Blast writes "Appliances: breaking the server habit

By Irene Tham
April 5, 2004
MIS Asia
http://smh.com.au/articles/2004/04/05/1081017086089.html

Like the Slammer and MSBlast epidemics before it, the recent Mydoom e-mail worm sent organisations the message that security is more important than ever. And with more vendors offering more security products than ever, IT heads are spoiled for choice.


Among the weaponry: Firewalls to guard networks, applications and desktops; anti-virus software to protect gateways and desktops; virtual private networks (VPNs) for site-to-site encryption and remote access; and intrusion-detection systems for host servers and networks.

But a hot choice for many is the do-it-all box, the security appliance. These boxes combine firewall and VPN functions with intrusion detection, anti-virus protection and content filtering.

What are the pros and cons of using appliances instead of a security server? Richard Stiennon, a vice-president of research at research firm Gartner, says the performance of appliances surpasses that of the security software that is typically installed on generic machines.

Hardware solutions are purpose-built for security and are optimised for performance, he adds. And appliances come with adequate processing power for encryption acceleration.

McDonald’s Taiwan is one company in Asia that has taken the appliance route. The fast-food chain has bought SonicWall’s firewall and VPN appliance to secure remote access for 120 employees.

We get better system throughput from using appliances than from the software installed on common Windows servers, says Julian Huang, senior manager of information services at McDonald’s Taiwan.

The company used to rely on software for secure connections with McDonald’s offices overseas. It used to take about two minutes to transfer a 2MB file from server to server, Huang recalls. Data exchange was frequently interrupted by broken links. Since switching to the appliance, transmission time for a 2MB file has been reduced to about 40 seconds and connection problems have not resurfaced.

Less room for error
The benefits of using appliances include ease of installation, deployment and management. There is less room for human error in configuring the devices as IT managers can choose default settings, notes Natasha David, research manager for security infrastructure at research firm IDC. It’s easy to install and uninstall an appliance because the boxes are specified for plug and play.

Hong Kong Life Insurance opted for hardware when it upgraded its firewall in February 2003. “It is easier to upgrade your security systems when you deal with appliances,” explains technical manager Simon Chan. You just replace the old box with a new one. Preferred settings—such as user-access definitions, IP addresses and network configuration—can easily be exported to the new box.

When the company, which was set up by Hong Kong’s Wing Hang Bank and five other local lenders in 2001, upgraded to SonicWall 330 from SonicWall Pro software, the process was completed in only 10 minutes. We just powered up the box and it was ready to go, says Chan. If he had opted for software, he would have had to install a server operating system on a generic machine and then upload the firewall application. He would also have had to manually configure the system.

Eddy Gunawan, technical director of Speed Internet Digital, an Indonesian wireless-broadband service provider with 40 employees, says ease of management was his priority when he was choosing between a WatchGuard appliance and software for firewall protection and e-mail scanning in early 2003. He went for the appliance.

The trouble with software is the need to constantly download patches for the server operating system, says Gunawan. The IT team must test the OS fixes to make sure they don’t disrupt any critical applications. With appliances, however, you just need to manage one layer of application—for instance, update the security program with new virus definitions.

A cheaper option
Appliances can work out a cheaper option than software solutions. Gunawan says installing software on a Windows platform would have cost twice as much as putting in WatchGuard. This is partly because of per-user Windows server licence fees. The long-term cost of operating software on Windows would also surpass that of maintaining the appliance, Gunawan goes on, because we would have to subscribe to software-upgrade services.

In February last year, Hong Kong Life was looking for a solution to secure transactions with its 30,000 customers. Between SonicWall’s hardware bundled with a VPN application and Microsoft’s Internet Security & Acceleration (ISA) Server software, Chan chose SonicWall. The appliance was HK$32,000 (US$4,160) cheaper than the software—less than half the cost, he explains.

Chan warns, however, that no appliance can offer protection at the desktop level. For this reason, Hong Kong Life uses Symantec’s Norton anti-virus solutions to protect its desktop PCs.

At NTUC Income, a Singapore-based insurance co-operative with 1,200 office staff, CIO James Kang says he is wary of appliances. His firm uses a FortiGate appliance for firewall and virus protection at the network level, and Trend Micro’s firewall and anti-virus solutions to secure desktops and remote-access activities.

We have adopted a best-of-breed approach, because each vendor has its own strengths, explains Kang. It is almost impossible for all-in-one solutions to provide in-depth security coverage. His company employs both hardware and software, a strategy Kang says offers in-depth security at different levels: network, server, desktop and application.

For all their advantages, it seems, security appliances cannot yet be seen as silver bullets.

What appliances are good for and what they’re not
Cost. Security software is typically installed on server operating systems and additional server licence fees, based on user numbers, may inflate deployment costs. Appliances, on the other hand, are cheaper as companies pay for the boxes only.

Flexibility. Appliances are not as flexible as servers. You cannot reconfigure an appliance for some other function should needs change.

Upgrading. An appliance is optimised for performance because it runs on a resource-efficient operating system designed for a single purpose. But it cannot be upgraded with faster network cards or processors.

Stability. Windows operating systems require constant security and stability patching. Appliances run simple, robust operating systems that theoretically offer hackers fewer opportunities to break in. But appliances are not crash-proof, and may lack the advanced configuration modes of server-based security.

Limitations. No appliance can offer complete protection at the desktop level, the gateway for the two most common security threats: spam and viruses.

Software vendors catching the box bug
Corporate spending on security appliances in Asia Pacific (excluding Japan) grew almost 28 per cent to US$253 million in 2003, reports research firm IDC. Software spending increased only 19 per cent, but was still higher at US$584 million.

Box proponents say last year’s surge in hardware spending suggests that appliances are poised to become the security solution of choice for many Asian organisations.

Meanwhile, software vendors are developing more integrated approaches to network protection. Check Point Software Technologies, best known for its firewall software, made its first foray into appliances with the launch of the VPN-1 Edge in late 2003.

The device lets companies centrally manage secure connections with off-site employees. The vendor’s InterSpect internal security gateway, shipped last January, is aimed at defending local area networks from fast-moving worms.

Symantec, the anti-virus software maker, introduced its first line of appliances in early 2002.

The company’s Gateway Security 5400 appliance, launched in late 2003, has firewall, intrusion-detection, anti-virus, anti-spam and VPN capabilities, as well as management software for centralised control. "