Bob Violino
Contributing writer

Security made simple

Sep 29, 2003 | 5 mins
Intrusion Detection Software, Networking, Viruses

Security appliances are the latest rage, thanks to their easy deployment and high reliability.

Today’s security appliances perform so many necessary security functions, they are becoming irresistible to network executives. IDC reports that worldwide unit shipments of security appliances increased 17% in the first quarter of this year over the first quarter of 2002.

True, network executives still prefer the traditional software-on-server approach for their conventional needs – like the main corporate firewall. But they like appliances for their simplicity and convenience, particularly when securing small or home offices.

“What appliances have going for them is you can drop them into a network, configure them and you’re done,” says Laura Koetzle, a senior analyst at Forrester Research. “We see this in organizations that have a lot of branch offices, with people in the field who are not technical but need to have some sort of security. You can configure the appliance in the head office and ship it out to the remote office.”

Adds Charles Kolodgy, research director at IDC: “You don’t have to worry about patch levels on the systems, you don’t have to worry about interactions between software on another machine, and you don’t have to worry about buying an operating system. You just have to receive the box from the vendor.”

However, appliances have limitations. They aren’t as reconfigurable as software-based security applications. “Appliances can really only do what they’re designed to do,” Koetzle says. “If your needs change radically it’s tough to update appliances. If your needs are stable then appliances make total sense.”

Beyond firewalls

The earliest models mostly combined firewall and VPN functions, but today’s crop integrates a wider range, such as intrusion detection, anti-virus protection and content filtering. “Pretty much everything that you can do with software you can do with an appliance,” Kolodgy says.

As appliances’ capabilities have expanded, network executives have gained a path for adding new security protections to their networks. Mike Grimm, CIO at Seton, a Norristown, Pa., manufacturer of leather automotive products, uses Fortinet’s Fortigate 200 and 400 appliances for VPN, packet-level virus-scanning and firewall functions. He soon will use the products’ intrusion-detection capabilities as well, he says.

A sampling of security appliances
Fortinet, FortiGate 3600: Network-based anti-virus, Web content filtering, firewall, VPN and intrusion detection. About $30,000.
NetScreen Technologies, NetScreen-IDP: Intrusion-detection and -prevention device. NetScreen-IDP 10 is about $8,000; IDP 100 is about $16,500; IDP 500 is about $35,000.
Nokia Internet Communications, Nokia Secure Access System: Secure Sockets Layer VPN. From $3,500 to $12,000 for 10 connections, ranging up to $55,000 for 500 connections.
SonicWall, SOHO TZW: Integrated firewall and VPN for wireless environments. Available in base configuration supporting up to 25 users, with upgrades to 50 or unlimited users for $895.
Symantec, Gateway Security 5400 Series: Firewall, VPN, intrusion detection and prevention, anti-virus software and content filtering. Ranges from $4,000 to $51,300 based on model, functions and number of nodes used.

Seton is in the midst of an appliance rollout that began early this year, with plans to use appliances at 11 regional sites worldwide, Grimm says. All traffic going in or out of each facility passes through the devices. Grimm initially had concerns that the packet-level scanning might cause latency problems with data flow, but says his fears have proven unfounded.

By using the appliances’ VPN functions to secure remote offices, Seton will become less reliant on its frame relay network. Over time, Grimm will phase out frame altogether for these offices, saving the company an expected $12,000 a month in telecom costs, he says. The appliances cost about $50,000.

Plus, with multiple security functions executed by a single device, “less staff is needed to maintain security,” Grimm says. On the down side, “if you have a hardware failure you’re in trouble. We have had hardware appliances fail us in the past,” he says. To counter that, he has placed a second, redundant appliance at each site.

As for intrusion-detection, time will tell how well the appliances perform. Grimm does note that through the first seven months of use, Seton hasn’t suffered any major breaches such as viruses or hacker attacks.

Still, Seton also uses a few server-based security software applications, such as the virus scanning of its enterprise e-mail systems. Seton began using software from Trend Microsystems several years ago before the anti-virus appliances were available. Grimm feels that keeping it in place gives Seton multiple layers of protection for e-mail.

Questions for your security appliance vendors

What security standards does your box support?
In what ways is the appliance’s operating system hardened?
Under what circumstances will the appliance need to be updated with patches and how difficult is that process?
How compatible is the appliance with the rest of our IT infrastructure?
If we buy multiple devices, can we manage them as a pool rather than separately?

Protecting thousands

Raymond James Financial, a financial services company in St. Petersburg, Fla., also is using a combination of appliances and traditional security software. The company uses Linux-based appliances called V6 from VPN Dynamics, equipped with Check Point software for firewall/VPN and intrusion detection and prevention.

Raymond James has installed appliances at 50 of its locations worldwide and ultimately plans to deploy the devices at 2,000 to 3,000 offices, says Scott Loach, senior information security engineer. The appliances cost about $500 each, including hardware and software, Loach says, and are proving to be a cost-effective way to secure its widespread network of home offices and independent financial advisors’ environments – smaller facilities that are not covered by the corporate firewall.

Simplicity, centralized management and monitoring were among the key selling points for the appliances, Loach says. While he isn’t planning on tossing out the server-based Check Point software now used as the main corporate firewall at headquarters, Loach finds appliances equal the reliability of server-based software.

Analysts agree: Be it start-ups, niche players or mainstream security vendors, this is a highly competitive market that only will become more so as appliances’ popularity soars.

Violino is a freelance writer covering business and technology. He can be reached at