Security appliances do more

* QRadar manages security and monitors network traffic

Security appliances continue to evolve, adding more features with every iteration. The newest product from Q1 Labs, the QRadar Network Security Management, continues that tradition.

More than just a security firewall, "QRadar includes an intelligent engine pulling together information on traffic and security incidents and event correlation into one common alert system." So says Jason Knight, managing partner of The Broadleaf Group, a network services and security firm in Houston with an office in Dallas.

QRadar is promoted as a new breed of security appliance that includes some general network management, traffic analysis and policy enforcement tools. Threat assessment goes beyond comparing virus signatures to incoming files and includes network behavior monitoring for atypical actions that may indicate a security problem. Q1 calls this its "Judicial System Logic" technology.

I asked Knight if that inflated-sounding title was more than just marketing speak. "It's a bit of marketing," says Knight, "but there's more to it than that." Early network monitoring tools caused as many problems as they helped solve because alerts weren't intelligent, he says. One router dropping off the network meant hundreds or thousands of alerts, each one calling attention to one device on the far side of the router that could no longer be reached. Modern tools are smarter than that, and "QRadar does a good job of integrating security and network monitoring details into a decent Web interface."
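As an added illustration of the alert-correlation point Knight makes (not Q1 Labs or QRadar code), this Python script collapses a storm of "unreachable" alerts into the one upstream failure that explains them; the topology and the poller output are constructed, and every device name is hypothetical.

```python
"""Root-cause suppression for "host unreachable" alerts.
Added example, not Q1 Labs or QRadar code: topology and alert list are
constructed and every name is hypothetical."""

# Constructed topology: node -> device it is reached through
# (None means the poller reaches it directly).
UPSTREAM = {
    "rtr-dallas": None,
    "rtr-houston": None,
    "sw-dal-core": "rtr-dallas",
    "srv-dal-01": "sw-dal-core",
    "srv-dal-02": "sw-dal-core",
    "srv-dal-03": "rtr-dallas",
    "srv-hou-02": "rtr-houston",
}

# Constructed poller output: everything that failed its last check.
UNREACHABLE = ["srv-dal-01", "srv-dal-02", "sw-dal-core",
               "srv-dal-03", "rtr-dallas", "srv-hou-02"]


def correlate(unreachable, upstream=UPSTREAM):
    """Map each root-cause node to the downstream nodes it explains.

    A node is a root cause when nothing on its upstream path is also
    down; otherwise it is charged to its topmost unreachable ancestor,
    so one dead router yields one alert instead of hundreds. Nodes
    absent from the topology are treated as directly polled.
    """
    down = set(unreachable)
    roots = {}
    for node in sorted(down):
        root, parent = node, upstream.get(node)
        while parent is not None:
            if parent in down:
                root = parent  # keep climbing to find the topmost
            parent = upstream.get(parent)
        roots.setdefault(root, [])
        if root != node:
            roots[root].append(node)
    return roots


def render(roots):
    """One line per root-cause alert, downstream count included."""
    return [f"{r} unreachable ({len(kids)} downstream nodes suppressed)"
            for r, kids in sorted(roots.items())]


if __name__ == "__main__":
    print("\n".join(render(correlate(UNREACHABLE))))
```

With the constructed input, six raw alerts reduce to two: the Dallas router outage and one genuinely independent Houston host failure.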

As companies and networks grow, network management often takes a budget back seat to expansion. Knight regularly sees companies that have no idea what types of traffic soak up their bandwidth. Analysis with QRadar or another network traffic analysis tool may show, for example, that the majority of traffic consists of peer-to-peer, music or video packets.

"We just had a customer ready to upgrade a data link from a fractional DS3 to a full DS3 for a considerably higher cost," explains Knight. "After some analysis, we found that three quarters of their traffic was non-business related."

That's Knight being polite. "Non-business related" sounds like consultant speak for, "Mr. Executive, your network's full of personal files that may be illegal, competing for bandwidth against spyware and virus payloads." Why pay hundreds or thousands of dollars per month for data lines, then fill them up with garbage?

Knight's smallest customer is about 500 nodes on a widely distributed network managed by a small IT support team. Q1 Labs says a good system can be delivered and installed for around $37,000, a figure Knight felt reasonable. Although that sounds like far too much money to small companies, that just means they haven't yet priced high-end network analysis, security, and traffic monitoring tools. Big networks need big tools, and they come with a big price tag.

"When customers start looking at these types of products, this price range isn't a problem," says Knight. Smaller companies worry that a security problem can shut down their network, causing embarrassment and loss of revenue. Regulatory compliance issues drive many purchases, since companies must prove they have policies in place to prevent non-business traffic and protect data against malicious software of any kind. Sometimes the rules dictate you have products like Intrusion Protection Systems (IPS) to guard against outsiders and insiders.

What does Knight suggest to small and midsize businesses who need help with security and network monitoring? "Administrative overhead and resource requirements are a serious issue," he says. "You must understand the impact of a new product on the IT organization."

Remember the days when intrusion detection systems were all the rage? Many medium and large enterprises bought them without realizing how much time it took to comb through millions of logged events searching for anything wrong. Knight sees those products on the shelf at many companies. Paid for, yes, but installed and helping? No.

"If you don’t have staff onsite 24 hours per day, you need automated monitoring tools or a third party 24 hour monitoring service," Knight says. A watched pot may never boil, but an unwatched network often breaks.


Copyright © 2006 IDG Communications, Inc.