All-In-One Security Appliances

Deployment Differences

There are several factors to consider before buying an all-in-one security appliance. The first is the deployment model--whether the appliance must be deployed inline with protected services or can be deployed in a one-armed, or proxy, configuration. The inline model may be simpler from a network architecture viewpoint, but it introduces the appliance as a single point of failure, which for many organizations means the added expense of two units deployed in automatic failover mode.

The proxy configuration is more work for the network administrator because the security appliance's address must be given as the target for all the protected data types (like Web or e-mail). A device failure will not shut down the network, but there are limitations to the methods the appliance uses to inspect individual packets and firewall configuration requirements that allow packets to reach the appliance (in the case of a separate firewall). Only traffic of the type(s) being filtered can flow through the all-in-one device, lest clients gain the ability to bypass security scanning through the use of other protocol and traffic combinations.

All-in-one security appliances feature, by definition, deep packet inspection in which the packet contents up to and including the application layer are examined for rule violation. The device's performance, regardless of configuration, depends at least in part on how many packets the unit must examine around each suspect packet in order to determine a course of action. Both inline and proxy configurations can allow the device to see a string of packets, and either may use a store-and-forward technology to ensure that preceding packets are available after a suspect packet is identified.

The more difficult situation arises if intrusion-detection or -prevention system functions are part of the appliance's application suite. Both IDS and IPS may require packets from traffic in both locations on the network to determine whether a rule has been transgressed and, in the case of IPS, the ability to reset, block or rate-limit the connection depending on the inspection results. Appliances with included IDS and IPS functionality may offer both inline and proxy deployment options, but with varying capabilities. Make sure the functions you need are available in the deployment model you choose.

The number of functions applied to the data stream will affect the appliance's performance. Differing levels of functionality may be forced by the deployment model, or you may choose to turn on only some of the available functions through configuration switches or simple license-key purchases. You may already have devices in place to handle certain functions, or perhaps you want to bring functions online one at a time. The more functions brought online, and the more rules you apply to the data stream using each function, the greater the load on the appliance's processor.

Substantial performance variation is attributable to the number of processors an appliance has: Does it have a separate processor or custom silicon for each function, or is it asking a single multipurpose CPU to handle everything? The answer can be increasingly critical as more protocols are examined, since (especially in an online deployment) slower appliance performance can mean greater slowdowns in network performance for all your users. More complex functions, such as anti-malware scanning, add processing overhead, while simple yes/no decisions based on protocol and address information (like those found in most firewall functions) are typically more limited in their performance impact.

Keep Up With the Bad Guys

To adapt the appliance's performance to fit your needs and update its capabilities to meet new threats, there are two major areas to consider: signature update and custom-rule creation. Organizations have widely varying rules on how security devices can access the Internet. Ask what mechanism the appliance uses to update its signature database, since signatures may be used for multiple functional areas within the appliance. Even if the vendor says it uses behavioral models rather than signatures, ask about updates to address new threats.

Organizations use a host of mechanisms to build custom rules for functions such as IDS, IPS and content-filtering. Some appliances make it difficult to create highly tailored rules, offering only the ability to choose from lists of rule components that may not fit your requirements. Carefully examine the rules creation process, and ask how a large number of custom rules could impact the appliance's performance. If you plan on using this feature, budget training time for your staff, since competent rule creation requires extensive knowledge of network protocols and the nature of security threats.

Generate ReportsDevice management and report generation may not carry the same weight as performance, but the ability to detail attacks and related network behavior is critical for maintaining security. If you work in an industry that is subject to regulatory compliance (with HIPAA or GLB, for example), an appliance offering report formats that meet audit needs will make your job easier. Even if you don't need specific report formats for external purposes, make sure the appliance can provide logs and reports that will help you diagnose problems and give you forensics support for the inevitable times when events occur. Pay attention to both the little things, like which browsers are supported for Web-based management interfaces, and the big things, like whether the appliance will work within the management framework established by Unicenter, Tivoli, OpenView or any other enterprise network-management tools you use. An all-in-one appliance can be a useful network security tool, but not if it creates yet another island in your management infrastructure.

Curtis Franklin Jr. is a senior technology editor for Network Computing. He has been writing about the computer and network industries since 1985. Write to him at [email protected].