Like the mosquitoes that relentlessly swarm across the 49th state every summer, plagues of viruses and hack attacks continuously assault the University of Alaska-Anchorage\u2019s network. The school\u2019s CIO, Richard Whitney, hates hackers as much as he hates insects that bite. That\u2019s why, like a growing number of CIOs, he\u2019s decided to take an aggressive, "Swiss Army knife" approach to network defense by installing an integrated security gateway (ISG). "We like the idea of [having] intrusion detection, firewalling and inbound virus detection in one box," he says. "Most CIOs are in a position today where they\u2019re being forced [by cost and convenience issues] to consider this [approach] really seriously."To help enterprises that are battling network threats on multiple fronts (worms to spam to application vulnerabilities) several hardware vendors are now offering ISGs that combine an arsenal of security capabilities?such as intrusion detection and prevention, virus scanning, spam blocking and Web content filtering?in a single box. Many integrated products also incorporate a firewall and VPN support.For many CIOs, the technology\u2019s biggest drawing card is its cost. A single box is generally less expensive than an amalgamation of dedicated security appliances. ISG vendors also tout enhanced performance. A single ISG is less likely to create a network bottleneck than an array of standalone hardware and software products. Other looked-for and promised benefits include simplified security management from a single interface and enhanced network protection, as a properly designed ISG should be less vulnerable to security gaps than an ad hoc collection of boxes and software.The Case for Integrated Packages"ISGs are a trend that\u2019s been gathering steam over the last three or four years," says Phil Schacter, vice president and service director of the directory and security strategies service for IT research firm the Burton Group. "Multifunction security appliances are definitely a growth market." The field\u2019s major vendors now include BorderWare Technologies, Fortinet, Inkra Networks and Internet Security Systems. Other important players are CipherTrust, Mirapoint, NetScreen Technologies and Symantec. ISG prices range from about $10,000 to $50,000, depending on a product\u2019s functions and performance level. Such prices can be tempting to budget-conscious CIOs, as a standalone entry-level hardware firewall and VPN box can run anywhere from $3,000 to $10,000.ISG vendors are also taking advantage of the fact that CIOs now view security as a multifaceted strategic issue?for instance, when weak spam filters can also make a network more vulnerable to virus attacks?rather than a series of isolated problems. This trend is motivating many CIOs to turn away from dedicated security boxes and software tools and move toward integrated products. ISGs have the potential to perform better than either dedicated security devices or software-based security tools. "There\u2019s a problem if you have to put several of these products in series, just chaining traffic through them," says Schacter. "There\u2019s a problem maintaining appropriate throughput speeds and in the complexity of having multiple products processing traffic all in a relatively short period of time." Additionally, and unlike software-based security products, ISGs don\u2019t rob servers or clients of their CPU power. "Security can\u2019t be the choke point of your throughput," says Jason Wright, a security industry analyst at technology research firm Frost & Sullivan. "It gets to be that way by trying to scan every packet of information, apply the rules to it and then pass it along."Not All Boxes Are AlikeWhile all ISGs offer multiple protection capabilities, specific functionality varies greatly between products. Internet Security Systems\u2019 Proventia device, for example, has a full complement of network security capabilities, including VPN, firewall, antivirus, intrusion detection and prevention, and content and spam filtering. Other systems, particularly those that are e-mail oriented (see "E-Mail Alert!" this page), provide fewer features. Mirapoint\u2019s Message Director model, for example, focuses on virus and spam threats.Many vendors are also beginning to equip their products with at least some form of intramodule communication, a feature that allows ISG components to collaborate to provide a unified security defense and enhanced performance. Intramodule communication allows an ISG to take information collected by one component and apply it to another. An intrusion detection component that detects unusual e-mail behavior, for example, could automatically tweak the spam filter to block a suspicious flow of incoming junk mail.Fortinet, for example, includes a cross-module "policy engine" that allows the firewall, VPN, intrusion detection and antivirus modules in its FortiGate ISGs to share data. "This allows for maximum efficiency, so the [ISG] only has to inspect a packet once," says company spokesman Mike Haro. Faster DetectionFor University of Alaska\u2019s Whitney, the decision to acquire and deploy an ISG was easy. On the virus front, more than 20,000 network users required faster and better-administered protection than individually installed virus scanners on clients could provide. Whitney also wanted to add fast intrusion detection and prevention capabilities to his network."In spring 2002, we began looking carefully at system and network security, and looked at individual firewalls, intrusion detection systems and so on," says Whitney. He chose a Symantec 5300 Gateway Security Appliance, a $40,000 unit that features firewall, antivirus, intrusion detection, content filtering and VPN capabilities. Whitney felt that the product offered the best performance and function mix for the price. "I didn\u2019t do any [total cost of ownership] comparisons between solutions, but in the end we were impressed by the single-product architecture, ease of use and implementation, and the fact that our already overworked systems engineer could administer the gateway with little additional overhead," he says.With nearly two years\u2019 worth of experience under his belt, Whitney believes his ISG "continues to do what we\u2019re expecting of it." Focusing functions at a single point has simplified his network management chores and enhanced overall security. "Had we not had this [unit] in place, our limited staff would be running all over the place," he says. "Things would be fairly unmanageable, particularly for our primary enterprise-class servers. You can\u2019t operate an enterprise without a tool like this."ISG deployment can also boost an enterprise\u2019s bottom line. Illinois Tool Works, an industrial components and systems manufacturer, is using Mirapoint\u2019s Message Director ISG to combat spam and viruses. Gary Anton, the company\u2019s vice president of strategic sourcing, estimates that in 2003, with 5,000 users connected, the product provided a 26 percent ROI, the result of migrating users off of licensed software for virus scanning and Web and e-mail filtering.Taking into account recurring software support and license fees, Anton predicts the product\u2019s ROI will rocket to 118 percent in 2004, 177 percent in 2005 and 213 percent in 2006. Trade-Offs, Downsides and TrapsAs ISGs join the enterprise, however, CIOs are discovering that the technology\u2019s strengths generate their own set of problems."There\u2019s definitely less management work required [with an ISG], but it also means you give up some level of your own control," says John Pescatore, an Internet security analyst for Gartner. Frost & Sullivan\u2019s Wright agrees: "There are fewer knobs to tweak and fine-tune, so you may not be able to get it as perfectly in sync with the network traffic."Another mixed blessing is an ISG\u2019s ability to consolidate network security to a single point. Besides providing simplicity, consolidation can also make a network more vulnerable to a sudden, unexpected failure. "If the power supply fails, for example, it could take out four different functions," notes Pescatore. "One definitely has to look for redundancy and think through the availability issues." Deploying an ISG doesn\u2019t necessarily remove the need for maintaining a multilayer security infrastructure. "When you try to put everything on one box on the [network] perimeter, if [a hacker] gets past that box, he\u2019s in," says Wright. "Unless you have other technology on your host, servers or desktops, you could lose the capabilities of having multiple security technology." That\u2019s why many enterprises, even after adopting ISG technology, still choose to protect networks at key points. "This move to a multifunction security appliance doesn\u2019t mean we\u2019ve eliminated the strategy of having zones where we have two discrete firewalls in place," says Burton Group\u2019s Schacter. On the other hand, beyond securing network entry points, most ISG functions don\u2019t benefit from duplication. "Like the process of scanning for a virus, this doesn\u2019t benefit from being done in two boxes rather than one," he says.By concentrating key security functions in a single box, ISG adopters also give up a significant amount of flexibility, specifically the ability to cherry-pick the best security technologies from multiple vendors. Since no CIO wants to embrace mediocrity, ISG vendors are beginning to offer products that include one or more category-leading security functions. "Just because these combinations are occurring to save costs doesn\u2019t mean that enterprises will be abandoning best-of-breed," says Pescatore. "For years to come, [CIOs] will want at least one of the functions in these combined gateways to be considered best-of-breed by its own right."Finally, like many dedicated security boxes, ISG performance is typically boosted through the use of application specific integrated circuits (ASICs), chips that are "hard-wired" to process specific tasks. But ASICs are "expensive, and you can\u2019t change them, so there are upgrade issues," notes Wright. Dedicated ASIC-powered security devices also present upgrade problems, and ISG owners may face the need for more frequent upgrades since ISGs provide multiple functions, each one vulnerable to obsolescence. Picking PerformanceThe top priority for a CIO choosing an ISG is finding a product that includes all of the features he needs for complete network protection. Yet performance is at least as important a consideration as functionality. After nearly two years, Whitney is already planning to replace his Symantec 5300?which has a 100Mbps top data transfer rate?with a speedier model. "We just upgraded our network to gigabit, so this is going to be an issue for us, probably within the next six months," he says.Speed is essential. "When security solutions slow down the network, people generally find ways around the security solution," notes Gartner\u2019s Pescatore. To guarantee performance and avoid potential operability headaches, Pescatore advises CIOs to stick with certified ISGs. "The [certification] most enterprises are looking for is called Common Criteria certification?it\u2019s done by government-approved test labs," he says.Despite the technology\u2019s growing pains, ISGs are expected to become the enterprise norm during the next few years, pushing aside dedicated security appliances. "I think that in three or four years they will be mainstream," says Schacter. Pescatore believes that ISGs are reshaping the security market, leading to the emergence of a basic network security appliance. "The markets themselves are combining, collapsing into one market," he says. "We\u2019re just calling this The Next-Generation Firewall."