All-in-one boxes eliminate branch office hidden costs

Juniper last week jumped into the intriguing market for all-in-one branch-office products with its Secure Services Gateway (SSG) 500 Series appliance. This product, like others in this space, combines security and routing functions in a single physical device—eliminating the need to install and manage multiple devices.

The space, defined as unified threat management (UTM) or services gateway and preceded by multi-function routers, is piquing the interest of IT decision-makers.

Why? Some key organizational and IT trends are forcing staffs to pay close attention to the branch office infrastructure. Roughly nine out of 10 employees work away from headquarters, and applications, servers, and networking gear are being consolidated in the data centers.

For a greenfield site, all-in-one devices make perfect sense. The cost, typically between $5,000 and $12,000, depending on size, is lower than the collective cost of buying each of the functions (routing, firewall, anti-virus, intrusion prevention, Web filtering) in a separate box.

But even for existing sites, in which multiple boxes already reside, the all-in-one boxes may make financial sense.

Where are the key costs and savings?

* Initial capital purchase. If it’s a greenfield site, the initial capital costs of an all-in-one box will be less than buying each function separately. With an existing site, the initial capital cost will be an extra cost, unless it’s time to replace some of the gear.

* Installation. We’ve found that implementing an all-in-one box typically takes six hours (including programming and testing). Stand-alone products typically take four hours each. So once you hit two boxes, you’ve typically gotten payback on the installation time. With an existing site, that six hours is an extra cost. At $40 an hour, the installation would cost $240, compared to $160 for a stand-alone product. Multiply that stand-alone product by six (the average number of networking/security devices at the branch), and the total climbs to $960 per location.

* Ongoing management/maintenance. The amount of time spent on management/maintenance for a single box typically is lower than for individual products because a single vendor is responsible for providing the updates, so staff don’t have to coordinate efforts with multiple vendors. Savings here can make up for the extra capital and installation costs of an existing site.

* Downtime/troubleshooting. One box with one set of connections, rather than multiple boxes with multiple connections, lessens the chance of a physical circuit/line problem. In some cases, these products (such as that from Net Devices) separate the management plane from the delivery architecture, so if there is an outage, a central IT staff can still access the device management to troubleshoot and repair the problem. Meanwhile, if one function of the box is down, the rest shouldn’t be affected.

* Fall-out from security breach. Many branch offices lack necessary security features because organizations can’t afford to buy, install, and manage the various products at multiple branch offices. All-in-one boxes make it more affordable to get the functions into the organization to avoid the productivity loss and potential liability costs of a breach.

* Bandwidth savings. Filter peer-to-peer Web traffic at branch offices, and bandwidth requirements will drop.

So what’s the downside to these products? My main concern, ironically, is the main benefit: You’re using the same vendor for multiple functions. That’s great, but it also means that you may not be getting best-of-breed for certain functions within the box.

What would be even more interesting is if a vendor developed an intelligent, open architecture/framework upon which best-of-breed functions would co-exist. That truly would be combining the best of both worlds.