functionality. After nearly two years, Whitney is already planning to replace his Symantec 5300?which has a 100Mbps top data transfer rate?with a speedier model. “We just upgraded our network to gigabit, so this is going to be an issue for us, probably within the next six months,” he says.

Speed is essential. “When security solutions slow down the network, people generally find ways around the security solution,” notes Gartner’s Pescatore. To guarantee performance and avoid potential operability headaches, Pescatore advises CIOs to stick with certified ISGs. “The [certification] most enterprises are looking for is called Common Criteria certification?it’s done by government-approved test labs,” he says.

Despite the technology’s growing pains, ISGs are expected to become the enterprise norm during the next few years, pushing aside dedicated security appliances. “I think that in three or four years they will be mainstream,” says Schacter. Pescatore believes that ISGs are reshaping the security market, leading to the emergence of a basic network security appliance. “The markets themselves are combining, collapsing into one market,” he says. “We’re just calling this The Next-Generation Firewall.”