Multi-function boxes take off

Individual job-specific security devices have fans, but days might be numbered.
By Tim Greene, Network World, 06/13/2005

As the number of security technologies grows - firewall, anti-virus, content filtering, intrusion detection and others - some vendors suggest it makes sense to load all these platforms on a single device to save capital and operational costs, and perhaps even to improve security.

The flip side is that these boxes might represent a single point of failure in the network and that the individual security functions might not represent the best in their category.

Nevertheless, more vendors are offering products in this category, with recent additions ranging from network leader Cisco to start-up NetworkD. Other vendors include Crossbeam, Fortinet, Juniper, SonicWall, Symantec, Secure Computing and ServGate. A recent IDC study expects even more vendors to enter this market, which is expected to boom over the next few years. In 2003, the total sales in this category were $105 million, according to IDC, but that is expected to grow to $3.5 billion by 2008. Sales of multi-function platforms will cut into the revenues that today go to firewall/VPN appliances, IDC says.

This growth is in part because these multi-function products, which in many cases grew out of firewall technologies, are maturing and overcoming some of the shortcomings they may have had earlier, experts say. For instance, some suffered performance hits when all security platforms were turned on, says Zeus Kerravala, an analyst with The Yankee Group. "They didn't scale very well because they were a firewall, and they added other security to it later. But now they have a lot of processing power to handle all functions," he says.

Rampant skepticism?

Despite efforts by vendors to deal with shortcomings, end users are still skeptical, according to a poll of 653 IT managers from businesses with at least 1,000 employees. Fewer than one in five prefer the stand-alone, multi-function security devices; most of them prefer multiple, single-function appliances, according to an unpublished study by Forrester Research.

"That's mostly because of the immaturity of the all-in-one type devices," says Rob Whiteley, an analyst with Forrester. "What's been out there really didn't have sufficient horsepower to handle all-in-one. It defeats the purpose of security if your box fails and thus is more of a risk than it ever was."

For this reason, Summit Information Systems in Corvallis, Ore., dropped a Nokia IP440 firewall/VPN/intrusion-protection platform, says Ken Pearson, network manager for the firm. "I had an instance where we were running [multiple functions] on the same platform and it flat ran out of horsepower. I had to split the functions to keep up," he says. The company now uses separate firewall, intrusion-detection and intrusion-prevention platforms. "It's a bit more trouble, but it's worth it."

Provell, a marketing firm in Minneapolis, agrees that many individual devices are preferable, but not because of performance slowdowns. It uses multiple systems to backstop each other, says William Wells, the company's technical support manager.

For instance, Provell's Internet router blocks certain ports, and its firewall is configured to block the same ones. "I've always taken the approach that anything coming in from outside should pass through at least two distinct security systems which use different approaches and complementary rules. While both may block or allow the same ports, they do so in a different manner," Wells says.

Not everyone feels the same way. "The probability of human error is geometrically higher with a bunch of single function boxes," says Roger O'Daniel, a network and security consultant also in Minneapolis.
