Security appliances

Outside the IT industry an appliance is defined as a device designed to perform a single function. Security appliances promise the same plug-it-in-and-forget simplicity. The idea? To provide simple-to-deploy, easy-to-understand and cheap-to-operate security devices that sit at the edge of your network and stand guard over your vulnerable digital assets.

Is protecting my network really that simple?

Of course not. As is so often the case in the IT industry, the original definition is stretched to the maximum. Security appliances come in a range of shapes, sizes and functionality that seems designed to bewilder and confuse, and most of them bear little resemblance to the original idea of a single box designed to tackle a single task.

Vendor offerings include all-in-one multifunction devices sold under the UTM (unified threat management) banner; boxes designed to perform a single task, such as email or web access monitoring, but which can be upgraded with other functions; and single-function devices which cannot be upgraded or modified.

What exactly do they do?

Depending on what you need, you can get security appliance products which will address all or some of the following: intrusion detection; viruses; trojans; worms; inappropriate web use; email security; webmail security; spam blocking and spyware.

What exactly do you need to do?

What you are concerned with and what they are trying to sell you won't always match. If you are concerned about enforcing HR policies to stop your staff either pursuing their vices through your internet connection or spending the firm's time sending hilarious composite pictures of footballers in dresses, then you want an appliance that will monitor inbound and outbound email and clean content before it reaches your network.

This will not only keep the staff from being distracted but will also conserve network bandwidth for actual work.

Even if you fully trust your hard-working staff and have no need to monitor their emails for inappropriate content, you will almost certainly want to keep your client machines free of viruses, Trojans, worms and other malicious objects. Your classic anti-virus appliance will handle this: a firewall-type device that sits on your network and monitors for malicious code. So again, exactly what you want to achieve will dictate which is the best model for your needs. You may not need a high-end appliance that offers stateful inspection (buzz phrase courtesy of Checkpoint), nor need to deploy what Cisco calls a Self-Defending Network, but you will need an appliance that inspects traffic and filters out all the nasties that weirdos get a kick out of sharing.

How much are all of these devices going to cost me?

Prices for security appliances vary widely, from a few hundred pounds for devices targeted at small to medium-sized businesses to several thousand for enterprise-level boxes. The obvious differences are processing power and traffic capacity, scalability in terms of number of users, automated functions, quality of service and speed: the more money you spend, the larger the network it can be installed on.

Then there are the dreaded subscription fees. Rather like a dishwasher that constantly needs topping up with salt and rinse aid, security appliances will often require monthly or annual fees to keep them up to date with the latest virus and threat definition databases. Like all subscriptions, the devil is in the detail: these can be charged per user, per processor or per server. Some vendors also charge virtual private network (VPN) subscription fees. Don't forget to factor these into your total cost of ownership (TCO) calculations.

Who are the main players?

The big players in the security appliance market are Cisco, Checkpoint, Juniper, Symantec and Nokia, but there is a whole raft of smaller specialist players hanging on their coattails, such as Barracuda Networks, Sonicwall, Equiinet, Arkoon, Fortinet and Watchguard.

What are the different types of appliance?

There are four architectures around which appliance vendors build their products, and it pays to know your onions before spending big bucks, as some types are more restrictive than others:

Application-specific integrated circuit (ASIC) - These generally have a specialized function and tend not to be designed to accommodate upgrades. Their lack of flexibility is made up for by their relatively low cost.

Field-programmable gate array (FPGA) - Often a little below ASIC machines in terms of performance, and more expensive, FPGA machines are more flexible and adaptable. Signatures and other functions can be tuned and changed easily post-deployment.

Specialized processors - Appliances based on network processors or cryptographic processors are designed to handle a broad range of functions.

General-purpose appliances - These appliances are generally made by security software vendors, who deploy their software on top of fairly basic hardware, often based on Linux. While lacking the power and speed of the other three categories, these appliances can be customised and are easy to upgrade.

If high performance and low cost are top priority, then an ASIC-based product makes sense. But if you think you'll want to take advantage of the next generation of features, you'd better resign yourself to buying a new appliance in a couple of years.

Key questions to ask your vendor

Before you invest in an appliance there are numerous technology issues to consider and questions you should be asking your vendor:

  • Does your box offer application-layer security? In email security, application-layer security allows the packets passing between the server and the client to be examined for executable files, malicious Java applets and so on.
  • How many users does the appliance support? Capacity ranges from the low tens to many thousands. Don't pay for overcapacity.
  • What are the system requirements?
  • What are the connectivity speeds? Multi-gigabit is a must, and some vendors are quiet about this. You don't want to create a network bottleneck.
  • How many Virtual Private Network (VPN) tunnels are supported? A VPN protects data by encrypting or encapsulating it before sending it over public networks such as the internet. The number of tunnels supported by your appliance will determine how many users can connect across the network simultaneously.
  • What network interfaces are supported? Ethernet? TCP/IP? In other words, will it run on your network?
  • How many ports does it have? How many LAN connection slots does it have? How many networks do you want to connect it to? Does it have an optional slot for wireless connection?
  • Does it perform outbound and inbound email monitoring?
  • What is the firewall throughput (filter flow rate)? Another potential bottleneck: 108 MBPS is an average low-end figure, rising to multi-gigabit filtering at the high end. You don't want lots of traffic backing up.
  • Does it have remote management capabilities? Can I manage it across the network? How is this done: command line or HTTP interface?
  • Does it have any wireless capabilities? Do you have a wireless network? Does it have a built-in wireless router? Will it connect directly to a wireless router?
  • Does it offer threat rating? Some appliances assign a threat rating to the packets they inspect. You don't want to lose valuable data because it has been wrongly categorised.
  • What protocols does it support? SMTP, to protect email traffic? HTTP, to protect web surfing/browsing? FTP, to protect file downloads? POP3, to protect users accessing web-based email accounts?
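As an added illustration (not from the original article or any vendor's product), here is what the application-layer email check in the first question above amounts to in practice: a small Python scanner that walks the MIME parts of a message and flags executable content by its leading magic bytes rather than by the file name the sender chose, which is precisely what packet-level filtering cannot do. The sample message, magic-byte table and extension list are all constructed for the example.

```python
import email
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Magic-byte prefixes that betray executable content whatever the file is
# called.  Constructed, deliberately short list for illustration.
MAGIC = {
    b"MZ": "windows-executable",        # DOS/PE header
    b"\x7fELF": "elf-executable",
    b"\xca\xfe\xba\xbe": "java-class",  # compiled Java applet/class
}
RISKY_EXT = (".exe", ".scr", ".class", ".jar", ".js", ".vbs")


def classify(payload: bytes):
    """Label executable content by its leading bytes; None if nothing matches."""
    for prefix, label in MAGIC.items():
        if payload.startswith(prefix):
            return label
    return None


def scan_message(raw: bytes) -> list:
    """Walk every MIME part of a raw message and report executable attachments,
    whether given away by their bytes or merely by a risky file extension."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container part, no payload of its own
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""  # undoes base64/QP
        label = classify(payload)
        if label or name.endswith(RISKY_EXT):
            findings.append({"filename": name, "magic": label})
    return findings


def build_sample() -> bytes:
    """Constructed message: a benign text body plus a PE stub named as a PDF."""
    msg = MIMEMultipart()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Quarterly report"
    msg.attach(MIMEText("Please see attached.", "plain"))
    # MIMEApplication base64-encodes the bytes; Name= sets the file name.
    msg.attach(MIMEApplication(b"MZ\x90\x00" + b"\x00" * 29, Name="report.pdf"))
    return msg.as_bytes()
```

Running `scan_message(build_sample())` reports the "report.pdf" attachment as a Windows executable because the base64-decoded payload starts with the MZ header, even though nothing about the file name or declared type gives it away.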

Other questions you may want to consider before you buy

  • Does the security appliance have one particular strength and a series of add-ons?
  • Is there a risk that an appliance will introduce a single point of failure on the network?
  • Appliances are supposed to offer a reduced management overhead and less complexity, but can this be easily quantified?
  • Appliances are good at securing your network's perimeter, but what about inside the perimeter?
  • What is my security policy and how does this appliance fit with it?